borderless networks security visions - cisco · complete web security malware, acceptable use,...

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Marcello Masarati

Borderless Networks Security Architecture Vision


Post on 19-Aug-2020




Traditional Corporate Border

Corporate Border

Branch Office

Applications and Data

Corporate Office

Policy

Attackers, Customers, Partners


Mobility and Collaboration Is Dissolving the Internet Border

Corporate Border

Branch Office

Applications and Data

Corporate Office

Policy

Attackers Customers

Home Office

Coffee Shop

Airport

Mobile User Partners


Cloud Computing Is Dissolving the Data Center Border

Corporate Border

Branch Office

Applications and Data

Corporate Office

Policy

Attackers

Home Office

Coffee Shop

Customers

Airport

Mobile User Partners

Platform as a Service

Infrastructure as a Service

X as a Service

Software as a Service


Customers Want Business Without Borders

Corporate Border

Branch Office

Applications and Data

Corporate Office

Policy

Attackers

Home Office

Coffee Shop

Customers

Airport

Mobile User Partners

Platform as a Service

Infrastructure as a Service

X as a Service

Software as a Service


Service dedicated to checking if a malware executable is detectable by AV engines

Criminal SaaS Offerings Expand


Borderless Security Architecture Vision


Mobility: The Next Computing Cycle

Mini PC Networked PC Internet PC Mobile Internet

1960s 1980s 1990s 2000s 2010s

Productivity


Optimized Energy Use, Automated Office Control

New Video-based Experiences

Context-Based Services: Equipment Tracking, Trigger Digital Signage or Voice Services

Borderless Experiences

Always Connected: Wired/Wireless Access Anytime, Anywhere from Any Device


Borderless Experience

Anyone, Anything

Anytime, Anywhere

Employee, Partner, Customer Communities

Always Works, Instant Access, Instant Response

The New Borderless Organization

Work, Home, On the Go…

Person to Person, Person to Device, Device to Device

Securely, Reliably and Seamlessly


New Innovations: Architecture for Agile Delivery of the Borderless Experience

Borderless Networks

Infrastructure

Borderless End-Point/User Services

Mobility

Workplace Experience

Video

AnyConnect

Borderless Network Services

Security: TrustSec

Performance

Mobility

Video: Medianet

Green: EnergyWise

Borderless Management and Policy


Borderless Data Center 3

Borderless Internet 2

Borderless End Zones 1

Cisco’s Architecture for Borderless Network Security

Policy

Corporate Border

Branch Office

Applications and Data

Corporate Office

Policy (Access Control, Acceptable Use, Malware, Data Security) 4

Home Office

Attackers

Coffee Shop

Customers

Airport

Mobile User Partners

Platform as a Service

Infrastructure as a Service

X as a Service

Software as a Service


Intelligent End Point Traffic Routing

Pillar 1: Borderless End Zone

Persistent Connectivity

Always On, Location Aware

Auto Head-end Discovery

IPsec, SSL VPN, DTLS

Advanced Security

Strong Authentication

Fast, Accurate Protection

Consistent Enforcement

Broadest Coverage

Most OS’s and Protocols

Windows Mobile

Apple iPhone


Choice: Diverse Endpoint Support for Greater Flexibility

Security: Rich, Granular Security Integrated Into the Network

Experience: Always-on Intelligent Connection for Seamless Experience and Performance

Cisco AnyConnect Secure Mobility Web Security with Next Generation Remote Access

Acceptable Use

Access Control

Intranet

Corporate File Sharing

Access Granted

Data Loss Prevention

Threat Prevention


AnyConnect Secure Mobility Solution Overview

Next Generation Remote Access: "It just works"

Broad device support

Complete Web Security: Malware, Acceptable Use, Access Control, and Data Security

Cisco IronPort Web Security Appliance

Cisco AnyConnect 1 2

NEW

Cisco Web Security Appliance

Information Sharing Between ASA Firewall and Web Security Appliance

Corporate AD

ASA

AnyConnect

News

Web-Based Email

Social Networking

Enterprise SaaS

Combined Solution: Seamless Access and Security


Do I Have a Consistent Access Policy Architecture Across My Network for all Users and Devices?

