Overview of the Cisco Security Portfolio

Redouane MEDDANE
Consultant in Collaboration and Security
Cisco Products Naming

Cisco SecureX threat response (formerly Cisco Threat Response)
Cisco global threat alerts (formerly Cognitive Threat Analytics or CTA)
Cisco Secure Network Analytics (formerly Stealthwatch)
Secure Web Appliance (formerly Web Security Appliance)
Cisco Secure Email (formerly Email Security Appliance)
Cisco Secure Firewall (formerly Firepower Threat Defense)
Secure Client (formerly AnyConnect Secure Mobility Client)
Secure Endpoint (formerly Advanced Malware Protection or AMP for Endpoints)

Cisco Products Classification

Network Security: Firepower, Web Security, Email Security, ISE, Stealthwatch
Endpoint Security: AMP 4 Endpoint, AnyConnect, DUO MFA
Cloud Security: Umbrella, Stealthwatch, Email Security, CASB
Attack Continuum

Cisco Security Products in the Attack Continuum

Diagram: the continuum runs Before (Enforce, Harden), During (Detect, Block) and After (Contain, Remediate). Products placed on it: Umbrella, WSA, ISE, ESA, NGFW, NGIPS, AMP, SNA.
Cisco Firewall

Traditional Firewall

• Stateful
• L3/4 Filtering
• L7 Filtering

Diagram (ASA Firewall): the same user jdoe reaches the firewall over wired, wireless and VPN connections. Questions raised: Identity Awareness? Application Awareness? "HTTPS? Allow port TCP/443" lets file sharing, news, FB, YouTube and webmail all through on the same port; File Sharing = Malware?

Next-Generation Firewall

Evolution: Legacy company Sourcefire -> ASA-X with FirePOWER Services module -> Firepower Threat Defense -> Cisco Secure Firewall
Cisco Secure Firewall Features

• Prefilter Policy – L3/4
• Security Intelligence – Talos
• Access Control Policy Rules – L3/4/7
• SSL Decryption
• Network Discovery
• Malware/File Policy
• DNS Policy
• Identity Policy
• QoS Policy
• NAT Policy
• Correlation Policy
Deployment Modes

Routed Mode: inside host 10.1.1.2 -> FTD inside interface 10.1.1.1 | FTD outside interface 10.2.2.1 -> outside host 10.2.2.2 (two subnets)
Transparent Mode: inside host 10.1.1.2 -> FTD -> outside host 10.1.1.1 (same subnet)

Packet Flow

Prefilter -> Security Intelligence -> SSL Decryption -> Access Control Policy -> Deep Packet Inspection (Malware/File Policy, IPS Policy)

Topology (diagram)
Cisco Web Security Appliance

Cisco Web Security Appliance Features

Diagram: user jdoe reaches www.google.com through the proxy (WSA).

Features:
• Proxy (HTTP/HTTPS/FTP)
• Caching
• URL Filtering (by category)
• Application Visibility Control
• Reputation WBRS (Web Based Reputation Score): Block [-10 to -9], Scan [-8.9 to 5.9], Allow [6 to 10]
• Dynamic Content Analysis
• User Authentication
• Bandwidth Limits
• Time Quotas
• File Detection: AMP, local AV (McAfee, Sophos)
• SSL Decryption
• L4TM (L4 Traffic Monitor)
Explicit Forward Mode

Diagram: jdoe -> WSA -> ASA -> www.google.com

Web traffic is sent directly to the WSA.
- Manual: proxy parameters configured in the web browser
- Automatic: PAC file

Considerations
- DNS resolution is done by the WSA
- Destination IP of the client's connection = WSA
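The "Automatic: PAC file" option above, as an added example (not from the slide deck): a PAC file that sends HTTP/HTTPS/FTP to the WSA in explicit forward mode while keeping intranet destinations direct. The WSA address 10.1.1.50:3128, the internal domain example.corp and the RFC 1918 bypass ranges are assumed values.

```javascript
// Added example (not from the slide deck): a PAC file for WSA explicit
// forward mode. The browser calls FindProxyForURL(url, host) per request and,
// for a "PROXY" answer, opens the TCP connection to the WSA and lets the WSA
// resolve the destination name (the deck's "DNS resolution by WSA",
// "Destination IP = WSA"). Assumed: WSA 10.1.1.50:3128, domain example.corp.
var WSA = "PROXY 10.1.1.50:3128";

function FindProxyForURL(url, host) {
  // Plain hostnames and internal names go direct: keeps intranet traffic
  // off the WSA and avoids a loop if the WSA itself is the destination.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.corp") ||
      host === "10.1.1.50") {
    return "DIRECT";
  }
  // Literal private IPs go direct. Testing the literal first avoids the
  // client-side DNS lookup that isInNet() would trigger for a hostname.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Only the protocols the WSA proxies (HTTP/HTTPS/FTP) are sent to it.
  if (/^(https?|ftp):/i.test(url)) {
    return WSA;
  }
  return "DIRECT";
}

// Minimal stand-ins for the helpers a browser's PAC engine provides, so the
// file can be exercised offline in Node. Defining them here shadows the
// browser's versions with equivalent behaviour for the cases used above.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.slice(-domain.length) === domain; }
function ipToInt(ip) {
  var parts = ip.split("."), n = 0;
  for (var i = 0; i < 4; i++) { n = n * 256 + Number(parts[i]); }
  return n;
}
function isInNet(ipLiteral, pattern, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ipLiteral) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}
```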
Transparent Mode

Diagram: jdoe -> network device (ASA) redirects web traffic to the WSA -> www.google.com

Web traffic is redirected to the WSA.
- Redirection by network devices
- Redirection with the WCCP protocol

Considerations
- DNS resolution is done by the client
- Destination IP of the client's connection = google.com
Packet Flow

Web Request -> Identification Profile -> Access Policy -> Decryption Policy

Identification Profile
  Conditions: Subnet, Protocol, Port, User Agent
  Result: Authentication or No authentication

Access Policy
  Conditions: Identification Profile, user/AD group
  Filters: Protocol/User Agent, URL Filtering, Applications, Objects (File Type), Anti-Malware/Reputation
  Actions: Block, Monitor, Warn, Quota Based, Time Based, Bandwidth Limit (application)

Decryption Policy
  Conditions: Identification Profile, user/AD group
  Filters: URL Filtering, WBRS
  Actions: Decrypt, Passthrough, Drop, Monitor
Cisco Umbrella Secure Internet Gateway

Cisco Umbrella as DNS Service

DNS precedes the IP connection.

DNS is the first line of defense.

Dilemma (diagram): a host asks "IP of cool.com?" (legitimate request), "IP of bad.com?" (malicious website, malware) and "IP of CnC SRV?" (find CnC server, encrypted key, ransomware).
1. How to redirect to an exploit kit server?
2. How to reach out to the CnC server?
3. What to do with an infected host?
Cisco Umbrella Components

DNS Layer Security
Cloud Delivered Firewall
Secure Web Gateway
Cloud Access Security Broker
Cisco Umbrella Packet Flow

DNS Policy -> Firewall Policy -> Web Policy -> DLP Policy

DNS Policy: DNS Request Filtering, Intelligent Proxy, SSL Decryption, AMP
Firewall Policy: L3/4/7 Filtering, IPS Inspection
Web Policy: URL Category, AVC, File Control, AMP / Threat Grid, HTTPS Inspection
DLP Policy
Cisco Umbrella Deployment Modes

DNS Layer Security deployment: DNS forwarders, Virtual Appliances, Network devices, AnyConnect, Roaming Client
Cloud Delivered Firewall deployment: IPsec tunnel, IPsec tunnel with on-prem edge device
Secure Web Gateway deployment: AnyConnect, PAC file
DNS Layer Security Intelligent Proxy

Diagram: DNS query for www.games.com (real address 100.1.1.1) with the Intelligent Proxy disabled and enabled.
• Intelligent Proxy disabled: the Umbrella DNS servers answer with the real IP 100.1.1.1 and the client connects to www.games.com directly over the INTERNET.
• Intelligent Proxy enabled: the Umbrella DNS servers answer with 146.112.0.1 (an Intelligent Proxy address in 146.112.0.0/16); the client connects to the Intelligent Proxy, which fetches www.games.com from 100.1.1.1.
Intelligent Proxy vs Secure Web Gateway

DNS Layer Security (Umbrella term: Intelligent Proxy): DNS servers plus a selected proxy in 146.112.0.0/16; inspects selected web traffic, for grey domains only.
Secure Web Gateway (Umbrella term: Secure Web Gateway): proxy servers acting as a full proxy; inspects all web traffic.
Intelligent Proxy vs Secure Web Gateway

DNS Policy: DNS Request Filtering, Intelligent Proxy, AMP, SSL Decryption
Web Policy: URL Category, AVC, File Control, AMP / Threat Grid, HTTPS Inspection

Both offer HTTPS decryption. But what's the difference?

With Intelligent Proxy for

With Secure Web Gateway, additional security:
• File Inspection: Threat Grid sandboxing, AMP
• Application Visibility Control
• Granular logs of web transactions
• File Type Control
Cisco Email Security Appliance

How SMTP works

Diagram without ESA: jdoe@voip.com sends to jsmith@collab.com. The voip.com mail server asks the DNS server "MX of collab.com?" and receives collab.com MX mail.collab.com, mail.collab.com A 200.1.1.1; it then delivers the message directly to the collab.com mail server at 200.1.1.1.

Diagram with ESA: the DNS records now point at the ESA (collab.com MX mail.collab.com, mail.collab.com A 100.1.1.1). The voip.com mail server delivers to the Cisco ESA at 100.1.1.1, which relays the message to the collab.com mail server at 200.1.1.1.
Cisco Email Security Appliance Deployment

Diagram: the Cisco ESA sits in the DMZ, its Data1 interface 172.16.1.1 hosting the listeners. Outside: the learning.com mail server (15.1.2.13). Inside: the cisco.com mail server (10.1.1.10) and the demo.com mail server (10.1.1.11).
Cisco Email Security Filters and Actions

Filters: Reputation Filters, Message Filters, Anti-Spam, Anti-Virus, AMP, Graymail, Content Filters, Outbreak Filters

Actions: Deliver Message, Quarantine Message, Bounce Message, Drop Message
Content filters contain additional actions.
Mail Flow

Outgoing mail (from jdoe to jwhite): the internal SMTP server 10.1.1.10 connects to the listener. The sender is checked based on its IP address: the HAT matches the Relay List, Mail Flow Policy Relayed, connection behavior Relay. The Outgoing Mail Policy (condition: sender or recipient) then selects the inspection engines.

Incoming mail (from jwhite to jdoe): the sender is checked based on the SBRS (Sender Based Reputation Score): the HAT matches the Unknown List, Mail Flow Policy with connection behavior Accept. The RAT checks the recipient (TO: cisco.com, action Accept). The Incoming Mail Policy (condition: sender or recipient) then selects the inspection engines, and the message is delivered to jdoe on the cisco.com mail server 10.1.1.10.
Cisco Secure Network Analytics

Why are network visibility and analytics important?

The firewall is there to protect your inside network from threats on the Internet. But misconfigurations and mistakes are possible; how do you detect them?

If policy rules on the firewall or WSA are changed so that some rules are moved to the top, how do you detect this?

If an authorized server is used with stolen credentials and the attacker performs scanning and reconnaissance, how do you detect this?

If you have a huge volume of data exfiltration, how do you detect this?

If you are using DNS Layer Security with Umbrella as the trusted DNS server, and users are using rogue DNS servers with the risk of traffic redirection to malicious websites, how do you detect this violation?

You want to build segmentation policies on firewalls and other security products but you don't want to disrupt critical business activities. How do you use policies without enforcing them?

You want to detect malware in encrypted traffic without decryption while maintaining data integrity. How do you do this?
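The rogue-DNS question above is the kind of policy check flow telemetry answers. As an added example (not from the slide deck), this runs over constructed NetFlow-like records and flags clients whose DNS traffic bypasses the trusted path, taken here as the Umbrella resolvers plus an assumed internal forwarder 10.1.1.53 (the deck's "DNS forwarders" deployment).

```javascript
// Added example (not from the slide deck): NetFlow-style check for clients
// that resolve names outside the trusted DNS path. Trusted path = the Umbrella
// resolvers plus the internal forwarder that forwards to them. The forwarder
// address and all flow records below are constructed for illustration.
var TRUSTED_RESOLVERS = new Set([
  "208.67.222.222", "208.67.220.220", // Cisco Umbrella anycast resolvers
  "10.1.1.53"                         // assumed internal DNS forwarder
]);

// Constructed NetFlow-like records: {src, dst, proto, dport, bytes}.
var FLOWS = [
  { src: "10.1.1.25", dst: "10.1.1.53",      proto: "udp", dport: 53,  bytes: 120  }, // client -> forwarder: ok
  { src: "10.1.1.53", dst: "208.67.222.222", proto: "udp", dport: 53,  bytes: 130  }, // forwarder -> Umbrella: ok
  { src: "10.1.1.40", dst: "8.8.8.8",        proto: "udp", dport: 53,  bytes: 90   }, // rogue resolver
  { src: "10.1.1.40", dst: "8.8.8.8",        proto: "tcp", dport: 53,  bytes: 400  }, // rogue, DNS over TCP
  { src: "10.1.1.41", dst: "203.0.113.7",    proto: "udp", dport: 53,  bytes: 70   }, // rogue resolver
  { src: "10.1.1.25", dst: "100.1.1.1",      proto: "tcp", dport: 443, bytes: 5000 }  // not DNS
];

function isDnsFlow(f) {
  return f.dport === 53 && (f.proto === "udp" || f.proto === "tcp");
}

// Returns a Map client -> { resolvers: Set, flows, bytes } covering only DNS
// flows whose destination is not trusted. Port-53 TCP is included so a
// resolver that falls back to TCP (truncated answers) does not slip past a
// UDP-only rule.
function findRogueDns(flows, trusted) {
  trusted = trusted || TRUSTED_RESOLVERS;
  var byClient = new Map();
  flows.forEach(function (f) {
    if (!isDnsFlow(f) || trusted.has(f.dst)) { return; }
    var e = byClient.get(f.src) || { resolvers: new Set(), flows: 0, bytes: 0 };
    e.resolvers.add(f.dst);
    e.flows += 1;
    e.bytes += f.bytes;
    byClient.set(f.src, e);
  });
  return byClient;
}

// One alarm line per offending client, suitable for a SIEM or a ticket.
function report(flows) {
  var lines = [];
  findRogueDns(flows).forEach(function (e, client) {
    lines.push(client + " -> " + Array.from(e.resolvers).join(",") +
               " (" + e.flows + " flows, " + e.bytes + " bytes)");
  });
  return lines;
}

console.log(report(FLOWS).join("\n"));
```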
We have data. So now what?

Security Policy: analyse network behavior to design, implement and validate security policy.
Threat Detection: analyse network behavior to infer the presence of a threat actor.
Cisco Visibility Solution

Cisco Secure Network Analytics (formerly Stealthwatch)

2015 – Acquisition of Lancope

Telemetry with NetFlow: network devices export NetFlow telemetry to Stealthwatch.
Stealthwatch Enterprise architecture

Diagram components:
• Management Console: comprehensive visibility and security analytics; integrations with ISE, the Threat Intelligence License and Cognitive Intelligence (Stealthwatch Cloud)
• Flow Collector: receives NetFlow from NetFlow-enabled routers, switches and firewalls, telemetry for Encrypted Traffic Analytics, proxy data, Endpoint License telemetry and other traffic analysis software
• UDP Director: forwards UDP telemetry to the collectors and other tools
• Flow Sensor: generates NetFlow for non-NetFlow-enabled equipment
• Flow Sensor VE: runs on a hypervisor to generate NetFlow for VM-to-VM traffic
Cisco Secure Network Analytics Process

Classification, Categorization, Behavioral Analytics, Modeling, Alarms
Cisco SNA Key Features

Visibility everywhere: analyses enterprise telemetry from any source (NetFlow, IPFIX, sFlow, other Layer 7 protocols) across the extended network.
Encrypted Traffic Analytics: only product that can analyze encrypted traffic to detect malware and ensure policy compliance without decryption.
Rapid Threat Containment: quarantine infected hosts easily using the Identity Services Engine (ISE) integration; collect and store network audit trails for deeper forensic investigations.
Unique threat detection: combination of multi-layer machine learning and behavioral modeling provides the ability to detect inside as well as outside threats through contextual alarms.
Smart segmentation: create logical user groups that make sense for your business; monitor the effectiveness of segmentation policies.
Rapid Threat Containment

Diagram: Cisco Identity Services Engine <-> pxGrid <-> Cisco Stealthwatch Management Console.
• Context: ISE shares context over pxGrid; the information is shared with other network and security products.
• Mitigation: the Stealthwatch Management Console instructs Cisco ISE to quarantine or unquarantine an infected host.
Cisco Identity Services Engine

Context and Visibility with Cisco ISE

Without ISE (poor context): only an IP address is known; the user, device, location, time and access medium are all unknown.
With ISE (rich context): Jdoe-PC, Windows, Building 1 – Floor 2, 10:30 14 April, Wireless.
Context and Visibility with Cisco ISE

Policies based on the context: contexts drive Access Control and Accounting.

Cisco ISE key features

Device Admin, Visibility, Compliance, Access Control, BYOD Access, Guest Access, Profiling, Context Exchange, Threat Control
Different Access Control

Diagram (Cisco ISE):
• Network Access: a user connects through the NAD to the internal network
• VPN Access: a user connects from the INTERNET
• Device Admin: an admin manages the NAD
Cisco ISE Personas

PAN: Policy Administration Node
MnT: Monitoring Node
PSN: Policy Service Node
pxGrid Node
Cisco ISE Deployment

Diagram of small, medium and large deployments (PXG = pxGrid node):
• Small Deployment: two nodes, each running PAN, MnT, PSN and PXG
• Medium Deployment: two nodes running PAN and MnT; dedicated PSN and PXG nodes
• Large Deployment: dedicated PAN nodes, dedicated MnT nodes, max 50 PSNs, max 4 PXG nodes
Cisco ISE AAA service

ISE as AAA Server: Authentication, Authorization, Accounting
• Network Access: RADIUS
• Device Admin: TACACS

Cisco ISE Authentication Types

ISE as AAA Server:
• Web Authentication: based on a web portal; guest access and provisioning
• 802.1X: authentication based on credentials, with a supplicant
• MAB: authentication based on the MAC address, without a supplicant
Global Threat Alerts

Cisco Global Threat Alerts is a cloud-based solution that analyzes web proxy logs to detect threats in web traffic.

Diagram: the Cisco WSA proxies web traffic to the INTERNET and exports its web logs to Global Threat Alerts; Global Threat Alerts feeds Cisco ISE through TC-NAC, and ISE issues a CoA for the affected host.