Lancope and Cisco ASA for Advanced Security Context

By collecting and analyzing data from Cisco ASA with Lancope’s StealthWatch System, organizations can:

• Increase visibility and security context at the network edge
• Consume and stitch together NAT data to more accurately pinpoint the source of issues such as MPAA/RIAA copyright infringements
• Audit firewall rules through flow analysis
• Achieve better performance and scalability for network and security monitoring
• Save vast amounts of time and money spent correlating data points from various sources
• More confidently demonstrate compliance with regulations such as PCI

Transcript

  • 1. Lancope and Cisco ASA for Advanced Security Context
  • 2. Agenda
    – The need for more information and context – the Cyber Threat Defense
    – What is NSEL?
    – How NSEL and StealthWatch work together
    – Examples
    – Summary
  • 3. Cyber Threat Defense Solution
    – Devices: hardware-enabled NetFlow switch, Cisco ISE, Cisco ISR G2 + NBAR, Cisco ASA + NSEL
    – Internal network visibility, context, and control
    – Use NetFlow data to extend visibility to the access layer
    – Unify into a single pane of glass for detection, investigation and reporting
    – Enrich flow data with identity, events and application to create context: who, what, where, when, how
  • 4. What is NSEL?
    – NetFlow Security Event Logging provides visualization into policy enforcement points
    – Created as an efficient event reporting mechanism:
    – Syslog (the traditional firewall event reporting mechanism): verbose, text based, single event per packet, ~30% processing overhead
    – NetFlow: compact, binary, multiple events per packet, ~7-10% processing overhead
  • 5. NSEL Implementation Details
    – Cisco NSEL slightly deviates from standard NetFlow: an NSEL flow is bidirectional, an NSEL flow is equivalent to an ASA connection, and NSEL events are generated per ASA connection
    – Event based: records were originally generated based on the 3 connection status events; in ASA v8.4.5 flow update events are generated on activity timers; denied connections also generate NSEL records
    – NSEL records are issued for the following events: flow creation (issued for every flow that is created); flow teardown (issued for every successfully created flow when it ends); flow denial (issued when a flow is denied by an ACL)
  • 6. How NSEL works: Flow Created (diagram: client, Cisco ASA, server; NSEL record exported to the StealthWatch FlowCollector and StealthWatch Management Console)
  • 7. How NSEL works: Flow Tear Down (same diagram)
  • 8. How NSEL works: Flow Denied (same diagram)
  • 9. Flow Action
    – StealthWatch defines the NSEL flow event field as a Flow Action
    – It can provide additional context: identity, device type, application data
  • 10. Flow Denied Events
    – A useful inspection point
    – Identify suspicious activity
  • 11. Flow Action as part of Concern Index
    – Concern Index points are accumulated for Flow Denied events
  • 12. NAT Stitching
    – Pre- and post-NAT stitching inside StealthWatch
    – Decreases investigation time
  • 13. Examples
    – RIAA notices
    – PCI compliance
    – Firewall rule auditing
    – Tracking down outbound attacks
    – Better scalability and performance
  • 14. Summary (Cisco ASA + NSEL + FlowCollector + StealthWatch Management Console)
    – Provides flow and event visibility and context
    – Reports details of a flow and associated events
    – Provides threat visibility and context
    – Single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting
  • 15. Thank you!!
  • 16. Get Engaged with Lancope
    – Follow us at @Lancope and @NetFlowNinjas
    – Subscribe to Lancope updates at http://feeds.feedburner.com/NetflowNinjas
    – Attend complimentary NetFlow 101 Seminars: http://www.lancope.com/news-events/university-of-netflow/
    – Join NetFlow Ninjas: http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
    – Access StealthLabs Intelligence Center (SLIC) Reports: http://lancope.com/SLIC
    – Download “NetFlow Security Monitoring for Dummies”: http://www.lancope.com/netflow-for-dummies/
    – © 2012 Lancope, Inc. All rights reserved. Please email sales@lancope.com or
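As an added example (not Lancope's or Cisco's code), this Python sketch shows two ideas from slides 5, 11 and 12 in working form: building a pre/post-NAT map from flow-created records so that the public address and port quoted in a third-party notice can be traced back to the inside host, and accumulating Concern Index points for Flow Denied events. The record field names, the sample records and the 10-point weight are this example's own assumptions; the event codes follow Cisco's NSEL fwEvent values (1 created, 2 torn down, 3 denied).

```python
from collections import defaultdict

# Event codes follow Cisco's NSEL fwEvent convention (1 created, 2 torn down, 3 denied).
FLOW_CREATED, FLOW_TEARDOWN, FLOW_DENIED = 1, 2, 3
DENIED_CI_POINTS = 10  # assumed weight added to a host's Concern Index per denied flow

# Constructed sample records. Field names are this example's own simplification of an
# NSEL record: the pre-NAT tuple (src/sport/dst/dport) plus the post-NAT translated source.
SAMPLE_RECORDS = [
    {"event": FLOW_CREATED,  "src": "10.1.1.5", "sport": 51000, "dst": "203.0.113.9",
     "dport": 443, "xlate_src": "198.51.100.2", "xlate_sport": 4001},
    {"event": FLOW_TEARDOWN, "src": "10.1.1.5", "sport": 51000, "dst": "203.0.113.9",
     "dport": 443, "xlate_src": "198.51.100.2", "xlate_sport": 4001, "bytes": 8192},
    {"event": FLOW_CREATED,  "src": "10.1.1.7", "sport": 52000, "dst": "192.0.2.44",
     "dport": 6881, "xlate_src": "198.51.100.2", "xlate_sport": 4002},
    {"event": FLOW_DENIED,   "src": "10.1.1.7", "sport": 52001, "dst": "203.0.113.9",
     "dport": 23, "xlate_src": "198.51.100.2", "xlate_sport": 4003},
    {"event": FLOW_DENIED,   "src": "10.1.1.7", "sport": 52002, "dst": "203.0.113.9",
     "dport": 445, "xlate_src": "198.51.100.2", "xlate_sport": 4004},
]

def process(records):
    """Stitch pre/post-NAT data and score denied flows.

    Returns (nat_map, concern_index, completed): nat_map maps (public_ip, public_port)
    to (inside_ip, inside_port); concern_index maps inside_ip to accumulated points from
    Flow Denied events; completed lists torn-down flows with their byte counts.
    """
    nat_map, concern_index, completed = {}, defaultdict(int), []
    for r in records:
        inside = (r["src"], r["sport"])
        public = (r["xlate_src"], r["xlate_sport"])
        if r["event"] == FLOW_CREATED:
            nat_map[public] = inside  # remember which inside host sits behind the translation
        elif r["event"] == FLOW_TEARDOWN:
            completed.append((inside, r["dst"], r["dport"], r.get("bytes", 0)))
        elif r["event"] == FLOW_DENIED:
            concern_index[r["src"]] += DENIED_CI_POINTS  # the ACL hit is the signal of interest
    return nat_map, dict(concern_index), completed

def resolve_public(nat_map, public_ip, public_port):
    """Answer a notice that quotes only the public address/port: which inside host was it?"""
    return nat_map.get((public_ip, public_port))

if __name__ == "__main__":
    nat_map, ci, done = process(SAMPLE_RECORDS)
    print("inside host for 198.51.100.2:4002 ->", resolve_public(nat_map, "198.51.100.2", 4002))
    print("concern index:", ci)
```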