Cisco Secure Endpoint (AMP?) isolated network configuring

acfreema
Level 1

I am part of a team doing a deployment for a customer, and they have chosen to use the Cisco Secure Endpoint, Endpoint Protection, AMP, whatever it is called.  This is the first problem, because I can't find any consistent documentation for assistance with this installation or configuring.  Second, Cisco telephone support is of no use, because I don't have any of the product license information, and they just direct me to a Cisco partner (even though I'm an employee of a Cisco partner, and no one here has ever used this product).  Third, the customer doesn't seem to understand the product, and maintains control of it, so I can't actually see how anything is configured for the account or license.

Now that that is out of the way: How can this product be configured for a network that is isolated from the internet by a DMZ, and a firewall?  Will all of the installations complain about "no internet"?  What components will work?  What components won't work?  Will there be warning flags on the management web interface for all of the systems that are offline?

4 Replies

Yes. In general it wants an internet connection. SPP, Behavior and Tetra run without a live connection but all the updates are from the web and much of the console doesn't work without it. It's all port 443, so standard browser access is enough.

If the workstations are truly isolated, someone needs to get a Cisco Security Sales team involved so you figure out what the customer really needs.

And maybe your team should go to a training class on the product before you go any further.

Roman Valenta
Cisco Employee

In addition to what Ken said you need to make sure that these required server addresses are allowed on your FW or Proxy for your specific region.

Required Server Addresses for Proper Cisco Secure Endpoint & Malware Analytics Operations
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html

If the client is not able to reach out to the cloud, nothing will work and the service will eventually STOP.


The other thing that your client can consider is Virtual Private Cloud. This solution can be deployed either as a virtual machine or as a physical appliance, in either "cloud proxy mode" or "air-gap mode."

https://www.cisco.com/c/en/us/products/collateral/security/fireamp-private-cloud-virtual-appliance/datasheet-c78-742267.html

Note: Only a physical appliance can be in air-gap mode.
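Before rolling connectors out behind the DMZ, a practical check is to confirm from a host inside the isolated segment that every required server address is actually reachable on TCP 443 (directly, or through the explicit proxy the firewall policy expects), as Ken's "it's all port 443" and Roman's allowlist advice both imply. The script below is an added example, not Cisco's code or part of this thread; the hostnames in `REQUIRED_HOSTS` are placeholders that must be replaced with the entries from the Cisco technote for the customer's region, and `tcp_connect`, `check_endpoints` and `summarize` are names chosen here.

```python
"""Pre-flight outbound connectivity check for an isolated network.

Added example, not Cisco's code. Verifies that each required server
hostname can be reached on TCP 443, either directly or via an explicit
HTTP proxy using CONNECT, and reports which ones the firewall or proxy
blocks so the allowlist can be corrected before connectors are installed.
"""
import socket
import sys

# Placeholder hostnames (constructed): replace with the entries from the
# Cisco "Required Server Addresses" technote for the customer's region.
REQUIRED_HOSTS = [
    "console.example-region.placeholder",
    "updates.example-region.placeholder",
]
PORT = 443
TIMEOUT = 5.0


def tcp_connect(host, port, proxy=None, timeout=TIMEOUT):
    """Return True if a TCP session to host:port can be established.

    With proxy=(proxy_host, proxy_port) an HTTP CONNECT request is sent and
    any 2xx reply counts as success, which is what a TLS client behind an
    explicit proxy needs. Raises on failure so callers can record the reason.
    """
    if proxy is None:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.settimeout(timeout)
        request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
        s.sendall(request.encode("ascii"))
        reply = s.recv(4096).decode("latin-1", "replace")
    first_line = reply.split("\r\n", 1)[0]
    parts = first_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].startswith("2"):
        return True
    raise ConnectionError(f"proxy refused CONNECT: {first_line or 'no reply'}")


def check_endpoints(hosts, port=PORT, proxy=None, connect=tcp_connect):
    """Classify each host as 'reachable' or 'blocked: <type>: <reason>'.

    `connect` is injectable so the classification logic can be exercised
    offline without touching the network.
    """
    results = {}
    for host in hosts:
        try:
            connect(host, port, proxy)
            results[host] = "reachable"
        except OSError as exc:  # ConnectionError and timeouts are OSError subclasses
            results[host] = f"blocked: {exc.__class__.__name__}: {exc}"
    return results


def summarize(results):
    """Return (reachable_count, sorted list of blocked hosts)."""
    blocked = sorted(h for h, r in results.items() if r != "reachable")
    return len(results) - len(blocked), blocked


if __name__ == "__main__":
    # Optional first argument: explicit proxy as host:port (e.g. proxy.corp.local:3128)
    proxy = None
    if len(sys.argv) > 1:
        proxy_host, proxy_port = sys.argv[1].rsplit(":", 1)
        proxy = (proxy_host, int(proxy_port))
    res = check_endpoints(REQUIRED_HOSTS, proxy=proxy)
    for host, state in res.items():
        print(f"{host:45s} {state}")
    ok, blocked = summarize(res)
    print(f"\n{ok}/{len(res)} reachable; blocked: {blocked or 'none'}")
    sys.exit(1 if blocked else 0)
```

Run it once directly and once with the proxy argument: a host that is "reachable" only through the proxy tells you the connector must be configured with proxy settings, and any host left "blocked" in both runs is a firewall or proxy allowlist gap to fix before installation.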

Marvin Rhoads
Hall of Fame

Also see the introduction page and deployment strategy guide found here:

https://console.amp.cisco.com/docs

If you are a Cisco partner, there are also lots of free training resources available on SalesConnect. See the Black Belt Academy pages where there are specific learning paths for both presales SEs and post sales (deployment) FEs.

acfreema
Level 1

Thank you all.  This morning, I learned that we aren't actually deploying _everything_ for the Secure Endpoint, just handling the connector installation on all of the systems in the isolated network.  Since we are already building the DMZ, and configuring the firewall and proxy, this suddenly became more manageable.

Ken, I completely agree about the additional training.  That question is exactly what needed to be asked, because it prompted the revelation above.  It is funny how discussing adding time and money to an already in progress project gets better cooperation.

Roman, the customer's internal VM topology and newly learned revised scope don't suggest a virtual private cloud environment.

Marvin, thank you, that looks like a great storehouse of knowledge.