Next-Generation Encryption (NGE) and the Commercial Solutions for Classified (CSfC) Program
Neil Lovering, CCIE #1772
Consulting Systems Engineer – Security
[email protected]
March 3, 2016
Navy Tech Day – San Diego


Cisco Live 2014


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public


Agenda
- Next-Generation Encryption Overview
- NGE and the Commercial Solution for Classified Program
- CSfC Use-Case
- Cisco NGE Innovation Focus Areas
- Summary


Next-Generation Encryption Overview

Notes:
- Give some examples of the current environment
- Given the last few months
- Let's all put our hacker faces on
- Now let's put our IT Security analyst faces on
- It's not good

Cryptography
The Universal Security Feature
- Cryptography is embedded in all Cisco products
- Cryptography is critical to every solution and market
- Cryptography is vital to Cybersecurity efforts across all markets
- On the flip side: Cryptography makes network traffic invisible

Cryptographic Mechanisms
- Encryption
- Data Authentication
- Key Establishment
- Signatures
- Hashing

Security at Different Layers

802.11 WPA2 Wireless Security
[Figure: OSI stack (Application, Presentation, Session, Transport, Network, Link, Physical) with 802.11i marked]

Ethernet MACSec
[Figure: OSI stack with MACSec (802.1AE) marked]

IPSec
[Figure: OSI stack with IPSec marked]

Transport Layer Security (TLS)
[Figure: OSI stack with TLS marked]

Secure Shell (SSH)
[Figure: OSI stack with SSH marked]

Secure RTP
[Figure: OSI stack with SRTP marked]

Defense in Depth
[Figure: OSI stack with IPSec, 802.11i, MACSec, TLS, SRTP and SSH marked]

What is Next-Generation Encryption (NGE)?

Next-Generation Encryption: Why is it Important?
- Crypto moves in ten-year investment waves/cycles
  - Starting with Governments, Financials, etc.
- The explosion of mobile devices (BYOD)
- Low-power endpoint evolution driving need for more efficient, stronger crypto
- Higher data throughputs driving scalability needs
- Current cryptographic implementations *will not* scale to 10G, 40G and 100G
- Vulnerabilities and threats continue to change, and hackers are becoming more skilled and funded

Next-Generation Encryption: Why is it Needed?
- Cryptography is a fundamental underpinning of nearly all security products, solutions, and architectures
- Cisco has increased the R&D and innovation focus on its Security portfolio
- NGE is the strongest and most efficient commercial cryptography
- Leverages standards-based solutions
  - Elliptic Curve, AES-GCM (Galois Counter Mode), etc.
- Networking technologies continue to evolve:
  - Ethernet (10/100Mb, 1Gb, 10Gb, 40Gb, 100Gb, ...)
  - Wi-Fi (11, 54, 150, 300, 450, etc.)
  - Cryptography (3DES, AES-CBC, AES-GCM)

Next-Generation Encryption Protocol Suite
- Key Establishment: ECDH-P256/384/521
- Digital Signatures: ECDSA-P256/384/521
- Hashing: SHA-256/384/512
- Authenticated Encryption: AES-128/256-GCM
- Authentication: HMAC-SHA-256/384/512
- Entropy: SP800-90

What is Suite B?
- NSA encryption guidance titled "Suite B"
  http://www.nsa.gov/ia/_files/SuiteB_Implementer_G-113808.pdf
- Suite B is not a protocol
  - It is a profile for consistent security when using multiple cryptographically strong protocols
- It enables government customers to conform to Suite B requirements
- Suite B offers the best technologies for future-proof cryptography, setting the trend for the industry
- CNSSP-15 Policy Compliant (Committee on National Security Systems Policy)
  "(6) The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

Standards and Protocols
The following documents provide guidance for using Suite B cryptography with Internet protocols:
- RFC 6239: "Suite B Cryptographic Suites for Secure Shell (SSH)"
- RFC 6318: "Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)"
- RFC 6380: "Suite B Profile for Internet Protocol Security (IPSec)"
- RFC 6460: "Suite B Profile for Transport Layer Security (TLS)"
- RFC 7030: "Enrollment over Secure Transport"
Source: http://www.nsa.gov/ia/programs/suiteb_cryptography/

Cisco NGE and Suite B
- NGE is a super set of Suite B
  - Cisco has additional Cipher Suites
- Upgrades all crypto mechanisms
  - New/Upgraded algorithms, key sizes, protocols and entropy
- Compatible with existing security architectures, e.g., DMVPN, GETVPN, P2P SAs
- Standards-based components, available today in next-generation solutions
- Targets Suite B (US), FIPS-140 (US/Canada), NATO
[Figure: NGE (Cisco) and Suite B (NSA)]

Next-Generation Encryption vs. Suite B

Categories: Encryption, Data Authentication, Key Establishment, Digital Signatures, Hashing

- Suite B mLoS 128: AES-128-GCM, ECDH-P256, SHA-256, ECDSA-P256
- Suite B mLoS 192: AES-256-GCM, ECDH-P384, SHA-384, ECDSA-P384
- Other NGE algorithms: ECDH-P521, SHA-512, ECDSA-P521, AES-192-GCM

mLoS = Minimum Level of Security

NGE, Suite B and the Commercial Solution for Classified Program

CNSSP-15
- CNSSP-15 (Committee on National Security Systems Policy 15), National Information Assurance Policy (NIAP) on the Use of Public Standards for Secure Sharing of Information Among National Security Systems
- CNSSP-15 states: "IA and IA-enabled IT products with integrated cryptography acquired to protect NSS and information therein shall adhere to the following:
  - After 1 October 2015, the appropriate Suite B cryptographic algorithms or a commensurate suite of NSA-approved cryptographic algorithms shall be included;
  - Prior to 1 October 2015, the appropriate Suite B cryptographic algorithms and/or the appropriate legacy cryptographic algorithms, or a commensurate suite of NSA-approved cryptographic algorithms shall be included;
  - Be compliant with NSA-approved public key and key management infrastructures as appropriate; and
  - Successfully complete security protocol interoperability testing by an NSA-approved security protocol interoperability testing service."

NGE Target Use-Cases

NGE for Unclassified
- Use: For protection of unclassified data
- Strengthens existing data protection needs
- Opportunity to leverage NGE for advanced protection
- Traditional deployment models
- Upgrade cipher suites for added security
- CNSSP-15 compliance

Callouts: "Why not?" / "Because they said so"

NGE for Classified
- Use: For protection of classified data
- NSA-led CSfC program
- Well-defined Deployment Architectures
- More stringent deployment policies than Civilian/non-DoD customers
- Leverages a Layered Architectural Approach

NGE Enabled Encryption Architectures: Available Today
[Figure: Remote Access VPNs (ASA Firewall, CSM / ASDM); GETVPN with key server (KS) and group members GM1 to GM9; MACSec (802.1X supplicant with MACSec, MACSec capable devices, guest user with data sent in clear, authenticated user on an encrypted MACSec link); Site-to-Site, DMVPN and FlexVPN]

Commercial Solutions for Classified Program
- NSA/CSS's Commercial Solutions for Classified (CSfC) Program has been established to enable commercial products to be used in layered solutions protecting classified NSS data
- This will provide the ability to securely communicate based on commercial standards in a solution that can be fielded in months, not years
- CSfC program requirements are customer-driven
  - CSfC vendors do not request features or drive requirements
http://www.nsa.gov/ia/programs/csfc_program/index.shtml

Why is CSfC Interesting to Customers?
- Leverages well-known COTS encryption solutions and operation models
- Operational Simplicity
  - Operational expense complexity of COTS is not new and risk has diminished
  - Well understood capabilities, troubleshooting, etc.
- Quicker time-to-market of innovation
  - Can leverage COTS technology, speeds/feeds, innovation and scale testing by vendors
  - Will not lag industry best practices and SW feature innovations
- Reduced Cost
  - COTS TCO will be lower given open market chip sets, silicon and vendor familiarity
- Availability
  - EAR export restrictions mean fewer availability, handling issues
- Rapid Deployment: Allows field to deploy solutions more rapidly

CSfC Layered Architectures for Classified
- Architectural, defense-in-depth (e.g. layers), approach to security
- SECRET requires 2 layers of countable Crypto mLoS 128
- TOP SECRET requires 2 layers of countable Crypto mLoS 192

Example: 1+1 = 2 countable layers sufficient for protecting SECRET information

[Figure: Outer Tunnel and Inner Tunnel; Suite B VPN / Countable Layer #1; Suite B Application Layer Security / Countable Layer #2]

Approved Encryption Technologies can vary at each Layer
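The layer-counting rule above, applied to a proposed design, as an added example (not code from the presentation or from the CSfC program). It assumes the algorithm levels from the NGE vs. Suite B slide, treats a layer's mLoS as that of its weakest algorithm, and uses hypothetical layer dictionaries with constructed values.

```python
from typing import Optional

# Levels as grouped on the NGE vs. Suite B slide; anything else is left unrated.
SUITE_B_LEVEL = {
    "AES-128-GCM": 128, "ECDH-P256": 128, "SHA-256": 128, "ECDSA-P256": 128,
    "AES-256-GCM": 192, "ECDH-P384": 192, "SHA-384": 192, "ECDSA-P384": 192,
}
REQUIRED_MLOS = {"SECRET": 128, "TOP SECRET": 192}   # two countable layers each
ROLES = ("encryption", "key_establishment", "hashing", "signature")


def layer_level(layer: dict) -> Optional[int]:
    """mLoS of one layer is its weakest algorithm; None if any is unrated."""
    levels = [SUITE_B_LEVEL.get(layer.get(role, "")) for role in ROLES]
    return None if None in levels else min(levels)


def evaluate(layers: list, classification: str) -> list:
    """Return findings for a layered design; an empty list means it passes."""
    need = REQUIRED_MLOS[classification]
    findings, countable = [], []
    for layer in layers:
        level = layer_level(layer)
        if level is None:
            findings.append(f"{layer['name']}: algorithm outside the Suite B levels")
        elif level < need:
            findings.append(f"{layer['name']}: mLoS {level}, {classification} needs {need}")
        else:
            countable.append(layer)
    if len(countable) < 2:
        findings.append(f"{len(countable)} countable layer(s), 2 required")
    # Assumption: layers on the same platform are flagged, since independence
    # of the two layers has to be documented and reviewed.
    platforms = [layer["platform"] for layer in countable]
    if len(set(platforms)) < len(platforms):
        findings.append("layers share a platform: independence not shown")
    return findings


# Constructed designs (names and platform labels are illustrative).
OUTER = {"name": "outer", "platform": "router", "encryption": "AES-256-GCM",
         "key_establishment": "ECDH-P384", "hashing": "SHA-384",
         "signature": "ECDSA-P384"}
INNER_MIXED = {"name": "inner", "platform": "firewall", "encryption": "AES-256-GCM",
               "key_establishment": "ECDH-P256", "hashing": "SHA-384",
               "signature": "ECDSA-P384"}
INNER_LEGACY = dict(INNER_MIXED, encryption="AES-256-CBC")

if __name__ == "__main__":
    for label in REQUIRED_MLOS:
        print(label, evaluate([OUTER, INNER_MIXED], label) or "passes")
    print("legacy inner:", evaluate([OUTER, INNER_LEGACY], "SECRET"))
```

The mixed inner layer shows why every algorithm in a tunnel matters: a single P-256 key exchange keeps the layer at mLoS 128 even though its cipher, hash and signature are at the 192 level.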

CSfC Components
- Capability Packages: VPN, Mobility, Campus WLAN
- NIAP Evaluations: Must be validated against an approved PP
  - NDPP v1.1 minimum
  - VPNGW EP
  - SIP Server
  - Application (VPN, VoIP, etc.)
  - WLAN
- FIPS: FIPS 140-2
- Memorandum of Agreement (MoA) is entered between the CSfC Program office and the Vendor
  - The MoA states that the vendor's product must be NIAP certified, FIPS certified, and that the vendor agrees to fix vulnerabilities in a timely fashion
  - The MoA may also reference technology-specific selections for NIAP testing

What is a Capabilities Package (CP)?
- Contain product-neutral information that will allow customers/integrators to successfully implement their own solutions
- Customers/integrators make product selections while following the guidelines/restrictions to create an architecture with specific commercial products configured in a particular manner
- Provide sufficient guidance for accreditors to make informed decisions on whether solutions meet their mission and security requirements
Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/)

NGE vs Suite B vs CSfC (1)
- NGE is a super-set of Suite B
  - Includes older, transitional ciphers as well as Suite B compliant and stronger ciphers
- Suite B is a consistent and specific implementation of cryptographic ciphers
- CSfC is a layered architecture of Suite B compliant COTS equipment
[Figure: NGE (Cisco), Suite B (NSA), CSfC (NSA)]

NGE vs Suite B vs CSfC (2)
- Therefore Suite B = NGE but NGE > Suite B
- CSfC = two compliant layers of Suite B
- Customers can deploy Suite B and be compliant with CNSSP-15 and not require a CSfC Architecture
- Customers that are tasked with protecting CLASSIFIED material must adhere to the CSfC requirements
[Figure: NGE (Cisco), Suite B (NSA), CSfC (NSA)]

Manufacturer Diversity Requirement
- CSfC layered solutions with a single vendor are now permitted under certain conditions
- The manufacturer must document the similarities and differences between the two products, including: cryptographic HW components, SW code base (i.e. operating system), software cryptographic libraries, and development teams
- NSA will review the information of solutions and determine if they meet the requirements for independent layers
- Cisco's variation of OSs across certain platforms is targeting this single-vendor solution that is compliant with the CSfC guidelines

"The manufacturer diversity requirement for CSfC layered solutions has been modified to permit, subject to certain conditions, single-manufacturer implementations of both layers."

Cisco as the Single Vendor Multi-Platform for CSfC
- Allows Cisco ASA to be used as an Inner or Outer VPN Gateway when paired with an approved IOS/IOS-XE VPN router

CSfC Use-Cases

Some Quick Terminology
- CSfC: Commercial Solutions for Classified, an NSA-sponsored program
- Red Network: Red Data consists of unencrypted classified data including Voice and Video
- Gray Network: Gray Data consists of classified data (including Voice/Video) that has been encrypted once (TLS/SRTP/IPSec)
- Black Network: Black Data consists of classified data (including Voice/Video) that has been encrypted twice (typically but not limited to IPSec)

CSfC VPN Compatibility Package

CSfC Site-to-Site VPN
[Figure legend: Solution Boundary; Outer IPSec Tunnel (2nd encryption); Inner IPSec Tunnel (1st encryption); Customer Traffic (unencrypted)]
* SECRET requires mLoS 128
** TOP SECRET requires mLoS 192
Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/)

CSfC Multiple Security Levels
[Figure legend: Solution Boundary; Outer IPSec Tunnel (2nd encryption); Inner IPSec Tunnel (1st encryption); Customer Traffic (unencrypted)]
* SECRET requires mLoS 128
** TOP SECRET requires mLoS 192
Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/)

CSfC Client-to-Site (Remote Access)
[Figure legend: Solution Boundary; Outer IPSec Tunnel (2nd encryption); Inner IPSec Tunnel (1st encryption); Customer Traffic (unencrypted)]
* SECRET requires mLoS 128
** TOP SECRET requires mLoS 192
Source: CSfC Website (http://www.nsa.gov/ia/programs/csfc_program/)

Cisco NGE Innovation Focus Areas
- Optical Encryption
- MACSec

Foundations of High Speed Crypto
OSI Layers:
- Layer 3: IPSec Encryption
  - Cisco Product Lines: ISRs, ASR1K, ASR9K
- Layer 2: 802.1AE (aka MACSec) Ethernet Encryption
  - Cisco Product Lines: Cat 2k, 3K, 4K, 6K; Nexus 7K; ISRNG, ASR1K, ASR9K
- Layer 1: OTN Encryption
  - Cisco Product Lines: ONS 15454

DWDM Encryption Architecture
- Key exchange over OTU2 GCC
- OTU2 Payload Encrypted with 256-bit AES
[Figure: Ethernet, Fibre Channel and OTN on each side of the DWDM wavelength(s), with 256 bit AES]

Why MACSec in the WAN?
- Ethernet services have moved beyond the campus
- Ethernet is growing rapidly as a WAN/Metro wire-line transport service
- WAN/Metro SP offerings are replacing existing T1, ATM/FR, and SONET OC-x with Ethernet
- Ethernet services apply to:
  - WAN links for core, edge, remote branch back-haul
  - PE-CE backhaul
  - Metro-E service hand-offs (E-LINE, E-LAN, E-TREE)
- Current IPSec encryption rates cannot run line-rate, for all packet sizes beyond 40Gbps
- Cisco's goal is to integrate MACsec as part of new Ethernet interface/LC development moving forward

Confidentiality and Integrity: 802.1AE based Encryption
- MACSec provides Layer-2 hop-by-hop encryption and integrity, based on IEEE 802.1AE standard
- 128bit AES-GCM (Galois/Counter Mode), NIST Approved
- Line-rate Encryption/Decryption for 1/10/40/100GbE interfaces
- Replay protection of each and every frame
- 802.1AE encryption to protect CMD field (SGT value)

Customer Benefits
- Protects against man-in-the-middle attacks (snooping, tampering, replay)
- Standards-based frame format and algorithm (AES-GCM)
- 802.1X-2010/MKA addition supports per-device security associations in shared media environments (e.g. PC vs. IP Phone) to provide secured communication
- Network service amenable hop-by-hop approach compared to end-to-end approach (e.g. Microsoft Domain Isolation/virtualization)

802.1AE (MACSec) Tagging
- Frames are encrypted and protected with an integrity check value (ICV)
- MACSec Ethertype is 0x88e5
- No impact to IP MTU/Fragmentation
- L2 Frame MTU Impact*: ~ 40 bytes = less than baby giant frame (~1600 bytes with 1552 bytes MTU)

TrustSec Frame Format:
DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | E-Type | Payload | ICV | CRC

802.1AE Header:
MACSec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)

[Figure: brackets mark the Encrypted and the Authenticated portions of the frame]
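A parser for the 802.1AE header laid out above, as an added example (not code from the presentation). It assumes a frame captured without the trailing CRC and the default 16-byte ICV; the sample frame is constructed, and the validation rules are the standard SecTAG sanity checks rather than anything Cisco-specific.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5    # EtherType given on the slide
ICV_LEN = 16                 # assumption: default ICV length of the AES-GCM suites
MIN_NON_SHORT_LEN = 48       # shorter secure data must be declared in SL
# Bit layout of the TCI/AN octet: V ES SC SCB E C AN AN
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C, AN_MASK = (
    0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x03)


class MacsecError(ValueError):
    """Raised when a frame fails SecTAG validation."""


@dataclass
class SecTag:
    an: int                  # association number: which SA key is in use
    encrypted: bool          # E bit: payload encrypted, not only authenticated
    short_length: int        # SL: 0, or exact secure-data length when < 48
    packet_number: int       # PN: per-frame counter behind replay protection
    sci: Optional[bytes]     # 8-byte secure channel identifier, if present
    overhead: int            # bytes added by SecTAG + ICV (CMD not included)


def parse_macsec(frame: bytes) -> SecTag:
    """Parse and validate the SecTAG that follows DMAC and SMAC."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise MacsecError("frame too short for SecTAG and ICV")
    ethertype, tci_an, sl, pn = struct.unpack_from("!HBBI", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        raise MacsecError(f"not MACsec: EtherType 0x{ethertype:04x}")
    if tci_an & TCI_V:
        raise MacsecError("version bit set")
    if tci_an & (TCI_ES | TCI_SCB) and tci_an & TCI_SC:
        raise MacsecError("ES/SCB set together with SC")
    if sl & 0xC0:
        raise MacsecError("reserved SL bits set")
    if pn == 0:
        raise MacsecError("PN 0 is invalid with 32-bit packet numbers")
    has_sci = bool(tci_an & TCI_SC)
    sectag_len = 8 + (8 if has_sci else 0)
    data_len = len(frame) - 12 - sectag_len - ICV_LEN
    length_ok = data_len == sl if sl else data_len >= MIN_NON_SHORT_LEN
    if data_len < 0 or not length_ok:
        raise MacsecError("secure data length inconsistent with SL")
    sci = frame[20:28] if has_sci else None
    return SecTag(tci_an & AN_MASK, bool(tci_an & TCI_E), sl, pn, sci,
                  sectag_len + ICV_LEN)


def replay_ok(pn: int, next_pn: int, window: int = 0) -> bool:
    """Accept a frame only if its PN is not below the lowest acceptable PN."""
    return pn >= max(next_pn - window, 1)


def sample_frame() -> bytes:
    """Constructed frame: dummy MACs, SC+E+C set, AN 0, PN 1, 48-byte payload."""
    dmac, smac = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, TCI_SC | TCI_E | TCI_C, 0, 1)
    sci = smac + struct.pack("!H", 1)          # SCI = source MAC + port id
    return dmac + smac + sectag + sci + bytes(48) + bytes(ICV_LEN)


if __name__ == "__main__":
    print(parse_macsec(sample_frame()))
    print("replayed PN 1 accepted?", replay_ok(1, next_pn=2))
```

With the optional SCI present, the SecTAG and ICV add 32 bytes; the slide's figure of about 40 bytes also counts the CMD field carried inside the protected portion of the frame.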

NGE and Cisco VPNs

VPN Review
The players in large, multi-site VPN deployments:
- Site-to-site (S2S)
- Dynamic Multipoint VPN (DMVPN)
- Group Encrypted Transport VPN (GETVPN)
- FlexVPN

DMVPN Deployment Scenario

DMVPN Benefits (1)
Cisco IOS DMVPN provides the following benefits:
- Dynamic Routing over VPN: EIGRP, OSPF, and BGP
- Reduced Configuration Overhead
  - No crypto maps tied to the physical interface
  - For a 1000-site deployment, DMVPN reduces the hub from 3900 lines to 13 lines
  - Adding new spokes to the VPN requires no changes at the hub
  - Centralized configuration change at the hub controls the split tunneling behavior
- Zero-Touch Deployment: Easy Secure Device Deployment
  - Devices can be bootstrapped remotely, no extensive staging operations
- Dynamic Spoke-to-Spoke Tunnels
  - Reduces latency
  - Improves scalability

DMVPN Benefits (2)
Cisco IOS DMVPN provides the following benefits:
- Dynamic Addressing for Spoke Routers: think cable/DSL connections
- Network Address Translation (NAT) Traversal: DMVPN routers can be behind NAT
- IP Multicast Support: between hub and spokes
- QoS Support: hub to spoke (or spoke group)
- High Availability: two or more hubs
- Scalability: additional hubs and/or hierarchical hubs
- VRF Awareness: allows separation of customer traffic
- Multiprotocol Label Switching (MPLS) Support (2547oDMVPN): MPLS networks can be encrypted over DMVPN tunnels

GETVPN Deployment Scenario

GETVPN Benefits
Cisco IOS GETVPN provides the following benefits:
- Native any-to-any mesh topology
- For Multiprotocol Label Switching (MPLS) networks, maintains network intelligence (such as full-mesh connectivity, natural routing path, and QoS)
- Grants easy membership control with centralized key servers
- Direct site-to-site communications: low latency
- IP Address Preservation: original outer IP header
  - Enables features like QoS and Multicast in the core

FlexVPN Deployment Scenario

FlexVPN Benefits (1)
Cisco IOS FlexVPN is a unified VPN solution and provides the following benefits:
- Transport network: Public internet or a private MPLS network
- Deployment style: S2S and remote access VPNs
- Failover redundancy:
  - Dynamic routing protocols (OSPF, EIGRP and BGP)
  - IKEv2-based dynamic route distribution and server clustering
  - IPSec/IKEv2 active/standby stateful failover between two chassis (available in the future)
- Third-party compatibility: Compatible with any IKEv2-based third-party VPN vendors

FlexVPN Benefits (2)
Cisco IOS FlexVPN is a unified VPN solution and provides the following benefits:
- IP Multicast support: At the hub or in the transport network (future)
- Centralized policy control: Use of AAA/RADIUS server on a per-peer basis
- VRF awareness: integration with MPLS VPN networks
- Works with all previous IPsec VPNs
- Can use GRE over IPsec or VTI as encapsulation
- IPv4 and IPv6 capable

FlexVPN Benefits (3)
Cisco IOS FlexVPN is a unified VPN solution and provides the following benefits:
- Multiple simultaneous functionalities
- Uses virtual interfaces: allows per-spoke features like firewall, QoS, ACLs, etc.
- Remote access server and client (software and hardware): similar to EZVPN
- Dynamic spoke to spoke tunnels: similar to DMVPN
- Ease of configuration by using defaults
- Based on IKEv2: Improves many aspects of negotiation and protocol stability

IKEv2 Benefits
- Uses less bandwidth than IKEv1
- Supports EAP authentication (not standard in IKEv1)
- Supports Mobile IKE (MOBIKE)
  - Changing IP addresses
- Built-in NAT traversal
- Can detect whether a tunnel is still alive
- Anti-DOS

VPN Technology Comparison
Columns: Features, DMVPN, GETVPN, FlexVPN
- 3rd Party Compatibility: x
- AAA attributes support: x
- Dynamically addressed spoke: x x x
- Dynamic Routing: x x x
- Dynamic Spoke to Spoke tunnel: x x x
- IKEv2: x x
- Public Transport: x x
- IPv6: x x x
- IP Multicast: x x x
- NAT: x x
- Non-IP:
- QoS: x x x
- VRF: x x x

FlexVPN Cisco Platforms
- 800-Series Routers
- 1900-Series ISRs (G2)
- 2900-Series ISRs (G2)
- 3900-Series ISRs (G2)
- 4400-Series ISRs
- 1000-Series ASRs

Wrap-Up

NGE and CSfC Summary
- Cisco has many products that can satisfy all current CSfC CPs
- NGE/Suite B impacts all Federal customers (CNSSP-15)
- Cisco is actively engaging with the Program office to add more products
- CSfC requirements are Customer led, not Vendor led
- Customers should contact [email protected] for specific Mission requirements that fall outside the Capability Packages
