Ask the Expert: Threat Defense for a Secure Enterprise Branch

Monica Lluis
Level 9

Join the Discussion: Cisco Ask the Expert

Welcome to this Cisco Support Community Ask the Expert conversation. This is a continuation of the Webcast Event. This is an opportunity to learn and ask any questions about how to secure your network using tools such as ZBFW, Snort IPS, CWS, FirePOWER and TrustSec, and how to deploy and manage security policies using Cisco Prime and FireSight.

Ask questions from Tuesday March 22 to Friday April 1st, 2016


The branch network is key to service delivery and the success of many enterprises. After all, most staff don't work (or shop!) at the data center; they are out in the branches. With the recent massive breaches in the news, security is a top-of-mind concern for many enterprise customers, especially those looking to offload Internet access from their branches directly.
The threat landscape has evolved, and attackers have become sophisticated at taking advantage of gaps in security to hide and conceal malicious activity. Traditionally, branch users' Internet access was provided through the data center, where sophisticated security tools and policies were in place to protect the users. With direct Internet breakout, the branch network must provide a good experience with robust security to any user as part of any new initiative.
This session provides an overview of the threat landscape, the risks, and the integrated security tools and techniques available on ISR branch routers to prevent, protect against and mitigate these threats.

Featured Speakers

Kureli Sankar started with Cisco in August 2006 as a TAC engineer in the firewall team in Research Triangle Park, North Carolina. As a TAC engineer she supported Cisco's security products. Since May 6th, 2013, she has taken up a new role as Technical Marketing Engineer in the Enterprise Infrastructure and Solutions Group, responsible for security features on Cisco's IOS and XE products. She has presented at Cisco Live US in 2013 and 2014 and at Cisco Live Berlin 2016. She has also done quite a few live webcasts and ATE (Ask The Expert) events for our forum. Prior to joining Cisco, Sankar worked for John Morrell Co., Cincinnati, Ohio, where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She was also an adjunct professor at the University of Cincinnati, teaching undergraduate-level networking courses. Sankar holds an engineering degree in Electrical and Electronics Engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications. While working full time, she volunteers at various organizations like Citizen School, Durham Performance Learning Center, NC First Robotics, Girl Scouts - Carolina and Raleigh Rescue Mission, and gives back to the community.

Kural Arangasamy has over 20 years of experience in the networking field and has been with Cisco since 2005. He is a Technical Marketing Engineer in the Enterprise Infrastructure and Solutions Group. He is responsible for Snort IPS on ISRs/CSRs and MACsec security features. Kural lives in San Jose, California with his wife and son.



Kureli and Kural might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Other Security Subjects Community.

Find other events at https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation!**
Please be sure to rate the Answers to Questions


I hope you and your loved ones are safe and healthy
Monica Lluis
Community Manager Lead
16 Replies

elite2010
Level 3

Hi,

Can the Snort feature be enabled on a C3900 router?

No. Presently Snort IPS/IDS is only supported on our ISR 4K routers.

-Kureli

Hi,

Can the ASA 5585-SSP10 have a Sourcefire module?

Thanks

Hi,

The question is out of context.

Does Cisco ship the ASA 5585-X SSP-10 without an IPS or Sourcefire module?

Thanks

I believe so. I do not cover the ASA 5585-SSP-10. Please reach out to your local account team for a concrete answer.

-Kureli

bluesea2010

Yes. ASA5585-S10X-K9 has neither the FirePOWER nor the older IPS module.

Monica Lluis
Level 9

Kureli and Kural,

Thank you for the excellent presentation. There were a few questions that were not answered during the live Webcast. Here is the first one:

Does Snort IPS include Malware also?

I hope you and your loved ones are safe and healthy
Monica Lluis
Community Manager Lead

Snort IPS on ISR 4K is a pure signature-based IPS/IDS solution. It does not offer AMP.

-Kureli

Monica Lluis
Level 9

Another question:

Is Zone-Based Firewall different from Cisco ASA?

I hope you and your loved ones are safe and healthy
Monica Lluis
Community Manager Lead

This is not an apples-to-apples comparison at all. I get asked this very same question a lot.

ISRs are excellent routers. They can also be configured to do stateful firewalling using Zone-Based Firewall. They don't have all the fancy L-7 inspections that the ASAs offer. I do know because I was a TAC engineer for 6 1/2 years supporting ASAs, FWSMs, ISRs and ASRs.

ASAs are firewalls, and they can be configured to do some routing. They offer many more L-7 inspections than ZBF, but these days just the basic tcp, udp, icmp and ftp inspections are good enough, because, given the vast threat landscape, we are forced to use IPS, AVC, AMP and other URL filtering solutions to protect the network and devices.

Monica Lluis
Level 9

Another question:

Why is it that the default policy on the CWS Tower has to be "Allow All" for traffic to be allowed, irrespective of whether a URL filtering rule has been created for a Group? Why not Deny All, then selectively allow HTTP traffic based on Group policy?

I hope you and your loved ones are safe and healthy
Monica Lluis
Community Manager Lead

You can do it either way. A policy is a list of rules that are evaluated top to bottom, first match and out.

If none of the rules are hit, then there is the default rule at the end, at lowest priority, which can be Allow All or Block All.

-Kureli
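To make the first-match evaluation that Kureli describes concrete, here is a small policy evaluator added as an illustration; it is not code from the thread or from Cisco CWS. Rule names, groups and URL categories are constructed for the example. It shows two things from the answer above: the same rule list behaves differently for unmatched traffic depending on whether the trailing default rule is Allow All or Block All, and, because evaluation stops at the first match, the relative order of two overlapping rules alone decides the outcome.

```python
"""First-match policy evaluation with a configurable default rule.

Added example (not from the Cisco thread): models a CWS-style rule list that
is evaluated top to bottom, first match wins, with a lowest-priority default
rule at the end. All rule names, groups and categories are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW = "allow"
BLOCK = "block"


@dataclass(frozen=True)
class Request:
    group: str       # directory group of the user, e.g. "Finance" (constructed)
    category: str    # URL-filtering category, e.g. "social-media" (constructed)
    host: str        # destination host, only carried along for logging


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    groups: Optional[frozenset] = None      # None means "any group"
    categories: Optional[frozenset] = None  # None means "any category"

    def matches(self, req: Request) -> bool:
        """A rule matches only if every constraint it carries is satisfied."""
        if self.groups is not None and req.group not in self.groups:
            return False
        if self.categories is not None and req.category not in self.categories:
            return False
        return True


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str  # the implicit lowest-priority rule at the end

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """Walk the list top to bottom; first matching rule wins and we stop."""
        for rule in self.rules:
            if rule.matches(req):
                return rule.action, rule.name
        return self.default_action, "default"


# Constructed rule list shared by both policies below.
RULES = [
    Rule("finance-block-social", BLOCK,
         groups=frozenset({"Finance"}), categories=frozenset({"social-media"})),
    Rule("guests-allow-business", ALLOW,
         groups=frozenset({"Guests"}), categories=frozenset({"business", "search"})),
    Rule("everyone-block-malware", BLOCK, categories=frozenset({"malware"})),
]


def evaluate_both(req: Request) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Evaluate one request under a default-Allow-All and a default-Block-All policy.

    Traffic that hits an explicit rule gets the same verdict either way; only
    traffic that falls through to the default rule differs.
    """
    permissive = Policy(RULES, default_action=ALLOW)
    restrictive = Policy(RULES, default_action=BLOCK)
    return permissive.evaluate(req), restrictive.evaluate(req)


def order_demo() -> Tuple[str, str]:
    """Same two overlapping rules in two orders: first match and out means the
    order alone decides whether Finance users reach social media."""
    allow_social = Rule("everyone-allow-social", ALLOW,
                        categories=frozenset({"social-media"}))
    finance_block = Rule("finance-block-social", BLOCK,
                         groups=frozenset({"Finance"}),
                         categories=frozenset({"social-media"}))
    req = Request("Finance", "social-media", "social.example")
    loose = Policy([allow_social, finance_block], BLOCK).evaluate(req)[0]
    tight = Policy([finance_block, allow_social], BLOCK).evaluate(req)[0]
    return loose, tight


if __name__ == "__main__":
    for req in (Request("Finance", "social-media", "social.example"),
                Request("Guests", "business", "vendor.example"),
                Request("Guests", "social-media", "social.example"),
                Request("Engineering", "news", "news.example")):
        print(req.group, req.category, evaluate_both(req))
    print("rule order (allow-first, block-first):", order_demo())
```

The Engineering/news and Guests/social-media requests are the cases behind the original question: no explicit rule covers them, so a Block All default denies them while an Allow All default lets them through. A default of Block All therefore only works if every group that should have access has an explicit allow rule above it.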

Marvin Rhoads
Hall of Fame

Can you please compare and contrast CWS with ISR vs. Open DNS?