Cisco Live 2014

Network Impacts of HTTPS
Transport Encryption
BRKSEC-2525
Dan Wing, Distinguished Engineer
GSSO
Agenda
• Introduction to Proxies
• HTTP Inspection Background
• HTTPS Inspection
• Future
BRKSEC-2525
© 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Public
3
Abstract, in bullet points
• Background on how network security is performed on plain-text traffic
• Why network traffic is moving towards more encryption
• Decryption using TLS proxies
• Future protocols and solutions
• This presentation contains no product-specific information
• This is not a "how to" presentation
Objectives
• Review network security is performed on un-encrypted traffic
• Review TLS proxy interception
• Protocol futures
Introduction: Encryption Impacts Network Security
• Security features need access to plain text
• IPsec, SSL, TLS
• Breaking TLS
• Encrypted HTTPS is 30-40% of cellular wireless traffic, and rising
• Decryption is not always possible
• Where decryption is possible, decryption adds cost (25-35%: "SSL Performance Problems: Significant SSL Performance Loss Leaves Much Room for Improvement," NSS Labs, June 2013)
TLS versus IPsec
• TLS – Transport Layer Security
– Runs over TCP – easy firewall and NAT traversal
– very widely deployed
– Typically, only server is validated (client is not validated with TLS)
• IPsec
– Designed for computer-to-computer and network-to-network (VPN)
– Lots of modes = lots of confusion
• IPsec tunnel mode, transport mode
• IPsec AH, ESP
– IP protocol 50 (ESP), 51 (AH)
• Requires NAT&firewall IPsec passthrough support
• IPsec-over-UDP, IPsec-over-TCP (non-standard)
– IKE-over-UDP exchange separate from IPsec
SSL and TLS Versions
• SSL 1, SSL 2, 1995, designed by Netscape
– Contained security flaws
• SSL 3, 1996
– RC4 vulnerable, and SSLv3 block ciphers vulnerable to POODLE attack
• TLS 1.0, 1999, RFC2246
• TLS 1.1, 2006, RFC4346
– Improved security
• TLS 1.2, 2008, RFC5246
– Improved security (key derivation, SHA256)
– Improved negotiation of hashes and signatures
– Supports authenticated encryption ciphers (AES-GCM, CCM mode)
• TLS 1.3, currently Internet Draft
Breaking Encryption
• Transport encryption
– TLS: HTTPS, mail (SMTP, IMAP), others
– TLS: certain applications (e.g., Dropbox client)
– DTLS: WebRTC, DTLS-SRTP, Cisco AnyConnect
– IPSec: VPN
• Email Object encryption
– Impacts content security
– PGP (Gmail, Yahoo), S/MIME (Apple iOS, Outlook)
(Slide callouts: "Proxy with TLS client cooperation"; "Generally un-breakable, due to mutual authentication and/or certificate pinning")
HTTPS – HTTP over SSL (TLS)
TLS – Transport Layer Security (TCP)
DTLS – Datagram Transport Layer Security (UDP)
PGP – Pretty Good Privacy
S/MIME – Secure/Multipurpose Internet Mail Extensions
Breaking Encryption: HTTPS Instant Messaging
• Transport encryption
– TLS: HTTPS, mail (SMTP, IMAP), others (slide callout: "Proxy with TLS client cooperation")
– Applications using HTTPS-style authentication can also be proxied
– Facebook Messenger
– Snapchat
– WhatsApp
– Threema
When can HTTPS be proxied (decrypted)?
(Diagram: Client -> TLS Proxy -> Internet -> Server)
Cannot Decrypt
• Endpoint does not cooperate
– Internet Service Provider
– Guest WiFi
• Certain applications
– (Dropbox, iTunes, …)
Can Decrypt
• Endpoint cooperates
• Install additional root certificate on client (operationally complex)
• Decrypt TLS, examine or modify, reencrypt TLS
• Expensive to decrypt TLS everywhere
– Hardware and Operational / debugging complexity
Reasons Sites Use HTTPS Encryption
Subscriber Benefit
• Subscriber privacy
– Health research
• Avoid passive surveillance
• Lock icon (🔒)
• Avoid malware injection
Benefits both
• Avoid broken caches/proxies
• HTTP2
• Prevent ISP from degrading user experience
– Video quality degradation
• Avoid Chrome HTTP warning (future)
Site Benefit
• Account information
– credit card, bank information, passwords
• Prevent ISP from:
– Selling subscriber web history
– Injecting advertising
– Breaking page operation
• Better Google ranking
Reasons Sites Avoid HTTPS Encryption
• Loss of caching (future: Sub-Resource Integrity)
• Certificate cost ($50-$1500/year) (www.LetsEncrypt.org)
• Slower page load times (HTTP2 and TLS 1.3 improve page load times)
• Equipment cost
• Client CPU and battery consumption (minor)
Reasons ISPs / Enterprises Dislike HTTPS Encryption
(Two-column slide: ISPs, Enterprises)
• Optimize network with caching
– Streaming or live video
– Static images
• Content and priority policies
• Inject advertising
• Deep Packet Inspection (DPI), legal requirements (stock broker, bank)
• Sell customer traffic data
• Increased cost and complexity of content security
(Slide callouts: "good proxies", "bad proxies")
Good Proxies / Bad Proxies
• Good proxy: provide value to end user or the network owner
– Block malware
– Block spam
– Cache content
• Bad proxy: harm the end user
– Intercept user’s traffic
• banking transaction, credit card number, health-related searches
• Creates legal liability (risk)
– Interfere with protocol features
• HTTP 1.1 pipelining, HTTP2, HTTP DELETE method
– Inject malware
– Break web page functionality
• advertising injection, video quality degradation
• A proxy can be both good and bad, depending on perspective!
The Trouble with Proxies
• Proxies harm protocol evolution
– Measured 20% failure rate trying to use “Upgrade: HTTP2” over un-encrypted TCP
– Mis-handling HTTP 1.1 features (especially pipelining)
• “Erosion of the moral authority of transparent middleboxes”
– Joe Hildebrand (Internet Architecture Board, Cisco), Patrick McManus (Mozilla)
– Discusses how middleboxes (proxies) harm protocol evolution
http://tools.ietf.org/html/draft-hildebrand-middlebox-erosion
Industry Encryption Efforts
• Encryption by default: Google, Gmail, Facebook, Twitter, …
– Started over a year before Snowden
• IETF IAB
– Statement of Internet Confidentiality
– Stack Evolution in a Middlebox Internet (SEMI) workshop this week in Zürich
• W3C TAG, Securing the Web
• TLS 1.3 improvements
– Fewer messages for faster set up
– Encrypts TLS handshake, including server’s (and client’s) certificate
• Let’s Encrypt
https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality
https://w3ctag.github.io/web-https
http://www.iab.org/activities/workshops/semi/
Let’s Encrypt
• Free certificates for servers
• Non-profit organization
• Sponsored by Cisco, Mozilla, Akamai, EFF, and IdenTrust
• Software will:
– Automatically prove to the Let’s Encrypt CA that you control the website
– Obtain a browser-trusted certificate and set it up on your web server
– Keep track of when your certificate is going to expire, and automatically renew it
– Help you revoke the certificate
• https://letsencrypt.org
$ sudo apt-get install lets-encrypt
$ lets-encrypt example.com
Email Encryption (Object Encryption)
• Content security needs access to plaintext
• End-to-end encryption prevents access to plaintext
– PGP
– S/MIME
• Today, most users simply delete encrypted email
– So encrypted spam/malware is not a threat
• Tomorrow, if encrypted email is easier, it becomes an easy vector for malware and phishing
• Ongoing research
HTTP Inspection
Overview of Network Inspection
• Packets cross packet boundaries
– Overlapping TCP segments
• JavaScript Obfuscation
• IPv4/IPv6
Application Inspection
(Diagram: Client <-> [TCP stream re-assembly -> Inspect] <-> Server, applied in both directions)
• Inspect request URL against blacklist and reputation database
• Inspect response data for malicious payloads
Payloads across Packet Boundaries
• Happens naturally at packet boundaries
– 1500 bytes
• Can happen maliciously
• Solution: re-assemble TCP
(Diagram: "GET INDEX.HTML HTTP/1.1" split across three IP/TCP packets as "GET IN", "DEX.HTM", "L HTTP/1.1")
Obfuscation to break pattern matching
• Request: http:://example.com///index.htm
• Response:
document.write('<'+'ifr'+'ame '+'sr'+'c'+'='+'"http://etetyum.ZZZ/...
which the browser evaluates as:
document.write('<iframe src="http://etetyum.ZZZ/...
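Added example (mine, not from the deck): a small inspection pipeline that re-assembles TCP segments before matching, then folds the `'<'+'ifr'+'ame'` string-concatenation trick from the slide so a signature for an injected iframe still fires. The segment contents, sequence numbers, the `malware.example` hostname and the signature regex are all constructed for the demo.

```python
import re

# Constructed sample: the slide's request split across three TCP segments,
# delivered out of order, with one fully overlapping retransmission.
REQUEST_SEGMENTS = [
    (1013, b"L HTTP/1.1"),
    (1000, b"GET IN"),
    (1006, b"DEX.HTM"),
    (1006, b"DEX.HTM"),
]

# Constructed sample: an obfuscated response in the style of the slide
# (hostname is a placeholder), split in the middle of the concatenation.
RESPONSE = (b"<html><script>document.write('<'+'ifr'+'ame '+'sr'+'c'+'='"
            b"+'\"http://malware.example/a.html\"'+'>');</script></html>")
RESPONSE_SEGMENTS = [(5040, RESPONSE[40:]), (5000, RESPONSE[:40])]


def reassemble(segments, isn):
    """Rebuild the byte stream from (seq, payload) segments.

    Segments may arrive out of order and may overlap; on overlap the first
    copy seen wins (one of several policies real stacks use). A hole in the
    stream returns None so the caller knows inspection would be incomplete.
    """
    stream = {}
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            stream.setdefault(seq + offset, byte)
    out = bytearray()
    pos = isn
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    if any(seq > pos for seq in stream):
        return None  # data exists beyond a gap
    return bytes(out)


# Two adjacent string literals joined by '+': 'a'+'b' -> 'ab'
CONCAT = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3""")


def normalize_js(text):
    """Fold string concatenations until none remain, so 'ifr'+'ame' becomes
    'iframe'. Deliberately simple: no escape handling or JS parsing."""
    prev = None
    while prev != text:
        prev = text
        text = CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), text)
    return text


IFRAME_SIG = re.compile(r"""<iframe\s+src=['"]?http://""", re.IGNORECASE)


def inspect_each_segment(segments):
    """What a per-packet matcher sees: every payload on its own."""
    for _, payload in segments:
        if IFRAME_SIG.search(normalize_js(payload.decode("latin-1"))):
            return "malicious"
    return "clean"


def inspect_stream(segments, isn):
    """Re-assemble first, then normalize and match on the whole stream."""
    stream = reassemble(segments, isn)
    if stream is None:
        return "incomplete"
    body = normalize_js(stream.decode("latin-1"))
    return "malicious" if IFRAME_SIG.search(body) else "clean"
```

Per-segment matching reports the constructed response as clean; only the re-assembled, normalized stream trips the signature.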
Dual Stack Complications
• Malware might be split between IPv6 / IPv4
– Get part “A” of malware via IPv4, part “B” over IPv6
• Requires identifying hosts, rather than assuming host has one IP address
• Ongoing research
HTTPS Inspection
HTTPS Inspection
• Operation of TLS Proxy
• Performance
• How TLS proxy performs its job
• Certificate Pinning, Lawful Intercept
Reminder: Application Inspection without TLS
(Diagram: Client <-> [TCP stream re-assembly -> Inspect] <-> Server)
TLS Proxy
(Diagram: Client <-> [authenticate & decrypt -> TCP stream re-assembly -> Inspect -> authenticate & encrypt] <-> Server; the TLS inspection step is applied in both directions)
• TLS session start up: public key calculations (RSA, EC, DH)
• TLS session ongoing: authenticate (SHA1) and encrypt/decrypt (AES)
TLS Performance Impact: 20-30% of rated speed
(Bar chart: throughput of two devices, Cisco-1 and Cisco-2, under HTTP, 50% HTTPS, and 100% HTTPS traffic mixes; y-axis 0 to 10)
HTTPS through TLS proxy
• Browser and operating system trust 100’s of certificate authorities
• Method 1: add another CA to the client’s trust list
– Most common
• Method 2: purchase an intermediate root certificate
– Violates terms and conditions
• With either method, TLS proxy authenticates using your certificate’s private key
Breaking HTTPS: method 1, install additional root on client
(Sequence diagram: Web Browser <-> TLS proxy <-> HTTPS Server)
1. Generate public/private key and root certificate
2. Install that root certificate on client devices
3. Browser visits website
4. TLS Hello (browser to TLS proxy)
5. TLS Hello (TLS proxy to HTTPS server)
6. Server Certificate (HTTPS server to TLS proxy)
7. Validate certificate
8. Generate (spoofed) certificate, signed by our private key from (1)
9. (Spoofed) Server Certificate (TLS proxy to browser)
Certificate Stores: OS or Application
Browsers using OS cert store
• Mobile Safari (iOS), Safari (Mac)
• Chrome, Chrome for Mobile
• Internet Explorer
Browsers using their own cert store
• Firefox: Preferences, Advanced, Certs
• Opera: Settings > Preferences > Advanced > Security > Manage Certs
OS cert store locations:
• Android: Settings > Personal > Security > Credential storage > Install
• iOS: Configuration Profile (email or iPhone Configuration Utility)
• Windows: Management Console (MMC) or Group Policy Manager
• OS X: Keychain Access
“User-Installed Certificate” has Scoping Problem
• “User-installed certificate” is intended for enterprise Certificate Authorities
– Intent is abused by TLS proxies
– TLS proxy can assert itself as any website
– In the future, this abuse might be closed
• TLS proxy’s private key could be stolen and used to examine/modify traffic
– Don’t lose the private key!
– Long certificate lifetime is riskier; changing certificates on client is $$
– Forward secrecy reduces risk (discussed later)
Breaking HTTPS: method 2, Intermediate root
• Clients already trust. Easy! No client configuration!
• Costs USD $120,000
• Contract states the certificate is “not for intercepting TLS”
• A significant risk to the Internet
• Browser vendors working to detect and disallow these certificates
User Detection of TLS Proxy
How users notice TLS interception proxy
• Certificate warning error
– Unfortunately, users are accustomed to seeing errors (“OK to Continue”)
• Check certificate manually
– Awkward
• Browser plugin to “ask friends” about expected certificate
– Network notary / Perspectives
• Certificate pinning
Certificate Pinning
• Shipping in Firefox and Chrome
• Solves two problems: rogue CAs, and $100,000 subordinate root certificates
• Specifies which CAs can authenticate a site
– Instead of ~300 CAs, now only 2 can authenticate a site
– Reduces man-in-the-middle attacks due to compromised CAs
• User-installed root certificates (“enterprise certificates”) ignore key pinning
– Firefox and Chrome
– TLS proxying works in conjunction with key pinning
– This means key pinning generates no error with enterprise certificates
• Applications enforcing pinning
– Dropbox client, iTunes, others
HTTP Public Key Pinning (HPKP), http://tools.ietf.org/html/draft-ietf-websec-key-pinning
Lawful Intercept
• Lawful Intercept
– Concept based on wiretapping
– Basic idea: duplicate packets
– Law enforcement can utilize metadata, even if data is encrypted
• Intercept target should not notice intercept
– Assuming average technical sophistication
– Certificate pinning makes TLS proxy more obvious
Future
Future
• Encryption Tussle
• New model: opt-in
• Caching with HTTPS
• Optimizing TLS proxy encryption and decryption
• HTTP2 (“SPDY”) and brief note on Google QUIC
• TLS 1.3
• Netflow for security
• Forward secrecy
Encryption Tussle
(Diagram: "Encryption" at the centre, surrounded by Government, Companies, and Citizens / Users)
http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design
Future: Browser opts-in to network value add
• Recall the good/bad proxies
– Good proxy: provide value to end user or the network owner
• Block malware, spam
– Bad proxy: harm the end user
• Instead of an all-powerful implicit proxy, provide specific features to browser
– Cache objects
– Content security service
– Data loss prevention service
– Network bandwidth information (to optimize audio/video quality versus bandwidth)
Explicit Content Cache
• New model: explicit content cache
• Fetch integrity-protected object from somewhere nearby
– Another nearby device (Bluetooth, WiFi, cellular, optical)
– Nearby network storage (ISP cache, home router)
• A step towards Named Data Networking
• SubResource Integrity (SRI)
– Standardized by W3C, http://www.w3.org/TR/SRI
– Uses “ni” URI scheme (RFC6920)
– Available in Chrome
<script src="https://code.jquery.com/jquery-1.10.2.min.js"
integrity="ni:///sha-256;C6CB9UI...TQmYg?ct=application/javascript">
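Added example (mine, not from the deck) of integrity checking for the explicit content cache above: compute and verify digests in the RFC 6920 `ni:` form the slide shows and in the `sha256-` form the W3C SRI specification finally shipped. The script bytes are constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample resource; the digests below are computed, not copied.
SCRIPT = b"window.jQuery = {version: '1.10.2'};\n"


def ni_digest(data, alg="sha-256", content_type=None):
    """RFC 6920 'ni' URI: base64url without padding, optional ?ct= parameter."""
    digest = hashlib.new(alg.replace("-", ""), data).digest()
    value = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    uri = f"ni:///{alg};{value}"
    return f"{uri}?ct={content_type}" if content_type else uri


def sri_digest(data, alg="sha256"):
    """The form the final W3C SRI spec shipped with: '<alg>-<standard base64>'."""
    return f"{alg}-" + base64.b64encode(hashlib.new(alg, data).digest()).decode()


def parse_integrity(value):
    """Return (hashlib algorithm name, raw digest) from either form, else None."""
    if value.startswith("ni:///"):
        alg, _, b64 = value[6:].split("?", 1)[0].partition(";")
        b64 += "=" * (-len(b64) % 4)                 # restore stripped padding
        alg = alg.replace("-", "")
        decoder = base64.urlsafe_b64decode
    else:
        alg, _, b64 = value.partition("-")
        decoder = base64.b64decode
    if alg not in ("sha256", "sha384", "sha512"):
        return None                                  # unknown or weak algorithm
    try:
        return alg, decoder(b64)
    except (ValueError, TypeError):
        return None


def verify(data, integrity):
    """Accept a cached or nearby copy only if it hashes to what the page pinned."""
    parsed = parse_integrity(integrity)
    if parsed is None:
        return False
    alg, expected = parsed
    actual = hashlib.new(alg, data).digest()
    return len(actual) == len(expected) and hmac.compare_digest(actual, expected)
```

The `ni:` test vector for "Hello World!" is the one given in RFC 6920 itself.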
Optimize Decryption: Do TLS and DPI once
• Today: DPI and action on each device
• Naïve and expensive: TLS, inspection, and action on each device
• Tomorrow: do TLS once; TLS and inspection once, and do action on each device
(Diagram: a chain of in-path devices, each with its own TLS step today versus a single TLS step tomorrow)
Optimizing TLS
• Each new TLS connection is an expensive public key operation (RSA)
• Each byte of encrypted data is expensive (AES, SHA-1)
• Make them easier!
• RSA -> Elliptic Curve Cryptography (ECC)
– ECC is faster to compute
– ECC keys are shorter (for same strength), fewer bytes on the wire
– Widely available
• AES-SHA1 -> ChaCha20-Poly1305
– 300% faster than AES-GCM
– Available in Chrome and Google servers
HTTP2 (SPDY) and TLS
• Multiplex requests and responses over single TCP connection
– More efficient object retrieval
– One TCP connection to each server (avoids TCP & TLS setup delays)
• All browsers only attempt HTTP2 over TLS
– Chrome, Firefox, Safari
– Avoids difficult fallback code (as was necessary with HTTP 1.1 and middleboxes)
– Upgrades to HTTP2 using TLS extension
• Saves round trip of using HTTP’s “Upgrade:” header
• Page load time: HTTP2-over-TLS is equivalent to (plaintext) HTTP
– Eliminates TLS page load time penalty
http://caniuse.com/#feat=spdy
Daniel Stenberg’s HTTP2 tutorial paper, http://daniel.haxx.se/http2
HTTP, HTTPS, and HTTP2 Layering
(Diagram: protocol stacks for http://, https://, and HTTP2 over https://; HTTP 1.1 opens 6-8 TCP connections per site, HTTP2 uses fewer TCP connections)
HTTP, HTTPS, HTTP2, and Google QUIC
(Diagram: protocol stacks for http://, https://, HTTP2 over https://, and HTTP2 over Google QUIC)
• QUIC provides its own security, congestion control, and interacts with HTTP2’s prioritization and multiplexing
www.wikipedia.org/QUIC
Partial TLS Handshake (TLS 1.0 – 1.2)
(Sequence diagram: TLS Client <-> TLS Server)
TLS Client -> TLS Server: TLS ClientHello, SNI=www.example.com (the desired server)
TLS Server -> TLS Client: TLS ServerHello; Certificate for www.example.net (the actual server); Session key (encrypted with private key)
Because the server certificate is visible, the proxy can avoid decrypting if the entire site is blacklisted or whitelisted
Partial TLS Handshake (TLS 1.3)
(Sequence diagram: TLS Client <-> TLS Server; { } marks messages encrypted by DH)
TLS Client -> TLS Server: TLS ClientHello, SNI=www.example.com (the desired server); Client’s Diffie-Hellman key
TLS Server -> TLS Client: TLS ServerHello; Server’s Diffie-Hellman key; { Certificate for www.example.net } (the actual server); { Session key (encrypted with private key) }
Can only blacklist using SNI; need to decrypt to whitelist
TLS 1.3: draft-ietf-tls-tls13
Netflow for Security
• Historically, Netflow was sampled
– Reduced performance impact
– Reduced traffic visibility
• Unsampled Netflow summarizes all traffic to/from a host
• Network is the sensor
• Analysis of Netflow traffic finds compromised hosts by their traffic patterns
– Host communicates to neighbors
– Host communicates to command and control servers
• Lancope is useful
• Ongoing research within Cisco
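Added example (mine, not from the deck, and not how Lancope works): two traffic-pattern checks over constructed unsampled flow records, a beaconing detector for regular command-and-control check-ins and a fan-out detector for a host talking to many internal neighbors. Neither needs payload, so both work on encrypted traffic; the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed unsampled flow records: (start_seconds, src, dst, dst_port, bytes).
# 10.0.0.5 checks in with one external host every 5 minutes and sweeps
# internal neighbors on 445; 10.0.0.7 is ordinary browsing.
FLOWS = [
    *[(t, "10.0.0.5", "203.0.113.9", 443, 512) for t in range(0, 3600, 300)],
    (120, "10.0.0.7", "198.51.100.20", 443, 90000),
    (900, "10.0.0.7", "198.51.100.21", 443, 120000),
    (2400, "10.0.0.7", "198.51.100.22", 80, 3000),
    *[(1000 + i, "10.0.0.5", f"10.0.0.{20 + i}", 445, 200) for i in range(12)],
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def beacons(flows, min_flows=6, max_cv=0.2):
    """Return (src, dst, port) tuples whose flows recur at near-constant
    intervals: a low coefficient of variation of the inter-flow gaps."""
    times_by_key = defaultdict(list)
    for t, src, dst, port, _ in flows:
        times_by_key[(src, dst, port)].append(t)
    found = []
    for key, times in times_by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            found.append(key)
    return found


def internal_fanout(flows, min_peers=10):
    """Return (src, port) pairs where one host reached many internal peers
    on the same port, the 'communicates to neighbors' pattern."""
    peers = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            peers[(src, port)].add(dst)
    return [key for key, hosts in peers.items() if len(hosts) >= min_peers]
```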
(Perfect) Forward Secrecy
• With normal RSA, the server’s public key allows decrypting all previous traffic
– Don’t lose the private key!
• With Forward Secrecy, the server’s public key doesn’t allow decrypting previous
traffic
• Forward secrecy often performed with a separate Diffie-Hellman exchange
– DH exchange is computationally expensive
– DH exchange is additional round-trip (optimized in TLS 1.3)
• TLS connection re-use means DH exchange is valid for days
– Days is not perfect, but days is better than years! Security is a trade-off
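Added example (mine, not from the deck) of the forward-secrecy point above: a toy Diffie-Hellman server run once with its long-term key reused for the session and once with a fresh per-session exponent, followed by a later compromise of the long-term key. The slide's static-RSA case is modelled by static DH because the property at issue is the same: the long-term private key alone recovers the recorded session's key.

```python
import hashlib
import secrets

# Toy group for illustration only (far too small for real use); TLS uses
# 2048-bit+ finite-field groups or elliptic curves.
P = 2**127 - 1
G = 5


def keypair():
    """Diffie-Hellman private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(priv, peer_pub):
    """Symmetric key from the shared secret (a hash stands in for the TLS KDF)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Server:
    """Holds a long-term key, the one a stolen private key would expose."""

    def __init__(self, forward_secret):
        self.long_term_priv, self.long_term_pub = keypair()
        self.forward_secret = forward_secret

    def handshake_share(self):
        """Static mode reuses the long-term key for every session; forward-secret
        mode makes a fresh exponent per session and forgets it afterwards."""
        if self.forward_secret:
            return keypair()
        return self.long_term_priv, self.long_term_pub


def run_session(server):
    """One handshake: returns what a passive recorder sees and the real key."""
    srv_priv, srv_pub = server.handshake_share()
    cli_priv, cli_pub = keypair()
    key = session_key(cli_priv, srv_pub)
    assert key == session_key(srv_priv, cli_pub)   # both sides agree
    transcript = {"server_pub": srv_pub, "client_pub": cli_pub}
    return transcript, key                         # srv_priv is dropped here


def recover_with_stolen_key(transcript, stolen_long_term_priv):
    """Attacker who recorded the handshake and later obtains the server's key."""
    return session_key(stolen_long_term_priv, transcript["client_pub"])


def forward_secrecy_holds(forward_secret):
    """True when a later key compromise does NOT reveal the recorded session."""
    server = Server(forward_secret)
    transcript, real_key = run_session(server)
    guess = recover_with_stolen_key(transcript, server.long_term_priv)
    return guess != real_key
```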
Summary
Conclusion
• HTTPS encrypted traffic is 30% of most networks, and will continue to grow
• Cisco Web Security Appliance and Cloud Web Security can inspect HTTPS
• Installing root certificate on clients will remain an operational headache
• Future will provide mechanisms to cache content
Related Sessions
• BRKSEC-3772, Advanced Web Security Deployment with WSA, Tobias Mayer
• BRKSEC-3127, Dive into Cisco’s Email Encryption Capabilities, Hrvoje Dogan
• BRKSEC-2909, In Search of the Silver Bullet for Protection, Jonny Noble
• BRKSEC-2053, Practical PKI for Remote Access VPN, Ned Zaldivar
• BRKSEC-3128, Secure your network with distributed behavioral analytics, JP Vasseur
• BRKSEC-2136, Preventing Armageddon: Finding the threat with Netflow, Matt Robertson
Call to Action
• Visit the World of Solutions for
– Cisco Campus – Security Booth
– Technical Solution Clinics
• Meet the Engineer
– I am available this afternoon, see me after this session
• Lunch time Table Topics
• DevNet zone related labs and sessions
• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations