Download   Report
  1. No category

ASA CX Focus Today

ASA CX
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
• How To Sell ASA CX
• How To Compete
• Product Roadmap
• Demo
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
2
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
3
At the end of the session, the participants should be able to:
• Understand and execute on the go-to-market strategy
• Identify ASA CX updates in the last 6 months
• Understand high-level roadmap for the next 12 months
• Demonstrate key use cases to customers
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
4
ASA CX Focus Today
Apps, Users
Web Security
IPS
© 2010 Cisco and/or its affiliates. All rights reserved.
• Security teams love the visibility
• Sometimes real use cases like block P2P applications
• Often ‘sold’ to management
• Consolidation of web proxy device with FW
• Easier management
• Consolidation of IPS device with FW
• Easier management
Cisco Confidential
5
ASA CX “solution”
CX capabilities
Apps, Users
URL Filtering
Web Reputation (SIO)
Industry’s most widely deployed stateful inspection FW & remote access solution
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
6
ASA CX
SSP-10
SSP-20
Multi-core 64-bit
Multi-core 64-bit
Maximum Memory
12 GB (6 GB per blade)
24 GB (12 Gb per blade)
Maximum Storage
8 GB eUSB,
600 GB Hard Disk
Raid1 / Hotswappable
8 GB eUSB,
600 GB Hard Disk
Raid1 / Hotswappable
2 x 10 Gb SFP+
8 x 1Gb Cu
2 x 1Gb Cu Mgmt
2 x 10Gb SFP+
8 x 1Gb Cu
2 x 1Gb Cu Mgmt
Yes
Yes
Processors
Ports
Crypto Chipset
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
7
ASA CX SSP-10
ASA CX SSP-20
Throughput (Multi-protocol)
2 Gbps
5 Gbps
Concurrent Connections
500,000
1,000,000
New Connections / Second
40,000
75,000
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
8
Hardware
Software
 Redundant hot-swappable power
supplies and hard disks
 Software Failover
 OIR capable SFP/
SFP+ modules
© 2012 Cisco and/or its affiliates. All rights reserved.
 CX fail-open and
fail-close support
Cisco Confidential
9
Cisco ASA CX
Context-Aware
Threat Aware
Classic ASA Firewall
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
10
Business Problem
Addressed By ASA CX
Bandwidth misuse
View usage of Peer-to-Peer applications
Sensitive company data uploaded
to the cloud
Control usage of file sharing applications
Employee productivity
Block non-productivity-related applications, while still
allowing general access to social networking
Malware writers taking control of
machines through remote control
apps
Block remote control applications, while allowing
WebEx
Malware masquerading as a wellknown app
Identify and control applications that operate on wellknown open ports
© 2010 Cisco and/or its affiliates. All rights reserved.
Example Apps
Cisco Confidential
11
Business Problem
Addressed By ASA CX
Enforcing HR acceptable use policy
Block certain web site categories for everyone: Adult, Child Abuse Content,
Gambling, Hate Speech, Illegal Activities, etc
Creating a safe learning environment
Deny students but allow faculty access to the following web site categories:
Entertainment, Arts, Dining and Drinking, Online Trading
Maintaining employee productivity
Deny employees access to the following web site categories: Sports and
Recreation, Travel, Photo Search and Images
Controlling bandwidth-hungry sites
Deny users access to the following web site categories: File Transfer Services,
Freeware and Shareware, Illegal Downloads, Internet Telephony
Users circumventing policy
Block proxies that allow you to surf the internet anonymously
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
12
Competitor Displacement Opportunity
•
•
•
•
Websense URL filters sitting next to ASA
Customer problem 1: Scalability issues with WCCP redirection
Customer problem 2: Multiple boxes to maintain and troubleshoot
Customer problem 3: Expensive per-user pricing
ASA Attach Opportunity
• E.g. Trend Micro URL Filtering on older ASA CSC Module
• Customer problem 1: Multiple vendors to deal with
• Customer problem 2: Trend Micro’s efficacy, and unsatisfactory support
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
13
Business Problem
Addressed By ASA CX
Zero-day malware getting through
traditional defenses
Malware gets constantly tweaked so that desktop/network AV does not detect
it. New malware is released in the wild for <24 hours. Web Reputation is
always able to block it even if the payload had changed.
Social engineering attacks
You get a URL link in Facebook chat, saying “Check out this cool video!”. You
click the link. Web Reputation blocks that specific transaction, while allowing
general access to Facebook.
Infected machines sending data out
ASA’s Botnet Traffic Filter detects and blocks all attempts to contact commandand-control centers / Botnet masters
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
14
• Web Reputation protects Cisco’s 100K users from web-based threats
300 transactions blocked every minute by reputation
Supports Cisco IT’s BYOD strategy: protects all devices irrespective of OS, browser used, or what client
anti-virus software is installed
Enabled Cisco IT to reduce malware case load by 43%
Cisco-on-Cisco case study on Web Reputation (WSA):
http://www.cisco.com/web/about/ciscoitatwork/borderless_networks/ironport_web_security_appliance.html
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
15
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
16
Apps, Micro-apps and App Behavior
Broad…
… classification
of all traffic
1,000+ apps
MicroApp Engine
