Security Newsletter
Dear Security Partner,
The Swiss Borderless Networks Team would like to update you on the latest Security information that happened over the
Please let us know if you have any question related to the information provided below.
Jean-François Pujol & the Cisco Switzerland Borderless Networks Team
What is this Newsletter about?
This is the 3rd Security interest newsletter. The Swiss Borderless Networks team consolidates announcements and
technology updates into this condensed newsletter. It's manually composed, so it contains only the information required
for your benefit. Pass this newsletter to your colleagues and inform us by mail to email@example.com so we can
add them to the mailing list. If you would like to unsubscribe, just drop a mail. Most of the links given require a CCO login
(some with partner rights).
Application Centric Infrastructure (ACI) Security Solutions
The new Cisco ACI Security Solution family enables data center customers to uniquely integrate Cisco’s Adaptive Security
Appliance data center security products into the Application Centric Infrastructure.
This announcement delivers four significant changes to the Data Center security product line:
• A new virtual appliance called the Cisco Adaptive Security Virtual Appliance (ASAv) for traditional tiered data center
networks and the Application-Centric Infrastructure. The ASAv was built from the ground up for full featured fabric
integration, and is designed to protect the new generation of data centers where east-west traffic dominates. It has
the complete ASA feature set, works with multiple hypervisors and vSwitches, and comes with a new flexible
• Cisco has also opened up the ASA platform for seamless service insertion into network fabrics for both virtual and
physical appliances. This is done through open APIs, native VXLAN, and tag support.
• Deep integration with ACI provides a comprehensive security solution for the ACI fabric. This includes physical ASA
5585-Xs operating in a cluster for vertical scaling up to 640Gbps, limitless virtual scaling using the new ASAv, and
the integration of Sourcefire next-generation IPS technologies for advanced threat and malware protection.
• Centralized security policy life-cycle management of ASAs using ACI's Application Policy Infrastructure Controller
for deployment, management, auditing, and IT governance.
More information can be found at the following links :
• ACI Security Solution
• Press Releases: Cisco Pioneers Real-Time Application Delivery in Global Data Centers and Clouds to Enable Greater
Business Agility Technology Leaders Rally Behind Cisco's Application Centric Infrastructure
New ASA-CX version 9.2.1 is available
What are the key new features in ASA-CX 9.2.1?
• IPS on NGFW
• PRSM support for basic ASA management functionality
• NGFW support on SSP40 and SSP60 for multi-gigabit Internet gateways
• Rate-limiting based on NGFW policy
For other enhancements, see the link below:
Cisco ASA CX and Cisco Prime Security Manager New Features By Release
Will we require customers to purchase a separate license for IPS on NGFW?
Yes. The new IPS license on NGFW will be made available as a standalone license as well as a bundled licensing with other
popular options (Web Security Essentials, AVC, etc).
Are there differences from the current ASA IPS?
Yes. For example, the signatures available for IPS on NGFW are focused on threats that are prevalent for the Internet
Edge. In other words, IPS on NGFW is not optimized for Datacenter server protection in Peregrine timeframe.
Will there be a performance impact from turning on IPS on NGFW?
Yes. We will provide updated data sheets with the corresponding information. In the near future, sizing metrics will be
shared to ensure environments are properly sized.
Release notes : Release Notes for ASA CX and Cisco Prime Security Manager 9.2
Documentation : Finding ASA CX and Cisco Prime Security Manager Documentation
Anyconnect Secure Mobility Client
Anyconnect is now supported on Windows 8.1 (available as of version 3.1.04072), on Android 4.4 (KitKat), and MacOS-X
However, due to some issues with those software platforms, early adopters may encounter some limitations.
Please check availability and software updates on Cisco.com or our dedicated Facebook web page.
Cisco statement regarding some competitor’s misleading advertisements
To clarify some recent misleading communication sent out by others, we want to assure you that Cisco continues to
aggressively invest in the ASA 5500-X Next-Generation Firewall (NGFW) so you get the market-leading security you need
to stay ahead of today's sophisticated threats.
Backed by the world's largest security and threat research organization, Next-Generation Firewalls from Cisco help you see
risks, eliminate threats, and gain consistent controls from the small office to the data center.
In fact, just last week Cisco released major new updates to the ASA 5500-X Next-Generation Firewall that:
• Combine new NGFW, NGIPS, integrated Web security and application control to proactively protect you from known
and emerging threats at the Internet edge
• Increase NGFW scalability from the smallest branch to the highest internet edge deployments
• Simplify NGFW administration to reduce operational costs and complexity with a single, unified management
Our commitment to security has never been stronger.
