Cisco Network Insider Series: Securing Your Branch for DIA

Hai Bo Ma, Product Manager, Cisco
December 8, 2015
Securing Your Branches
for Direct Internet Access
Cisco Network Insider Series

2© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
What You Will Learn
•  Enterprise Challenges and Trends
•  Direct Internet Access (DIA) at Branch
Offices: Benefits and Challenges
•  Branch DIA Use Cases
•  Cisco FirePOWER™ Threat Defense
for ISR
•  Snort IPS
•  Cloud Web Security (CWS)
•  Next Steps

Enterprise Challenges and Trends
80%
30%
20-50%
BRANCH
OS
Updates
HD
Video
Omni-channel
Apps
Mobile
Apps
Online
Training
SaaS Enterprise
Apps
Social
Media
Guest
WiFi
Digital
Displays
MORE
USERS
MORE
APPS
MORE
THREATS
Of employee and
customers are served in
branch offices*
Increase in Enterprise
bandwidth per year
through 2018**
Of advanced threats will
target branch offices by
2016 (up from 5%) **
*Tech Target, Branch Office Growth Demands New Devices., 2013
**Gartner, Forecast Analysis: Worldwide Enterprise Network Services, Q2 2014 Update
*** Gartner: “Bring Branch Office Network Security Up to the Enterprise Standard, Jeremy D’Hoinne, 26 April. 2013.
73%MORE
DEVICES Growth in in mobile
devices from 2014 - 2018**

DIA in the Branch Delivers Major Benefits…
Eliminate Backhauling Internet Traffic Across the WAN
•  Increased Reliability of Internet for WAN Transport
•  Lower IT Spend
•  Meet Budget Challenges
•  Improved User Experience
•  Enhanced Experience with Public Cloud Applications
•  Better Business Application Performance
•  Higher Guest Wi-Fi Satisfaction
Improve Branch User Experiences while Reducing Costs

… But DIA Also Introduces New Risks
•  Greater Threat Risks
•  Increased Attack Surface
•  Lack of Appropriate Security Protection at the Branch
•  Lost Visibility into DIA Traffic
•  Operational Risks
•  Additional Sensors to Manage; Additional Rack Space Costs
•  Overwhelming Amount of False Positives
•  Inability to Zero in on Key Threats Quickly
•  Lost Revenue-Generating Square Footage Due to Increased Footprint
Threat and Operational Risks Can Be Mitigated!

Use Case: You Will Meet Compliance Needs
Corporate
Branch
Employees
Corporate + Internet Traffic
Examples:
Retail stores
Hospitals / Pharmacies
Value Prop
Ø  Best of Routing & Security at Head Quarters
Ø  Good Enough Security at the Branch to Meet Compliance
Ø  Advanced Behavior Analysis at the Head-end
VPN Tunnel
Internet
Enterprise
Network
Firewall IPS
Firewall

Internet
Use Case: Partial DIA Guest Internet Access
Corporate
Branch
Examples:
Retail stores / Auto Dealerships
Hospitals / Pharmacies
Financials
Schools / Universities
Ø VLAN separation, guest and employees network are separated
Ø ZBFW blocks guest to employees traffic and vice versa
Ø Cisco Cloud Web Security provides content filtering and policy enforcement
Ø Snort Powered IPS provides basic intrusion protection
Ø Corporate devices reach Internet via HQ
Corporate + Employees Internet Traffic
Employees
Guest
Guest Internet Traffic
Enterprise
Network
VPN Tunnel
Firewall IPS
Firewall

Use Case: Full DIA
Examples:
Retail stores accessing Supplier websites
Hospital / Pharmacy accessing Insurance websites
Cloud based enterprise service (WebEx, Salesforce
etc.)
Internet Corporate
Branch
Corporate Traffic
Employees
Guest
Guest Internet Traffic
Enterprise
Network
VPN Tunnel
Employee Internet Traffic
Ø VLAN separation, guest and employees network are separated
Ø ZBFW blocks guest to employees traffic and vice versa
Ø FirePOWER URL Filtering provides web reputation and category based filtering
Ø Corporate and Guest devices reach Internet directly from the Branch
Ø FirePOWER provides IPS, AVC and AMP
Firewall
Firewall

Branch DIA use cases
Use Case Vertical Security requirements Security Technology
PCI and Regulatory
Compliance
Retail, Healthcare,
Financial, government
FW, IPS, content filtering
(optional)
ZBFW, Snort IPS
Guest User Wi-fi Retail, Healthcare,
Hospitality
FW, Web Security, IPS
(optional)
ZBFW, Snort IPS
Partial Direct Internet
Access (public cloud,
partner sites)
Retail, Healthcare,
manufacturing
FW, Web Security, IPS Snort IPS or
FirePOWER Threat
Defense, CWS
Full Direct Internet
Access
Retail, Healthcare,
manufacturing
FW, Web Security, IPS,
Malware Protection, AVC
FirePOWER Threat
Defense

FirePOWER Threat Defense
for ISR

Positioning IPS/IDS Solution for the WAN
ISR 4321
50-100 Mbps
ISR 4331
100-300 Mbps
ISR 4351
200-400 Mbps
ISR 4451 - 2Gbps
ISR 4431 – 1 Gbps
Regulatory/ PCI
Compliance
Internet guest
access
MSSP
Direct Internet access to partner sites or public cloud
(i.e. Office365, Salesforce.com)
Partial DIA
Full DIA
Note: FirePOWER also supports
Cisco ISR G2 Series

