With Jazib Frahim
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco subject matter expert Jazib Frahim why enterprise network segments get compromised despite the state-of-the-art network security technologies and products that are deployed. Do they get compromised because of product or technology limitations, or are there other factors that cause the network infrastructure to be exposed to attackers? Jazib (CCIE 5459) is a technical leader in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He was previously a technical leader for Cisco's Technical Assistance Center (TAC) Security team, leading engineers in resolving complicated security and VPN technologies. He holds two CCIE certifications, one in routing and switching and the other in security. He has presented at Cisco Live on multiple occasions and has written numerous technical documents and books, including Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd editions); Cisco Network Admission Control, Volume II; and Cisco SSL VPN Solutions.
Jazib holds a bachelor's degree in computer engineering from the Illinois Institute of Technology and a master of business administration (MBA) degree from North Carolina State University.
Remember to use the rating system to let Jazib know if you have received an adequate response.
Jazib might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through September 23, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
Thank you for a good reply.
Sorry for the late reply.
1) Thank you. It is getting all too complex and takes too long as it is today. It would be one thing if it took a couple of hours, but in general 5 working days from order placement to actually being able to send in the "paperwork" for key generation is too long when it is this complex.
2) I know the AnyConnect is the way Cisco wants to go, but I just can't bear myself to like it or trust it. The IPsec client feels better and has proven itself.
Thank you for the answer.
3) I did not know this. Great information and link! Thank you.
4) I think the question was a little misunderstood. I was talking about knowing what actually is let through and testing rulebases and that sort of thing, i.e. that the total of the configuration does what I think it should do.
I agree with the automation process, but I also test with, e.g., port scanners that the configuration does what I think it should do when it comes to access-lists and NATing and so on.
I would love to have the EEM in all switches, routers, and firewalls. It is one of the best tools out there!
You can do so much for security with it.
5) New question:
What are the main areas that you think are overlooked in securing a small "LAN" style network, and why?
(small company, 1-500 users, localized)
What are the main areas that you think are overlooked in securing a large "WAN" style network, and why?
(large corporation, 10K+ users, widely spread over many locations)