Introduction to Cisco Security Products

Advanced Malware Protection (AMP)

What it is?

AMP protects computer systems from viruses and malware like ransomware, trojans, worms, spyware, adware and fileless malware.

Cisco AMP has following deployment options:

• Cisco Secure Endpoints (formerly AMP for Endpoints)
  • Endpoint protection
  • Supported OSs: Windows, Apple, Android and Linux
• AMP for Networks
  • integrated to NGIPS, Firepower and ASA with Firepower services
• Cisco AMP on ESA or WSA
  • AMP capabilities for email security or web security appliance
• Cisco AMP for Meraki MX
  • AMP as part of the Meraki MX security appliance
• Cisco Threat Grid
  • Threat Grid integrated with AMP solution in cloud or appliance

How it works?

• Before an attack – Prevention
  • AMP uses Cisco’s Talos Security Intelligence, Research Group and Threat Grid’s threat intelligence feeds to strengthen defenses and protect against known and emerging threats.
  • Prevention techniques: file reputation, antivirus, machine learning analysis, exploit prevention, script protection, behavioral protection
• During an attack – Detection
  • AMP uses Cisco Threat Grid’s dynamic malware analysis technology coupled with known file signatures to identify and block harmful files and exploit types entering the network.
  • Detection techniques: malicious activity protection, cloud-based indicators of compromise, host-based IoCs, vulnerabilities, low prevalence
• After an attack – Response
  • Follows file behavior and if “good” file starts behaving badly, it will generate an alert. AMP can provide information from where the file came, what it affected and what it doing at the moment. It also has remediation features to stop the intrusion.
  • Response techniques: dashboards and inbox, endpoint forensics, dynamic analysis, retrospective security, command line visibility, endpoint isolation, advanced search

• Supported platforms:
  • Microsoft Windows 8, 10
  • Windows server 2012 ->
  • Red Hat Enterprise Linux or CentOS 6.9 ->
  • Oracle Linux 6.10 ->
  • Apple iOS 11.3 -> 
  • Apple macOS 10.13 ->

Datasheets:
Cisco AMP for Endpoints – Cisco Secure Endpoint (formerly AMP for Endpoints) Data Sheet – Cisco
Cisco Advanced Malware Protection for Networks Data Sheet – Cisco

AnyConnect

What it is?

The AnyConnect client is a lightweight, modular security client empowering remote users secure access to a company network.

How it works?

Secures client connection and an end user device. AnyConnect client has following features:

• VPN
• 802.1X
• Compliance check
• Network visibility
• Cisco Umbrella Roaming
• Integration with Cloud Web Security
• Secure Endpoint enabler

Operating System support:

• Windows 7 ->
• Mac OS X 10.8 ->
• Linux Intel (x64)

 Datasheet:
Cisco AnyConnect Secure Mobility Client – Cisco AnyConnect Secure Mobility Client Data Sheet – Cisco

Adaptive Security Applicance (ASA)

What it is?

Cisco Adaptive Security Appliance (ASA) software is the core operating system for the Cisco ASA Family. It delivers firewall capabilities for ASA devices including VPN and IPS functionality.

How it works?

• Integrated IPS, VPN and unified communications capabilities
• Multi-site, multi-node clustering
• High availability for high resiliency applications
• Can be deployed as physical and virtual devices
• Context awareness with Cisco TrustSec security group tags and identity-based firewall technology
• Dynamic routing and site-to-site VPN on a per-context basis
• Integrades with Cisco Cloud Web Security solution.

Datasheet:
Cisco ASA Software Release 9.0 Data Sheet – Cisco

Cloudlock

What it is?

Cloudlock is Cloud native Cloud Access Security Broker (CASB), which protects cloud users, data and applications.

How it works?

• Cloudlock uses APIs to manage and advanced machine learning to detect anomalies.
• Data Loss Protection (DLP) is used continuously to detect and secure sensitive information.
• Cloudlock Apps Firewall discovers and controls cloud applications giving crowd-sourced Community Trust Rating to the applications. Based on the trust rating an application can be ban or allowed.

Datasheet:
cisco-cloudlock-cloud-data-security-datasheet.pdf

Digital Network Architecture – DNA (SD-Access)

What it is?

Cisco Digital Network Architecture (DNA) is Cisco’s solution to provide Software Defined Access network to centrally manage and monitor switches, wireless controllers and access points.

How it works?

• Cisco DNA Center provides a single-pane-of-glass to manage and monitor the environment. It integrates Cisco ISE, switches, wireless controllers and access points combining them to a fabric.
• The fabric includes Scalable Group Tags (SGT) feature to provide native security inside the fabric using stateless access lists (ACL).
• To avoid L2 loops and problems due to spanning-tree the fabric has two layers, underlay on overlay.
• Fabric uses IS-IS and BGP routing protocols to form L3 fabric underlay network.
• Fabric overlay is based on LISP as a control plane protocol and VxLAN as dataplane protocol.
• Automates network provisioning, device management and security products integration.
• Assurance utilizes AI/ML with Cisco best practices to optimize network performance and reduce troubleshooting time.
• Cisco DNA Center can be also used to manage and monitor traditional switching and wireless networks, but then lacks automation and ease of network operation.

SD-Access fabric CVD:
Software-Defined Access Medium and Large Site Fabric Deployment Guide – October, 2019 (cisco.com)

Duo

What it is?

Duo is multi-factor authentication (MFA) and zero-trust security platform.

How it works?

Duo provides two-factor authentication for VPN, email, web portal, cloud services, etc. After successful primary authentication, users simply approve a secondary authentication request. Other options to the secondary authentication are a phone call or a one-time passcode generated by the Duo Mobile app, a compatible hardware token, or received via SMS.

Firepower

What it is?

Cisco ASA stateful firewall provides access control and traffic filtering, but Cisco Firepower is Cisco’s Next-Generation Firewall (NGFW) providing also application visibility and control, integrating Next-Generation IPS and Advanced Malware Protection (AMP). Also, URL filtering capabilities prevents access to malicious sites.

How it works?

• Cisco Secure Firewall Management Center is the single pane of glass for administrative tasks.
• Firepower series include:
  • Firepower 1000 for SMB and branch offices
  • Firepower 2100 for large branch and commercial and enterprise needs.
  • Firepower 4100 for large campus and datacenters.
  • Firepower 9300 for service providers and high-performance datacenters.
  • ASA 5500-X with Firepower Services for small and mid-size organizations.
  • Cisco Firepower NGFW Virtual (NGFWv) available on VMware, KVM, and the Amazon Web Services (AWS) and Microsoft Azure

Datasheet:
Cisco Secure Firewall Management Center (formerly Firepower Management Center) Data Sheet – Cisco
Cisco Firepower 1000 Series Data Sheet – Cisco
Cisco Firepower 2100 Series Data Sheet – Cisco
Cisco Firepower 4100 Series Data Sheet – Cisco
Cisco Firepower 9300 Series Data Sheet – Cisco
Cisco ASA 5500 Series Data Sheet – Cisco
Cisco Firepower NGFW Virtual – Cisco Threat Defense Virtual (formerly NGFWv) Appliance Data Sheet – Cisco

ISE = Identity Service Engine

What it is?

Cisco Identity Services Engine (ISE) is authentication, authorization and accounting (AAA) server for network services. It enables creation and enforcement of access policies for end-devices network access and network devices administrative access.

How it works?

• Cisco ISE runs Radius and TACACS+ services
• Includes device profiling, posture and BYOD service, guest portals
• Deployment includes following personas, which can run on a single platform or distributed deployment.
  • Policy Administration Node (PAN)
  • Monitoring  Node (MnT)
  • Policy Services Node (PSN)
• Hardware appliances
  • Secure Network Server 3615 – Small – Endpoint support 10 000
  • Secure Network Server 3655 – Medium – Endpoint support 25 000 or dist. 50 000
  • Secure Network Server 3695 – Large – Endpoint support 50 000 or dist. 100 000
• Virtual appliance
  • Virtual appliances are supported on VMware ESX/ESXi 5.x and 6.x and KVM on RedHat Enterprise Linux (RHEL) 7.
  • Virtual appliances should be run on hardware that equals or exceeds the configurations of the physical platforms

Datasheets and ordering guide:
Cisco Identity Services Engine – Cisco Identity Services Engine Data Sheet – Cisco
Cisco Identity Services Engine – Cisco Identity Services Engine Ordering Guide – Cisco
Cisco Identity Services Engine – Cisco Secure Network Server Data Sheet – Cisco

SD-WAN (Viptela)

What it is?

Connecting to Cisco SD-WAN, each network device can find and select the best path to the application or service residing in the data center or public cloud. Cisco SD-WAN can use any transport method including Internet, MPLS, 5G/LTE. Used to be under brand Viptela until Cisco bought it.

How it works?

Cisco SD-WAN flexibility implements overlay, underlay, physical, and virtual networks. It has separate and dedicated control plane, data plane, and management and orchestration of the WAN.

• Cisco SD-WAN supports:
• Voice and Unified Communications (UC) support
• IPv6 support (BGP, OSPF)
• IP multicast support
• Provides multicast capability across platforms (PIM-SSM, IGMPv2, and IGMPv3)
• Flexible multicloud deployment options (Cloud OnRamp)
  • IaaS
  • SaaS
  • Colocation
• Built-in security or cloud security with Cisco Umbrella Secure Internet Gateway (SIG)
• Integrated auto-registration and auto-configuration of cloud-delivered Cisco Umbrella from SD-WAN
• Talos integration
• On-premise security with application-aware enterprise firewall, Snort IPS, encryption, URL filtering, AMP for networks

Datasheet:
Solutions – Cisco SD-WAN Data Sheet – Cisco

Cisco Secure Network Analytics (formerly Stealthwatch)

What it is?

How it works?

Secure Network Analytics provides network visibility and applies advanced security analytics to detect and respond to threats in real time. Secure Network Analytics provides end-to-end visibility of traffic, on-premises as well as in private and public clouds. This visibility includes knowing every host—seeing who is accessing which information at any given point.

How it works?

Secure Network Analytics is agentless solution and collects telemetry data generated by existing network infrastructure. From the data a baseline “normal behavior” for a particular user or host is established and alerts instantly if any change happens in the baseline.

• Secure Network Analytics offers different deployment models:
  • on-premises as a hardware appliance
  • a virtual machine
  • cloud-delivered as a Software-as-a-Service (SaaS) solution
• ETA = Encrypted Data Analysis
  • Encrypted data without decrypt can be analysed using new types of data elements or telemetry that are independent of protocol details. This enhanced encrypted traffic telemetry is generated by Cisco routers, switches, and wireless controllers, as well as the Secure Network Analytics Flow Sensor. Secure Network Analytics analyses this enhanced telemetry to detect threats in encrypted traffic as well as to ensure cryptographic compliance.
• Solution components
  • Management console
  • Flow collector – collects NetFlow, IPFIX (Internet Protocol Flow Information Export) and telemetry data
  • Flow rate license required
  • Optional – Flow sensor and UDP director
  • Cloud based Machine Learning (cognitive intelligence) can be enabled without extra costs

Datasheet:
Cisco Stealthwatch Enterprise – Cisco Secure Network Analytics (formerly Stealthwatch) – Cisco

Talos

What it is?

Cisco Talos is the threat intelligence organization an group of security experts providing protection with Cisco products and services. Talos has seven key areas: Threat Intelligence & Interdiction, Detection, Research, Engineering & Development, Vulnerability Research & Discovery, Communities, Global Outreach and Incident Response.

How it works?

Cisco Security portfolio is broad across NGFW, IPS, Email, endpoint, DNS, NTA, and more provides Cisco tons of telemetry data to investigate. Also, over 185 industry partnerships, customer feedback, hunting intel, actor tracking, and even forward-looking vulnerability discovery contribute vital intelligence and context. This way Talos indentifies vulnerabilities and generates detection content to mitigate threats.

Whitepaper:
TALOS INTELLIGENCE-talos_whitepaper (cisco.com)
Reputation lookup and etc.
Cisco Talos Intelligence Group – Comprehensive Threat Intelligence

Cisco Secure Workload (Tetration)

What it is?

Cisco Secure Workload (formerly Tetration) delivers a zero-trust approach to securing application workloads across any cloud and on-premises data center environments by reducing the attack surface, preventing lateral movement, identifying workload behavior anomalies, and remediating threats quickly.

How it works?

 Cisco Secure Workload uses software agents on virtual machines, bare metal or containers to collect telemetry data and to enforce zero-trust policy. Secure Workload also integrates with Cisco AnyConnect and Cisco ISE to bring user and endpoint context into the segmentation policy. 

Datasheet:
https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html