Keeping Up on Network Security with Cisco Secure Firewall
BRKSEC-2236, Cisco Live 2023 (#CiscoLive)
Andrew Ossipov, Distinguished Engineer, Portfolio CTO
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Your Speaker
- Andrew Ossipov, Distinguished Engineer, Portfolio CTO for Network Security
- Firewall Architecture, Threat Visibility, Hybrid Cloud, SSE

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.
Webex space: https:/

Agenda
- Introduction
- Platforms
- Threat Protection
- Connectivity
- Private and Public Cloud
- Management
- Secure Workload
- Conclusion
Release: ASA 9.19, FTD 7.3

Secure Firewall: Inspect, Infer, and Cooperate ("New-Normal Firewall")
Diagram labels: Campus, Remote, Customers, Apps, SaaS, Secure Client, Secure Workload, Dynamic Attribute Connector, CloudLock, Umbrella; Inbound and Outbound flows.
Example flows:
- TCP inside: 192.168.1.11/54397, outside: 203.0.113.100/443
- TCP inside: 192.168.2.110/34624, DC: 172.16.45.200/443
- TCP outside: 198.51.100.231/13945, DC: 172.16.45.201/443
Callouts:
- Mapping network flows to specific user actions via cloud application API and CASB.
- Client context discovery via passive fingerprinting and trusted endpoint agent cooperation.
- Continue to decrypt inbound for full app threat protection (IPS, WAF, AMP, API) with minimal functional impact.
- Workload isolation, posture enforcement, host OS and cloud native API protection (Secure Workload).

Firewall Vision: Network, Workload, and Cloud
Diagram labels: Private Cloud with Logic (VM 1), DB (VM 2), Extranet (VM 3), Secure Workload, Firewall, Front Firewall.
- Secure Workload protects the host OS at process and file levels, selectively inspects network and service mesh traffic with inline Firewall and API controls, integrates with public cloud and cloud-native orchestrators for posture and policy, and consumes policy as code from DevOps tools.
- Private or cloud-delivered Firewall inspects the application edge, implements Zero Trust Network Access (ZTNA), and continuously applies the full stack of inline security services.
- Single security management plane to abstract end-to-end policy intent from enforcement-point-specific configuration.

Firewall Threat Defense 7.2.4 Software
Release: FTD 7.2.4
- Deliberate quality checkpoint in the FTD 7.2 feature train
- Database engine hardening across FTD and FMC
- Resolve remaining Snort 3 operational issues
- Tripled automated system test cases and resolved defects
- Intense focus on customer experience and outcomes
- Validated against 100+ actual production deployments
- Select enhancements to improve deployment times and scale
- Backport to 7.0.x and baseline for 7.4.x release trains

Platforms

Secure Firewall 4200 Overview
Release: ASA 9.20, FTD 7.4
- 1RU appliance
- Appliance-mode security platform for the FTD or ASA application
- Fixed configurations: 4215, 4225, 4245
- Lightweight virtual Supervisor module with Multi-Instance and Clustering
- Integrated datapath FPGA with Flow Offload and Crypto Engine
- Rear dual redundant power supplies and triple fan trays
- SFP data interfaces: 8x1/10/25/50GE
- Expansion network modules:
  - Standard: 8x1/10GE, 8x1/10/25/50GE, 4x10/40GE, 2x100GE, 4x40/100/200GE, 2x200/400GE SFP+
  - Fail-to-Wire: 8x1GE copper; 6x10GE or 6x25GE SFP+ (SR and LR variants)
- NVMe drives: up to 2x900GB in RAID1 on 4215/4225; up to 2x1.8TB in RAID1 on 4245

Secure Firewall 4200 Architecture
Release: ASA 9.20, FTD 7.4
- x86 CPU complex: 4215: 1 CPU (64 cores); 4225: 1 CPU (128 cores); 4245: 2 CPUs (256 cores)
- RAM: 4215: 256GB; 4225: 512GB; 4245: 1TB
- 2x1/10/25GE SFP management interfaces
- On-board 8x1/10/25/50GE fiber interfaces (8x25/50Gbps)
- Hot-swappable interface expansion module
- Crypto engines, crypto offload (2x25Gbps) and flow offload engines
Diagram labels: System Bus, Ethernet, Internal Switch Fabric, Chip-to-Chip Link, 16x25/50Gbps, 4215/4225: 100Gbps, 4245: 2x100Gbps.

Secure Firewall 4200 Performance
Release: ASA 9.20, FTD 7.4
Model                         | 4215                       | 4225                       | 4245
IPsec VPN (1024B avg packet)  | 50Gbps (50Gbps per tunnel) | 85Gbps (57Gbps per tunnel) | 95Gbps (57Gbps per tunnel)
FW+AVC+IPS (1024B avg packet) | 70Gbps                     | 90Gbps                     | 148Gbps
- Up to 4x boost in IPsec VPN
- Over 2x boost in FW+AVC+IPS
- Up to 3x boost in TLS Decrypt
All performance estimates are subject to change in public release.
Configurable CPU Core Allocation
Release: FTD 7.3
- FTD had a static CPU core allocation between Data Plane and Snort
- Tailor FTD to a specific use case with a configurable allocation
- Select from a few templates in FTD 7.3; dynamic allocation in the future
- A VPN headend or basic stateful firewall would use more Data Plane cores
- Heavy IPS and file inspection would bias toward more "Snort" cores
Example: FTD on Firepower 4145: Data Plane (32 cores), "Snort" advanced inspection (52 cores), System (2 cores)

Threat Protection

Enhance Firewall with Umbrella Cloud Security
Diagram labels: Campus, Branch, FTD, SaaS, Internet, CloudLock, Umbrella; Traditional Firewall versus DNS Filtering and CASB for SaaS.
- Edge firewall is less effective against some outbound traffic: dynamically changing DNS and undecryptable TLS connections
- Selectively redirect DNS, SaaS, and other traffic to Umbrella instead
- Cloud-delivered DNS blocks most threats early with no local cycles spent
- No SaaS traffic decryption with Cloud Access Security Broker (CASB)

DNS Redirection to Umbrella
Release: FTD 7.2
- FMC registered with Umbrella for bi-directional integration
- Umbrella DNS policies can be attached to the FTD Access Control Policy
- FTD includes inline organization and device identifiers and the original client IP
Flow (Campus/Branch client, FTD, Firewall Management Center, Umbrella):
1. FMC is configured with Umbrella tenancy and imports available DNS policies.
2. Client sends a DNS request to any DNS server.
3. FTD intercepts the DNS request, applies local policy, and then redirects it to Umbrella with organizational and client metadata.
4. Umbrella sends the DNS response.
5. The Umbrella response is transparently delivered to the client.
Automatic Umbrella Tunnel for SASE
Release: FTD 7.3
- SASE Topology in FMC redirects all-port traffic to Umbrella SIG
- Builds on the DNS Connector feature to simplify bi-directional provisioning
- Modeled as a Virtual Tunnel Interface (VTI) for policy-based redirection
- Load-balancing across multiple tunnels with per-tunnel custom IKE ID

Snort 3 IPS Engine
Release: FTD 7.0+
- Thwart modern threats with the trusted NGIPS engine update
- Much higher efficacy and performance with a multi-threaded architecture
- Native support for modern protocols, such as HTTP/2 and QUIC
- Improved human-readable signature language
- Tunable inspection level within a single policy with Rule Groups
- Multiple must-have new capabilities require Snort 3:
  - Encrypted Visibility Engine (EVE) for ML-enabled security
  - Comprehensive Portscan attack detection and prevention
  - Native TLS 1.3 Decryption
  - Elephant Flow detection and impact mitigation

Encrypted Visibility Engine (EVE)
Release: FTD 7.1
Generate unique fingerprints for client applications based on outer packet fields (the TLS ClientHello); use them for policy matching and context enrichment with TLS and QUIC.
Example (two flows from the same client, fingerprinted by the Firewall):
- TCP/TLS 192.168.2.110/34624 -> 172.16.45.200/443: Confidence: 99.94%; Process: firefox.exe; Version: 76.0.1; Category: browser; OS: Windows 10 19041.329; Destination FQDN: https:/
- TCP/TLS 192.168.2.110/21013 -> 203.0.113.154/443: OS: Windows 10 19041.329; Destination FQDN: nsksdlkoup.me
EVE-enriched Unified Events
Release: FTD 7.1
- Client process name and detection confidence score; the name can be linked to a custom AppID for enforcement in FTD 7.2
- Inference-based threat alert and confidence level
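The fingerprinting EVE performs on outer packet fields can be followed end to end with an added example. This is editor-written code, not Cisco's EVE implementation (whose model and fingerprint database are not public): it constructs a ClientHello locally, parses the fields visible without decryption (legacy version, cipher suites, extension types, supported groups, EC point formats, SNI), derives a JA3-style fingerprint as a stand-in for EVE's, and looks it up in a made-up KNOWN_CLIENTS table to produce the process, confidence and destination FQDN fields the Unified Events view shows. The cipher and group lists, the table and the confidence values are constructed sample data. One real-world detail the example does handle is GREASE, the random values browsers inject into these lists; they must be stripped, or the same client yields a different fingerprint on every connection.

```python
"""EVE-style client fingerprinting from the outer fields of a TLS ClientHello.

Added example: the ClientHello bytes are constructed locally (not captured traffic),
the JA3-style fingerprint stands in for EVE's proprietary one, and KNOWN_CLIENTS is
a made-up lookup table, not the EVE fingerprint database.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Browsers insert them at
# random positions, so a stable fingerprint must drop them before hashing.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _ext(ext_type: int, body: bytes) -> bytes:
    """One TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, ciphers, groups, point_formats, versions, grease=False):
    """Construct a ClientHello wrapped in a TLS record (sample input for the parser)."""
    cs, gr, exts = list(ciphers), list(groups), []
    if grease:                                   # mimic a browser that randomises with GREASE
        cs.insert(0, 0x0A0A)
        gr.insert(0, 0x1A1A)
        exts.append(_ext(0x2A2A, b"\x00"))
    host = sni.encode("ascii")
    exts.append(_ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host))  # server_name
    exts.append(_ext(0x000A, struct.pack("!H", 2 * len(gr))
                     + b"".join(struct.pack("!H", g) for g in gr)))                     # supported_groups
    exts.append(_ext(0x000B, bytes([len(point_formats)]) + bytes(point_formats)))      # ec_point_formats
    exts.append(_ext(0x002B, bytes([2 * len(versions)])
                     + b"".join(struct.pack("!H", v) for v in versions)))               # supported_versions
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"  # legacy version, random, empty session id
    body += struct.pack("!H", 2 * len(cs)) + b"".join(struct.pack("!H", c) for c in cs)
    body += b"\x01\x00"                                         # compression methods: null only
    ext_blob = b"".join(exts)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the outer fields a fingerprint is computed from; nothing here needs decryption."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    (version,) = struct.unpack("!H", body[0:2])
    off = 2 + 32                                   # skip legacy version and random
    off += 1 + body[off]                           # session id
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                           # compression methods
    fields = {"version": version, "ciphers": ciphers, "extensions": [],
              "groups": [], "point_formats": [], "sni": None}
    if off + 2 > len(body):                        # extensions block is optional in TLS 1.2
        return fields
    (ext_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + ext_size]
        off += ext_size
        fields["extensions"].append(ext_type)
        if ext_type == 0x0000 and len(data) >= 5:  # server_name: first entry, host_name type
            (n,) = struct.unpack("!H", data[3:5])
            fields["sni"] = data[5:5 + n].decode("ascii", "replace")
        elif ext_type == 0x000A and len(data) >= 2:  # supported_groups
            (n,) = struct.unpack("!H", data[0:2])
            fields["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif ext_type == 0x000B and data:          # ec_point_formats
            fields["point_formats"] = list(data[1:1 + data[0]])
    return fields


def fingerprint(fields: dict):
    """JA3-style summary (version,ciphers,extensions,groups,point_formats), GREASE removed, plus its MD5."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    text = ",".join([str(fields["version"]), join(fields["ciphers"]), join(fields["extensions"]),
                     join(fields["groups"]), join(fields["point_formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed lookup standing in for a fingerprint database; the label and score are made up.
KNOWN_CLIENTS = {
    "771,4865-4866-49195-49199,0-10-11-43,29-23,0": ("example-browser 1.0", 0.95),
}


def enrich(record: bytes) -> dict:
    """Produce the event fields the slide shows: fingerprint, process, confidence, destination FQDN."""
    fields = parse_client_hello(record)
    text, digest = fingerprint(fields)
    process, confidence = KNOWN_CLIENTS.get(text, ("unknown", 0.0))
    return {"ja3": digest, "process": process, "confidence": confidence, "sni": fields["sni"]}


# Constructed client profile (cipher/group choices are illustrative, not a real browser's).
BROWSER = dict(ciphers=[0x1301, 0x1302, 0xC02B, 0xC02F], groups=[0x001D, 0x0017],
               point_formats=[0], versions=[0x0304, 0x0303])

if __name__ == "__main__":
    for host in ("intranet.example.test", "nsksdlkoup.me"):   # second FQDN is the one on the slide
        print(enrich(build_client_hello(host, grease=True, **BROWSER)))
```

Running the block prints two enriched events for the same constructed client going to two different FQDNs, mirroring the slide: the fingerprint identifies the client process while the SNI identifies the destination, and an access rule can combine the two, for example allowing the known browser fingerprint to corporate SaaS while sending unknown fingerprints bound for unfamiliar FQDNs to closer inspection.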
AppID Portal
Available now. AppID Portal: https:/
- Mirrors the full AppID information that is available in Firewall Management Center
- Full AppID database update information, including EVE fingerprint data

Portscan Detection and Prevention
Release: FTD 7.2
- Evolved Portscan protection engine directly within the Data Plane
- Much higher performance and detection efficacy
- Recognizes single-host, decoy-based, distributed, and port sweep scans
- Optional time-based blocking of potential attackers
- Granular configuration profiles at the Access Control Policy level
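To make the scan categories on this slide concrete, the following added example (editor-written, not Cisco's Data Plane portscan engine) classifies a constructed set of connection records into single-host, port-sweep and distributed scans and applies the slide's optional time-based blocking to sources that can be attributed. The thresholds, window size and block duration are illustrative assumptions. A decoy-based scan, where a real scanner hides among spoofed source addresses, looks like a distributed scan to counting logic alone and is reported as one here; telling the two apart needs evidence this example does not model.

```python
"""Portscan classification over connection records, following the slide's categories.

Added example: the connection records are constructed and the thresholds are
illustrative assumptions, not Access Control Policy profile defaults.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int


def detect_portscans(conns, window=60.0, port_threshold=15, host_threshold=10,
                     min_sources=3, block_seconds=600):
    """Return (alerts, blocks).

    Records are bucketed into fixed windows of `window` seconds (a simplification of
    per-flow sliding state). `blocks` maps an attributable source address to the time
    until which it stays blocked: the slide's optional time-based blocking.
    """
    ports_by_src_dst = defaultdict(set)                  # (win, src, dst)   -> distinct dports
    dsts_by_src_port = defaultdict(set)                  # (win, src, dport) -> distinct dsts
    srcs_by_dst = defaultdict(lambda: defaultdict(set))  # (win, dst) -> src -> dports
    for c in conns:
        w = int(c.ts // window)
        ports_by_src_dst[(w, c.src, c.dst)].add(c.dport)
        dsts_by_src_port[(w, c.src, c.dport)].add(c.dst)
        srcs_by_dst[(w, c.dst)][c.src].add(c.dport)

    alerts, blocks = [], {}

    def block(src, w):
        expiry = (w + 1) * window + block_seconds        # block from the end of the window
        blocks[src] = max(blocks.get(src, 0.0), expiry)

    # Single-host scan: one source probes many ports on one target.
    for (w, src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            alerts.append({"kind": "single_host", "src": src, "dst": dst,
                           "count": len(ports), "window": w})
            block(src, w)
    # Port sweep: one source probes the same port across many targets.
    for (w, src, dport), dsts in dsts_by_src_port.items():
        if len(dsts) >= host_threshold:
            alerts.append({"kind": "port_sweep", "src": src, "dport": dport,
                           "count": len(dsts), "window": w})
            block(src, w)
    # Distributed scan: several sources together cover many ports on one target while
    # each source alone stays under the single-host threshold. No single source is
    # attributable, so the alert names the target and no source block is issued.
    for (w, dst), per_src in srcs_by_dst.items():
        covered = set().union(*per_src.values())
        if (len(per_src) >= min_sources and len(covered) >= port_threshold
                and max(len(p) for p in per_src.values()) < port_threshold):
            alerts.append({"kind": "distributed", "dst": dst, "sources": len(per_src),
                           "count": len(covered), "window": w})
    return alerts, blocks


def is_blocked(blocks, src, now):
    """True while a time-based block for `src` has not yet expired."""
    return blocks.get(src, 0.0) > now


def sample_connections():
    """Constructed records: a single-host scan, a port sweep, a distributed scan, benign traffic."""
    conns = [Conn(float(p), "10.0.0.5", "10.0.1.10", p) for p in range(1, 21)]                 # 20 ports, one target
    conns += [Conn(30.0 + i, "10.0.0.6", f"10.0.2.{i + 1}", 445) for i in range(12)]           # port 445 on 12 hosts
    conns += [Conn(5.0 + n, f"10.0.3.{1 + n // 4}", "10.0.1.20", 8000 + n) for n in range(20)]  # 5 sources x 4 ports
    conns += [Conn(t, "10.0.0.7", "10.0.1.10", 443) for t in (3.0, 12.0, 40.0)]                 # normal HTTPS client
    return conns


if __name__ == "__main__":
    found, blocked = detect_portscans(sample_connections())
    for alert in found:
        print(alert)
    print("blocked sources:", blocked)
```

The distributed case deliberately yields an alert on the target but no block entry: every participating source is under the single-host threshold, so a per-source block would either miss the scan or hit addresses that may be spoofed decoys, which is why the block list is limited to sources that can be attributed.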
Simplified TLS Decryption Policy
Release: FTD 7.3
- Decryption is not required for all visibility: URL Filtering and some AppID work without it; IPS and File/Malware policies imply full decryption
- Native TLS 1.2 and 1.3 decryption
- Wizard-style flow for the Decryption policy
- Outbound decryption is ineffective for most SaaS apps
- Inbound decryption gives full control with access to the app server

Connectivity

Application-Aware Policy Routing
Release: FTD 7.1
- Native support for Policy Based Routing configuration in FMC
- Commonly used SaaS applications can be used as matching criteria
- DNS snooping to Trusted Servers to support domain pattern matching
- Data Plane maps app names to IP addresses with Network Service Groups
- Used in Direct Internet Access (DIA) breakout in WAN deployments
- SaaS application aware first-packet match
- Flexible egress interface selection policy, including ECMP over cleartext or VPN tunnels

Path Monitoring and Quality-Based Routing
Release: FTD 7.2 (HTTP(S)-based tracking: FTD 7.4)
- Policy-based interface selection can be influenced by path quality
- ICMP-based next-hop or external IP monitoring on each interface
- HTTP(S)-based SaaS app tracking in FTD 7.4

Loopback Interface
Release: ASA 9.18.2, FTD 7.3+
- Abstract to- and from-device connectivity from physical interfaces
- IPv4/IPv6 addressing in routed and transparent (except for VTI) modes
- HA/failover and clustering (except for VTI) support
Services on FTD/ASA Loopback0: Static/Dynamic VTI, IPsec VPN, BGP; SSH (ASA, FTD 7.4); SNMP, ICMP, Syslog (ASA, FTD 7.4); RADIUS (ASA only)
Elephant Flow Detection
Release: FTD 7.2
- Per-flow tracking replaces Intelligent Application Bypass (IAB)
- Throughput threshold to qualify as an Elephant Flow
- Optional flow-specific CPU resource consumption and packet drop thresholds for remediation
- Optional flow remediation actions

Client Zero Trust Network Access (ZTNA)
Release: FTD 7.2
- ZTNA expands beyond network admission control alone
- User activity must be continuously tracked throughout the app session
- Firewall, TLS Decryption, IPS, and File/Malware protection are critical
- Secure Client (formerly AnyConnect) delivers ZTNA with Firewall:
  - Dynamic Policies and Access Lists for granular posture-driven app access
  - Single Sign-On (SSO) with SAML for unified authentication
  - Certificate-based and Duo Passwordless authentication for ease of use
  - Load-Balancing across physical and virtual appliances for scalable access
  - Client profile management and distribution with XDR Device Insights

Clientless Zero Trust App Access (ZTAA)
Release: FTD 7.4; CCP-1409
- Expand Captive Portal capabilities into a full reverse proxy
- External Identity Provider (IdP) integration with posture assessment
- Future support for internal ("BeyondCorp") segmentation
Diagram labels: Remote Users, Campus Users, Posture Agent, Timesheets, Email, Sales, IdP, Internet, FTD.
- App-specific inbound flows are terminated and authenticated in full proxy mode prior to establishing the internal connection.
- Single Sign-On (SSO) with an IdP redirect for multi-factor validation and posture assessment.
- Internal campus users authenticate inline or via a portal to enable multiple access rules at once.
- Clients' source IP addresses may be preserved or hidden behind the proxy.

XDR Device Insights: Client Profile Editor
Available now.

Private and Public Cloud
Consistent Protection in Hybrid Cloud
Release: FTD 7.2
Secure Firewall capabilities across Private Cloud and Public Cloud:
- Infrastructure-as-Code and Automation for agility
- Accelerated Networking
- Integration with cloud services and management
- Snapshot-Based Instantiation
- Dynamic Policy
- Gateway Load-Balancer insertion and FWaaS
- Smart & Tiered Licensing
- Clustering & Auto Scaling

Automation with Infrastructure-as-Code
- Secure Firewall instantiation with public cloud templates
- Declarative Terraform templates for ASA and FTD (via FMC)
- FTD Dynamic Object integration with HashiCorp Consul
- Imperative Ansible tasks for ASA and FTD (FDM and FMC)
- Continuously updated Cisco DevNet repositories: https:/

Gateway Load-Balancer in AWS
Release: ASA 9.17+, FTD 7.1+
- Network firewall service insertion for inbound and outbound flows
- Redirection with GEneric NEtwork Virtualization Encapsulation (GENEVE)
- Bring-your-own TLS decryption with available software capabilities
- Autoscale and snapshot-based instantiation in FTD 7.2 and ASA 9.18
Diagram labels: Users, Internet, AWS Cloud, Internet gateway, Gateway Load Balancer Endpoint, Gateway Load Balancer, Appliance VPC, FTD, Application VPC, EC2 Instances.

Clustering for Virtual Firewalls
Release: ASA 9.17+, FTD 7.1+
- Clustering combines multiple firewalls into one logical device
- Seamless scalability up to 16 FTD units with no traffic disruption
- Stateful handling of asymmetric traffic and failure recovery
- Single point of management and unified reporting
- Better elasticity and failure handling in hybrid cloud with clustering:
  - Individual data interface IP addresses instead of a single Port-channel
  - VxLAN-based Cluster Control Link for unicast control plane
  - No source NAT requirement for handling traffic asymmetry
  - Existing flow re-hosting on failure in supported environments
Diagram labels: Cluster, vPC (x4), FTD (x4).
Attribute-Based Policies
Release: FTD 7.0+
Label         | IP Address
WebApp_Logic  | 192.168.1.151
Windows_OS    | 192.168.1.120-130
DB_Cluster    | 172.16.45.90
- Push Model: a custom orchestrator uses the FMC REST API to populate/update attribute mappings synchronously.
- Pull Model: orchestrator-specific Connectors (Dynamic Attribute Connector) subscribe to near-real-time updates.
- Real-time mapping updates reach the FTD devices without a full configuration deployment.

Firewall Policy Abstraction
Release: FTD 7.0+
Attribute sources feeding the Dynamic Attribute Connector and Firewall Management Center:
- Secure Workload: Scopes, Dynamic Objects
- Endpoint Groups (EPG) and Endpoint Security Groups (ESG)
- Attribute-Based Policy
- User-defined, Global, Regional Service Tags
- Scalable Group Tags (SGT), 802.1x and AD/LDAP Users, Endpoint Profiles
- Exchange, SharePoint, Skype for Business
- Custom Dynamic Attributes with open REST API
- User-Defined Tags
- Workflow Dynamic Object atomic actions
- ESXi and NSX Workload Meta Data
- GitHub Public Services

Cisco Multicloud Defense
Available now.
- Comprehensive and consistent VPC edge security in public clouds
- Multicloud Defense Gateway: Firewall, IPS, WAF, DLP, reverse proxy
- Inter-cloud and private cloud IPsec interconnect with ASAv/FTDv
- Fully orchestrated by the Multicloud Defense Controller in CDO
Diagram labels: Defense Gateway, Firewall, Virtual, App (x3), Extranet, Cisco Defense Orchestrator, Defense Controller.

Management

FTD Health Dashboard
Release: FMC 6.7+
- CPU (DP + Snort + System)
- Memory Utilization
- Interface Throughput
- Disk Usage
- Connections and NAT
- Critical Processes and Alerts

Cluster Health Dashboard
Release: FMC 7.3
- Cluster member status at your fingertips.
- Aggregated and minimum/maximum metrics over the selected time period across the entire cluster.
- Detailed load statistics on a per-member basis.

Unified Events with Live View
Release: FMC 7.0
- Switch to Live view for real-time event streaming.
- Filter on any field and save commonly used search templates.
- Expand each event to see all connection fields.

Change Management
Release: FMC 7.0
- Selective change deployment and detailed audit transcripts in FMC
- Individual configuration changes can be filtered and deployed by user
- Emergency rollback to one of 10 previous configuration versions
- Ticket-based change commit mode is in the future
Audit columns: Responsible User, Modified, New, Affected Configuration.

"Shallow" Access Policy Locking
Release: FMC 7.2
Simplified Access Control Policy (ACP) View
Release: FMC 7.2

Simplified ACP Rule Editor
Release: FMC 7.2
- Inline rule navigation.
- Direct access to all advanced actions.
- Wizard-style object definition for all source and destination properties.

VPN Monitoring Dashboard
Release: FMC 7.3
- Never miss headend identity certificate expiration again!
- Group active sessions by device, tunnel type, Client version, OS, or profile.
- Headend session utilization heatmap to avoid oversubscription.
- Active session list with the ability to terminate a single session or all sessions for a user.

Cloud-Delivered Firewall Management Center
Release: cdFMC 7.2
- Full FMC experience within Cisco Defense Orchestrator
- Managed backend from platform upgrades to configuration backup
Diagram labels: CDO, Configuration, cdFMC, Secure Analytics and Logging, FTD, Analytics FMC, LDAP/ISE, SaaS, Private Cloud, Events, Dynamic Attribute Connector.
- Cloud event consumption and full analytics can co-exist with or replace privately deployed FMC instances.
- A local FTD instance is used to proxy Identity connections for cloud FMC instances.
- Privately managed FMC continues to receive events and generate dashboards and reports.
- Managed FMC cloud instances configure up to 1000 devices per tenant.
- Cloud-hosted DAC instance for attribute-based policies.

Cloud Analytics Dashboard
Release: cdFMC 7.2

Simple Migration of FTD to Cloud Management
Release: cdFMC 7.2
- New devices can be easily on-boarded by serial number
- Add privately managed FMC instances to CDO for fleet migrations
- Migrations are reversible for 14 days.
- Per-device co-management dispositions.

Secure Workload

Secure Workload Functional Overview
- Born for app visibility (Tetration), graduated to microsegmentation
- Employs host OS agents for visibility and built-in firewalls for enforcement
- Consumes telemetry from agents, Netflow/IPFIX, VPC flow logs
- App flow discovery with Application Dependency Mapping (ADM)
- Policy recommendation based on observed communication patterns
- Policy impact prediction on existing flows to reduce business impact
- Numerous integrations to enrich endpoint context:
  - Workload attributes
  - User context: Secure Client (formerly AnyConnect), ISE/pxGrid
  - Cisco Secure Firewall, F5 and Citrix load-balancers for enforcement

End-to-End Application Protection
Diagram labels: Branch, Campus, Internet, Hybrid Data Center, Secure Workload, Firewall, Firewall Virtual.
- East-West Security: internal segmentation; Firewall as gateway to servers and VMs; single- or multi-site, public cloud
- North-South Security: edge Firewall and IPS; see into Campus, Branch, Internet; Attribute-Based Policies
- Workload Security: fine-grained workload isolation; network agnostic for public cloud and cloud-native; rapid automation
Secure Workload Policy Extension to Firewall
Release: Workload 3.6+
- Hybrid cloud microsegmentation with agents and network firewalls
- North-South (edge) and East-West (lateral) policy enforcement
- Edge and agentless app policy rules are automatically configured in applicable FMC policies.
- Continuously updated Dynamic Objects within Main Access Control Policy rules.
Diagram labels: FMC, Firewall, Secure Workload.

Secure Workload Policy Orchestration in FMC
Release: Workload 3.6
- Dynamic objects are used to replace IP addresses where applicable.
- Inserted rules are organized by sections.
- Different rulesets are scoped by domains.
- Outside access from workloads with known vulnerabilities, based on version and CVE data, can be blocked automatically.
Application Virtual Patching
Release: Workload 3.8
- Tailoring the FTD IPS policy to specific apps improves performance
- Workload will import vulnerability information (CVE) into FMC:
  - Leverage Network Discovery Policy
  - Update specific Host Profiles
  - Improve Firepower Recommendations

Conclusion
Cisco Security Beta Programs
"I've been involved in many beta programs. I must say that this one has been the best organized. This beta takes a very active, hands-on approach." (Higher-Ed Beta Customer)
- Product Training
- Influence Product Roadmap
- Beta Software Access
- Early Feedback Programs
Sign Up Now: https://cs.co/security-beta-nomination
Presented by Security Customer Insights

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.
- These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL
Thank you

Gamify your Cisco Live experience!
Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.