Deep classification
of targeted traffic
75,000+ MicroApps
App Behavior
Control user interaction with the
application
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
17
Proven,
Cisco-owned Solution
Updates Released
Every Month
• 2 years, 2,500 customers
• For the last 2 years
• 2 Bn transaction hits every
week
• Same infrastructure and
frequency with ASA CX
© 2010 Cisco and/or its affiliates. All rights reserved.
Significant Investment and
Expertise in AVC
• Focused on customer use
cases
Cisco Confidential
18
Cisco’s app support focuses on customer use cases
App
Customer Use Case
Cisco
PAN
Facebook
Allow general access but block
games and entertainment
>15 categories like Games, Business,
and Entertainment
7 coarse categories like
“Facebook apps”
iCloud
Allow access to calendar but
block non-business use like
uploading photos
Bookmarks, Calendar, Contacts, Mail,
Photos
No sub-apps
iTunes
Allow access to iBooks but block
music and video
App install, iBook, Music, Video,
Podcast
Appstore, Base, Media
Store
Google
Drive
Block upload due to data loss
concerns
Document download, upload, editing,
sharing
No sub-apps
References:
PAN: http://apps.paloaltonetworks.com/applipedia
Cisco (Web apps only yet, will be expanded to list all apps): https://securityhub.cisco.com/web/application_visibility_control
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
19
Users: Covers Wide Breadth of Identity Use Cases
AD/LDAP Identity
NTLM
Kerberos
• Non-auth-aware apps
• Any platform
• AD/LDAP credential
TRUSTSEC*
Network Identity
Secure Group Tags
IP Surrogate
AD Agent
User Authentication
• Auth-Aware Apps
• Mac, Windows, Linux
• AD/LDAP user credential
© 2010 Cisco and/or its affiliates. All rights reserved.
* ASA 9.0
Cisco Confidential
20
URL: Industry-leading coverage and efficacy
60
languages
200
countries
20
mn URLs
9000
Marketing
© 2010 Cisco and/or its affiliates. All rights reserved.
Legal
Finance
customers
Cisco Confidential
21
SensorBase
Threat Operations Center
Dynamic Updates
4 TB
750,000+
DATA RECEIVED PER DAY
30B
WEB REQUESTS
SensorBase
GLOBALLY DEPLOYED DEVICES
100M
EMAIL MESSAGES
Threat Operations Center
35%
WORLDWIDE TRAFFIC
Dynamic Updates
$100M
24x7x365
SPENT IN DYNAMIC RESEARCH AND
DEVELOPMENT
OPERATIONS
500
40+
80+
ENGINEERS, TECHNICIANS
AND RESEARCHERS
LANGUAGES
Ph.D.s, CCIE, CISSPs, MSCEs
Threat Operations Center
Dynamic Updates
3 to 5
6,500+
MINUTE UPDATES
IPS SIGNATURES PRODUCED
20+
200+
8M+
PUBLICATIONS PRODUCED
PARAMETERS TRACKED
RULES per DAY
Threat Operations Center
Dynamic Updates
Cisco SIO
www.facebook.com
© 2010 Cisco and/or its affiliates. All rights reserved.
GO
Cisco Confidential
26
Checkpoint and Fortinet don’t have an equivalent offering. Compare this against PAN’s WildFire.
Breadth Of Data
SIO: One-third of world’s internet traffic goes through SIO
WildFire: No statistics available on data collected
Proven Track Record
SIO: Has been protecting customers for 7+ years
WildFire: New, unproven solution launched in late 2011
Proactive
SIO: Based on context, provides proactive protection
WildFire: Based on file content, reactive, and poor uptake because customers hesitant to upload
files to PAN’s cloud
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
27
Cisco has the best remote access & BYOD solutions of all NGFW vendors
AnyConnect deployed on 150 mn+ endpoints
Unified security client: RA, Posture, NAM, Web Security
Identity Services Engine: Enabling BYOD
Example use case 1: Block high-bandwidth consuming applications for users connecting
through VPN
Example use case 2: Provide differentiated access based on device type
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
28
Policy
Report
© 2010 Cisco and/or its affiliates. All rights reserved.
CX Today
Future plan
AnyConnect provides
device type information
ISE provides
device type information
Cisco Confidential
29
Source
IP
AD Group or User
Any
[email protected]
Any
Any
Any
Destination
Security Group
Security Group
Port
Action
Guest on iPad
Guest services
http
Allow
Any
Call center user on
HVD
CRM
http
Allow
Any
Any
HR user on HVD
HR database
https
Allow
Any
Any
Any
Any
Any
Deny
10.1.1.1
John Doe authenticates from a corporate asset.
Because desktop AV is not up-to-date, it is assigned
SGT = Quarantine, with limited network access until he
remediates.
© 2010 Cisco and/or its affiliates. All rights reserved.
IP
Action
Any
Jane Doe authenticates from an iPad or non corporate
asset. She is assigned SGT = BYOD, and is allowed
RDP access to Finance apps.
Cisco Confidential
30
Thank you.
Cisco TelePresence IX5000 Series At a Glance

Cisco TelePresence IX5000 Series At a Glance

Cisco OS Bug Scrub Engineer

Cisco OS Bug Scrub Engineer

Document 241273

Document 241273

5.5.1.11 Lab - Use the System Restore Tool in Windows... Introduction IT Essentials 5.0

5.5.1.11 Lab - Use the System Restore Tool in Windows... Introduction IT Essentials 5.0

How to Measure Agent Performance across Productivity &amp; Quality

How to Measure Agent Performance across Productivity &amp; Quality

How To Use Technology To Build An Effective Business Intelligence (BI)

How To Use Technology To Build An Effective Business Intelligence (BI)

S A - H

S A - H

A New Security Model for the IoE World Timothy Snow, CCIE Cisco

A New Security Model for the IoE World Timothy Snow, CCIE Cisco

How to Get the ICD Extension to Appear on the Contents

How to Get the ICD Extension to Appear on the Contents

E Test Hardware and Software in

E Test Hardware and Software in

abcdocz.com

© Copyright 2024