Take the Hassel out of your ISE deployment! K.I.T.T. Know ISE Through Training BRKSEC-2059 - Deploying ISE in a Dynamic Public Environment BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Deploying ISE in a Dynamic Public Environment Clark Gambrel, CCIE #18179 Technical Leader, Engineering, Security Business Group BRKSEC-2059
Introduction
Clark Gambrel, CCIE #18179 Technical Leader Engineering Security Business Group cgambrel@cisco.com @ClarkGambrel BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
KENTUCKY BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Here BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
KENTUCKY Kentucky is known for BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
KENTUCKY BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
KENTUCKY BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Agenda Introduction Public environments, Why are they so challenging? Advice Words to live by in any environment (Best Practice!) Education What we have learned Hospitals/Medical Protecting the heart of your network Public Transportation Tips for the thrifty traveler Conclusion
Please Fill Out The Survey! BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Cisco ISE & TrustSec Sessions: Building Blocks BRKSEC-3699 Designing ISE for Scale & High Availability (Thurs 8:00 am) BRKCOC-2015 Cisco IT's Assured Network Access: (ISE) Deployment and Best Practices (Thurs 10:30am). BRKSEC-3697 Advanced ISE Services, Tips and Tricks (Wed 8:00am) (Thurs 8:00am) BRKSEC-2045 - Mobile Devices and BYOD Security - Deployment and Best Practices (Mon 4:00pm) (Tue 4:00pm) PSOSEC-2009- ISE 2.0 & 2.1 Features (Tue 12:30 pm + Wed 10:30 am) BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec (Mon 1:30 pm + Wed 8:00 am) BRKSEC-2059 Deploying ISE in a Dynamic Public Environment (Thurs 8:00 am) BRKCRS 1449 Enabling Security Everywhere on Enterprise Networks (Mon 4:00pm) BRKCRS-2893 Choice of Segmentation and Group-based Policies (Thurs 8:00am) BRKSEC-2203 Deploying TrustSec Security Group Tagging (Tue 1:30pm) BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through (Wed 1:30pm) BRKSEC-2026 - Building Network Security Policy: Through Data Intelligence (Thurs 1:00pm) 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Public environments, Why are they so challenging?
Public environments, Why are they so challenging? On average each person carries 2.9 devices BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Kenny Louie under Creative Commons License BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers New and Improved - http://tvtropes.org BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Public environments, Why are they so challenging? On average each person carries 2.9 devices Each year new devices are introduced Devices add new technology enhancements, i.e. TLS versions, mini browsers Device behavior differs from one OS version to the next Dilbert 2010 BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Public environments, Why are they so challenging? Devices are mostly unmanaged Source www.huffingtonpost.com BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Where s the ANY key? BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Public environments, Why are they so challenging? Devices are mostly unmanaged End users have different levels of knowledge when it comes to configuring their own devices Users expect a simple experience, similar to home use Lots of configuration parameters on ISE/Wireless Controller, which are correct? BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Advice Words to live by in any environment (Best Practice)
Advice: Timers Displaying a Clock Collection - www.doityourself.com BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Advice: Old Timers BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Advice: Timers BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Advice: Timers WLC: Radius Default timer value of 2 seconds is too short During busy times, Authentication latency may increase and exceed the default value Use best practice value between 5-10 seconds, typically Use timers appropriate to the environment (tune for your environment) Some remote/cloud based radius servers may have higher authentication latency and require some tweaking. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Advice: Timers WLC: Radius - Continued Setting timers too long and the client might restart its session, retries from radius server will be dropped Avoid unnecessary radius server flaps with timers that are too short PSN1 PSN2 Radius flapping can have some major impacts on an ISE deployment Superman II, Warner Brothers 1980 BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Advice: Timers - Radius Typically 5-10 seconds BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Advice: Timers - Radius Typically 5-10 seconds Usually matches Auth server timeout value BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Advice: Timers WLC: Radius - Continued Make sure that Aggressive Failover is disabled in the command line of the WLC This can have a big impact on ISE and Wireless Auths in general (Cisco Controller) >config radius aggressive-failover disable BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Advice: Timers - WLANs Increase Session Timeout to 2+ hours (7200+ sec), if Enabled (recommended) BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Advice: Timers - WLANs This can also be sent as a Radius attribute in ISE under the AuthZ Profile BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Advice: Timers - WLANs Increase Client Exclusion to 180+ seconds (3+ mins) BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Advice: Timers - WLANs For 802.1X SSIDs, Increase Client Idle Timeout to 1 hour (3600 sec) For Guest/Hotspot SSIDs, leave this low (300 sec) to free up resources (http redirect sessions) for clients that have disconnected BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled Behavior: Only send update on IP address change Ensures we get critical IP updates (Framed-IP-Address) and Device Sensor updates. Device Sensor updates not impacted BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Advice: Timers - WLANs Interim Update WLC 7.6: Recommended setting: Disabled WLC 8.0: Recommended setting: Enabled with Interval set to 0 Behavior: Only send update on IP address change Device Sensor updates not impacted Settings mapped correctly on upgrades BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications listed in ISE 1.3+ Installation Guide BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. Specifications listed in ISE 2.0.1+ Installation Guide BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Advice: VM Resources Reservations To be successful (and supported) ISE VMs must be built with Dedicated Resources that are equivalent to the hardware appliance. In 1.3 we added OVA Templates for deploying SNS-3415 and SNS-3495 equivalent hardware. That has been expanded to include the SNS-3515 and SNS- 3595 platforms as well. It is highly recommended that you use these templates! BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Advice: VM Resources Reservations Admin and MnT nodes rely heavily on disk usage (read/writes). Deploying ISE in VMware environments where shared disk storage is utilized may not give a like disk performance when compared to physical appliances Increasing the number of disk shares that a node is allocated can in most cases increase performance of the node. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Advice: VM Resources Reservations - Before & After Chart BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Advice: VM Resources Reservations Before & After Graph BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Administration Settings Protocols Radius BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Advice: Avoid Meltdowns ISE Settings Make sure that you have Anomalous Suppression Detection enabled, suppress misbehaving clients as well as repeated successful authentications Only use the profiling probes/information that you need. Don t have information overload. Avoid probes that use SPAN. Start with Radius only first. Use device sensors in network access device Administration Deployment Profiling BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Advice: Avoid Meltdowns ISE Settings Enable EndPoint Attribute Filter Administration Settings Profiling BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Advice: Avoid Meltdowns ISE Settings Enable EndPoint Attribute Filter Avoid Radius Flapping BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Advice: Bugs!!! BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Advice: Bugs CSCuu68490 - duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Advice: Bugs CSCuu68490 - duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information 47ms Same data Different ID BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Advice: Bugs CSCuu68490 - duplicate radius-acct update message sent while roaming If Radius NAC is configured on a WLAN and a client connected to it roams, the WLC will send two accounting update packets These packets are unique (different radius IDs) but contain the same information Currently resolved in 8.1.131.0+ and 8.2.100.0+ WLC code versions. 8.0 MR3+ BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Advice: Bugs CSCuz76370 - Purging of EP's dependency is on Oracle to determine EP Owner BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Inter-Node Communications Radius Flapping can be a real mess! MnT Profiling sync leverages JGroup channels All replication outside node group must traverse PAN including Ownership Change! If Local JGroup fails, then nodes fall back to Global JGroup communication channel. MnT PAN PAN WLC PSN5 says I own this mac address PSN1 PSN PSN3 says L2 or L3 Ok PSN5 owns this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN6 BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Inter-Node Communications Radius Flapping can be a real mess! MnT Ok, now Radius flapping occurs. This could be due to timeouts received to WLC or due to the Radius NAC accounting bug This will also happen if a PSN receives profiling information for an endpoint that it doesn t own MnT PAN PAN WLC PSN5 says Ok PSN3 owns this mac address PSN1 PSN PSN3 says I L2 or L3 own this mac address PSN PSN2 NODE GROUP A (JGROUP A) PSN4 PSN PSN PSN5 NODE GROUP B (JGROUP B) PSN PSN3 PSN PSN6 BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Avoid Radius Flapping USE BEST PRACTICE!!! BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
Education What we have learned
Education: High Authentication Latency eduroam eduroam allows users from participating organizations to use their local credentials while visiting other eduroam locations to access the internet. eduroam is a cloud based Radius proxy. It acts as a federation point between education/research based entities and their Radius servers. eduroam s Radius proxy is accessed via the internet. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Education: High Authentication Latency eduroam jsmith@usau.edu username: jsmith@usau.edu Radius: Accept High Latency? BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Education: High Authentication Latency eduroam Due to the high authentication latency sometimes associated with cloud based radius servers, it may be necessary to adjust your radius timers. If using a load balancer, create a separate VIP for eduroam (can contain the same PSNs) If no load balancer, dedicate PSNs for eduroam (or other high latency SSIDs), if possible BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Education: Students Converge at Lunch High Density Student s roaming patterns especially during meal times and events can cause an increased load on your wireless and ISE infrastructure. Make sure that you have enough wireless density to handle this converged access. Distribute the load across multiple PSNs to avoid overwhelming a single server. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Education: User w/multiple devices PEAP Problem Good reason to use EAP-TLS Students carry multiple devices PEAP-MSChapV2 as 802.1X Authentication Method may cause AD lockouts if not changed on all devices. Locked accounts generate Help desk calls. A single device with old password may cause repeated AD lockouts BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Hospitals/Medical Protecting the heart of your network
