“No Lights, No Power, No Service?” - Defending IoT
Glenn G. Streeter, CISSP, SFCE
Architectural Consulting Systems Engineer - Security
BRKIOT-2107
Agenda
• Introduction
• Turning the Lights On with Connected Lighting
  • The Vision
  • Phase One: POE/LED Lighting
  • EnergyWise Architecture Overview
  • Reference Design
• No Lights, No Power, No Service? -- Security Concerns
  • Connected Lighting Security Attack Surface & Threats
• Keeping the Lights On by Doing it Right
  • Black Hat EnergyWise Hacks / Mitigations & Security Best Practices
  • The Rest of the Picture - Other Mitigation Measures / Best Practices
• Conclusions
The Journey of IoE, Enabling Digital Business
IoE: Networked Connection of People, Process, Data, Things
• People: Connecting people in more relevant, valuable ways
• Data: Leveraging data into more useful information for decision making
• Process: Delivering the right information to the right person (or machine) at the right time
• Things: Physical devices and objects connected to the Internet and each other for intelligent decision making
IoE: Connecting the Unconnected to Generate Business Value
Commercial buildings – Leveraging Your IoE Investment
Lighting
Energy/Metering
Access Control
Sensors
…
Smart Meeting Spaces
Personalized Space
…
Tenant Services
Building/Ops Services
IP Telephony
Wireless
Video
Digital Signage
Physical Security
HVAC
Major Trend of Low-voltage transition, IP Convergence, IoT-enabled Applications
In the News – IoT Security Concerns
Required – A New Security Approach for IoT
Attack Continuum
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Scope, Contain, Remediate
Network as an Enforcer
Network as a Mitigation Accelerator
Network as a Sensor
The “Journey”
IoE/IoT
IT/OT
Security
Connected Lighting 1.0(EFT)
The Vision
Why IoT Will Impact Lighting
The Evolution of Lighting
The Transition to Connected Lighting: From hard-wired circuits to software-defined lighting
Convergence of AC to DC
Incremental Energy Savings
Productivity & Health/Comfort
Generic Lighting Applications
Traditional Lighting
3 Networks
• Power
• Control System
• Measurement
Networked LED Lighting
1 Network
• DC Power
• Real time Control
• Measurement
Incremental energy savings based on highly dense sensor network and individual fixture control
• Electrical Load Shedding
• Personalized Workspaces
• Granular Occupancy
• Granular Daylight Harvesting
• Highly Flexible Scheduling
Human Centric Lighting
• Change lighting temperature to follow the circadian rhythm of workers and students
Examples
• Real time conference room availability
• Customized lighting for retail stores
• Emergency pathway lighting for first responders
• Code blue visual indicator
Light Fixtures as Sensors using UPOE
Digital ceiling unlocks the power of IoT analytics
Integrated Sensors
• Light
• Occupancy / motion
Integrated radios
• WiFi
• LiFi
• BTLE
Metering / Analytics
• Energy
• Space / occupancy
• Resources
• Grouping / interactions
First Phase: POE/LED Lighting
PoE slashes cabling cost for new construction
AC conduit
• Electrician wage rates
• Bending conduit
• Electrical code
Structured cabling
• Structured cabling cost structure
• Pull bundles
• Low-voltage
What if the Building is Leased?
Real Estate Developer
• Use of low power DC Power Over Ethernet (PoE) cabling lowers material & labor costs of lighting system installation
• Improves tenant retention and loyalty
• Net new revenue from value added commercial tenant services
Commercial Bldg. Tenant
• Significant energy savings
• Superior lighting experience and improved worker productivity
• New horizontal & vertical applications
Connected Lighting - Summary
• Analog commercial lighting industry is ripe for digital disruption with LED (light-emitting diode) lights
• Cisco Connected Lighting enables an intelligent “digital ceiling” with PoE (Power over Ethernet) technology and Energy Management over IP
• Cisco Solution is currently in development with strong customer and partner interest and several ongoing pilots
• Allows light fixtures to be sensor & radio hubs:
  • Occupancy/motion/Temperature
  • LiFi
  • BTLE / iBeacon
EnergyWise Architecture Overview
• Using the network to measure, monitor and manage energy.
• The network is the command and control plane for power management
• Protocol, Management or both?
• Control vs. Energy Management
Deeper Dive - See “BRKIOT-2401 - Cisco EnergyWise Fundamentals: The Network as the Platform for Energy Management” (2014 San Francisco)
What is Cisco EnergyWise?
Cisco EnergyWise Architecture
Unifies Device Energy Management
[Architecture diagram. Labels, top to bottom:]
• Management applications: Building Management Systems, Energy Management Applications, Network Management Applications
• EnergyWise Management API
• Parents: Catalyst Switching Network, Gateways
• EnergyWise SDK / APIs; POE / POE+ / UPOE; Building Protocols
• Children: Cisco and Partner Devices, POE Powered Devices, Building Devices
• Scope: IT devices and building facilities
Cisco EnergyWise Security
• Management Secret: Authenticates communication between Cisco EnergyWise Domain members and the management station
• Endpoint Secret: Authenticates communication between Cisco EnergyWise Domain members and Cisco EnergyWise endpoints.
• Cisco EnergyWise Domain Secret: Authenticates communication among members of the Cisco EnergyWise Domain
[Diagram labels: Application, Domain Member, Endpoint Device; failure cases shown: Incorrect Password (Application), Incorrect Timestamps (Endpoint Device)]
Connected Lighting Reference Design
Connected Lighting Reference Architecture
[Architecture diagram. Labels by layer:]
• Lighting Endpoints: POE/POE+/UPOE LED Fixtures; Room or Zone Wall Switches and Sensors
• Lighting Domain: Cisco Catalyst Switches (Cisco IOS) with POE, POE+, and/or UPOE Ports
• Management Apps: Building/Lighting Policy Engine; Local Policy Bypass Engine
• Interfaces shown: EW SDK, EW MAPI
• Partner Ecosystem
Cisco EnergyWise:
• Security
• Group Control
• Scale
• Energy Reporting
• WOL Support
• Switch Hibernation
Possible Impact to Enterprise Network Architecture
Potential Impact to the Access Layer
[Diagram labels: Dist.; Critical Access (IDF), UPS Powered Critical Infrastructure: Emergency Lighting, Sensors, & essential building devices; Non-Critical Access: Non-essential Lighting & building devices]
• 4 Layer Architecture May Emerge
  • Hybrid of Centralized and Distributed topologies
  • Access functionality may be divided between critical and non-critical infrastructure
• Critical Infrastructure:
  • Requires Maximum uptime, redundant power, UPS backup (emergency phones, sensors, exit path lighting, etc)
  • Home run to wiring closet
  • Low-Density wireless - always available
• Non-Critical Infrastructure (no UPS backup requirement)
  • Switch placement in room or in ceiling
  • High Density Wireless can be powered down after hours
What if Switch Gets Rebooted?
Answer: Perpetual Power over Ethernet (PPOE)
PoE devices connected to switch stay powered on even on switch reboot!
PoE devices continue to get last negotiated power
Minimum software version: 3.7E1 (H1CY2015)
Not applicable when switch is in hibernation mode
Port Configuration
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#inter gi0/1
Switch(config-if)#power inline port poe-ha
Switch(config-if)#
Switch reboot!
“No Lights, No Power, No Service?” -Security Concerns
Schneier on ‘really bad’ IoT security:
security within the (network)
Bruce Schneier Network World April 13th, 2015 -URL
What Can Breach IoT Networks?
• What can’t?
• Billions of connected devices – Increased Attack Surface
• Secure and insecure locations
• Security may or may not be built in
• Possibly not owned or controlled by IT … but data flows through the network
• Low cost devices
• Emerging Protocols
Any node on your network can potentially provide access to the core
Information Technology
(IT)
Smart
Objects
• IoT still evolving
• Multiple protocols emerging for IoT
• Open Source and open standards for widespread adoption
• CoAP gaining traction in the industry
New IoT protocols - are they secure?
IoT protocols, many options…

| | EnergyWise | CoAP | MQTT | XMPP |
|---|---|---|---|---|
| End device OS support | Any, OpenRTOS | Contiki, RIOT, TinyOS, mbed, iOS, Android | Posix, Windows | Linux, iOS, Android, Windows, OSX, OpenWrt |
| Transport Protocol | TCP/UDP | UDP | TCP | TCP |
| Standard | Proprietary & Open | Open | Open | Open |
| Development community | Cisco & Cisco Partners | Cisco, ARM, Eclipse, libcoap | Eclipse Mosquitto/Paho | AllSeen Alliance |
| Implementation languages | C, Java | C, Java, Python, Go, C#, Ruby | C, Java, Python, Lua, C++ | C, Java, Perl, Ruby, PHP, Lisp, Python, Haskell, TCL, JS |
| Standards body | Cisco / IETF | IETF | OASIS | IETF |
| Security | PSK, TLS | DTLS | TLS | TLS |
| Industry adoption trend | Cisco, Cisco partners | ARM, Cisco, Ericsson, Philips, Huawei, Alcatel-Lucent | IBM, Elecsys, Eurotech | Qualcomm, AllSeen, Cisco |
Phase I Scope
Security Threats for Lighting
Categories: Service Disruption; Unauthorized Network Access; Traditional Threats
• Vulnerabilities on Lighting Endpoints
• Vulnerabilities on Management Applications (i.e. Lighting Control/Monitoring)
• EnergyWise as an attack vector
• Potential network entry point
• Unauthorized POE Devices
• Lighting End Points support only MAB – MAC spoofing risk
• Snooping of EnergyWise and Control traffic
• IP/MAC spoofing
• MAC flooding
• DHCP related attacks
• DDoS
• DNS poisoning
• MITM
Keeping the Lights on –Doing it Right
EnergyWise Security Best Practices
Black Hat Hacks - Problems: What did they do actually?
• Scanned Internet – port scan 43440 and host discovery.
• Replay Attack – Used replayed packets to change power state of devices.
• Reverse Engineering – Sniffed to RE clear-text protocol and grab HMACs.
• Packet Structure Manipulation – Cracked secrets to hijack domain.
• DoS bug identified – Fuzzing attack to crash switches with malformed packet.
http://www.securitytube.net/video/11555
Best case: No hijacking or denial of service possible
Most likely case (at least): Shut down all servers in your segment
Worst case: Shut down the whole data center!
Black Hat Hacks - Mitigations
• Scanned Internet: RFC 1918 w/NAT
  • Block Internet access for switches
• Reverse Engineering: No hubs, DTP off, no VLAN 1, CISF!
  • Segmentation and 802.1x
  • IPS/Anti sniffing tools
• Packet Structure Manipulation: Encryption/MACSec
  • Use 3 Unique Strong Passwords
• Replay Attack: NTP time validation
  • energywise domain [domain-name] security ntp-shared-secret [domain-password]
• DoS bug identified – Keep switch SW up to date
• General: Change default ports
  • Disable power control if not used: no energywise allow query {save | set}
  • Specify IP or Interface for EnergyWise communications
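How the “Replay Attack: NTP time validation” mitigation works in principle, as an added example that is not from the original slides and is not the EnergyWise wire format: a keyed MAC covers a timestamp plus the command, and the receiver checks clock skew. The message layout, HMAC-SHA256, the 30-second window, the duplicate cache and the sample command are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 30   # seconds of clock difference tolerated (assumed value)
TAG_LEN = 32    # HMAC-SHA256 output size

def seal(secret: bytes, command: bytes, now: int) -> bytes:
    """Sender side: timestamp || command || HMAC(secret, timestamp || command)."""
    body = struct.pack(">Q", now) + command
    return body + hmac.new(secret, body, hashlib.sha256).digest()

def verdict(secret: bytes, message: bytes, now: int, seen: dict) -> str:
    """Receiver side: return "accepted" or the reason the message is dropped.

    `now` is the receiver's NTP-disciplined clock; `seen` maps tags already
    accepted to their timestamps so a copy replayed inside the window fails.
    """
    if len(message) < 8 + TAG_LEN:
        return "malformed"
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return "incorrect secret or altered message"
    (sent_at,) = struct.unpack(">Q", body[:8])
    if abs(now - sent_at) > MAX_SKEW:
        return "incorrect timestamp"
    # Forget tags that the timestamp check alone would now reject.
    for old in [t for t, ts in seen.items() if abs(now - ts) > MAX_SKEW]:
        del seen[old]
    if tag in seen:
        return "duplicate inside window"
    seen[tag] = sent_at
    return "accepted"

def demo():
    secret = b"constructed-domain-secret"        # constructed sample value
    seen = {}
    t0 = 1_700_000_000                            # constructed clock reading
    captured = seal(secret, b"set level=0", t0)   # hypothetical command
    results = [
        verdict(secret, captured, t0 + 1, seen),     # original delivery
        verdict(secret, captured, t0 + 5, seen),     # copy replayed at once
        verdict(secret, captured, t0 + 3600, seen),  # copy replayed an hour later
    ]
    # Rewriting the timestamp to look fresh breaks the MAC without the secret.
    forged = struct.pack(">Q", t0 + 3600) + captured[8:]
    results.append(verdict(secret, forged, t0 + 3600, seen))
    # A sender with an unsynchronised clock fails even with the right secret.
    drifted = seal(secret, b"set level=10", t0 - 600)
    results.append(verdict(secret, drifted, t0, seen))
    return results

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The timestamp check only helps if the secret is strong: anyone who recovers the secret can seal a fresh timestamp, which is why the slide pairs NTP validation with unique strong passwords.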
If you are not doing this,
what’s the saying?
Did (they/we) Say…. Segmentation & Filtering?!!!!!
• Segmentation: Use different EnergyWise Domains where possible
• Restrict EnergyWise ports to local subnet
• Segment Device management traffic
• Infrastructure ACL – control traffic towards EnergyWise
• ACLs on boundaries
• Purge Configs on decommissioned equipment!
“The EnergyWise protocol contains security mechanisms that can protect the
environment against the attack vectors …, given that a strong PSK is used
and the correct domain security model is configured.”
The Rest of the Picture - Other Mitigation Best Practices
Secure Network as the Foundation
Connected Lighting – Security Attack Surface
1. Services - NTP, DHCP, DNS
2. Application – Lighting control and management applications
3. Infrastructure Devices - Unauthorized access, privilege escalation, DDoS
4. Network – Unauthorized POE devices
5. Endpoints – Lights, Sensors, Drivers (e.g. Intellidrive)
Protect the Interior
• Authentication
• 802.1x Authentication, WebAuth, MAB
• CISF (Cisco Integrated Security Features):
• Port Security (Limit MACs)
• IPv4 and IPv6 DHCP Snooping (Prevent rogues)
• IP Source Guard (No false IPs)
• Dynamic Arp Inspection (Prevent rogues)
• StormControl
• Rate Limiting
• Access Control Lists/VLANS
• Identity Services Engine / TrustSec
L2/3 Network Security Features
CISF (Cisco Integrated Security Features)
• Port Security prevents MAC flooding attacks and DHCP Starvation Attacks
• DHCP snooping prevents client attack on the switch and server
• Dynamic ARP Inspection adds security to ARP using DHCP snooping table
• IP Source Guard adds security to IP source address using DHCP snooping table
• All features work on switchports
4500#sh run
ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
! Untrusted access port: cap learned MACs, rate-limit ARP and DHCP
interface fa3/1
 switchport port-security
 switchport port-security max 3
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
!
! Trusted port: exempt from DHCP snooping and ARP inspection checks
interface gigabit1/1
 ip dhcp snooping trust
 ip arp inspection trust
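A small checker for the CISF baseline in the config above, as an added example (not a Cisco tool and not part of the original slides). The sample config is constructed, and the rule that only trunk ports may be trusted and the `max_macs` threshold are assumptions.

```python
import re

# Constructed sample. Fa3/1 is a correctly configured access port; Fa3/2
# and Fa3/3 carry deliberate mistakes; Gi1/1 is a trusted trunk uplink.
SAMPLE = """\
ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
interface FastEthernet3/1
 switchport port-security
 switchport port-security maximum 3
 ip dhcp snooping limit rate 100
!
interface FastEthernet3/2
 switchport mode access
 switchport port-security maximum 2
!
interface FastEthernet3/3
 switchport mode access
 switchport port-security
 ip dhcp snooping limit rate 100
 ip dhcp snooping trust
!
interface GigabitEthernet1/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
"""
TRUST = ("ip dhcp snooping trust", "ip arp inspection trust")

def parse_config(text):
    """Split a running-config into global lines and interface stanzas."""
    glob, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line, re.IGNORECASE)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None and raw[:1] in (" ", "\t"):
            current.append(line)
        else:
            current = None
            glob.append(line)
    return glob, ifaces

def audit(text, max_macs=3):
    """Return (scope, finding) tuples for gaps against the CISF baseline."""
    glob, ifaces = parse_config(text)
    found = []
    for need in ("ip dhcp snooping", "ip dhcp snooping vlan ", "ip arp inspection vlan "):
        hit = any(l.startswith(need) if need.endswith(" ") else l == need for l in glob)
        if not hit:
            found.append(("global", "missing '%s'" % need.strip()))
    for port, lines in ifaces.items():
        trusted = any(l in TRUST for l in lines)
        if trusted and "switchport mode trunk" in lines:
            continue  # uplink, trusted by design
        if trusted:
            found.append((port, "trust configured on a non-trunk port"))
        # Sub-options alone do not enable the feature; the bare command does.
        if "switchport port-security" not in lines:
            found.append((port, "port security is not enabled"))
        for l in lines:
            m = re.match(r"switchport port-security max(?:imum)?\s+(\d+)$", l)
            if m and int(m.group(1)) > max_macs:
                found.append((port, "port security allows %s MACs" % m.group(1)))
        if not any(l.startswith("ip dhcp snooping limit rate ") for l in lines):
            found.append((port, "no DHCP snooping rate limit"))
    return found

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```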
AutoSecure Feature
Auto Secure: IOS-XE 3.6.0E / IOS 15.2(2)E (Amur) release
Auto Secure – Actual Config & show Commands
auto security
!
interface GigabitEthernet3/3
 description Connected to wired PC
 switchport access vlan 11
 switchport mode access
 auto security-port host
!
interface TenGigabitEthernet1/1
 description Trunk Port
 switchport mode trunk
 auto security-port uplink
Switch#sh auto security configuration
%AutoSecure provides a single CLI config 'auto secure'
to enable Base-line security Features like
DHCP snooping, ARP inspection and Port-Security
Auto Secure CLIs applied globally:
---------------------------------
ip dhcp snooping
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
ip arp inspection validate src-mac dst-mac ip
Auto Secure CLIs applied on Access Port:
----------------------------------------
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
Auto Secure CLIs applied on Trunk Port:
--------------------------------------
ip dhcp snooping trust
ip arp inspection trust
switchport port-security maximum 100
switchport port-security violation restrict
switchport port-security
Switch#sh auto security
Auto Secure is Enabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
TenGigabitEthernet1/1
GigabitEthernet3/1
GigabitEthernet3/3
GigabitEthernet3/4
GigabitEthernet3/5
GigabitEthernet3/6
Switch#
For Your Reference
TrustSec Security Group Access Overview: Translating Business Policy to the Network
TrustSec lets you define policy in meaningful business terms
Business Policy
Context Classification
Security Group Tag
[Figure: source/destination policy matrix with labels Lights, Prod HRMS, HR Database, Light Mgt, EW Domain, HR; some cells marked X]
Distributed Enforcement throughout Network: Switch, Router, DC FW, DC Switch
• Policy Based Access Control
• Identity Aware Networking
• Data Confidentiality
• Data Integrity
Policy and Segmentation Without TrustSec
[Diagram labels: Voice, Data, Lights, Guest, HVAC; Access Layer; Aggregation Layer; ACL]
VLAN, Addressing, DHCP Scope, Redundancy, Routing, Static Filtering
Simple Segmentation with 2 VLANs
More Policies using more VLANs
Design needs to be replicated for floors, buildings, offices, and other facilities. Cost could be extremely high
Policy and Segmentation with TrustSec
[Diagram labels: Data Center Firewall; Voice, Data, Lights, Guest, HVAC; Access Layer; Aggregation Layer; Data Tag, Lights Tag, Guest Tag, HVAC Tag]
Retaining initial VLAN/Subnet Design
Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
Cisco Identity Services Engine (ISE)
Delivering the Visibility and Control for Secure Network Access
[Diagram labels: Who, What, Where, When, How; Network; Partner Context Data; Cisco ISE; Consistent Secure Access Policy]
What is profiling?
Collection
• Process of collecting data to be used for identifying devices
• Uses Probes for collecting device attributes: NMAP, SNMP, HTTP, Radius, DHCP, LLDP, NetFlow
Classification
• Classifies based on Device fingerprint
Encryption - MACSec
Media Access Control Security (MACSec)
• Provides “WLAN / VPN equivalent” encryption (128bit AES GCM) to LAN connection
• NIST approved* encryption (IEEE802.1AE) + Key Management (IEEE802.1X-2010/MKA)
• Allows the network to continue to perform auditing (Security Services)
[Diagram: an authenticated user on an 802.1X supplicant with MACSec sends over an encrypted MACSec link between MACSec capable devices (encrypt / decrypt at each end); a guest user's data is sent in clear]
* National Institute of Standards and Technology Special Publication 800-38D
Harden Endpoints per manufacturer recommendations
Restrict traffic via ACL or FW.
Implement L2 security features on switch ports
Install Updated patches and software
Explore individual vendor devices to check for security features
Mitigation – Endpoints
Mitigation – Application and Services
Architecture
Located in Datacenter
Protected by Firewall and IPS
Remote Access
VPN RA only
VPN Traffic termination at or before FW & IPS
DMZ Segmentation
Patch Management
Jump Servers
Connected Lighting – Gold Model
ISE
SGT(Trustsec)
802.1x / MAB / ISE profiled
End point
MACSEC Encrypted
NDAC
Conclusions
Segmentation is a Powerful Security Tool
“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”
“Good network and role segmentation will do wonders for containing an incident.”
“Effective network segmentation… reduces the extent to which an adversary can move across the network”
“Segregate networks, limit allowed protocols usage and limit users’ excessive privileges.”
2014 DATA BREACH INVESTIGATIONS REPORT
The Untold Story of the Target Attack Step by Step, Aorato Labs, August 2014
Nothing new to see here!
The “Journey” is looking “Brighter”
• Design Zone for Security
• http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/index.html
• EnergyWise IOS Configuration Guide, EnergyWise Version 2.8
• http://www.cisco.com/c/en/us/td/docs/switches/lan/energywise/version2_8/ios/configuration/guide/b_ew_cg_2_8.html?mdfid=284654709
• EnergyWise Design Guide:
• http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Energy_Management/energywisedg.html
• Black Hat Info from ERNW: https://www.ernw.de/
• ERNW Presentation: http://www.securitytube.net/video/11555
• ERNW Whitepaper: https://www.blackhat.com/docs/us-14/materials/us-14-Luft-When-The-Lights-Go-Out-Hacking-Cisco-EnergyWise-WP.pdf
• EnergyWise Vulnerability and Mitigations Article
• http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=34962
• Protecting the Cisco Catalyst 6500 Series Switches Against Denial-Of-Service Attacks
• http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/prod_white_paper0900aecd802ca5d6.html
• Cisco TrustSec: http://www.cisco.com/go/trustsec & Cisco ISE: http://www.cisco.com/go/ise
Resources
Continue Your Education
Related sessions:
• BRKSEC-2203 - Deploying TrustSec Security Group Tagging
• BRKSEC-2007 - Fundamental IOS Security
• BRKSEC-2026 - Network as a Sensor and Enforcer
• BRKIOT-2113 - Intermediate - Internet of Things for the Enterprise
• BRKIOT-1404 - How the Internet of Everything and LED Lighting Will Transform IT
• BRKIOT-2401 - Cisco EnergyWise Fundamentals: The Network as the Platform for Energy Management (2014 San Francisco)
Thank you