Building Network Security Policy Through Data Intelligence
- Dustin Dalton
- 6 years ago
2 Building Network Security Policy Through Data Intelligence. Darrin Miller, Distinguished Technical Marketing Engineer; Matthew Robertson, Technical Marketing Engineer.
3 Cisco Spark: How? Questions? Use Cisco Spark to chat with the speaker after the session: 1. Find this session in the Cisco Live Mobile App; 2. Click Join the Discussion; 3. Install Spark or go directly to the space; 4. Enter messages/questions in the space. Cisco Spark spaces will be available until July 3, cs.co/ciscolivebot# 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
4 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets; Designing and Implementing Policy; Monitoring Security Policy; Active Enforcement; Conclusion.
5 About this Session: Segmentation
6 Segmentation is Hard. We all know we want it, but we're not sure how to do it effectively. (Cow, Pig: probably not drunk.) CISO: How do I deploy segmentation without getting fired?
7 Segmentation is a Process: Define the Objectives; Visibility: Understand Behaviour; Cluster & Segment Definition; Author; Validation: Would it Work?; Enforcement: Active Enforcement; Ongoing Monitoring & Validation; Ongoing Refinement.
8 Who we are: Matt Robertson, Security Business Group (SBG), Technical Marketing Engineer; Darrin Miller, Enterprise Networking Business Group (not SBG), Distinguished Technical Marketing Engineer.
9 Segmentation & Network Security Policy. Security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work. Mechanisms: Static ACL, VLAN, Routing Redundancy, Private VLAN, DHCP Scope, Raw Addresses, Group Policy.
10 Group Based Policies. Simple ways to add access control policy for new things: acquisitions and partnerships, Internet of Things, BYOD, Cloud. Represent threat state or vulnerable devices: use groups to represent suspicious devices based on the threat state detected; use groups to protect device types that you cannot patch. Reduce effort in adds, moves & changes: reduce error-prone admin, more consistent security policy, reduce OpEx, reduced time to implement changes, manage complexity.
11 Group Policy Examples: TrustSec, ACI, Firewall Objects, and more!
12 Policy Between Groups: Engineers, Pigs, Beer Garden, Cows. Steps: Classification, Propagation, Enforcement, Classification.
13 Creating The Policy Matrix. How do I discover assets? How do I create groups? How do I decide my policy? How do I know my policy is valid? How do I verify that it's working? Matrix axes: Source Group, Destination Group, Action.
14 Scope of Discussion: Enterprise-Wide Policy across Branch, Campus, Datacenter and Cloud. Network as a Sensor; Shared Visibility; Tetration Analytics.
15 Agenda: Introduction; Harnessing Network Telemetry.
16 Network Telemetry. Telemetry: an automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring. Sources: Talos (Global Intelligence), Endpoint Agent, Access Switch, Distribution/Core Switch, Firewall, Proxy, Identity, Network Devices, AD & DNS. Each holds isolated knowledge based on its function and location.
17 Our Receiving Equipment. Cisco Stealthwatch is a collector and aggregator of network telemetry for the purposes of security analysis and monitoring. Cisco Identity Services Engine (ISE) collects and aggregates network telemetry to facilitate next-generation secure network access.
18 ISE: Building the Session Table. Inputs to the session table and group definitions: Active Authentication (host supplied): User & Device Authentication, MAC Authentication Bypass, Web portal, Alternative Active Authenticator. Passive Authentication (collected): WMI, Agent, SPAN, Syslog, REST API, Endpoint Probe. Profiling (collected): infrastructure provided (DHCP, HTTP, etc.), signature based.
19 Stealthwatch: Building the Flow Table. Transactional inputs: NetFlow / IPFIX, web logs. Contextual inputs: User/Device Identity, Threat Intelligence, Group Definitions.
20 Transactional Telemetry with NetFlow. Diagram: client on port (eth0/1) to server on port 80 (eth0/2). Record fields: Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT, TCP Flags. Sample rows: 10:20: eth0/ TCP SYN,ACK,PSH; 10:20: eth0/ TCP SYN,ACK,FIN.
21 Telemetry Processing: Stitching. Uni-directional flow records (client port 1024 on eth0/1 to server port 80 on eth0/2), fields: Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT; sample rows: 10:20: eth0/ TCP; 10:20: eth0/ TCP. Bi-directional conversation flow record, fields: Start Time, Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, Client SGT, Server SGT, Interfaces; sample row: 10:20: TCP eth0/1 eth0/2. Allows easy visualization and analysis.
22 Telemetry Processing: De-duplication. The same conversation (client port 1024 to server port 80) passes Sw1, Sw2 and the ASA. Conversation fields: Start Time, Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, App, Client SGT, Server SGT, plus the list of observations as Exporter, Interface, Direction, Action. Sample row: 10:20: TCP HTTP; observations: Sw1, eth0, in; Sw1, eth1, out; Sw2, eth0, in; Sw2, eth1, out; ASA, eth1, in; ASA, eth0, out, Permitted; ASA, eth0, in, Permitted; ASA, eth1, out; Sw3, eth1, in; Sw3, eth0, out; Sw1, eth1, in; Sw1, eth0, out.
23 Conversational Flow Record: Who, What, Who, When, Where, How, more context. Stitched and de-duplicated; conversational representation; highly scalable data collection and compression; months of data retention.
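The stitching and de-duplication steps on the two preceding slides, as an added example (not the slides' own content and not Cisco's collector code): uni-directional records from several exporters are keyed by their endpoint pair so both directions collide, a client side is chosen, per-direction counters are taken from the single most complete observation rather than summed across exporters, and the list of exporter/interface/direction observations is kept. All records, addresses and counters are constructed; the client-selection heuristic and the "largest single observation" rule are this example's assumptions, not the collector's documented algorithm.

```python
# Added example: stitch uni-directional NetFlow records into conversations and de-duplicate
# the copies that every exporter on the path reports. Constructed data throughout.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class FlowRecord:
    """One uni-directional NetFlow/IPFIX record as one exporter interface saw it."""
    exporter: str
    interface: str
    direction: str      # "in" or "out"
    start: str          # hh:mm:ss.mmm (constructed)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    bytes: int
    action: str = ""    # firewall exporters add "Permitted"/"Denied"; switches leave it empty


@dataclass
class Conversation:
    """Bi-directional client/server record: the conversational flow the slides describe."""
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    observations: List[str] = field(default_factory=list)  # "exporter, interface, direction[, action]"


def _conversation_key(r: FlowRecord) -> Tuple:
    # Order the two endpoints so that A->B and B->A produce the same key.
    a, b = (r.src_ip, r.src_port), (r.dst_ip, r.dst_port)
    return (r.proto,) + (a + b if a < b else b + a)


def _choose_client(recs: List[FlowRecord]) -> Tuple[str, int]:
    # Assumption: the side whose record starts first initiated the conversation;
    # on a tie, the higher (ephemeral-looking) port is the client.
    first = min(recs, key=lambda r: (r.start, -r.src_port))
    return first.src_ip, first.src_port


def stitch(records: List[FlowRecord]) -> List[Conversation]:
    groups = {}
    for r in records:
        groups.setdefault(_conversation_key(r), []).append(r)
    conversations = []
    for recs in groups.values():
        client = _choose_client(recs)
        fwd = [r for r in recs if (r.src_ip, r.src_port) == client]
        rev = [r for r in recs if (r.src_ip, r.src_port) != client]
        conv = Conversation(start=min(r.start for r in recs), client_ip=client[0], client_port=client[1],
                            server_ip=fwd[0].dst_ip, server_port=fwd[0].dst_port, proto=fwd[0].proto)
        # De-duplication: each exporter reports the whole flow, so summing would multiply the
        # counters by the number of observation points. Keep the largest single observation
        # per direction and remember where the flow was seen.
        conv.client_bytes = max(r.bytes for r in fwd)
        conv.client_pkts = max(r.pkts for r in fwd)
        conv.server_bytes = max((r.bytes for r in rev), default=0)
        conv.server_pkts = max((r.pkts for r in rev), default=0)
        for r in recs:
            obs = f"{r.exporter}, {r.interface}, {r.direction}"
            conv.observations.append(obs + (f", {r.action}" if r.action else ""))
        conversations.append(conv)
    return conversations


def _path(src, sport, dst, dport, start, pkts, nbytes, hops):
    """Constructed helper: the same TCP record as seen at every hop in `hops`."""
    return [FlowRecord(exp, iface, d, start, src, sport, dst, dport, "TCP", pkts, nbytes, act)
            for exp, iface, d, act in hops]


CLIENT, SERVER = "10.0.0.5", "10.0.1.20"   # constructed RFC1918 addresses
SAMPLE_RECORDS = (
    _path(CLIENT, 1024, SERVER, 80, "10:20:01.000", 10, 1200,
          [("Sw1", "eth0", "in", ""), ("Sw1", "eth1", "out", ""), ("Sw2", "eth0", "in", ""),
           ("Sw2", "eth1", "out", ""), ("ASA", "eth1", "in", ""), ("ASA", "eth0", "out", "Permitted")])
    + _path(SERVER, 80, CLIENT, 1024, "10:20:01.050", 8, 5600,
            [("ASA", "eth0", "in", "Permitted"), ("ASA", "eth1", "out", ""), ("Sw2", "eth1", "in", ""),
             ("Sw2", "eth0", "out", ""), ("Sw1", "eth1", "in", ""), ("Sw1", "eth0", "out", "")])
    # A DNS lookup seen by one switch only: identical start times, so the port heuristic decides.
    + [FlowRecord("Sw1", "eth0", "in", "10:20:02.000", "10.0.0.7", 53412, "10.0.0.53", 53, "UDP", 1, 70),
       FlowRecord("Sw1", "eth0", "out", "10:20:02.000", "10.0.0.53", 53, "10.0.0.7", 53412, "UDP", 1, 130)]
)


def conversation_for(server_port: int, records=SAMPLE_RECORDS) -> Conversation:
    return next(c for c in stitch(records) if c.server_port == server_port)


if __name__ == "__main__":
    for c in stitch(SAMPLE_RECORDS):
        print(c)
```

The twelve observations of the HTTP conversation collapse into one record with client bytes of 1200, not 7200; a collector that summed per-exporter counters would overstate volume by the number of hops, which matters later when volume is used to rank servers.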
24 ISE as a Telemetry Source. Cisco ISE (Device/User Authentication, Device Profiling, Passive Identity) publishes its Authenticated Session Table over pxGrid to the Stealthwatch Management Console, which maintains a historical session table, correlates NetFlow to username, and builds user-centric reports.
25 Host Groups: a virtual container of IP addresses; user defined; similar attributes; model any process/application.
26 Threat Intelligence: the Stealthwatch Threat Intelligence License provides known C&C servers and Tor entrances and exits.
27 Decorated Conversational Flow Record: the record is enriched with NBAR (application), Geo-IP mapping, ISE telemetry, Flow Sensor data and Threat Intelligence, giving applied situational awareness.
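The ISE correlation and threat-intelligence decoration of the last few slides, as an added example (not the slides' content and not Stealthwatch code): a historical session table is queried for the session that held the client's address at the moment the flow started, since a DHCP address changes hands over the day, and the server is tagged with any threat-intelligence host group it belongs to. The session table, the threat-intelligence entries (TEST-NET addresses, not real indicators) and the flows are all constructed; Geo-IP and NBAR decoration are left out because they need external databases.

```python
# Added example: time-aware username correlation from an ISE-style session table plus
# threat-intelligence host-group tagging. All sessions, addresses and indicators are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    """One entry of an ISE-style authenticated session table (constructed)."""
    ip: str
    user: str
    device_type: str
    sgt: int
    start: datetime
    end: Optional[datetime]    # None = session still active


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# The same address is leased to two different users on the same day.
SESSION_TABLE: List[Session] = [
    Session("10.1.1.50", "alice", "Windows10-Workstation", 4, _t("2017-06-26T08:00:00"), _t("2017-06-26T12:00:00")),
    Session("10.1.1.50", "bob", "Apple-iPad", 15, _t("2017-06-26T12:30:00"), None),
    Session("10.1.1.51", "carol", "Linux-Workstation", 8, _t("2017-06-26T07:45:00"), None),
]

# Threat-intelligence host groups named as on the slide; members are constructed TEST-NET addresses.
THREAT_INTEL: Dict[str, Set[str]] = {
    "Known C&C Servers": {"203.0.113.66"},
    "Tor Entrance and Exits": {"198.51.100.7", "198.51.100.9"},
}


def session_at(sessions: List[Session], ip: str, when: datetime) -> Optional[Session]:
    """The session holding `ip` at `when`; session end is exclusive, most recent start wins."""
    live = [s for s in sessions if s.ip == ip and s.start <= when and (s.end is None or when < s.end)]
    return max(live, key=lambda s: s.start) if live else None


def threat_groups(ip: str) -> List[str]:
    return sorted(name for name, members in THREAT_INTEL.items() if ip in members)


def decorate(flow: dict, sessions: List[Session] = SESSION_TABLE) -> dict:
    """flow: conversational record with client_ip, server_ip, server_port, proto and start (datetime)."""
    s = session_at(sessions, flow["client_ip"], flow["start"])
    out = dict(flow)
    out["user"] = s.user if s else None
    out["device_type"] = s.device_type if s else None
    out["client_sgt"] = s.sgt if s else 0          # 0 = Unknown: no binding known at that moment
    out["server_threat_groups"] = threat_groups(flow["server_ip"])
    return out


def decorate_all(flows: List[dict]) -> List[dict]:
    return [decorate(f) for f in flows]


SAMPLE_FLOWS = [
    {"client_ip": "10.1.1.50", "server_ip": "10.0.3.30", "server_port": 443, "proto": "TCP", "start": _t("2017-06-26T09:15:00")},
    {"client_ip": "10.1.1.50", "server_ip": "10.0.3.30", "server_port": 443, "proto": "TCP", "start": _t("2017-06-26T13:00:00")},
    {"client_ip": "10.1.1.50", "server_ip": "10.0.3.30", "server_port": 443, "proto": "TCP", "start": _t("2017-06-26T12:10:00")},
    {"client_ip": "10.1.1.51", "server_ip": "203.0.113.66", "server_port": 8080, "proto": "TCP", "start": _t("2017-06-26T10:00:00")},
]

if __name__ == "__main__":
    for d in decorate_all(SAMPLE_FLOWS):
        print(d["start"].time(), d["client_ip"], "->", d["server_ip"], d["user"], d["server_threat_groups"])
```

The third flow falls in the gap between alice's logout and bob's login, so it is attributed to nobody and carries SGT 0; attributing it to whichever user held the address most recently would be wrong, which is why the historical session table, not just the current one, matters.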
28 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets.
29 Classification: grouping objects based on their similar properties (Aristotle, Plato). Categories are discrete entities characterized by a set of properties which are shared by their members.
30 Classification: Canadian Bacon is Ham! No.
31 Classification: Canadian Bacon, Ham, American Bacon.
32 Classification: Objective. All IP Space.
33 Classification: Objective. Things I don't own (Geo-IP, ASNs, Threat Intel) versus things I own, by Function (Servers, NGFW, HR Application, Imaging) and by Location (HQ, Branch, CoLo).
34 Host Groups: Logical Buckets of IP Space. Hierarchical structure. Examples: My DNS Servers are and ; All my POSs are /24; My HQ is /8; etc. An IP address list. A host can exist in multiple Host Groups; a host cannot be simultaneously Inside and Outside.
35 Host Group Tactics: Best Practices. Outside Hosts: Trusted Internet Hosts (partners/trusted entities); Monitored Internet Hosts (specific hosts of interest, e.g. cloud service providers); Suspect Fat Finger (investigation acceleration). Inside Hosts: Catch All (unclassified space); By Location (for reference and trust boundaries); By Function (for security policy and reporting); By Application (for investigation).
36 Building Groups: Direct Configuration. Suspect Fat Finger: numerous 1-digit transpositions of RFC1918 space. Helps eliminate false positives, e.g. outbound RDP to the Czech Republic, or a defect.
37 Building Groups: Leverage Telemetry. Group Definitions; Search.
38 Group Telemetry: Host Groups is just an XML file!
39 Host Group Automation: Tetration Analytics, contextual IP definitions, IPAM, Threat Intel, ASN:IP databases, etc., with scripted conversion to host groups.
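The host-group model of slides 34 to 39, as an added example (not Stealthwatch's host-group XML schema and not its code): a hierarchical tree of groups holding IP prefixes, classification of an address into every group it belongs to, a check that no prefix lands a host both Inside and Outside, and generation of the "Suspect Fat Finger" group from 1-digit transpositions of the RFC1918 prefixes. The group tree and all prefixes are constructed; the transposition rule (swap one adjacent digit pair in the first two octets, drop results that are still private space) is this example's interpretation of the slide.

```python
# Added example: hierarchical host groups, multi-group classification, the Inside/Outside
# exclusivity check, and a generated Suspect Fat Finger group. Constructed tree and prefixes.
import ipaddress
from typing import Dict, List, Tuple, Union

Tree = Dict[str, Union[List[str], "Tree"]]

# (first octet, second octet or None, prefix length) of the RFC1918 blocks as people type them.
RFC1918 = [("10", None, 8), ("172", "16", 16), ("192", "168", 16)]


def _transpositions(octet: str):
    """Octet values produced by swapping one adjacent digit pair, e.g. 192 -> 129 (912 is > 255)."""
    for i in range(len(octet) - 1):
        s = list(octet)
        s[i], s[i + 1] = s[i + 1], s[i]
        v = int("".join(s))
        if v != int(octet) and v <= 255:
            yield v


def fat_finger_prefixes() -> List[str]:
    """Prefixes a typo in RFC1918 space would land in, excluding anything that is itself private."""
    found = set()
    for o1, o2, plen in RFC1918:
        for t in _transpositions(o1):
            found.add(f"{t}.{o2 or 0}.0.0/{plen}")
        if o2:
            for t in _transpositions(o2):
                found.add(f"{o1}.{t}.0.0/{plen}")
    return sorted(p for p in found if not ipaddress.ip_network(p).is_private)


HOST_GROUPS: Tree = {
    "Inside Hosts": {
        "Catch All": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
        "By Function": {"DNS Servers": ["10.0.0.53/32", "10.0.1.53/32"], "Point of Sale": ["10.20.5.0/24"]},
        "By Location": {"HQ": ["10.0.0.0/16"], "Branch": ["10.20.0.0/16"]},
    },
    "Outside Hosts": {
        "Trusted Internet Hosts": ["203.0.113.0/24"],       # constructed partner range (TEST-NET-3)
        "Suspect Fat Finger": fat_finger_prefixes(),
    },
}


def flatten(tree: Tree, path: Tuple[str, ...] = ()) -> List[Tuple[Tuple[str, ...], ipaddress.IPv4Network]]:
    """(group path, network) pairs for every prefix in the tree."""
    out = []
    for name, value in tree.items():
        if isinstance(value, dict):
            out.extend(flatten(value, path + (name,)))
        else:
            out.extend((path + (name,), ipaddress.ip_network(p)) for p in value)
    return out


def classify(ip: str, tree: Tree = HOST_GROUPS) -> List[str]:
    """Every group path containing `ip`; a host may legitimately be in several."""
    addr = ipaddress.ip_address(ip)
    return sorted({"/".join(path) for path, net in flatten(tree) if addr in net})


def inside_outside_conflicts(tree: Tree = HOST_GROUPS) -> List[Tuple[str, str]]:
    """Prefix pairs that would put one host both Inside and Outside, which the model forbids."""
    inside = [n for p, n in flatten(tree) if p[0] == "Inside Hosts"]
    outside = [n for p, n in flatten(tree) if p[0] == "Outside Hosts"]
    return [(str(a), str(b)) for a in inside for b in outside if a.overlaps(b)]


if __name__ == "__main__":
    print(fat_finger_prefixes())
    for ip in ("10.0.0.53", "192.186.4.7", "8.8.8.8"):
        print(ip, classify(ip))
    print("conflicts:", inside_outside_conflicts())
```

Running `inside_outside_conflicts` after every group edit catches the mistake the slide warns about before it produces wrong Inside/Outside alarms; a host that matches no group at all (`8.8.8.8` above) is the ordinary Internet case and is not an error.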
40 Discovery of Servers Through Flow. Search for top hosts serving traffic; filter on services/applications of interest. Start with well-known services: DNS (UDP/53); mail servers (imap4, smtp); domain controllers (Kerberos AND NetBIOS AND SMB AND LDAP); file and backup servers (nfs, smb).
41 Discovery of DNS Servers Example. Likely DNS servers: go and validate. Examine volume; note the drastic decrease (rogue server or misconfiguration).
42 Validation of Server Classification
43 Validation of Server Classification. Assertion: is an Imaging Archive Server. Check corporate records: compare to any IPAM; reverse DNS; validate corporate ownership; location & subnet. Other activity: what else is it serving, what else is it connecting to, other applications, ports/protocols (flow search: see previous 2 slides). What are the clients? Type of client (ISE), end users.
44 Discovery of Clients: find the top peers communicating with the Imaging Archive Server group.
45 Identifying Inbound Clients: all inbound clients over the course of the day, stack ranked by volume.
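The server and client discovery procedure of slides 40 to 45, as an added example (not the Stealthwatch flow search itself): conversational flow records are ranked by bytes served per well-known service, domain-controller candidates are the hosts that serve Kerberos AND NetBIOS AND SMB AND LDAP rather than any one of them, and the clients of a server group are its top peers by volume, optionally filtered to one application. The flow records and addresses are constructed; the port numbers are the IANA well-known ports for the services the slide names.

```python
# Added example: discover servers by the services they answer on and clients as top peers
# of a server group. Flow records (client, server, proto, server port, bytes served) are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

SERVICES: Dict[str, Set[Tuple[str, int]]] = {     # IANA well-known ports
    "dns": {("udp", 53), ("tcp", 53)},
    "smtp": {("tcp", 25)},
    "imap4": {("tcp", 143)},
    "kerberos": {("tcp", 88), ("udp", 88)},
    "netbios": {("udp", 137), ("udp", 138), ("tcp", 139)},
    "smb": {("tcp", 445)},
    "ldap": {("tcp", 389)},
    "nfs": {("tcp", 2049)},
    "https": {("tcp", 443)},
}
DC_SIGNATURE = ("kerberos", "netbios", "smb", "ldap")    # all four, per the slide

# (client_ip, server_ip, proto, server_port, server_bytes), constructed.
FLOWS: List[Tuple[str, str, str, int, int]] = [
    ("10.1.1.5", "10.0.0.10", "tcp", 88, 4_000), ("10.1.1.5", "10.0.0.10", "udp", 137, 600),
    ("10.1.1.6", "10.0.0.10", "tcp", 445, 80_000), ("10.1.1.6", "10.0.0.10", "tcp", 389, 12_000),
    ("10.1.1.7", "10.0.0.20", "tcp", 445, 900_000), ("10.1.1.7", "10.0.0.20", "tcp", 2049, 5_000_000),
    ("10.1.1.5", "10.0.0.53", "udp", 53, 20_000), ("10.1.1.6", "10.0.0.53", "udp", 53, 18_000),
    ("10.1.1.7", "10.0.0.53", "udp", 53, 22_000),
    ("10.1.1.9", "10.0.5.9", "udp", 53, 300),        # answers DNS for one host only: rogue or misconfigured
    ("10.1.1.5", "10.0.3.30", "tcp", 443, 2_500_000), ("10.1.1.8", "10.0.3.30", "tcp", 443, 40_000),
    ("10.1.1.5", "10.0.3.30", "tcp", 22, 1_000),
]


def top_servers(flows, service: str, n: int = 10) -> List[Tuple[str, int, int]]:
    """Hosts serving `service` as (server_ip, bytes served, distinct clients), largest first."""
    ports = SERVICES[service]
    served, clients = defaultdict(int), defaultdict(set)
    for client, server, proto, port, nbytes in flows:
        if (proto, port) in ports:
            served[server] += nbytes
            clients[server].add(client)
    ranked = sorted(served, key=lambda s: served[s], reverse=True)
    return [(s, served[s], len(clients[s])) for s in ranked[:n]]


def domain_controller_candidates(flows) -> List[str]:
    """Servers that serve every service in DC_SIGNATURE (an AND of the services, not an OR)."""
    hits = [{s for s, _, _ in top_servers(flows, svc, n=10_000)} for svc in DC_SIGNATURE]
    return sorted(set.intersection(*hits))


def top_peers(flows, server_group: Iterable[str], n: int = 10,
              service: Optional[str] = None) -> List[Tuple[str, int]]:
    """Clients of a server group ranked by volume, optionally filtered to one application."""
    group = set(server_group)
    ports = SERVICES[service] if service else None
    volume = defaultdict(int)
    for client, server, proto, port, nbytes in flows:
        if server in group and (ports is None or (proto, port) in ports):
            volume[client] += nbytes
    return sorted(volume.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    print("dns servers:", top_servers(FLOWS, "dns"))
    print("domain controllers:", domain_controller_candidates(FLOWS))
    print("imaging clients (https):", top_peers(FLOWS, {"10.0.3.30"}, service="https"))
```

The DNS ranking shows the "drastic decrease" the slide points at: `10.0.0.53` serves tens of kilobytes to three clients, `10.0.5.9` serves 300 bytes to one; the second is a validation target, not a DNS server. `10.0.0.20` serves SMB but neither Kerberos nor LDAP, so it is a file server, not a domain controller.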
46 Sometimes it's About the Process: loin cut, rolled in peameal (cornmeal is acceptable), brine cure: Canadian Bacon.
47 Identify Application Clients: filter the top peers on known application details (https) to identify potential Radiology Imaging clients.
48 Validate and Classify Clients. Look, a Doctor! Classify into the Radiology Imaging Client group.
49 Automatic Classification: first introduced in Stealthwatch 6.7; currently only for scanners; expect to see significant enhancements.
50 Begin Mapping Dependencies and Policy
51 Begin Mapping Dependencies and Policy: inter-system relationships.
53 Stealthwatch as a Telemetry Source. Data Exporter: high-speed export of Stealthwatch bi-flow via web socket (Flow Collector 4000/5000 models) to another application.
54 Stealthwatch Data Exporter: Splunk. Use Data Exporter to move bi-flow data into Splunk.
55 Segmentation Service: analysis & segment definition. Inputs: Stealthwatch bi-flow, sessions & groups, AD, IPAM, host groups, meta data, custom rules (Segmentation Service software). Output: Host Groups, NGFW ACLs, SGTs.
56 Cluster Analysis
57 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets; Designing and Implementing Policy.
58 Starting a Segmentation Design. Discuss the assets to protect (example: cardholder data, medical records, intellectual data); classification mechanisms (example: dynamic, static, etc.); policy enforcement points (DC segmentation: DC virtual/physical switches or virtual/physical firewalls; user-to-DC access control: identify capable switches or firewalls in the path); propagation methods (inline tagging, SXP, DM-VPN, GET-VPN, IPsec, VXLAN, etc.).
59 Logical Groupings Based On Business Goals: business-based groupings provide consistent policy and access independent of network topology; leverage attributes such as location and device type to define group assignments. Example groups: Contractor (Contractor 1, 2, 3, 4); Employee (Employee 1, 2, 3, 4); Building Management 50 (Temperature Device 1, Temperature Device 2, Surveillance Device 1, Surveillance Device 2); Finance Server (Fin 1, Fin 2); Printers (Printer 1, Printer).
60 Approaching a Design. Start with the desired goals in mind, e.g. controlled access to production systems or PCI servers, etc. Remember many use cases can be localized, for example: user-to-DC access control; BYOD; contractor access control; extranet security; simplifying firewall rules, VPN access, ACLs or WSA rules. Problems where OpEx is high can be good places to start: complex ACLs and firewall rule complexity are good indicators of where dynamic objects (TrustSec, ID Firewall, etc.) will help the most.
61 Starting a Design. First, think about the assets to protect (cardholder data, medical records). Choose mechanisms for classifying systems (assigning SGTs to assets). Based on the policy goals, choose where policy enforcement is needed, e.g. DC segmentation for Production vs. Non-Production zones (DC virtual/physical switches or virtual/physical firewalls protecting those assets) or user-to-DC access control (identify capable switches or firewalls in the path where we can enable initial enforcement). Choose how to propagate objects to the policy enforcement devices in an automated fashion: management/control plane (REST APIs with pub/sub, pxGrid, SXP, etc.) or data plane (TrustSec over VXLAN, DMVPN, etc.; ACI over VXLAN, etc.; NSH).
62 Security Object Initial Considerations. Unlike traditional segmentation/access control, adding dynamically assigned groups later should be easy (TrustSec, ID FW, etc.): no configuration impact on infrastructure, all group config is centralized. Keep groups as simple as possible whilst still meeting policy requirements; it is easy to add Security Objects later as needed. It should not be necessary to transfer complexity, like extensive AD groups, into Security Objects (not 1 AD group : 1 Security Object). Compliance goals and roles previously used for VLAN assignment tend to be simple. Consider whether all roles need a Security Object assigned. Remember that group membership may change very frequently, but groups and group-based policies tend not to change frequently.
63 Group-based Policies in Firewalls. Simplified rule management: define protected assets by their role, not their IP address; groups are retrieved from ACI and TrustSec-enabled data centers. Avoids complexity and add/move/change effort; leads to a much simpler and smaller rulebase; consistent, clear, simple rules.
64 Security Object Relationship Mapping (diagram). All Groups: External (Guests, Internet, Partner); Users (User1App1, User1App2, User1App3, User1App4, User2App1, Audit, Admin, Non Compliant); Devices (Device1 App1, Device1 App2, Device1 App3, Device2 App1, Device2 App3, Device 3 App1, BYOD Access, Security, Guest Devices, Unified Comm., HVAC, Billing); Apps/Services (AD Server, App1, App3, Unified Comm., HVAC, Network Services).
65 Classification Methods: Static vs. Dynamic. Dynamic mechanisms (ideal for users and mobile devices, and for virtual systems): 802.1X, WebAuth, MAB, Profiling, Passive ID (Easy Connect), ACI (App-Centric), V. Port Profile, pxGrid & REST APIs; e.g. SGT #1 (user endpoints), SGT #2. Static mechanisms (internal resources, internal IT infrastructure and topology-based policy, partner & external 3rd party connections): IP address, subnets, VLANs, L3 interface, VN, port; e.g. SGT #3, SGT #4.
66 Identify Where Groups Need to be Created/Assigned. Based on the assets to protect, identify where we need to classify: end user/endpoint is classified with SGT (campus access); BYOD device is classified with SGT (WLC); SVI interface is mapped to SGT (distribution/core); VLAN is mapped to SGT; physical server is mapped to SGT (DC access/EOR); virtual machine is mapped to SGT (hypervisor switch). Diagram: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, EOR, DC Access, FW.
67 Enabling Classifications. Many migration options can be used to make enabling easy. If per-user authorization is not in place, enabling VLAN, subnet and L3 interface mappings can provide coarse classification initially; per-user authorization (TrustSec, Passive ID) can then override the static classification. Many systems may get Unknown classification assignments initially; focus on the explicit classifications needed to meet policy. Keeping classifications simple can mean days, not weeks, to enable.
68 Security Object Single Application Mappings (diagram). Users: User1App1, User2App2, Admin. Devices: Device1 App1, Device1 App2, Device2 App1, Device 3 App1, Billing. Apps/Services: AD Server, App1, App2, Network Services.
69 Policy Matrix Example. Legend: ACL, Deny, Permit.
70 Deployment Approach (Monitor Mode). Users connect to the network; Monitor Mode allows traffic regardless of authentication. Authentication can be performed passively, resulting in group assignments. Classified traffic traverses the enterprise network (Catalyst switches/WLC), allowing monitoring and validation that assets are correctly classified and that traffic flows to assets are as predicted/expected. Monitor-mode matrix, SRC \ DST: PCI Server (2000), Prod Server (1000), Dev Server (1010). Employees (100): Deny Permit all all (M) Permit all Deny Permit all all (M). PCI User (105): Permit all Permit all Deny Permit all all (M). Unknown (0): Deny Perm
it all all (M) Permit all Deny Permit all all (M).
71 Enabling Group-Based Policies Across the Enterprise. Goal: consistent security groups and identity shared between TrustSec and ACI domains. Allow TrustSec security groups to be used in ACI policies; allow ACI EndPoint Groups to be used in policies across the enterprise; simplified management of security appliances using both TrustSec and ACI classifications. Diagram: TrustSec Policy Domain (Campus / Branch / Non-ACI DC, ISE 2.1; groups Voice, Employee, Supplier, BYOD; Voice VLAN, Data VLAN) and ACI Policy Domain (APIC Data Center; ACI Fabric EPGs Web, App, DB).
72 TrustSec Security Groups Provisioned in ACI: ISE dynamically provisions TrustSec Security Groups in the ACI fabric; TrustSec groups are represented as External EPGs.
73 TrustSec Domain Automatically Aware of ACI Application Servers: ISE dynamically learns EPGs and VM bindings (VM1 to VM1000) from the ACI fabric, so TrustSec policies control access to ACI data centers.
74 Group Policy APIs: share group info to simplify policy management; share classifications to reduce SecOps effort, deliver consistency and simplify audit. Enterprise Security Groups are exchanged, via scripts that read/write groups, with AWS Security Groups, Azure Network Security Groups, Rackspace Security Groups, OpenStack Security Groups, ACI EndPoint Groups (APIC DC), ODL groups and VTS groups. Multiple clouds with consistent policy; foundation for DNA/SDA.
75 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets; Designing and Implementing Policy; Monitoring Security Policy.
76 Crypto Compliance (ETA): Are my services cryptographically compliant? Filter/sort results on cryptographic information (e.g. SSL vs. TLS).
77 Stealthwatch Security Model: an algorithm tracks and/or measures behaviour/activity; when suspicious behaviour is observed or an anomaly is detected, a security event is generated; the notification of that security event is an alarm.
78 Alarm Categories: each category accrues points.
79 Monitoring of Traditional Segmentation Policies: PCI Zone Map; forbidden relationships; inter-system relationships.
80 Policy Violation: Host Locking. Defined by client group, server group, client traffic conditions, server traffic conditions, successful or unsuccessful.
81 Visibility into Group Policy. Source and destination group numbers and names are stitched into the flow table: the source and destination groups are collected from flow records; the IP-SGT binding is collected from pxGrid with Stealthwatch.
82 NetFlow SGT Support. Source Tag: retrieved from the packet. Destination Tag: derived based on destination IP address. Switch Derived Source Tag (4K only): value applied on the packet on egress. SGT Table (6K only): export in NetFlow template data tables mapping Security Group Tags to Security Group Names. SGACL Drop Record (6K only): generate a flow record on an SGACL drop.
83 SGT-NetFlow Device List (columns: Device; First Release; Source Tag; Destination Tag; Switch-Derived SGT; SGT Table; SGACL Drop Record).
Catalyst 6500 (Sup2T): IOS 15.1(1)SY1; Yes (match); Yes (match); No; Yes; Yes (dedicated monitor).
ISR, ASR, CSR: IOS XE 3.13S; Yes; Yes; No; No; No.
Catalyst 3850, 3650: IOS XE 3.7.1E, IOS XE 3.6.3E*; Yes (match); Yes (match); No; No; No.
Catalyst 4500 (Sup 7-E, 7L-E, 8-E): IOS XE 3.7.1E, IOS XE 3.6.3E*; Yes (collect); Yes (collect); Yes; No; No.
ASA: No; No; No; No; NSEL Record.
Stealthwatch FlowSensor: 6.8; Yes; No; No; No; No.
84 Considerations: 3850. Ingress: Source Tag sources: derived from the packet header. DGT sources: derived based on destination IP lookup; SGACL enforcement must be enabled; trunk link only. Egress: Source Tag sources: incoming packet header, port-configured SGT, IP-to-SGT mapping. Destination Tag sources: derived based on destination IP lookup; requires SGACL enforcement to be enabled; trunk link only!
!
flow monitor cts-cyber-monitor-in
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-in
!
!
flow monitor cts-cyber-monitor-out
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-out
!
interface GigabitEthernet1/0/1
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!
vlan configuration 100
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!
85 Considerations: 3850 (flow records).
!
flow record cts-cyber-3k-in
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow record cts-cyber-3k-out
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
86 Considerations: 4500 Sup 7-E, 7L-E, 8-E. Source Tag: packet header; maximum 12K distinct SRC-IPs. Destination Tag: derived based on destination IP. Switch Derived Source Tag: the SGT enforced on the packet by the switch (policy acquisition: SGT in the packet, SGT lookup on source IP, port SGT lookup, SGT on the packet at egress).
!
flow record cts-cyber-4k
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect flow cts source group-tag
 collect flow cts destination group-tag
 collect flow cts switch derived-sgt
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
87 Considerations: 6500 Sup 2T. TrustSec data table: export the SGT-SGN mapping in the NetFlow template. SGACL Drop: a flow record is generated on a drop; requires a dedicated Flow Monitor. Source Tag: packet header, IP-SGT lookup. Destination Tag: derived based on destination IP lookup.
!
flow record cts-cyber-6k
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow cts source group-tag
 match flow cts destination group-tag
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
88 Considerations: 6500 Sup2T SGACL Drop config, exporter and monitor:
!
flow exporter ise
 destination
 source TenGigabitEthernet2/1
 transport udp 9993
 option cts-sgt-table timeout 10
!
flow monitor FNF_SGACL_DROP
 exporter ise
 record cts-record-ipv4
!
cts role-based ip flow monitor FNF_SGACL_DROP dropped
!
flow exporter CYBER_EXPORTER
 destination
 source TenGigabitEthernet2/1
 transport udp 2055
 option cts-sgt-table timeout 10
!
flow monitor CYBER_MONITOR
 exporter CYBER_EXPORTER
 cache timeout active 60
 record cts-cyber-6k
!
89 Considerations: ISR, ASR, CSR. Source Tag: packet header, IP-SGT lookup. Destination Tag: destination IP lookup.
!
flow record cts-cyber-ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
90 Modeling Group Policy in Stealthwatch: a custom event triggers on a traffic condition; rule name and description; source tag; destination tag; trigger on traffic in both directions; successful or unsuccessful.
91 Modeling Group Policy in Stealthwatch: create flow-based rules for all proposed policy elements; a Policy Violation alarm will trigger if the condition is met, simulating the proposed drop.
92 Modeling Policy: Alarm Occurrence. Alarm dashboard showing all Policy alarms; details of the Employee to Production Servers alarm occurrences.
93 Modeled Policy: Flow Details (How, When, Who, Where, What, Who; Source Tag, Destination Tag). Is this communication permissible? Yes: tune. No: respond.
94 Monitoring Unified SGT-ACI Policy (diagram): Cisco ISE publishes group definitions (SGT definitions) over pxGrid; policy-plane integration with APIC-DC pushes policy (EPG definitions); Tetration Analytics receives Tetration telemetry, NetFlow and SPAN. TrustSec domain: pci_users SGT: 16. ACI domain: EV_appProfile_LOB2_App1EPG SGT: .
95 Monitoring Unified SGT-ACI Policy
C6K2T-CORE-1#show flow monitor CYBER_MONITOR cache filter ipv4 destination address
--snip--
IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL: 1
tcp flags: 0x00
interface output: Te2/1
counter bytes: 1320
counter packets: 22
timestamp first: 04:04:
timestamp last: 04:04:

IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG:
IP PROTOCOL: 1
tcp flags: 0x00
interface output: Te2/1
counter bytes: 1440
counter packets: 24
timestamp first: 04:04:
timestamp last: 04:04:

C6K2T-CORE-1#sho cts environment-data
--snip--
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Devices
  3-00:Network_Services
  4-00:Employees
  5-00:Contractors
  6-00:Guests
  7-00:Production_Users
  8-00:Developers
  9-00:Auditors
  10-00:Point_of_Sale_Systems
  11-00:Production_Servers
  12-00:Development_Servers
  13-00:Test_Servers
  14-00:PCI_Servers
  15-00:BYOD
  16-00:pci_users
  :Quarantined_Systems
  :EV_appProfile_LOB1_Web1EPG
  :EV_appProfile_LOB1_App1EPG
  :EV_appProfile_LOB1_DB1EPG
  :EV_appProfile_NetworkServicesEPG
  :EV_appProfile_LOB2_App1EPG
--snip--
96 Monitoring Unified Policy: Stealthwatch Flow. Source group assigned by ISE authorization; endpoint group defined in APIC.
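The "group numbers and names stitched into the flow table" step of slides 81 and 94 to 96, as an added example (not Cisco or Stealthwatch code): the Security Group Name Table lines of `show cts environment-data` are parsed into a tag-to-name map, the one-field-per-line records of `show flow monitor ... cache` are split into dictionaries, and each record is decorated with both group names. The name-table text below copies the numbered lines from slide 95; the two cache records are constructed (addresses, ports, tags and counters), because the slide's addresses did not survive transcription.

```python
# Added example: parse IOS `show cts environment-data` and `show flow monitor ... cache` output
# and decorate each flow with its source and destination group names. Name-table lines are
# copied from the slide; the two cache records are constructed.
import re
from typing import Dict, List

SGT_TABLE_TEXT = """
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Devices
  3-00:Network_Services
  4-00:Employees
  5-00:Contractors
  6-00:Guests
  7-00:Production_Users
  8-00:Developers
  9-00:Auditors
  10-00:Point_of_Sale_Systems
  11-00:Production_Servers
  12-00:Development_Servers
  13-00:Test_Servers
  14-00:PCI_Servers
  15-00:BYOD
  16-00:pci_users
"""

FLOW_CACHE_TEXT = """
IPV4 SOURCE ADDRESS: 10.7.16.21
IPV4 DESTINATION ADDRESS: 10.9.11.4
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 16
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL: 1
tcp flags: 0x00
interface output: Te2/1
counter bytes: 1320
counter packets: 22
timestamp first: 04:04:12.001
timestamp last: 04:04:33.517

IPV4 SOURCE ADDRESS: 10.7.16.21
IPV4 DESTINATION ADDRESS: 10.9.11.5
TRNS SOURCE PORT: 51000
TRNS DESTINATION PORT: 443
FLOW CTS SOURCE GROUP TAG: 16
FLOW CTS DESTINATION GROUP TAG: 11
IP PROTOCOL: 6
tcp flags: 0x1A
interface output: Te2/1
counter bytes: 1440
counter packets: 24
timestamp first: 04:04:40.210
timestamp last: 04:04:41.004
"""

_TABLE_ENTRY = re.compile(r"^\s*(\d+)-\w+:(\S+)\s*$")


def parse_sgt_table(text: str) -> Dict[int, str]:
    """SGT number -> name from `N-xx:Name` lines; lines without a number are skipped."""
    table = {}
    for line in text.splitlines():
        m = _TABLE_ENTRY.match(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def parse_flow_cache(text: str) -> List[Dict[str, str]]:
    """Blank-line separated records of `FIELD: value` lines -> dicts keyed by lower-cased field."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")      # first colon only: timestamps keep theirs
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def sgt_name(table: Dict[int, str], tag: int) -> str:
    return table.get(tag, f"SGT-{tag} (no name in table)")


def decorate_records(cache_text: str = FLOW_CACHE_TEXT, table_text: str = SGT_TABLE_TEXT) -> List[dict]:
    table = parse_sgt_table(table_text)
    out = []
    for rec in parse_flow_cache(cache_text):
        sgt = int(rec["flow cts source group tag"])
        dgt = int(rec["flow cts destination group tag"])
        out.append({
            "src": rec["ipv4 source address"], "dst": rec["ipv4 destination address"],
            "proto": int(rec["ip protocol"]), "dst_port": int(rec["trns destination port"]),
            "src_sgt": sgt, "src_group": sgt_name(table, sgt),
            "dst_sgt": dgt, "dst_group": sgt_name(table, dgt),
            # DGT 0 = Unknown: the switch has no IP-SGT binding for the destination, so that
            # server is not yet classified (the initial Unknown case slide 67 warns about).
            "dst_unclassified": dgt == 0,
        })
    return out


if __name__ == "__main__":
    for r in decorate_records():
        print(r["src"], r["src_group"], "->", r["dst"], r["dst_group"], "proto", r["proto"], "port", r["dst_port"])
```

In the first record protocol 1 with destination port 2048 is NetFlow's encoding of ICMP type 8, code 0 (echo request), the same shape as the records on slide 95; its destination tag of 0 is the signal to go back to classification, not a policy decision.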
97 Agenda Introduction Harnessing Network Telemetry Discover and Classify Assets Design and implementing policy Monitoring security policy Active Enforcement
98 Enabling Enforcement: Example with TrustSec Egress Enforcement (Security Group ACL)
Topology: users and endpoints on the campus network (Catalyst 3K/4K/6K switches, WLC) reach the PCI, production and development servers behind an N7K, which starts in monitor mode with this matrix:

  SRC \ DST        PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
  Employees (100)  Deny all            Deny all             Permit all
  PCI User (105)   Permit all          Permit all           Permit all
  Unknown (0)      Deny all            Deny all             Permit all

Enforcement may be enabled gradually, on a per-destination Security Group basis.
Initially use SGACLs with deny logging enabled (remove log later if not required).
Keep the default policy as permit and allow traffic with an unknown SGT during deployment.
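The two pieces of monitoring output on slide 95 and the monitor-mode matrix on this slide fit together as a "would it work?" check. The following Python is an added example (not from the session): it parses the flow-cache records for their CTS source and destination group tags, resolves the tags through the environment-data name table, and scores each flow against the matrix, flagging tag pairs for which the matrix has no cell and the deployment-time default decided. The addresses, the tag numbers in the name-table excerpt and the packet counts are constructed.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout of the 'show flow monitor ... cache' output on the
# monitoring slide; addresses are constructed (the transcript did not reproduce them).
FLOW_CACHE = """\
IPV4 SOURCE ADDRESS:            10.1.10.25
IPV4 DESTINATION ADDRESS:       10.200.1.5
FLOW CTS SOURCE GROUP TAG:      100
FLOW CTS DESTINATION GROUP TAG: 2000
IP PROTOCOL:                    1
counter packets:                22

IPV4 SOURCE ADDRESS:            10.1.20.7
IPV4 DESTINATION ADDRESS:       10.200.2.9
FLOW CTS SOURCE GROUP TAG:      105
FLOW CTS DESTINATION GROUP TAG: 1000
IP PROTOCOL:                    6
counter packets:                40

IPV4 SOURCE ADDRESS:            10.1.10.31
IPV4 DESTINATION ADDRESS:       10.250.0.4
FLOW CTS SOURCE GROUP TAG:      100
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL:                    1
counter packets:                24
"""

# Constructed excerpt in the layout of 'show cts environment-data'; tags chosen to match the matrix.
SG_NAME_TABLE = """\
Security Group Name Table:
    0-00:Unknown
  100-00:Employees
  105-00:PCI_User
 1000-00:Production_Servers
 1010-00:Development_Servers
 2000-00:PCI_Servers
"""

# Monitor-mode matrix from the enforcement slide: (source SGT, destination SGT) -> action.
MATRIX = {
    (100, 2000): "deny",   (100, 1000): "deny",   (100, 1010): "permit",
    (105, 2000): "permit", (105, 1000): "permit", (105, 1010): "permit",
    (0, 2000): "deny",     (0, 1000): "deny",     (0, 1010): "permit",
}


def parse_flow_cache(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated records into {FIELD NAME: value} dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)  # first colon only; timestamps contain colons
                rec[key.strip().upper()] = value.strip()
        records.append(rec)
    return records


def parse_sg_names(text: str) -> Dict[int, str]:
    """Map SGT number to group name from 'NNN-00:Name' lines."""
    return {int(n): name for n, name in re.findall(r"^\s*(\d+)-\d+:(\S+)", text, re.MULTILINE)}


def evaluate(records, matrix, names, default="permit") -> List[dict]:
    """One verdict per flow. 'covered' is False when the matrix has no cell for the tag
    pair, so the deployment-time default (permit) decided the verdict."""
    verdicts = []
    for rec in records:
        src = int(rec["FLOW CTS SOURCE GROUP TAG"])
        dst = int(rec["FLOW CTS DESTINATION GROUP TAG"])
        verdicts.append({
            "src": rec["IPV4 SOURCE ADDRESS"], "dst": rec["IPV4 DESTINATION ADDRESS"],
            "src_group": names.get(src, f"SGT{src}"), "dst_group": names.get(dst, f"SGT{dst}"),
            "proto": rec.get("IP PROTOCOL"), "packets": int(rec.get("COUNTER PACKETS", 0)),
            "action": matrix.get((src, dst), default), "covered": (src, dst) in matrix,
        })
    return verdicts


def summarize(verdicts) -> Dict[str, int]:
    """Packets that would be permitted/denied once enforced, plus flows no cell covers."""
    totals = Counter()
    for v in verdicts:
        totals["packets_" + v["action"]] += v["packets"]
        if not v["covered"]:
            totals["uncovered_flows"] += 1
    return dict(totals)


def main():
    verdicts = evaluate(parse_flow_cache(FLOW_CACHE), MATRIX, parse_sg_names(SG_NAME_TABLE))
    for v in verdicts:
        note = "" if v["covered"] else "  (no matrix cell; default applied)"
        print(f'{v["src"]} [{v["src_group"]}] -> {v["dst"]} [{v["dst_group"]}] '
              f'proto {v["proto"]}: {v["action"]}{note}')
    print(summarize(verdicts))


if __name__ == "__main__":
    main()
```

Flows reported as uncovered are the ones to resolve before the default is flipped away from permit, since they are exactly the traffic the matrix has not yet made a decision about.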
99 Centralized SGACL Management in ISE
100 Applying SGACLs
SGACL_1:
  permit tcp dst eq 443
  permit tcp dst eq 80
  permit tcp dst eq 22
  permit tcp dst eq 3389
  permit tcp dst eq 135
  permit tcp dst eq 136
  permit tcp dst eq 137
  permit tcp dst eq 138
  permit tcp dst eq 139
  deny ip
101 Policy Deployment: Incremental Deployment/Rollback
A staging matrix allows changes to be applied on a controlled basis.
Incremental deployment: apply changes across more of the network as desired.
Ability to back out changes.
Uses a workflow process with approval.
102 Validation: What am I eating? Canadian bacon, or ham?
103 Monitoring as Enforcement is Enabled
Dynamic security objects reduce SecOps effort but work differently; operations staff need to understand them.
Dynamic security functions are audited differently, but more easily and more accurately.
Some new functions should be monitored.
Management-plane and control-plane notifications and logging need to be managed.
Need to log dynamic security object membership.
104 ACL Monitoring
ACL deny logging on switches/routers is best effort.

C6K2T-CORE-1#sho cts role-based permissions
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
        Malware_Prevention-11
C6K2T-CORE-1#sho ip access-list
Role-based IP access list Deny IP-00 (downloaded)
    10 deny ip
Role-based IP access list Malware_Prevention-11 (downloaded)
    10 deny icmp log-input (51 matches)
    20 deny udp dst range  log-input
    30 deny tcp dst range  log-input
    40 deny udp dst eq domain log-input

*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp (GigabitEthernet1/1 ) -> (8/0), 119 packets
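The deny syslog above names the SGACL, not the tag pair, so tying a logged deny back to a matrix cell needs the binding from 'show cts role-based permissions'. This Python is an added example (not from the session) that parses both and sums denied packets per cell, ACL, destination and service; it also handles the case where one SGACL name is bound to several cells, which makes the log line alone ambiguous. The log lines, addresses and MAC addresses are constructed; the IPACCESSLOGP form (TCP/UDP, ports after the addresses) is the IOS counterpart of the ICMP message shown on the slide.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the layout of 'show cts role-based permissions' on the slide.
# 'Deny IP-00' is deliberately bound to two cells to exercise the ambiguity handling.
RBACL_PERMISSIONS = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
        Malware_Prevention-11
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 14:PCI_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 6:Guests to group 14:PCI_Servers:
        Deny IP-00
"""

# Constructed syslog lines. IPACCESSLOGDP is the ICMP form shown on the slide (type/code in
# the last parentheses); IPACCESSLOGP is the TCP/UDP form with ports after the addresses.
SYSLOG = """\
*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp 10.1.10.25 (GigabitEthernet1/1 0011.2233.4455) -> 10.200.1.5 (8/0), 119 packets
*May 24 04:51:12.301: %SEC-6-IPACCESSLOGP: list Malware_Prevention-11 denied udp 10.1.10.25(53122) (GigabitEthernet1/1 0011.2233.4455) -> 10.200.1.5(53), 3 packets
*May 24 04:52:40.777: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp 10.1.10.25 (GigabitEthernet1/1 0011.2233.4455) -> 10.200.1.5 (8/0), 40 packets
*May 24 04:53:01.004: %SEC-6-IPACCESSLOGP: list Deny IP-00 denied tcp 10.1.10.31(40222) (GigabitEthernet1/1 0011.2233.aabb) -> 10.200.1.9(443), 1 packet
"""

PERM_RE = re.compile(r"from group \d+:(\S+) to group \d+:(\S+):\s*\n\s*(.+)")
LOG_RE = re.compile(
    r"^\*?(?P<ts>\w+ +\d+ [\d:.]+): %SEC-6-IPACCESSLOG(?:DP|P): "
    r"list (?P<acl>.+?) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? \((?P<intf>\S+) \S+\) -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<type>\d+)/(?P<code>\d+)\))?, "
    r"(?P<pkts>\d+) packets?$"
)


def parse_rbacl_permissions(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """SGACL name -> list of (source group, destination group) cells it is bound to."""
    cells = defaultdict(list)
    for src, dst, acl in PERM_RE.findall(text):
        cells[acl.strip()].append((src, dst))
    return dict(cells)


def parse_deny_logs(text: str) -> List[dict]:
    """Parse ACL deny messages; 'service' is the destination port or the ICMP type/code."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        e = m.groupdict()
        e["pkts"] = int(e["pkts"])
        e["service"] = e["dport"] or (f'{e["type"]}/{e["code"]}' if e["type"] else "-")
        events.append(e)
    return events


def attribute(events: List[dict], cells) -> Dict[Tuple[str, ...], int]:
    """Sum denied packets per (src group, dst group, ACL, proto, destination, service).
    The cell is known only when the SGACL is bound to exactly one cell; otherwise the tag
    pair has to come from the NetFlow SGT fields instead. Switch ACL logging is best effort
    (rate limited), so these totals are a lower bound to reconcile with the match counters
    from 'show ip access-list'."""
    totals = defaultdict(int)
    for e in events:
        bound = cells.get(e["acl"], [])
        src_grp, dst_grp = bound[0] if len(bound) == 1 else ("ambiguous", "ambiguous")
        totals[(src_grp, dst_grp, e["acl"], e["proto"], e["dst"], e["service"])] += e["pkts"]
    return dict(totals)


def main():
    totals = attribute(parse_deny_logs(SYSLOG), parse_rbacl_permissions(RBACL_PERMISSIONS))
    for key, pkts in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{pkts:>6} packets  {' / '.join(key)}")


if __name__ == "__main__":
    main()
```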
105 FirePOWER Services Redirect
Create a service policy to forward suspicious traffic to FirePOWER Services.
106 Threat Defense With ACI
TrustSec policy domain: enterprise network and Internet edge (FP 9300, ASA 5585). ACI policy domain: APIC DC.
ISE learns about ACI EPGs and shares them via pxGrid (provides threat defense for flows to the ACI DC). Quarantine through ISE EPS: CoA sent over pxGrid.

  Source Criteria          Destination Criteria   Service   Action
  IP     SGT               IP     SGT
  any    Quarantined       any    WEB_EPG         any       Deny
107 Agenda Introduction Harnessing Network Telemetry Discover and Classify Assets Design and implementing policy Monitoring security policy Active Enforcement Conclusion
108 Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions
109 Related Breakouts
BRKSEC-3014 Security Monitoring with Stealthwatch: The Detailed Walkthrough, Matt Robertson, Monday, June 26, 1:30 - 3:30 pm
BRKSEC-3690 Advanced Security Group Tags: The Detailed Walkthrough, Darrin Miller, Monday, June 26, 1:30 - 3:30 pm
BRKSEC-2203 Enabling Software Defined Segmentation with TrustSec, Fay Lee, Tuesday, June 27, 4:00 - 5:30 pm
BRKSEC-2695 Building an Enterprise Access Control Architecture, Imran Bashir, Tuesday, June 27, 8:00 - 10:00 am; Wednesday, June 28, 1:30 - 3:30 pm
BRKSEC-3697 Advanced ISE Services, Tips and Tricks, Aaron Woland, Tuesday, June 27, 8:00 - 10:00 am; Wednesday, June 28, 1:30 - 3:30 pm
110 Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
Complete your session surveys through the Cisco Live mobile app or online.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event.
111 Key Takeaways
The network can provide telemetry to build effective security policy.
Stealthwatch and ISE provide visibility into users, devices and activity.
TrustSec is used to dynamically segment and program the network.
112 Thank you