Cisco SecureX Architecture

Greg Griessel, Consulting Systems Engineer – Security Solutions

© 2010 Cisco and/or its affiliates. All rights reserved.


• Are you exploring new business models in the cloud?
• Do your employees use their personal smartphones, tablets, PCs or other devices for work?
• Are you protected against vulnerabilities introduced by collaboration tools and social media sites?
• Do you proactively protect your business against the newest threats? How do you cope with zero-day threats?
• What are your compliance needs? Are you meeting them?
• Are you enforcing the same security policies consistently across your organization?
• Are your security operational costs rising with increased security complexity?


BUSINESS IMPERATIVES

Collaboration

SECURITY IMPERATIVES

Threat Defense

Business Agility

Compliance

Operational Efficiency

Any Device


How Do I Secure?

• Any device: tablet, smartphone
• New collaboration and social media applications
• Data moving to the cloud
• Data center and desktop virtualization


Requires a NEW Security Approach


• From piecemeal security approach to architecture-based
• Secure any user device, always on
• From physical structure-based security to secure distributed and virtual environments
• Consistent policy and management for any access: wired, wireless, mobile, remote
• Visibility and compliance: reporting, end-to-end encryption, management

SECURE SYSTEMS: Remote Access, Collaboration, Virtualization, Mobility, Cloud, Zero Day, Encryption

DEVICE FORENSICS AUDIT SERVICE MGMT. DATA GOV. IDENTITY POLICY APIs

DEVICE SECURITY, APPLICATION SECURITY, CONTENT/DATA SECURITY, NETWORK/SYSTEM MANAGEMENT, NETWORK SECURITY

AV, Lock/Wipe, Asset Mgmt, Coding/Hardening, Email, Web Application, Web, Logging, DLP, Monitoring, Firewall, Penetration, Encryption, Alerting, Directories, IDS/IPS, VPN

TRUSTED SYSTEM INFRASTRUCTURE: Physical, Device, Network, Compute, Storage

* Based on common industry models by Gartner, SANS Institute and various customer interviews

[Diagram: Cisco SecureX Architecture. Labels: Context Aware Enforcement (Integrated, Overlay, Cloud); Cisco Infrastructure; Network; Visibility, Context, Control; Nexus 1K and Cloud Connected Network (Secure Virtual and Cloud); TrustSec (Access Control); Context Aware Policy; AnyConnect (Secure Endpoint); Cisco SIO (Threat Intelligence); Application Programming Interfaces; Management, Services, Partners]

• Keep Bad Stuff Out
• Protect the Good Stuff
• Keep Critical Services Running
• Be Compliant
• Provide Visibility: Users, Devices, Activities
• Cost Efficient

REQUIRES AN ARCHITECTURAL APPROACH

Threat Intelligence: SIO

Network Security
• Firewall
• IPS
• VPN
• Security management
• Virtual security
• Security modules

Access Control
• Policy Management
• 802.1x
• NAC
• Posture assessment
• Device profiling
• Identity Services
• Confidentiality

Secure Mobility
• VPN
• Mobile security client
• Wireless IPS
• Remote worker
• Virtual office
• Mobility security

Content Security
• Email Security
• Web Security
• Cloud-based content security services

Secure Cloud and Virtualization

Global, Sophisticated Threats

KOOBFACE

RISK: SEVERE

Microsoft Update Malware

RISK: SEVERE

Haiti Earthquake Scam Email

RISK: MEDIUM

CHALLENGE
• Highly Sophisticated Blended Threats - No One Looks Like Another
• Undetected Malware Disables Security, Steals Data, Enables Remote System Access
• Signature and Local Data-Based Detection Limit Protection

Global Visibility SIO

[Diagram labels: GLOBAL INTELLIGENCE; Researchers, Analysts, Developers; ISPs, Partners, Sensors; Applied Mitigation Bulletins; IPS, ASA, ESA, WSA, Cisco AnyConnect]

CISCO SOLUTION
• Largest Threat Analysis System - Blended Threat Protection
• 700K+ Global Sensors
• 5 Billion Web Requests/Day
• 35% Of Global Email Traffic
• Reputation, Spam, Malware and Web Category Analysis, and Applications Classification
• Endpoint Threat Telemetry

External and Internal Threats

[Diagram labels: Internal Threats; External Threats; Botnets; Malware]

CHALLENGE
• Scaling Performance Requirements and Providing Timely Updates
• Lacking Global Context and Intelligence About Blended Threats to Deliver Enforcement
• Poor Coordination Between Security Devices and Network

Threat Protection

[Diagram labels: Context Aware Policy (WHO, WHAT, WHERE, WHEN, HOW); IPS, ASA, WSA, ESA; NETWORK]

CISCO SOLUTION
• Full Solution: Firewalls, IPS, Cloud-Driven Web and Email Security
• Context-Aware Policy Better Aligns with Business Security Needs
• Ease of Deployment and Distributed Enforcement

462 million

CHALLENGE
• Highly Mobile Workers Require Access to Network and Cloud Services
• Variety of User-Owned Devices Blend User and Corporate Profiles
• Device Loss/Theft – highest risk of Corporate Data Loss, and Compliance Breach

Any User, Any Device Support

[Diagram labels: Cisco AnyConnect; Access Switches; ISR; ASA; WSA; Internal, Cloud & Social Applications]

CISCO SOLUTION
• Industry’s only Unified Client Solution; Always On Security
• Broad Device Support: Windows XP/7, Mac OS X, Linux, Apple iOS (iPhone & iPad), Nokia Symbian, webOS, Windows Mobile, Android* (soon)
• Secure Connectivity, End-to-End Encryption With MACsec, Hybrid Web Security

Access From Any Device

[Diagram labels: PUB; OFFICE]

CHALLENGE
• Identity-Aware and Role-Based Access Control, Guest Access
• Policy Enforcement From Any User Device to Data Center
• Network-Wide Confidentiality Protection

Access Control

[Diagram labels: WHO, WHAT, WHERE, WHEN, HOW; Virtual Machines; DC; VPN; MACsec; Data Center; DENIED; ALLOWED]

POSTURE-BASED PERMISSIONS
1. Permit/Deny based on policy
2. Authorized devices tagged with policy
3. Policy tags enforced by the network

CISCO SOLUTION
• Consistent Identity-Aware Policy from Any Device to Data Center – Based on Business Needs
• Policy Distribution and Intelligence Through the Network
• Security Group Tagging Scales Context-Aware Enforcement

[Diagram labels: SaaS; HQ; Branch; Internet; Data Center; Remote Worker]

CHALLENGE
• Limited IT and Security Resources in Branch, Cost Multiplier
• SaaS and Cloud Drive Split Tunnel and Introduce New Security Challenges
• Compliance Requirements

[Diagram labels: HQ; Full Branch Security Features; Best ROI (Replicable); Security + Application Optimization; ISR G2]

CISCO SOLUTION
• VPN (IPsec, GET VPN, DMVPN, SSL), FW, IPS, ScanSafe client
• Best ROI (simplicity, consistency, integrated), Cost savings and performance from split tunneling
• WAN optimization, Wireless LAN/WAN, Ethernet Switch, Integrated Server

CHALLENGE
• New Security Blind Spots, and Lack of Cloud Visibility
• Unfamiliar with New Technologies and Lack of Consistency
• Significant Scaling Demands

[Diagram labels: SECURE HYBRID CLOUDS; SECURE PRIVATE CLOUDS; SECURE PUBLIC CLOUDS; Virtual Security Gateway; Nexus 1000v; ASA 5585-X & ASA-SM; IPS Sensors]

CISCO SOLUTION
• High-Performance Security Solutions Optimized for the Data Center
• Unified Security for Physical and Virtual Environments; Granular Zone-Based, Context Aware Policy
• Policy Traversal, Secure Application Traversal, vMotion Aware, Secure VM Segmentation, Secure Cloud Segmentation

• Pervasive Network Visibility and Control
• Network Integration Delivers Scalable Security from Endpoints to Data Center
• Security Intelligence (SIO) Protects Against Next Generation of Threats
• Industry’s Richest, Most Innovative Security Portfolio and Professional Services
• Consistent Enforcement of Context-aware Policy

• Assess Your Security Status Based on the 7 Security Questions
• Learn More About Cisco Security Solutions from a Cisco Security Expert
• Perform a Security Assessment with Cisco or a Cisco Partner

• Are you exploring new business models in the cloud?
• Do your employees use their personal smartphones, tablets, PCs or other devices for work?
• Are you protected against vulnerabilities introduced by collaboration tools and social media sites?
• Do you proactively protect your business against the newest threats? How do you cope with zero-day threats?
• What are your compliance needs? Are you meeting them?
• Are you enforcing the same security policies consistently across your organization?
• Are your security operational costs rising with increased security complexity?

Thank you.