With our recent acquisition of Sourcefire, and industry-leading ASA firewall, next-generation IPS and advanced malware
protection, your investment will only get stronger.
Our new model for security through a visibility-driven, threat-centric, and platform-based approach means your ASA 5500-X NGFW investment will evolve ahead of tomorrow's threats.
Protect your investment. Initiate migration to the Cisco ASA 5500-X NGFW today.
If you have any questions, do not hesitate to contact the Cisco Swiss Security team at firstname.lastname@example.org.
And thanks for being a highly valued Cisco partner.
To learn more about Cisco ASA 5500-X NGFW, please visit:
Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco ASA Next-Generation Firewall Services
Cisco Prime Security Manager
New x80 Series Content Security Appliances
The x80 series is built on Cisco’s market-leading Unified Computing System (UCS) server platform, a Gartner Magic
Quadrant leader, rated highest by customers over Dell, IBM, and HP (TheInfoPro, 2012). The x80 series takes full
advantage of the robust Cisco UCS platform to deliver significant enhancements over previous generations of
• Up to 60% performance improvement over previous generations
• 2x increase in days allocated for reporting on Cisco SMA
• DC power option and remote power cycling
• Greater scalability and reliability
Product Data sheets: WSA, ESA, and SMA
vESA and vWSA demo licenses available on cisco.com
Cisco Web and Email Security Virtual Appliance 45-day evaluation licenses are now available for request at the
cisco.com licensing portal for BOTH Cisco field and partners. These evaluation licenses, along with ESAV and WSAV
software, are available at no cost to customers, and can significantly speed up and simplify the evaluation and sales
Conditions: Please note that only one license per product may be requested for each opportunity. A second trial license
can be requested at the end of first 45-days, if an extension is needed. Please also note that there is no TAC support
associated with these licenses.
Here’s What You Do:
• Step One: Fill out the ESAV/WSAV demo license request form here:
• Step Two: Download the ESAV or WSAV software image:
The Web Security Appliance is available here:
The Email Security Appliance is available here:
• Step Three: Load the software image onto an appropriate server and apply the license. There are several different
models available, with different hardware resource allocation requirements. One software license can be applied to
as many virtual appliances as needed.
Partner specific tools and resources
Check the following link: Web Security Partner Central
Cisco Security Manager CSM
Cisco Security Manager (CSM) version 4.4 Service Pack 2 is now available for download on CCO.
Security Manager 4.4 Service Pack 2 provides fixes for various problems. For more information, see Resolved Caveats—
Release 4.4 Service Pack 2.
This service pack also provides IPS 7.0.9 version support for following platforms:
• Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Services Module
• Cisco Intrusion Prevention System Network Module Enhanced (NME)
• Cisco Intrusion Prevention System Advanced Integration Module (AIM) for Cisco1841, 2800, and 3800 Series
Integrated Services Routers.
See the release notes here:
EoL announcement of Cisco IPS 7.0
Cisco IPS Sensor Software Version 7.0 will reach External end-of-life announcement on 01-AUG-2013.
For more details, refer to EoL announcement (EOL9284) on :
Cisco IPS 4500—New PIDs and Pricing Changes
Cisco announced the availability of the new Cisco IPS 4520-XL Sensor, the highest performance IPS Sensor from Cisco’s
IPS product family. The 4520-XL secures data center infrastructure and applications from advanced threats and
sophisticated attacks. The IPS 4520-XL is an enhanced version of the 4520 Sensor, with 2 IPS blades offering up to 20
Gbps of max inspection performance.
Announcement for EoS and EoL for the Cisco Small Business ISA500 Series Integrated Security Appliances
Cisco announces the end-of-sale and end-of-life dates for the Cisco Small Business ISA500 Series Integrated Security
Appliances. The last day to order the affected product(s) is Nov. 14th, 2013. Customers will continue to receive phone
support from the Cisco Small Business Support Center (SBSC). For customers with active product warranties, support will
be available as stated in the product warranty terms and conditions, even if this date exceeds the Last Date of Support.
Product Migration options
There is no direct replacement available for the Cisco ISA500 Integrated Security Appliances at this time. Customers may,
however, consider migrating to the Cisco ASA 5512-X Series Next-Generation Firewalls, Cisco ASA 5505 Adaptive Security
Appliance, or Cisco MX60 and MX60W Cloud Managed Security Appliances.
Information about these products can be found at the links below.
