Cisco Moderador
Community Manager
Introduction

Join the Discussion: Cisco Ask the Expert

 

Featured Speakers

 

Kureli Sankar started with Cisco in August 2006 as a TAC engineer in the firewall team in Research Triangle Park, North Carolina. As a TAC engineer she supported Cisco's security products. Since May 6th, 2013, she has taken up a new role as Technical Marketing Engineer in the Enterprise Infrastructure and Solutions Group, responsible for security features on Cisco's IOS and IOS XE products. She has presented at Cisco Live US in 2013 and 2014 and at Cisco Live Berlin 2016. She has also done quite a few live webcasts and ATE (Ask The Expert) events for our forum. Prior to joining Cisco, Sankar worked for John Morrell Co., Cincinnati, Ohio, where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate-level networking courses. Sankar holds an engineering degree in Electrical and Electronics Engineering from Regional Engineering College, Trichirappalli, India, and CCSP and CCIE Security #35505 certifications. While working full time, she volunteers at various organizations such as Citizen School, Durham Performance Learning Center, NC First Robotics, Girl Scouts - Carolina and Raleigh Rescue Mission, and gives back to the community.

 

Kural Arangasamy has over 20 years of experience in the networking field and has been with Cisco since 2005. He is a Technical Marketing Engineer in the Enterprise Infrastructure and Solutions Group. He is responsible for Snort IPS on ISRs/CSRs and MACsec security features. Kural lives in San Jose, California with his wife and son.

You can download the slides of the presentation in PDF format here. The related Ask The Expert session is available here. The complete recording of this live webcast can be accessed here.

 

Threat Defense for a Secure Enterprise Branch

 

Q: Is zone based firewall different from Cisco ASA?

A: Yes, it is. It's an IOS integrated firewall that provides perimeter control, segmentation of the network into zones and protocol inspection.

 

Q: Is it separate hardware?

A: All the security capabilities presented in this webcast series are integrated in the ISR branch routers; you don't need any additional device to be deployed at the branch.

 

Q: Is there any additional license needed?

A: Depending on the specific capabilities, you would need a SEC or AX license on the ISR router plus a term subscription. For example, for Zone Based Firewall you only need the SEC license on the ISR.

 

Q: Is Snort only available on the 4K router, or can you run it on an ISR G2 with a UCS-E blade?

A: Only on the ISR 4K, and only running in a service container, not on UCS-E.

 

Q: What is the use of the ipv4 unicast command?

A: BGP supports multiprotocol; it means you can redistribute EIGRP/RIP etc. into BGP, so the command ipv4 unicast prepares the router for this capability.
Refer to this link for more info: http://www.cisco.com/c/en/us/td/docs/ios/iproute_bgp/command/reference/irg_book/irg_bgp1.html#wp1110597

 

Q: Where is the CSR in this flow?

A: The CSR is in the cloud in front of the CWS Tower.

Q: Must a certificate import be done on the ISR? I can't recall doing this for the guest use case, which required no authentication.

A: A certificate is needed for the router to establish a secure connection to the CWS cloud. This is needed in the ISR tunnel-based redirection.

Q: Does Snort IPS include malware protection also?

A: Snort IPS on ISR 4K is a pure signature-based IPS/IDS solution. It does not offer AMP. On the other hand, FirePOWER has Advanced Malware Protection and is available on signature-based inspection only.

 

Q: Why is it that the default policy on the CWS Tower has to be “Allow All” for traffic to be allowed, irrespective of whether a URL filtering rule has been created for a group? Why not deny all, then selectively allow HTTP traffic based on group policy?

A: You can do it either way. A policy is a list of rules that are evaluated top to bottom, first match and out. If none of the rules are hit, then there is the default rule at the end, at lowest priority, that can be allow all or block all.

Q: Is zone based firewall different from Cisco ASA?

A: This is not an apples-to-apples comparison at all. I get asked this very same question a lot.
ISRs are excellent routers. They can also be configured to do stateful firewalling using Zone Based Firewall. They don't have all the fancy L7 inspections that the ASAs offer. I do know because I used to be a TAC engineer for 6 1/2 years supporting ASAs, FWSMs, ISRs and ASRs.
ASAs are firewalls, and they can be configured to do some routing. They offer many L7 inspections compared to ZBF, but these days just the basic TCP, UDP, ICMP and FTP inspections.
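The two ZBF answers above (perimeter control, segmentation into zones, protocol inspection, and stateful firewalling on an ISR) map onto a small IOS configuration. The following is an added example, not configuration from the webcast or its slides; interface names, addresses and zone/policy names are assumed.

```text
! Added example: minimal IOS zone-based firewall for a branch ISR.
! Interface names, subnets and the INSIDE/OUTSIDE names are assumptions.

! 1. Segmentation: define the zones
zone security INSIDE
zone security OUTSIDE

! 2. Put each interface in a zone. Traffic between two zones is dropped
!    until a zone-pair with a policy explicitly allows it.
interface GigabitEthernet0/0/0
 description Branch LAN (assumed)
 ip address 10.10.10.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/0/1
 description WAN uplink (assumed)
 ip address 198.51.100.2 255.255.255.252
 zone-member security OUTSIDE

! 3. Protocol inspection: which protocols INSIDE may start toward OUTSIDE
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! "inspect" is stateful: return traffic for these sessions is allowed
! automatically, so no OUTSIDE->INSIDE zone-pair is needed for replies.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log

! 4. Perimeter control: bind the policy to one direction only.
!    With no OUTSIDE->INSIDE zone-pair, unsolicited inbound traffic is dropped.
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

Active sessions created by the inspect action can be checked with `show policy-map type inspect zone-pair sessions`, and drops from class-default appear as syslog messages because of `drop log`.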
