
#CLMEL

Digital Network Architecture for Securing Enterprise Networks

Krishnan Thiruvengadam
Technical Marketing Engineer, Enterprise Policy and Access
BRKCRS-1449

Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKCRS-1449

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Abstract
For most businesses today, the role of IT is more demanding than ever before. The explosion of connected devices and the digitization of systems and services are creating new challenges for IT departments the world over. The convergence of IT megatrends such as mobility, big data, the Internet of Things (IoT), and cloud is connecting more people, processes, data, and things at a faster pace. In this environment, conventional security practices are ineffective; we need new ways to protect in the digital era.
In this introductory session, you will learn how Cisco's Digital Network Architecture (DNA) enables 'Security Everywhere': how to leverage network telemetry to identify, isolate, and counter cyber-threats quickly, and how various Cisco security solutions drive value out of the network infrastructure with consistent policy and user experience. You will also learn how to secure hundreds of branch offices with the same principles of network visibility and enforcement, managed via a centralized user experience.

Visibility story today
Network with only perimeter visibility
(Figure: campus subnets 10.51.51.0/24, 10.51.52.0/24, 10.51.53.0/24 and assorted hosts behind a perimeter device facing the Internet)
• Many devices in your network without visibility
• Visibility available only for traffic transiting through the perimeter
What is needed?
Enabling visibility inside the network
(Figure: the same campus, with hosts identified by raw IP addresses only)
• Cryptic network addresses that may change constantly
• Difficult to manage policy without any context
Even better
Context based visibility and control
(Figure: network fabric with Employee, Contractor, Supplier Server, Shared Server, Internet and a Quarantine / High Risk segment; allowed and denied traffic shown per group)
• Clear understanding of traffic flow with context
• Easier to create & apply policy based on such context
Effective security depends on total visibility
• KNOW every host
• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• Respond to THREATS quickly
(Figure: HQ, Branch, Data Center, Cloud, Users, Roaming Users and Admin all attached to the network)
A network touches everything, sees everything.
An intent-based network is constantly learning, adapting, and protecting.

Cisco DNA Center: Policy, Automation, Analytics. Powered by intent. Informed by context.
Intent-based network infrastructure: Switching, Routers, Wireless
Agenda
• Securing Access
• Behavior Analysis
• Effective Segmentation
• Securing Branch Offices
• Summary

Disclaimer
BRKCRS-1449 = Introductory session
FOR YOUR REFERENCE = Hidden slide / quick glance
SECURING ACCESS
Keep the good ones in and the bad ones out
What do we need to protect access?
Granular visibility into endpoints

Poor context awareness (without identity) vs. rich context awareness (with identity):
  WHO:    Unknown → Bob (Employee)
  WHAT:   Unknown → Apple iPad / iOS 11.0.1
  WHEN:   Unknown → 10:30 AM PST
  WHERE:  Unknown → Floor-1, San Jose, Building 19
  HOW:    Unknown → Wireless
  APPS:   Unknown → Firefox, MS Word, AnyConnect
  SPEC:   Unknown → Serial number, CPU, memory
  RESULT: only an IP address (192.168.2.101) and access for any device/user → authorized network access
Protect access with Cisco ISE
Cisco Identity Services Engine (ISE) is an industry leading Network Access Control and Policy Enforcement platform.
• Visibility: context about everything touching the network (WHO, WHAT, WHEN, WHERE, HOW, HEALTH, THREATS, CVSS)
• Control: network access control and segmentation
• Compliance: helps enterprises comply with industry regulations
Access policy for endpoints (wired, wireless, VPN) and for the network.
Partner ecosystem via pxGrid & APIs: SIEM, MDM, NBA, IPS, IPAM, etc.
Role-based Access Control | Guest Access | BYOD | Secure Access
Security starts with visibility

ISE can tell you what device it is
An intelligent network shares endpoint telemetry with ISE
• Endpoints send interesting data that reveal their device identity.
• Device Sensor (DS) on IOS and AireOS collects that data and forwards it to Cisco ISE.
• ACIDex: AnyConnect Identity Extensions.
• Feed Service (online/offline).
Building user context with ISE
• Passive Identity: IP-to-user mapping obtained via passive means such as AD WMI events, AD agents, syslog, SPAN sessions and more (e.g. DOMAIN\Jim logs in to AD; ISE learns "Jim logged in" and the IP-to-user mapping).
• Active Identity: IP-to-user mapping obtained via active interaction between ISE and the client via 802.1X, web authentication, remote access VPN, etc. (e.g. Alice authenticates; ISE asks AD "Alice?" and gets "Yes").
Context Visibility into Users and Groups

Visibility into Endpoint Applications and process
Cisco AnyConnect 4.4+ with 'Posture' module
Identity based secure access
(Figure: Employee and Contractor authenticate to network access with certificates / passwords; protected servers, shared services and the public network sit behind it)
AUTHENTICATION: Who are you?
AUTHORIZATION: What can you do?
Authorization options
Beyond RADIUS 'ACCESS-ACCEPT' / 'ACCESS-REJECT'
• DACL or Named ACL: Downloadable ACL (wired) or Named ACL (wired + wireless). Example: Employee gets "permit ip any any"; Contractor gets "deny ip host <critical>" followed by "permit ip any any".
• VLANs: dynamic VLAN assignment, e.g. Remediation, Guest (VLAN 4), Employees (VLAN 3).
• Security Group Tags (Cisco SD-Access): 16-bit SGT assignment and SGT-based access control, per port / per domain / per MAC.
BEHAVIORAL ANALYSIS
Inspecting and analyzing activity after letting endpoints in
The network is a valuable data source
Know more with less using Flexible NetFlow
What it provides:
• A trace of every conversation in your network
• Collection of records all across the network (routers, switches, firewalls)
• Network usage metrics
• Ability to view north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Hints toward indications of compromise (IOC)
• Security group information

Example flow record (10.1.8.3 talking to 172.168.134.2 through a switch and a router toward the Internet):
  SOURCE ADDRESS        10.1.8.3
  DESTINATION ADDRESS   172.168.134.2
  SOURCE PORT           47321
  DESTINATION PORT      443
  INTERFACE             Gi0/0/0
  IP TOS                0x00
  IP PROTOCOL           6
  NEXT HOP              172.168.25.1
  TCP FLAGS             0x1A
  SOURCE SGT            100
  APPLICATION NAME      NBAR SECURE-HTTP
  (further fields elided on the slide)
Security analytics with Cisco Stealthwatch Enterprise
• Global threat intelligence (powered by Talos): intelligence on global threat campaigns mapped to local alarms for faster mitigation
• Multilayered machine learning: combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Data collection: rich telemetry from the existing network infrastructure
• Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies
• Encrypted Traffic Analytics: malware detection without any decryption using enhanced telemetry from the new Cisco devices
Conversational Flow
As seen in Stealthwatch Enterprise: both sides of a conversation (e.g. 10.201.3.146 port 20765 on eth0/1 to 108.160.160.160 port 80 on eth0/2) are presented as a single flow answering HOW, WHAT, WHERE, WHEN and WHO.
• Highly scalable (enterprise class) collection
• High compression → long-term storage
• Months of data retention
Deeper context with lighter data
• URL information: NBAR (Network Based Application Recognition)
• Endpoint process details: AnyConnect with Network Visibility Module
Analyzing behavior
(Figure: an internal host's activity toward the internal network, a mail server and a C&C server, annotated Download, Email, Port Scan, User Auth, Bulk upload, Firmware)
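The Flexible NetFlow slide lists what a flow record carries, and the behavior slide above names two of the things an analyst hunts for in those records: a port scan and a bulk upload. The Python below is an added example, not code from the session or from Stealthwatch. It builds a few constructed flow records with the fields shown on the Flexible NetFlow slide (the first three reuse the slide's addresses), runs the two detections over them, and rolls bytes up per source SGT. The RFC 1918 definition of "internal", the thresholds, the scanner and uploader addresses, and the tag values are assumptions for the example; a real analytics engine baselines each host rather than applying fixed thresholds.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """Subset of a Flexible NetFlow record, fields named as on the slide."""
    src: str
    sport: int
    dst: str
    dport: int
    protocol: int    # 6 = TCP, 17 = UDP
    tcp_flags: int   # cumulative OR of TCP flags seen in the flow
    octets: int      # bytes sent in this (unidirectional) flow
    src_sgt: int     # Security Group Tag collected with the flow


# Constructed sample telemetry (not real capture data): two ordinary HTTPS
# conversations, one host sending bare SYNs to 25 consecutive ports on a
# server, and one host pushing about 480 MB to an external address.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.8.3", 47321, "172.168.134.2", 443, 6, 0x1A, 9_200, 100),
    Flow("10.1.8.3", 47322, "172.168.134.2", 443, 6, 0x1A, 7_800, 100),
    Flow("10.201.3.146", 20765, "108.160.160.160", 80, 6, 0x1A, 2_100, 100),
] + [
    Flow("10.1.8.50", 40000 + p, "10.1.10.7", p, 6, 0x02, 60, 100)
    for p in range(20, 45)
] + [
    Flow("10.1.8.77", 51000, "203.0.113.9", 443, 6, 0x18, 480_000_000, 5),
]

# Assumed address plan: RFC 1918 space is "inside"; adjust to your own.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the internal prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_port_scans(flows: List[Flow], min_ports: int = 20) -> Dict[Tuple[str, str], int]:
    """(src, dst) pairs where one source touched at least min_ports distinct
    destination ports on one host, mapped to the number of ports touched."""
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_bulk_uploads(flows: List[Flow], min_octets: int = 100_000_000) -> Dict[Tuple[str, str], int]:
    """Internal-to-external (src, dst) pairs whose summed bytes reach min_octets.
    NetFlow records are unidirectional, so summing only flows whose source is
    internal measures the upload direction alone."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.octets
    return {pair: n for pair, n in totals.items() if n >= min_octets}


def octets_by_sgt(flows: List[Flow]) -> Dict[int, int]:
    """Bytes per source SGT: the 'security group information' the slide lists,
    which tells you which group generated the suspect traffic."""
    totals: Dict[int, int] = defaultdict(int)
    for f in flows:
        totals[f.src_sgt] += f.octets
    return dict(totals)


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_FLOWS))
    print("bulk uploads:", detect_bulk_uploads(SAMPLE_FLOWS))
    print("bytes by SGT:", octets_by_sgt(SAMPLE_FLOWS))
```

Two details matter when you run this over real exports: the scan check keys on (source, destination) so a host legitimately talking to many ports across many servers does not trip it, and the upload check relies on the record's direction, so a collector that stitches both directions into one conversation (as the Stealthwatch slide describes) must be read with the client/server byte counters kept separate.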
A network wide view of transactions and behaviors

Context and threat containment via ISE integration
Without any business disruption
• Context: information from ISE is shared with other network and security products via pxGrid
• Mitigation: the Stealthwatch Management Console quarantines or unquarantines an infected host through ISE
A lot of the data, however, is encrypted, even the malicious traffic
Cisco Encrypted Traffic Analytics (ETA)
Visibility and malware detection without decryption
• Cryptographic compliance
• Malware in encrypted traffic
Understanding behavior of encrypted transactions, without decrypting them
  Feature   Benign traffic                      Malware traffic (e.g. Bestafera)
  TCP/IP    Prevalent address                   Watchlist address
  DNS       cisco.com                           c15c0.com, afb32d75.com
  TLS       Typical fingerprint, typical cert   Unusual fingerprint, unusual cert, self-signed certificate
  SPLT      Google search traffic               C2 message, data exfiltration
SPLT: Sequence of Packet Lengths and Times
The "system" for ETA
Enhanced NetFlow from Cisco's newest switches, routers & wireless, analyzed by Stealthwatch together with CTA (Cognitive Threat Analytics)
Power of multilayered machine learning
Increase fidelity of detection using best-in-class security analytics
Network telemetry
 → Anomaly detection → Anomalous traffic
 → Event classification → Malicious events
 → Entity modeling → Incidents
 → Relationship modeling → Confirmed incidents
 → Prioritized high fidelity incidents
Supporting inputs: Global Risk Map, Trust modeling
EFFECTIVE SEGMENTATION
Active segmentation: group based access control and threat containment
SD-Access Segmentation
Software Defined Access

Traditional segmentation:
• Security policy based on topology: static ACLs on the DC firewall / switch, VACLs at the aggregation layer, VLANs and DHCP scopes at the access layer
• Each group (Non-Compliant, Voice, Employee, Supplier, BYOD) needs its own VLAN (Quarantine, Voice, Data, Guest, BYOD)
• High cost and complex maintenance

SDA segmentation:
• Micro/macro segmentation with central policy provisioning from ISE
• No topology change, no VLAN change: the same groups are carried as tags (Employee Tag, Supplier Tag, Non-Compliant Tag)
• Use existing topology and automate security policy to reduce OpEx
SDA Segmentation Overview
Segmenting with Scalable Group Tags (SGTs)

Egress policy (source → destination):
             App_Serv     Prod_Serv
  Employee   Permit All   Deny All
  App_Serv   Permit All   Deny All
  Prod_Serv  Deny All     Permit All

(Figure: Employees on the wireless network and remote VPN users carry SGT 5; application servers behind the DC firewall / DC switch carry SGT 7; production servers carry SGT 8; Cisco ISE holds the policy)
Three steps: Classification, Propagation, Enforcement
Classification
• Dynamic classification: 802.1X at the campus access layer (and the WLC for wireless)
• Static classification: L3 interface (SVI) to SGT, L2 port to SGT, VLAN to SGT, subnet to SGT, VM (port profile) to SGT on the hypervisor switch
(Figure: campus access, distribution and core; enterprise backbone; DC core, DC access, firewall, hypervisor switch)
Propagation
Two ways to propagate:
• Data plane propagation: the SGT is carried inline in the data traffic (SW1 tags 10.1.1.1 as SGT 5/Employees; R1 and SW2 read the tag from the frame on the way to 10.20.20.1, SGT 7/WebServers). Methods include SGT over Ethernet, MACsec, LISP/VXLAN, IPsec, DMVPN, GETVPN.
• Control plane propagation: IP-to-SGT data is shared over a control protocol and there is no SGT in the data plane (SW2 learns "10.1.1.1 = SGT-5" from the binding table). Methods include IP-to-SGT exchange over SXP and pxGrid.
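Putting the three steps together, as an added example that is not Cisco's code or the ISE/TrustSec implementation: the Python below keeps an IP-to-SGT binding table of the kind an SXP listener holds, classifies an address by longest prefix, exposes the table as an SXP speaker would advertise it, and enforces the egress matrix from the SDA Segmentation Overview slide. The tag numbers 5/7/8 and the addresses 10.1.1.1 and 10.20.20.1 come from the slides; the prefixes, the extra /32 host binding, the group names as dictionary keys, and the fail-closed default for unknown tags are assumptions for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Tag numbers from the slide figure, group names from its egress matrix.
EMPLOYEES, APP_SERV, PROD_SERV = 5, 7, 8
SGT_NAMES = {EMPLOYEES: "Employees", APP_SERV: "App_Serv", PROD_SERV: "Prod_Serv"}

# Classification: IP-to-SGT bindings as a table. In a fabric these come from
# 802.1X (dynamic) or subnet/port/VLAN mappings (static). The prefixes here are
# assumed for the example; 10.1.1.1 and 10.20.20.1 are the propagation slide's hosts.
BINDINGS: List[Tuple] = [
    (ip_network("10.1.0.0/16"), EMPLOYEES),      # assumed campus user space
    (ip_network("10.20.20.0/24"), APP_SERV),     # assumed application servers
    (ip_network("10.30.30.0/24"), PROD_SERV),    # assumed production servers
    (ip_network("10.30.30.250/32"), APP_SERV),   # assumed: one app host inside the prod range
]

# Enforcement: egress matrix copied from the slide, (source, destination) -> permit?
EGRESS_POLICY: Dict[Tuple[int, int], bool] = {
    (EMPLOYEES, APP_SERV): True,  (EMPLOYEES, PROD_SERV): False,
    (APP_SERV, APP_SERV): True,   (APP_SERV, PROD_SERV): False,
    (PROD_SERV, APP_SERV): False, (PROD_SERV, PROD_SERV): True,
}


def classify(ip: str, bindings=BINDINGS) -> Optional[int]:
    """Longest-prefix lookup in the binding table, so a /32 host binding
    overrides the subnet it sits in. None means the address has no tag."""
    addr = ip_address(ip)
    best: Optional[Tuple] = None
    for net, sgt in bindings:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return None if best is None else best[1]


def sxp_export(bindings=BINDINGS) -> List[Tuple[str, int]]:
    """Propagation (control plane): the (prefix, SGT) pairs an SXP speaker sends
    a listener, so an enforcement point that never saw an inline tag can still
    resolve source and destination SGTs from the IP header."""
    return [(str(net), sgt) for net, sgt in bindings]


def enforce(src_ip: str, dst_ip: str, default_permit: bool = False) -> bool:
    """Egress decision: resolve both tags, then look up the matrix cell.
    Anything the matrix does not cover, including an unknown tag, falls to
    default_permit; it is False here so the policy fails closed (an assumption
    for the example, not the platform's fixed behaviour)."""
    src_sgt, dst_sgt = classify(src_ip), classify(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return default_permit
    return EGRESS_POLICY.get((src_sgt, dst_sgt), default_permit)


def explain(src_ip: str, dst_ip: str) -> str:
    """Human-readable trace of one decision, handy when reviewing a policy."""
    def name(tag: Optional[int]) -> str:
        return SGT_NAMES.get(tag, "unknown")
    src, dst = classify(src_ip), classify(dst_ip)
    verdict = "permit" if enforce(src_ip, dst_ip) else "deny"
    return f"{src_ip} ({name(src)}, SGT {src}) -> {dst_ip} ({name(dst)}, SGT {dst}): {verdict}"


if __name__ == "__main__":
    for pair in [("10.1.1.1", "10.20.20.1"), ("10.1.1.1", "10.30.30.1"),
                 ("10.30.30.250", "10.30.30.1"), ("192.0.2.1", "10.20.20.1")]:
        print(explain(*pair))
```

With data plane propagation the source tag would be read from the frame instead of looked up, but the enforcement logic is the same: the decision depends only on the two tags, which is what lets the policy survive a change of subnet or VLAN. The /32 case is worth keeping in any test set you write for a real deployment, because a host binding that shadows its subnet is the usual way an exception creeps into the matrix.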
Enforcement
Segmentation policy on ISE
Click and deploy
Push and deploy group based policies consistently across switching, wireless and routing infrastructure: Catalyst switches, Nexus switches, virtual switches, industrial switches, wireless access points, routing platforms.
Policy and automation via Cisco DNA Center
Fabric policies are authored in Cisco DNA Center as contracts between scalable groups (e.g. Source: Employees, Destination: Contractors, Contract: DENY), pushed to Cisco ISE via API, and downloaded from ISE to the fabric nodes.
(Groups shown: Employees, Production, Contractors, Development)
From Campus to Data Center
SD-Access policy domain (Cisco DNA Center and Cisco ISE, Scalable Groups) alongside the ACI policy domain (Cisco APIC-DC, End Point Groups):
• ISE creates matching SGTs for EPGs
• ISE exchanges IP-SGT/EPG 'name bindings' and IP-ClassId, VNI bindings with APIC
Path: User → Switch (SGT classification) → Router → WAN (SGT over IPsec / DMVPN / GETVPN / SXP) → Router → Firewall → ASR 1K → Nexus 9000 spine/leaf → Servers
ACI: Application Centric Infrastructure
Monitoring segmentation policies with Stealthwatch
• Identify every asset on the network
• Set policies based on hosts as well as applications
• Model policies before enforcing them
• Get alerts upon policy violations
(Host groups shown: Employee Desktops, VPN Users, Confidential Datacenter Servers, Branch Office, Guest Wireless)
SECURING BRANCH OFFICES
Limitations with traditional WAN topology
(Figure: a branch with corporate users, devices, IoT, guests and mobile devices; traffic backhauled over MPLS to the data center edge before reaching SaaS/IaaS)
Bad user experience
• Traffic must be backhauled to datacenters for security
• Latency in connection to cloud applications
Expensive to deploy
• New devices and clouds require new configurations
• Deployment is not centrally managed
Complex management
• Multi-cloud environments are the new normal
• Branches and device policy require manual configuration
SD-WAN enables digital transformation
(Figure: the same branch on an SD-WAN fabric with transport independence, a cloud edge toward SaaS/IaaS and a data center edge)
Faster access
• Access cloud applications directly to decrease latency
Ease of deployment
• Configure new devices and policies at scale
• Turnkey solution
• Zero touch deployment
Simple management
• Manage all security and networking from a central command
• Increased visibility
SD-WAN exposes new security challenges
Outside-in threats
• Exposed connections as traffic is no longer backhauled to the data center
• Unauthorized access
• Denial of service attacks
• Ransomware
Inside-out threats
• Threats inside the network inevitably lead to inside-out traffic to malicious infrastructures
• Malware infection
• Command & control
• Phishing attacks
• Insider threat
Point-solution security has gaps
Multi-vendor solutions (cloud security, firewall/IPS and UTM spread across data center and branch):
Backhaul traffic
• Pro: Security is simple
• Con: Poor user experience
Secure Web Gateway
• Pro: Improves user experience
• Con: Lack of traffic filtering
Edge router with security
• Pro: Better performance
• Con: Lack of advanced security
Integrated branch-to-cloud edge security
Cisco SD-WAN security architecture
• Secure Internet gateway: secure access to the Internet and multicloud applications with threat protection over all ports
• Software-defined WAN: secure elastic connectivity and dynamic segmentation for and by the cloud with application performance assurance
• Edge firewall flexibility: next-gen or enterprise firewall options to secure onsite services and devices and for compliance
• Trusted Access: give secure access to all applications based on the trustworthiness of users and devices
Comprehensive SD-WAN security
(Figure: branch, SD-WAN fabric, cloud edge and data center edge; the following slides overlay each protection on this picture)
Outside-in security
Firewall / IPS / URL filtering at the WAN edge
Enterprise branch security
• Advanced security embedded
• Single console to manage routing and security
• Shortest time to threat detection powered by Talos
Inside-out security
Umbrella &
Application and workload protection
• Secure Internet Gateway: filter traffic and protect data sent to and from the cloud
• Trusted Access: ensure all devices accessing your network are given the right level of access
Internal Security
Cisco SD-WAN
Secure internal traffic
• Segment traffic, users and devices on your network
• Zero-trust authentication
• Full payload encryption
Centralized administration and monitoring
Central command across regions (NA, APJ) for Corporate HQ, Data Center, IaaS & SaaS, Remote User and Branch
Benefits
• Configure policy efficiently through automation at scale
• Manage security and networking from one console
• Ease of manageability
• Increased visibility across the network
Key: WAN device, integrated security, global policy, location policy, connection policy, SD-WAN fabric
SD-WAN Security Policy

Cisco vManage
Manage SD-WAN security and networking from one console: Firewall Monitoring, IPS Monitoring, URL Filtering Monitoring

Consistent security policies for hundreds of sites
Summary
Effective security depends on total visibility: know every host, see every conversation, understand what is normal, be alerted to change, and respond to threats quickly. A network touches everything and sees everything; an intent-based network is constantly learning, adapting, and protecting. Cisco DNA Center (policy, automation, analytics; powered by intent, informed by context) runs on an intent-based network infrastructure of switching, routers and wireless.
Questions?

Stealthwatch and ETA
• Stealthwatch and ETA Whitepaper
• ETA Deployment guide

Past Cisco Live sessions:
• BRKCRS-1560 – Detect Threats in Encrypted Traffic without Decryption – Kural Arangasamy
• BRKSEC-3014 – Security Analytics with Stealthwatch: https://clnv.s3.amazonaws.com/2018/anz/pdf/BRKSEC-3014.pdf
• BRKSEC-2809 – Applied Advanced Network Telemetry: ETA and Beyond: https://clnv.s3.amazonaws.com/2018/eur/pdf/BRKSEC-2809.pdf
ISE Customer Resources
http://cs.co/ise-resources

Community: http://cs.co/ise-community
Licensing Guide: http://cs.co/ise-licensing
YouTube Channel: http://cs.co/ise-videos
Compatibility Guides: http://cs.co/ise-compatibility
Ecosystem Integration Guides: http://cs.co/ise-guides
ACS to ISE Migration: http://cs.co/acstoise

ISE Betas: http://cisco.com/go/ccp > Security

SD-WAN Resources
• Deployment Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-deployment-guide/ta-p/3709936
• Configuration Guide: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/05Security/Configuring_the_18.4_Security_Virtual_Image_for_IPS%2F%2FIDS_and_URL_Filtering
• Troubleshooting Guide: https://community.cisco.com/t5/networking-documents/sd-wan-security-troubleshooting-guide/ta-p/3735301
• Cisco Validated Design: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf
• Release Notes for both 16.10.1 and 18.4: https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Release_Notes/010Release_Notes_for_IOS_XE_SD-WAN_Release_16.10_and_SD-WAN_Release_18.4
• Cisco Live Session: https://clnv.s3.amazonaws.com/2019/eur/pdf/BRKCRS-2114.pdf
• SD-WAN FAQ: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/sd-wan/nb-06-sd-wan-secur-faq-cte-en.pdf
Security session road map
Tuesday
• BRKCRS-1449 Digital Network Architecture for securing Enterprise Networks – Krishnan Thiruvengadam – Tuesday 2:15PM-3:45PM
Wednesday
• BRKSEC-2203 Segmentation in SD-Access and Beyond – Kevin Regan – Wednesday 12:50PM-2:20PM
• BRKSEC-2725 Are Your Endpoints/IOT Assets Safe? – Krishnan Thiruvengadam – Wednesday 2:30PM-4:00PM
• BRKSEC-2721 Zero-Trust Model: A Model for More Efficient Security – Aaron Woland – Wednesday 4:30PM-6:00PM
Thursday
• BRKSEC-3432 Advanced ISE – Architect, Design and Scale ISE for your production networks – Jason Kunst – Thursday 08:30-10:30
• BRKCRS-1560 Detect Threats in encrypted traffic without decryption, Using Network based Security Analytics – Saravanan Radhakrishnan – Thursday 4:30PM-6:00PM
Friday
• BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through – Darrin Miller – Friday 8:00AM-9:30AM
• BRKSEC-2720 Cisco SDWAN Security – Poonguzhali Sankar – Friday 8:00PM – 9:30PM
• BRKSEC-3383 ISE Troubleshooting – Shrikant Sundaresh – Friday 9:40AM-11:10AM
Continue your education
• Demos in the World of Solutions
• Walk-in self-paced labs
• Meet the expert 1:1 meeting
• Related sessions
Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don't forget: Cisco Live sessions will be available for viewing on demand after the event at https://ciscolive.cisco.com/on-demand-library/

Thank you