Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. TACCCIO: Cisco Security Strategies Cesar Chavez, Cisco Security Consultant CCIE #16943, CISSP


TRANSCRIPT

Page 1

TACCCIO: Cisco Security Strategies
Cesar Chavez, Cisco Security Consultant, CCIE #16943, CISSP

Page 2

Page 3

Page 4

McKinsey and Company, June 2011

Page 5

“Value continues to migrate online, and digital data have become more pervasive”

Student and staff records, home addresses, payroll, grade manipulation

Page 6

Page 7

Delivering an exceptional learning and teaching experience securely

Page 8

ACADEMIC

FREEDOM

SECURITY IMPERATIVES

Compliance

Any Device

Faculty Collaboration

Open Network Access

Remote Campus

Threat Defense

Page 9

Requires a NEW Security Approach

Page 10

1 From piecemeal security approach to architecture-based

2 From physical structure-based security to secure distributed and virtual environments

3 Secure any user device, always on

4 Consistent policy and management for any access: wired, wireless, mobile, remote

5 Visibility and compliance: reporting, end-to-end encryption, management

Page 11

Keep Bad Stuff Out

Protect the Good Stuff

Be Compliant

Keep Critical Services Running

Cost Efficient

Provide Visibility: Users, Devices, Activities

REQUIRES AN ARCHITECTURAL APPROACH

Page 12

Page 13

[Architecture diagram; labels recovered from the slide]

Management Services Partners

Application Programming Interfaces

Secure Endpoint

Secure Virtual and Cloud

Cisco Infrastructure: Control, Visibility, Context

Network, Cloud: Integrated Overlay

Context Aware Enforcement

Context Aware Policy

Access Control

TrustSec

AnyConnect

Nexus 1K and Cloud Connected Network

Cisco SIO Threat Intelligence

Page 14

Portfolio areas: Network Security, Access Control, Secure Mobility, Secure Cloud and Virtualization, Content Security

• Firewall
• IPS
• VPN
• Security management
• Virtual security
• Security modules
• Policy Management
• 802.1x
• NAC
• Posture assessment
• Device profiling
• Identity Services
• Confidentiality
• VPN
• Mobile security client
• Wireless IPS
• Remote worker
• Virtual office
• Mobility security
• Email Security
• Web Security
• Cloud-based content security services

Threat Intelligence: SIO

Page 15

CHALLENGE: Global, Sophisticated Threats

• Highly sophisticated blended threats; no one looks like another
• Undetected malware disables security, steals data, enables remote system access
• Signature and local data-based detection limit protection

Examples with risk rating: Microsoft Update malware (severe), Koobface (severe), Haiti earthquake scam email (medium)

Page 16

CISCO SOLUTION: Global Visibility

• Largest threat analysis system; blended threat protection
• 700K+ global sensors
• 5 billion web requests/day
• 35% of global email traffic
• Endpoint threat telemetry
• Reputation, spam, malware and web category analysis, and application classification

[Diagram: SIO Global Intelligence. Inputs from ISPs, partners and sensors (IPS, ASA, WSA, ESA, Cisco AnyConnect); researchers, analysts and developers; output is applied mitigation bulletins]

Page 17

CHALLENGE

• Highly mobile students require access to network and datacenter services
• Variety of user-owned devices blend user and faculty profiles
• Device loss/theft: highest risk of corporate data loss and compliance breach
• 462 million

Page 18

CISCO SOLUTION: Any User, Any Device Support

• Industry's only unified client solution; always-on security
• Broad device support: Windows XP/7, Mac OS X, Linux, Apple iOS (iPhone and iPad), Nokia Symbian, webOS, Windows Mobile, Android* (soon)
• Secure connectivity
• End-to-end encryption with MACsec
• Hybrid web security

[Diagram: Cisco AnyConnect; ASA, WSA, ISR, access switches; internal, cloud and social applications]

Page 19

CHALLENGE: Access From Any Device

• Identity-aware and role-based access control
• Guest access
• Policy enforcement from any user device to data center
• Network-wide confidentiality protection

[Diagram labels: Classroom, PUB]

Page 20

CISCO SOLUTION: Access Control

• Consistent identity-aware policy from any device to data center, based on business needs
• Policy distribution and intelligence through the network
• Security Group Tagging scales context-aware enforcement

POSTURE-BASED PERMISSIONS
1. Permit/Deny based on policy
2. Authorized devices tagged with policy
3. Policy tags enforced by the network

[Diagram: VPN, Data Center, Virtual DC Machines; ALLOWED / DENIED; WHO, WHAT, WHERE, WHEN, HOW?; MACsec]

Page 21

CHALLENGE: Remote Campus

• Limited IT and security resources in branch; cost multiplier
• SaaS and cloud drive split tunnel; introduce new security challenges
• Compliance requirements
• Remote faculty

[Diagram: Data Center, Main Campus, SaaS, Internet]

Page 22

CISCO SOLUTION: ISR G2

• VPN (IPsec, GET VPN, DMVPN, SSL), FW, IPS, ScanSafe client
• Best ROI (simplicity, consistency, integrated); cost savings and performance from split tunneling
• WAN optimization
• Wireless LAN/WAN
• Ethernet switch
• Integrated server
• Full branch security features
• Best ROI (replicable)
• Security + application optimization

[Diagram: Main Campus]

Page 23

CHALLENGE

• New security blind spots, and lack of cloud visibility
• Unfamiliar with new technologies and lack of consistency
• Significant scaling demands

Page 24

CISCO SOLUTION: High-Performance Security Solutions Optimized for the Data Center

• Unified security for physical and virtual environments; granular zone-based, context aware policy
• Policy traversal
• Secure application traversal
• vMotion aware
• Secure VM segmentation
• Secure cloud segmentation

Products: Nexus 1000V, ASA 5585-X and ASA-SM, IPS sensors, Virtual Security Gateway

Secure private clouds, secure public clouds, secure hybrid clouds

Page 25

• Make information security a strategic component of your decision making process
• Classify and assign values to the data and applications on your network
• Build an access policy around those assets
• Build a perimeter defense around the datacenter and inside the virtual infrastructure
• Create a threat response plan
• Revisit and refresh information security access policies, data classification, and data values
• Work with your peers to find better ways to protect your data, applications, and infrastructure

Page 26

1 Pervasive Network Visibility and Control

2 Consistent Enforcement of Context-aware Policy

3 Security Intelligence (SIO) Protects Against Next Generation of Threats

4 Network Integration Delivers Scalable Security from Endpoints to Data Center

5 Industry’s Richest, Most Innovative Security Portfolio and Professional Services

Page 27

Page 28

Students: Mobile users, technology savvy, fast adopters of new technology; arrive on campus with an array of mobile devices and applications

Administration, Facilities, Security, and Staff: Need access to tools, records and resources for administration, maintenance and safety

Faculty: Real and virtual classrooms and office hours; need access to e-mail, office and administration tools, Web 2.0 applications, and research information

Visitors (Prospective Students, Alumni, Vendors, and Guests): Enhance learning experience for prospective students, increase alumni connection and accelerate decision making

Page 29

Access Evolution: IT Resources Stay the Same

Early 90s: Fixed User
• Wired access
• One user, one device

Late 90s: Mobile User
• Wireless access
• One user, local devices

Today: Borderless User
• Anytime, anywhere access
• One user, many devices

Effectively support users with box management; need for policy and control; need for operational efficiency

Page 30

The Mobile Campus: Locations and Places

• Outdoor campus
• Indoor campus
• Faculty and staff home
• Student residences
• Sporting venues
• Community spaces

Page 31

[Diagram: context attributes User, Location, Time, Device, Attribute X]

PC and Non-PC Devices

IT Is Struggling With:
• Classifying managed vs unmanaged endpoints
• Identifying devices that cannot authenticate
• Mapping users to devices

But There are Barriers:
• Multiple access mediums
• Endpoint certainty
• No automated way to discover new endpoints

Page 32

Differentiated Access (Student: “Can I get my iPad onto the network?”)

• Full access to campus resources: low maintenance, high risk
• No access through campus network: low maintenance, low risk
• Differentiated access: high maintenance, moderate risk

Unified Access Management with a centralized policy engine:
• Simplified, scalable access policy
• Converged monitoring and troubleshooting
• Low maintenance, low risk

Page 33

Purpose-Built, Complete, and Reliable Profiling

• Cisco ISE uses SNMP, NetFlow, DNS, RADIUS, HTTP, and DHCP to increase accuracy, reduce spoofability

• Works across wired and wireless

• Completely integrated with RADIUS/AAA

• Includes additional services (posture, guest/portal, etc.)

Scalable Policy Enforcement

• Switch, WLAN controller, and VPN as an enforcement point

• Flexible control (VLAN, dACL/ACL, QoS, SGA, etc.) based on any contextual attributes (user, device, group, location, time, etc.)

Unified Management

• ISE detailed reports and troubleshooting tools (user, device, session, etc.) can be accessed from within NCS 1.0 providing a single pane of glass into user, device, and network across wired and wireless infrastructure

[Diagram: context attributes User, Location, Time, Device, Attribute X]
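The three steps these slides describe, multi-probe profiling, authorization from contextual attributes, and enforcement of the resulting tag by the network (the POSTURE-BASED PERMISSIONS sequence on page 20 and the ISE profiling and enforcement bullets above), as an added Python illustration. This is not Cisco, ISE or TrustSec code: the OUI table, the DHCP option-55 fingerprints, the user groups, VLAN numbers, dACL names, SGT names and the SGT policy matrix are all constructed sample data, and every rule is hypothetical.

```python
"""Context-aware access control in three steps: profile the endpoint from several
independent probes, authorize the session from (user, device, posture, location,
time), then enforce the Security Group Tag (SGT) assigned to it on the data path.

Added illustration only; not Cisco ISE or TrustSec code. The OUI table, the DHCP
option-55 fingerprints, user groups, VLANs, dACL names, SGT names and the policy
matrix are constructed sample data, and every rule below is hypothetical."""
from dataclasses import dataclass
from typing import Optional

# --- 1. Profiling. Each probe votes for a device class and agreement is required.
#        Spoofing one attribute (a MAC address, say) is not enough while the DHCP
#        fingerprint and the HTTP user agent still vote for something else.
OUI_CLASS = {"00:1b:63": "apple", "3c:5a:b4": "printer"}        # constructed sample OUIs
DHCP_CLASS = {                                                   # constructed option-55 lists
    "1,121,3,6,15,119,252": "apple",
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "windows",
    "1,3,6,12,15,28,42": "printer",
}

def profile_device(mac: str, dhcp_param_list: str, user_agent: str) -> str:
    """Return the agreed class, 'conflict' if probes disagree, 'unknown' if none matched."""
    votes = set()
    oui_guess = OUI_CLASS.get(mac.lower()[:8])
    if oui_guess:
        votes.add(oui_guess)
    dhcp_guess = DHCP_CLASS.get(dhcp_param_list or "")
    if dhcp_guess:
        votes.add(dhcp_guess)
    ua = (user_agent or "").lower()
    if any(k in ua for k in ("iphone", "ipad", "macintosh")):
        votes.add("apple")
    elif "windows" in ua:
        votes.add("windows")
    if not votes:
        return "unknown"
    return votes.pop() if len(votes) == 1 else "conflict"

@dataclass(frozen=True)
class Session:
    user_group: Optional[str]   # from RADIUS/AAA; None for endpoints that cannot authenticate
    device: str                 # output of profile_device
    posture: str                # "compliant", "noncompliant" or "unknown"
    location: str               # e.g. "classroom", "residence", "vpn"
    hour: int                   # local hour of day, 0-23

@dataclass(frozen=True)
class Authorization:
    vlan: int
    dacl: str
    sgt: str

# --- 2. Authorization. Rules are evaluated top-down; first match wins; default is guest.
QUARANTINE = Authorization(999, "permit-remediation-only", "Quarantine")

def authorize(s: Session) -> Authorization:
    if s.device == "conflict":                       # probes disagree: isolate until reprofiled
        return QUARANTINE
    if s.user_group == "staff":
        return Authorization(20, "permit-all", "Staff") if s.posture == "compliant" else QUARANTINE
    if s.user_group == "student":
        if s.location == "classroom" and 8 <= s.hour < 18:
            return Authorization(30, "permit-lms-and-internet", "Student")
        return Authorization(31, "permit-internet-only", "Student")
    if s.user_group is None and s.device == "printer":   # profiled, cannot authenticate
        return Authorization(40, "permit-print-protocols", "Printer")
    return Authorization(50, "redirect-guest-portal", "Guest")

# --- 3. Enforcement. The network matches (source SGT, destination SGT), not addresses,
#        so policy does not change when a device moves between VLANs or locations.
SGT_MATRIX = {                                       # constructed; any pair not listed is denied
    ("Staff", "Records"): True, ("Staff", "LMS"): True, ("Staff", "Printer"): True,
    ("Student", "LMS"): True, ("Student", "Printer"): True,
    ("Quarantine", "Remediation"): True,
}

def permitted(src_sgt: str, dst_sgt: str) -> bool:
    return SGT_MATRIX.get((src_sgt, dst_sgt), False)

if __name__ == "__main__":
    # A laptop that borrows a printer's MAC to dodge authentication: the DHCP
    # fingerprint and the browser still say Windows, so the probes conflict.
    cls = profile_device("3C:5A:B4:00:11:22",
                         "1,3,6,15,31,33,43,44,46,47,119,121,249,252",
                         "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0")
    auth = authorize(Session(None, cls, "unknown", "classroom", 10))
    print(cls, auth.sgt, permitted(auth.sgt, "Records"))
```

The point of the conflict branch is the “reduce spoofability” claim: a MAC-only whitelist would have let the borrowed printer address through, but the device can only pass here by making every probe agree, which is much harder than changing one address. The top-down, first-match rule order is the same shape a rule-based policy engine uses, and the SGT matrix is what lets the same permit/deny decision follow a device across VLANs, wireless and VPN without rewriting address-based ACLs.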

Page 34

• Move to an architecture-based, strategic approach to security

• Demand embedded security from your security manufacturers

• Policy can be built to enable BYOD and secure mobility

Page 35

Thank you.