Managed Security Services - Cisco


Managed Security Services
Georgina Schaefer
Consulting Systems Engineer, SP Wireline EMEA
Solution Architect, Managed Security Services
Session Number / Presentation ID   2005 Cisco Systems, Inc. All rights reserved.   Cisco Public   1

Enterprise Security Drivers

Security Deployment Trends
Three deployment models, shown for a customer's head office and its branch and small branch offices, connected over the Internet or over an IP/MPLS/Layer 2 based network:
- Centralized, dedicated security model
- Hybrid model: network based / appliance based
- Distributed, integrated security model

Agenda
- Managed Security Services market
- Managed Security Services
  - Managed Threat Defense
  - Managed Trust & Identity
  - Managed Secure Connectivity
- Summary, Q&A

Managed Security Services Portfolio
MSS offerings have been around for some time. Services include:
- Managed Firewalls (bulk of revenue)
- Managed VPNs
- Managed IDS
- Managed Anti-Virus
- Managed Authentication

MSSP Revenues Shift
Rapid growth in Managed IDS.
Chart legend: PS = Professional Services; AV = Anti-Virus; VA = Vulnerability Assessment; IDS = Intrusion Detection System; SIS = Security Intelligence Services; REPS = Remote End-Point Security.
Source: Yankee Group, 2002

Network Security Evolution
Timeline of operational capability against the move from applications to services and the growing complexity of security (source: JP Biz Protection 2002):
- 1985: Block and hide. "Crypto solves everything"; CLI operator interfaces; manual procedures.
- 1995: Detection of simple threats. Reactive virus and intrusion detection; automates some manual procedures; "best-of-breed" perimeter point products; dedicated security appliance introduced.
- 2005 (today): Protection from simple threats. Convergence of scanning or filtering; comprehensive view of all security elements; security embedded in switch or router; manageability is critical.
- 2015 (adaptive networks, future state): Self-managing, self-protecting, self-healing; highly available network services; security-aware network elements.

MSSP Players
Mainly from four different categories:
- Network/systems integrators (e.g. CGEY, Unisys, IBM): focus on global outsourcing deals with custom solutions
- Pure-play security SPs (e.g. Ubizen, Getronics, NetSec): often positioned as niche players
- Technology owners/software vendors (e.g. Symantec, ISS, Baltimore): services tend to be limited to their own technology
- Service providers (e.g. BT, DT, FT, C&W, Equant, AT&T): traditionally deliver connectivity services

Status of the MSS market
- Most of the current portfolios are targeted at medium/large enterprises and are based on appliances, each solving a single problem
- SPs started to build Managed Security Services 2-3 years ago, when not all the required security features were available in routers
- Difficult to address the price-sensitive and mass markets (high capex, high opex, integration complexity)

Market Inhibitors
- Enterprises unwilling to outsource security
- Lack of perceived need for extensive security
- Unproven reputation of MSS providers
- SPs unwilling to go beyond CPE
- Perceived higher costs of outsourced service
- Too many offerings with unclear definitions
- Product oriented vs. global security solution

Market Segregation

| Segment (employees) | Offer | Characteristics | Price |
|---|---|---|---|
| MNC / large enterprise (250+) | Custom | SLAs (bronze, silver, gold); high price; 24x7; detailed reports; on-going monitoring; log analysis; redundancy | 1500-3000 euro/month |
| Medium (50-249) | Bundled | Delta price to CX; packaged with CX; basic reports; network/CPE | 50-150 euro/month |
| Small (10-49) | Value/price | | |
| Micro (<10) | Mass market | Price sensitive; point product; self managed | 5 euro/month |

MSS and European Companies
SMEs represent more than 99% of companies! By 2008 they should generate 66% of European MSS sales.

Managed Services – Multi-device
Separate managed intrusion protection, managed firewall and managed router VPN devices at the customer site, connected to the SP IP network.
- Many devices → high CAPEX
- Labour-intensive operation → high OPEX
- Different services coming from different providers (SP, SI, MSSP, ...) → lack of consistency in security policy
Not the best model to address small offices or SMBs.

Managed Services – Single Device
Full managed security services from one integrated device connected to the SP IP network.
- Services are turned on on demand → extends the CPE lifecycle
- 1 or 2 devices for the full service portfolio → lower CAPEX
- Fewer truck rolls and devices to manage → lower OPEX
- Decreased churn through a comprehensive portfolio
Better model for mass-deployment services.

Moving from Managed Security Services to Secured Managed Services

| Managed Security as an option | Secured Managed Services |
|---|---|
| Security is an add-on | Security is built in |
| Challenging integration | Intelligent collaboration |
| Not cost effective | Appropriate security |

Gartner: By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms.

Managed Security Service Examples

Service Provider Security Fundamentals
The security policy defines the network design requirements. Its building blocks:
- Secure Connectivity: secure and scalable network connectivity
- Trust & Identity: secure and manage the network to intelligently protect endpoints
- Network Infrastructure Protection: protect the network infrastructure from attacks
- Threat Defense: prevent and respond to network attacks and threats such as worms
- Security Operation: security management and monitoring, incident response processing

Managed Security Service Portfolio
Threat Defense services:
- Managed Firewall: ability to customize security rules, policies and ports
- Managed Intrusion Protection: protection of vital information from intruders
- Managed DDoS Protection
- Managed Endpoint Protection (server and desktop protection)
- Email Virus Protection: protection against spam attacks and virus spread
- Content Filtering
Secure Connectivity services:
- Secure remote-user access to company information
- Virtual Private Network (VPN) services using IPsec or SSL VPN
Trust and Identity services:
- Single-factor or two-factor authentication (token, smart USB key or card)
- PKI certificates
- Endpoint security compliance (Network Admission Control)

Managed Services / Market Segment

Protection at every Network Layer
Three layers: SP managed security service or customer managed; SP managed security services; SP secured infrastructure.
Cisco can help the SP provide a complete security portfolio: CPE- and network-based VPN, firewalls and IDS/IPS; endpoint threat protection; identity management; security service provisioning; security threat management.

CPE Based Managed Service
Topology: Customer A and Customer B head offices and branch offices connect over the Internet; the MSSP SOC provisions and monitors the CPE.
Security devices / products:
- Cisco ISR with integrated security
- ASA, PIX, IPS appliances
- Cisco 7600 with security service modules
Service provisioning:
- CiscoWorks VMS
- Cisco Configuration Engine
- Partner product
Service monitoring:
- CS-MARS
Managed services:
- Firewall
- IPS
- IPsec / SSL VPN
- Managed authentication

Cisco ISR Routers and ASA 5500 Series: Flexible Security and VPN Deployment Options

| Adaptive Security Appliance | Integrated Services Routers |
|---|---|
| Preference for dedicated security devices | Preference for and familiarity with IOS-based devices |
| LAN interfaces | LAN and WAN interfaces |
| Delivers latest threat ... | Delivers best-of-breed routing and QoS functionality |
| Most feature-rich remote access VPN solution | Consolidates maximum network and security functions on a single platform |
| Dedicated functions ensure maximum software versioning simplicity | Most feature-rich site-to-site VPN solution |
| | Leverage existing router investment |

Tailored solutions for every deployment environment.

Managed Security Services Trends
Primary services, and where they are heading:
- Threat Defense: firewall, virus scanning, intrusion & DDoS detection; moving toward application firewall, deep packet inspection, day-zero attack protection and IPS
- Secure Connectivity: VPN/tunneling; moving toward SSL VPN
- Trust & Identity: authentication; moving toward security compliance checks
Managed service implementation & delivery:
- Quality guarantees (SLAs)
- Sales, lease
- Setup/installation, configuration
- Proactive fault, life-cycle and performance management
- Immediate alert response: trouble-ticket process, analysis, configuration, troubleshooting
- Emergency response to threats or service outages

Managed Threat Defense

Managed Firewalling
- Analyses all data traffic flowing from one network to another
- Allows or denies access based on pre-defined security policies
- High-volume packet inspection
- Internal address masking (NAT/PAT)
- The most common managed security service, delivered as:
  - CPE-based service (firewall installed at the customer's premises)
  - Network-based service
- User authentication and content filtering as service options

Managed Firewall Service
Baseline service:
- Stateful packet filtering
- Address translation support
- Routing
Service options:
- Advanced application support
- Redundancy / high availability
- Authentication
- Web content filtering
- Virtual firewall

Advanced Application Support
Attacks based on web applications. Survey figures on the slide for internal users' traffic to the Internet: Internet access 98%; rich media 43%; IM traffic 43%; web-enabled apps / web services 55%; port 80 (HTTP) 43%.
64% of enterprises have opened port 80 on their firewalls for their growing web application traffic. (Source: 2002 InfoWorld/Network Computing survey of IT professionals)
"75% of successful attacks against Web servers are entering through applications and not at the network level." John Pescatore, VP and Research Director, Gartner, June 2002.

Advanced Application Support: Web-Traffic Inspection Services
Supported on IOS / PIX 7.0 / ASA / FWSM 3.1.
The problem: a payload on port 25 claims "I am email traffic, honest!" and a payload on port 80 claims "I am HTTP web traffic, honest!"; the port number alone proves nothing about what is inside.
HTTP Inspection Engine:
- Delivers application-level control through inspection of web-based (port 80) traffic
- Prevents port 80 misuse by rogue apps that hide traffic inside HTTP to avoid scrutiny, e.g. instant messaging (AIM, MSN Messenger, Yahoo, ...) and peer-to-peer protocols (Kazaa, ...)
Email Inspection Engine:
- Controls misuse of email protocols: SMTP, ESMTP, IMAP and POP inspection engines
Inspection engines provide protocol anomaly detection services and MIME type/content filtering.
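The kind of check an HTTP inspection engine applies to a port-80 flow, as an added example written for this page; it is not Cisco code and not the engine's actual rule set. The conformance rules, the allowed MIME types, the X-Kazaa-* header tell and the sample payloads are all constructed for illustration.

```python
# Port-80 protocol-conformance inspection in the spirit of the HTTP inspection
# engine described above. Added example, not Cisco code: the conformance rules,
# the allowed MIME types, the X-Kazaa-* header tell and the sample payloads
# below are constructed for illustration.
import re

# A conforming request line: known method, a target, HTTP/1.0 or HTTP/1.1, CRLF.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.([01])\r\n")
# token ":" value  (token characters per the HTTP grammar)
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")

# MIME types a request body may carry; anything else is refused (content filtering).
ALLOWED_REQUEST_TYPES = {b"application/x-www-form-urlencoded",
                         b"multipart/form-data", b"text/plain", b"text/xml"}
# Header prefixes that identify a P2P client tunnelling over HTTP
# (assumption for the example; a real engine ships a signature set for many apps).
TUNNEL_HEADER_PREFIXES = (b"x-kazaa-",)


def inspect_http_request(payload):
    """Return ('permit'|'drop', reason) for the first bytes of a port-80 flow."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "drop", "payload on port 80 is not an HTTP request"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "drop", "header block not terminated"
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        if not HEADER_LINE.match(line):
            return "drop", "malformed header line"
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if m.group(2) == b"1" and b"host" not in headers:
        return "drop", "HTTP/1.1 request without Host header"
    for name in headers:
        if name.startswith(TUNNEL_HEADER_PREFIXES):
            return "drop", "P2P client tunnelled inside HTTP (%s)" % name.decode()
    ctype = headers.get(b"content-type", b"").split(b";", 1)[0].strip().lower()
    if ctype and ctype not in ALLOWED_REQUEST_TYPES:
        return "drop", "request content-type %s not permitted" % ctype.decode()
    return "permit", "conforming HTTP"


# Constructed sample flows, each as the first bytes a client sent on port 80.
SAMPLES = {
    "browser_get": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "form_post": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 8\r\n\r\nuser=abc"),
    "http10_no_host": b"GET / HTTP/1.0\r\n\r\n",
    "smtp_on_80": b"EHLO mail.example.com\r\n",          # mail relay hiding on port 80
    "kazaa_on_80": (b"GET /.hash=0123abcd HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                    b"X-Kazaa-Username: dl0ader\r\nX-Kazaa-Network: KaZaA\r\n\r\n"),
    "binary_upload": (b"POST /up HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Content-Type: application/octet-stream\r\n\r\n\x00\x01"),
}


def run_samples():
    """Verdict per sample flow."""
    return {name: inspect_http_request(p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print("%-15s %s  (%s)" % (name, *inspect_http_request(payload)))
```

The ordering of the checks matters: the grammar check runs first so that a non-HTTP payload (SMTP on port 80) is rejected before any header is trusted, and the application-identification checks run before the content-type policy so that the verdict names the actual tunnelling application rather than a side effect of it.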

Belgacom: Managed VPN Service and Firewall

SP Managed Firewall Service vs. In-House Customer Management
Chart: monthly recurring cost (nine sites, 2500 users), managed by SP vs. in house, broken down into HW/SW lease cost, event response, alert analysis, firewall management and report/documentation; the managed option shows 65% savings.
Benefits of out-tasking:
- Reduced monthly recurring management cost (65%)
- Increased network reliability (24-hour monitoring)
- Lower implementation and training cost
- Flexibility to reallocate IT staff to strategic projects

Intrusion Prevention
- 80% of recent attacks have been performed over port 80
- Firewalling alone is not enough to counter attacks
- In-depth inspection of traffic is required to identify attacks hidden within legitimate traffic, on both the network and the critical hosts
- IDS services only generate alarms; Intrusion "Prevention" Services or "inline IDS" can DROP traffic matching attack signatures
- False positives will drop good traffic!!
- Not very common today in the low-end space

Managed IPS or "Anti-X" Services
- Provide protection against viruses, worms, spyware/adware and denial of service
- Use IDS/IPS hybrid technology: signature based, anomaly based, behaviour based
- Signatures must be updated on a regular basis
- Events must be regularly monitored and false positives / negatives tuned
- IPS services require powerful and complex management, monitoring and response procedures
- 24x7 service operation is needed, hence a well-automated system is required

Managed IPS Service
Baseline service:
- 24x7 service and support
- Intrusion monitoring
- Event correlation / alarm filtering
- Web portal: log trending and analysis with periodic traffic and alert reports
Service options:
- Vulnerability assessment
- Signature updates (Managed IPS / Anti-Virus service)
- Incident handling
- Anti-X services (anti-virus, anti-spyware, intrusion / worm / DoS attack prevention)
- Redundancy/failover
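What "IDS alerts, IPS drops" and "false positives will drop good traffic" look like in practice, as an added example for the three slides above; it is not Cisco IPS code. The two signatures, the request-rate threshold and the replayed request lines are constructed for illustration, and the engine combines signature matching with a simple rate anomaly so that both detection styles named above are exercised.

```python
# Inline signature + anomaly engine run in IDS (alert-only) and IPS (drop)
# mode over constructed HTTP request lines, to show the tuning caveat above:
# a broad signature fires on legitimate traffic and, inline, drops it.
# Added example, not Cisco IPS code; signatures, the rate threshold and the
# sample traffic are constructed for illustration.
import re
from collections import defaultdict
from urllib.parse import unquote


def normalize(request_line):
    """Decode twice (undoing double encoding such as %255c) and fold backslash
    to '/' before matching, as an inspection engine does ahead of its signatures."""
    for _ in range(2):
        request_line = unquote(request_line)
    return request_line.replace("\\", "/")


def make_signatures(tuned):
    """Nimda/Code Red era signatures. The untuned cmd.exe rule matches any mention
    of cmd.exe; the tuned one requires the directory traversal the exploit needs."""
    cmd = re.compile(r"/\.\./.*cmd\.exe" if tuned else r"cmd\.exe", re.I)
    return [
        ("web-iis-cmd.exe-access", cmd, "high"),
        ("web-iis-ida-overflow", re.compile(r"\.ida\?[NX]{200,}", re.I), "high"),
    ]


class InlineEngine:
    def __init__(self, signatures, inline, scan_threshold=20):
        self.signatures = signatures
        self.inline = inline                  # False: IDS, alert only; True: IPS, drop
        self.scan_threshold = scan_threshold  # requests per source before 'scan' alert
        self.alerts, self.dropped, self.forwarded = [], [], []
        self.req_per_src = defaultdict(int)

    def process(self, src, request_line):
        verdict = "forward"
        for name, pattern, severity in self.signatures:
            if pattern.search(request_line):
                self.alerts.append((name, severity, src, request_line))
                if self.inline:
                    verdict = "drop"
                break
        # anomaly-based: request rate per source (alert once, when the bar is crossed)
        self.req_per_src[src] += 1
        if self.req_per_src[src] == self.scan_threshold:
            self.alerts.append(("anomaly-request-rate", "medium", src, request_line))
        (self.dropped if verdict == "drop" else self.forwarded).append(request_line)
        return verdict


# Constructed traffic: one Nimda-style traversal, one Code Red style .ida
# overflow, a legitimate page whose path merely mentions cmd.exe, and a scanner.
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("203.0.113.9", "GET /default.ida?" + "N" * 224 + "%u9090%u6858 HTTP/1.0"),
    ("192.0.2.44", "GET /kb/articles/how-to-use-cmd.exe-safely.html HTTP/1.1"),
    ("192.0.2.44", "GET /index.html HTTP/1.1"),
] + [("203.0.113.9", "GET /probe%d HTTP/1.0" % i) for i in range(25)]


def run(tuned, inline):
    """Replay the sample traffic; return alert names and drop/forward counts."""
    engine = InlineEngine(make_signatures(tuned), inline)
    for src, line in SAMPLE_TRAFFIC:
        engine.process(src, normalize(line))
    return {"alerts": [a[0] for a in engine.alerts],
            "dropped": len(engine.dropped), "forwarded": len(engine.forwarded)}


if __name__ == "__main__":
    for tuned, inline in ((False, False), (False, True), (True, True)):
        print("tuned=%-5s inline=%-5s %s" % (tuned, inline, run(tuned, inline)))
```

In monitor mode the broad signature only produces an extra alert for the knowledge-base article; switched inline, the same signature drops that page for every user until someone tunes it, which is the operational work the slides assign to the managed service.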

Equant Intrusion Detection

Equant Intrusion Detection (cont'd)
- Service is based on Cisco IDS/IPS appliances
- Monitoring and management is provided by Ubizen (Cybertrust); Ubizen analyzes the IDS logs and identifies the threats that require immediate action
- Customer benefits: real-time discovery of attacks with predictable turnaround time and consistent procedures; reduction of false alarms; lower TCO
- Service is integrated with Equant delivery
Diagram: at the customer site, an Internet-facing firewall, a DMZ network and the internal network; the sensors report over a separate IDS management network, across the Internet, to the Equant/Ubizen SOC.

Equant Intrusion Detection Service Profile: who does what?
Done by Equant:
- Professional consultancy engagement
- Device installation, management and monitoring
Done by Ubizen (under Equant branding):
- 24x7 real-time intrusion monitoring
- 24x7 real-time event correlation & interpretation
- 24x7 incident handling: "real-time" customer alerting and recommendations
- Full reporting capabilities: real-time reports at the Equant Intrusion Detection Report Center; consolidated monthly reports, SLAs

SP Managed IDS/IPS Service vs. In House
Chart: monthly recurring cost (4 IPS sensors), managed by SP vs. in house, broken down into proactive monitoring, backup IT personnel, major change and request, configuration management, event watch and response, and report generation; the managed option shows 75% savings.
Benefits of managed IDS/IPS:
- Reduced monthly recurring management cost (75%)
- Increased network reliability (24-hour monitoring)
- Lower implementation and training cost
- Flexibility to reallocate IT staff to strategic projects

DoS/DDoS Attacks: Multiple Threats and Targets
Attack zombies: use valid protocols, spoof the source IP, are massively distributed, and launch a variety of attacks.
DoS/DDoS: deny access to authorized users and consume resources (bandwidth, CPU, memory blocks).
Targets: provider infrastructure (DNS, routers and links); the access line; the entire data center (servers, security devices, routers; e-commerce, web, DNS, email, ...).

Two Dimensions to DDoS: Number of Attacking Hosts, Total Bandwidth
Scale of attacks against sophistication of attacks, over time:
- 1999: 10Ks packets/sec; non-essential protocols (e.g. ICMP); 100s of sources
- 2003: 100Ks packets/sec; essential protocols; spoofed; 10Ks of zombies; compound worm & DDoS attacks
- 2004: million packets/sec; 100Ks of zombies

Analysts on DDoS
"Effective protection against DoS attacks rests in the hands of the ISPs providing the physical connection. E-businesses should demand quality-of-service statements from their ISPs requiring them to control a DoS attack."
J. Pescatore and W. Malik, Gartner Group

Clean Pipes Solution Overview
Topology: customer premise; access/aggregation PE(s); core; peering edge (ASBR/PE, carrier peering, ISP/alternate ISP, or hosting IDC). A cleaning center with Guard(s) hangs off an L2 aggregation switch; Detectors and an Arbor controller provide detection.
- Detection: identify and classify attacks based on ...
- Diversion: divert "attack" traffic to the cleaning center to be "scrubbed", and inject the clean traffic back to the enterprise customer
- Cleaning: anti-spoofing, anomaly recognition, packet inspection and cleaning (i.e. scrubbing) of "bad" traffic
Provisioning and management: WBM for Guard/Detector, controller-based management for Arbor.
Built on a Cisco network using infrastructure security "Best Common Practices".

Cisco Anomaly / DDoS Protection Solution
Detects and automatically mitigates the broadest range of Distributed Denial of Service (DDoS) attacks:
- Ensures legitimate transactions get through
- Multiple defenses including source verification
- Behavioral anomaly recognition engine
- Performance for the largest enterprises and providers
- On-demand diversion for attack scrubbing
- 1 Mpps per appliance and clustering capability
Products: Cisco Guard XT 5650 & Traffic Anomaly Detector XT 5600 (R3, Aug 04); Cisco Catalyst 6500 / 7600 Anomaly Guard Module & Traffic Anomaly Detector Module (R4, 1Q CY05).
On-demand scrubbing: traffic destined to the target is diverted through the Cisco (Riverhead) Guard XT multi-verification process (dynamic & static filters, anti-spoofing to block spoofed packets, active verification, statistical analysis, Layer 7 analysis, rate limiting, behavioral anomaly engine). Dynamic filters block attack sources, rate limits apply, and only legitimate traffic is forwarded to the target; the Cisco (Riverhead) Traffic Anomaly Detector XT keeps watching the non-targeted zone(s).
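The detect, divert and scrub cycle of the two slides above reduced to working code, as an added example; it is not Cisco Guard or Detector code. The NetFlow-like records, the ten-window learning baseline, the thresholds, the victim and Guard addresses are constructed for illustration, and the diversion step returns a route string instead of injecting anything into BGP.

```python
# Detect -> divert -> scrub, the clean-pipes cycle described above, in miniature.
# Added example, not Cisco Guard/Detector code: the NetFlow-like records, the
# baseline window, the thresholds and the Guard next-hop address are constructed
# for illustration, and 'diversion' is returned as a route string rather than
# injected anywhere.
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60  # seconds per measurement window

# Flow record: (timestamp_s, src, dst, tcp_flags, packets).
# 'A' = established traffic, 'S' = bare SYN.


def baseline_flows(target):
    """Ten minutes of quiet web traffic: five clients with completed handshakes."""
    return [(t, "198.51.100.%d" % (i + 1), target, "A", 40)
            for t in range(0, 600, 10) for i in range(5)]


def attack_flows(target, t0=600):
    """One minute of SYN flood from 200 sources; half of them are RFC 1918
    addresses, which can only be spoofed when they arrive from the Internet."""
    return [(t, ("203.0.113.%d" % (z + 1)) if z < 100 else ("10.0.%d.7" % z),
             target, "S", 500)
            for t in range(t0, t0 + WINDOW, 10) for z in range(200)]


def window_stats(flows):
    """Per (window, destination): packets, SYN-only packets, distinct sources."""
    stats = defaultdict(lambda: {"pkts": 0, "syn": 0, "srcs": set()})
    for t, src, dst, flags, pkts in flows:
        s = stats[(t // WINDOW, dst)]
        s["pkts"] += pkts
        s["srcs"].add(src)
        if flags == "S":
            s["syn"] += pkts
    return stats


def detect(flows, target, baseline_windows=10):
    """Learn a pps baseline for the target from the first windows (the Detector's
    learning phase), then flag later windows that exceed mean + 3 sigma."""
    stats = window_stats(flows)
    keys = sorted(k for k in stats if k[1] == target)
    base = [stats[k]["pkts"] / WINDOW for k in keys[:baseline_windows]]
    threshold = mean(base) + 3 * pstdev(base) + 1.0   # +1 pps: a flat baseline has sigma 0
    alerts = []
    for k in keys[baseline_windows:]:
        s = stats[k]
        pps = s["pkts"] / WINDOW
        if pps > threshold:
            kind = "syn-flood" if s["syn"] / s["pkts"] > 0.8 else "volumetric"
            alerts.append({"window": k[0], "target": target, "pps": pps,
                           "kind": kind, "sources": len(s["srcs"])})
    return alerts


def divert(alert, guard_next_hop="192.0.2.254"):
    """Diversion: a more-specific /32 for the victim with the Guard as next hop,
    so the cleaning center attracts only the target's traffic."""
    return "announce %s/32 next-hop %s  (diverted: %s)" % (
        alert["target"], guard_next_hop, alert["kind"])


def scrub(flows, target):
    """Guard-style pass over diverted traffic: drop bogon sources (anti-spoofing)
    and bare SYNs from sources that never completed a handshake (a stand-in for
    the Guard's active verification); forward the rest. Returns (kept, dropped)."""
    verified = {src for _, src, dst, flags, _ in flows if dst == target and flags == "A"}
    kept = dropped = 0
    for _, src, dst, flags, pkts in flows:
        if dst != target:
            continue
        if src.startswith("10.") or (flags == "S" and src not in verified):
            dropped += pkts
        else:
            kept += pkts
    return kept, dropped


def run(target="192.0.2.10"):
    flows = baseline_flows(target) + attack_flows(target)
    alerts = detect(flows, target)
    return {"alerts": alerts, "routes": [divert(a) for a in alerts],
            "scrubbed": scrub(flows, target)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Two points the code makes that the slide does not: a learning baseline needs a floor (the "+1 pps") or a perfectly flat quiet period gives a zero threshold and alerts on the first extra packet, and diversion must be a more-specific prefix for the victim only, otherwise the cleaning center ends up carrying the whole customer's traffic.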

SP Revenue Models
- Subscription service A: the customer pays an X% markup on transit/bandwidth purchased, for a guarantee of availability
- Subscription service B: the customer pays normal rates for transit/bandwidth, then an extra flat fee for detection and mitigation (pricing subject to business model)
- On-demand: the customer pays a premium for "scrubbed" bandwidth after calling during an attack (not seen often)

Managed DDoS Services: Cisco Powered Providers

| Customer | Service name | Deployment model | Scenario |
|---|---|---|---|
| AT&T | DDoS Defense Option for Internet Protect managed services | Managed Network DDoS Protection Service | NetFlow, Arbor Peakflow SP, Guard |
| Sprint | IP Defender managed service | Managed Network DDoS Protection Service | Detector, Guard |
| Cable & Wireless | DDoS Attack Mitigation Service | Managed Network DDoS Protection Service | Detector, Guard |
| Telecom Italia | DDoS Peering Point Protection | Peering Edge DDoS Protection Service | NetFlow, Arbor Peakflow SP, Guard |
| Rackspace | PrevenTier DDoS Mitigation service | Managed Hosting DDoS Protection Service | Arbor Peakflow SP, NetFlow, Detector, Guard |
| DataPipe | SureArmour DDoS protection service | Managed Hosting DDoS Protection Service | Detector, Guard |

Endpoint Security: Cisco Security Agent
- A new kind of host protection product for desktop, laptop and server computers: Windows NT, Windows 2000, Windows XP, Solaris 2.8, Linux
- Aggregates multiple security functions in one agent
- Shift from signature-based to policy-based: effective against existing and previously unseen attacks; stopped Slammer, Nimda and Code Red sight unseen with out-of-the-box policies
- Centrally administered, with distributed, autonomous policy enforcement: scales well and also works with intermittently connected hosts; can also adapt defenses based on correlation of events from different hosts
The definition of active endpoint protection.

What is Cisco Security Agent?
Server & desktop protection combining a personal firewall, personal data protection, an OS hardening tool and a distributed IPS.

CSA Aggregates Multiple Endpoint Security Functions
Desktop/laptop protection functions covered by CSA (the slide's checkmark matrix sets them against conventional point products):
- Block incoming network requests
- Block outgoing network requests
- Stateful packet analysis
- Detect/block port scans
- Detect/block network DoS attacks
- Detect/prevent malicious applications
- Detect/prevent known buffer overflows
- Detect/prevent unknown buffer overflows
- Detect/prevent unauthorized file modification
- Operating system lockdown

CSA Complements Traditional Desktop AV

| Capability | CSA | Anti-Virus |
|---|---|---|
| Stop known virus/worm propagation | yes | yes |
| Stop unknown virus/worm propagation | yes | |
| Malicious code protection | yes | yes |
| Scan/detect infected files | | yes |
| "Clean" infected files | | yes |
| Identify viruses/worms by name | | yes |
| No signature updates required | yes | |
| Distributed firewall functionality | yes | |
| Operating system lockdown | yes | |
| Correlates events across endpoints | yes | |
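What "policy-based rather than signature-based" means for the CSA slides above, as an added example; this is not CSA code or its policy language. The rules (what a process may do once it has accepted inbound network data), the trusted-process exception named mgmtagent.exe and the event traces are all constructed for illustration; the traces follow the shape of the three worms the slide names, with no payload.

```python
# Policy-based host protection as described for CSA above: rules constrain what
# a process may do once it has accepted network input, instead of matching known
# malware. Added example, not CSA code; the rule set, the trusted-process
# exception (mgmtagent.exe) and the event traces are constructed for illustration.
from collections import defaultdict

SYSTEM_DIRS = ("c:\\winnt\\system32", "c:\\windows\\system32")
SHELLS = {"cmd.exe", "command.com", "sh", "bash"}
MAX_PEERS = 20                               # distinct outbound peers before 'worm fan-out'
TRUSTED_SYSTEM_WRITERS = {"mgmtagent.exe"}   # assumed: a management agent that patches


class HostAgent:
    """Intercepts OS calls for one host; each call gets 'allow' or 'deny'."""

    def __init__(self):
        self.exposed = set()            # processes that accepted inbound network data
        self.peers = defaultdict(set)   # distinct outbound peers per process
        self.untrusted_files = set()    # files written by exposed processes
        self.alerts = []

    def _deny(self, proc, reason):
        self.alerts.append((proc, reason))
        return "deny"

    def decide(self, proc, action, detail):
        d = detail.lower()
        if action == "inbound":          # accepted a connection / unsolicited datagram
            self.exposed.add(proc)
            return "allow"
        if action == "exec":
            if proc in self.exposed and d.rsplit("\\", 1)[-1] in SHELLS:
                return self._deny(proc, "network-exposed process spawning a shell: " + detail)
            if d in self.untrusted_files:
                return self._deny(proc, "executing content written by an exposed process: " + detail)
            return "allow"
        if action == "write":
            if proc in self.exposed:
                if d.startswith(SYSTEM_DIRS) and proc not in TRUSTED_SYSTEM_WRITERS:
                    return self._deny(proc, "network-exposed process writing a system directory: " + detail)
                self.untrusted_files.add(d)   # anything it drops is tainted
            return "allow"
        if action == "connect":
            self.peers[proc].add(d)
            if proc in self.exposed and len(self.peers[proc]) > MAX_PEERS:
                return self._deny(proc, "worm-like fan-out to %d peers" % len(self.peers[proc]))
            return "allow"
        return "allow"                   # reads and everything else are policy-neutral here


# Constructed traces: (process, action, detail). The worm traces follow the
# shape of Code Red (I IS spawning cmd.exe), Nimda (dropped file later executed)
# and Slammer (SQL resolver process scanning the Internet) without any payload.
TRACES = {
    "iis_normal": [("inetinfo.exe", "inbound", "tcp/80"),
                   ("inetinfo.exe", "read", "c:\\inetpub\\wwwroot\\default.htm")],
    "code_red": [("inetinfo.exe", "inbound", "tcp/80"),
                 ("inetinfo.exe", "exec", "c:\\winnt\\system32\\cmd.exe")],
    "nimda": [("inetinfo.exe", "inbound", "tcp/80"),
              ("inetinfo.exe", "write", "c:\\inetpub\\wwwroot\\readme.eml"),
              ("explorer.exe", "exec", "c:\\inetpub\\wwwroot\\readme.eml")],
    "slammer": [("sqlservr.exe", "inbound", "udp/1434")]
               + [("sqlservr.exe", "connect", "udp/1434 203.0.113.%d" % i) for i in range(1, 31)],
    "admin_shell": [("explorer.exe", "exec", "c:\\winnt\\system32\\cmd.exe")],
    "mgmt_patch": [("mgmtagent.exe", "inbound", "tcp/8443"),
                   ("mgmtagent.exe", "write", "c:\\winnt\\system32\\update.dll")],
}


def run_traces():
    """Number of denied calls per trace, each replayed on a fresh agent."""
    result = {}
    for name, events in TRACES.items():
        agent = HostAgent()
        result[name] = sum(agent.decide(*e) == "deny" for e in events)
    return result


if __name__ == "__main__":
    for name, denied in run_traces().items():
        print("%-12s denied calls: %d" % (name, denied))
```

None of the rules know a worm by name, which is why the same policy handles all three traces, and the administrator's interactive cmd.exe is allowed because explorer.exe never accepted network input. The trusted-writer exception is where policy tuning happens in practice; without it the patching agent would be the first false positive.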

Managed CSA Value Proposition
- Lower operating costs: removes monitoring/maintenance tasks and the need to hire/train security experts
- Higher level of security: the MSSP has more extensive IT resources, 24x7x365 protection of systems, reduced implementation time and faster resolution of security incidents
- Reduced false positives: the MSSP has extensive knowledge of best practices to customize the technology
- Increased security posture awareness: MSSPs offer real-time and historical perspectives of device security, easily accessible via the web

Which SPs could offer Managed CSA?
- Those that already have the know-how/infrastructure to support IDS services: it is a similar type of service (define policies, implement, monitor and correlate events, tune, ...)
- They do not necessarily need to be involved in "desktop management" if the customer has the resources to do this
- Probably best to partner with an established MSSP, e.g. Ubizen?

Managed Trust and Identity

Cisco Network Admission Control (NAC)
- Restricts and controls network access: the endpoint device is interrogated for policy compliance, and the network determines the appropriate admission enforcement: permit, deny, quarantine, restrict
- Cisco-led, multi-partner program: limits damage from viruses and worms; coalition of market-leading vendors
- A Cisco Self-Defending Network initiative: dramatically improves the network's ability to identify, prevent and adapt to threats

Cisco Network Admission Control: What It Does
1. A non-compliant endpoint (running the Cisco Trust Agent) attempts a connection from the branch or campus
2. Non-compliant status is determined
3. Infection contained; endpoints secured: access denied, quarantined, or sent to remediation

NAC Customer Benefits
- Dramatically improved security: proactive protection against worms and viruses; leverage the network to audit and enforce host security policies; network segmentation services for isolation and remediation
- Extend existing investment: leverage investment in network infrastructure and host security; focus operations on prevention, not reaction
- Increase enterprise resilience: comprehensive admission control across all access methods; ensure endpoints conform to security policy

Secure Connectivity

Secure Connectivity: Easy VPN
Central site: Cisco IOS router, VPN Concentrator, or PIX. Branch office: Cisco IOS router, 3002, or PIX. Home office: Cisco VPN software client on PC/Mac/Unix. Simple, scalable, flexible.
- The remote/branch device can be a PIX, IOS router, 3002, or Cisco client software on a PC/Mac/Unix computer
- The remote device contacts the central-site router/concentrator and provides authentication credentials
- If the credentials are valid, the central site "pushes" configuration data securely to the remote device and the VPN is established

Secure Connectivity: Dynamic Multipoint VPN (DMVPN)
Secure meshed tunnels, automatically! Hub with spokes A and B: traditional static tunnels need static, known IP addresses, whereas DMVPN tunnels work with dynamic, unknown spoke addresses.
Benefits:
- Full-mesh connectivity with the configuration simplicity of hub and spoke
- Preserves (central) bandwidth, minimizes latency
- Support for dynamically addressed spokes
- Zero-touch configuration for the addition of new spokes to the DMVPN
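How a DMVPN learns where its spokes are and builds spoke-to-spoke tunnels on demand, shown as the NHRP exchange (registration at the hub, resolution request and reply, direct tunnel) in miniature. This is an added example, not Cisco IOS code; the tunnel and NBMA addresses are constructed, and the mGRE/IPsec encapsulation itself is not modelled.

```python
# How DMVPN gets full-mesh behaviour from hub-and-spoke configuration: spokes
# register their current public (NBMA) address with the hub over NHRP, and a
# spoke resolves another spoke's NBMA address through the hub before sending
# direct. Added example, not Cisco IOS code; tunnel and NBMA addresses are
# constructed, and the mGRE/IPsec encapsulation itself is not modelled.


class Hub:
    """NHRP next-hop server: the only device whose NBMA address must be static."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhrp_cache = {}                 # spoke tunnel IP -> spoke NBMA IP

    def registration(self, spoke_tunnel_ip, spoke_nbma_ip):
        self.nhrp_cache[spoke_tunnel_ip] = spoke_nbma_ip
        return ("registration-reply", spoke_tunnel_ip, spoke_nbma_ip)

    def resolution(self, wanted_tunnel_ip):
        return ("resolution-reply", wanted_tunnel_ip, self.nhrp_cache.get(wanted_tunnel_ip))


class Spoke:
    def __init__(self, name, tunnel_ip, nbma_ip, hub):
        self.name, self.tunnel_ip, self.nbma_ip, self.hub = name, tunnel_ip, nbma_ip, hub
        self.cache = {hub.tunnel_ip: hub.nbma_ip}    # the one static mapping a spoke needs
        self.log = []

    def boot(self):
        """Register whatever NBMA address the spoke currently has (DHCP, PPPoE, ...)."""
        self.log.append(("nhrp-register", self.hub.registration(self.tunnel_ip, self.nbma_ip)))

    def readdress(self, new_nbma_ip):
        self.nbma_ip = new_nbma_ip
        self.boot()

    def expire(self):
        """NHRP hold time elapsed: forget dynamic mappings, keep the hub."""
        self.cache = {self.hub.tunnel_ip: self.hub.nbma_ip}

    def send(self, dst_tunnel_ip):
        """Return the NBMA address this packet is encapsulated to."""
        if dst_tunnel_ip in self.cache:
            return self.cache[dst_tunnel_ip]
        # First packet to an unknown spoke goes through the hub while NHRP resolves it.
        self.log.append(("via-hub", dst_tunnel_ip))
        _, _, nbma = self.hub.resolution(dst_tunnel_ip)
        if nbma is not None:
            self.cache[dst_tunnel_ip] = nbma     # direct spoke-to-spoke path from now on
        return self.hub.nbma_ip


def demo():
    hub = Hub("10.0.0.1", "192.0.2.1")
    a = Spoke("A", "10.0.0.2", "198.51.100.20", hub)   # dynamic ISP addresses
    b = Spoke("B", "10.0.0.3", "203.0.113.30", hub)
    a.boot()
    b.boot()
    first = a.send("10.0.0.3")     # hub-and-spoke for the first packet
    second = a.send("10.0.0.3")    # direct to B
    b.readdress("203.0.113.99")    # B's ISP address changed; B re-registers
    stale = a.send("10.0.0.3")     # A still uses its cached (now wrong) mapping
    a.expire()
    a.send("10.0.0.3")             # via hub again, resolves the new address
    fresh = a.send("10.0.0.3")
    unknown = a.send("10.0.0.9")   # no such spoke: stays hub-routed
    return {"first": first, "second": second, "stale": stale, "fresh": fresh,
            "unknown": unknown, "hub_cache": dict(hub.nhrp_cache)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "stale" result is the caveat a practitioner wants: a spoke keeps a resolved mapping until the NHRP hold time runs out, so a spoke that re-addresses mid-session is unreachable from its peers for that long unless they re-resolve sooner. The hub, by contrast, is updated the moment the spoke re-registers, which is exactly why only the hub needs a static address.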

Secure Connectivity: V3PN (Secure, Toll-Quality Voice, Video, Data)
Data, voice and video traffic are delivered with QoS policies for latency-sensitive traffic over an IPsec/GRE tunnel across the telco/broadband service provider. At each end: SRTP protects the LAN, LLQ is applied before crypto to ensure voice priority, and an egress interface QoS policy shapes the WAN link.
Benefits:
- Wire-speed encryption
- Bandwidth conservation
- Toll-quality, jitter-free voice and video
- LAN and WAN security

SSL VPN and IPsec: Connectivity Profiles

| SSL VPN | IPsec VPN |
|---|---|
| Uses a standard web browser to access the corporate network | Uses purpose-built client software for network access |
| SSL encryption native to the browser provides transport security | Client provides encryption and desktop security |
| Applications accessed through a browser portal | Client establishes a seamless connection to the network |
| Limited client/server applications accessed using applets | All applications are accessible through their native interface |

SSL VPN Deployment Environments
SSL VPN:
- Anywhere access
- Access from non-corporate machines
- Customized user portals
- Granular access control
- Easy firewall traversal from any location
Deployments:
- Unmanaged desktops: extranets, employee-owned computers
- "Lite" users: employees who only need occasional access, or access to few applications
- Simple or locked-down access: restricted server and application access by population

December 12 – 15, Cannes, France

Cisco IOS Firewall

