Krishnan Thiruvengadam
Technical Marketing Engineer, Enterprise Policy and Access
BRKCRS-1449
#CLMEL
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKCRS-1449
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Abstract
For most businesses today, the role of IT is more demanding than it has ever been before. The explosion of
connected devices and the digitization of systems and services are leading to new challenges for IT departments
the world over. The convergence of IT megatrends, such as mobility, big data, Internet of Things (IoT), and
cloud, is connecting more people, processes, data, and things at a faster pace. In such a case, conventional
security practices are ineffective; we need new ways to protect in the digital era.
In this introductory session, you will learn how Cisco’s Digital Network Architecture (DNA) enables you to do
‘Security Everywhere.’ During the session, you will learn how to leverage network telemetry to identify, isolate,
and counter cyber-threats quickly, and how various Cisco security solutions drive value out of the network
infrastructure with consistent policy and user experience. You will also learn how to secure hundreds of branch
offices with similar principles of network visibility and enforcement, managed via a centralized user
experience.
Visibility story today
Network with only perimeter visibility
(Figure: internal hosts and the Internet edge; only the perimeter is visible)
What is needed?
Enabling visibility inside the network
(Figure: the same internal hosts and Internet edge, now with visibility inside the network)
Even better
Context based visibility and control
Easier to create & apply policy based on such context
(Figure: network fabric with Employee, Contractor, Supplier Server, Shared Internet Server and a Quarantine High Risk Segment; allowed and denied traffic marked)
Effective security depends on total visibility
A network touches everything, sees everything
An Intent based network is constantly learning, adapting, and protecting
Intent-based network infrastructure: powered by intent (Policy, Automation, Analytics), informed by context.
(Figure: HQ, Network, Data Center, Roaming Users, Admin)
Agenda
• Securing Access
• Behavior Analysis
• Effective Segmentation
• Securing Branch Offices
• Summary
Disclaimer
BRKCRS-1449 = Introductory session
FOR YOUR REFERENCE = Hidden Slide / Quick glance
Securing Access
What do we need to protect access?
Granular visibility into endpoints
Protect access with Cisco ISE
Cisco Identity Services Engine (ISE) is an industry leading Network Access Control and Policy Enforcement platform.
Visibility: context about everything touching the network (who, what, when, where, how, health, threats, CVSS)
Control: network access control and segmentation
Compliance: enterprises comply with industry regulations
Access policy for endpoints (wired, wireless, VPN) and for the network
Partner eco system via pxGrid & APIs: SIEM, MDM, NBA, IPS, IPAM, etc.
Role-based Access Control | Guest Access | BYOD | Secure Access
Security starts with visibility
ISE can tell you what device it is
An intelligent network shares endpoint telemetry with ISE
Endpoints send interesting data that reveal their device identity
(Figure: endpoints feeding Cisco ISE, with the DS Feed Service (Online/Offline) and ACIDex)
Building user context with ISE
Passive Identity: an AD login of DOMAIN\Jim is observed (“Jim Logged in”) and shared with Cisco ISE.
Active Identity: Alice authenticates through Cisco ISE, which verifies her against AD (“Alice?” – “Yes”).
Context Visibility into Users and Groups
Visibility into Endpoint Applications and process
Identity based secure access
(Figure: Employee and Contractor endpoints get network access to Protected Servers, Shared Services and the Public Network)
Authentication (certificates / passwords, e.g. user alice): Who are you?
Authorization: What can you do?
Authorization options
Beyond RADIUS ‘ACCESS-ACCEPT’ / ‘ACCESS-REJECT’:
• VLAN assignment: Employees VLAN 3, Guest VLAN 4, Remediation
• ACL per role: Employee: permit ip any any; Contractor: deny ip host <critical>, permit ip any any
• 16 bit SGT assignment and SGT based Access Control
• Per port / Per Domain / Per MAC
Behavioral Analysis
Inspecting, analyzing activity after letting in
The network is a valuable data source
Know more with less using Flexible NetFlow
Security analytics with Cisco Stealthwatch Enterprise
• Global threat intelligence (powered by Talos): intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Multilayered machine learning: combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Data collection: rich telemetry from the existing network infrastructure
• Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies
Conversational Flow
As seen in Stealthwatch Enterprise
(Figure: one conversation, 10.201.3.146 port 20765 to 108.160.160.160 port 80, observed on eth0/1 and eth0/2)
Additional sources: NBAR (Network Based Application Recognition) and AnyConnect with Network Visibility Module
Analyzing behavior
(Figure: internal host activity such as download and email)
A network wide view of transactions and behaviors
Context and threat containment via ISE integration
Without any business disruption
(Figure: Cisco Stealthwatch Management Console and Identity Services Engine integrated over pxGrid; mitigation)
A lot of the data, however, is encrypted
Even the malicious traffic
Cisco Encrypted Traffic Analytics (ETA)
Visibility and malware detection without decryption
Use cases: Cryptographic Compliance, Malware in Encrypted Traffic
Understanding behavior of encrypted transactions, without decrypting them
(Figure: CTA)
Power of multilayered machine learning
(Figure: network telemetry, anomaly detection, trust modeling, anomalous traffic)
Effective Segmentation
Active Segmentation
SD-Access Segmentation
Software Defined Access
Before: security policy based on topology, one VLAN per role (Voice, Data, Guest, BYOD, Quarantine) for Employee, Supplier, BYOD and Non-Compliant endpoints; high cost and complex maintenance.
With SD-Access: use the existing topology and automate security policy with tags (Employee Tag, Supplier Tag, Non-Compliant Tag) to reduce OpEx.
SDA Segmentation Overview
Segmenting with Scalable Group Tags (SGTs)
Egress Policy (Source -> Destination):
Source     | App_Serv   | Prod_Serv
Employee   | Permit All | Deny All
App_Serv   | Permit All | Deny All
Prod_Serv  | Deny All   | Permit All
(Figure: SGT classification is dynamic at campus access (802.1X, WLC, remote VPN access) through Cisco ISE, or static in the data center (hypervisor SW, firewall); traffic crosses campus access, distribution, core, the enterprise backbone, DC core and DC access to reach the production servers)
CLASSIFICATION / PROPAGATION / ENFORCEMENT
Classification: an IP-to-SGT binding, e.g. 10.1.1.1 = SGT-5
Propagation, inline: the SGT is carried inline in the data traffic. Methods include SGT over Ethernet, MACsec, LISP/VXLAN, IPsec, DMVPN and GETVPN.
Propagation, control plane: IP-to-SGT data is shared over a control protocol; there is no SGT in the data plane. Methods include IP-to-SGT exchange over SXP and pxGrid.
Enforcement: the SGT-based policy is applied at egress.
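The three stages above, simulated end to end with the egress matrix from the SDA Segmentation Overview slide. This is an added example, not Cisco code: the tag numbers other than SGT-5, the server bindings, the flows and the fail-closed default are assumptions made for the simulation.

```python
"""Classification -> propagation -> enforcement of Scalable Group Tags (SGTs),
simulated in plain Python. Added example, not Cisco code. The egress matrix
is the one on the SDA Segmentation Overview slide; the IP-to-SGT bindings,
tag numbers (other than 10.1.1.1 = SGT-5) and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional

# Classification: IP-to-SGT bindings. On real devices these come from ISE
# after 802.1X (dynamic) or from static mappings; the App_Serv/Prod_Serv
# bindings and their tag numbers are assumptions for this example.
SGT_NAMES: Dict[int, str] = {5: "Employee", 10: "App_Serv", 20: "Prod_Serv"}
BINDINGS: Dict[str, int] = {
    "10.1.1.1": 5,      # Employee, dynamic classification (from the slide)
    "10.50.0.10": 10,   # App_Serv, static classification (constructed)
    "10.60.0.10": 20,   # Prod_Serv, static classification (constructed)
}

# Enforcement: egress policy matrix from the slide, keyed (source, destination).
EGRESS_POLICY = {
    ("Employee", "App_Serv"): "permit",  ("Employee", "Prod_Serv"): "deny",
    ("App_Serv", "App_Serv"): "permit",  ("App_Serv", "Prod_Serv"): "deny",
    ("Prod_Serv", "App_Serv"): "deny",   ("Prod_Serv", "Prod_Serv"): "permit",
}


@dataclass
class Packet:
    src: str
    dst: str
    sgt: Optional[int] = None  # inline tag; set only by inline propagation


def classify_inline(pkt: Packet) -> Packet:
    """Ingress device: look up the source binding and carry the SGT inline
    (the SGT-over-Ethernet/MACsec/VXLAN/IPsec family of methods)."""
    return Packet(pkt.src, pkt.dst, BINDINGS.get(str(ip_address(pkt.src))))


def enforce(pkt: Packet, sxp_bindings: Optional[Dict[str, int]] = None) -> str:
    """Egress device: resolve the source SGT from the inline tag or, when the
    data plane carried none, from bindings learned over a control protocol
    (SXP/pxGrid); resolve the destination SGT locally; apply the matrix.
    Assumption for this example: an unresolved tag or an unlisted cell is
    denied (fail closed); a real deployment applies its configured default."""
    src_tag = pkt.sgt
    if src_tag is None and sxp_bindings is not None:
        src_tag = sxp_bindings.get(str(ip_address(pkt.src)))
    dst_tag = BINDINGS.get(str(ip_address(pkt.dst)))
    if src_tag is None or dst_tag is None:
        return "deny"
    cell = (SGT_NAMES.get(src_tag), SGT_NAMES.get(dst_tag))
    return EGRESS_POLICY.get(cell, "deny")


if __name__ == "__main__":
    inline = classify_inline(Packet("10.1.1.1", "10.60.0.10"))
    print(inline.sgt, enforce(inline))                     # 5 deny
    untagged = Packet("10.1.1.1", "10.50.0.10")            # no inline tag
    print(enforce(untagged), enforce(untagged, BINDINGS))  # deny permit
```

The untagged case shows why the control-plane path matters: without an inline tag or an SXP-learned binding the egress device cannot place the flow in the matrix at all.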
Policy and automation via Cisco DNA Center
Fabric policies defined in Cisco DNA Center (e.g. source Employees, destination Contractors, contract DENY) are downloaded via API to the fabric nodes.
From Campus to Data Center
SD Access policy domain and ACI policy domain, connected over the WAN (GETVPN, DMVPN, IPsec); confidential datacenter servers.
Model policies before enforcing them
Branch Security
Limitations with traditional WAN topology
Bad user experience
• Traffic must be backhauled to datacenters for security
• Latency in connection to cloud applications
Complex management
• Multi-cloud environments are the new normal
• Branches and device policy require manual configuration
(Figure: branch WAN edge with IoT, users, mobile devices and guests; traffic backhauled over MPLS to the data center and enterprise WAN; SaaS/IaaS and critical infrastructure reached via the Internet)
SD-WAN enables digital transformation
Faster access
• Access cloud applications directly to decrease latency
Simple management
• Manage all security and networking from a central command
• Increased visibility
(Figure: SD-WAN fabric connecting the branch WAN edge, cloud edge and data center with transport independence)
SD-WAN exposes new security challenges
Outside-in threats
• Exposed connections as traffic is no longer backhauled to the data center
• Unauthorized access
• Denial of service attacks
• Ransomware
Inside-out threats
• Threats inside the network inevitably lead to inside-out traffic to malicious infrastructures
• Malware infection
(Figure: SD-WAN fabric with branch, cloud edge, data center edge, and remote corporate software users and devices)
Point-solution security has gaps
Multi-vendor solutions
Integrated branch-to-cloud edge security
Cisco SD-WAN security architecture
Comprehensive SD-WAN security
(Figure: security applied at the branch WAN edge, cloud edge and data center edge across the SD-WAN fabric)
Outside-in security
Firewall/IPS/URL Filtering
Enterprise branch security
• Advanced security embedded
• Single console to manage routing and security
• Shortest time to threat detection powered by Talos
Inside-out security
• … traffic and protect data sent to and from the cloud
• Trusted Access: Ensure all devices accessing your network are given the right level of access
Internal Security
• … devices on your network
• Zero-trust authentication
• Full payload encryption
Centralized administration and monitoring
Benefits of Central Command
• Configure policy efficiently through automation at scale
• Manage security and networking from one console
• Ease of manageability
• Increased visibility across the network
SD-WAN Security Policy
Cisco vManage
Manage SD-WAN security and networking from one console
Summary
Effective security depends on total visibility: a network touches everything, sees everything.
An Intent based network is constantly learning, adapting, and protecting: powered by intent (Policy, Automation, Analytics), informed by context.
Questions?
Stealthwatch and ETA
• Stealthwatch and ETA Whitepaper
• ETA Deployment guide
ISE Customer Resources
http://cs.co/ise-resources
• Community: http://cs.co/ise-community
• Licensing Guide: http://cs.co/ise-licensing
• YouTube Channel: http://cs.co/ise-videos
• Compatibility Guides: http://cs.co/ise-compatibility
• Ecosystem Integration Guides: http://cs.co/ise-guides
• ACS to ISE Migration: http://cs.co/acstoise
SD-WAN Resources
• Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936
• Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering
• Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301
• Cisco Validated Design: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf
Security session road map
• BRKCRS-1449 Digital Network Architecture for securing Enterprise Networks – Krishnan Thiruvengadam – Tuesday 2:15PM-3:45PM
• BRKSEC-2721 Zero-Trust Model: A Model for More Efficient Security – Aaron Woland – Wednesday 4:30PM-6:00PM
• BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through – Darrin Miller – Friday 8:00AM-9:30AM
• BRKSEC-2720 Cisco SDWAN Security – Poonguzhali Sankar – Friday 8:00PM – 9:30PM
• BRKSEC-3432 Advanced ISE – Architect, Design and Scale ISE for your production networks – Jason Kunst – Thursday 08:30-10:30
• BRKSEC-3383 ISE Troubleshooting – Shrikant Sundaresh – Friday 9:40AM-11:10AM
• BRKSEC-2203 Segmentation in SD-Access and Beyond – Kevin Regan – Wednesday 12:50PM-2:20PM
• BRKCRS-1560 Are Your Endpoints/IOT Assets Safe? – Krishnan Thiruvengadam – Wednesday 2:30PM-4:00PM
• BRKSEC-2725 Detect Threats in encrypted traffic without decryption, Using Network based Security Analytics – Saravanan Radhakrishnan – Thursday 4:30PM-6:00PM
Continue your education
• Demos in the World of Solutions
• Walk-in self-paced labs
• Meet the expert 1:1 meeting
• Related sessions
Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/
Thank you
#CLMEL