Hospital: Medical Devices Securing and Profiling Most medical devices don t support 802.1X BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Hospital: Medical Devices Securing and Profiling Encrypt! Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Hospital: Medical Devices Securing and Profiling Most medical devices don t support 802.1X To protect patient data, use WPA2- PSK with Mac Filtering and Profiling Use unique attributes to profile your medical devices Typical attributes that work well for medical devices are dhcp-classidentifier, dhcp-parameterrequest-list and host-name BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Zebra Technologies Completes Acquisition of Motorola Solutions' Enterprise Business Press Releases 2014 ZIH Corp BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means Before acquisition: BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. What this means After acquisition: BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates www.apple.com BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Hospital: Beware of Profiling Changes Causes for change OUI information changes and Device Feed Service updates. Device OS/Firmware updates Spoofed MAC Addresses with new or different profiling attributes BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an email, whenever a device matches that policy. Currently we can enable for a single policy only. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Hospital: Beware of Profiling Changes Alternate Policy Match with Alarms It is possible to build a fallback policy below your original policy that relies on a static MAC Whitelist (No profiling) This policy would catch any device that was in the configured whitelist and allow network access, simple right? You can then add an alarm to send an email, whenever a device matches that policy. Currently we can enable for a single policy only. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Hospital: Paging Dr. Ihateloggingin Suggestions for better user experience Doctors by nature are usually very busy and the last thing they want to do is to spend time logging into a webportal or changing a PEAP password. Use EAP-TLS A better option, if available would be to use EAP-TLS and CWA-Chaining to a Single Sign On (SSO) server. This would allow the end user to leverage the SSO token for other portals as well. Add an AUP check rule to stay logged in. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Hospital: Nurse Carts/IP Phones Advice on corporate devices Nurses typically use rolling computer carts for charting patient information. To ensure continuous connections for these devices, survey your wireless for Voice applications. For ease of use and manageability, use Active Directory Group Policy Objects (GPO) to manage the supplicants and certificates of AD joined devices. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Hospital: Medical NAC Profiles custom built for medical devices Secure-access options for healthcare-specific devices Identification and classification of healthcarespecific devices (250+ devices) Profiling methods and best practices Thank s Craig! Segmentation of medical devices BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Public Transportation Tips for the thrifty traveler
Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Airport: Hotspot setup with custom redirect Using AP groups/names You can use ISE to target advertising to your clients AP groups/names or some unique Radius attributes returned from the WLC during authentication can be used as location Matched policies based on these locations can send unique portals that advertise local businesses and shops near the user. Create unique portal pages for each area. Advertisements can be built into the portal page or referenced from an external server. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Airport: Hotspot setup with custom redirect Using MSE and ISE 2.0 New to ISE 2.0, you can now leverage Mobility Services Engine (MSE) for physical location tracking Location information returned from the MSE can be used in the Authorization rule for directing clients to the portal serving their location. 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Soapbox: Buy Public Certificates Stop teaching users to accept Man-in-the-middle attacks! BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Conclusion
Conclusion Review Public Environments can be challenging Avoid ISE meltdowns Keep up to date with versions and patches, be aware of software defects that might affect your environment Use advice in this guide to solve challenges in your environment Use Real Best Practice to ensure that you have a successful deployment. BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Public ISE Community Public ISE Community: http://cs.co/ise-community Monitored and Responded to by TME s on my Team Ask Questions There Get Answers by Cisco Experts & Partners BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Security Joins the Customer Connection Program Customer User Group Program 19,000+ Who can join: Cisco customers, service providers, solution partners and training partners Private online community to connect with peers & Cisco s Security product teams Monthly technical & roadmap briefings via WebEx Opportunities to influence product direction Members Strong Join in World of Solutions Security zone Customer Connection stand Learn about CCP and Join New member thank-you gift* Customer Connection Member badge ribbon Local in-person meet ups starting Fall 2016 New member thank you gift * & badge ribbon when you join in the Cisco Security booth Other CCP tracks: Collaboration & Enterprise Networks Join Online www.cisco.com/go/ccp Come to Security zone to get your new member gift* and ribbon Presentation ID * While supplies last 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 93
Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions BRKSEC-2059 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
Thank you