
Digital Network Architecture for Securing Enterprise Networks
Jerome Dolphin, Systems Engineer
CCIE#17805, CCDE#2013::3
jedolphi@cisco.com
BRKCRS-1449
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Abstract
There are two approaches to network security: one is an overlay security architecture, which most of the ‘security only’ companies tend to believe in, and the other is a comprehensive, network-enabled approach to cybersecurity, which we at Cisco believe in.
In this introductory session you will learn why enterprise security has to be multilayered, and how Cisco’s network enables you to do ‘Security Everywhere’. During the course of the session you will learn how to quickly identify, isolate, and counter cyber-threats through network visibility and enforcement with Cisco Stealthwatch, Cognitive Threat Analytics, Identity Services Engine and TrustSec. You will also learn how integrated security solutions such as Cisco Advanced Malware Protection implement effective threat defence for the enterprise branch.

Before We Start

BRKCRS-1449 = Introductory session

FOR YOUR REFERENCE = Hidden Slide / Quick glance

“More on <topic>” slide = Other sessions, links for more details

And, Please Fill Out the Survey

Cisco Digital Network Architecture

Layers of the architecture (figure reconstructed as a list):
• Network-enabled Applications
• Cloud Service Management: Policy | Orchestration; Open APIs | Developers Environment
• Insights and Experiences
• Automation and Analytics
• Principles: Abstraction and Policy Control from Core to Edge; Network Data, Contextual Insights and Assurance; Security and Compliance; Open and Programmable | Standards-Based; Virtualisation
• Physical and Virtual Infrastructure | App Hosting
• Cloud-enabled | Software-delivered
2017 Cisco Annual Cybersecurity Report

Four findings highlighted:
• Expanding attack surface
• Multi-stage, multi-vector threats
• Defenders under-resourced
• Flooded with products
https://www.cisco.com/c/m/en_au/products/security/offers/annual-cybersecurity-report-2017.html
Security is Fundamentally…
Visibility and Control
Context Based Visibility and Control

Diagram (reconstructed): a network fabric connecting an Employee, a Supplier, a Server, a Shared Server, the Internet and a Quarantine / High Risk Segment, with allowed traffic and denied traffic drawn between them.

• Clear understanding of traffic flow with context
• Easier to create & apply policy based on such context
For Example…

An Internet-connected coffee machine:
https://www.reddit.com/r/talesfromtechsupport/comments/6ovy0h/how_the_coffeemachine_took_down_a_factories/
Policy and Access

Agenda: Start → Policy and Access → Segmentation → Behavioural Analysis → Advanced Malware Protection → Rapid Threat Containment → Conclusion
Cisco ISE and AnyConnect

Cisco ISE builds context: WHO, WHAT, WHEN, WHERE, HOW, HEALTH, THREATS, CVSS.
Context is exchanged over pxGrid & APIs with a partner ecosystem: SIEM, MDM, NBA, IPS, IPAM, etc.
Access policy is applied for endpoints (wired, wireless, VPN) and for the network.
Role-based Access Control | Guest Access | BYOD | Secure Access
A Cisco Network Enables Device Profiling

ISE data collection methods for device profiling:
• Active probes: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP, AD
• Device Sensor (DS) on IOS and AireOS: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS
• AnyConnect Identity Extensions (ACIDex)
Endpoints send interesting data that reveal their device identity; the Device Sensor, ACIDex and the active probes forward it to Cisco ISE, complemented by the profiler Feed Service (Online/Offline).
Active and Passive Methods to Build ‘User’ Context

Passive Identity (Jim):
1. DOMAIN\Jim logs in (AD login)
2. AD reports “Jim logged in” to Cisco ISE
3. ISE records the IP-to-user mapping for Jim
IP-to-user mapping obtained via passive means like AD WMI events, AD agents, Syslog, SPAN sessions and more.

Active Identity (Alice):
1. Alice authenticates to the network
2. Cisco ISE asks AD: Alice? AD answers: Yes
3. ISE records the IP-to-user mapping for Alice
IP-to-user mapping obtained via active interaction between ISE and the client via 802.1X, Web authentication, Remote access VPN, etc.
Visibility into Users and Groups

Visibility into Endpoint Applications

Cisco AnyConnect 4.4 reports to Cisco ISE: Who, What, When, Where, How (Wired / WLAN / VPN access), Posture, Threat, Vulnerability, Application.
ISE Also Checks Endpoint Health
Posture defines the state of compliance with the company’s security policy.

Posture flow:
1. AUTHENTICATE USER/DEVICE: posture Unknown / Non-Compliant?
2. QUARANTINE: limited access via VLAN / dACL / SGTs
3. POSTURE ASSESSMENT: check hotfix, AV, pin lock, jailbroken, etc.
4. REMEDIATION: WSUS, launch app, scripts, MDM, etc.
5. AUTHORISATION CHANGE: full access via VLAN / dACL / SGTs

Platform integrations: anti-virus vendors, Qualys, Microsoft SCCM, Mobile Device Management (MDM) service.
Authorisation – Control Access

3 major authorisation options for ‘access control’:

1. DACL / Named / URL ACL: Downloadable ACL (wired) or Named ACL / URL ACL (wireless). Example entries:
   permit ip any any
   deny ip host <protected>
   permit ip any any
2. VLANs: dynamic VLAN assignments (per-MAC VLANs). Example: Guest VLAN 4, Contractor VLAN 3, Employees.
3. Scalable Group Tags (Cisco TrustSec): 16-bit SGT assignment per port / per domain / per MAC, and SGT-based access control. Example groups: Remediation, Employee.
Sharing Context
Sharing is securing.

Enhance context (for access policy): threat, vulnerability index, MDM attributes, etc.
Cisco ISE context (Who, What, When, Where, How, Posture, Threat, Vulnerability) is shared via SYSLOG, pxGrid and REST API with ecosystem partners: Vulnerability Management, NGFW Firewall, IDS/IPS, Web Security, Log Management, Cloud Service, IPAM.
Contextual actions: identity-based firewall policies, vulnerability-based cloud access, user / group based behavioural analysis, etc.
More on Cisco ISE
FOR YOUR REFERENCE

• Cisco Live break out sessions
  • BRKCOC-2015 Inside Cisco IT: How Cisco Deployed ISE and TrustSec, Globally
  • BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec
  • BRKSEC-2774 Advanced Security Integration, Tips & Tricks
  • BRKSEC-3699 Designing ISE for Scale & High Availability
• Online content
  • http://www.cisco.com/go/ise
  • https://www.youtube.com/c/ciscoisenetworksecurity
Segmentation
Traditional Segmentation is Operationally Heavy

[Figure: a wall of access-list 102 entries, one per source/destination pair, illustrating IP-based enforcement.]

Enforcement: IP-based policies (ACLs, firewall rules) applied to applications and the enterprise backbone.
Propagation: carry segment context over the network through VLAN tags / IP address / VRF, across the access layer, aggregation layer and backbone.
Classification: static / dynamic VLAN assignments (Non-Compliant → Quarantine VLAN, Voice → Voice VLAN, Employee → Data VLAN, Supplier → Guest VLAN, BYOD → BYOD VLAN).
Each segment needs its own static ACL, VACL, routing, redundancy, DHCP scope, address and VLAN maintenance.

Limitations of traditional segmentation:
• Security policy based on topology
• High cost and complex maintenance
Introducing Cisco TrustSec

Egress policy matrix (source → destination):
  Source       App_Serv     Prod_Serv
  Employee     Permit All   Deny All
  App_Serv     Permit All   Deny All
  Prod_Serv    Deny All     Permit All

Diagram (reconstructed): ISE and the Directory classify Employees (remote access, wireless network) as SGT 5; traffic crosses switches, routers, the DC firewall and DC switch to Application Servers (SGT 7) and Production Servers (SGT 8).

Classification → Propagation → Enforcement
CLASSIFICATION PROPAGATION ENFORCEMENT

Classification

Dynamic classification (e.g. MAB at the campus access, WLC for wireless) assigns the SGT when the endpoint is authorised.
Static classification maps infrastructure to SGTs:
• L3 interface (SVI) to SGT
• L2 port to SGT
• VLAN to SGT
• Subnet to SGT
• VM (port profile) to SGT on the hypervisor switch
Applies across campus access, distribution and core, the enterprise backbone, DC core, DC access and the firewall.
CLASSIFICATION PROPAGATION ENFORCEMENT

Propagation
IETF drafts: http://tinyurl.com/sgt-draft, http://tinyurl.com/sxp-draft

Inline methods:
• Ethernet inline tagging (EtherType 0x8909): 16-bit SGT encapsulated within the Cisco Meta Data (CMD) payload.
• IPsec / L3 crypto: Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.
• LISP: SGT (16 bit) inserted in the Nonce field (24 bit).

SGT Exchange Protocol (SXP):
• IP-to-SGT binding exchange over 64999/TCP
• Cisco ISE can be an SXP speaker / listener
• Diagram (reconstructed): switches act as SXP speakers and send bindings such as SGT 6 → 10.4.9.5 and SGT 5 → 10.0.1.2 to listeners (routers as SXP aggregation, a firewall), which then carry the tag inline over Ethernet or IPsec.
CLASSIFICATION PROPAGATION ENFORCEMENT

TrustSec Enforcement Policy
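The three stages above (classification by identity and posture, IP-to-SGT bindings as SXP propagates them, and the egress matrix from the Introducing Cisco TrustSec slide) worked through as an added Python example; this is not Cisco or ISE code. SGT values 5/7/8 come from the slide; the Quarantine tag value, the posture-to-SGT rule, the default deny for unlisted pairs and the sample addresses are assumptions.

```python
import ipaddress

# SGT numbers 5/7/8 follow the 'Introducing Cisco TrustSec' slide; the
# Quarantine tag value is an assumption made for this example.
SGT = {"Employee": 5, "App_Serv": 7, "Prod_Serv": 8, "Quarantine": 999}
NAME = {v: k for k, v in SGT.items()}

# Egress policy matrix from the slide: (source SGT, destination SGT) -> action.
# Pairs not in the matrix fall through to a default deny, the safe choice for
# a segmentation policy (a Quarantine source therefore reaches nothing).
POLICY = {
    (5, 7): "permit", (5, 8): "deny",
    (7, 7): "permit", (7, 8): "deny",
    (8, 7): "deny",   (8, 8): "permit",
}
DEFAULT_ACTION = "deny"


def classify_session(role, posture):
    """Dynamic classification: ISE authorises a session to an SGT. A posture
    other than Compliant gets the Quarantine tag (assumed rule) until
    remediation and a CoA re-authorisation move it to its normal group."""
    if posture != "Compliant":
        return SGT["Quarantine"]
    return SGT[role]


class BindingTable:
    """IP-to-SGT bindings as a switch or firewall holds them, whether learnt
    locally at authorisation time or received from an SXP speaker."""

    def __init__(self):
        self._bindings = []  # list of (ip_network, sgt)

    def add(self, prefix, sgt):
        self._bindings.append((ipaddress.ip_network(prefix, strict=False), sgt))

    def lookup(self, ip):
        """Longest-prefix match, so a /32 host binding beats a subnet binding."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, sgt in self._bindings:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else None


def enforce(table, src_ip, dst_ip):
    """Enforcement point: resolve both tags, then consult the matrix.
    Traffic whose source or destination has no binding is denied."""
    src_sgt, dst_sgt = table.lookup(src_ip), table.lookup(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "deny"
    return POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def build_demo_table():
    """Constructed sample bindings: static subnet-to-SGT for the data centre,
    dynamic host bindings for a compliant and a non-compliant employee."""
    table = BindingTable()
    table.add("10.10.0.0/24", SGT["App_Serv"])     # static: subnet to SGT
    table.add("10.20.0.0/24", SGT["Prod_Serv"])    # static: subnet to SGT
    table.add("10.0.1.2/32", classify_session("Employee", "Compliant"))
    table.add("10.0.1.3/32", classify_session("Employee", "Non-Compliant"))
    return table


if __name__ == "__main__":
    table = build_demo_table()
    for src, dst in [("10.0.1.2", "10.10.0.5"), ("10.0.1.2", "10.20.0.5"),
                     ("10.0.1.3", "10.10.0.5"), ("10.20.0.7", "10.20.0.8")]:
        s, d = table.lookup(src), table.lookup(dst)
        print(f"{src} ({NAME[s]}) -> {dst} ({NAME[d]}): {enforce(table, src, dst)}")
```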

CLASSIFICATION PROPAGATION ENFORCEMENT

Consistent Policy Deployment

TrustSec policy matrix: push and deploy TrustSec policies consistently across switching, wireless and routing infrastructure.
Deploy to: Catalyst switches, Nexus switches, virtual switches, industrial switches, wireless access points, routing platforms.
TrustSec Reduces Operational Costs for
Segmentation

“Based on the results of the PCI validation and PCI Internal Network Penetration and
Segmentation Test, it is Verizon’s opinion that Cisco TrustSec can successfully perform
network segmentation, for the purpose of PCI scope reduction.”

http://bit.ly/pci-trustsec-report
“Cisco has made great strides in integrating support for the TrustSec framework across its
product lines” - “Flexibility to Segregate Resources Without Physical Segmentation or
Managing VLANs” - “Reduction in ACL Maintenance, Complexity and Overhead”

http://blogs.cisco.com/security/gartners-perspective-on-cisco-trustsec
“Cisco TrustSec enabled the organisations interviewed, to reduce operational costs by
avoiding additional IT headcount, deploy new environments faster, and implement consistent
and effective network segmentation resulting in lower downtime.”

http://bit.ly/ts-forrester-report

More on Cisco TrustSec
FOR YOUR REFERENCE

• Cisco Live sessions
  • BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec
  • BRKCRS-2810 Cisco SD-Access – A Look under the Hood
  • BRKCRS-3811 Cisco SD-Access – Policy from Campus to DC
  • BRKSEC-3690 Advanced Security Group Tags: The Detailed Walkthrough
• Online content
  • https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html
Behavioural Analysis
Stealthwatch in a Nutshell

Pipeline (reconstructed): network telemetry → transactional data model → contextual classification (identity) → analytics engine (intelligence) → actionable outcomes.

Cisco Stealthwatch is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring.
Conversational Flow Record => The General Ledger

Each record captures who talked to whom, what, how, when and where, with more context added as it becomes available.
• Stitched and de-duplicated
• Conversational representation
• Highly scalable data collection and compression
• Months of data retention
Stealthwatch System Components

Stealthwatch Cloud
• Cloud hosted; SaaS
• Public cloud (IaaS) monitoring
• On-prem visibility for small deployments

Stealthwatch Enterprise
• On-premises appliances
• On-premises visibility and telemetry collection
• Stealthwatch Cloud connection (coming 6.10.2)
Stealthwatch Enterprise System Components

Cognitive Analytics (Stealthwatch Cognitive Analytics license)
• Cloud hosted analytics
Threat Intelligence (Stealthwatch Cloud Threat Intelligence)
• Known C&C servers
• TOR entrance & exits
• Global Risk Map

Stealthwatch Management Console
• Management and reporting
• Up to 25 Flow Collectors
• Up to 6 million fps globally
• 2 physical and virtual models
• High Availability
Cisco Security Packet Analyser
• Rolling full packet capture
• 2 physical models

UDP Director
• UDP packet copier
• Forward to multiple destinations
• High Availability
• 2 physical and virtual models
Stealthwatch Flow Collector
• Collect and analyse
• Up to 4000 exporters
• Up to sustained 240,000 fps
• 4 physical and 3 virtual models

Endpoint License Concentrator
• Collect AnyConnect NVM flow data and forward to Flow Collector
• Virtual appliance
Stealthwatch Flow Sensor
• Generate IPFIX from SPAN/TAP
• 256 bytes of payload
• Physical and virtual models
Stealthwatch Cloud System Components

Private network monitoring: Stealthwatch Cloud Sensor(s) receive NetFlow/IPFIX and SPAN from the network and report to Stealthwatch Cloud over HTTPS.
Public cloud monitoring: Stealthwatch Cloud reads Amazon Web Services telemetry via API: VPC Flow Logs plus other AWS data (CloudTrail, CloudWatch, Inspector, IAM, Config, Lambda); other public clouds report over HTTPS.
Data Analysis with Stealthwatch

Visibility and Discovery:
• Identify business critical applications and services across the network
• Policy and segmentation modelling and monitoring

Identify Indicators of Compromise (IoC):
• Policy & Segmentation
• Network Behaviour & Anomaly Detection (NBAD)

Accelerated response to an IoC:
• Leverage the “General Ledger” for retrospective investigation
Host Groups: Logical Buckets of IP Space

Hierarchical structure of IP address lists. Examples:
• My DNS Servers are 10.1.1.10 and 10.1.1.11
• All my POSs are 10.20.20.0/24
• My HQ is 10.0.0.0/8
• Etc.

• A host can exist in multiple Host Groups
• A host can not be simultaneously Inside and Outside
Monitoring of Traditional Segmentation Policies

PCI Zone Map: inter-system relationships, with forbidden relationships highlighted.
Stealthwatch Learning Engines

Stealthwatch “On Box”
• Behavioural Analysis
• Anomaly detection through statistical learning
• Unsupervised Learning Engine
• User Defined Behaviour Analysis

Cognitive Analytics
• Cloud Hosted
• Multi-layer Machine Learning
• Anomaly detection through statistical learning
• Supervised Learning Engine
• Malware classification

Stealthwatch Cloud
• SaaS delivered
• Behavioural Analysis
• Anomaly detection through statistical learning
• Role Classification
Stealthwatch Enterprise “On-Box” Security Model

Algorithm: track and/or measure behaviour/activity
→ Security Event: suspicious behaviour observed or anomaly detected
→ Alarm: notification of security event generated
Alarm Categories

Each category accrues points.

Modeling Group Policy in Stealthwatch

A custom event triggers on a traffic condition and carries:
• Rule name and description
• Source Tag and Destination Tag
• Trigger on traffic in both directions; successful or unsuccessful
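An added example (not Stealthwatch code) that ties the Conversational Flow Record, Host Groups, Forbidden Relationship and Alarm Category slides above together: NetFlow-style records are stitched into de-duplicated bi-flows, hosts are mapped to hierarchical Host Groups, and custom events with source/destination tags accrue points in a Policy Violation category. Group names beyond the DNS and POS examples, the forbidden pairs, the point values and the sample records are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Hierarchical Host Groups (constructed; DNS and POS ranges mirror the slide).
# A host may sit in several groups; it is Outside only if it matches none.
HOST_GROUPS = {
    "Inside": ["10.0.0.0/8"],
    "Inside/DNS Servers": ["10.1.1.10/32", "10.1.1.11/32"],
    "Inside/PCI": ["10.20.20.0/24"],
    "Inside/Corporate Users": ["10.0.0.0/16"],
}

# Forbidden relationships as custom events: name, source tag, destination
# tag, and whether the reverse direction also triggers (all constructed).
FORBIDDEN = [
    ("Corporate Users -> PCI", "Inside/Corporate Users", "Inside/PCI", True),
    ("PCI -> Outside", "Inside/PCI", "Outside", False),
]
POINTS_PER_EVENT = 20   # constructed: points each matching flow adds
ALARM_THRESHOLD = 30    # constructed: category total that raises an alarm


def groups_for(ip):
    """All Host Groups containing ip; {'Outside'} if none does."""
    addr = ipaddress.ip_address(ip)
    found = {g for g, nets in HOST_GROUPS.items()
             if any(addr in ipaddress.ip_network(n) for n in nets)}
    return found or {"Outside"}


def stitch(records):
    """Stitch unidirectional (exporter, src, sport, dst, dport, proto, bytes)
    records into bi-flows, de-duplicating copies seen by several exporters:
    the lower-port side is taken as the server, and per-direction counters
    are kept per exporter with the largest used, so a flow exported twice is
    counted once rather than summed."""
    flows = {}
    for exporter, src, sport, dst, dport, proto, nbytes in records:
        a, b = (src, sport), (dst, dport)
        client, server = (a, b) if sport > dport else (b, a)
        f = flows.setdefault((client, server, proto), {
            "client": client[0], "server": server[0], "port": server[1],
            "proto": proto, "c2s": {}, "s2c": {}})
        d = f["c2s"] if a == client else f["s2c"]
        d[exporter] = max(d.get(exporter, 0), nbytes)
    for f in flows.values():
        f["client_bytes"] = max(f["c2s"].values(), default=0)
        f["server_bytes"] = max(f["s2c"].values(), default=0)
    return list(flows.values())


def evaluate(flows):
    """Run the custom events over the ledger; return (events, points per
    alarm category)."""
    events, points = [], defaultdict(int)
    for f in flows:
        cg, sg = groups_for(f["client"]), groups_for(f["server"])
        for name, src_tag, dst_tag, both in FORBIDDEN:
            hit = src_tag in cg and dst_tag in sg
            if both and not hit:
                hit = src_tag in sg and dst_tag in cg
            if hit:
                events.append((name, f["client"], f["server"], f["port"]))
                points["Policy Violation"] += POINTS_PER_EVENT
    return events, dict(points)


def alarms(points):
    """Categories whose accrued points reached the alarm threshold."""
    return [c for c, p in points.items() if p >= ALARM_THRESHOLD]


# Constructed sample: the first two records are one flow seen by two exporters.
SAMPLE = [
    ("sw1", "10.0.5.7", 51234, "10.20.20.9", 445, 6, 900),
    ("rtr1", "10.0.5.7", 51234, "10.20.20.9", 445, 6, 900),
    ("sw1", "10.20.20.9", 445, "10.0.5.7", 51234, 6, 4200),
    ("rtr1", "10.20.20.3", 40001, "203.0.113.10", 443, 6, 300),
    ("sw1", "10.0.5.7", 50000, "10.1.1.10", 53, 17, 80),
]

if __name__ == "__main__":
    found, pts = evaluate(stitch(SAMPLE))
    print(found, pts, alarms(pts))
```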

Stealthwatch Engine Placement

Telemetry sources (NetFlow & IPFIX, web logs) feed the Flow Collector:
• Create the “General Ledger”
• Policy and Behavioural Analytics
• Statistical Learning, Anomaly detection

The Flow Collector forwards a subset over HTTPS to Cognitive Analytics, which returns detections:
• Proxy log table
• Bi-flows for:
  • From Inside to Outside (default)
  • DNS from inside to anywhere
  • From configured groups to outside and other configured groups

Management: SSO, UI pivot and reporting over HTTPS.
Cognitive Analytics and Supervised Learning

Find this session online: BRKSEC-2444 – CTA Detecting Advanced Malware with Machine Learning
Encrypted Traffic Analytics

New NetFlow fields from the enhanced NetFlow exporter:
• Sequence of Packet Lengths and Times (SPLT)
• Initial Data Packet (IDP)

Major use cases:
• Cryptographic compliance audit
• Threat detection without decryption
Crypto Compliance (ETA)
Are my services cryptographically compliant?

Filter/sort results on cryptographic information (e.g. SSL vs TLS).
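An added example of the crypto compliance audit the slide describes, written in Python and not Cisco ETA code: the TLS ClientHello in a session's Initial Data Packet is parsed without any decryption to recover the offered versions and cipher suites, then graded against a policy. The policy floor (TLS 1.2, no RC4/3DES) and the sample sessions are constructed for this example; cipher suite IDs are the IANA values.

```python
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
VERSION_NAMES = {0x0300: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1",
                 TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
# IANA cipher suite IDs the audit knows by name; others are reported in hex.
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0x1301: "TLS_AES_128_GCM_SHA256"}
WEAK_SUITES = {0x0004, 0x000A}   # RC4 / 3DES: constructed policy
MIN_VERSION = TLS12              # constructed policy floor


def parse_client_hello(idp):
    """Parse the ClientHello at the start of the IDP. Returns (record version,
    hello version, cipher suite ids, SNI or None, supported_versions list),
    or None if the bytes are not a TLS ClientHello."""
    u16 = lambda off: struct.unpack("!H", idp[off:off + 2])[0]
    try:
        if idp[0] != 0x16 or idp[5] != 0x01:   # handshake record, ClientHello
            return None
        rec_ver, hello_ver = u16(1), u16(9)
        pos = 11 + 32                           # skip 32-byte client random
        pos += 1 + idp[pos]                     # session id
        cs_len = u16(pos); pos += 2
        suites = [u16(i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
        pos += 1 + idp[pos]                     # compression methods
        sni, versions = None, []
        end = min(pos + 2 + u16(pos), len(idp)) if pos + 2 <= len(idp) else pos
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", idp[pos:pos + 4]); pos += 4
            body = idp[pos:pos + elen]; pos += elen
            if etype == 0 and len(body) >= 5:       # server_name
                n = struct.unpack("!H", body[3:5])[0]
                sni = body[5:5 + n].decode("ascii", "replace")
            elif etype == 43 and body:              # supported_versions
                versions = [struct.unpack("!H", body[i:i + 2])[0]
                            for i in range(1, 1 + body[0], 2)]
        return rec_ver, hello_ver, suites, sni, versions
    except (IndexError, struct.error):
        return None


def audit(idp):
    """Grade one session's IDP against the compliance policy."""
    parsed = parse_client_hello(idp)
    if parsed is None:
        return {"status": "not-tls-client-hello"}
    _, hello_ver, suites, sni, versions = parsed
    offered = max([hello_ver] + versions)   # highest version the client offers
    name = VERSION_NAMES.get(offered, hex(offered))
    findings = []
    if offered < MIN_VERSION:
        findings.append(f"max offered version {name} is below policy")
    weak = [SUITES[s] for s in suites if s in WEAK_SUITES]
    if weak:
        findings.append("weak suites offered: " + ", ".join(weak))
    return {"sni": sni, "max_version": name, "compliant": not findings,
            "suites": [SUITES.get(s, hex(s)) for s in suites], "findings": findings}


def build_client_hello(hello_version, suites, sni=None, versions=()):
    """Build a minimal ClientHello record (constructed sample input only)."""
    exts = b""
    if sni:
        name = sni.encode()
        body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0, len(body)) + body
    if versions:
        body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", 43, len(body)) + body
    hello = (struct.pack("!H", hello_version) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(hs)) + hs


# Constructed sample sessions: a TLS 1.3-capable client and a legacy one.
SAMPLES = {
    "modern": build_client_hello(TLS12, [0x1301, 0xC030, 0xC02F], "app.example.com", [TLS13, TLS12]),
    "legacy": build_client_hello(TLS10, [0x0004, 0x000A, 0x002F], "old.example.com"),
}
```

Running `audit(idp)` over each value in `SAMPLES` prints one compliance verdict per session.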
Encrypted Traffic Analytics Support   FOR YOUR REFERENCE

Solution Element                                      Software Version          License
Enterprise switches (Cisco Catalyst 9000 Series)*     Cisco IOS XE 16.6.2       Included in Cisco DNA Advantage license / Cisco ONE Advanced
Branch routers (ASR 1000 Series, 4000 Series ISR,     Cisco IOS XE 16.6.2       Included in SEC/k9 license
  CSR, ISRv)
Stealthwatch with CA                                  v6.9.1 (Available now)    Management Console, Flow Collector, Flow Rate License
Stealthwatch with CA and ETA                          v6.9.2                    Management Console, Flow Collector, Flow Rate License
More on Cisco Stealthwatch
FOR YOUR REFERENCE

• Cisco Live sessions
  • BRKSEC-2026 Building Network Security Policy Through Data Intelligence
  • BRKSEC-2774 Advanced Security Integration, Tips & Tricks
  • BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough
• Online content
  • http://www.cisco.com/go/stealthwatch
  • http://cs.co/ats-youtube
• Cognitive Analytics:
  • https://www.ciscolive.com/global/on-demand-library/?search=BRKSEC-2444#/session/1473287217533001vYSn
  • https://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/eta.html
  • https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/bartos
Advanced Malware Protection
It’s Impossible to Block 100% of Threats, 100% of the Time

Known threats are blocked, good files make it through, and unknown threats are passed to the next system.
The current defence-in-depth approach is built on binary detection at each point: NGFW, NGIPS, ESA, WSA, Endpoint, ISR.
Single points of inspection have their limitations.
Do Security Different!

Plan A: Prevention
• Speed: real-time, dynamic decisions trained on real-world data
• High accuracy, low false positives / negatives
• Raise the bar, reduce attack surface
• Mode: Constant Security Control

Plan B: Retrospection
• Track system behaviours regardless of disposition
• “In-flight” correction (machine learning)
• Contain & correct damage, expel embedded intruders
• Reveals malicious activity
• Mode: Continuous Incident Response
AMP Everywhere Threat Defence

Visibility, threat intelligence and AMP intelligence sharing across Endpoint, Network, Web and Email.
AMP Everywhere Architecture

Talos and Threat Grid feed the AMP Cloud, which serves NGFW, NGIPS, ISR, CES / ESA, WSA / Umbrella and Endpoint.
AMP for Endpoints – Next Generation Endpoint Security

▪ Cloud managed, subscription based SaaS
▪ Option of cloud or private cloud deployment
▪ Protects Windows, Mac, Linux CentOS and RedHat, Android, iOS
▪ Meets and exceeds capabilities of a solution required for PCI and HIPAA compliance
▪ AMP Everywhere integrated architecture
AMP for Endpoints Philosophy

Prevent: prevent attacks and block malware in real time
Detect: continuously monitor to reduce time to detection
Respond: accelerate investigations and remediate faster and more effectively
How Does it Work?

[Figure: time to detection, from shorter to longer]
AMP Unity – See Once, Protect Everywhere

Common objects (whitelists, blacklists) and global trajectory are held in the AMP Cloud and shared across endpoints, network appliances (NGIPS, NGFW) and content appliances (WSA, ESA/CES).
Advanced Malware Protection Summary

• Make the unknown known
• See once, block everywhere
• Accelerate security response
More on Advanced Malware Protection
FOR YOUR REFERENCE

• Cisco Live break out sessions
  • BRKSEC-2051 It's all about Securing the Endpoint!
  • BRKSEC-2140 How to Defend Against Ransomware Threats So You Don’t Become a Hostage
  • BRKSEC-2769 Endpoint Security, Your Last Line of Defence
  • BRKSEC-3230 A Deep Dive on how AMP Threat Grid, AMP for Endpoint and Cisco Umbrella Integrate and Support IR Investigations and Response Strategies
• Online content
  • http://www.cisco.com/go/amp
  • http://cs.co/ats-youtube
Rapid Threat Containment
Threat Containment
Rapid Threat Containment with Stealthwatch & ISE

Components (reconstructed diagram): Controller, NGFW, Flow Collector, FMC, Internet (i-Net / WWW).
1. Stealthwatch is analysing flows from the Flow Collector
2. Stealthwatch is also merging identity data from ISE
3. Admin is alerted of suspicious behaviour
4. Admin initiates endpoint quarantine (EPS over pxGrid)
5. Endpoint assigned Quarantine + CoA-Reauth sent
6. New traffic rules apply to the new state of the endpoint:
   6a. Could deny access (ingress)
   6b. Could filter it within the network (egress)
Threat Containment
Rapid Threat Containment with Firepower Management Centre and ISE

1. Security events / IOCs reported (NGFW to FMC)
2. Correlation rules trigger a remediation action
3. pxGrid EPS action: Quarantine + Re-Auth (FMC to the ISE Controller / MnT)
4. Endpoint assigned Quarantine + CoA-Reauth sent
Threat Containment
Rapid Threat Containment with AMP, FMC and ISE

1. Threat / IOCs reported (AMP to FMC)
2. Correlation rules trigger a remediation action
3. pxGrid EPS action: Quarantine + Re-Auth (FMC to the ISE Controller / MnT)
4. Endpoint assigned Quarantine + CoA-Reauth sent
More on Rapid Threat Containment
FOR YOUR REFERENCE

• Cisco Live break out sessions
  • BRKSEC-2774 Advanced Security Integration, Tips & Tricks
• Online content
  • http://www.cisco.com/go/rtc
Conclusion
Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.
Digital Network Architecture for Enterprise Security

Visibility and Control Everywhere: across the branch office, WAN, services, data center, campus network, Internet and public cloud.
• Network integrated security
• Respond to threats faster
• Centralised policy, control and reporting
‘Infrastructure’ to secure ‘Information’
Thank you