ASA5512-X ASA5505 MX60 and MX60W
Now Available: Identity Service Engine release 1.2
ISE 1.2 features :
ISE is an all-in-one enterprise policy control solution, securing access to wired, wireless and VPN networks. With ISE, end-users and IT are more productive, which, ultimately, lowers IT operating costs. Among the many enhancements with ISE 1.2, we draw your attention to these five:
1. Broad partner eco-system that starts with MDM
The ISE MDM Integration feature enables the network to automatically determine device compliance and can allow the
user an option to enable or decline MDM. The MDM partner ecosystem is currently : Airwatch, Inc., Good Technology,
MobileIron, Inc., Zenprise, Inc., SAP Afaria, FiberLink Maas360, Cisco Mobile Collaboration Management Services (MCMS)
2. Industry's first real-time profiling feed service
Cisco's new profiling feed service allows users to get on the network with the latest consumer devices: easy for users, easy
for IT. Cisco live feed will ensure that you can recognize and onboard the latest consumer devices without requiring IT
to create a manual profile as soon as a new device becomes commercially available.
3. Mobile and Desktop Browser Support for Guest and BYOD
Support for both mobile and desktop on-boarding is now native to ISE. ISE dynamically identifies BYOD and Guest users'
devices and sends them easy-to-use on-boarding screens customized for their device.
4. Administrative Tasks Streamlined
The new default Bootstrap wizard saves time and helps ensure the deployment is done right the first time. Just type in a
username, device type, or MAC address and ISE instantly delivers a list of all matching entities. ISE's new reporting service
boasts a faster user interface and scheduled reports, and the 5000 record reporting limit has been lifted so administrators can
slice and dice data across any date range.
5. Double the Scale & Performance
ISE 1.2 now supports a maximum of 250K endpoints per deployment with the ability to support more concurrent
endpoints than the competition.
Release notes : Release Notes for Cisco Identity Services Engine, Release 1.2
ISE 1.2 NFR Software.
Cisco has announced its availability and of September, and it is now orderable on marketplace:
The bundle provides partners with ISE and Services VMs they can leverage to configure a purpose built lab. The ISE image
included with the NFR kit comes with a minimal configuration for simple insertion into a lab environment. There are 20
non-expiring base and advanced licenses and the image supports upgrades. The USB drive from Marketplace includes a
configuration file that can be used to restore the base configuration and licenses. The Services image included with the
NFR kit is a Linux VM that provides key ISE services such as NTP, DNS, DHCP, LDAP, and CA. The Linux VM is
preconfigured, but can be customized to meet specific customer use cases or scenarios.
Through this Cisco Partner Community post https://communities.cisco.com/docs/DOC-32999, Cisco made information
available to stand up a pre-configured demo environment that highlights key ISE use cases.
Cisco Identity Services Engine (ISE) Extended Special Pricing on Selected SKUs
The special pricing on selected SKUs, which has been in effect since January 28, 2013, will be extended beyond the
original end of July 27, 2013 indefinitely. Please note that prices may be changed at a future date subject to applicable
requirements and notifications.
New Cisco ISE Subscription Licenses
New Cisco ISE Advanced, Wireless, & Wireless Upgrade subscription licenses are available on the GPL.
These new subscriptions can be identified by the "S" included in the Product ID or SKU (e.g. L-ISE-ADV-S-100= , L-ISE-W-S100=, L-ISE-WU-S-100=) and are recommended for all ISE term license sales. The new subscription licenses are priced the
same as the legacy ISE term licenses (no change in pricing), but do offer enhancements for renewal processing and
support for co-term operations. The legacy ISE term licenses will be announced for EOS shortly.
For more information on ISE Subscription Licenses please review the following documents - New Cisco ISE Subscription
License Ordering & New Cisco ISE Subscription License Reference. Both documents are located on the Cisco ATP
Now available : MX100 Security Appliance
The new MX100 Security Appliance which builds on the popular MX90 platform increases capacity for high-performance
branch networks. The MX100 addresses the growing capacity requirements of modern networks, and offers customers
looking for a mid-sized branch solution a choice that fits between the Cisco Meraki MX80 and MX400 models.
Along with this new model, we are introducing a host of new features for the entire MX line, including:
• Integrated IPS with SourceFire SNORT
• Facebook login for both wired and wireless clients
• Configuration templates for multi-MX environments
• MPLS to VPN failover
See : MX100 Security Appliance
Cisco NAC Agent compliance module
The NAC Agent compliance modules for Windows and MacOS-X have been updated three times since the July time frame.
See the latest supported AV/AS versions here : Cisco Identity Services Engine Supported Windows AV/AS Products Version
End-of-Sale and End-of-Life Announcement for the Cisco NAC Appliance 3315, 3355, and 3395
Migration Programs http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/eol_C51729146.html
Cisco announces the end-of-sale and end-of-life dates for the Cisco NAC Appliance 3315, 3355, and 3395 Migration
Programs. The last day to order the affected product(s) is February 5, 2014.