
Page 1: Cisco Security Architecture

Sourcefire Seminar Series 2014 North American Roadshow

Page 2: Cisco Security Architecture

© 2014 Cisco and/or its affiliates. All rights reserved.

The Silver Bullet Does Not Exist…

“Self Defending Network”
“It matches the pattern”
“No false positives, no false negatives.”

Application Control
FW/VPN
IDS / IPS
UTM
NAC
AV
PKI

“Block or Allow”
“Fix the Firewall”
“No key, no access”

Sandboxing
“Detect the Unknown”

Page 3: Cisco Security Architecture


The New Security Model

Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Network | Endpoint | Mobile | Virtual | Cloud

Point in Time | Continuous

Page 4: Cisco Security Architecture


Sourcefire’s Security Solutions

COLLECTIVE SECURITY INTELLIGENCE
Management Center: Appliances | Virtual
Next-Generation Firewall
Next-Generation Intrusion Prevention
Advanced Malware Protection
Contextual Awareness
Hosts | Virtual | Mobile
Appliances | Virtual

Page 5: Cisco Security Architecture


Covering the Entire Attack Continuum

Visibility and Context

Firewall

NGFW

NAC + Identity Services

VPN

UTM

NGIPS

Web Security

Email Security

Advanced Malware Protection

Network Behavior Analysis

Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Page 6: Cisco Security Architecture

Sourcefire NGIPS and NGFW

Page 7: Cisco Security Architecture


Leadership: The Path “Up and Right”

Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.

As of December 2013. Source: Gartner (December 2013)

Page 8: Cisco Security Architecture


2012 NSS Labs IPS SVM

Page 9: Cisco Security Architecture


NSS Labs Security Value Map (SVM) for Breach Detection Systems

[SVM chart: vertical axis Security Effectiveness, horizontal axis TCO per Protected-Mbps]

Page 10: Cisco Security Architecture


FirePOWER™ Innovations

LCD Display: Quick and easy headless configuration
Device Stacking: Scale monitoring capacity through stacking
Connectivity Choice: Change and add connectivity in line with network requirements
Hardware Acceleration: For best-in-class throughput, security, rack size/Mbps, and price/Mbps
Lights Out Management: Minimal operational impact
SSD: Solid State Drive for increased reliability
Configurable Bypass or Fail Closed Interfaces: For IDS, IPS or Firewall deployments

Page 11: Cisco Security Architecture


IPS Performance and Scalability

Platforms and Places in the Network: Data Center | Campus | Branch Office | SOHO | Internet Edge

FirePOWER 7000 Series: 50 Mbps – 250 Mbps
FirePOWER 7100 Series: 500 Mbps – 1 Gbps
FirePOWER 7120/7125/8120: 1 Gbps – 2 Gbps
FirePOWER 8100/8200: 2 Gbps – 10 Gbps
FirePOWER 8300 Series: 15 Gbps – 60 Gbps

Page 12: Cisco Security Architecture


Collective Security Intelligence

IPS Rules
Malware Protection
Reputation Feeds
Vulnerability Database Updates
Sourcefire AEGIS™ Program
Private and Public Threat Feeds
Sandnets
FireAMP™ Community
Honeypots
Advanced Microsoft and Industry Disclosures
SPARK Program
Snort and ClamAV Open Source Communities
File Samples (>380,000 per day)
Sourcefire VRT® (Vulnerability Research Team)
Sandboxing
Machine Learning
Big Data Infrastructure

Page 13: Cisco Security Architecture


Protecting Your Network: 2013 Output

2 SEU/SRU, 1 VDB updates per week
>380,000 samples per day
>300,000 sandbox convictions per month
4,310 new IPS rules
100% same-day protection for Microsoft vulnerabilities
99.4% vulnerability coverage per NSS Labs IPS group test*

* Source: NSS Labs Data Center IPS Comparative Analysis, 2014

Page 14: Cisco Security Architecture


Robust Partner Ecosystem

Combined API Framework

BEFORE: Policy and Control
DURING: Identification and Block
AFTER: Analysis and Remediation

Infrastructure & Mobility | NAC | Vulnerability Management | Custom Detection | Full Packet Capture | Incident Response | SIEM | Visualization | Network Access | Taps

Page 15: Cisco Security Architecture


FireSIGHT™ Visibility: Contextual Awareness, Information Superiority

CATEGORY                    EXAMPLES                      SOURCEFIRE FireSIGHT   TYPICAL IPS   TYPICAL NGFW
Threats                     Attacks, Anomalies            ✔                      ✔             ✔
Users                       AD, LDAP, POP3                ✔                      ✗             ✔
Web Applications            Facebook Chat, Ebay           ✔                      ✗             ✔
Application Protocols       HTTP, SMTP, SSH               ✔                      ✗             ✔
File Transfers              PDF, Office, EXE, JAR         ✔                      ✗             ✔
Malware                     Conficker, Flame              ✔                      ✗             ✗
Command & Control Servers   C&C Security Intelligence     ✔                      ✗             ✗
Client Applications         Firefox, IE6, BitTorrent      ✔                      ✗             ✗
Network Servers             Apache 2.3.1, IIS4            ✔                      ✗             ✗
Operating Systems           Windows, Linux                ✔                      ✗             ✗
Routers & Switches          Cisco, Nortel, Wireless       ✔                      ✗             ✗
Mobile Devices              iPhone, Android, Jail         ✔                      ✗             ✗
Printers                    HP, Xerox, Canon              ✔                      ✗             ✗
VoIP Phones                 Avaya, Polycom                ✔                      ✗             ✗
Virtual Machines            VMware, Xen, RHEV             ✔                      ✗             ✗

Page 16: Cisco Security Architecture

FireSIGHT Demo

Page 17: Cisco Security Architecture


Save Money and Improve Security

IT Insight: Spot rogue hosts, anomalies, policy violations, and more
Impact Assessment: Threat correlation reduces actionable events by up to 99%
Automated Tuning: Adjust IPS policies automatically based on network change
User Identification: Associate users with security and compliance events
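The “Impact Assessment” item above, as an added example that is not Sourcefire or FireSIGHT code: a small Python model of how correlating an IPS alert with a passively built host profile drops alerts that cannot affect the targeted host, so only a fraction stay actionable. The impact-level names, host inventory, rule metadata and alerts are this example's own constructed data.

```python
# Added illustration of impact assessment by threat correlation: an IPS alert is
# only treated as actionable when the targeted host actually runs what the
# attack affects. Not product code; all data below is constructed sample data.
from dataclasses import dataclass


@dataclass
class Host:
    os_family: str    # OS seen on the wire, e.g. "windows", "linux", "printer"
    services: set     # services seen on the host, as "port/product" strings


@dataclass
class Rule:
    affected_os: set        # OS families the attack works against
    affected_service: str   # "port/product" the attack targets


# Constructed host inventory, as passive discovery would build it.
HOSTS = {
    "10.0.0.5":  Host("windows", {"445/smb", "80/iis"}),
    "10.0.0.9":  Host("linux",   {"22/openssh", "80/apache"}),
    "10.0.0.12": Host("printer", {"9100/jetdirect"}),
}

# Constructed rule metadata keyed by rule id (sid).
RULES = {
    1001: Rule({"windows"}, "445/smb"),      # SMB server exploit
    1002: Rule({"linux"},   "80/apache"),    # Apache exploit
    1003: Rule({"windows"}, "3389/rdp"),     # RDP exploit
}


def impact(alert, hosts=HOSTS, rules=RULES):
    """Impact level for one alert {"sid": ..., "dst_ip": ...}; the level
    names are this example's own, not a product's:
      1 vulnerable: target runs the affected OS and the affected service
      2 potentially vulnerable: OS matches, service not observed
      3 not vulnerable: target known but runs a different OS
      4 unknown target: host not in the inventory
    """
    rule, host = rules[alert["sid"]], hosts.get(alert["dst_ip"])
    if host is None:
        return 4
    if host.os_family not in rule.affected_os:
        return 3
    return 1 if rule.affected_service in host.services else 2


def triage(alerts):
    """Return (count of level-1 alerts, fraction of alerts de-prioritised)."""
    levels = [impact(a) for a in alerts]
    actionable = levels.count(1)
    return actionable, 1 - actionable / len(levels)
```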

Page 18: Cisco Security Architecture


FireSIGHT™ Operational Savings

One of the world’s 3 largest credit reporting agencies:
•  20,000 nodes
•  7,500 employees

Generic Work Rate: $75/hour

Source: SANS "Calculating TCO on Intrusion Prevention Technology" whitepaper, December 2013

Page 19: Cisco Security Architecture


Customer Testimonial: Nathan Romine, Western Union

Page 20: Cisco Security Architecture

Policy Demo

Page 21: Cisco Security Architecture


Benefits of Application Control

Social: Security and DLP
Mobile: Enforce BYOD Policy
Bandwidth: Recover Lost Bandwidth
Security: Reduce Attack Surface

Page 22: Cisco Security Architecture


Application Control is Cool!

Page 23: Cisco Security Architecture

AMP: Advanced Malware Protection

Page 24: Cisco Security Architecture


In Spite of Layers of Defense

Malware is getting through control-based defenses
Malware Prevention is NOT 100%
Breach
Existing tools are labor intensive and require expertise

Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Point in Time | Continuous

Page 25: Cisco Security Architecture


APT / Advanced Malware: A tool for financial gain

•  Uses formal Development Techniques
•  Sandbox aware
•  Quality Assurance to evade detection
•  24/7 Tech support available

•  Has become a math problem
•  End Point AV Signatures: ~20 Million
•  Total KNOWN Malware Samples: ~100 M
•  AV Efficacy Rate: ~50%

Page 26: Cisco Security Architecture


When Malware Strikes, You Have Questions

Where did it come from?

Who else is infected?

What is it doing?

How do I stop it?

Page 27: Cisco Security Architecture


Visibility and Control

Page 28: Cisco Security Architecture


AMP Everywhere

AMP for Networks

AMP for Endpoints

ESA Email

WSA Web

CWS Web

Page 29: Cisco Security Architecture

AMP for FirePOWER and FireAMP Demo

Page 30: Cisco Security Architecture
Page 31: Cisco Security Architecture


When Malware Strikes, Have Answers

Where did it come from?

Who else is infected?

What is it doing?

How do I stop it?

Device Trajectory File Trajectory

File Analysis Automated Remediation

Page 32: Cisco Security Architecture


Right in the Middle Of…

Page 33: Cisco Security Architecture

Better Together

Page 34: Cisco Security Architecture


Visibility

FirePower FireAMP Intelligence Spark

Sensors 20

100 Detections

30 Exploit Kits

595K Lookups

293K New files

6450 Detections

33M Lookups

10K Detections

28M Network lookups

3K Network Blocks

600K Files

100K Sandbox

60K IPS

100K Detections

Retrospective Intelligence

Sourcefire Vulnerability Research

Page 35: Cisco Security Architecture


Visibility

FirePower FireAMP Intelligence Spark

Sensors 20

100 Detections

30 Exploit Kits

595K Lookups

293K New files

6450 Detections

33M Lookups

10K Detections

28M Network lookups

3K Network Blocks

600K Files

100K Sandbox

60K IPS

100K Detections

Retrospective Intelligence

ESA/WSA CWS

93B Messages

4.5B Blocks

20K New Files

80M Web Blocks

16B Web Requests

1M Blocks

20K New Files

Sourcefire+Cisco Vulnerability Research

Page 36: Cisco Security Architecture


Cisco Security Architecture

SMB / Branch

Campus Data Center

Internet

ASA

ISR

IPS

ASA

Email

Web ISE

AD Wireless

Switch

Router

Content Policy

ISR-G2 Integrated Services

CSM

ASA

ASAv ASAv ASAv ASAv

Hypervisor

Virtual Data Center

Physical Data Center

Global Threat Intelligence

Remote Devices

Access

Cloud Security Gateway

Cloud Security Gateway

ASAv in the

Fabric (SDN)

Page 37: Cisco Security Architecture


Comprehensive Security Portfolio

IPS & NGIPS

•  Cisco IPS 4300 Series

•  Cisco ASA 5500-X Series integrated IPS

•  FirePOWER NGIPS

•  FirePOWER NGIPS w/ Application Control

•  FirePOWER Virtual NGIPS

Web Security

•  Cisco Web Security Appliance (WSA)

•  Cisco Virtual Web Security Appliance (vWSA)

•  Cisco Cloud Web Security

Firewall & NGFW

•  Cisco ASA 5500-X Series

•  Cisco ASA 5500-X w/ NGFW license

•  Cisco ASA 5585-X w/ NGFW blade

•  FirePOWER NGFW

Advanced Malware Protection

•  FireAMP

•  FireAMP Mobile

•  FireAMP Virtual

•  AMP for FirePOWER license

•  Dedicated AMP FirePOWER appliance

NAC + Identity Services

•  Cisco Identity Services Engine (ISE)

•  Cisco Access Control Server (ACS)

Email Security

•  Cisco Email Security Appliance (ESA)

•  Cisco Virtual Email Security Appliance (vESA)

•  Cisco Cloud Email

•  Cisco •  Sourcefire

UTM

•  Meraki MX

VPN

•  Cisco AnyConnect VPN

Page 38: Cisco Security Architecture


ASA 5500-X Advantages

Up to 4X faster than legacy ASA

Integrated security acceleration hardware

NG Services: Application control (AVC), Web security (WSE), Sourcefire (NGIPS - FireSIGHT)

Technology Migration Program (TMP)

•  10% off ASA-X Firewalls

•  15% off NGFW Services

ASA 5512-X: 1 Gbps FW Throughput
ASA 5515-X: 1.2 Gbps FW Throughput
ASA 5525-X: 2 Gbps FW Throughput
ASA 5545-X: 3 Gbps FW Throughput
ASA 5555-X: 4 Gbps FW Throughput

Page 39: Cisco Security Architecture

Cisco ASA 5585-X Firewall for Data Centers

•  World’s fastest firewall solution – up to 640 Gbps clustered

•  16 chassis clustering can be managed as a single device and across multiple data centers

•  Purpose-built data center security supports traditional, SDN, and ACI data center environments

Market-leading DC Firewall

Page 40: Cisco Security Architecture


Real-Time Protection Network / Security Devices

Cisco Unified Threat Intelligence

Actionable Intelligence

Vendor, Industry and Agency Alliances

Managed Honeypots, Mantraps


Challenge:
•  Multiple, non-integrated intelligence sources
•  Limited intelligence footprint
•  Slow, inconsistent threat updates
•  No consistency between security solutions

Solution:
•  Largest unified threat database
•  Global intelligence from millions of devices, billions of websites, emails/day
•  Threat updates every 3-5 minutes
•  Unified intelligence (Cisco + Sourcefire): ASA, IPS, CWS, ESA, WSA, ISE

Global Threat Operations

Page 41: Cisco Security Architecture


Local and Global Threat Intelligence

Integrated and Centralized Policy

Embedding Security in the Infrastructure Comprehensive Visibility and Scalable Enforcement

NETWORK Sees All Traffic

Routes All Requests Sources All Data

Controls All Flows

Handles All Devices

Touches All Users

Shapes All Streams

Visibility

Enforcement

Behavioral Analysis

Encryption Identity Awareness

Device Visibility

Policy Enforcement

Access Control

Threat Defense

Page 42: Cisco Security Architecture


Risk Reports

•  Samples
•  Eval Output
•  Executive focus