BRKSEC-2129
Deploy & Scale SASE for Secure Remote Worker in the Cloud: Cisco+ Secure Connect
Eric Eddy, Principal Technical Marketing Engineer, Cisco Security
https://ericeddy.blog
#CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

About Me
- Eric Eddy
- Blog: www.ericeddy.blog
- Principal TME, CloudSec
- 12 years Cisco
- CCIE Sec #47300
- Husband + Father (6 & 7)
- World Traveler, Reef keeper

Agenda
- Industry trends and SASE
- Cisco+ Secure Connect
- Use Cases
- Capabilities and Architecture
- Demo: Browser-based Access (ZTNA)
- Demo: Remote Access
- Wrap-up & Call to Action

Section: Introduction

Changes that led to SASE: Cloud revolution and hybrid work
- Cloud applications exploded, but traffic was still routed through the central firewall at the data center.
- Branch security was redesigned differently at each site, leading to inconsistent security policies.
- Remote workers connecting through regional VPNs introduced stress points, resulting in poor user experience.
- 45% of business respondents cited reliable network performance as the #1 challenge for hybrid work adoption.[1]
- Diagram: Remote workers and Branch offices connect over VPN, MPLS and Internet to the Data center, Campus, Private cloud and Public cloud; SaaS examples: Adobe, Office 365, Salesforce, SAP, Oracle, Google Workspace.
[1] Gartner survey of 500 enterprise businesses. Gartner Market Guide for Digital Experience Monitoring, August 2020.

Gartner: Secure Access Service Edge (SASE)
- Convergence of networking and security services including SWG, CASB, DNS protection, firewall-as-a-service, SD-WAN, and zero trust network access.
- Benefit rating: Transformational
- Market penetration: Less than 1% of target audience
- Maturity: Emerging
Source: Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Aug 30, 2019.

SASE Capabilities
- Secure Web Gateway
- Remote Browser Isolation
- Zero Trust Network Access
- Cloud Access Security Broker
- Data Loss Prevention
- SD-WAN
- Routing
- Firewall as a service
- Cloud App Discovery
- Threat Prevention/Detection
- DNS-Layer Security
- Network Encrypt/Decrypt
- Web Application Firewall
- Remote Access
- User Entity Behavior Analytics

SASE Market Landscape & Cisco SASE
Aggregated/Unified SASE (Cisco: Cisco+ Secure Connect):
- Emerging offers & growing
- Single network & security platform
- All components from the same vendor
- Single management dashboard
- Aligns with lean & unified IT teams
Disaggregated SASE (Cisco: Cisco Security Cloud; Sec: Cisco Secure Access*, Umbrella, Duo; Net: Meraki & Cisco SD-WAN, ThousandEyes):
- Often more mature & feature-rich
- More offers to choose from
- Aligns disjointed NetOps & SecOps teams
- Multi & single vendor solutions possible
- Multiple policy & management
*Announced at Cisco Live 2023

SASE is enabling a hybrid workforce model
- One experience for Campus, Remote workers and Branch office, across Private cloud, Public cloud, Internet and SaaS.
- SASE can provide anywhere connectivity, always-on cloud security, and an improved worker experience no matter where you work.
Cisco can provide a solution beyond SASE:
- Ensure user endpoints are safe to connect to the network or operate offline
- Meet or exceed application SLAs for the best in worker experience
- Address the latest security threats with industry-leading Talos intelligence
- Have faster time to value of the newest technology innovations deployed effortlessly at the pace of your business

Section: Cisco+ Secure Connect

Securely connect people, applications and things from anywhere
- Simple: Turn-key SASE solution with easy to onboard and consume as-a-service subscription
- Secure: Protect every point of service, including those closest to threats: user, device, application
- Intelligent: Translate insights into action to predict and remediate the application experience

Speed and simplify your SASE with a Unified Solution
- Optimize your hybrid work experience with a unified turn-key SASE solution that is quick to deploy and easy to manage.

Cisco+ Secure Connect
- Secure internet access: Provide users with safe access to the internet and cloud applications from any location and block malicious activity and threats.
- Secure private access: Deliver secure connections to company assets in private data centers or in the private cloud.
- Interconnect: Dramatically simplify architecture and configuration by inherently interconnecting anything you connect to the SASE Fabric.
- Diagram: Campus, Remote workers and Branch office get one experience to Private cloud, Public cloud, Internet and SaaS through SASE.

Cisco+ Secure Connect for a hybrid workforce: Outcomes
- Lower overall IT spend with a simple consumption model and pay as you grow for SASE at your pace
- Enable a hybrid workforce with a turn-key solution for consistent access and user experience
- Increase worker productivity with anywhere connectivity and improved application performance
- Reduce security risk and maintain your security compliance requirements
What challenges do we face in achieving these outcomes?

