
Posted on 27-Mar-2018



Welcome to Your Cisco Connect & Grow Series: Heat Up Your Sales with Cisco Security for SMB

BEFORE WE TAKE OFF… This webinar is being recorded and will be available 48 hours after the event at www.ingrammicro.com/ciscowebinars

This is your event – So please ask questions! Utilize the Q&A box or take the opportunity to call in and ask your question live during the broadcast. We love to hear from you!

And now, let’s get going…

Thank you for being a valued Cisco partner!

Cisco Connect & Grow Series

Incentive Drawing

Three $50 AmEx Gift Cards will be drawn at the close of the session

Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro’s express written permission.

Cisco Connect & Grow Series: Heat Up Your Sales with Cisco Security for SMB. Presenters: Peter Avino, Solution Center Engineer/Instructor, and Cori Hahn, Tech Support Specialist II (Cisco Security Lead), Ingram Micro. June 24th, 2015

Today’s Agenda

• Security Threats

• ASA 5500X

• Meraki MX

• Demo

• Q&A

Cisco Confidential 6 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Cisco ASA

ASA + Sourcefire = New, Adaptive, Threat-focused NGFW, with Cisco Collective Security Intelligence enabled:

• Identity-Policy Control & VPN

• URL Filtering (subscription)

• FireSIGHT Analytics & Automation

• Advanced Malware Protection (subscription)

• Intrusion Prevention (subscription)

• Application Visibility & Control

• Network Firewall, Routing | Switching

• Clustering & High Availability

• Built-in Network Profiling

SMBs Are Underserved by Legacy Solutions

Legacy next-generation firewall and unified threat management (NGFW + UTM) solutions were never designed for advanced threat protection.

• UTMs are less effective

• Legacy NGFWs and point solutions are costly and impractical to administer

• Point solutions bring major integration risks and questionable security efficacy

ASA for SMB

• Superior Threat Defense: Featuring integrated, best-of-breed security technologies, continually updated with superior threat intelligence feeds

• Superior Product Value: Small footprint devices capable of running superior, next-generation, threat-focused capabilities

• Flexible Management: Simplified, integrated, local management for single-instance deployments; centralized management for threat data correlation across the distributed enterprise

A New Way Forward for SMBs and Distributed Enterprises

Cisco Next-Generation Firewalls for SMBs, Distributed Enterprises, and Industrial Control

| Model | Form | Highlights |
|---|---|---|
| ASA 5506-X | Desktop model | 100% NGFW; ships with AVC |
| ASA 5506W-X | Integrated wireless access point | Wireless can be managed locally or through WLC |
| ASA 5508-X, ASA 5516-X | Higher performance | 1RU; new value-focused price-performance points |
| ASA 5506H-X | Ruggedized | NGFW for industrial control and critical infrastructure |

Perfect for Cisco® ASA 5505 refreshes.

Performance Comparison

| Feature | ASA 5506-X / 5506H-X / 5506W-X | ASA 5508-X | ASA 5516-X |
|---|---|---|---|
| Maximum stateful firewall throughput | 750 Mbps | 1 Gbps | 1.8 Gbps |
| VPN throughput | 100 Mbps | 175 Mbps | 250 Mbps |
| Maximum AVC throughput | 250 Mbps | 450 Mbps | 850 Mbps |
| Maximum AVC and NGIPS throughput | 125 Mbps | 250 Mbps | 450 Mbps |
| AVC or IPS sizing throughput [440 B] | 90 Mbps | 180 Mbps | 300 Mbps |
| Maximum concurrent sessions | 50,000¹ | 100,000 | 250,000 |
| Maximum CPS | 5,000 | 10,000 | 20,000 |

Each step up the model range is roughly 1.5x to 2x the previous column.

Model Comparison

| Category | Feature | ASA 5506-X | ASA 5506W-X | ASA 5506H-X | ASA 5508-X | ASA 5516-X |
|---|---|---|---|---|---|---|
| Hardware | Form factor | Desktop | Desktop | Desktop | 1RU | 1RU |
| Hardware | CPU | Multicore @ 1.25 GHz | Multicore @ 1.25 GHz | Multicore @ 1.25 GHz | Multicore @ 2 GHz | Multicore @ 2.4 GHz |
| Hardware | Memory - RAM | 4 GB | 4 GB | 4 GB | 8 GB | 8 GB |
| Hardware | Flash | 8 GB | 8 GB | 8 GB | 8 GB | 8 GB |
| Hardware | Fan | No | No | No | Yes | Yes |
| Hardware | I/O | 8x GE | 8x GE; Wi-Fi | 8x GE | 8x GE | 8x GE |
| Software | Stateful firewall | Yes | Yes | Yes | Yes | Yes |
| Software | FirePOWER™ services (all) | Yes | Yes | Yes | Yes | Yes |
| Software | User (node) support | Unlimited (default) | Unlimited (default) | Unlimited (default) | Unlimited (default) | Unlimited (default) |
| Software | High availability | Yes - Active/Standby only¹ | Yes - Active/Standby only¹ | Yes - Active/Standby only¹ | Yes (Active/Active) | Yes (Active/Active) |
| Software | Security context | No | No | No | Yes² | Yes² |
| Software | Clustering | No | No | No | No | Planned |

Platform Features

• The product has a reset pin. If it is held for more than three seconds, it will restore the factory configuration, clear passwords, and erase ROMMON variables.

• Cisco® Trust Anchor is implemented to validate the source of the image file and to also protect against hardware tampering and counterfeiting.

Superior Threat Defense

Integrated Threat Defense (on-box or centralized management):

• URL Filtering (Subscription)

• Advanced Malware Protection (AMP) (Subscription)

• Application Visibility and Control (AVC)

• Network Firewall, Routing | Switching

• VPN

• Next-Generation Intrusion Prevention (NGIPS) (Subscription)

Threat protection is our #1 differentiator.

• Same features and licenses as the larger Cisco® ASA with FirePOWER™ Services models when used with FireSIGHT®

• Simplified NGFW offering with on-box ASDM 7.3.x

Functional Distribution of Features

FirePOWER™ Services: Advanced Malware Protection; File Type Filtering; Application Visibility and Control; NGIPS; URL Category and Reputation; File Capture*

ASA: IP Fragmentation; IP Option Inspection; TCP Intercept; TCP Normalization; ACL; NAT; VPN Termination; Routing

Cisco FirePOWER Provides Superior Visibility for Accurate Threat Detection and Adaptive Defense

Cisco Advanced Malware Protection Built on Superior Collective Security Intelligence


• 1.6 million global sensors

• 100 TB of data received per day

• 150 million+ deployed endpoints

• 600 engineers, technicians, and researchers

• 35% worldwide email traffic

Cisco® Collective Security Intelligence Cloud, fed by Web, Endpoints, Devices, Networks, Email and IPS telemetry

Automatic Updates Every 3–5 Minutes

• 13 billion web requests

• 24-hour daily operations

• 4.3 billion web blocks per day

• 40+ languages

• 1.1 million incoming malware samples per day

• AMP community

• Private/public threat feeds

• Talos security intelligence

• AMP threat grid intelligence

• AMP Threat Grid dynamic analysis 10 million files/monthly

• Advanced Microsoft and industry disclosures

• Snort and ClamAV open source communities

• AEGIS program


Five Subscription Packages to Choose From for Each Appliance

[Diagram: “NGFW” packages and “NGIPS” packages, each built from URL, IPS and AMP subscriptions]

• AVC is part of the default offering

• 1, 3 and 5 year terms

• SMARTnet is ordered separately with the appliance

Key ASA Features

ASA 9.3.2 Release (Key Features)

• REST API

• Transport Layer Security (TLS) 1.2

• ECMP support, IPv6 Border Gateway Protocol (BGP)

• Standards-based IKEv2 support; Citrix HTML5 browser support

• VPN clients: Windows 7, 8.1, 8.1 phone client, iOS 8, Knox, strongSwan

• Cisco AnyConnect® 4.0

ASA 9.4.1 Release (Key Features)

• Policy-based routing

• REST API phase 2, SNMP enhancement

• Clientless tagging, WebVPN support for OWA 2013 and XenDesktop 7.5

• Full VXLAN support

Advanced VPN Capabilities: AnyConnect 4.0 Secure Mobility

• Diverse Endpoint Support for Greater Flexibility

• Flexible Options

• Rich, Granular Security Integrated into the Network

• Superior Threat Defense

• Always on for seamless experience and performance

• Superior Value

[Diagram: policy examples (Corporate File Sharing: Access Granted; Data-Loss Prevention; Threat Prevention; Acceptable Use; Access Control) applied to applications such as Skype, YouTube and Salesforce.com]

Flexible Management Options: Centralized or Local Management

Centralized Management: Same as Larger Models - Uses CSM and FireSIGHT™

Provides Security Teams with:

• Management for multiple devices

• Comprehensive visibility and control over network activity

• Optimal remediation through infection scoping and root-cause determination

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

NEW - Integrated Onbox Management

• The Cisco® Adaptive Security Device Manager (ASDM) 7 combines control of access policy and advanced threat defense functions

• The enhanced UI provides quick views on trends and the ability to navigate to more details

• Centralized management is optionally available with FireSIGHT® + Cisco Security Manager

Better Together: Continuous Visibility and Control

[Diagram: Network Visibility and Control* (Block); Mobile and Remote Deep Visibility and Control (Remediate); Remediation: discover infections, find the root cause, understand threats; virtualized hosts on a VMware vSphere hypervisor with application VMs and a security VM (SVM) running AV]

*Note: Blocking on the network is available in version 5.2

Cisco/Meraki Cloud Managed MX Security Appliance

Cloud-managed networking architecture

• Network endpoints securely connected to the cloud

• Cloud-hosted centralized management platform

• Intuitive browser-based dashboard

• Out of band cloud management in every product; only management data (1 kb/s) crosses the WAN to the cloud

Scalable: Unlimited throughput, no bottlenecks; add devices or sites in minutes

Reliable: Highly available cloud with multiple datacenters; network functions even if the connection to the cloud is interrupted

Secure: No user traffic passes through the cloud; fully HIPAA / PCI compliant (level 1 certified); 3rd party security audits, daily penetration testing

Future-proof: New features pushed through firmware, guided by customer feedback; automatic firmware and security updates (user-scheduled); reliability and security information at meraki.cisco.com/trust

MX security appliances

A complete unified threat management solution; 7 models scaling from teleworker and small branch to campus / datacenter.

Feature highlights:

• Application Control: Traffic Shaping, Content Filtering, Geo Firewall Rules

• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS

• Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing

MX security appliances: Licenses

Enterprise License: Stateful firewall; Site to site VPN; Branch routing; Link bonding and failover; Application control; Web caching; Client VPN

Advanced Security License: All enterprise features, plus Content filtering (with Google SafeSearch); Kaspersky Anti-Virus and Anti-Phishing; SourceFire IPS / IDS; Geo-based firewall rules

Designed for security and availability

• Redundancy & availability: Increased uptime of mission-critical infrastructure. Increase reliability with multi-hub VPN and warm spare failover (HA).

• Comprehensive Security: Granular control over phishing, foreign-originated and malicious traffic. Monitor and prevent threats based on severity, specific signatures, and region.

• Multi-site connectivity: IPSec VPN connections with flexible topology and security policies. Reduce VPN configuration time to seconds and complexity to a few clicks.

MX security appliances: Models

| Segment | Model | Users | Unique features | Throughput |
|---|---|---|---|---|
| Teleworker | Z1 | 1-5 | Dual-radio wireless | 50 Mbps |
| Small branch | MX64 / MX64W | ~50 | Wireless (MX60W) | 200 Mbps |
| Medium branch | MX80 | ~100 | Large WAN Opt cache (1 TB) | 250 Mbps |
| Medium branch | MX100 | ~500 | Gigabit uplinks; Large WAN Opt cache (1 TB) | 500 Mbps |
| Large branch / campus | MX400 | ~2,000 | High-speed uplinks; Built-in redundancy; Modular interface; Large WAN Opt cache (1 TB) | 1 Gbps |
| Large branch / campus | MX600 | ~10,000 | High-speed uplinks; Built-in redundancy; Modular interface | 2 Gbps |

All devices support 3G/4G.

Cisco Enterprise and Cloud Managed primary positioning

Cisco Cloud Managed:

• Easy to deploy and manage over the web

• Out-of-the-box optimized feature set

• Ongoing managed upgrades and enhancements

• Optimized for lean IT, with limited requirement for 3rd party integration

Cisco Enterprise:

• Flexible deployment and configuration options

• Highly customizable and advanced feature set

• Advanced professional services, extended support

• Extensive integration capabilities

Both portfolios offer significant professional services opportunities


Partner Demo Promotion - ASA5506-K9: Get 1 unit of the new Cisco ASA5506-K9 with Firepower Services at 99.9% discount to demo with your customers. Includes a free 45 day trial of Firepower Services (URL, AMP and IPS) and Cisco Support.

STEP BY STEP

• Partner contacts their Distributor of Choice to register

• Partner will use CCW (Cisco Commerce Workspace) to order the ASA5506-K9 DEMO unit at 99.9% discount

• Partner agrees to obtain their Cisco Express Security Specialization (ESS) within 45 business days once registered

• Partner will be registered by their distributor and show a special incentive (ASA5506 Demo Promotion) in CCW

• CCW Deal ID is approved; product is shipped from Distributor to Partner

Note - Partner has the option to conduct FirePower Services demos with their customers, or to install the product at a customer site for a potential sale and later offer the suite of Firepower Services (1yr AMP, URL or IPS licenses) with Smartnet* after the 45 day trial licenses expire. For questions please contact: Scott Schweizer, SBDM Americas Distribution, sschweiz@cisco.com

Experience Center How can Cisco and Ingram Enable You to Fly Higher?

Strength in Numbers

• 300+ Years Cisco Experience

• $2.5B Annual Cisco Revenue

• 18+ Years Cisco Partnership

• $150M+ Inventory, Industry Leader

• 145+ Dedicated Cisco Specialists

Partner Enablement & Services

State of the Art Experience Center

Technical & Business Sales Training

Config to Order

Professional Services

Build to Order

World Class Tech Support

Dedicated Field Engineers

Flexible Financing Opportunities

Partner Programs & Promotions

Just Switch It

Fast Track

Unified Access

Collaborate Now

UCS Advantage

ASA Migration Program

Mobility Express Bundles

Security Ignite

Experience Center

Hands on Technology from ALL Cisco Architectures

$10M+ Cisco Equipment

Product Demos

Dedicated Cisco Engineering Team

Solution Proof-of-Concepts

Exec. Meeting Presence w/ Latest Video Conf

End Users & Staff Training

Live or Remote Demos/Trainings


Questions? Peter Avino, Solution Center Engineer/Instructor, Ingram Micro: Peter.avino@ingrammicro.com

Cori Hahn, Tech Support Specialist II (Cisco Security Lead), Ingram Micro: Cori.Hahn@ingrammicro.com

Incentive Drawing

And the winner is …..

Contact Us

| Team | Phone | Email |
|---|---|---|
| Hardware | (800) 456-8000 ext. 76471, Option 1: Hardware | |
| Partner Development | (800) 456-8000 ext. 76799 | myciscoteam@ingrammicro.com |
| Services | (800) 456-8000 ext. 76471, Option 2: Services | |
| Public Sector | (800) 456-8000 ext. 76471, Opt. 1: HW, Opt. 2: Services | |


Cisco Security "Expert" Level Series: For Partner SE/FE’s, TAC Level NPI Training

• Featured ASA Courses: ASAv & ASA 9.2 NGFW; ASA 9.0 Firewall Features (Clustering, Suite B, etc.); ASA 9.0.1 Remote Access VPN; ASA (Cloud Web Security - CWS); ASA CX/PRSM Advanced Topics; AnyConnect 3.1

• Featured ISE: ISE 1.2 BYOD; The Identity Services Engine Design/Install - Part 1; The Identity Services Engine Design/Install - Part 2 "Certificates & EAP-TLS"

• Featured Management: CSM 4.3; CSM 4.4

https://communities.cisco.com/docs/DOC-26324


Security Voice of the Engineer

• Slides and recordings posted to Partner Community

• All Sessions are 1:00 – 2:00 Eastern Time

| Date | Topic |
|---|---|
| July 29 | Adaptive Security Appliance |
| September 9 | Identity Services Engine |
| October 7 | Content Security (ESA, WSA, CWS) |
| November 4 | Sourcefire |

| Target Date | Topic |
|---|---|
| March 13 | Cisco’s Intelligent Cybersecurity for the Real World |
| March 27 | TrustSec 4.0 Launch |
| April 11 | Sourcefire AMP Updates Launch |
| April 24 | Secure Data Center Solutions |
| May 1 | Sourcefire 5.3 Launch |
| May 29 | ISE Licensing |
| June 12 | ASA 9.2 Launch |
| September 18 | FirePOWER Services for ASA Launch |
| September 25 | ISE 1.3 Launch |
| October 9 | ASA Licensing |

https://communities.cisco.com/docs/DOC-52899

https://communities.cisco.com/docs/DOC-30718

Rebranded


Tech Talks – Security Deep-Dives: Recorded Sessions & Slides at https://communities.cisco.com/docs/DOC-30977

• AnyConnect: AnyConnect VPN (1/15/13); AnyConnect NAM (1/29/13); AnyConnect Mobile (2/12/13); Advanced AnyConnect Configuration (2/26/13); AnyConnect TAC Tips (3/12/13)

• Content Security: ESA Architecture & Deployment Best Practices (3/5/13); WSA Architecture & Deployment Best Practices (3/19/13); CWS Architecture & Deployment Best Practices (4/2/13); ASA CX Architecture & Deployment Best Practices (4/16/13); TAC Tips: Email (4/30/13); TAC Tips: Web (5/14/13)

• Identity Services Engine (ISE): TrustSec & ISE Overview (9/25/12); AAA, 802.1X, MAB (10/9/12); ISE Profiling (10/23/12); Web Auth, Guest & Device Registration (11/6/12); Bring Your Own Device & EAP Chaining (11/20/12); Posture & Security Group Access (12/4/12); Best Practices (12/18/12); TAC Tips: Processes, Trends, Troubleshooting (1/8/13); TAC Tips: Documentation, Tools, Troubleshooting (1/22/13)

• SourceFire: System Overview (5/28/14); Threat Control (6/11/14); Application Control (7/2/14); File Control (7/16/14); FireAMP Overview (7/30/14); FireAMP Outbreak Control (8/6/14)

• Adaptive Security Appliance: ASA Overview (10/16/13); Data Center & HA (10/30/13); Next Generation Firewall (11/20/13); IPS for NGFW (12/4/13); ASA Management (12/18/13)


ASA FirePOWER Services launched Sept. 16, 2014. Pricing & Orderable on CCW now. Generally Available August 1, 2014.

Ordering Guide, Data Sheets, Sizing Guide, Promos, Presentations: http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/partner-resources-listing.html/index.html

Sales Resources: http://www.cisco.com/c/en/us/products/security/asa-firepower-services/sales-resources-listing.html

Training: ASA with FirePOWER Services: Technical: https://communities.cisco.com/docs/DOC-53979

Training: ASA with FirePOWER Services: Sales: https://communities.cisco.com/docs/DOC-53978

Install Quick Start Guide: http://www.cisco.com/c/en/us/support/security/asa-firepower-services/products-installation-guides-list.html

Sales Acceleration Center (SAC): https://communities.cisco.com/docs/DOC-53126

Support Resources


Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover

• Available on all ASA platforms

• State-sharing between firewalls over the failover link for high availability

• L2 Transparent or L3 Routed deployment options

• ASA provides valid, normalized flows to the FirePOWER module

*State sharing does not occur between FirePOWER Services Modules


Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering

• Up to 8 ASA5585-X IPS

• Stateless load balancing by external switch

• L2 Transparent or L3 Routed deployment options

• Support for vPC, VSS and LACP

• Cluster Control Protocol/Link

• State-sharing between firewalls for symmetry and high availability

• Every session has a primary and secondary owner ASA

• ASA provides traffic symmetry to the FirePOWER module

*State sharing does not occur between FirePOWER Services Modules


Asymmetric Traffic in a Nexus 7K Datacenter

Asymmetry is an issue:

• A standard Nexus deployment uses an L3 routing protocol to the core and an L2 environment to the access layer, where the Nexus is the default gateway for all servers in the access switch.

• The Nexus uses a virtual port channel (vPC) for connections to the access layer. This allows the dual connection of the access layer without having spanning tree running.

• One requirement for inserting security services into this deployment is that it has to handle the fact that traffic will be asymmetric (return traffic is not guaranteed to take the same path as inbound traffic) due to the vPC and potentially due to inbound routing.

• These problems get worse when you move to distributed datacenters!

[Diagram: Core; N7K pair joined by a vPC peer-link; vPC to the Access layer; DC Servers; Internal Network]


Clustering and Asymmetry

Traffic going to the Datacenter

• ASA 1 sees the traffic and becomes the owner

• Asymmetry is introduced on the return path

• ASA 2 sees the traffic and has never seen it before so asks, on the Cluster Control Link, who owns the flow

• ASA 1 signals that it owns the flow

• ASA 2 sends ASA 1 the packet from the flow in question over the CCL

• FirePOWER Services for ASA module inside ASA 1 sees the entire flow

• The module in ASA 2 sees no packets from that flow
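The flow-owner lookup described in these bullets, modelled in Python as an added illustration (not Cisco code; the class names, the forwarder cache and the addresses are the example's own assumptions): ASA1 owns the flow, ASA2 sees the asymmetric return path, asks the CCL once, and forwards every later packet of that flow to the owner, so only ASA1's FirePOWER module inspects the flow.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A packet reduced to its addressing (constructed sample data)."""
    src: str
    dst: str
    sport: int
    dport: int
    label: str = ""


def flow_key(p: Packet) -> tuple:
    """Direction-independent key so both halves of a connection map to one flow."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class ClusterControlLink:
    """Stand-in for the CCL: answers 'who owns this flow?' for the cluster."""

    def __init__(self):
        self.owners = {}      # flow key -> owning unit
        self.queries = 0      # owner lookups sent across the CCL

    def lookup(self, key):
        self.queries += 1
        return self.owners.get(key)

    def register(self, key, unit):
        self.owners[key] = unit


class ClusterUnit:
    def __init__(self, name: str, ccl: ClusterControlLink):
        self.name = name
        self.ccl = ccl
        self.owned = set()        # flows this unit owns
        self.forward_to = {}      # flows this unit forwards to another owner (assumed cache)
        self.module_seen = []     # packets the FirePOWER module on this unit inspected
        self.redirected = 0       # packets handed to another unit over the CCL

    def receive(self, p: Packet) -> str:
        """Returns the name of the unit whose FirePOWER module inspected the packet."""
        key = flow_key(p)
        if key in self.owned:
            self.module_seen.append(p)
            return self.name
        owner = self.forward_to.get(key)
        if owner is None:
            owner = self.ccl.lookup(key)          # first sight here: ask who owns the flow
            if owner is None:
                # Never seen anywhere in the cluster: this unit becomes the owner.
                self.ccl.register(key, self)
                self.owned.add(key)
                self.module_seen.append(p)
                return self.name
            self.forward_to[key] = owner          # remember the answer for later packets
        # Asymmetric packet: send it to the owner so its module sees the whole flow.
        self.redirected += 1
        return owner.receive(p)


def simulate() -> dict:
    """Inbound path through ASA1, return path through ASA2 (asymmetric)."""
    ccl = ClusterControlLink()
    asa1, asa2 = ClusterUnit("ASA1", ccl), ClusterUnit("ASA2", ccl)
    client, server = "198.51.100.7", "192.0.2.20"          # constructed addresses

    def fwd(label): return Packet(client, server, 51000, 443, label)
    def rev(label): return Packet(server, client, 443, 51000, label)

    path = [(asa1, fwd("SYN")), (asa2, rev("SYN/ACK")), (asa1, fwd("ACK")), (asa2, rev("data"))]
    handled_by = [unit.receive(p) for unit, p in path]
    return {"handled_by": handled_by, "asa1_module": len(asa1.module_seen),
            "asa2_module": len(asa2.module_seen), "redirected": asa2.redirected,
            "ccl_queries": ccl.queries}
```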


Multi-Context ASA Deployments

• ASA can be configured in multiple-context mode so that traffic going through the ASA can be assigned different policies.

• The context interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.

• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside, and a different policy for Context B Outside to Context B Inside.

• Note: There is no management segmentation inside the FirePOWER module comparable to the context separation in the ASA configuration.

[Diagram: Context A and Context B, each with an Outside and an Inside interface]


Multi-Context ASA Deployments

[Diagram: Admin Context and Context-1]


FirePOWER Services Demonstration Monitor-Only Mode (Demonstration Purposes Only currently)

• Monitor Mode allows FirePOWER Services to analyze traffic without being placed in the data path. The ASA is connected to a SPAN port on a switch or router, and copies of both inbound and outbound packets are sent to the FirePOWER Service. This copied traffic bypasses the ASA policy and goes directly to the FirePOWER Services which will apply policies to determine what traffic would have been blocked. After analysis of the traffic, the packets are discarded.

• https://communities.cisco.com/docs/DOC-50586

[Diagram: FirePOWER Services for ASA in Monitor-Only Mode, fed by a SPAN port]


FirePOWER devices, appliances and modules support what is called mid-session pickup.

This occurs when a flow is seen by an FP device at some point after the 3-way handshake has occurred.

The FP device will attempt to sync up state for the client and server and, once complete, will enable the “Flow Established” flag that is required for most IPS signatures.

For customers who are more risk averse, “Require 3 way handshake” can be enabled, which tells FirePOWER to ignore all flows where the 3-way handshake has not been seen. This prevents any possible false positives that might result from picking up a flow mid-stream.
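To make the trade-off concrete, an added Python model (not FirePOWER code; FlowTracker, its fields and the sample segments are the example's own) replays one flow seen from its SYN and one that was already running when monitoring began, once with mid-session pickup and once with the require-handshake policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to what the tracker needs (constructed data)."""
    src: str           # "host:port"
    dst: str
    flags: str         # "SYN", "SYN/ACK", "ACK" or "PSH"
    payload: bytes = b""


class FlowTracker:
    """Tracks per-flow state a sensor needs before rules that require an
    established flow may fire. Hypothetical names, not FirePOWER's."""

    def __init__(self, require_handshake: bool = False):
        self.require_handshake = require_handshake
        self.flows = {}        # endpoints -> {"hs": bool, "established": bool, "sides": set}
        self.inspected = 0     # payload segments that reached established-flow rules
        self.ignored = 0       # segments skipped because no handshake was observed

    def process(self, seg: Segment) -> str:
        key = frozenset((seg.src, seg.dst))
        st = self.flows.get(key)
        if st is None:
            if seg.flags == "SYN":
                # Normal case: the sensor sees the flow from its first packet.
                self.flows[key] = {"hs": True, "established": False, "sides": {seg.src}}
                return "handshake"
            if self.require_handshake:
                # Risk-averse policy: never trust a flow whose SYN was not seen.
                self.ignored += 1
                return "ignored"
            # Mid-session pickup: start syncing state from whichever side is seen first.
            self.flows[key] = {"hs": False, "established": False, "sides": {seg.src}}
            return "pickup"
        if not st["established"]:
            if st["hs"]:
                if seg.flags == "SYN/ACK":
                    return "handshake"
                if seg.flags == "ACK":          # third packet completes the handshake
                    st["established"] = True
            else:
                st["sides"].add(seg.src)        # pickup: both client and server seen yet?
                if len(st["sides"]) == 2:
                    st["established"] = True    # state synced: "Flow Established" set
            if not st["established"]:
                return "syncing"
        if seg.payload:
            self.inspected += 1                 # established-flow signatures may fire
            return "inspected"
        return "established"


def run(require_handshake: bool) -> dict:
    """Replay two constructed flows: one seen from its SYN, one picked up mid-stream."""
    c, s = "10.0.0.5:40000", "192.0.2.10:80"
    c2, s2 = "10.0.0.6:40001", "192.0.2.11:443"
    segments = [
        Segment(c, s, "SYN"), Segment(s, c, "SYN/ACK"), Segment(c, s, "ACK"),
        Segment(c, s, "PSH", b"GET / HTTP/1.1"), Segment(s, c, "PSH", b"HTTP/1.1 200 OK"),
        # Second flow was already up when monitoring began: its SYN is never seen.
        Segment(s2, c2, "PSH", b"\x17\x03\x03"), Segment(c2, s2, "PSH", b"\x17\x03\x03"),
        Segment(s2, c2, "PSH", b"\x17\x03\x03"),
    ]
    tr = FlowTracker(require_handshake)
    verdicts = [tr.process(seg) for seg in segments]
    return {"verdicts": verdicts, "inspected": tr.inspected, "ignored": tr.ignored}
```

With pickup enabled the pre-existing flow is inspected once both sides have been seen; with the handshake required, none of its segments reach the IPS rules, which is exactly the coverage the stricter policy trades for fewer false positives.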

Session Failover (HA) Discussion