“No Lights, No Power, No Service?” - Defending IoT Glenn G. Streeter, CISSP, SFCE Architectural Consulting Systems Engineer - Security BRKIOT-2107

Post on 05-Aug-2018

221 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

“No Lights, No Power, No Service?” - Defending IoT

Glenn G. Streeter, CISSP, SFCE, Architectural Consulting Systems Engineer - Security

BRKIOT-2107

Page 2

Agenda

• Introduction
• Turning the Lights On with Connected Lighting
• The Vision
• Phase One: POE/LED Lighting
• EnergyWise Architecture Overview
• Reference Design
• No Lights, No Power, No Service? -- Security Concerns
• Connected Lighting Security Attack Surface & Threats
• Keeping the Lights On by Doing it Right
• Black Hat EnergyWise Hacks / Mitigations & Security Best Practices
• The Rest of the Picture - Other Mitigation Measures / Best Practices
• Conclusions

Page 3

The Journey of IoE, Enabling Digital Business

IoE: Networked Connection of People, Process, Data, Things
• People: Connecting people in more relevant, valuable ways
• Data: Leveraging data into more useful information for decision making
• Process: Delivering the right information to the right person (or machine) at the right time
• Things: Physical devices and objects connected to the Internet and each other for intelligent decision making

IoE: Connecting the Unconnected to Generate Business Value

Page 4

Commercial buildings – Leveraging Your IoE Investment

Tenant Services and Building/Ops Services shown: Lighting, Energy/Metering, Access Control, Sensors, Smart Meeting Spaces, Personalized Space, IP Telephony, Wireless, Video, Digital Signage, Physical Security, HVAC

Major Trend of Low-voltage transition, IP Convergence, IoT-enabled Applications

Page 5

In the News – IoT Security Concerns

Page 6

Required – A New Security Approach for IoT

Attack Continuum:
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate

Network as a Sensor / Network as an Enforcer / Network as a Mitigation Accelerator

Page 7

The “Journey”: IoE/IoT, IT/OT, Security

Page 8

Connected Lighting 1.0 (EFT)

Page 9

The Vision

Page 10

Why IoT Will Impact Lighting

Page 11

The Evolution of Lighting

Page 12

The Transition to Connected Lighting: From hard-wired circuits to software-defined lighting

Convergence of AC to DC; Incremental Energy Savings; Productivity & Health/Comfort; Generic Lighting Applications

Traditional Lighting – 3 Networks:
• Power
• Control System
• Measurement

Networked LED Lighting – 1 Network:
• DC Power
• Real time Control
• Measurement

Application examples:
• Incremental energy savings based on highly dense sensor network and individual fixture control
• Electrical Load Shedding
• Personalized Workspaces
• Granular Occupancy
• Granular Daylight Harvesting
• Highly Flexible Scheduling
• Human Centric Lighting: change lighting temperature to follow the circadian rhythm of workers and students
• Real time conference room availability
• Customized lighting for retail stores
• Emergency pathway lighting for first responders
• Code blue visual indicator

Page 13

Examples

Page 14

Light Fixtures as Sensors using UPOE

Digital ceiling unlocks the power of IoT analytics

Integrated Sensors:
• Light
• Occupancy / motion

Integrated radios:
• WiFi
• LiFi
• BTLE

Metering Analytics:
• Energy
• Space / occupancy
• Resources
• Grouping / interactions

Page 15

First Phase: POE/LED Lighting

Page 17

What if the Building is Leased?

Commercial Bldg. Tenant / Real Estate Developer

• Use of low power DC Power Over Ethernet (PoE) cabling lowers material & labor costs of lighting system installation
• Improves tenant retention and loyalty
• Net new revenue from value added commercial tenant services
• Significant energy savings
• Superior lighting experience and improved worker productivity
• New horizontal & vertical applications

Page 18

Connected Lighting - Summary

1. Analog commercial lighting industry is ripe for digital disruption with LED (light-emitting diode) lights
2. Cisco Connected Lighting enables an intelligent “digital ceiling” with PoE (Power over Ethernet) technology and Energy Management over IP
3. Cisco Solution is currently in development with strong customer and partner interest and several ongoing pilots
4. Allows light fixtures to be sensor & radio hubs:
   • Occupancy/motion/Temperature
   • LiFi
   • BTLE / iBeacon

Page 19

EnergyWise Architecture Overview

Page 20

What is Cisco EnergyWise?

• Using the network to measure, monitor and manage energy.
• The network is the command and control plane for power management
• Protocol, Management or both?
• Control vs. Energy Management

Deeper Dive - See “BRKIOT-2401 - Cisco EnergyWise Fundamentals: The Network as the Platform for Energy Management” (2014 San Francisco)

Page 21

Cisco EnergyWise Architecture – Unifies Device Energy Management

• Management Applications (IT devices and building facilities): Building Management Systems, Energy Management Applications, Network Management Applications
• EnergyWise Management API between the management applications and the network
• Parents: Catalyst Switching Network and Gateways
• EnergyWise SDK / APIs, POE / POE+ / UPOE, and Building Protocols between parents and children
• Children: POE Powered Devices, Cisco and Partner Devices, Building Devices

Page 22

Cisco EnergyWise Security

• Management Secret: Authenticates communication between Cisco EnergyWise Domain members and the management station
• Endpoint Secret: Authenticates communication between Cisco EnergyWise Domain members and Cisco EnergyWise endpoints.
• Cisco EnergyWise Domain Secret: Authenticates communication among members of the Cisco EnergyWise Domain

Diagram: Application ↔ Domain Member ↔ Domain Member ↔ Endpoint Device; an application presenting an Incorrect Password and an endpoint device presenting Incorrect Timestamps are flagged (!) as authentication failures.

Page 23

Connected Lighting Reference Design

Page 24

Connected Lighting Reference Architecture

• Lighting Endpoints: POE/POE+/UPOE LED Fixtures; Room or Zone Wall Switches and Sensors (each with the EW SDK)
• Lighting Domain: Cisco Catalyst Switches running Cisco IOS with POE, POE+, and/or UPOE Ports; Cisco EnergyWise provides Security, Group Control, Scale, Energy Reporting, WOL Support, Switch Hibernation
• Management Apps (via EW MAPI): Building/Lighting Policy Engine; Local Policy Bypass Engine; Partner Ecosystem

Page 25

Possible Impact to Enterprise Network Architecture: Potential Impact to the Access Layer

Diagram: Dist.; Critical Access (IDF), UPS Powered Critical Infrastructure, serving Emergency Lighting, Sensors, & essential building devices; Non-Critical Access, serving Non-essential Lighting & building devices

• 4 Layer Architecture May Emerge
  • Hybrid of Centralized and Distributed topologies
  • Access functionality may be divided between critical and non-critical infrastructure
• Critical Infrastructure:
  • Requires Maximum uptime, redundant power, UPS backup (emergency phones, sensors, exit path lighting, etc)
  • Home run to wiring closet
  • Low-Density wireless - always available
• Non-Critical Infrastructure (no UPS backup requirement)
  • Switch placement in room or in ceiling
  • High Density Wireless can be powered down after hours

Page 26

What if Switch Gets Rebooted? Answer: Perpetual Power over Ethernet (PPOE)

• PoE devices connected to switch stay powered on even on switch reboot!
• PoE devices continue to get last negotiated power
• Minimum software version: 3.7E1 (H1CY2015)
• Not applicable when switch is in hibernation mode

Port Configuration:
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#inter gi0/1
Switch(config-if)#power inline port poe-ha
Switch(config-if)#

Page 27

“No Lights, No Power, No Service?” - Security Concerns

Page 28

Schneier on ‘really bad’ IoT security: security within the (network)

Bruce Schneier, Network World, April 13th, 2015 - URL

Page 29

What Can Breach IoT Networks?

• What can’t?
• Billions of connected devices – Increased Attack Surface
• Secure and insecure locations
• Security may or may not be built in
• Possibly not owned or controlled by IT … but data flows through the network
• Low cost devices
• Emerging Protocols

Any node on your network can potentially provide access to the core (Information Technology (IT) and Smart Objects)

Page 30

New IoT protocols - are they secure?

• IoT still evolving
• Multiple protocols emerging for IoT
• Open Source and open standards for widespread adoption
• CoAP gaining traction in the industry

Page 31

IoT protocols, many options…

| | EnergyWise (Phase I Scope) | CoAP | MQTT | XMPP |
|---|---|---|---|---|
| End device OS support | Any, OpenRTOS | Contiki, RIOT, TinyOS, mbed, iOS, Android | Posix, Windows | Linux, iOS, Android, Windows, OSX, OpenWRT |
| Transport Protocol | TCP/UDP | UDP | TCP | TCP |
| Standard | Proprietary & Open | Open | Open | Open |
| Development community | Cisco & Cisco Partners | Cisco, ARM, Eclipse, libcoap | Eclipse Mosquitto/Paho | AllSeen alliance |
| Implementation languages | C, Java | C, Java, Python, Go, C#, Ruby | C, Java, Python, Lua, C++ | C, Java, Perl, Ruby, PHP, Lisp, Python, Haskell, TCL, JS |
| Standards body | Cisco / IETF | IETF | OASIS | IETF |
| Security | PSK, TLS | DTLS | TLS | TLS |
| Industry adoption trend | Cisco, Cisco partners | ARM, Cisco, Ericsson, Philips, Huawei, Alcatel-Lucent | IBM, Elecsys, Eurotech | Qualcomm, AllSeen, Cisco |

Page 32

Security Threats for Lighting

Categories: Service Disruption, Unauthorized Network Access, Traditional Threats

• Vulnerabilities on Lighting Endpoints
• Vulnerabilities on Management Applications (i.e. Lighting Control/Monitoring)
• EnergyWise as an attack vector
• Potential network entry point
• Unauthorized POE Devices
• Lighting End Points support only MAB – MAC spoofing risk
• Snooping of EnergyWise and Control traffic
• IP/MAC spoofing
• MAC flooding
• DHCP related attacks
• DDoS
• DNS poisoning
• MITM

Page 33

Keeping the Lights on – Doing it Right

Page 34

EnergyWise Security Best Practices

Page 35

Black Hat Hacks - Problems: What did they do actually?

• Scanned Internet – port scan 43440 and host discovery.
• Replay Attack – Used replayed packets to change power state of devices.
• Reverse Engineering – Sniffed to RE clear-text protocol and grab HMACs.
• Packet Structure Manipulation – Cracked secrets to hijack domain.
• DoS bug identified – Fuzzing attack to crash switches with malformed packet.

http://www.securitytube.net/video/11555

Best case: No hijacking or denial of service possible
Most likely case (at least): Shut down all servers in your segment
Worst case: Shut down the whole data center!

Page 36

Black Hat Hacks - Mitigations

• Scanned Internet: RFC 1918 w/NAT
  • Block Internet access for switches
• Reverse Engineering: No hubs, DTP off, no VLAN 1, CISF!
  • Segmentation and 802.1x
  • IPS/Anti sniffing tools
• Packet Structure Manipulation: Encryption/MACSec
  • Use 3 Unique Strong Passwords
• Replay Attack: NTP time validation
  • energy domain [domain-name] security ntp-shared-secret [domain-password]
• DoS bug identified – Keep switch SW up to date
• General: Change default ports
  • Disable power control if not used: no energywise allow query {save | set}
  • Specify IP or Interface for EnergyWise communications

If you are not doing this, what’s the saying?
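The three shared secrets on the Cisco EnergyWise Security slide and the NTP time validation listed above against replay are the ingredients of one receiver-side check: the right secret proves the sender, the timestamp window bounds how long a captured packet stays usable, and a short replay cache closes the window itself. The following is an added illustrative model of that check, not the EnergyWise wire format or Cisco code; the message layout, the 30-second window and the constructed secrets are assumptions.

```python
import hashlib
import hmac
import json
import time

# One shared secret per trust relationship, mirroring the three secrets on the
# "Cisco EnergyWise Security" slide. Values are constructed for this example.
SECRETS = {
    "domain": b"constructed-domain-secret",          # member <-> member
    "management": b"constructed-management-secret",  # management station <-> member
    "endpoint": b"constructed-endpoint-secret",      # member <-> endpoint
}
# Assumed acceptance window (seconds) around the receiver's NTP-synchronised clock.
CLOCK_SKEW = 30


def canonical(body):
    """Stable byte encoding of the message body so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(role, secret, body):
    """Sender side: bind the role into the body and append an HMAC-SHA256 tag."""
    body = dict(body, role=role)
    tag = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class Verifier:
    """Receiver side: checks role, secret (via the MAC), timestamp window and replay."""

    def __init__(self, secrets, skew=CLOCK_SKEW):
        self.secrets = secrets
        self.skew = skew
        self.seen = {}  # (role, sender, ts, nonce) -> ts, for replay detection

    def verify(self, message, now=None):
        now = time.time() if now is None else now
        body = message.get("body", {})
        secret = self.secrets.get(body.get("role"))
        if secret is None:
            return "rejected: unknown role"
        expected = hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()
        # A wrong secret (or a tampered body) shows up as a MAC mismatch: the
        # "Incorrect Password" case on the slide. compare_digest is constant-time.
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return "rejected: incorrect password"
        ts = body.get("ts")
        # Old or future timestamps are rejected: the "Incorrect Timestamps" case,
        # which is what NTP time validation buys against replayed packets.
        if not isinstance(ts, (int, float)) or abs(now - ts) > self.skew:
            return "rejected: incorrect timestamp"
        # Inside the window a replay is still possible, so remember what was accepted
        # and forget entries whose timestamp could no longer pass the window check.
        self.seen = {k: v for k, v in self.seen.items() if v >= now - self.skew}
        key = (body["role"], body.get("sender"), ts, body.get("nonce"))
        if key in self.seen:
            return "rejected: replay"
        self.seen[key] = ts
        return "accepted"


def run_demo(now=1_700_000_000):
    """Constructed scenario: a power-state command from the management station."""
    verifier = Verifier(SECRETS)
    cmd = {"cmd": "set-level", "level": 0, "sender": "mgmt-1", "nonce": 1, "ts": now}
    good = sign("management", SECRETS["management"], cmd)
    results = {"valid": verifier.verify(good, now)}
    results["replay"] = verifier.verify(good, now + 5)          # same packet again
    guessed = sign("management", b"guessed-secret", cmd)         # sender lacks the secret
    results["wrong_secret"] = verifier.verify(guessed, now)
    stale = sign("management", SECRETS["management"], dict(cmd, nonce=2, ts=now - 600))
    results["stale"] = verifier.verify(stale, now)
    other = sign("visitor", SECRETS["management"], cmd)          # no such trust relationship
    results["unknown_role"] = verifier.verify(other, now)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:13s} -> {verdict}")
```

The verdict strings deliberately echo the slide's two failure labels; a weak or default secret defeats the first check regardless of how tight the timestamp window is, which is why the slide pairs NTP validation with three unique strong passwords.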

Page 37

Did (they/we) Say…. Segmentation & Filtering?!!!!!

• Segmentation: Use different EnergyWise Domains where possible
• Restrict EnergyWise ports to local subnet
• Segment Device management traffic
• Infrastructure ACL – control traffic towards EnergyWise
• ACLs on boundaries
• Purge Configs on decommissioned equipment!

“The EnergyWise protocol contains security mechanisms that can protect the environment against the attack vectors …, given that a strong PSK is used and the correct domain security model is configured.”

Page 38

The Rest of the Picture - Other Mitigation Best Practices

Page 39

Secure Network as the Foundation

Page 40

Connected Lighting – Security Attack Surface

1. Services - NTP, DHCP, DNS
2. Application – Lighting control and management applications
3. Infrastructure Devices - Unauthorized access, privilege escalation, DDoS
4. Network – Unauthorized POE devices
5. Endpoints – Lights, Sensors, Drivers (eg: Intellidrive)

Page 41

Security Threats for Lighting (slide repeated from Page 32)

Page 42

Protect the Interior: L2/3 Network Security Features

• Authentication
  • 802.1x Authentication, WebAuth, MAB
• CISF (Cisco Integrated Security Features):
  • Port Security (Limit MACs)
  • IPv4 and IPv6 DHCP Snooping (Prevent rogues)
  • IP Source Guard (No false IPs)
  • Dynamic ARP Inspection (Prevent rogues)
  • StormControl
  • Rate Limiting
• Access Control Lists/VLANs
• Identity Services Engine / TrustSec

Page 43

CISF (Cisco Integrated Security Features)

• Port Security prevents MAC flooding attacks and DHCP Starvation Attacks
• DHCP snooping prevents client attacks on the switch and server
• Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
• IP Source Guard adds security to IP source addresses using the DHCP snooping table
• All features work on switchports

4500#sh run
ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
interface fa3/1
 switchport port-security
 switchport port-security maximum 3
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
!
interface gigabit1/1
 ip dhcp snooping trust
 ip arp inspection trust

Page 44

AutoSecure Feature (Auto Secure) – IOS-XE 3.6.0E / IOS 15.2(2)E (Amur) release

Page 45

Auto Secure – Actual Config & show Commands (For Your Reference)

auto security
!
interface GigabitEthernet3/3
 description Connected to wired PC
 switchport access vlan 11
 switchport mode access
 auto security-port host
!
interface TenGigabitEthernet1/1
 description Trunk Port
 switchport mode trunk
 auto security-port uplink

Switch#sh auto security configuration
%AutoSecure provides a single CLI config 'auto secure'
to enable Base-line security Features like
DHCP snooping, ARP inspection and Port-Security

Auto Secure CLIs applied globally:
---------------------------------
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
ip arp inspection validate src-mac dst-mac ip

Auto Secure CLIs applied on Access Port:
----------------------------------------
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100

Auto Secure CLIs applied on Trunk Port:
--------------------------------------
ip dhcp snooping trust
ip arp inspection trust
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security

Switch#sh auto security
Auto Secure is Enabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
TenGigabitEthernet1/1
GigabitEthernet3/1
GigabitEthernet3/3
GigabitEthernet3/4
GigabitEthernet3/5
GigabitEthernet3/6
Switch#
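The CISF configuration on the previous slide and the Auto Secure output above express the same per-port baseline: DHCP snooping and DAI enabled globally, port-security plus DHCP and ARP rate limits on access ports, and DHCP-snooping/ARP trust on uplinks. The following added example, not code from the presentation or from Cisco, audits a running-config text for that baseline, treating `auto security-port host` / `auto security-port uplink` (and global `auto security`) as satisfying the commands the `show auto security configuration` output lists; the sample config, interface names and finding wording are constructed assumptions.

```python
# Added example, not Cisco code or code from the presentation. Audits an IOS
# running-config text for the CISF baseline shown on the slides; the sample
# config, interface names and finding texts below are constructed assumptions.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
interface GigabitEthernet1/0/1
 description PoE LED fixture, CISF applied
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/2
 description PoE LED fixture, nothing applied
 switchport mode access
!
interface GigabitEthernet1/0/3
 description PoE LED fixture, Auto Secure
 switchport mode access
 auto security-port host
!
interface TenGigabitEthernet1/1/1
 description Uplink, trusted
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface TenGigabitEthernet1/1/2
 description Uplink, untrusted
 switchport mode trunk
!
"""

# (command, exact match required?, finding). Port-security is enabled only by
# the bare command; 'switchport port-security maximum N' alone does not enable it.
ACCESS_RULES = [
    ("switchport port-security", True, "port-security not enabled (MAC flooding, DHCP starvation)"),
    ("switchport port-security maximum", False, "no port-security MAC limit"),
    ("ip dhcp snooping limit rate", False, "no DHCP snooping rate limit"),
    ("ip arp inspection limit rate", False, "no ARP inspection rate limit"),
]
TRUNK_RULES = [
    ("ip dhcp snooping trust", True, "uplink not trusted for DHCP snooping"),
    ("ip arp inspection trust", True, "uplink not trusted for ARP inspection"),
]


def parse_config(text):
    """Split IOS config into global commands and per-interface command lists.
    IOS indents interface sub-commands by one space and ends blocks with '!'."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def has(cmds, command, exact):
    return any(c == command or (not exact and c.startswith(command + " ")) for c in cmds)


def audit(text):
    """Return (scope, finding) pairs; an empty list means the baseline is met."""
    globals_, interfaces = parse_config(text)
    findings = []
    if "auto security" not in globals_:  # Auto Secure applies the global CLIs itself
        if "ip dhcp snooping" not in globals_:
            findings.append(("global", "ip dhcp snooping not enabled"))
        if not has(globals_, "ip dhcp snooping vlan", False):
            findings.append(("global", "no VLANs enabled for DHCP snooping"))
        if not has(globals_, "ip arp inspection vlan", False):
            findings.append(("global", "no VLANs enabled for dynamic ARP inspection"))
    for name, cmds in interfaces.items():
        if not any(c.startswith("switchport") for c in cmds):
            continue  # routed or non-switchport interface: CISF does not apply
        if has(cmds, "switchport mode trunk", True):
            rules, covered = TRUNK_RULES, has(cmds, "auto security-port uplink", True)
        else:
            rules, covered = ACCESS_RULES, has(cmds, "auto security-port host", True)
        if covered:
            continue
        for command, exact, finding in rules:
            if not has(cmds, command, exact):
                findings.append((name, finding))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against the sample it reports only the bare access port and the untrusted uplink; an uplink left untrusted is the case worth catching before rollout, because DHCP snooping on an untrusted uplink drops the legitimate server's offers and takes the lighting endpoints down with it.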

Page 46

Security Threats for Lighting (slide repeated from Page 32)

Page 47

TrustSec Security Group Access Overview: Translating Business Policy to the Network

TrustSec lets you define policy in meaningful business terms: Business Policy → Context Classification → Security Group Tag (TAG)

Policy matrix (Source vs. Destination) over groups such as Lights, Light Mgt, EW Domain, HR, Prod HRMS and HR Database, with permitted and denied (X) combinations

Distributed Enforcement throughout Network: Switch, Router, DC FW, DC Switch

• Policy Based Access Control
• Identity Aware Networking
• Data Confidentiality
• Data Integrity

Page 48

Policy and Segmentation Without TrustSec

Voice, Data, Lights, Guest, HVAC across the Access Layer and Aggregation Layer, each needing: VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering, ACL

Simple Segmentation with 2 VLANs; More Policies using more VLANs

Design needs to be replicated for floors, buildings, offices, and other facilities. Cost could be extremely high.

Page 49

Policy and Segmentation with TrustSec

Voice, Data, Lights, Guest, HVAC across the Access Layer, Aggregation Layer and Data Center Firewall, carrying Data Tag, Lights Tag, Guest Tag, HVAC Tag

Retaining initial VLAN/Subnet Design

Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers

Page 50

Cisco Identity Services Engine (ISE): Delivering the Visibility and Control for Secure Network Access

Diagram labels: Who, What, Where, When, How; Network; Partner Context Data; Cisco ISE; Consistent Secure Access Policy

Page 51

What is profiling?

• Collection: Process of collecting data to be used for identifying devices; uses Probes for collecting device attributes (NMAP, SNMP, HTTP, Radius, DHCP, LLDP, NetFlow)
• Classification: Classifies based on Device fingerprint

Page 52

Encryption - MACSec

Media Access Control Security (MACSec)
• Provides “WLAN / VPN equivalent” encryption (128bit AES GCM) to LAN connection
• NIST approved* encryption (IEEE802.1AE) + Key Management (IEEE802.1X-2010/MKA)
• Allows the network to continue to perform auditing (Security Services)

Diagram: an 802.1X Supplicant with MACSec (Authenticated User) encrypts traffic over the MACSec Link to MACSec Capable Devices, which decrypt it; a Guest User without MACSec has data sent in clear.

* National Institute of Standards and Technology Special Publication 800-38D

Page 53

Security Threats for Lighting (slide repeated from Page 32)

Page 54

Mitigation – Endpoints

• Harden Endpoints per manufacturer recommendations
• Restrict traffic via ACL or FW.
• Implement L2 security features on switch ports
• Install updated patches and software
• Explore individual vendor devices to check for security features

Page 55

Mitigation – Application and Services

Architecture:
• Located in Datacenter
• Protected by Firewall and IPS

Remote Access:
• VPN RA only
• VPN Traffic termination at or before FW & IPS
• DMZ Segmentation
• Patch Management
• Jump Servers

Page 56

Security Threats for Lighting (slide repeated from Page 32)

Page 57

Connected Lighting – Gold Model

• ISE
• SGT (TrustSec)
• 802.1x / MAB / ISE profiled End point
• MACSEC Encrypted
• NDAC

Page 58

Conclusions

Page 59

Segmentation is a Powerful Security Tool

“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”

“Good network and role segmentation will do wonders for containing an incident.”

“Effective network segmentation… reduces the extent to which an adversary can move across the network”

“Segregate networks, limit allowed protocols usage and limit users’ excessive privileges.”

Sources cited on the slide: 2014 Data Breach Investigations Report; The Untold Story of the Target Attack Step by Step, Aorato Labs, August 2014

Page 60

Nothing new to see here!

Page 61

The “Journey” is looking “Brighter”

Page 62

Resources

• Design Zone for Security: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/index.html
• EnergyWise IOS Configuration Guide, EnergyWise Version 2.8: http://www.cisco.com/c/en/us/td/docs/switches/lan/energywise/version2_8/ios/configuration/guide/b_ew_cg_2_8.html?mdfid=284654709
• EnergyWise Design Guide: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Energy_Management/energywisedg.html
• Black Hat Info from ERNW: https://www.ernw.de/
• ERNW Presentation: http://www.securitytube.net/video/11555
• ERNW Whitepaper: https://www.blackhat.com/docs/us-14/materials/us-14-Luft-When-The-Lights-Go-Out-Hacking-Cisco-EnergyWise-WP.pdf
• EnergyWise Vulnerability and Mitigations Article: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=34962
• Protecting the Cisco Catalyst 6500 Series Switches Against Denial-Of-Service Attacks: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd802ca5d6.html
• Cisco TrustSec: http://www.cisco.com/go/trustsec & Cisco ISE: http://www.cisco.com/go/ise

Page 63

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include
  • Your favorite speaker’s Twitter handle @glenn_streeter
  • Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could Be a Winner

Page 64

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Page 65

Continue Your Education

Related sessions:

• BRKSEC-2203 - Deploying TrustSec Security Group Tagging

• BRKSEC-2007 - Fundamental IOS Security

• BRKSEC-2026 - Network as a Sensor and Enforcer

• BRKIOT-2113 - Intermediate - Internet of Things for the Enterprise

• BRKIOT-1404 - How the Internet of Everything and LED Lighting Will Transform IT

• BRKIOT-2401 - Cisco EnergyWise Fundamentals: The Network as the Platform for Energy Management (2014 San Francisco)

Page 66

Internet of Things (IoT) Cisco Education Offerings

Course | Description | Cisco Certification

NEW! CCNA Industrial | An associate-level, instructor-led training course designed to prepare you for the CCNA Industrial certification | CCNA® Industrial

Managing Industrial Networks with Cisco Networking Technologies (IMINS) | This curriculum addresses foundational skills needed to manage and administer networked industrial control systems. It provides plant administrators, control system engineers and traditional network engineers with an understanding of the networking technologies needed in today's connected plants and enterprises | Cisco Industrial Networking Specialist

Control Systems Fundamentals for Industrial Networking (ICINS) | For IT and Network Engineers, covers basic concepts in Industrial Control Systems including an introduction to automation industry verticals, automation environment and an overview of industrial control networks |

Networking Fundamentals for Industrial Control Systems (INICS) | For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and an introductory overview of Automation industry Protocols. |

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]

Page 67

Security Cisco Education Offerings

Course | Description | Cisco Certification

Implementing Cisco IOS Network Security (IINS) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security

Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls |

Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security |

Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco’s Identity Services Engine and 802.1X secure network access |

Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions |

Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for professional security analysts, the course covers essential areas of competency including event monitoring, security event/alarm/traffic analysis, and incident response | Cisco Cybersecurity Specialist

Network Security Product and Solutions Training | For official product training on Cisco’s latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances, see www.cisco.com/go/securitytraining |


Page 68

Thank you

Page 69