ASA CX Focus Today

ASA CX
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
• How To Sell ASA CX
• How To Compete
• Product Roadmap
• Demo
At the end of the session, the participants should be able to:
• Understand and execute on the go-to-market strategy
• Identify ASA CX updates in the last 6 months
• Understand high-level roadmap for the next 12 months
• Demonstrate key use cases to customers
ASA CX Focus Today
Apps, Users
• Security teams love the visibility
• Sometimes real use cases like block P2P applications
• Often ‘sold’ to management
Web Security
• Consolidation of web proxy device with FW
• Easier management
IPS
• Consolidation of IPS device with FW
• Easier management
ASA CX “solution”
CX capabilities
Apps, Users
URL Filtering
Web Reputation (SIO)
Industry’s most widely deployed stateful inspection FW & remote access solution
ASA CX | SSP-10 | SSP-20
Processors | Multi-core 64-bit | Multi-core 64-bit
Maximum Memory | 12 GB (6 GB per blade) | 24 GB (12 GB per blade)
Maximum Storage | 8 GB eUSB, 600 GB Hard Disk, Raid1 / Hotswappable | 8 GB eUSB, 600 GB Hard Disk, Raid1 / Hotswappable
Ports | 2 x 10 Gb SFP+, 8 x 1Gb Cu, 2 x 1Gb Cu Mgmt | 2 x 10Gb SFP+, 8 x 1Gb Cu, 2 x 1Gb Cu Mgmt
Crypto Chipset | Yes | Yes
© 2012 Cisco and/or its affiliates. All rights reserved.
Performance | ASA CX SSP-10 | ASA CX SSP-20
Throughput (Multi-protocol) | 2 Gbps | 5 Gbps
Concurrent Connections | 500,000 | 1,000,000
New Connections / Second | 40,000 | 75,000
Hardware
• Redundant hot-swappable power supplies and hard disks
• OIR capable SFP/SFP+ modules
Software
• Software Failover
• CX fail-open and fail-close support
Cisco ASA CX
Context-Aware
Threat Aware
Classic ASA Firewall
Business Problem | Addressed By ASA CX
Bandwidth misuse | View usage of Peer-to-Peer applications
Sensitive company data uploaded to the cloud | Control usage of file sharing applications
Employee productivity | Block non-productivity-related applications, while still allowing general access to social networking
Malware writers taking control of machines through remote control apps | Block remote control applications, while allowing WebEx
Malware masquerading as a well-known app | Identify and control applications that operate on well-known open ports
Business Problem | Addressed By ASA CX
Enforcing HR acceptable use policy | Block certain web site categories for everyone: Adult, Child Abuse Content, Gambling, Hate Speech, Illegal Activities, etc.
Creating a safe learning environment | Deny students but allow faculty access to the following web site categories: Entertainment, Arts, Dining and Drinking, Online Trading
Maintaining employee productivity | Deny employees access to the following web site categories: Sports and Recreation, Travel, Photo Search and Images
Controlling bandwidth-hungry sites | Deny users access to the following web site categories: File Transfer Services, Freeware and Shareware, Illegal Downloads, Internet Telephony
Users circumventing policy | Block proxies that allow you to surf the internet anonymously
Competitor Displacement Opportunity
• Websense URL filters sitting next to ASA
• Customer problem 1: Scalability issues with WCCP redirection
• Customer problem 2: Multiple boxes to maintain and troubleshoot
• Customer problem 3: Expensive per-user pricing
ASA Attach Opportunity
• E.g. Trend Micro URL Filtering on older ASA CSC Module
• Customer problem 1: Multiple vendors to deal with
• Customer problem 2: Trend Micro’s efficacy, and unsatisfactory support
Business Problem | Addressed By ASA CX
Zero-day malware getting through traditional defenses | Malware gets constantly tweaked so that desktop/network AV does not detect it. New malware is released in the wild for <24 hours. Web Reputation is always able to block it even if the payload had changed.
Social engineering attacks | You get a URL link in Facebook chat, saying “Check out this cool video!”. You click the link. Web Reputation blocks that specific transaction, while allowing general access to Facebook.
Infected machines sending data out | ASA’s Botnet Traffic Filter detects and blocks all attempts to contact command-and-control centers / Botnet masters
• Web Reputation protects Cisco’s 100K users from web-based threats
• 300 transactions blocked every minute by reputation
• Supports Cisco IT’s BYOD strategy: protects all devices irrespective of OS, browser used, or what client anti-virus software is installed
• Enabled Cisco IT to reduce malware case load by 43%
Cisco-on-Cisco case study on Web Reputation (WSA):
http://www.cisco.com/web/about/ciscoitatwork/borderless_networks/ironport_web_security_appliance.html
Apps, Micro-apps and App Behavior
• Broad classification of all traffic: 1,000+ apps
• MicroApp Engine: deep classification of targeted traffic, 75,000+ MicroApps
• App Behavior: control user interaction with the application
Proven, Cisco-owned Solution
• 2 years, 2,500 customers
• 2 Bn transaction hits every week
Updates Released Every Month
• For the last 2 years
• Same infrastructure and frequency with ASA CX
Significant Investment and Expertise in AVC
• Focused on customer use cases
Cisco’s app support focuses on customer use cases
App | Customer Use Case | Cisco | PAN
Facebook | Allow general access but block games and entertainment | >15 categories like Games, Business, and Entertainment | 7 coarse categories like “Facebook apps”
iCloud | Allow access to calendar but block non-business use like uploading photos | Bookmarks, Calendar, Contacts, Mail, Photos | No sub-apps
iTunes | Allow access to iBooks but block music and video | App install, iBook, Music, Video, Podcast | Appstore, Base, Media Store
Google Drive | Block upload due to data loss concerns | Document download, upload, editing, sharing | No sub-apps
References:
PAN: http://apps.paloaltonetworks.com/applipedia
Cisco (Web apps only yet, will be expanded to list all apps): https://securityhub.cisco.com/web/application_visibility_control
Users: Covers Wide Breadth of Identity Use Cases
AD/LDAP Identity
NTLM
Kerberos
• Non-auth-aware apps
• Any platform
• AD/LDAP credential
TRUSTSEC*
Network Identity
Secure Group Tags
IP Surrogate
AD Agent
User Authentication
• Auth-Aware Apps
• Mac, Windows, Linux
• AD/LDAP user credential
* ASA 9.0
URL: Industry-leading coverage and efficacy
• 60 languages
• 200 countries
• 20 mn URLs
• 9000 customers
Figure labels: Marketing, Legal, Finance
SensorBase
• 4 TB data received per day
• 750,000+ globally deployed devices
• 30B web requests
• 100M email messages
• 35% worldwide traffic
Threat Operations Center
• $100M spent in dynamic research and development
• 24x7x365 operations
• 500 engineers, technicians and researchers
• 40+ languages
• 80+ Ph.D.s, CCIE, CISSPs, MSCEs
Dynamic Updates
• 3 to 5 minute updates
• 6,500+ IPS signatures produced
• 20+ publications produced
• 200+ parameters tracked
• 8M+ rules per day
Cisco SIO figure: www.facebook.com
Checkpoint and Fortinet don’t have an equivalent offering. Compare this against PAN’s WildFire.
Breadth Of Data
SIO: One-third of world’s internet traffic goes through SIO
WildFire: No statistics available on data collected
Proven Track Record
SIO: Has been protecting customers for 7+ years
WildFire: New, unproven solution launched in late 2011
Proactive
SIO: Based on context, provides proactive protection
WildFire: Based on file content, reactive, and poor uptake because customers hesitant to upload files to PAN’s cloud
Cisco has the best remote access & BYOD solutions of all NGFW vendors
AnyConnect deployed on 150 mn+ endpoints
Unified security client: RA, Posture, NAM, Web Security
Identity Services Engine: Enabling BYOD
Example use case 1: Block high-bandwidth consuming applications for users connecting through VPN
Example use case 2: Provide differentiated access based on device type
Policy
Report
CX Today: AnyConnect provides device type information
Future plan: ISE provides device type information
Policy columns: Source (IP, AD Group or User, Security Group), Destination (IP, Security Group), Port, Action
Source Security Group | Destination Security Group | Port | Action
Guest on iPad | Guest services | http | Allow
Call center user on HVD | CRM | http | Allow
HR user on HVD | HR database | https | Allow
Any | Any | Any | Deny
Values also shown on the slide: 10.1.1.1, [email protected]
John Doe authenticates from a corporate asset. Because desktop AV is not up-to-date, it is assigned SGT = Quarantine, with limited network access until he remediates.
Jane Doe authenticates from an iPad or non corporate asset. She is assigned SGT = BYOD, and is allowed RDP access to Finance apps.
Thank you.