Lancope and Cisco ASA for Advanced Security

Post on 18-Nov-2014


DESCRIPTION

By collecting and analyzing data from Cisco ASA with Lancope's StealthWatch System, organizations can:

• Increase visibility and security context at the network edge

• Consume and stitch together NAT data to more accurately pinpoint the source of issues such as MPAA/RIAA copyright infringement notices

• Audit firewall rules through flow analysis

• Achieve better performance and scalability for network and security monitoring

• Save vast amounts of time and money spent correlating data points from various sources

• More confidently demonstrate compliance with regulations such as PCI

TRANSCRIPT

Lancope and Cisco ASA for Advanced Security Context

Agenda

The need for more information and context

– The Cyber Threat Defense

What is NSEL?

How NSEL and StealthWatch work together

Examples

Summary

Cyber Threat Defense Solution

(Diagram: devices and the internal network feeding flow and context data into StealthWatch)

Visibility, Context, and Control

– Use NetFlow data to extend visibility to the access layer

– Unify into a single pane of glass for detection, investigation and reporting

– Enrich flow data with identity, events and application to create context: who, what, where, when, how

Context sources shown: hardware-enabled NetFlow switch, Cisco ISE (identity), Cisco ISR G2 + NBAR (application), Cisco ASA + NSEL (firewall events)

What is NSEL?

NetFlow Security Event Logging

Provides visibility into policy enforcement points: every connection the ASA permits, tears down or denies is reported as an event

Created as an efficient event reporting mechanism, compared with the traditional alternative:

– Syslog (traditional firewall event reporting mechanism)

Verbose, text based, single event per packet

~30% processing overhead

– NetFlow (NSEL)

Compact, binary, multiple events per packet

~7-10% processing overhead

NSEL Implementation Details

Cisco NSEL deviates slightly from standard NetFlow:

– An NSEL flow is bidirectional (standard NetFlow flows are unidirectional and per interface)

– An NSEL flow is equivalent to an ASA connection

– NSEL events are generated per ASA connection

Event based: records were originally generated only on the three connection status events

– From ASA 8.4(5), flow update events are also generated on an activity timer for long-lived connections

– Denied connections also generate NSEL records

NSEL records are issued for the following events:

– Flow creation: issued for every flow that is created

– Flow teardown: issued for every successfully created flow when it ends

– Flow denial: issued when a flow is denied by an ACL
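The export side of what the slides describe, as an added example and not a configuration taken from the original deck: an ASA policy that sends all NSEL event types to a StealthWatch FlowCollector. The collector address 10.1.1.50, the interface name inside, UDP port 2055 and the ACL, class-map and policy-map names are assumptions for this example; the commands themselves are the ASA flow-export commands.

```cisco
! Collector address, interface and port are assumptions for this example
flow-export destination inside 10.1.1.50 2055
! Re-send the NetFlow v9 templates every minute so a restarted collector
! can decode records again without waiting
flow-export template timeout-rate 1
! Hold flow-create for 15 s: connections that end sooner export only a
! teardown record instead of a create + teardown pair
flow-export delay flow-create 15
! ASA 8.4(5) and later: flow-update events for long-lived connections
! every minute, so a multi-hour transfer is visible before it tears down
flow-export active refresh-interval 1

! Select the connections to export (here: every connection the ASA sees)
access-list flow_export_acl extended permit ip any any
class-map flow_export_class
  match access-list flow_export_acl
policy-map global_policy
  class flow_export_class
    flow-export event-type all destination 10.1.1.50
service-policy global_policy global

! Once NSEL carries the connection events, suppress the syslog messages
! that duplicate them (302013-302018, 106015, 106023 and others) to shed
! the syslog overhead the slides quote
logging flow-export-syslogs disable
```

Verify with `show flow-export counters` that records are leaving and that the destination error counters stay at zero. NSEL is NetFlow v9 over UDP with no authentication or encryption, so keep the collector on an internal interface and restrict which source addresses the collector accepts. `logging flow-export-syslogs disable` removes only the syslogs NSEL duplicates, but anything at the syslog server that keyed on those message IDs will stop seeing them.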

How NSEL works

(Three diagram slides, one per event: Flow Created, Flow Tear Down and Flow Denied. In each, a client connects through the Cisco ASA to a server; the ASA exports an NSEL record for the event to the StealthWatch FlowCollector, and the StealthWatch Management Console presents the result.)

Flow Action

StealthWatch defines the NSEL flow event field as a Flow Action

Can provide additional context

– Identity

– Device Type

– Application Data

Flow Denied Events

Useful inspection point: a denied flow is a connection attempt the ASA refused, so it is recorded even though no traffic crossed the firewall

Identify suspicious activity (for example, one inside host repeatedly denied against many ports or destinations)

Flow Action as part of Concern Index

Concern Index points are accumulated for Flow Denied events

NAT Stitching

Pre and post NAT stitching inside StealthWatch: NSEL records carry both the original and the translated addresses and ports, so a flow is shown once with its inside and outside identity instead of as two unrelated records

Decrease investigation time
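What the Concern Index accumulation for Flow Denied events and the NAT stitching described above amount to once NSEL records have been decoded, as an added example in Python and not Lancope or StealthWatch code. The record layout, the sample records, the flat one-point-per-denial scoring and the two-minute slack are this example's own assumptions; the NF_F_FW_EVENT values 1, 2, 3 and 5 are the ones Cisco documents for NSEL.

```python
# Added example (not Lancope/StealthWatch code): scoring Flow Denied events per
# inside host, and answering "which inside host was public IP:port at time T?"
# from the pre- and post-NAT fields of NSEL create/teardown records.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# NF_F_FW_EVENT values as documented by Cisco for NSEL
FLOW_CREATED, FLOW_DELETED, FLOW_DENIED, FLOW_UPDATE = 1, 2, 3, 5


@dataclass(frozen=True)
class NselRecord:          # field names are this example's own, mirroring NSEL
    ts: datetime           # event time
    event: int             # NF_F_FW_EVENT
    src: str               # pre-NAT (inside) source address
    src_port: int
    dst: str
    dst_port: int
    proto: int             # 6 = TCP, 17 = UDP
    xlate_src: Optional[str] = None       # post-NAT source address
    xlate_src_port: Optional[int] = None  # post-NAT source port


def at(hour: int, minute: int) -> datetime:
    """Timestamp on the (constructed) day of the sample data."""
    return datetime(2014, 11, 18, hour, minute, tzinfo=timezone.utc)


def flow(ts, event, src, sport, dst, dport, xsrc=None, xport=None) -> NselRecord:
    return NselRecord(ts, event, src, sport, dst, dport, 6, xsrc, xport)


# Constructed sample: two inside hosts that, an hour apart, are given the same
# PAT port 40001 on outside address 203.0.113.10, plus one inside host that an
# ACL repeatedly denies while it probes a server.
SAMPLE = [
    flow(at(10, 0), FLOW_CREATED, "10.1.2.34", 51000, "198.51.100.7", 6881, "203.0.113.10", 40001),
    flow(at(10, 12), FLOW_DELETED, "10.1.2.34", 51000, "198.51.100.7", 6881, "203.0.113.10", 40001),
    flow(at(11, 0), FLOW_CREATED, "10.1.2.99", 52222, "192.0.2.80", 443, "203.0.113.10", 40001),
    flow(at(11, 3), FLOW_DELETED, "10.1.2.99", 52222, "192.0.2.80", 443, "203.0.113.10", 40001),
    flow(at(10, 30), FLOW_DENIED, "10.1.2.34", 53001, "10.9.0.1", 445),
] + [
    flow(at(10, 31), FLOW_DENIED, "10.1.2.50", 40000 + i, "10.9.0.1", port)
    for i, port in enumerate((22, 23, 135, 139, 445, 3389))
]


def denied_flow_concern(records, threshold=5):
    """One point per Flow Denied record, summed per inside source (a flat
    stand-in for StealthWatch's weighted Concern Index). Returns the sources
    at or above `threshold` as {src: (points, distinct target ports)}."""
    points = defaultdict(int)
    ports = defaultdict(set)
    for r in records:
        if r.event == FLOW_DENIED:
            points[r.src] += 1
            ports[r.src].add(r.dst_port)
    return {s: (p, len(ports[s])) for s, p in points.items() if p >= threshold}


def stitch_nat(records, public_ip, public_port, when, slack=timedelta(minutes=2)):
    """Find the inside host behind public_ip:public_port at time `when` using
    the Flow Created record that carries the translation and the matching
    Flow Deleted record that ends it. PAT ports are reused, so a candidate
    is matched on its lifetime, not just on the port. An open flow (no
    teardown collected yet) matches from its creation onward.
    Returns (inside address, inside port, dst address, dst port) or None."""
    def key(r):
        return (r.src, r.src_port, r.dst, r.dst_port, r.proto)

    ends = defaultdict(list)
    for r in records:
        if r.event == FLOW_DELETED:
            ends[key(r)].append(r.ts)
    for r in records:
        if r.event != FLOW_CREATED or (r.xlate_src, r.xlate_src_port) != (public_ip, public_port):
            continue
        end = min((t for t in ends[key(r)] if t >= r.ts), default=None)
        # The ASA may delay the create event (flow-export delay flow-create),
        # hence `slack` on both edges of the lifetime.
        if r.ts - slack <= when and (end is None or when <= end + slack):
            return (r.src, r.src_port, r.dst, r.dst_port)
    return None


if __name__ == "__main__":
    print(denied_flow_concern(SAMPLE))
    print(stitch_nat(SAMPLE, "203.0.113.10", 40001, at(10, 5)))
```

A copyright notice that names 203.0.113.10:40001 at 10:05 resolves to 10.1.2.34 and its connection to 198.51.100.7:6881, while the same public port at 11:01 resolves to a different host; without the teardown record the lookup would have to report both candidates, which is why the teardown events are worth collecting even though they carry no new addresses.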

Examples

RIAA notices

PCI Compliance

Firewall rule auditing

Tracking down outbound attacks

Better scalability and performance

Summary

Provides Flow and Event Visibility and Context

Reports details of a flow and associated events

Provides Threat Visibility and Context

Single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting

(Diagram: Cisco ASA + NSEL exporting to the StealthWatch FlowCollector, reported through the StealthWatch Management Console)

Thank you!!

Get Engaged with Lancope

Follow us at @Lancope and @NetFlowNinjas

Subscribe to Lancope updates at http://feeds.feedburner.com/NetflowNinjas

Attend complimentary NetFlow 101 Seminars

http://www.lancope.com/news-events/university-of-netflow/

Join NetFlow Ninjas http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about

Access StealthLabs Intelligence Center (SLIC) Reports

http://lancope.com/SLIC

Download “NetFlow Security Monitoring for Dummies”

http://www.lancope.com/netflow-for-dummies/

© 2012 Lancope, Inc. All rights reserved.

Please email sales@lancope.com or
