Post on 06-May-2018
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
TACCCIO: Cisco Security Strategies
Cesar Chavez, Cisco Security Consultant, CCIE #16943, CISSP
"Value continues to migrate online, and digital data have become more pervasive." (McKinsey and Company, June 2011)
Student and staff records, home addresses, payroll, grade manipulation
Delivering an exceptional learning and teaching experience securely
Academic Freedom vs. Security Imperatives
• Compliance
• Any Device
• Faculty Collaboration
• Open Network Access
• Remote Campus
• Threat Defense
Requires a NEW Security Approach
1. From a piecemeal security approach to architecture-based
2. From physical structure-based security to secure distributed and virtual environments
3. Secure any user device, always on
4. Consistent policy and management for any access: wired, wireless, mobile, remote
5. Visibility and compliance: reporting, end-to-end encryption, management
• Keep Bad Stuff Out
• Protect the Good Stuff
• Be Compliant
• Keep Critical Services Running
• Cost Efficient
• Provide Visibility: Users, Devices, Activities
REQUIRES AN ARCHITECTURAL APPROACH
Architecture diagram (figure): Management Services, Partners, Application Programming Interfaces; Secure Endpoint; Secure Virtual and Cloud; Cisco Infrastructure (Control, Visibility, Context); Network, Cloud, Integrated Overlay; Context Aware Enforcement; Context Aware Policy; Access Control; TrustSec; AnyConnect; Nexus 1K and Cloud Connected Network; Cisco SIO Threat Intelligence
Portfolio areas: Network Security, Access Control, Secure Mobility, Secure Cloud and Virtualization, Content Security
• Firewall
• IPS
• VPN
• Security management
• Virtual security
• Security modules
• Policy Management
• 802.1x
• NAC
• Posture assessment
• Device profiling
• Identity Services
• Confidentiality
• VPN
• Mobile security client
• Wireless IPS
• Remote worker
• Virtual office
• Mobility security
• Email Security
• Web Security
• Cloud-based content security services
Threat Intelligence: SIO
CHALLENGE: Global, Sophisticated Threats
• Highly sophisticated blended threats; no one looks like another
• Undetected malware disables security, steals data, enables remote system access
• Signature and local data-based detection limit protection
Examples shown (figure): Microsoft Update malware (risk: severe), Koobface (risk: severe), Haiti earthquake scam email (risk: medium)
CISCO SOLUTION: Global Visibility
• Largest threat analysis system; blended threat protection
• 700K+ global sensors
• 5 billion web requests/day
• 35% of global email traffic
• Endpoint threat telemetry
• Reputation, spam, malware and web category analysis, and applications classification
SIO global intelligence (figure): inputs from ISPs, partners and sensors (IPS, ASA, WSA, ESA); researchers, analysts and developers; output as applied mitigation bulletins
Cisco AnyConnect
CHALLENGE
• Highly mobile students require access to network and datacenter services
• Variety of user-owned devices blend user and faculty profiles
• Device loss/theft: highest risk of corporate data loss and compliance breach
462 million
CISCO SOLUTION: Any User, Any Device Support
• Industry's only unified client solution; always-on security
• Broad device support: Windows XP/7, Mac OS X, Linux, Apple iOS (iPhone and iPad), Nokia Symbian, webOS, Windows Mobile, Android* (soon)
• Secure connectivity
• End-to-end encryption with MACsec
• Hybrid web security
Figure: Cisco AnyConnect on the device, through ASA, WSA, ISR and access switches, to internal, cloud and social applications
CHALLENGE: Access From Any Device
• Identity-aware and role-based access control
• Guest access
• Policy enforcement from any user device to data center
• Network-wide confidentiality protection
Figure labels: Classroom, PUB
CISCO SOLUTION: Access Control
• Consistent identity-aware policy from any device to data center, based on business needs
• Policy distribution and intelligence through the network
• Security Group Tagging scales context-aware enforcement
POSTURE-BASED PERMISSIONS
1. Permit/deny based on policy
2. Authorized devices tagged with policy
3. Policy tags enforced by the network
Figure: VPN, data center and virtual DC machines marked ALLOWED or DENIED by who, what, where, when and how; MACsec on the links
CHALLENGE: Remote Campus
• Limited IT and security resources in branch; cost multiplier
• SaaS and cloud drive split tunnel; introduce new security challenges
• Compliance requirements
• Remote faculty
Figure: remote campus, data center, main campus, SaaS and Internet
CISCO SOLUTION: ISR G2
• VPN (IPsec, GET VPN, DMVPN, SSL), FW, IPS, ScanSafe client
• Best ROI (simplicity, consistency, integrated); cost savings and performance from split tunneling
• WAN optimization
• Wireless LAN/WAN
• Ethernet switch
• Integrated server
• Full branch security features
• Best ROI (replicable)
• Security + application optimization
Figure: ISR G2 in the branch, connected to the main campus
CHALLENGE: Data Center
• New security blind spots and lack of cloud visibility
• Unfamiliar with new technologies and lack of consistency
• Significant scaling demands
CISCO SOLUTION
• High-performance security solutions optimized for the data center
• Unified security for physical and virtual environments; granular zone-based, context-aware policy
• Policy traversal
• Secure application traversal
• vMotion aware
• Secure VM segmentation
• Secure cloud segmentation
Figure: Nexus 1000V, ASA 5585-X and ASA-SM, IPS sensors, Virtual Security Gateway; secure private, public and hybrid clouds
• Make information security a strategic component of your decision-making process
• Classify and assign values to the data and applications on your network
• Build an access policy around those assets
• Build a perimeter defense around the datacenter and inside the virtual infrastructure
• Create a threat response plan
• Revisit and refresh information security access policies, data classification, and data values
• Work with your peers to find better ways to protect your data, applications, and infrastructure
1. Pervasive Network Visibility and Control
2. Consistent Enforcement of Context-aware Policy
3. Security Intelligence (SIO) Protects Against Next Generation of Threats
4. Network Integration Delivers Scalable Security from Endpoints to Data Center
5. Industry's Richest, Most Innovative Security Portfolio and Professional Services
Students: mobile users; technology savvy; fast adopters of new technology who arrive on campus with an array of mobile devices and applications
Administration (administration, facilities, security, and staff): needs access to tools, records and resources for administration, maintenance and safety
Faculty: real and virtual classrooms and office hours; needs access to e-mail, office and administration tools, Web 2.0 applications, and research information
Visitors (prospective students, alumni, vendors, and guests): enhance learning experience for prospective students, increase alumni connection and accelerate decision making
IT Resources Stay the Same
Access Evolution: Early 90s, Late 90s, Today
• Fixed User (early 90s): wired access; one user, one device
• Mobile User (late 90s): wireless access; one user, local devices
• Borderless User (today): anytime, anywhere access; one user, many devices
Effectively support users with box management; need for policy and control; need for operational efficiency
The Mobile Campus, Locations and Places (figure): Outdoor Campus, Faculty and Staff Home, Sporting Venues, Community Spaces, Indoor Campus, Student Residences
PC and Non-PC Devices
Context attributes (figure): User, Location, Time, Device, Attribute X
IT Is Struggling With:
• Classifying managed vs. unmanaged endpoints
• Identifying devices that cannot authenticate
• Mapping users to devices
But There Are Barriers:
• Multiple access mediums
• Endpoint certainty
• No automated way to discover new endpoints
Differentiated Access
• Full Access to Campus Resources: low maintenance, high risk
• Differentiated Access: high maintenance, moderate risk
• No Access through Campus Network: low maintenance, low risk
Unified Access Management (centralized policy engine): simplified, scalable access policy; converged monitoring and troubleshooting; low maintenance, low risk
Figure: a student asks "Can I get my iPad onto the network?" of the centralized policy engine
Purpose-Built, Complete, and Reliable Profiling
• Cisco ISE uses SNMP, NetFlow, DNS, RADIUS, HTTP, and DHCP to increase accuracy, reduce spoofability
• Works across wired and wireless
• Completely integrated with RADIUS/AAA
• Includes additional services (posture, guest/portal, etc.)
Scalable Policy Enforcement
• Switch, WLAN controller, and VPN as an enforcement point
• Flexible control (VLAN, dACL/ACL, QoS, SGA, etc.) based on any contextual attributes (user, device, group, location, time, etc.)
Unified Management
• ISE detailed reports and troubleshooting tools (user, device, session, etc.) can be accessed from within NCS 1.0 providing a single pane of glass into user, device, and network across wired and wireless infrastructure
Context attributes (figure): User, Location, Time, Device, Attribute X
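The three posture-based permission steps on the Access Control slide and the multi-source profiling bullets above, as an added example that is not code from this deck or from Cisco ISE: the OUIs, DHCP class identifiers, policy tag names and destination names are all assumed values, and the "sources must agree" rule is one way to realise the slide's "reduce spoofability" point.

```python
# Added illustration, not Cisco's code: a context-aware access policy in the
# shape the slides describe. A device is profiled from independent sources
# (MAC OUI, DHCP class identifier, HTTP User-Agent); that plus who/when/where
# selects a policy tag that enforcement points apply. Lookup values constructed.
OUI_PLATFORM = {"00:1e:c2": "apple", "00:50:56": "vm"}      # constructed OUIs
DHCP_PLATFORM = {"MSFT 5.0": "windows", "iPhone": "apple", "iPad": "apple"}
TAG_ACCESS = {  # policy tag -> destinations the network permits (slide tiers)
    "FULL": {"internet", "lms", "datacenter"},
    "DIFFERENTIATED": {"internet", "lms"},
    "GUEST": {"internet"},
    "NONE": set(),
}

def ua_platform(user_agent):
    """Platform hint from an HTTP User-Agent string, or None."""
    ua = user_agent.lower()
    if any(k in ua for k in ("iphone", "ipad", "macintosh")):
        return "apple"
    return "windows" if "windows" in ua else None

def profile_device(ev):
    """Return (platform, number of agreeing sources). Disagreeing sources
    yield 'conflict': forging one attribute cannot upgrade a device."""
    guesses = [p for p in (
        OUI_PLATFORM.get(ev.get("mac", "")[:8].lower()),
        DHCP_PLATFORM.get(ev.get("dhcp_class", "")),
        ua_platform(ev.get("user_agent", ""))) if p]
    if not guesses:
        return "unknown", 0
    if len(set(guesses)) > 1:
        return "conflict", 0
    return guesses[0], len(guesses)

def assign_tag(role, ev, hour, location):
    """Steps 1-2 on the slide: WHO/WHAT/WHEN/WHERE -> permit/deny and tag."""
    platform, sources = profile_device(ev)
    if platform == "conflict":
        return "NONE"                      # mismatched evidence: deny
    if role == "guest":
        return "GUEST"
    if role == "faculty" and ev.get("managed") and location == "campus":
        return "FULL"                      # managed device on campus only
    if sources >= 2 and 6 <= hour < 23:
        return "DIFFERENTIATED"            # well-profiled device, in hours
    return "NONE"

def permitted(tag, destination):
    """Step 3: an enforcement point decides from the tag alone."""
    return destination in TAG_ACCESS.get(tag, set())
```

A device whose DHCP class says iPhone but whose MAC belongs to a VM vendor profiles as a conflict and gets no tag, while the same evidence in agreement earns differentiated access during hours.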
• Move to an architecture-based, strategic approach to security
• Demand embedded security from your security manufacturers
• Policy can be built to enable BYOD and secure mobility
Thank you.