What is the difference between AMP for Endpoints and AnyConnect AMP enabler

felipefom
Level 1

Hello everyone,

Can someone shed some light on this question?

If I have a project that is going to have AMP for Endpoints and AnyConnect posture with ISE, should I consider using AMP Enabler Module?

Do they complement each other or do they perform the same tasks?

Best regards in advance.


AMP Enabler is a way to do the deployment of AMP from the AnyConnect install, e.g. via your firewall or ISE.

I've never used it... I've heard that it's not great and that if you have a solid deployment tool to use it. I didn't get details as to what the issues are.

Matthew Franks
Cisco Employee

AMP Enabler in the AnyConnect module helps you to install AMP for Endpoints.  Here is an article that can provide some more detailed information.
https://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/200284-Installation-and-Configuration-of-AMP-Mo.html

Thanks,
Matt

@matthew

Thanks for the document,

So, as far as I understood, the AMP Enabler Module is just a method for deploying AMP for Endpoints; there are no differences in functionality, the only difference is the deployment method, right?

If I have a project that encompasses AMP for Endpoints, AnyConnect (Just for Posture with ISE) and Umbrella, could I assume that the wisest choice of engagement in the beginning is to deploy AnyConnect with all the modules that are going to be used?

I am having these doubts: what would be the best choice of use/deployment of all these technologies put together, like Cisco ISE, Cisco AMP for Endpoints, Cisco Umbrella/SIG, Cisco StealthWatch, Cisco AnyConnect (Just Posture)?

Thanks in advance

Each of the products/technologies you mentioned has a distinct purpose and they are complementary to each other.

Here's a breakdown:

  • Cisco ISE - policy server and policy decision point,
  • Cisco AMP for Endpoints - endpoint protection product,
  • Cisco Umbrella/SIG - DNS security (base Umbrella) and cloud-based firewall (SIG component),
  • Cisco StealthWatch - collection and analysis of Netflow data to establish baselines and detect anomalous behavior,
  • Cisco AnyConnect (Just Posture) - reports to ISE the posture status of the endpoint (e.g. is AMP installed and running, is the Umbrella service active, etc.) to allow ISE to make a policy decision to allow, deny or restrict the network access of the endpoint. That decision is then communicated to the network access device (switch, WLC or VPN headend) for enforcement.


If you're considering AMP and AnyConnect for Posture on the same machine, how are you deploying the AnyConnect Agent?

If you are using something like SCCM, you can use this same process to deploy AMP4E also. In this case, you wouldn't need AnyConnect AMP Enabler.

The AMP Enabler for AnyConnect is a process which can be used with ISE to deploy AMP4E once the machine is in the wild and you may not have a tool like SCCM to deploy.

Simplified process:

  • For instance, a remote worker connects to the office via AnyConnect VPN to an ASA.
  • When the user connects, the ASA pushes the AMP Enabler module to the end user and silently installs.
  • The AMP Enabler module then connects to AMP4E Console and downloads the AMP Connector.
  • AMP Connector installs and registers to the AMP Console.

@Darren Lynn thanks for the answer.

This thread is getting even more dense, and as the project flows, new doubts begin to surface.

In every documentation of AMP Enabler deployment that I read, I realized that everyone is commenting on the use of ASA or Firepower to push the connector; however, although almost all of my customer appliances are Cisco, their firewall is not, so the new question that arises is:

Is there an obligation to use Cisco Firewall to deploy the AMP Enabler?

Once again, thanks in advance.

No

Any way you can push AnyConnect and its modules, you can push this one.

It's just that compared to the firewall and SCCM, almost nobody uses ISE to do it.

I see less than 5% of my clients using AMP Enabler.

Most use either SCCM, GPO software install or manual install.

I agree. I've only ever used it in the lab to prove the use case.