Lancope and Cisco ASA for
Advanced Security Context
By collecting and analyzing data from Cisco ASA with Lancope’s StealthWatch System, organizations can:

• Increase visibility and security context at the network edge
• Consume and stitch together NAT data to more accurately pinpoint the source of issues such as MPAA/RIAA copyright infringements
• Audit firewall rules through flow analysis
• Achieve better performance and scalability for network and security monitoring
• Save vast amounts of time and money spent correlating data points from various sources
• More confidently demonstrate compliance with regulations such as PCI

Published in: Technology
  1. Lancope and Cisco ASA for Advanced Security Context

  2. Agenda
     • The need for more information and context – The Cyber Threat Defense
     • What is NSEL?
     • How NSEL and StealthWatch work together
     • Examples
     • Summary

  3. Cyber Threat Defense Solution
     • Use NetFlow Data to Extend Visibility to the Access Layer
     • Unify Into a Single Pane of Glass for Detection, Investigation and Reporting
     • Enrich Flow Data With Identity, Events and Application to Create Context (WHO, WHAT, WHERE, WHEN, HOW)
     Diagram labels: Devices; Internal Network; Visibility, Context, and Control; Hardware-enabled NetFlow Switch; Cisco ISE; Cisco ISR G2 + NBAR; Cisco ASA + NSEL; Context

  4. What is NSEL?
     NetFlow Security Event Logging
     • Provides visualization into policy enforcement points
     • Created as an efficient event reporting mechanism:
       – Syslog (traditional firewall event reporting mechanism): verbose, text based, single event per packet, ~30% processing overhead
       – NetFlow: compact, binary, multiple events per packet, ~7-10% processing overhead

  5. NSEL Implementation Details
     • Cisco NSEL slightly deviates from standard NetFlow
       – NSEL flow is bidirectional
       – NSEL flow is equivalent to an ASA connection
       – NSEL events are generated per ASA connection
     • Event based
       – Records were originally generated based on the 3 connection status events
       – In ASA v8.4.5 flow update events are generated on activity timers
       – Denied connections also generate NSEL records
     • NSEL records are issued for the following events
       – Flow creation: issued for every flow that is created
       – Flow teardown: issued for every successfully created flow when it ends
       – Flow denial: issued when a flow is denied by an ACL

  6. How NSEL works: Flow Created
     Diagram: Client, Cisco ASA, Server; NSEL Record Exported to StealthWatch FlowCollector and StealthWatch Management Console

  7. How NSEL works: Flow Tear Down
     Diagram: Client, Cisco ASA, Server; NSEL Record Exported to StealthWatch FlowCollector and StealthWatch Management Console

  8. How NSEL works: Flow Denied
     Diagram: Client, Cisco ASA, Server; NSEL Record Exported to StealthWatch FlowCollector and StealthWatch Management Console

  9. Flow Action
     • StealthWatch defines the NSEL flow event field as a Flow Action
     • Can provide additional context
       – Identity
       – Device Type
       – Application Data

  10. Flow Denied Events
     • Useful inspection point
     • Identify suspicious activity

  11. Flow Action as part of Concern Index
     • Concern Index points are accumulated for Flow Denied events

  12. NAT Stitching
     • Pre and Post NAT stitching inside StealthWatch
     • Decrease investigation time
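As an added illustration of slides 5, 11 and 12 (example code written for this page, not code from the deck, Lancope or Cisco): a constructed, simplified set of NSEL-style records is stitched across pre/post NAT so a public address and port can be traced back to the inside host, and a per-host concern score is accumulated from Flow Denied events. The dict layout and the 10-points-per-denial weighting are assumptions for illustration; real NSEL records are binary NetFlow v9 templates and StealthWatch's actual Concern Index weighting is not modelled.

```python
"""Simplified NSEL-style processing: NAT stitching plus a concern score
from Flow Denied events. Record layout is a constructed assumption."""
from collections import defaultdict

# Event types as named on slide 5 (flow creation / teardown / denial).
CREATED, TEARDOWN, DENIED = "created", "teardown", "denied"

# Constructed sample records (assumption: one dict per NSEL record).
# "xlate_*" fields carry the post-NAT (outside) address/port of the flow.
RECORDS = [
    {"event": CREATED, "src": "10.1.1.5", "sport": 51000,
     "dst": "203.0.113.9", "dport": 443,
     "xlate_src": "198.51.100.2", "xlate_sport": 20001},
    {"event": TEARDOWN, "src": "10.1.1.5", "sport": 51000,
     "dst": "203.0.113.9", "dport": 443,
     "xlate_src": "198.51.100.2", "xlate_sport": 20001, "bytes": 12345},
    {"event": DENIED, "src": "10.1.1.7", "sport": 40001,
     "dst": "203.0.113.20", "dport": 23},
    {"event": DENIED, "src": "10.1.1.7", "sport": 40002,
     "dst": "203.0.113.21", "dport": 23},
    {"event": DENIED, "src": "10.1.1.5", "sport": 51001,
     "dst": "203.0.113.9", "dport": 22},
]


def stitch_nat(records):
    """Build the pre/post NAT table from flow-creation records:
    (public ip, public port) -> (inside ip, inside port)."""
    table = {}
    for r in records:
        if r["event"] == CREATED and "xlate_src" in r:
            table[(r["xlate_src"], r["xlate_sport"])] = (r["src"], r["sport"])
    return table


def inside_host_for(records, public_ip, public_port):
    """The abuse-notice question (slide 13, RIAA notices): which inside
    host was behind this public address/port? None if never seen."""
    return stitch_nat(records).get((public_ip, public_port), (None, None))[0]


def concern_index(records, points_per_denial=10):
    """Accumulate concern points per inside host for each Flow Denied
    event (slide 11). Weighting is an assumption for illustration."""
    score = defaultdict(int)
    for r in records:
        if r["event"] == DENIED:
            score[r["src"]] += points_per_denial
    return dict(score)
```

Hosts with the most denied flows surface first in the concern table, and a single lookup answers which inside host a public address/port belonged to, which is the investigation-time saving the NAT stitching slide refers to.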
  13. Examples
     • RIAA notices
     • PCI Compliance
     • Firewall rule auditing
     • Tracking down outbound attacks
     • Better scalability and performance

  14. Summary
     • Provides Flow and Event Visibility and Context
     • Reports details of a flow and associated events
     • Provides Threat Visibility and Context
     • Single pane of glass that unifies threat detection, visibility, forensics analysis, and reporting
     Diagram: Cisco ASA + NSEL + FlowCollector + StealthWatch Management Console

  15. Thank you!!

  16. Get Engaged with Lancope
     • Follow us at @Lancope and @NetFlowNinjas
     • Subscribe to Lancope updates at http://feeds.feedburner.com/NetflowNinjas
     • Attend complimentary NetFlow 101 Seminars: http://www.lancope.com/news-events/university-of-netflow/
     • Join NetFlow Ninjas: http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
     • Access StealthLabs Intelligence Center (SLIC) Reports: http://lancope.com/SLIC
     • Download "NetFlow Security Monitoring for Dummies": http://www.lancope.com/netflow-for-dummies/
     © 2012 Lancope, Inc. All rights reserved.
     Please email sales@lancope.com or