Section: Use Cases

Cisco+ Secure Connect: Secure Remote Worker
- Diagram: the secure remote worker (MFA support, device posture and health, traffic steering) sends Internet traffic to public applications (Internet/SaaS) and Private traffic over a tunnel to Secure Connect (CASB, DNS security, SWG, Layer 7 firewall), which reaches private applications in the private cloud (IaaS) and at Branch/HQ.
Core elements:
- Internet Security: DNS-Layer Security, SWG Proxy, CASB, DLP, Cloud Firewall
- Private access: Device posture, SAML Auth, Access control

Browser-Based Access: Clientless ZTNA connectivity
- Diagram: Client browser on a managed or unmanaged device -> Cisco+ Secure Connect (ZTNA Proxy; identity & posture, access control) -> private traffic tunnel to the private data center or IaaS (AWS, Azure, GCP).
- No client/agent required
- SAML authentication
Simple Turnkey Solution:
- Frictionless end user experience
- Cisco provided certificates
- Auto-generated external FQDN
- Certificate & DNS Cisco managed
Least Privileged Access to Private Apps:
- User identity-based authentication
- Endpoint posture based authorization
- Application specific access policies

Section: Architecture & Capabilities

High-level architecture
1. Acquire information from the edge. Customer edge: Un-managed endpoint (Contractor), Managed w/ client (Employee), In branch/on network (Employee).
2. Acquire traffic into the data center. Service edge: Cloud Traffic Acquisition.
3. Gather missing information and authorize the flow. Cloud control plane and cloud data plane: Zero-trust proxy, Cloud security, Interconnect. Platform: Posture, Identity, Dashboard.
4. Connect to cloud or back to customer edge. Customer environments: Sanctioned SaaS, General internet, Private applications, HQ/branch. Services: Interconnect (Office 365, Webex, Salesforce).

Identity-based access control
Identity-based access control allows customers to:
- Define and manage applications for use in access policies
- Control applications with access policies so only authorized users can access them
- Have identity-based access control for remote access users to public and private applications
- Have network IP-based access control for branch traffic to public and private applications
- Diagram: Customer edge (Managed w/ thick client, In branch/on network) -> Service edge (Cloud Traffic Acquisition, Service chain) -> Cloud data plane (Cloud Security, Interconnect) -> Customer environments (Private applications, Public applications); Platform: Dashboard, Identity, Reporting.

Highly Flexible Remote Worker Protection
- Non-Tunneled Internet Traffic: DNS Roaming Security (DNS-layer security, DNS direct); DNS Roaming Security + Selective Proxy; DNS Roaming Security + SWG (DNS and SWG).
- Tunneled Internet Traffic (SIG + Private Access, all ports/protocols): SSL VPN, Traffic Steering (Split Tunnel), DNS, CDFW, SWG, IPS/IDS, DLP, CASB, NAT.
- Tunneled Traffic: DIA & Split Tunnel.
- Tunneled Private/IaaS (private apps/nets, co-location nets): CDFW & Posture.
- Non-Tunneled Private/IaaS (Clientless ZTNA): Clientless Private App Access, CDFW, Posture.

Meraki branch interconnect
- Simple and easy setup to connect Meraki branches
- Meraki SD-WAN direct connection to Secure Connect with Auto VPN
- Advanced security capabilities for branch sites
- High Availability via SD-WAN Fabric
- Private applications access by remote users via SD-WAN fabric
- Easy addition and removal of sites from Cisco+ Secure Connect
- Diagram: Meraki SD-WAN fabric joins Branch, Data center and Cisco+ Secure Connect.

Edge Security Services
- Edges: SD-WAN; On/off network devices
- Cisco+ Secure Connect integrated security platform: SecureX; DNS-layer security; Cloud-delivered firewall (w/ IPS); Secure web gateway; Cloud access security broker; Interactive threat intelligence; File Sandboxing; Data loss prevention; Cloud malware detection
- Access: ZTNA; Browser-based access
- Visit our website to learn

Outbound Layer 7 Cloud-delivered firewall
- Internet bound firewall for traffic filtering
- Globally distributed cloud firewall with a single cloud managed policy
- Layer 7 App visibility and rules (Control app usage)
- Cloud IPS powered by Snort
- Diagram: Requests originating from the client user versus requests originating from the internet.

Layer 7 application visibility and control
- Tunnel all client-driven traffic to Cisco+ Secure Connect
- Block high-risk applications and protocols (layer-7 application visibility and control)
- Centrally manage IP, port, protocol, and application rules (layers 3, 4, and 7 with Cisco IOS IPS)
- Forward web traffic (ports 80/443) to secure web gateway
- Tunnel termination required
- Diagram: Devices on network -> Tunnel (IPsec) -> Secure Connect CDFW; 80/443 -> SWG; non-web/site exclusions -> Internet/SaaS.

