01-19-2016 02:49 PM - edited 03-10-2019 12:34 AM
Welcome to this Cisco Support Community Ask the Expert conversation. This is a continuation of the Webcast Event. This is an opportunity to learn and ask any questions about how to secure your network using tools such as ZBFW, Snort IPS, CWS, FirePOWER and TrustSec, and how to deploy and manage security policies using Cisco Prime and FireSIGHT.
Ask questions from Tuesday March 22 to Friday April 1st, 2016
The branch network is key to service delivery and the success of many enterprises. After all, most staff don’t work (or shop!) at the data center—they are out in the branches. With the recent massive breaches in the news, security is a top-of-mind concern for many enterprise customers, especially those looking to offload Internet access from their branches directly.
The threat landscape has evolved, and attackers have become sophisticated at taking advantage of gaps in security to hide and conceal malicious activity. Traditionally, branch users' Internet access was provided through the data center, where sophisticated security tools and policies were in place to protect the users. With direct Internet breakout, the branch network must provide a good experience with robust security to any user as part of any new initiative.
This session provides an overview of the threat landscape, the risks, and the integrated security tools and techniques available on ISR branch routers to prevent, protect against and mitigate these threats.
Featured Speakers
Kureli Sankar started with Cisco in August 2006 as a TAC engineer in the firewall team in Research Triangle Park, North Carolina. As a TAC engineer she supported Cisco's security products. Since May 6th, 2013, she has taken up a new role as Technical Marketing Engineer in the Enterprise Infrastructure and Solutions Group, responsible for security features on Cisco's IOS and XE products. She has presented at Cisco Live US in 2013 and 2014 and at Cisco Live Berlin 2016. She has also done quite a few live webcasts and ATE (Ask The Expert) events for our forum. Prior to joining Cisco, Sankar worked for John Morrell Co., Cincinnati, Ohio, where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She was also an adjunct professor at the University of Cincinnati, teaching undergraduate-level networking courses. Sankar holds an engineering degree in Electrical and Electronics Engineering from Regional Engineering College, Trichirappalli, India, and CCSP and CCIE Security #35505 certifications. While working full time, she volunteers at various organizations such as Citizen Schools, Durham Performance Learning Center, NC FIRST Robotics, Girl Scouts - Carolina and Raleigh Rescue Mission, and gives back to the community.
Kural Arangasamy has over 20 years of experience in the networking field and has been with Cisco since 2005. He is a Technical Marketing Engineer in the Enterprise Infrastructure and Solutions Group. He is responsible for Snort IPS on ISRs/CSRs and MACsec security features. Kural lives in San Jose, California with his wife and son.
Kureli and Kural might not be able to answer every question due to the volume expected during this event. Remember that you can continue the conversation in the Other Security Subjects Community.
Find other events at https://supportforums.cisco.com/expert-corner/events.
**Ratings Encourage Participation!**
Please be sure to rate the answers to questions.
03-24-2016 06:01 AM
Hi,
Can the Snort feature be enabled on a C3900 router?
03-25-2016 06:16 AM
No. Presently Snort IPS/IDS is only supported on our ISR 4K routers.
-Kureli
03-25-2016 09:41 AM
Hi,
Can the ASA 5585 SSP-10 have a Sourcefire module?
Thanks
03-25-2016 11:13 AM
03-28-2016 08:29 PM
Hi,
The question is out of context.
Does Cisco ship the ASA 5585-X SSP-10 without an IPS or Sourcefire module?
Thanks
03-31-2016 12:54 PM
I believe so. I do not cover ASA 5585-SSP-10. Please reach out to your local account team for a concrete answer.
-Kureli
03-31-2016 01:14 PM
Yes. ASA5585-S10X-K9 has neither the FirePOWER nor older IPS module.
03-24-2016 01:42 PM
Kureli and Kural,
Thank you for the excellent presentation. There were a few questions that were not answered during the live Webcast. Here is the first one:
Does Snort IPS include Malware also?
03-25-2016 06:15 AM
Snort IPS on ISR 4K is a pure signature based IPS/IDS solution. It does not offer AMP.
-Kureli
03-24-2016 01:43 PM
Another question:
Is Zone Base Firewall different from Cisco ASA?
03-25-2016 06:14 AM
This is not an apples-to-apples comparison at all. I get asked this very same question a lot.
ISRs are excellent routers. They can also be configured to do stateful firewalling using Zone Based Firewall. They don't have all the fancy L7 inspections that the ASAs offer. I do know, because I used to be a TAC engineer for 6 1/2 years supporting ASAs, FWSMs, ISRs and ASRs.
ASAs are firewalls, and they can be configured to do some routing. They offer many L7 inspections compared to ZBF, but these days just the basic TCP, UDP, ICMP and FTP inspections are good enough, as due to the vast threat landscape we are forced to use IPS, AVC, AMP and other URL filtering solutions to protect the network and devices.
03-24-2016 01:44 PM
Another question:
Why is it that the default policy on the CWS Tower has to be "Allow All" for traffic to be allowed, irrespective of whether a URL filtering rule has been created for a Group? Why not Deny All, then selectively allow HTTP traffic based on Group policy?
03-25-2016 06:09 AM
You can do it either way. A policy is a list of rules that are evaluated top to bottom, first match and out.
If none of the rules are hit, then the default rule at the end, with the lowest priority, applies; that can be allow all or block all.
-Kureli
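The first-match-and-out evaluation described in the answer above, as an added example that is not part of the original thread and not CWS code: a small policy evaluator with a lowest-priority default rule. It runs the same group/category request through an "allow all by default" policy and a "block all by default" policy, which shows the practical difference behind the question (under a block-all default, a group with no matching rule gets blocked). It also includes a check for rules that a broader earlier rule makes unreachable, the usual ordering mistake in first-match policies. The `Rule`/`Policy` classes, the group names and the URL categories are constructed for illustration.

```python
"""Added example (not from the thread or from Cisco CWS): first-match policy
evaluation with a default rule, plus a check for unreachable rules."""
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

ALLOW, BLOCK = "allow", "block"


@dataclass
class Rule:
    name: str
    action: str                          # ALLOW or BLOCK
    groups: Optional[Set[str]] = None    # None = applies to any group
    categories: Optional[Set[str]] = None  # None = applies to any URL category

    def matches(self, group: str, category: str) -> bool:
        return ((self.groups is None or group in self.groups)
                and (self.categories is None or category in self.categories))


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str  # the lowest-priority "default rule" at the end

    def evaluate(self, group: str, category: str) -> Tuple[str, str]:
        """Top to bottom, first match wins; otherwise the default applies."""
        for rule in self.rules:
            if rule.matches(group, category):
                return rule.action, rule.name
        return self.default_action, "default"


# Constructed policies. Same intent (no gambling, contractors only get
# business sites), expressed once with an allow-all default and once with
# a block-all default that needs explicit allow rules per group.
ALLOW_DEFAULT = Policy(
    rules=[Rule("no-gambling", BLOCK, categories={"gambling"})],
    default_action=ALLOW,
)
BLOCK_DEFAULT = Policy(
    rules=[
        Rule("no-gambling", BLOCK, categories={"gambling"}),
        Rule("employees-web", ALLOW, groups={"employees"}),
        Rule("contractors-business", ALLOW, groups={"contractors"},
             categories={"business"}),
    ],
    default_action=BLOCK,
)

# A deliberately misordered policy: the broad allow sits above the block.
MISORDERED = Policy(
    rules=[
        Rule("employees-web", ALLOW, groups={"employees"}),
        Rule("employees-no-gambling", BLOCK, groups={"employees"},
             categories={"gambling"}),
    ],
    default_action=BLOCK,
)


def compare(group: str, category: str):
    """Verdict of both policies for one request: ((action, rule), (action, rule))."""
    return ALLOW_DEFAULT.evaluate(group, category), BLOCK_DEFAULT.evaluate(group, category)


def shadowed_rules(policy: Policy) -> List[str]:
    """Names of rules that can never match because an earlier rule covers
    every request they would match (first-match makes them dead)."""
    def covers(a: Optional[Set[str]], b: Optional[Set[str]]) -> bool:
        # Does selector a (None = any) cover every value selector b accepts?
        return a is None or (b is not None and b <= a)

    dead = []
    for j, later in enumerate(policy.rules):
        if any(covers(e.groups, later.groups) and covers(e.categories, later.categories)
               for e in policy.rules[:j]):
            dead.append(later.name)
    return dead


if __name__ == "__main__":
    for req in [("employees", "news"), ("employees", "gambling"),
                ("contractors", "business"), ("contractors", "news"),
                ("guests", "news")]:
        print(req, "allow-default:", compare(*req)[0], "block-default:", compare(*req)[1])
    print("unreachable rules in MISORDERED:", shadowed_rules(MISORDERED))
```

The "contractors, news" and "guests, news" requests are the ones that separate the two designs: neither policy has a rule for them, so only the default rule decides, and a block-all default silently denies any group for which nobody wrote an allow rule. The shadow check is the review a practitioner would want before pushing a block-all policy, since an allow placed above a narrower block turns that block into dead configuration.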
03-24-2016 08:03 PM
Can you please compare and contrast CWS with ISR vs. OpenDNS?