FirePOWER NGIPS vs. Snort IPS
Threats Application
visibility and
control
Contextual
awareness
Impact
assessment
Automated
IPS tuning
User
identities
FireSIGHT
Snort IPS
FirePOWER
IPS and
Apps

Cisco FirePOWER Threat Defense for ISR
•  Capitalize on DIA Without
Compromising Security
•  Industry-Leading Threat
Protection for Branch and
Remote Offices
•  Consolidated Footprint Frees
Revenue-Generating
Square Footage
•  Centralized Management
with Clearly Divided Roles
and Responsibilities
•  Lower Total Cost of Ownership
Network Visibility
Granular App
Control
Modern Threat
Control
NGIPS
Security Intelligence
URL Filtering
BEFORE
Discover
Enforce
Harden
DURING
Detect
Block
Defend
AFTER
Scope
Contain
Remediate
Attack Continuum
Visibility and Automation
Advanced Malware
Protection
Retrospective Security
IoCs/Incident
Response

Cisco FirePOWER Threat Defense for ISR
Network
Visibility
Granular App
Control
Modern Threat
Control
NGIPS
Security
Intelligence
URL Filtering
BEFORE
Discover
Enforce
Harden
DURING
Detect
Block
Defend
AFTER
Scope
Contain
Remediate
Visibility and Automation
OR
Cisco ISR G2 Series
AppX + Security
License
Free Up Valuable Square Footage Generate More Revenue $$$
+
Cisco® 4000 Series ISR
Cisco UCS®
Advanced Malware
Protection
Retrospective Security
IoCs/Incident
Response

Industry-Leading Threat Defense
•  FirePOWER™ Next-Generation
Intrusion Prevention System (NGIPS)
•  Application Visibility and Control
•  Advanced Malware Protection (AMP)
for Networks
•  Reputation-Based URL Filtering
•  FireSIGHT® Management Center
Industry-leading Threat Protection

Gartner IPS Magic Quadrant
This graphic was published by Gartner,
Inc. as part of a larger research
document and should be evaluated in
the context of the entire document.
The Gartner document is available
upon request from this URL.
Gartner does not endorse any vendor, product
or service depicted in its research publications,
and does not advise technology users to select
only those vendors with the highest ratings or
designation. Gartner research publications
consist of the opinions of Gartner's research
organization and should not be construed as
statements of fact. Gartner disclaims all
warranties, expressed or implied, with respect
to this research, including any warranties of
merchantability or fitness for a particular
purpose.

Internet connection
VPN tunnel
FireSIGHT Management Center
Branch Office
HQ
Centralized monitoring
ESXi
Branch Office
ESXi
Branch Office
ESXi
Deployment Architecture

Snort IPS

Cisco Snort IPS
Lower TCO and investment protection
Built on industry leading and proven
open source components (Snort)
Helps to achieve PCI compliance
Centralized management for network
and security features
Need
Who are looking for a cost-effective yet
secure network infrastructure solution that
will provide advanced routing and multi
layered security and help meet
compliance requirements
For who
For enterprises with distributed branch
offices primarily in retail, financial sector,
hospitality, and education sectors
What
Cisco ISR with Integrated security
features (IPS, FW, VPN, Web security)

Snort IPS
A lightweight Threat Defense solution for the Branch
Help meet PCI compliance mandate at
the Branch Office
Threat protection built into ISR 4000
branch routers
Complement ISR 4000 Integrated
Security
Lightweight, Cost-Effective Threat
Defense for the Branch
Cisco ISR 4000
Snort

Snort IPS
Key Functionality
Cisco ISR 4K
Snort
•  Snort integrated into Cisco IOS XE and application container
•  Supported on ISR 4000 Series
•  IPS/IDS functionality
•  Centralized deployment with Prime template
•  Log collection via external tools (ex. Splunk)
•  Ability to whitelist signatures
•  Signature update mechanism using local update

Licensing and support model
•  IPS Engine included in SEC license at no extra charge
•  Signature update subscriptions:
•  Snort community rule set (FREE) – 1Y
•  Snort subscriber rule set – 1Y
•  Snort subscriber rule set – 3Y

Cloud Web Security (CWS)

To Internet
CSR
RADIUS
Server
CWS
Tower
Primary CWS Tower
CSR
RADIUS
Server
CWS
Tower
Secondary CWS Tower
To Internet
ISR-Dual-WAN
Branch
ISP-1
ISP-2
CWS – Tunnel Based Redirection

Next Steps
•  Contact your Cisco or partner account team to:
-  Schedule a Product/Technical Deep-Dive or
Request a Demo
-  Inquire about Pricing Details
-  Proceed with a Proof-of-Concept
•  For More Information:
-  Cisco Router Security
http://www.cisco.com/go/routersecurity
-  Branch Threat Defense
-  VPN and Highly Secure Connectivity
•  Cisco Network Insider Series:
-  Comprehensive Cybersecurity Made Simple (Dec 15th, 2015)

Cisco Network Insider Series: Securing Your Branch for DIA

Cisco Network Insider Series: Securing Your Branch for DIA

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Network Insider Series: Securing Your Branch for DIA

Similar to Cisco Network Insider Series: Securing Your Branch for DIA (20)

More from Robb Boyd

More from Robb Boyd (20)

Recently uploaded

Recently uploaded (20)

Cisco Network Insider Series: Securing Your Branch for DIA