Secure web gateway (SWG): Multiple functions and aggregated reporting
- Malware scanning includes two anti-virus engines and Secure Endpoint (Cisco SD-WAN AMP) lookup
- File type controls
- Full or selective SSL decryption
- Category or URL filtering for content control
- Secure Malware Analytics (formerly Threat Grid) file sandboxing
- Application visibility and granular controls
- Full URL-level reporting
- Diagram: Endpoint tunnels via Cisco AnyConnect from on/off network devices to Cisco+ Secure Connect, then Internet/SaaS.

Content categories: Apply policy to many sites
- Content categories are used for "acceptable use policies"
- Security categories are used for security policies
- Talos categories are used for both content and security
- Over 100+ categories
- Dynamic cloud updates (full dataset)

Inline data loss prevention
- Cloud-native proxy DLP: Leverages SWG for connectivity, routing, and SSL decryption
- Robust DLP classification: 80+ built-in data classifiers; Custom keywords
- Flexible DLP policy: Apply to specific identities and destinations with defined data classifications
- Robust reporting: Includes identity, file name, destination, classification, pattern match, excerpt, triggered rule, and more

Application discovery and controls
Visibility into shadow IT and control of cloud applications:
- Full list of cloud applications in use
- Reports by category and risk level
- Number of users and amount of incoming and outgoing traffic
- Blocking of high-risk categories or individual applications

Granular controls for over 40 popular SaaS applications (CASB)
- Examples: Twitter, Dropbox, Pinterest, Messenger, Gmail, Facebook, LinkedIn, Slack, Instagram, Google Drive, SlideShare, YouTube, Vimeo, WhatsApp, Smartsheet, Pastebin, Box
- Block posts/shares to social media applications
- Block attachments to webmail applications
- Block uploads to cloud storage, collaboration, office productivity, content management, and media applications
- Diagram: User actions (Upload, Download) toward partner cloud storage.

Cisco Secure Client (Cisco AnyConnect)
- Entitlement is included for use with subscription
- Cisco AnyConnect can be used across an entire enterprise
- Both remote access and secure web gateway services coexist
- Protect assets on or off network
- Roaming security offers always on protection (Web & DNS)
- Optimal Gateway Selection option
- Anycast DNS
- RA VPN: Windows, Mac, Linux, iOS, Android
- Roaming Security Module: Windows, Mac (*Roaming security module support limited to Win and MacOS)

Endpoint Compliance Options for Access Control
- Access modes: Client-based and Clientless
- Checks: Operating System, Certificate Check, Browser Check, Geolocation Check, Anti-Malware, Firewall, Disk Encryption
- Authorization check prior to application access
- Posture Demo

Cisco Secure Client: Cloud Management
- Cloud Managed Endpoint
- Unified client: AnyConnect + AMP4E
- Group based endpoint policies
- Included with Cisco+ Secure Connect

Section: Demo: Browser-based access (ZTNA)
- Recorded Demo: End user Browser-Based Access (WIP)
- Recorded Demo: Admin Config Browser-Based Access (WIP)

Section: Demo: Remote Access
- Remote Access Config

Section: Wrap up & Call to Action

Summary: Cisco+ Secure Connect
A unified, turn-key SASE solution for driving better IT outcomes:
- Broad security controls: ZTNA, RA-VPN, SWG & DLP
- Simplified & centralized visibility and management
- Unified networking & Security with traffic optimization
- Complete SASE solution in a single subscription

Cisco+ Secure Connect Subscription Tier Capabilities
Secure Connect Essentials (Securely connect users to apps):
- Management Dashboard: Simplified management and unified visibility of connectivity and security powered by Cisco Meraki
- Connectivity: Private Access, Cisco Meraki Secure SD-WAN native integration, interconnect of sites, users and applications, Direct SaaS and IaaS Peering
- Support: 24x7 support access via Email & Phone, Access to documentation portal for self-help, onboarding services
- Security: Secure Web Gateway (Proxy and inspect web traffic, URL filtering, Secure Malware Analytics: 500 samples/day), Cloud Access Security Broker (Cloud app discovery, risk scoring, blocking, Cloud Malware Detection for 2 apps), L3-L4 Cloud Firewall, DNS-Layer Security
- Remote Access/ZTNA: Client Based Access, Clientless Browser Based Access (up to 10 apps), Granular user and app-based access policy, SAML authentication, Built-in IdP, posture and contextual access control, Reporting
Secure Connect Advantage (Data protection, advanced policy):
- Security: L7 Cloud Delivered Firewall + IPS, Inline Data Loss Prevention, Cloud Malware detection (all supported apps), Secure Malware Analytics (Unlimited Sandbox submissions)
- Remote Access/ZTNA: Clientless Browser Based Access (up to 300 apps)

Call to Action
- Visit the product page at
- Ask me questions and speak with our UX team
- Visit the Cisco SASE Showcase for additional demos
- Talk to your sales rep about a proof of value
65、.All rights reserved.Cisco Public#CiscoLive53Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123453 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-2129#CiscoLive