© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Marcello Masarati
Borderless Networks Security Architecture Vision
Traditional Corporate Border
[Diagram: the Corporate Border encloses the Corporate Office, a Branch Office, Applications and Data, and Policy; Attackers, Customers and Partners sit outside it]
Mobility and Collaboration Is Dissolving the Internet Border
[Diagram: the same Corporate Border (Corporate Office, Branch Office, Applications and Data, Policy), now with users at a Home Office, a Coffee Shop, an Airport and Mobile Users connecting from outside it, alongside Attackers, Customers and Partners]
Cloud Computing Is Dissolving the Data Center Border
[Diagram: as before, with Applications and Data now also hosted outside the Corporate Border as Software as a Service, Platform as a Service, Infrastructure as a Service and X as a Service]
Customers Want Business Without Borders
[Diagram: the dissolved border again: Corporate Office, Branch Office, Applications and Data and Policy inside; Home Office, Coffee Shop, Airport, Mobile Users, Partners, Customers, Attackers and the SaaS/PaaS/IaaS/XaaS providers outside]
Criminal SaaS Offerings Expand
[Screenshot: a service dedicated to checking whether a malware executable is detectable by AV engines]
Borderless Security Architecture Vision
Mobility: The Next Computing Cycle
[Chart: computing cycles by decade from the 1960s to the 2010s (Mini PC, Networked PC, Internet PC, Mobile Internet), plotted against Productivity]
Borderless Experiences: Always Connected, Wired/Wireless Access Anytime, Anywhere from Any Device
Optimized Energy Use, Automated Office Control
New Video-based Experiences
Context-Based Services: Equipment Tracking, Trigger Digital Signage or Voice Services
The New Borderless Organization
Borderless Experience: Anyone, Anything, Anytime, Anywhere
Anyone: Employee, Partner, Customer Communities
Anything: Person to Person, Person to Device, Device to Device
Anytime: Always Works, Instant Access, Instant Response
Anywhere: Work, Home, On the Go…
Securely, Reliably and Seamlessly
New Innovations: Architecture for Agile Delivery of the Borderless Experience
Borderless End-Point/User Services: Mobility, Workplace Experience, Video, AnyConnect
Borderless Network Services: Security (TrustSec); Performance (Mobility, Video: Medianet); Green (EnergyWise)
Borderless Networks Infrastructure
Borderless Management and Policy
Cisco’s Architecture for Borderless Network Security
1. Borderless End Zones
2. Borderless Internet
3. Borderless Data Center
4. Policy (Access Control, Acceptable Use, Malware, Data Security)
[Diagram: the dissolved-border picture from the earlier slides (Corporate Office, Branch Office, Applications and Data, Home Office, Coffee Shop, Airport, Mobile User, Partners, Customers, Attackers, and the SaaS/PaaS/IaaS/XaaS providers) with the four numbered elements overlaid]
Pillar 1: Borderless End Zone
Persistent Connectivity: Always On, Location Aware; Auto Head-end Discovery; IPsec, SSL VPN, DTLS; Intelligent End Point Traffic Routing
Advanced Security: Strong Authentication; Fast, Accurate Protection; Consistent Enforcement
Broadest Coverage: Most OSs and Protocols; Windows Mobile; Apple iPhone
Cisco AnyConnect Secure Mobility: Web Security with Next Generation Remote Access
Choice: Diverse Endpoint Support for Greater Flexibility
Security: Rich, Granular Security Integrated Into the Network
Experience: Always-on Intelligent Connection for Seamless Experience and Performance
[Diagram: a remote endpoint reaching the Intranet and Corporate File Sharing (Access Granted) through Access Control, Acceptable Use, Data Loss Prevention and Threat Prevention checks]
AnyConnect Secure Mobility: Solution Overview
1. Cisco AnyConnect: Next Generation Remote Access, “It just works”, broad device support
2. Cisco IronPort Web Security Appliance (NEW): Complete Web Security covering Malware, Acceptable Use, Access Control, and Data Security
Information Sharing Between ASA Firewall and Web Security Appliance
[Diagram: AnyConnect, the ASA, the Corporate AD and the Web Security Appliance, with user traffic to News, Web-Based Email, Social Networking and Enterprise SaaS]
Combined Solution: Seamless Access and Security
Cisco TrustSec: Guest Access Made Easy
Do I Have a Consistent Access Policy Architecture Across My Network for All Users and Devices?
[Diagram: a Consultant for a Project receives a “Guest” Access Policy; today IT Devices are Changed Manually]
Announcing: Cisco TrustSec (NEW)
Identity-aware Networking; Policy-based Access Control; Data Integrity and Confidentiality
Endpoint Components: NAC Client, 802.1X Supplicant, AnyConnect (Future)
Policy and Security Components: NAC Manager, Server, Profiler, Guest Server; Access Control System
Infrastructure Components: Cisco® Catalyst® and Nexus® Switches
Use Case: TrustSec in a Conference Room
Users: Employees, Contractors, Guests
Devices
Network: Authentication, Authorization, Device Profiling
Tools: Internet, Internal Data and Resources
Pillar 2: Borderless Security Array: Advanced Scanning and Enforcement Capabilities
Access Control | Acceptable Use | Data Security | Threat Protection
Integrated into the Fabric of the Network
Cisco IronPort Email Security Appliance, Cisco Adaptive Security Appliance, Cisco Integrated Services Routers, Cisco IronPort Web Security Appliance
Form factors: VM, Software, Security Module, Hybrid Hosted, Appliance
Pillar 3: Secure Virtualized Data Center
1. Secure Physical Infrastructure
2. Connect Physical Security to Virtual Machines with Cisco’s SIA
3. Embed Security in the Virtual Switch
Service Chaining
[Diagram: three stages, each with a Web Server, App Server and Database Server: first behind a Physical Security Device with Virtual Contexts; then on a Hypervisor tied to the Physical Security Device’s Virtual Contexts; then on a Hypervisor with Virtual Security embedded]
Pillar 4: Rich Policy Enables “Ubiquitous”, Consistent Control
Who? What? When? Where? How?
1. Access Policy
2. Dynamic Containment Policy
3. Policy On and Off Premise
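The conference-room use case (employees, contractors and guests authenticated, authorized and device-profiled before reaching the Internet or internal resources) and the Who/What/When/Where/How policy model above are easier to reason about as an ordered, deny-by-default rule set. The Python below is an added illustration written for this page; it is not Cisco or TrustSec code, and every role name, device class, rule, quarantine outcome and time window in it is an assumption chosen to show the evaluation order, including a containment rule that runs before any permit so a failed posture check cannot be bypassed.

```python
# Added example, not code from the Cisco deck: a deny-by-default, context-aware
# access policy evaluator in the spirit of the TrustSec conference-room use
# case and the Who/What/When/Where/How policy model. All roles, device classes,
# rules and the time window below are illustrative assumptions.
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    who: str          # authenticated role (assumed): employee, contractor, guest
    device: str       # profiled device class (assumed): corp_laptop, byod, unknown
    posture_ok: bool  # endpoint posture as reported by a NAC-style agent
    where: str        # network location: campus, conference_room, remote
    how: str          # access method: wired_8021x, wireless_8021x, wireless_guest, vpn
    when: time        # local time of the request
    what: str         # requested resource: internet, internal_tools, internal_data


@dataclass
class Rule:
    name: str
    effect: str                               # "permit", "quarantine" or "deny"
    match: Dict[str, FrozenSet[str]]          # attribute -> acceptable values
    posture: Optional[bool] = None            # required posture state, None = any
    window: Optional[Tuple[time, time]] = None  # [start, end) time window

    def matches(self, req: Request) -> bool:
        """Every listed attribute must be in its acceptable set; unlisted ones match anything."""
        for attr, allowed in self.match.items():
            if getattr(req, attr) not in allowed:
                return False
        if self.posture is not None and req.posture_ok != self.posture:
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= req.when < end):
                return False
        return True


def evaluate(policy: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule wins; no match means deny (fail closed)."""
    for rule in policy:
        if rule.matches(req):
            return rule.effect, rule.name
    return "deny", "default-deny"


BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed policy. Order matters: containment of non-compliant managed
# devices is evaluated before any permit rule.
POLICY: List[Rule] = [
    Rule("contain-noncompliant", "quarantine",
         {"device": frozenset({"corp_laptop"})}, posture=False),
    Rule("employee-managed-full", "permit",
         {"who": frozenset({"employee"}),
          "device": frozenset({"corp_laptop"}),
          "how": frozenset({"wired_8021x", "wireless_8021x", "vpn"})},
         posture=True),
    Rule("employee-byod-limited", "permit",
         {"who": frozenset({"employee"}),
          "device": frozenset({"byod"}),
          "what": frozenset({"internet", "internal_tools"})}),
    Rule("contractor-onsite-hours", "permit",
         {"who": frozenset({"contractor"}),
          "where": frozenset({"campus", "conference_room"}),
          "what": frozenset({"internet", "internal_tools"})},
         window=BUSINESS_HOURS),
    Rule("guest-internet-only", "permit",
         {"who": frozenset({"guest"}),
          "how": frozenset({"wireless_guest"}),
          "what": frozenset({"internet"})}),
]


def at(hour: int, minute: int = 0) -> time:
    """Small helper so callers need not import datetime.time."""
    return time(hour, minute)


def conference_room(who: str, device: str, posture_ok: bool, how: str,
                    when: time, what: str) -> Tuple[str, str]:
    """A request made from the conference room, evaluated against POLICY."""
    return evaluate(POLICY, Request(who, device, posture_ok, "conference_room", how, when, what))


if __name__ == "__main__":
    # Constructed sample requests; the comment gives the decision each returns.
    print(conference_room("employee", "corp_laptop", True, "wireless_8021x", at(10), "internal_data"))   # permit
    print(conference_room("employee", "corp_laptop", False, "wireless_8021x", at(10), "internal_data"))  # quarantine
    print(conference_room("contractor", "byod", True, "wireless_8021x", at(10), "internal_tools"))       # permit
    print(conference_room("contractor", "byod", True, "wireless_8021x", at(20), "internal_tools"))       # deny
    print(conference_room("guest", "unknown", False, "wireless_guest", at(10), "internet"))              # permit
    print(conference_room("guest", "unknown", False, "wireless_guest", at(10), "internal_tools"))        # deny
```

The same `POLICY` answers an off-premise request (an employee on a managed laptop over `vpn` at any hour is permitted by `employee-managed-full`), which is the "on and off premise" property: the decision depends on the request's attributes, not on which enforcement point sees it. The `quarantine` effect stands in for dynamic containment; in a real deployment the enforcement point would map it to a restricted VLAN or ACL.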
Cisco Security Intelligence Operations Overview
Cisco Security Intelligence Operations: Three Defense Pillars
SensorBase: Comprehensive Threat Intelligence
Threat Operations Center: Researchers and Automated Analysis
Dynamic Updates: Real-Time Updates and Best Practices
SensorBase
Depth of Coverage: 700,000+ global sensors; historical library of 40,000 threats; 30% of global email and web traffic; 500 third-party feeds, 100 news feeds, open source and vendor partnerships; over 1000 servers process over 500 GB of threat data per day
Threat Intelligence Benefits: 360-degree dynamic threat visibility; understanding of vulnerabilities and exploit technologies; visibility into highest threat vehicles; latest attack trends and techniques
Threat Operations Center
Security Expertise: 500 analysts and white-hat engineers; 80+ PhDs, CCIEs, CISSPs, MCSEs; human-aided rule creation and QC; penetration testing, botnet infiltration, malware reverse engineering, vulnerability research; 24 x 7 x 365 operations in five centers; 95% of Internet languages covered
Researchers and Analysts Benefits: network security best practices and mitigation techniques; insight into threat trends and future outlook; quality assurance, reduced false positives; around-the-clock global coverage
Dynamic Updates
Automated Defense: automated updates delivered to Cisco security devices every 3–5 minutes; reputation updates for real-time protection
Updates Benefits: reduces the exposure window; minimizes security management overhead
Cisco Security Intelligence Operations: Advanced, Proactive Threat Protection
[Diagram: Global Threat Telemetry from sensors at a Bank Branch in Chicago, an Ad Agency HQ in London and an ISP Datacenter in Moscow feeds Cisco SensorBase, the Threat Operations Center and Advanced Algorithms]
8:00 GMT: Sensor Detects New Malware
8:03 GMT: Sensor Detects Hacker Probing
8:07 GMT: Sensor Detects New Botnet
8:10 GMT: All Cisco Customers Protected
Higher Threat Coverage, Greater Accuracy, Proactive Protection
Products and Services
Latest Announcements
Introducing: Cisco Integrated Services Router Generation 2
Enhancing the Borderless Experience: Performance, Scalability, Availability
Models: 860, 880, 890; 1941, 1941W; 2901, 2911, 2921, 2951; 3925, 3945
Virtual Office; Secure Mobility; Secure Collaboration; Scalable Rich-Media Services; Customizable Applications
NEW: Intelligent Secure Access Fixed Switching Solutions
Addressing Business Transformation: Business Continuity; Business Agility; Converged Services; Intelligent Services
Evolves With Your Business; Tailored to Meet Business Needs
Entry-Level to Cisco Experience: Catalyst 2960-S w/ LAN Lite
Catalyst 2960-S w/ LAN Base; Catalyst 3K-X w/ LAN Base; Catalyst 3K-X w/ IP Base; Catalyst 3K-X w/ IP Services
Cisco EnergyWise; Reliable Voice, Video; Scalable Medianet; Automated Smart Operations; Non Stop, Self Preserving; Threat Intelligence; Role-based Access, Secure Traffic
Borderless Security: Building the System
End Zone: NAC, AnyConnect
Enforcement Points: Adaptive Security Appliance; IPS with Global Correlation; Web Security Gateway; Security Gateway; Secure Router; CVO; Switch Security
Security as a Service: Hybrid Hosted Email Security; Coming Soon: Hosted Web Security
Cisco Security Intelligence Operations