Cisco NGFW and UTM update Security Expert Call series


1 Cisco NGFW and UTM update. Security Expert Call series, 6th of October. Istvan Segyik (CCIE security #47531), Escalations Engineer, Cisco GVE, isegyik@cisco.com

2 Today's topics: Cisco Firepower NGFW overview; Cisco NGFW platforms and software editions; Firepower 6.1: what is new?; Cisco Meraki Cloud Managed networking overview; Cisco Meraki MX security gateways; Demo: quick impression on both systems; Q&A

3 Cisco Firepower NGFW

4 Cisco NGFW overview

5 Secure the perimeter and the DC while... New demands; more things; sophisticated threats. Global collaboration; private and public cloud datacenters; anywhere access, BYOD; sophisticated penetration; complex malware. Access is tougher to manage; visibility is more elusive; threats are harder to stop.

6 What Cisco offers is... Cisco Firepower NGFW: threat focused, fully integrated. Stop more threats; gain more insight; detect earlier, act faster; reduce complexity; get more from your network.

7 Major NGFW system components (diagram): DNS sinkhole; security feeds (URL, IP, DNS); dynamic and static NAT; high availability; high bandwidth; SSL decryption engine; AVC; NGIPS; AMP file inspection; AMP Threat Grid. Other diagram labels: Allow, Block, DMZ, Internet, Firewall, Private Network.

8 Wait! Where is anti-spam?! *+%#& Cisco NGFW can: Inspect SMTP, POP3, IMAP, etc. traffic as an application and transport method for data; Inspect the content, look for malware; Do these things fast. But security is more than a potentially added single anti-spam engine: Multiple anti-spam engines, flexible SPAM quarantine; authentication, integration: SPF, DKIM, DMARC handling; Sophisticated filtering: application parameters, content, volumetric, etc.; Conditional routing; Graymail detection, classification, proper control; Handling payload encryption (S/MIME, CRES, PGP, other proprietary...); Granular reporting; Etc. We recommend our market leading Security Appliance:

9 NGFW components: Firewall. All NGFW editions have stateful inspection firewall functionality. The ASA+Firepower (Hybrid) and Firepower Threat Defense (Unified) editions use the ASA (LINA) firewall engine, which: Is the world's most proven stateful inspection engine and is being continuously developed; Has sophisticated Application Level GW (ALG) functions that let modern applications pass safely through the FW and address translation. Legacy Sourcefire appliances have a good firewall too.

10 NGFW components: SSL decryption. By now all hardware platforms support SSL decryption... but all of them do it in software, or with minimal HW assistance, on the data plane CPUs. The next generation platforms have high performance cryptographic accelerator ASICs: At the moment they are used for IPsec acceleration only; A forthcoming software release is going to enable HW acceleration of SSL/TLS decryption. On the other hand, be aware of big industry players' intention to prevent enterprise firewalls and proxies from sniffing into TLS/SSL channels!

11 NGFW components: Application Visibility & Control (AVC). Cisco database (based on OpenAppID): 4,000+ apps. Diagram labels: Network & users; OpenAppID; Prioritize traffic. See and understand risks; enforce granular access control; prioritize traffic and limit rates; create detectors for custom apps.

12 NGFW components: web controls. Diagram labels: Filtering; NGFW; Security feeds (URL, IP, DNS); Safe Search; Cisco URL Database; DNS Sinkhole; Category-based Policy Creation; Admin; example category "gambling" with Allow / Block. Classify 280M+ URLs; filter sites using 80+ categories; manage allow/block lists easily; block latest malicious URLs.

13 NGFW components: web controls - explained. We have dynamic URL category filtering and URL, IP and DNS reputation filtering capabilities. They are different technologies with mainly different purposes and very little overlap. Dynamic URL filtering: Huge, cached DB of URLs with on-demand query when an unknown URL is seen; 80 categories, plus each URL has a reputation score; Now provides Safe Search capabilities too; Primary intention is enforcing acceptable web usage; Requires URL license. URL and IP reputation filtering: Cisco Talos provided or custom static list of categorized URLs and IP addresses, pre-downloaded and cached; URLs on this list can be handled together with Dynamic URL categories in an Access Control Policy rule, but this is a separate feed; They focus on known bad hosts; They are included in the Threat license along with IPS functionality.

14 NGFW components: web controls explained cont. DNS reputation filtering: Talos provided list of domain names, pre-positioned and cached; This feeds the DNS sniffing and redirection engine; Included in the Threat license along with IPS and IP/URL reputation feeds. Wait...! OpenDNS? Not yet. Talos might use some information from ODNS for this feed, but there is no direct API connection to the ODNS cloud in this case. Still, ODNS can be used in parallel with a Cisco NGFW... and that makes sense: ODNS is the best tool to prevent connections to suspicious hosts behind dynamically generated fast flux domains.

15 NGFW components: Intrusion Prevention System. There are multiple Snort engines running in parallel. Cisco Talos provides signature updates and/or 3rd party feeds can be used as well. The IPS system is tightly integrated with the AVC engine, which is based on OpenAppID. Highly tunable: Custom policies and rules can be added over the GUI or imported in Snort rule format; Cloning policies, policy sections and rules can be done on the GUI; Access Control Policy can assign separate IPS policy to a rule; Intelligent Application Bypass can SECURELY optimize inspection for certain applications. Advanced pre-processors for: Protocol normalization; Fighting certain attacks like volumetric DoS; Increasing application protocol security, e.g. SIP or SCADA protocols.

16 NGFW components: improved traffic control. Identity integration: ISE pxgrid, VDI, Captive Portal, Active/Passive, NTLM, Kerberos. True-IP policy: X-Forwarded-For, True-Client-IP, custom headers. Rate limiting: rule-based limits, reports, QoS rules. Tunnel policy: pre-filtering, priority policy, policy migration. Target threats accurately; enforce authentication; analyze headers in more depth; control application usage; block unwanted traffic early.

17 NGFW components: anti-malware nice diagram. Diagram labels: File Reputation; File & Device Trajectory; AMP for Endpoint Log; AMP for Network Log; Known Signatures; Fuzzy Fingerprinting; Indications of compromise; Threat Grid Sandboxing; Advanced Analytics; Dynamic analysis; Threat intelligence; Threat Disposition (Uncertain, Safe, Risky); Sandbox Analysis; Enforcement across all endpoints. Block known malware; investigate files safely; detect new threats; respond to alerts.

18 NGFW components: anti-malware explanation. FireAMP for Networks runs on Cisco NGFW products. It is a composite engine: Creates a hash and runs a reputation check against AMP Cloud or an on-premises Private AMP appliance; Creates a behavior pattern analysis for executables and compares that against the AMP Cloud (Spero engine); May run a local ClamAV check (traditional, off-line AV engine); Can submit a file to the Cisco Threat Grid Cloud or an on-premises dynamic analysis (sandbox) system; Can store files of any kind for additional analysis; It can retrospectively convict files that have been passed, alert, remediate and draw network trajectory for forensics; It requires a Malware license, which includes a certain (platform dependent) number of daily TG submissions. AMP has an endpoint version as well, called AMP for Endpoints (AMP4E). AMP4E can report compromise events and contextual data to Firepower Management Center.
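
The hash lookup and retrospective conviction described on slide 18, as an added Python example that is not from the presentation and is not Cisco code. The class, its method names and the sample transfers are constructed for illustration; a dictionary stands in for the AMP cloud or private-cloud lookup.

```python
import hashlib
from dataclasses import dataclass

UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"


@dataclass(frozen=True)
class FileEvent:
    ts: int        # constructed timestamp (seconds)
    src: str       # sender IP
    dst: str       # receiver IP
    sha256: str    # file identity used for the reputation lookup
    verdict: str   # disposition known when the file crossed the sensor
    action: str    # "allow" or "block"


class FileReputationSensor:
    """Hypothetical model of a sensor doing hash-based reputation checks."""

    def __init__(self, dispositions=None):
        # sha256 -> disposition; stands in for the cloud lookup (assumption)
        self.dispositions = dict(dispositions or {})
        self.events = []

    def inspect(self, ts, src, dst, payload):
        """Hash the file, look up its disposition, record and return the event."""
        digest = hashlib.sha256(payload).hexdigest()
        verdict = self.dispositions.get(digest, UNKNOWN)
        action = "block" if verdict == MALICIOUS else "allow"
        event = FileEvent(ts, src, dst, digest, verdict, action)
        self.events.append(event)
        return event

    def update_disposition(self, sha256, new_verdict):
        """Apply a later verdict; return earlier transfers that were let through."""
        previous = self.dispositions.get(sha256, UNKNOWN)
        self.dispositions[sha256] = new_verdict
        if new_verdict != MALICIOUS or previous == MALICIOUS:
            return []
        return [e for e in self.events
                if e.sha256 == sha256 and e.action == "allow"]

    def trajectory(self, sha256):
        """Time-ordered hops of one file; the first hop is its point of entry."""
        hops = sorted((e for e in self.events if e.sha256 == sha256),
                      key=lambda e: e.ts)
        return [(e.ts, e.src, e.dst, e.action) for e in hops]

    def hosts_to_remediate(self, sha256):
        """Hosts that actually received the file, in order of first receipt."""
        hosts = []
        for _, _, dst, action in self.trajectory(sha256):
            if action == "allow" and dst not in hosts:
                hosts.append(dst)
        return hosts


def demo():
    sample = b"constructed sample payload, not real malware"
    sensor = FileReputationSensor()
    # Unknown file enters from outside and is then copied internally.
    first = sensor.inspect(100, "203.0.113.10", "10.0.0.5", sample)
    sensor.inspect(160, "10.0.0.5", "10.0.0.8", sample)
    # Later the disposition changes: both earlier transfers are convicted.
    alerts = sensor.update_disposition(first.sha256, MALICIOUS)
    # From now on the same hash is blocked in-line.
    late = sensor.inspect(500, "10.0.0.8", "10.0.0.9", sample)
    return {
        "retrospective_alerts": len(alerts),
        "late_action": late.action,
        "entry_point": sensor.trajectory(first.sha256)[0][1],
        "remediate": sensor.hosts_to_remediate(first.sha256),
    }


if __name__ == "__main__":
    print(demo())
```
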

19 NGFW components: Correlation Engine nice picture. Diagram labels: App & Device Data; ISE; Blended threats; Prioritize response; Automate policies; Block; Accept; Data packets; Communications; Network profiling; Phishing attacks; Innocuous payloads; Infrequent callouts. Scan network traffic; correlate data; detect stealthy threats; respond based on priority.

20 NGFW components: Correlation Engine - explained. Available only with centralized management at the moment (FMC). The system can do active and passive profiling of: Network segment traffic; Hosts (OS, applications, versions, AMP4E information, etc.). FMC has a Nessus vulnerability database as well. FMC can correlate: Host profiles and profile changes; The vulnerability DB; Traffic profile changes or certain patterns; Local Malware and/or IPS events; External AMP4E events; Connection events (local and NetFlow reported); Etc. Correlation is driven by correlation policies and can trigger Remediation actions. Plus there are some built-in correlations that improve alerting (calculation of impact score).

21 NGFW components: Firepower Management Center. Centralized management for multi-site deployments. Diagram labels: Multi-domain management; Firewall & AVC; Role-based access control; NGIPS; High availability; AMP; APIs and pxgrid integration; Security Intelligence. Available in physical and virtual options. Manage across many sites; control access and set policies; investigate incidents; prioritize response.

22 NGFW components: FMC explained. FMC is the centralized management server for: Legacy Sourcefire Firepower appliances; Firepower Threat Defense (FTD) unified code based appliances; Firepower modules of hybrid editions (ASA code is still independently managed). There are plans to manage the ASA module of hybrid editions in FMC as well. FMC is not only management but also: An important integration point: provides APIs, calls APIs (e.g. ISE pxgrid); The event management, aggregation, correlation, alerting and historical data storage point; A provider of forensics tools such as different dashboards, data mining capabilities, network file trajectories, etc.

23 NGFW components: Firepower Device Manager. Integrated on-box option for single instance deployment. Diagram labels: Easy set-up; Role-based access control; High availability; Physical and virtual options; NAT and Routing; Intrusion and Malware prevention; Device monitoring; VPN support. Set up easily; control access and set policies; investigate incidents; prioritize response.

24 NGFW components: Firepower Device Manager - explained. Embedded device manager for Firepower Threat Defense based appliances. Legacy Sourcefire appliances have only a status monitoring HTML GUI; ASA+FP editions use ASDM. FDM and FMC are mutually exclusive; they cannot be used together. Main usage scenarios: Simplified systems management and monitoring for simple deployments; Initial deployment of the appliance by a technician at a remote site.

25 NGFW components: Cisco Defense Orchestrator. Diagram labels: Security Policy Management; Simple Search-Based Management; Device Onboarding; Import From Offline; Discover Direct From Device; Object & Policy Analysis; Application, URL, Malware & Threat Policy Management; Change Impact Modeling; Security Templates; Notifications; Reports. Simplify security policy management in the cloud with Cisco Defense Orchestrator. Plan and model security policy changes before deploying them across the cloud. Deploy changes across virtual environments in real time or offline. Receive notifications about any unplanned changes to security policies and objects.

26 NGFW components: Cisco Defense Orchestrator - explained. CDO is an optional, simplified cloud management platform for on-premises NGFW deployments. Simplified because it is a product in an early stage. Sales are limited to qualified opportunities only.

27 NGFW components: Security Intelligence. Threat intelligence; security coverage; research; response. 1.5 million daily malware samples; 600 billion daily messages; 16 billion daily web requests; 250+ researchers; 24 x 7 x 365 operations. Coverage labels: WWW, Endpoints, Web, Networks, NGIPS, Devices. Identify advanced threats; get specific intelligence; catch stealthy threats; stay protected with updates. 10 times more data than the nearest competitor sees and analyzes.

28 And this works... NSS proven. The latest NSS breach detection test confirmed the effectiveness of Firepower. Two highlights: 100% detection rate with 100% anti-evasion rating; By far the most threats found within 1 min: 67%, and within 3 min: 91.8%. Find more:

29 NGFW integrations

30 APIs and programmability quick overview. Sensors and FMC have had the eStreamer API for a long time: Open specification; A bit more complex. FMC now has a REST based API which is: Simple; Being developed fast; Already makes things like Cisco ACI DC fabric integration possible. FMC can run built-in or custom external remediation modules (Perl script format) triggered by correlation policies. The system uses open protocols: OpenAppID, Snort signatures (STIX, TAXII on roadmap). There are closed APIs used for advanced integrations like: ISE pxgrid for user and endpoint identity and context information retrieval; ISE EPS API calls for ISE enforced endpoint quarantine in the access layer.

31 Integration with Cisco Identity Services Engine. Diagram labels: ISE; pxgrid; TrustSec; BYOD; Guest Access; Segmentation; Firepower Management Center; tags: Employee, Guest, Supplier, Server, Quarantine, Suspicious. Propagate: user context, device context, access policies. Policy automation. Set access control policies; propagate rules and context; establish a secure network; remediate breaches automatically.

32 Integration with MS Terminal Server based VDI solutions. Diagram labels: Terminal Services Agent; Firepower Management Center; User IPs; VDI; APIs; User 1, User 2, User 3. Route user information to Terminal Services; capture information using APIs; identify risky behavior.

33 NGFW Platforms and software Editions

34 Fast moving target

35 It is transition time, and transitions are not always easy... Cisco is working on multiple NGFW transitions: Moving away from legacy Sourcefire appliances to new generation platforms running the Firepower Threat Defense image; Moving from legacy ASA 5500-X hardware based ASA+FP solutions to FTD on the same or new hardware. The industry is moving as well: Firewall and IPS functions are getting virtualized at some points. They become Virtual Network Functions (NFV). Virtualized security devices are often sold as on-demand, subscription based services.

36 Cisco Firepower Editions FTD ASA-OS ASA SSP Firep. NGIPS FP SSP FXOS ASA5585 chassis Firepower 4100 / 9300 Firepower NGIPS (in container) Firepower NGIPS FTD ASA-OS Hardware Legacy Sourcefire appliance ASA55xx * ASA55xx Virtual Firepower NGIPSv FTDv VMware ESXi ESXi, KVM or AWS x86 server x86 server NGIPS (Legacy Sourcefire appliances) Firepower Threat Defense (Unified Image) ASA with Firepower services (Hybrid) * Except: 5585, 5505, 5512 and 5515

37 NGFW / NGIPS HW / SW bundles overview Platform Image(s) ASA engine Firepower engines FX-OS Redundancy Embedded GUI Firepower 7K/8K NGIPS No * Full No Stateful Active / Standby ** Health status only AMP 7K/8K NGIPS No * Full No Stateful Active / Standby ** Health status only Firepower 4K-ASA ASA Full No Yes Stateful A/S or A/A or clustering Centralized management AMP extra storage FMC No No FMC Yes No Radware DefensePro ASDM CSM No 4150 only Firepower 4K-FTD FTD Limited Full Yes Stateful A/S FDM FMC Optional No Firepower 9300-ASA ASA Full No Yes Stateful A/S or A/A and clustering Firepower 9300-FTD FTD Limited Full Yes Stateful A/S or Intra-chassis clustering only ASA55xx-ASA ASA Full No Yes Stateful A/S or A/A or clustering ASA55xx w/ FP (Hybrid) ASA + NGIPS Full Full No Stateful A/S or A/A or clustering ASDM CSM No Yes FDM FMC No No ASDM CSM No No ASDM FMC + CSM No No ASA55xx-FTD *** FTD Limited Full No Stateful A/S FDM FMC No No * NGIPS only image has limited stateful FW functions embedded. ** Routed mode is stateful, switch mode is stateless. *** ASA 5505, 5512 and 5515 are not supported

38 Firepower Threat Defense. This is Cisco's unified NGFW code. Main things to know: It replaces the stateful FW and VPN modules of the former Sourcefire code with ASA engines. FTD keeps IPS only deployment options like physical in-line, in-line tap mode and promiscuous modes. It has a unified CLI and can be fully managed by FMC (former ASA functions as well). There are three important features missing that the ASA+SF hybrid edition has: Multiple context mode; RA VPN; Clustering. These missing features are being built and are going to be launched in the foreseeable future.

39 FTD deployment modes (diagram). IPS/IDS only ports (fail-to-wire NetMods): Inline, Passive, Inline Tap. Full firewall ports (NetMod): Routed, Transparent. Virtual or physical.

40 Firepower 4100 series. Latest high performance 1 RU platform. Flexible platform with hardware acceleration where needed and with no bottleneck. Runs FX-OS as chassis manager layer. 8 built-in 10G SFP+ ports and 2 network module slots. Multi-port 10G and 40G network modules with Fail-to-wire (HW bypass) models. Modules are compatible with the FP9300 series. Redundant, hot-swappable power supplies and fans. It can run ASA or FTD logical devices. FP 4150 can run Radware DefensePro as well with ASA.

41 Firepower 9300 series. Latest high performance 3 RU, modular platform. Flexible platform with hardware acceleration where needed and with no bottleneck. Runs FX-OS as chassis manager layer. 8 built-in 10G SFP+ ports and 2 network module slots. Multi-port 10G, 40G and 100G network modules with Fail-to-wire (HW bypass) models. 10G and 40G modules are compatible with the FP9300 series. Redundant, hot-swappable power supplies and fans. It can run ASA (optionally with DefensePro) or FTD logical devices.

42 Hey, what is FX-OS?! This is how we say: Welcome to NFV everywhere! It is a secure boot enabled software layer that: Manages the chassis hardware; Runs on a separate CPU on the FP4100 and 9300 series; Allocates resources to logical devices; Manages logical devices; Boots and updates logical devices (securely, signed packages only); Has an IOS-like CLI and an HTML GUI; Was built to be highly programmable over its REST API. No, it is not a bootloader causing extra complications.

43 Virtual NGFW platforms

| Platform | ASA engine | Firepower engines | Hypervisor support | Application level redundancy | Embedded GUI | Centralized management |
|---|---|---|---|---|---|---|
| NGIPSv | No | Yes | VMware ESXi only | No | No | FMC |
| ASAv | Yes | No | ESXi, KVM, Hyper-V, Azure, AWS | Stateful Active / Standby | ASDM | CSM |
| FTDv | Yes | Yes | KVM, ESXi, AWS | Stateful Active / Standby | No | FMC |

44 Firepower 6.1 What is new?

45 New features in Firepower 6.1: FMCv and FTDv support on KVM; VDI identity FW in Windows Terminal Server based VDI environments; Safe Search and YouTube EDU policies (for US customers mainly); Official, built-in ISE Remediation; Inline Source SGT Tags not only on FTDv but on legacy Sourcefire appliances as well; On-premise AMP Private Cloud appliance support; On-box device manager (limited, no Java) for FTD on former ASA Saleen (5500X) platforms; Official FMC HA (FMC 1500, 2000, 3500 and 4000 appliances only); REST API through FMC only at the moment. FTD is not officially supported (though certain features work for FTD appliances); Rate limiting QoS phase 1 (FTD(v) only); Pre-filter policies (FTD(v) only); Site-to-Site VPN for FTD (officially supported between FTD devices only at the moment; simple, crypto map like, no overlay routing; IKEv1 and IKEv2 are both supported); Multicast routing for FTD(v); Shared NAT policies for FTD(v), so identical NAT policies do not have to be configured on each and every FTD device; Support for Fail-to-Wire NetMods in FP4000 and FP9300 chassis, for IPS inline-pair and inline-pair tap mode interfaces only; Unified CLI for FTD(v): you don't have to change to the diagnostic CLI to see former ASA LINA CLI commands; True-IP Policy Enforcement (XFF).

46 VDI identity FW in Windows Terminal Server environments. Supports Microsoft Windows TS environments only. Provides user identity information for VDI users. The agent sends information to FMC over the REST API and does PAT as well. FMC configures the sensor over eStreamer.

47 FMC REST API. First REST based API opened into the Firepower system. FTD is officially not supported, but some parts (policy, identity) work. Built-in REST API explorer with script examples, available functions, etc. Main functions: Interface, virtual switch and virtual bridge configurations (legacy NGIPS only), already used in the NGIPS ACI device pack; Identity functions, already used by the VDI identity TS agent; Policy functions: Access Rule granularity. Disabled by default. More information:
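
An added Python example (not from the presentation and not Cisco code) of using the policy functions at access rule granularity for a defensive review: it downloads the rules of one Access Control Policy and flags enabled rules that pass traffic without an intrusion policy, file policy or connection logging. The resource paths, header names and rule field names are the ones I know from the FMC REST API and should be checked in the built-in API explorer of your release; the sample rules are constructed, and paging is not handled.

```python
import base64
import json
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
RULES_PATH = ("/api/fmc_config/v1/domain/{domain}/policy/accesspolicies/"
              "{policy}/accessrules?expanded=true")


def fetch_rules(host, user, password, policy_id):
    """Log in, then download one policy's rules. TLS verification stays on."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(
        f"https://{host}{TOKEN_PATH}", data=b"", method="POST",
        headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(login) as resp:
        token = resp.headers["X-auth-access-token"]
        domain = resp.headers["DOMAIN_UUID"]
    url = f"https://{host}" + RULES_PATH.format(domain=domain, policy=policy_id)
    req = urllib.request.Request(url, headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("items", [])


def audit_rules(rules):
    """Return {rule name: [findings]} for enabled rules that need attention."""
    findings = {}
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules do not affect traffic
        issues = []
        action = rule.get("action", "")
        if action == "ALLOW":
            if "ipsPolicy" not in rule:
                issues.append("no intrusion policy")
            if "filePolicy" not in rule:
                issues.append("no file policy")
        elif action == "TRUST":
            issues.append("TRUST skips deep inspection")
        if not (rule.get("logBegin") or rule.get("logEnd")):
            issues.append("no connection logging")
        if issues:
            findings[rule["name"]] = issues
    return findings


# Constructed sample in the shape of an expanded accessrules response.
SAMPLE_RESPONSE = """
{"items": [
  {"name": "web-out", "action": "ALLOW", "enabled": true,
   "ipsPolicy": {"name": "Balanced", "type": "IntrusionPolicy"},
   "filePolicy": {"name": "Block-Malware", "type": "FilePolicy"},
   "logBegin": false, "logEnd": true},
  {"name": "legacy-erp", "action": "ALLOW", "enabled": true,
   "logBegin": false, "logEnd": false},
  {"name": "backup-fastlane", "action": "TRUST", "enabled": true,
   "logBegin": false, "logEnd": true},
  {"name": "old-test", "action": "ALLOW", "enabled": false,
   "logBegin": false, "logEnd": false},
  {"name": "deny-all", "action": "BLOCK", "enabled": true,
   "logBegin": true, "logEnd": false}
]}
"""
SAMPLE_RULES = json.loads(SAMPLE_RESPONSE)["items"]


if __name__ == "__main__":
    # Offline run on the constructed sample; use fetch_rules() against a real FMC.
    for name, issues in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(issues)}")
```
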

48 On-box device manager. Officially called Firepower Device Manager (FDM). Java-less embedded GUI for FTD, on ASA 55xx devices only at the moment. It is not supported to work in parallel with FMC (centralized management). Primary usage scenarios: Small business with no IT security personnel; Initial provisioning by an onsite technician. Limited functionality, which is going to be improved step by step in forthcoming releases. It has an Easy Setup Wizard which can be useful during provisioning, even if FMC takes over later on. You may read more here:

49 On-box device manager

50 Rate Limiting QoS. Phase 1. Supported on FTD devices managed by FMC only. Uses bi-directional rate limiters: no shaping, no BW reservation at the moment. Separate QoS policy object which can be mapped to one or more devices. One device can have one QoS policy only. The QoS policy rules can use the same object DB and conditions as other policies. Rate limiters are applied per interface when configured for zones. E.g.: the DMZ zone has two interfaces, dmz1 and dmz2; a QoS policy rule applies a 20 Mbps upload limitation for an application towards the DMZ zone; FTD will limit traffic to 20 Mbps upload on each interface separately, which means an aggregate of 40 for the whole zone. Note: this is phase one only. QoS is actively developed in forthcoming releases.

51 Pre-filter policy on FTD. Before 6.1, Firepower automatically inspected clear-text tunneled packets. Pre-filter policies can match: GRE, IP-in-IP, 6in4 and Teredo tunnels based on port numbers or custom tunnel policies; Source/destination interfaces, subnets and ports. The pre-filter policy is applied before the Access Control Policy. One pre-filter policy can be enforced on a given FTD device. Actions: Block: drops the packet; Fastpath: forwards the packets without additional inspection and, if possible, forwards in the SmartNIC (no dataplane CPU usage); Analyze: analyzes the packet as per the matching Access Control Policy rule.

52 Pre-filter policy on FTD

53 Cisco Meraki Cloud Managed networks

54 Cisco Meraki Cloud Managed Networking Overview

55 Cisco Cloud Managed Networking (Meraki): Wireless Access Points (MR series); Layer 2 and Layer 3 switches (MS series); Security Gateways (MX series); IP Telephony (MC47); Mobile Device Management (Meraki Systems Manager). More on Meraki:

56 Cisco Cloud Managed Networking (Meraki). Unified cloud-based management: the Dashboard. A complete enterprise network can be modeled with Meraki. Dashboard hierarchy: one Organization includes one or more Networks. Role Based Access Control. Advanced networking functions. Simple and fast deployment. Advanced troubleshooting functions. Partners can easily sell it as a Managed Networking Service. Since it is fully cloud managed, it is cloud supported as well: it is Cisco who checks the log files in CLI shells, etc. for you.

57 Meraki Wireless: Quality n and ac, Indoor and Outdoor Access Points; Dedicated security radios to detect RF interference and L1 / L2 attacks; The Dashboard has an integrated CMX Location Analytics function; Wireless Mesh capabilities; Seamless roaming (802.11r); Advanced QoS; Advanced RF optimization and monitoring; Extensive client monitoring and profiling; Paid (guest) access (PayPal).

58 Meraki Wireless Security. Multiple authentication types: WPA(2)-PSK; WPA(2)-Enterprise: Meraki (back-end) or RADIUS (can be ISE); Open, with optional web authentication: RADIUS, LDAP, Facebook, Google, AUP only...; Web authentication can be combined with WPA (and NAC). Air Marshal WIPS with automated or manual containment. NAT mode with optional peer-to-peer traffic restrictions within an SSID. L3 and L7 (AVC) firewall and URL filtering. Meraki MDM (Systems Manager) integration. Simplified NAC (host compliance) that works with web authentication. VPN tunneling from AP to a central MX Security Gateway (remote, small office solution).

59 Meraki wired LAN Switches: Many L2 and L3 models, some of them can be stacked; 10G and NBASE-T multi-gigabit technology support; PoE and PoE+ plus support; Advanced QoS; Security functions; Useful troubleshooting tools: Packet Capture, Cable Test, etc.

60 Meraki wired LAN security: Port Security; DHCP Guard; Port isolation (PVLAN); Multiple authentication technologies: web authentication; 802.1X with Meraki backend or external RADIUS server; L3 and L7 (AVC) packet filtering.

61 Meraki MX Security Gateways Cisco UTM

62 Cisco Meraki MX Security Gateway overview. This is a UTM. It has advanced and integrated security features implemented in a simplified way. Multiple hardware options, some with a built-in Access Point. Cloud managed over the Dashboard with cross device (MR, MX, MS) group policies. Advanced site-to-site VPN (IWAN). Flexible balancing between two ISP uplinks. AVC and URL filtering. Advanced QoS (shaping, policing, dynamic routing between uplinks based on latency, etc.). 3G / 4G support with external USB attached modems. Active / Standby stateless failover support.

63 Meraki MX Security L3-L7 Firewall Meraki with Cloud Application Detection Snort IPS engine with built in rules and minimal customization. Anti-malware: Currently Kaspersky; Soon: Cisco AMP with ThreatGrid. Dynamic URL filtering. Geolocation based filtering. Web authentication. ID Firewall with Active Directory integration.

64 Meraki MX models

| Model | Where | Notable features | Throughput | Price (USD list) |
|---|---|---|---|---|
| MX64/64W | Small branch (~50 clients) | 11ac wireless (MX64W) | 250 Mbps (FW), 200 Mbps (UTM) | $595/$945 |
| MX65/65W | Small branch (~50 clients) | PoE+, dual WAN, ac | 250 Mbps (FW), 200 Mbps (UTM) | $945/$1,245 |
| MX84 | Mid-size branch (~200 clients) | SFP ports | 500 Mbps (FW), 300 Mbps (UTM) | $1,995 |
| MX100 | Mid-size branch / small campus (~500 clients) | SFP ports | 750 Mbps (FW), 650 Mbps (UTM) | $4,995 |
| Z1 | For teleworkers (1-5 users) | Dual-radio wireless | FW throughput: 50 Mbps | |
| MX400 | Large branch/campus (~2,000 clients) | Power redundancy; modular interface; SFP or SFP+ (with modules) | 1 Gbps (FW), 1 Gbps (UTM) | $15,995 |
| MX600 | Campus / VPN concentration (~10,000 clients) | Power redundancy; modular interface; SFP or SFP+ (with modules) | 1 Gbps (FW), 1 Gbps (UTM) | $31,995 |

All devices support 3G/4G.

65 Example: MX65W hardware elements included

66 MX ordering and BoM example Ordering a Cisco Meraki unit requires two items: Hardware 1, 3, 5, 7 or 10 years license Example: MX 84 with 3 years Advanced Security licence: Name Catalog Num Vendor Description Qty Unit Price Duration Prorated Unit List Price Extended Price Discount % Total Price LIC-MX84-SEC-3YR LIC-MX84-SEC-3YR Cisco Meraki MX84 Advanced Security , ,00 0, ,00 LIC-MX84-SEC-3YR 4000,00 MX84-HW MX84-HW Cisco Meraki MX84 Cloud Managed Security Appliance , ,00 0, ,00 MX84-HW Meraki MX(USD) 1995, ,00

67 Meraki MX VPN. Simple RA VPN using the native VPN capabilities of common operating systems. AnyConnect based RA VPN is on roadmap. Hub & Spoke or Mesh site-to-site VPN among Meraki devices: Automated configuration; The IPsec and IKE policies cannot be tuned; Split or full tunneling (it is possible to concentrate Internet breakout to dedicated HUB locations); IWAN capabilities: in case of dual WAN uplink, it is possible to have dual VPN connections with quality based routing. IPsec/IKEv1 site-to-site VPN tunnels to other Cisco and 3rd party devices: IKEv1; Pre-shared key; Possible to tune IKEv1 and IPsec settings in this case.

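68 Meraki MX vs. Cisco ISR

| Feature | Description | On-Premise - Cisco ISR | Cloud Managed - Meraki MX |
|---|---|---|---|
| Intelligent Path Selection | Load Balancing | Yes | Yes |
| Intelligent Path Selection | Policy-Based Path Selection | Yes (L7 / app level) | Yes (L3-L4 - based on loss, jitter, latency) |
| Intelligent Path Selection | Number of Paths Supported | Multiple (Any Transport) | 2 (Broadband, 4G, MPLS) |
| Intelligent Path Selection | Rapid Failure Detection and Mitigation | Yes (Blackout & Brownout) | Yes |
| Security & Compliance | Virtual Private Network | Yes | Yes |
| Security & Compliance | Firewall | Yes | Yes |
| Security & Compliance | Intrusion Prevention & Detection | Yes (Snort) | Yes (Snort) |
| Security & Compliance | Content/URL Filtering | Yes (Cloud Web Security) | Yes (Built-in) |
| Security & Compliance | Anti-Virus / Malware Detection | AMP | AMP |
| Transport Independence | WAN Connectivity | T1/E1, T3/E3, Serial, xDSL, Ethernet | Ethernet |
| Transport Independence | Cellular | Yes (Integrated/Module) | Yes (Dongle) |
| Transport Independence | IPv6 | Yes | Planned (2H2016) |
| Application Optimization | WAN Optimization | Yes (WAAS) | No |
| Application Optimization | Content Caching | Yes (Akamai) | Yes (Squid-Cache) |
| Application Optimization | Application Visibility | Yes | Yes |
| Application Optimization | Congestion Control | Yes (HQoS) | Yes (L7 Traffic prioritization) |
| Unified Communications | Voice Gateway | Yes | No |
| Unified Communications | Session Border Controller | Yes | No |
| Unified Communications | Call Control Agent | Yes | No |
| Routed Protocols | OSPF | Yes | Supported at the headend |
| Routed Protocols | EIGRP | Yes | No |
| Routed Protocols | BGP | Yes | Planned (FY17) |
| Integrated Storage & Compute | Integrated Compute | Yes (UCS E-Series) | No |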

69 Meraki MX vs. ASA/Firepower major differences Less granular and less flexible policies. Less customizable and less granular logging. Less granular reporting and monitoring. No AMP4E integration (network AMP is on roadmap only). No granular file filtering. Less granular AVC functionality, no integration with the IPS engine. Far less customizable IPS (Snort) engines, no customization of preprocessors at all. No multiple context mode. Less granular Forensics capabilities. Host profiling is less granular and not security focused. No built in vulnerability analysis engine. No IoC support. No IPv6 support yet. Etc.

70 Real quick demo and Q&A

71 With this offer, you will: Gain valuable information on your network, including critical attacks; Reduce risk and make security a growth engine for your business. This offer is valid through December 29th, 2016 in Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Spain, Sweden, Switzerland and United Kingdom. For more information and to request a Threat Scan POV, go to


More information

Business Resiliency Through Superior Threat Defense

Business Resiliency Through Superior Threat Defense Business Resiliency Through Superior Threat Defense Firepower 2100 Series/ Cisco Identity Services Engine Andre Lambertsen, Consulting Systems Engineer ala@cisco.com Cisco Firepower NGFW Fully Integrated

More information

JURUMANI MERAKI CLOUD MANAGED SECURITY & SD-WAN

JURUMANI MERAKI CLOUD MANAGED SECURITY & SD-WAN JURUMANI CLOUD MANAGED SECURITY & SD-WAN SECURITY BY DESIGN OVERVIEW Cisco Meraki MX Security Appliances are ideal for organizations considering a Unified Threat Managment (UTM) solution, for distributed

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

We re ready. Are you?

We re ready. Are you? We re ready. Are you? Deploying Scalable, Resilient WAN Architectures with Meraki MX and IWAN Joe Aronow - Product Specialist, Meraki MX Agenda Introduction: Cloud networking Meraki MX Security Appliances

More information

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

Cisco Cloud Security. How to Protect Business to Support Digital Transformation Cisco Cloud Security How to Protect Business to Support Digital Transformation Dragan Novakovic Cybersecurity Consulting Systems Engineer January 2018. Security Enables Digitization Digital Disruption,

More information

Agile Security Solutions

Agile Security Solutions Agile Security Solutions Piotr Linke Security Engineer CISSP CISA CRISC CISM Open Source SNORT 2 Consider these guys All were smart. All had security. All were seriously compromised. 3 The Industrialization

More information

Cisco Meraki Cloud-Managed Networking. George Carlan

Cisco Meraki Cloud-Managed Networking. George Carlan Cisco Meraki Cloud-Managed Networking George Carlan Cisco Networking Portfolio Cisco Enterprise Portfolio Cisco Cloud Managed Prime ISE Cloud Management & Policy Systems Manager Systems Manager WLAN Controllers

More information

Cisco AMP Solution. Rene Straube CSE, Cisco Germany January 2017

Cisco AMP Solution. Rene Straube CSE, Cisco Germany January 2017 Cisco AMP Solution Rene Straube CSE, Cisco Germany January 2017 The AMP Everywhere Architecture AMP Protection Across the Extended Network for an Integrated Threat Defense AMP Threat Intelligence Cloud

More information

Cisco Security Exposed Through the Cyber Kill Chain

Cisco Security Exposed Through the Cyber Kill Chain Cisco Forschung & Lehre Forum für Mecklenburg Vorpommern Cisco Security Exposed Through the Cyber Kill Chain Rene Straube CSE, Cisco Advanced Threat Solutions January, 2017 The Cisco Security Model BEFORE

More information

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief Cato Cloud Software-defined and cloud-based secure enterprise network Solution Brief Legacy WAN and Security Appliances are Incompatible with the Modern Enterprise Cato Networks: Software-defined and Cloud-based

More information

Passit4Sure (50Q) Cisco Advanced Security Architecture for System Engineers

Passit4Sure (50Q) Cisco Advanced Security Architecture for System Engineers Passit4Sure.500-265 (50Q) Number: 500-265 Passing Score: 800 Time Limit: 120 min File Version: 5.8 Cisco 500-265 Advanced Security Architecture for System Engineers Today is big day for me as I passed

More information

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9.

Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace. Milan Habrcetl Cisco CyberSecurity Specialist Mikulov, 5. 9. Aby se z toho bezpečnostní správci nezbláznili aneb Cisco security integrace Aby se z toho bezpečnostní správci nezbláznili Cisco security integrace Milan Habrcetl Cisco CyberSecurity Specialist Mikulov,

More information

Firepower Techupdate April Jesper Rathsach, Consulting Systems Engineer Cisco Security North April 2017

Firepower Techupdate April Jesper Rathsach, Consulting Systems Engineer Cisco Security North April 2017 Firepower 6.2.1 Techupdate April 2017 Jesper Rathsach, Consulting Systems Engineer Cisco Security North April 2017 Firepower 6.2.1 Nr. 1 most important!! Firepower 6.2.1 BUGFIXES!!!!! Alle kendte severity

More information

Chapter 1: Content Security

Chapter 1: Content Security Chapter 1: Content Security Cisco Cloud Web Security (CWS) Cisco offers Cisco Cloud Web Security (CWS) to protect End Stations and Users devices from infection. Cisco Cloud Web Security (CWS) depends upon

More information

Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků

Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků Firewall nové generace na platformě SF, přístupové politiky, analýza souborů, FireAMP a trajektorie útoků Jiří Tesař, CSE Security, jitesar@cisco.com CCIE #14558, SFCE #124266 Mapping Technologies to the

More information

Deploying Intrusion Prevention Systems

Deploying Intrusion Prevention Systems Deploying Intrusion Prevention Systems Gary Halleen Consulting Systems Engineer II Agenda Introductions Introduction to IPS Comparing Cisco IPS Solutions IPS Deployment Considerations Migration from IPS

More information

Cisco Advanced Malware Protection against WannaCry

Cisco Advanced Malware Protection against WannaCry Cisco Advanced Malware Protection against WannaCry "A false sense of security is worse than a true sense of insecurity" Senad Aruc Consulting Systems Engineer Advanced Threats Group Nils Roald Advanced

More information

Secure solutions for advanced threats

Secure solutions for advanced  threats Secure solutions for advanced email threats Threat-centric email security Cosmina Calin Virtual System Engineer November 2016 Get ahead of attackers with threat-centric security solutions In our live Security

More information

Design and Deployment of SourceFire NGIPS and NGFWL

Design and Deployment of SourceFire NGIPS and NGFWL Design and Deployment of SourceFire NGIPS and NGFWL BRKSEC - 2024 Marcel Skjald Consulting Systems Engineer Enterprise / Security Architect Abstract Overview of Session This technical session covers the

More information

Cisco ASA with FirePOWER Services

Cisco ASA with FirePOWER Services Cisco ASA with FirePOWER Services TDM Thomas Jankowsky Consulting Systems Engineer May 2015 Introduction Industry s First Threat-Focused Next-Generation Firewall (NGFW) Proven Cisco ASA firewalling Industry-leading

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

Cisco ASA Next-Generation Firewall Services

Cisco ASA Next-Generation Firewall Services Q&A Cisco ASA Next-Generation Firewall Services Q. What are Cisco ASA Next-Generation Firewall Services? A. Cisco ASA Next-Generation Firewall Services are a modular security service that extends the Cisco

More information

The Internet of Everything is changing Everything

The Internet of Everything is changing Everything The Internet of Everything is changing Everything Intelligent Threat Defense for the Enterprise Mobility Nikos Mourtzinos, CCIE #9763 Global Security Sales Organization Changing Business Models Any Device

More information

Cisco - ASA Lab Camp v9.0

Cisco - ASA Lab Camp v9.0 Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

More information

The Internet of Everything is changing Everything

The Internet of Everything is changing Everything The Internet of Everything is changing Everything Next Generation Security John Tzortzakakis Security Solutions Architect, Security Business Group November 2014 Threat Landscape evolution 60% of data is

More information

MR Cloud Managed Wireless Access Points

MR Cloud Managed Wireless Access Points Datasheet MR Series MR Cloud Managed Wireless Access Points Overview The Meraki MR series is the world s first enterprise-grade line of cloud-managed WLAN access points. Designed for challenging enterprise

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? WHAT IS FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? While firewalls started life simply protecting networks from outside hacks and attacks, the role of the firewall has greatly evolved to take

More information

Easy Setup Guide. Cisco ASA with Firepower Services. You can easily set up your ASA in this step-by-step guide.

Easy Setup Guide. Cisco ASA with Firepower Services. You can easily set up your ASA in this step-by-step guide. Cisco ASA with Firepower Services Easy Setup Guide You can easily set up your ASA in this step-by-step guide. Connecting PC to ASA Installing ASDM 3 Configuring ASA 4 Using Umbrella DNS Connecting PC to

More information

Meraki MX Family Cloud Managed Security Appliances

Meraki MX Family Cloud Managed Security Appliances DATASHEET Meraki MX Family Cloud Managed Security Appliances Overview The Meraki MX is a complete next generation firewall and branch gateway solution, designed to make distributed networks fast, secure,

More information

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339

Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339 Cisco ASA with FirePOWER services Eric Kostlan, Technical Marketing Engineer Security Technologies Group, Cisco Systems LABSEC-2339 Agenda Introduction to Lab Exercises Platforms and Solutions ASA with

More information

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q&A Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q. What is the Cisco Cloud Services Router 1000V? A. The Cisco Cloud Services Router 1000V (CSR 1000V) is a router in virtual

More information

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization

A New Security Model for the IoE World. Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization A New Security Model for the IoE World Henry Ong SE Manager - ASEAN Cisco Global Security Sales Organization Internet of Everything The Internet of Everything brings together people, process, data and

More information

SD-WAN Deployment Guide (CVD)

SD-WAN Deployment Guide (CVD) SD-WAN Deployment Guide (CVD) All Cisco Meraki security appliances are equipped with SD-WAN capabilities that enable administrators to maximize network resiliency and bandwidth efficiency. This guide introduces

More information

New Features and Functionality

New Features and Functionality This section describes the new and updated features and functionality included in Version 6.2.1. Note that only the Firepower 2100 series devices support Version 6.2.1, so new features deployed to devices

More information

VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH

VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. 1 Agenda 1. Overview and company presentation 2. Solution presentation 3. Main benefits to show to customers 4. Deployment models 2 VeloCloud Company

More information

Meraki MX Family Cloud Managed Security Appliances

Meraki MX Family Cloud Managed Security Appliances DATASHEET Meraki MX Family Cloud Managed Security Appliances Overview The Meraki MX is a complete next generation firewall and branch gateway solution, designed to make distributed networks fast, secure,

More information

Improving Security with Cisco ASA Firepower Services Claudiu Onisoru, Senior Solutions Engineer Cisco Connect - 18 March 2015

Improving Security with Cisco ASA Firepower Services Claudiu Onisoru, Senior Solutions Engineer Cisco Connect - 18 March 2015 Improving Security with Cisco ASA Firepower Services Claudiu Onisoru, Senior Solutions Engineer Cisco Connect - 18 March 2015 1 Agenda Frontal Communication: Who we are? - Key points - Competencies Areas

More information

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model:

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model: MX Sizing Guide AUGUST 2016 This technical document provides guidelines for choosing the right Cisco Meraki security appliance based on real-world deployments, industry standard benchmarks and in-depth

More information

Features and Functionality

Features and Functionality Features and functionality introduced in previous versions may be superseded by new features and functionality in later versions. New or Changed Functionality in Version 6.2.2.x, page 1 Features Introduced

More information

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN Cato Cloud Software-defined and Cloud-based Secure Enterprise Network Solution Brief NETWORK + SECURITY IS SIMPLE AGAIN Legacy WAN and Security Appliances are Incompatible with the Modern Enterprise The

More information

MR Cloud Managed Wireless Access Points

MR Cloud Managed Wireless Access Points Datasheet MR Series MR Cloud Managed Wireless Access Points Overview The Meraki MR series is the world s first enterprise-grade line of cloud-managed WLAN access points. Designed for challenging enterprise

More information

Deploying Intrusion Prevention Systems

Deploying Intrusion Prevention Systems Deploying Intrusion Prevention Systems Mike Mercier Consulting Systems Engineer BRKSEC-2030 Agenda Introduction to IPS Cisco NGIPS Solutions Deploying Cisco NGIPS Migrating to Firepower NGIPS Conclusion

More information

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title.

The IINS acronym to this exam will remain but the title will change slightly, removing IOS from the title, making the new title. I n t r o d u c t i o n The CCNA Security IINS exam topics have been refreshed from version 2.0 to version 3.0. This document will highlight exam topic changes between the current 640-554 IINS exam and

More information

Disclaimer CONFIDENTIAL 2

Disclaimer CONFIDENTIAL 2 Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally

More information

MR Cloud Managed Wireless Access Points

MR Cloud Managed Wireless Access Points MR Cloud Managed Wireless Access Points Overview The Meraki MR series is the world s first enterprise-grade line of cloud-managed WLAN access points. Designed for challenging enterprise environments, the

More information

MX Cloud Managed Security Appliance Series

MX Cloud Managed Security Appliance Series Datasheet MX MX Cloud Managed Security Appliance Series Overview Cisco Meraki MX Security Appliances are ideal for organizations with large numbers of distributed sites. Since the MX is 100% cloud managed,

More information

MX Sizing Guide. 4Gon Tel: +44 (0) Fax: +44 (0)

MX Sizing Guide. 4Gon   Tel: +44 (0) Fax: +44 (0) MX Sizing Guide FEBRUARY 2015 This technical document provides guidelines for choosing the right Cisco Meraki security appliance based on real-world deployments, industry standard benchmarks and in-depth

More information

MX Cloud Managed Security Appliance Series

MX Cloud Managed Security Appliance Series Datasheet MX MX Cloud Managed Security Appliance Series Overview Cisco Meraki MX Security Appliances is ideal for organizations with large numbers of distributed sites. Since the MX is 100% cloud managed,

More information

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.

More information

Compare Security Analytics Solutions

Compare Security Analytics Solutions Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch

More information

Prepare Your Network for BYOD. Meraki Webinar Series

Prepare Your Network for BYOD. Meraki Webinar Series Prepare Your Network for BYOD Meraki Webinar Series 1 Agenda Introduction to Meraki and Cloud Networking BYOD objectives Taming BYOD: capacity, security & management Design considerations Live demos Product

More information

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER Bret Hartman Cisco / Security & Government Group Session ID: SPO1-W25 Session Classification: General Interest 1 Mobility Cloud Threat Customer centric

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, on page 1 The

More information

SteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

SteelConnect. The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN Data Sheet SteelConnect The Future of Networking is here. It s Application- Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN The Business Challenge Delivery of applications is becoming

More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Meraki Z-Series Cloud Managed Teleworker Gateway

Meraki Z-Series Cloud Managed Teleworker Gateway Datasheet Z Series Meraki Z-Series Cloud Managed Teleworker Gateway Fast, Reliable Connectivity for the Modern Teleworker The Cisco Meraki Z-Series teleworker gateway is an enterprise class firewall, VPN

More information

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption Nikos Mourtzinos, CCIE #9763 Cisco Cyber Security Sales Specialist April 2018 New

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 1 Classic Licensing for the Firepower System,

More information

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment BRKPAR-2488 AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment Edy Almer How to Secure and Automate Your Heterogeneous Cisco Environment Yogesh Kaushik, Senior Director Cisco Doug

More information

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version

Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version Test Accredited Configuration Engineer (ACE) Exam PAN OS 6.0 Version ACE Exam Question 1 of 50. Which of the following statements is NOT True regarding a Decryption Mirror interface? Supports SSL outbound

More information

Protection - Before, During And After Attack

Protection - Before, During And After Attack Advanced Malware Protection for FirePOWER TM BENEFITS Continuous detection of malware - immediately and retrospectively Inline detection of sophisticated malware that evades traditional network protections

More information

Cisco Advanced Malware Protection for Networks

Cisco Advanced Malware Protection for Networks Data Sheet Cisco Advanced Malware Protection for Networks Product Overview Fighting malware effectively today requires new approaches, strategies, and technologies. Cisco Advanced Malware Protection (AMP)

More information

Peter Henry Andersen Cisco SE Ib Hansen Cisco SE Tech Update 04 Maj Cisco and/or its affiliates. All rights reserved.

Peter Henry Andersen Cisco SE Ib Hansen Cisco SE Tech Update 04 Maj Cisco and/or its affiliates. All rights reserved. Peter Henry Andersen Cisco SE Ib Hansen Cisco SE Tech Update 04 Maj 2016 2013 Cisco and/or its affiliates. All rights reserved. Cisco Meraki Cloud - UPDATE Cisco Meraki MR Wireless LAN Cisco Meraki MX

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, page 1 Service Subscriptions for Firepower Features, page 2 Smart Licensing for the Firepower System,

More information

Cisco ASA 5500 Series IPS Solution

Cisco ASA 5500 Series IPS Solution Cisco ASA 5500 Series IPS Product Overview As mobile devices and Web 2.0 applications proliferate, it becomes harder to secure corporate perimeters. Traditional firewall and intrusion prevention system

More information

Cato Cloud. Global SD-WAN with Built-in Network Security. Solution Brief. Cato Cloud Solution Brief. The Future of SD-WAN. Today.

Cato Cloud. Global SD-WAN with Built-in Network Security. Solution Brief. Cato Cloud Solution Brief. The Future of SD-WAN. Today. Cato Cloud Global SD-WAN with Built-in Network Security Solution Brief 1 Legacy WAN and Security Appliances are Incompatible with the Modern Enterprise The rise of cloud applications and mobile workforces

More information

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test.

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test. Exam Code: 700-303 Number: 700-303 Passing Score: 800 Time Limit: 120 min File Version: 41.2 http://www.gratisexam.com/ Exam Code: 700-303 Exam Name: Advanced Borderless Network Architecture Systems Engineer

More information

Symantec Endpoint Protection Family Feature Comparison

Symantec Endpoint Protection Family Feature Comparison Symantec Endpoint Protection Family Feature Comparison SEP SBE SEP Cloud SEP Cloud SEP 14.2 Device Protection Laptop, Laptop Laptop, Tablet Laptop Tablet & & Smartphone Smartphone Meter Per Device Per

More information

Licensing the Firepower System

Licensing the Firepower System The following topics explain how to license the Firepower System. About Firepower Feature Licenses, on page 1 Service Subscriptions for Firepower Features, on page 2 Smart Licensing for the Firepower System,

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 648-375 Exam Questions & Answers Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 22.1 http://www.gratisexam.com/ Cisco 648-375 Exam Questions & Answers Exam Name: Cisco Express

More information

WHITE PAPER ARUBA SD-BRANCH OVERVIEW

WHITE PAPER ARUBA SD-BRANCH OVERVIEW WHITE PAPER ARUBA SD-BRANCH OVERVIEW June 2018 Table of Contents Overview of the Traditional Branch...1 Adoption of Cloud Services...1 Shift to the Internet as a Business Transport Medium...1 Increasing

More information

FireSIGHT Virtual Installation Guide

FireSIGHT Virtual Installation Guide Version 5.3.1 July 17, 2014 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL

More information

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Cisco AnyConnect as a Service György Ács Regional Security Consultant Mobile User Challenges Mobile and Security Services Web Security

More information

Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2. Tuncay Seyran

Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2. Tuncay Seyran Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2 Tuncay Seyran Security in a virtualized environment: same security risks + more TRADITIONAL SECURITY RISKS IMPACTING VIRTUAL ENVIRONMENTS

More information

Cisco Meraki Cloud Managed IT Solution Derrick Phua. May 12, 2017

Cisco Meraki Cloud Managed IT Solution Derrick Phua. May 12, 2017 Cisco Meraki Cloud Managed IT Solution Derrick Phua May 12, 2017 Why cloud managed IT? On-Demand scalability The cloud increases IT efficiency Manageability Scalability Cost Savings Turnkey installation

More information

Cisco SD-WAN. Intent-based networking for the branch and WAN. Carlos Infante PSS EN Spain March 2018

Cisco SD-WAN. Intent-based networking for the branch and WAN. Carlos Infante PSS EN Spain March 2018 Cisco SD-WAN Intent-based networking for the branch and WAN Carlos Infante PSS EN Spain March 2018 Aug-12 Oct-12 Dec-12 Feb-13 Apr-13 Jun-13 Aug-13 Oct-13 Dec-13 Feb-14 Apr-14 Jun-14 Aug-14 Oct-14 Dec-14

More information

Threat Centric Network Security

Threat Centric Network Security BRKSEC-2056 Threat Centric Network Security Ted Bedwell, Principal Engineer Network Threat Defence Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this

More information

NGFWv & ASAv in Public Cloud (AWS & Azure)

NGFWv & ASAv in Public Cloud (AWS & Azure) & in Public Cloud (AWS & Azure) Anubhav Swami, CCIE# 21208 Technical Marketing Engineer Your Speaker Anubhav Swami answami@cisco.com Technical Marketing Engineer 5 years in Cisco TAC 2 years in ASA BU

More information

Security, Internet Access, and Communication Ports

Security, Internet Access, and Communication Ports Security, Internet Access, and Communication Ports The following topics provide information on system security, internet access, and communication ports: Security Requirements Security Requirements, on

More information

Data Center Security. Fuat KILIÇ Consulting Systems

Data Center Security. Fuat KILIÇ Consulting Systems Data Center Security Fuat KILIÇ Consulting Systems Engineer @Security Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized

More information

NETWORKING &SECURITY SOLUTIONSPORTFOLIO

NETWORKING &SECURITY SOLUTIONSPORTFOLIO NETWORKING &SECURITY SOLUTIONSPORTFOLIO NETWORKING &SECURITY SOLUTIONSPORTFOLIO Acomprehensivesolutionsportfoliotohelpyougetyourbusiness securelyconnected.clickononeofoursolutionstoknowmore NETWORKING

More information

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers Speaker: Mun Hossain Director of Product Management - Security Business Group Cisco Twitter: @CiscoDCSecurity 2 Any

More information

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016 Network Automation and Branch Agility The Network Helps Enable Digital Business Rajinder Singh Product Sales Specialist June 2016 Agenda WAN Market Drivers Cisco Intelligent WAN (IWAN) Cisco Intelligent

More information

Cisco Security Enterprise License Agreement

Cisco Security Enterprise License Agreement Cisco Security Enterprise License Agreement Deploy Software and Technology more easily The Cisco Security Enterprise Licensing Agreement (ELA) gives you a simpler way to manage your licenses. And it saves

More information

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN

SteelConnect. The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN Data Sheet SteelConnect The Future of Networking is here. It s Application-Defined for the Cloud Era. SD-WAN Cloud Networks Branch LAN/WLAN The Business Challenge Delivery of applications is becoming more

More information

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ Q-Balancer Range FAQ The Q-Balance LB Series The Q-Balance Balance Series is designed for Small and medium enterprises (SMEs) to provide cost-effective solutions for link resilience and load balancing

More information

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall

New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall New methods to protect the network. Deeper visibility with Cisco NGFW Next Generation Firewall Claudiu Onisoru, Senior Network Specialist Cisco Connect - 15 May 2014 1 Agenda Frontal Communication: Who

More information