#CiscoLive
BRKSEC-2191: Policy Driven Secure Hybrid Cloud Architecture
David Jansen, CCIE 5952, Distinguished Architect
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

A little bit about David
- Cisco role: Distinguished Architect, work with customers daily
- Unofficial title: "A person that needs to learn how to say, 'No.'"
- Experience: been at Cisco my life.
- Fun fact 1: An awesome husband; father of a daughter and twin boys
- Fun fact 2: Written/published 4 books; 4 video series and working on my last one
- Fun fact 3: Enjoy the outdoors, music, working out, running, etc.

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023. https:/

Abstract
This session will introduce how users/devices connect to public and private applications in a hybrid multi-cloud design; users and workloads are everywhere. We will discuss security services that use multi-tenancy and segmentation to provide security controls. As customers continue to face regulations, we will discuss security services that support policy compliance and regulatory requirements. The goal is to outline a security framework architecture that highlights critical security technologies to help customers, employing this foundational blueprint across Branch/Campus, on-premises Data Centers/co-location and cloud workloads. Included in this design and covered in this session are the following key technology pillars that represent the security baseline:
- Identity management
- Segmentation & multi-tenancy
- Visibility & telemetry
- Security & policy communications

Problem Statement
- Where do I start with ZTNA?
- What solution(s) do I leverage for a given use-case?
- There are multiple personas in modern IT technology stacks.
- Cloud continues to be the disruptor, and our customers have been on this Cloud journey for several years.

Goals of this session
- Provide use-cases and solutions to help with the ZTNA journey
- Share real-world experience with customer deployments and problems experienced
- Reinforce the sentiment that ZTNA is a journey!
Figure: Application (CASB/HTTPS), Network (NGFW/IPS), Zero Trust.

Agenda
- Trends on Customer and Industry transformation
- Architectural Building Blocks
- Designing Policy
- Use Cases: Security Service Edge (SSE); Secure Access Service Edge (SASE); Software Defined Cloud Interconnection (SDCI); Extending Policy to Public IaaS; Secure Workload Identity with ISE
- Validating Policy
- Summary

The Customer and Industry transformation
Figure: perimeter security appliances to protect the network; Internet/Cloud-centric; user-to-application; site-to-site; Digital Exchange; Internet; MPLS.
- Traditional: site-to-site connectivity; MPLS transport; core routing services; perimeter security; connectivity SLA
- Today: Cloud OnRamp; SD-WAN/overlays; cloud-delivered security; users/devices/things; application SLA

What has changed?
Figure: MPLS, Remote Site, Data Center, Remote User.
- The customer's network and security enterprise perimeter/edges are no longer the physical borders of physical locations or street addresses.
- This has resulted in the new perimeter.
So where is the new perimeter? Wherever security controls and capabilities are needed to protect users/devices, things, applications and data; the security perimeter is everywhere.

Architectural Building Blocks

What is Middle-Mile?
- The Internet is changing from a network-of-networks to a network-of-services
- WAN is evolving to a Service Exchange
- Discrete circuits connecting locations
- Consumption options; optimize traffic flows; cloud connectivity
Figure (remote location + geo(s)):
- First mile: local access from the customer premises to a colocation/PoP; transport is a WAN service, Internet or private networks
- Middle-mile: interconnect transport from the colocation/PoP to a Regional Peering Edge/Service Exchange over an SP core network, SDCI, CSP, SSE/SASE or private network
- Last mile: the cloud provider network; CSP network, ASN or private networks

What is SD-WAN?
- Fabric for any-to-any communication
- Better application experience
- Application Aware Routing
- Security
- Optimized cloud connectivity
- Simplified management

Putting it all Together: Zero Trust, SDWAN, SASE and SSE (market convergence)
- Connect It (SD-WAN): Secure SD-WAN Fabric*; performance-based Internet routing; SD-WAN Analytics (including Internet Intelligence); on-ramp into Public IaaS and Private Cloud*; on-prem Unified Threat Management
- Secure It (SSE): Firewall as a Service (FWaaS); Secure Web Gateway (SWG); Cloud Access Security Broker (CASB); Zero Trust Network Access (ZTNA)
- SASE = SD-WAN + SSE
- Principle: Zero Trust methodology; Capabilities; Architecture

Security Stack for the cloud edge (figure)

Designing Policy

Where should you start?
- Business case/objective: regulatory (PCI, HIPAA, Govt, BSI, SSI) results in segmentation (put scope around the segmentation)
- Exec sponsor is a must have
- Start with PIN vs use-case; i.e. do you start at the DC first or do you start with the users (start small)
- What tools help with the process?
CISO: How do I deploy segmentation without getting fired?

Introducing TrustSec
Figure: SGT_Contractor (Contractor 1-4); SGT_Employee (Employee 1-4); SGT_BuildingManagement (Temperature Device 1-2, Surveillance Device 1-2); SGT_FinanceServer (Fin 1-2); SGT_Printers (Printer 1-2).
- Simplified access control with Group Based Policy: Classification, Propagation, Enforcement
- SGT(s) embedded into NetFlow

Policy and Segmentation is a Process
- Objectives: success criteria (i.e. regulatory compliance & reduced threat surface; who measures success? The auditor)
- Define Segments: memberships and relationships
- Validation: would it work?
- Enforcement: active enforcement
- Verification: is intent captured correctly?

Starting a Design
- Identify assets to protect: PCI data, production systems, intellectual property
- Methods of classification: static, dynamic
- Policy Enforcement Points: Firewall, Umbrella, Route/Switch (TrustSec)
- Propagation methods: inline tagging, out-of-band overlay, implied
Best Practice: Start small, you don't have to do everything at once.

Secure Network Analytics: TrustSec Policy Analytics (figure)

TrustSec Analytics Report
Designed to provide visibility into SGT traffic:
- How do I decide what policies should exist between my groups?
- How do I know that my policies are correct and won't disrupt operations?
Report colors:
- Gray: no traffic
- Green: there is traffic and a permit IP ACL exists
- Red: there is traffic and a deny IP ACL exists
- Blue: custom policy

Business Centric Segmentation
Figure: Engineers, Non-Beer Drinkers, Bottling Line.
- Business-based groups and memberships
- Business-centric relationships between groups

Use Cases
1. Secure Access Service Edge (SASE)
2. Security Service Edge (SSE)
3. Software Defined Cloud Interconnection (SDCI)

Architecture: Cisco SASE/SSE/SDCI
Figure: Data Center, Application Destinations, Users/Devices/Things, Middle Mile/colo, Private Transport, Public Transport, Site 1 ... Site n, Remote User, Proxy/DNG.
- Use-case based
- Not everything will be behind a common enforcement point
- Ability to choose how to enforce
- Ability to choose where to enforce
- Coarse-grain and fine-grain policy

Use Cases: Cisco Secure Access (SSE), Cisco+ Secure Connect (SASE)

Cisco Secure Access (SSE): Transparently secures users-to-applications (remote users)
- Internet: redirected transparently to the SSE cloud; DNS/Web applications
- SaaS applications: CASB/DLP protections inline and via API; app bypass also supported
- Private modern applications: ZTNA gives controlled access to selected applications
- Private traditional applications: RA-VPN gives full network access for existing applications
- Secure Client* or clientless; user authentication and device trust; ZTNA per-app tunneling
*formerly known as AnyConnect

Cisco Secure Access (SSE): Transparently secures users-to-applications (Branch/Campus, Site 1 ... Site n)
- Internet: redirected transparently to the SSE cloud; DNS/Web applications
- SaaS applications: CASB/DLP protections inline and via API; app bypass also supported
- Private modern applications: ZTNA gives controlled access to selected applications

Cisco+ Secure Connect (SASE): SDWAN + Security
Figure: SDWAN Fabric (Meraki/Viptela); Users, Devices; SGT Enforcement; ISE.
- Internet, SaaS, private modern (ZTNA) and private traditional (RA-VPN) applications as above
- SASE/SSE bypass/DIA: getting the right traffic to the right place; not every application has to go thru SASE/SSE. For example, Office365 with no proxy/SWG.
- Value of ISE: users/trusted devices

Cisco+ Secure Connect (SASE): SDWAN + Security, IoT
Figure: SDWAN Fabric (Meraki/Viptela); SGT Enforcement; IoT; ISE.
- SASE/SSE bypass/DIA: not every application can go thru SASE/SSE. For example, Office365 with no proxy/SWG.
- Today: SGT tags are not supported in the SSE cloud. However, the firewall/router can enforce on the tag at the CPE.
- SGT Enforcement: route a specific tunnel via the IoT tag; the tunnel can have a different policy for IoT/AD-groups/subnets/tunnel-id in the policy as well.
- Value of ISE: IoT and workload

Use Cases: Software Defined Cloud Interconnection (SDCI)

SDCI: Transparently secures users-to-applications
Figure: SDWAN Fabric (Meraki/Viptela); Encrypted SD-WAN Fabric; Site 1 ... Site n; Remote User; Proxy/DNG; ISE. Endpoints: Secure Client*, clientless, Branch/Campus, IoT.
- DIY/SaaS consumption: single pane via vManage, end-to-end network automation
- End-to-end network + security automation
- End-to-end policy, encryption and segmentation; ability to carry segmentation
- Security stack, PEP enforcement points
- Ability to do egress enforcement with Viptela/Meraki SDWAN
- Ability to provide remote user/site connectivity and security to different destinations: SaaS, private and public applications
- Ability to carry VN/VRF and SGT end to end
- Ability to choose enforcement options
- Identity integration with on-prem ISE
- Secure Client* or clientless VPN/ZTNA

SDCI: SDWAN + Secure Firewall
- Identity-based firewall; SGT-based firewall
- Ability to carry + enforce VN/VRF and SGT end to end
- Ability to choose enforcement options
- Deployment options: Base: FW; Advanced: identity-based FW integration w/ ISE; Advanced: SGT-based firewall
- Leverage on-prem ISE investment

SDCI: SDWAN + NGFWv
- Requires Advanced NGFW
- SDWAN + FW: NGFWv automated to offer a secure policy enforcement point (PEP)
- vManage for Day 0/1, and the FW manager (SecOps) for Day 2+
- Identity + ISE
- Ability to carry VN/VRF and SGT end to end
- Ability to choose enforcement options
- Identity integration with on-prem ISE
- NGFWv deployment options: Base: NGFWv; Advanced: identity-based FW integration w/ ISE; Advanced: SGT-based firewall
- Leverage on-prem ISE investment

Unified Security policy and intent: SDWAN + cEdge Firewall
Figure: ZBFW policy matrix (Source x Destination) over the groups Contractor, Employee and PLC, with Permit All / Deny All cells; destinations IaaS, SaaS, private apps; ISE with Employee and Contractor groups; pxGrid; FW policy; Active Directory.
- Granular security control at user/group level
- Identity-based firewall: IP to user/group mapping; OMP: IP to user/group mapping
- SGT-based firewall: user/device to SGT mapping; OMP: IP to SGT mapping

Cisco SASE/SSE/SDCI: End-to-end segmented traffic + enforcement, user to application
Figure: rails Guest Internet VN/VRF/SGT, Things VN/VRF/SGT, Users/Apps VN/VRF/SGT, each with NGFWv; ISE.
- Keep specific traffic on its own "rail"
- VN/VRF is the ability to get traffic to the firewall
- Micro-segmentation can also be applied
- Use security policy to cross-connect "rail" to "rail" policy/communication
Resulting in:
- Security policies that are aligned to user and group vs IP addresses
- The SDWAN embedded security stack is now aware of user identity and applies policy
- Identity firewall capability provides granular access control based on user identity
- ZTNA trust assertion based on user and device context; trust-based establishment

SDCI: Transparently secures application-to-application (SDWAN + NGFWv)
- Web to database
- Auto-scaled application
- Container applications
- Cloud to cloud
- Cloud to on-prem Data Center
- API to API via HTTPS

End-to-end segmented traffic + enforcement, application to application
Figure: rails Web Front End, Databases, Finance Application, each with NGFWv.
- Keep specific traffic on its own "rail"
- VN/VRF is the ability to get traffic to the firewall
- Micro-segmentation can also be applied
- Use security policy to cross-connect "rail" to "rail" policy/communication

Use Case(s): Extending Policy to Public IaaS

Enabling Group-based Policies
Figure: IaaS, Cat8Kv, NGFWv, ISE.

Extending Policy & Control into AWS
- Leverage Security Group Tags (SGT) within the IaaS environment
- Configure SGTs and ISE controls on the CAT8Kv/NGFWv within the AWS Transit VPC environment
- Then manually create policy groups within ISE to manage segmentation and control between VPCs

AWS Transit VPC: Simplifying Segmentation and Control
Figure: Dev (VPC1, 20.0.0.0/16), Prod (VPC2, 30.0.0.0/16), CiscoLive (VPC3, 40.0.0.0/16); Transit VPC (AZ1, AZ2) with a pair of CAT8Kv; Direct Connect to the Data Center (192.168.0.0/16, CAT8000, 192.168.0.6, 192.168.1.2); dynamic route peering; Internet; Employee Tag, Developer Tag, Cisco Live Tag, Dev VPC Tag, Prod VPC Tag; ISE for identity & access control and policy enforcement.
- Control spoke to spoke; control user to app; control app to app; control Internet
- Control traffic between VPCs
- Simplify security configurations
- Scale security group control
- Single control point
- Secure Internet breakout by enabling Snort IPS on CAT8Kv
Control access to spoke VPCs based on SGT tags and policy enforcement within the Transit VPC hub CAT8Kvs.

AWS Transit VPC with NGFWv
Same design as above with NGFWv added in the Transit VPC.

Dynamic Attributes Connector (CSDAC)
Figure: Engineer 10.100.18.22; Accountant 10.100.19.7; AWS endpoint IaaS ?.?.?.?; Azure endpoint IaaS ?.?.?.?; Firepower sensor; FMC.
- Instead of manually defining the IP/group mapping in dynamically changing cloud environments
- Subscribe to and pull dynamic IP feeds
- Ability to assign multiple IP addresses to multiple dynamic firewall objects

AWS Transit VPC with host addresses
Figure: same design, with hosts 20.1.1.100, 20.1.1.75, 30.1.1.200, 30.1.1.50, 40.1.1.50, 40.1.1.75.

Cisco Secure Workload
Figure: Engineer 10.100.18.22; Accountant 10.100.19.7; AWS endpoint IaaS 20.1.1.75; Azure endpoint IaaS; Firepower sensor; FMC; ISE; 30.1.1.50, 40.1.1.50, 10.1.1.10.
- Segmentation policy enforcement at workloads
- Virtual machines, containers and bare metal
- Private and public IaaS
- Prevent east/west lateral movement
- Dynamic policy
- Policy enforcement
- Policy visibility

Use Case: Secure Workload Identity with ISE

Secure Workload Identity with ISE provides the following benefits:
- IP to SGT/user mappings: give context to flows in a single interface
- Dynamic mappings: support for shared devices where the user changes
- Flow search by username, group or SGT: what were the connections from user X?
- ADM maps reflecting SGT tags: which devices or users are accessing the right applications
- ISE publishes updates over the pxGrid message bus
- Secure Workload consumes this message bus and annotates the hosts/end-points provided by ISE

ISE Provides Campus Identity to Secure Workload DCs
Figure: Cisco Secure Workload Analytics Platform. User: Tony, SGT: 16 (Doctors), IP: 23.72.193.172. Applications/Data (software sensor). Enforced policies for User: Tony or SGT: 16 = Doctors; App: Patient-Data (EPG); IP: 23.72.193.172 may not access employee data, may access patient records. Dynamic policy generated.
1) The sensor endpoint is sending telemetry data.
2) The endpoint also authenticates with ISE, which notifies our identity repository via pxGrid.
3) Secure Workload merges the two streams and outputs dynamically generated policy.

Secure Client* Solution Overview
- Enable data modelling with the Secure Client Network Visibility Module (NVM)
- Consistent method to identify, discover, group, classify and segment based on modelled customer policy as well as application (consistency across Branch, Campus, DC and Cloud)
- Apply the Zero Trust security model between segmented groups
- Enforce segmentation policy on existing customer infrastructure (endpoints, routers, switches & FWs)
- Automate the removal of infected endpoints (rapid threat containment to isolate, protecting applications & data)
*formerly known as AnyConnect

Enterprise Policy Discovery
Figure: Cisco Secure Workload Analytics Platform. User: Steven, SGT: 20 (Doctors), IP: 23.72.193.172. Enforced policies for User: Steven or SGT: 20 = Doctors; User: Cisco/userid; App: Patient-Data (EPG); IP: 23.72.193.172 may not access employee data, may access patient records. Dynamic policy generated.
1) Secure Client NVM streams IPFIX to Secure Workload.
2) The endpoint also authenticates with ISE, which notifies our identity repository via pxGrid.
3) Secure Workload merges the two streams and outputs dynamically generated policy.
IP 23.72.193.172 today is "Steven"; it could be a different user tomorrow.

Validating Policy

Secure Network Analytics / Secure Workload Policy Analytics
Figure: Flow Collector, Manager, Identity Services Engine, Secure Client, infrastructure.
1. TrustSec Analytics Reports
2. Direct flow analysis leveraging SGT in the flow table
3. Custom Security Events

Secure Network Analytics: TrustSec Policy Analytics
Two report types introduced in Secure Network Analytics v7.3.1.
Ability to validate that the trusted ISE policy is being observed, from near real-time network telemetry.

Secure Workload: Flow Search (figure)

Secure Workload: Compliance, Policy Validation
All flows are tracked 4 ways:
- Permitted: bidirectional flows that match the policy
- Misdropped: permitted traffic where we have dropped a packet
- Escaped: bidirectional flows that are against the policy
- Rejected: uni-directional flows that are against the policy
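One way to implement the two validation checks described above, the TrustSec analytics report colouring and Secure Workload's four-way flow tracking, as an added example that is not Cisco's code. The SGT policy matrix, SGT names and flow records are constructed for the example; Blue (custom policy) is left out because the deck gives no rule for it.

```python
"""Policy validation over SGT-tagged flow telemetry (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed SGT policy matrix: (source SGT, destination SGT) -> "permit" | "deny".
# Pairs not listed fall back to DEFAULT_ACTION (a deny-by-default matrix).
POLICY = {
    ("Employee", "FinanceServer"): "permit",
    ("Employee", "Printers"): "permit",
    ("Contractor", "Printers"): "permit",
    ("Contractor", "FinanceServer"): "deny",
    ("BuildingManagement", "FinanceServer"): "deny",
}
DEFAULT_ACTION = "deny"
SGTS = ["Employee", "Contractor", "BuildingManagement", "FinanceServer", "Printers"]


@dataclass(frozen=True)
class Flow:
    src_sgt: str
    dst_sgt: str
    bidirectional: bool   # True if the responder answered (two-way conversation)
    dropped_packets: int  # packets the enforcement point dropped on this flow


def lookup(src_sgt, dst_sgt):
    """Resolve the policy action for an SGT pair."""
    return POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def classify_flow(flow):
    """Map one flow to the Secure Workload compliance outcomes from the slide."""
    action = lookup(flow.src_sgt, flow.dst_sgt)
    if action == "permit":
        if flow.dropped_packets > 0:
            return "Misdropped"   # policy permits it, yet enforcement dropped packets
        if flow.bidirectional:
            return "Permitted"    # two-way flow that matches the policy
        # The slide's four definitions do not cover a one-way permitted flow
        # with no drops (e.g. unanswered traffic), so it is bucketed separately.
        return "Unclassified"
    # Policy says deny: a two-way conversation means the deny was not enforced.
    return "Escaped" if flow.bidirectional else "Rejected"


def compliance_summary(flows):
    """Count flows per outcome; Escaped is the bucket a defender looks at first."""
    return Counter(classify_flow(f) for f in flows)


def escaped_pairs(flows):
    """SGT pairs where denied traffic was observed two-way: enforcement gaps."""
    return {(f.src_sgt, f.dst_sgt) for f in flows if classify_flow(f) == "Escaped"}


def trustsec_report(flows, sgts):
    """TrustSec analytics cell per (src, dst) SGT pair: Gray = no traffic seen,
    Green = traffic seen and the policy permits it, Red = traffic seen and the
    policy denies it."""
    seen = Counter((f.src_sgt, f.dst_sgt) for f in flows)
    report = {}
    for src in sgts:
        for dst in sgts:
            if seen[(src, dst)] == 0:
                report[(src, dst)] = "Gray"
            elif lookup(src, dst) == "permit":
                report[(src, dst)] = "Green"
            else:
                report[(src, dst)] = "Red"
    return report


# Constructed flow telemetry, as NetFlow with embedded SGTs would deliver it.
SAMPLE_FLOWS = [
    Flow("Employee", "FinanceServer", True, 0),              # Permitted
    Flow("Employee", "FinanceServer", True, 3),              # Misdropped
    Flow("Contractor", "FinanceServer", True, 0),            # Escaped: deny not enforced
    Flow("Contractor", "FinanceServer", False, 0),           # Rejected: deny enforced
    Flow("Contractor", "Printers", True, 0),                 # Permitted
    Flow("BuildingManagement", "FinanceServer", False, 0),   # Rejected
]

if __name__ == "__main__":
    print(dict(compliance_summary(SAMPLE_FLOWS)))
    print("escaped pairs:", escaped_pairs(SAMPLE_FLOWS))
    for (src, dst), color in sorted(trustsec_report(SAMPLE_FLOWS, SGTS).items()):
        if color != "Gray":
            print(f"{src} -> {dst}: {color}")
```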
Summary
- Provided guidance on how and where to start on the ZTNA journey
- Simplified security controls and capabilities to protect users/devices, things, applications and data, aligned to operational personas
- Ability to define dynamic classification (source and destination), define policy and enforcement
- Provided the ability to monitor, view and audit policy
- Provided capabilities to expand to the cloud, not to migrate to the Cloud

Please fill out the survey
Drop your email in the comments, I WILL respond!

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Thank you
#CiscoLive

Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.