"Guest" Access Policy

IT Devices Changed Manually

Consultant for a Project

Cisco TrustSec: Guest Access Made Easy


Infrastructure Components

Endpoint Components

Policy and Security Components

NAC Client

802.1X Supplicant

NAC Manager, Server, Profiler, Guest Server

Access Control System

Cisco® Catalyst® and Nexus® Switches

Announcing: Cisco TrustSec

Identity-aware Networking

NEW

Policy-based Access Control

Data Integrity and Confidentiality

Future

AnyConnect


Use Case: TrustSec in a Conference Room

Devices

Tools

Internet

Internal Data and Resources

Users Network

Authentication, Authorization, Device Profiling

Employees, Contractors, Guests


Pillar 2: Borderless Security Array

Advanced Scanning and Enforcement Capabilities

Access Control | Acceptable Use | Data Security | Threat Protection

Integrated into the Fabric of the Network

Cisco IronPort Email Security Appliance

Cisco Adaptive Security Appliance

Cisco Integrated Services Routers

Cisco IronPort Web Security Appliance

VM Software Security Module Hybrid Hosted Appliance


App Server

Database Server

Web Server

Physical Security Device

Virtual Contexts

Pillar 3: Secure Virtualized Data Center

App Server

Database Server

Web Server

Hypervisor

Physical Security Device

Virtual Contexts

VIRTUAL SECURITY

App Server

Database Server

Web Server

Hypervisor

1 Secure Physical Infrastructure

2 Connect Physical Security to Virtual Machines with Cisco’s SIA

3 Embed Security in the Virtual Switch

Service Chaining


Pillar 4: Rich Policy Enables “Ubiquitous”, Consistent Control

Who? What? When? Where? How?

3 Policy On and Off Premise

2 Dynamic Containment Policy

1 Access Policy


Cisco Security Intelligence Operations Overview


Cisco Security Intelligence Operations: Three Defense Pillars

Threat Operations Center

Dynamic Updates

SensorBase

Comprehensive Threat Intelligence

Researchers and Automated Analysis

Real-Time Updates and Best Practices


Threat Intelligence Benefits

SensorBase

700,000+ global sensors

Historical library of 40,000 threats

30% of global email and web traffic

500 third-party feeds, 100 news feeds, open source and vendor partnerships

360 degree dynamic threat visibility

Understanding of vulnerabilities and exploit technologies

Visibility into highest threat vehicles

Latest attack trends and techniques

Over 1000 servers process over 500GB of threat data per day

Depth of Coverage


Threat Operations Center

Researchers and Analysts Benefits

Network security best practices and mitigation techniques

Insight into threat trends and future outlook

Quality assurance, reduced false positives

Around-the-clock global coverage

500 analysts and White Hat engineers

80+ PhDs, CCIEs, CISSPs, MCSEs

Human-aided rule creation and QC

Penetration testing, botnet infiltration, malware reverse engineering, vulnerability research

24 x 7 x 365 operations in five centers

95% of Internet languages covered

Security Expertise


Dynamic Updates

Updates Benefits

Automated Defense

Automated updates delivered to Cisco security devices every 3–5 minutes

Reputation updates for real-time protection

Reduces exposure window

Minimizes security management overhead

Cisco Security Intelligence Operations


Advanced, Proactive Threat Protection: Cisco Security Intelligence Operations

Global Threat Telemetry

8:03 GMT Sensor Detects Hacker Probing

Bank Branch in Chicago

Ad Agency HQ in London

ISP Datacenter in Moscow

8:00 GMT Sensor Detects New Malware

8:07 GMT Sensor Detects New Botnet

8:10 GMT All Cisco Customers Protected

Cisco SensorBase

Threat Operations Center

Advanced Algorithms


Higher Threat Coverage, Greater Accuracy, Proactive Protection


Products and Services

Latest Announcements


Introducing: Cisco Integrated Services Router Generation 2

Performance, Scalability, Availability

3925, 3945

Enhancing the Borderless Experience

Virtual Office

Secure Mobility

Secure Collaboration

Scalable Rich-Media Services

2901, 2911, 2921, 2951

860, 880, 890

1941, 1941W

Customizable Applications


NEW Intelligent Secure Access Fixed Switching Solutions

Addressing Business Transformation

Business Continuity

Business Agility

Converged Services

Intelligent Services

Evolves With Your Business

Catalyst 2960-S w/ LAN Base

Catalyst 3K-X w/ IP Base

Catalyst 3K-X w/ LAN Base

Catalyst 3K-X w/ IP Services

Cisco EnergyWise

Reliable Voice, Video Scalable Medianet

Automated Smart Operations Non Stop, Self Preserving

Tailored to Meet Business Needs

New

Threat Intelligence, Role-based Access, Secure Traffic

Entry-Level to Cisco Experience

Catalyst 2960-S w/ LAN Lite


Borderless Security: Building the System

End Zone

Enforcement Points

Security as a Service

Adaptive Security Appliance

IPS with Global Correlation

Hybrid Hosted Email Security

Coming Soon: Hosted Web Security

NAC

AnyConnect

Cisco Security Intelligence Operations

Web Security Gateway

Email Security Gateway

Secure Router

CVO

Switch Security
