Cisco Live 2023, session BRKSEC-2085
Architecting Enterprise Security in a Wi-Fi plus Private 5G World
Matthias Falkner, Distinguished Technical Marketing Engineer
Gino Corleto, Industry Solutions Architect
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Welcome to our session! Please tell us more about yourself: scan the QR code and join #BRKSEC-2085.

Abstract
Many enterprises are looking to enhance their network with private 5G access to realize new use cases or expand wireless coverage. The introduction of 5G challenges security practitioners to ensure that no new threat vectors are exposed and to integrate 5G security paradigms into their existing policy frameworks. The session dissects private 5G security aspects, examining the procedures and policies that it can bring to enterprise networks for critical use cases. The security architectures and procedures of both 5G and Wi-Fi are compared. The session proposes an integrated security architecture to ensure consistent enterprise operations and policies, and shows how to incorporate 5G access networks into existing Cisco security portfolio deployments.

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session. How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Wireless Megatrends and the case for Private 5G
- The Cisco Private 5G Solution
- Creating Synergies between Wi-Fi and P5G Security: Cisco ISE is the key!
- Integrating Private 5G into your Enterprise Security
- Where to position Firewalls
- Security Management

Assumptions/Prerequisites
This presentation assumes knowledge about:
- Cisco ISE, ASA, FTD, Umbrella
- Cisco Wireless Solutions

WIRELESS MEGATRENDS AND THE CASE FOR PRIVATE 5G

We are in a Wireless-First World
- Wireless laptops
- Tablets and phones
- Digital building: lighting, heating, cameras, badge readers
- Wearables: AR, VR, smart watches
- IoT: robots, infusion pumps, sensors
- Audio and video: teleconferencing, VoIP
What the network must be: Reliable (always-on, low latency); Secure (software-defined fabric); Scalable (wired for wireless); Everywhere & Mobile (heterogeneous access).

Complementary technologies: Wi-Fi and Private 5G
- Private 5G: low-latency applications; broad geographic coverage
- Wi-Fi 6: high client and endpoint density; guest access, BYOD; localized mobility
- Additional considerations MSPs can address: managing a developing IoT device ecosystem; addressing spectrum management complexity; new technology with higher operational complexity
Business value accelerated | Complexity minimized. Example use cases:
- Wide-area coverage: large coverage
- Process automation: E2E latency 10 ms
- Automated guided vehicle: minimize roaming delays
- Enhanced mobile broadband: immersive experiences
- Digital health: telemedicine and mobile health
- Digital campus: AR/VR, e-learning

Private 5G: Why Now? Enabling customers' digitization journey
- Industrial/Manufacturing: precision robotic control; high-speed SW downloads
- Distribution/Warehouse: AGVs and driverless vehicles; distribution line automation
- Port/Hubs/Energy: video surveillance; unmanned autonomous vehicles
- Venues: efficient and reliable backhaul for Wi-Fi-connected endpoints; clean spectrum for venue operators
Regulatory changes open cellular spectrum for private use. Unique 5G capabilities complement Wi-Fi (ultra-low latency, high reliability, broad reach).

Private 5G use case: Logistics Smart Warehouse
Use case description:
- Supply chain modernization for consumables and high-value deployable assets
- Automated receipt, store, issue, and shipping using robots and asset
- Real-time asset tracking, facility modeling, predictive analytics
Architecture (diagram): outdoor and indoor radios (JMA midband, mmWave), 5G SA and 5G NSA, SD-WAN, FTD, applications, management (ID AM, NFVi/O, MANO), collaboration, analytics, storage.

THE CISCO PRIVATE 5G SOLUTION

Private 5G Managed Service Offer: another view
Operating models: Cisco operated, MSP operated, Enterprise/Partner operated.
- Cisco Control Center: solution & user administration (Cisco Cloud)
- Partner-managed and operated Private 5G connectivity for 5G enterprise endpoints (MSP Private 5G Managed Service)
- Easy, outcome-based consumption of Private 5G transport
Deployment tiers: Cloud, On-prem, RAN; Enterprise DC/Cloud.

The Cisco P5G Architecture in Detail (diagram)
- Campus: access switch, distribution switch, indoor/outdoor gNB (RU, DU/CU, fronthaul (FH) switch, TOR), RAN EMS, RAN servers, GPS GM
- Edge appliance (UCS220): P5G data plane (UPF), P5G session control (AMF, SMF, MME), CEE, security proxy (Sec.Prx), CN ISE Prx, 5G Prx, 4G Prx
- (SD)WAN with a Cloud RAN firewall, WAN firewall and DC/Campus firewall; TLS between the edge and the cloud
- Cisco Cloud / Control Center (CNDP Cloud, AWS): portals, user credentials/profiles, aaS management, SIM & P5G edge management, RBAC, policies, UE LCM, compute status, RAN UI, AUSF, UDM+HSS, UDR, CHF, 5GC NF LCM, CI/CD, compute management, deploy/automation/monitor, Ops GW, API GW

More Details on 5G Packet Core Functions
- AMF: connection management; subscriber mobility & tracking; state information
- SMF: UE session management; tunnel management; IP address allocation; roaming
- UPF: data plane; tunnel endpoint; DPI, QoS
- AUSF: AAA server
- UDM: user DB; subscription
- UDR: backend to UDM
- CHF: billing & accounting
Reference points: N1, N2, N3, N4, N6 (control and data between UE, RAN, AMF, SMF, UPF and the (SD)-WAN), N8, N10, N11, N12, N13 (between the core control functions). The edge appliance connects to the Cisco Cloud over TLS.

Cisco P5G Integrated Enterprise Architecture Vision
End-to-end automation and policy; comprehensive telemetry and assurance; consistent security and segmentation across 5G access, Wi-Fi access, WAN, campus wired access, cloud and DC:
- Unified identity framework
- Common enterprise policy
- Unified EN operations
- Consolidated insights & analytics
- Joint transport
- Enterprise security integration
- Private & public mobility
- Cisco endpoint/IoT GW integration

5G Endpoint Network Registration
1. Radio registration
2. 5G identity establishment: encrypted identity response from endpoint to Authentication Mobility Function (AMF)! 5G NAS identity authentication is based on a 128- or 256-bit symmetric key stored in the SIM/eSIM; the identity is the IMSI stored in the SIM/eSIM.
3. 5G core registration (NAS): data-plane traffic between device and RAN (CU) is encrypted and integrity protected; different keys for data plane and signaling plane.
4. PDU session establishment
5. Policy checks
6. Create session contexts: separate encryption keys! Separate integrity protection.
Glossary: NAS: non-access stratum; UPF: user-plane function (data plane); CU: centralized unit; SMF: session management function.

A Typical Data Plane Packet Flow (diagram)
GTP tunnel from the gNB across the campus access and distribution layers to the P5G data plane (UPF) on the UCS220; IP packet flow from the UPF onward over the (SD)WAN/MPLS. The Control Center (Cisco Cloud, CNDP Cloud, AWS) is reached over TLS.

Cisco P5G Security Mandate
- Threat modeling
- Secure code development and scanning
- Ongoing vulnerability scanning and patching
- Data privacy requirements: GDPR ready
- Data encrypted at rest and in transit (need to list the type of encryption and ciphers involved)
- Data retention and deletion rules
- Privacy assessment to identify all PII and protection mechanisms
- Annual third-party penetration testing
- Security monitoring and logging (log protection)
- Data redundancy and backups
- Security incident management
- System hardening
- Data protection security
- Secure authentication and authorization mechanisms (include whether SAML is allowed, how credentials are stored, API/user accounts)
- Secure communication between cloud and the edge
- Secure key management processes
- Role-based access / least-privilege access
On-prem offers have similar requirements and some additional requirements related to system integrity: image signing; secure boot.

CREATING SYNERGIES BETWEEN WI-FI AND P5G SECURITY

Security Synergy Points for Private 5G
Products: Cisco Secure Network Analytics, Cisco Firepower Threat Defense, Cisco Umbrella, Cisco Identity Services Engine.
Capability rows: Application (DNS security; Application Visibility Control (AVC)); Identity (posture assessment; access control using TrustSec); Network (flow analytics; intrusion prevention; anti-malware); Logging/Reporting (monitoring).
Columns: P5G UE, P5G Access, WAN, Wi-Fi Access. Legend: Addressed / Partially addressed / Not addressed (cell markings are graphical and not reproduced here).

Converged Security Architecture Framework (diagram)
ISE at the center, exchanging context over pxGrid with the P5G core, wireless solutions (WiFi controller), firewall, network resources (intrusion prevention, flow analytics, anti-malware), and switches/routers via SGT-Inline and SGT-SXP. Visibility, access and control; context reuse. Cisco ISE is the foundation!

Cisco ISE Review
Cisco Identity Services Engine (ISE) is an industry-leading Network Access Control and Policy Enforcement platform that lets you:
- See: users, endpoints and applications
- Secure: by controlling network access and segmentation
- Share: context with partners for enhanced operations
Access policy for endpoints and for the network: who, what, how, when, where, health, threats, CVSS. Role-based access control | guest access | BYOD | secure access, across wired, wireless and VPN. Partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.) via pxGrid & APIs.

Governing P5G Access Policies with Cisco ISE
Consistent policies across wired, Wi-Fi and P5G access! ISE is the single point for identity-based enterprise policies for Private 5G, Wi-Fi, and wired networks.
- 4G/5G edge: mobility management, UPF, session management, authentication, subscriber management, P5G policy, subscriber DB (SIM) and DB (Enterprise)
- Wi-Fi: WiFi policy; LAN/WAN/SD-WAN: provisioned policy
- ISE-AAA authentication; Cisco Cloud
1. Mandatory authentication (5G, SIM based)
2. Optional secondary authorization (ISE)

Enforcing coherent Enterprise Segmentation with Cisco ISE
Unified segmentation policies across Wi-Fi, wired and P5G access networks based on Cisco ISE rules. Domain-specific segmentation: VLAN, VXLAN, SGT, VRF. The ISE segmentation policy drives the WiFi policy, the P5G policy and the LAN/WAN policy (e.g. engineering segment, guest segment).

Cisco ISE Integration: Secondary Authorization
Cisco ISE integration adds a secondary RADIUS-based authorization into the registration process:
- RADIUS Access-Request: the SMF sends IMSI/IMEI
- RADIUS Access-Accept: ISE returns the VLAN
Registration flow with ISE:
1. Radio registration
2. 5G NAS identity establishment
3. 5G core registration (NAS)
4. PDU session establishment
5. Policy checks
6. RADIUS authorization (SMF to ISE)
7. RADIUS response (ISE to SMF)
8. Create session contexts

Demo: ISE for secondary authorization (screenshots)
- Federating Cisco Control Center and Cisco ISE
- Registering endpoint ID and user ID groups in Cisco Control Center
- Defining endpoint and user ID groups in Cisco ISE
- Configuring matching conditions in Cisco ISE
- Matching conditions: VLAN
- 5G devices in Cisco ISE user ID groups
- RADIUS Access-Accept returns attributes
- Configuring policy sets in Cisco ISE
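The secondary-authorization exchange above, as an added example (not code from the session or from the Cisco P5G product): RFC 2865 framing for the SMF's Access-Request and for an ISE-style Access-Accept carrying the RFC 3580 VLAN attribute triple, together with the Response Authenticator and Identifier checks a RADIUS client must pass before it trusts the returned VLAN. The slide names only the identifiers, so it is an assumption here that the IMSI rides in User-Name and the IMEI in Calling-Station-Id; the IMSI, IMEI, NAS-Identifier and shared secret are constructed sample values.

```python
"""RADIUS secondary authorization for a 5G PDU session (RFC 2865 framing,
RFC 3580 VLAN attributes). Added example with constructed sample values."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 31, 32
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag: int, n: int) -> bytes:
    """RFC 2868 tagged integer: one Tag octet followed by a 24-bit value."""
    return bytes([tag]) + n.to_bytes(3, "big")


def build_access_request(ident: int, imsi: str, imei: str,
                         nas_id: str, req_auth: bytes) -> bytes:
    """Access-Request as the SMF would send it. Assumption: IMSI in
    User-Name, IMEI in Calling-Station-Id (attributes not named on the slide)."""
    attrs = (_avp(USER_NAME, imsi.encode())
             + _avp(CALLING_STATION_ID, imei.encode())
             + _avp(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_access_accept(ident: int, req_auth: bytes, vlan_id: int,
                        secret: bytes) -> bytes:
    """Access-Accept carrying the VLAN the policy server assigned."""
    attrs = (_avp(TUNNEL_TYPE, _tagged_int(1, TUNNEL_TYPE_VLAN))
             + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(1, TUNNEL_MEDIUM_802))
             + _avp(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(pkt: bytes) -> list:
    """Walk the attribute area; reject truncated or overlapping AVPs."""
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute length")
        attrs.append((t, pkt[pos + 2:pos + length]))
        pos += length
    return attrs


def vlan_from_response(resp: bytes, expected_ident: int,
                       req_auth: bytes, secret: bytes):
    """Client-side handling of the reply: verify Identifier and Response
    Authenticator first, then pull the VLAN from the RFC 3580 triple.
    Returns the VLAN id, or None when the reply carries no usable VLAN."""
    if len(resp) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length != len(resp) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("bad Response Authenticator: reply not from our server")
    if code != ACCESS_ACCEPT:
        return None
    ttype = tmed = group = None
    for t, v in parse_attributes(resp):
        if t == TUNNEL_TYPE:
            ttype = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            tmed = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            group = v[1:] if v and v[0] <= 0x1F else v  # strip Tag octet
    if ttype == TUNNEL_TYPE_VLAN and tmed == TUNNEL_MEDIUM_802 and group:
        return int(group.decode())
    return None
```

A forged or modified Access-Accept fails the authenticator check and is rejected before any VLAN is applied, which is the property the SMF side of this integration relies on.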
INTEGRATING PRIVATE 5G INTO YOUR ENTERPRISE SECURITY

Converged Security Architecture Framework (diagram, repeated)
ISE over pxGrid to the P5G core, wireless solutions (WiFi controller), firewall, network resources (intrusion prevention, flow analytics, anti-malware), switches/routers via SGT-Inline and SGT-SXP. Visibility, access and control; context reuse. The ISE/P5G integration has been covered; this section is about integration into EN security.

P5G traffic flow: what's the problem?
The Private 5G solution (P5G edge and core) gives ISE visibility, access control and context reuse for the AGV forklift, but once traffic leaves the P5G edge into the enterprise network: and now what?

TrustSec Policy & Enforcement
Cisco DNA Center automates TrustSec for the campus, driving Cisco ISE through its API.

TrustSec control points: when to use what
- SGT inline tagging
  Purpose: network segmentation with CTS-capable network devices
  Does: group information propagates SGTs across network devices
  Attribute propagation: IP/SGT
- SGT via SXP control protocol
  Purpose: network segmentation for non-CTS-capable devices, which need to support SXP
  Does: Security Group Tag Exchange Protocol (SXP) propagates the IP-to-SGT mapping database across network devices
  Attribute propagation: IP/SGT
- pxGrid
  Purpose: network segmentation; active peer-to-peer exchange and updates on clients
  Does: over Cisco pxGrid (Platform Exchange Grid), multiple security products exchange knowledge about a device. This open, scalable, and IETF standards-driven platform helps to automate security to get answers and contain threats faster.
  Attribute propagation: pxGrid exposes all attributes about an endpoint: IP/SGT/device type/posture status/etc.
See the Cisco Group Based Policy Platform and Capability Matrix.

Classification, SGT Lookup and Enforcement (example)
- AGV Forklift: SGT 34, MAC 00:50:56:A0:56:22, IP 10.6.5.111
- Robot: SGT 36, MAC 00:50:56:A0:FD:F2, IP 10.6.5.110
Cisco ISE performs authentication/authorization; Cisco DNA Center downloads the egress policy (source/destination matrix of Permit All / Deny All entries between AGV Forklift, Robot and the Forklift App) to the switch.
- Classification: dynamic, by ISE
- SGT lookup: source SGT found, destination SGT found
- Enforcement: at egress

TrustSec: SGT propagation inline
The SGT is carried inline in the data traffic over CTS-capable network devices. The IP-SGT binding or VLAN-SGT mapping is shared from ISE to the enterprise switch; the switch adds the SGT (here SGT 5 for the AGV forklift) on its egress port, and the frame carries DATA/IP/SGT through the SDA network to the ASA firewall in front of the data center. Egress policy there: AGV Forklift to Forklift Application: Permit All; AGV Forklift to Payroll Server: Deny All.

TrustSec: SGT propagation via SXP
IP-to-SGT data is shared over a control-plane protocol (SXP) from ISE to the enterprise switch and the ASA firewall; the data traffic between them carries only DATA/IP (plus VLAN), and the mapping IP -> SGT 5 is applied at the enforcement point.

Propagation examples
SGT Exchange Protocol (SXP):
- For switches that are not inline-capable
- IP-to-SGT binding exchange over TCP port 64999
- Cisco ISE can be an SXP speaker or listener; SXP aggregation between speaker and listener
- Example bindings: 10.4.9.5 -> SGT 6; 10.0.1.2 -> SGT 5
Inline methods:
- Ethernet inline tagging (EtherType 0x8909): 16-bit SGT encapsulated within the Cisco Meta Data (CMD) payload
- L3 crypto (IPsec): Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload
- VXLAN: the SGT (16 bit) is inserted in the Nonce field (24 bit)
Applied across SDA border and SDA edge nodes, routers and switches.

From Campus to Data Center
TrustSec policy domain (campus: switch, router, firewall, ASR 1K, WAN with GETVPN/DMVPN/IPsec) and ACI policy domain (Nexus 9000 spine/leaf, servers, Cisco APIC-DC).
- Classification: ISE creates matching SGTs for EPGs
- ISE exchanges IP-SGT / EPG name bindings
- IP-ClassId and VNI bindings; IP-security-group bindings exchanged with the network
- Data-plane integration: SGT over Ethernet, IPsec/DMVPN/GETVPN/SXP
- Policy-plane integration: security groups (ISE) and endpoint groups (APIC)

TrustSec propagation via pxGrid
IP-to-SGT data is shared over a control protocol; there is no SGT in the data plane. ISE publishes over pxGrid to the FMC, which programs the FTD firewall with the endpoint's IP, SGT (5), device type and posture status. Traffic between the enterprise switch and the data center carries only DATA/IP (plus VLAN).

Threat Containment with pxGrid
Same capability matrix as before (Cisco Secure Network Analytics, Cisco Firepower Threat Defense, Cisco Umbrella, Cisco Identity Services Engine; application, identity, network and logging rows across P5G access, WAN and the AGV forklift application). pxGrid is secured by TLS. Flow: cyber security breach -> threat detected -> quarantine via ISE.

P5G Security Architecture Design Considerations
- Route your traffic through your security instances
- Make your network ready for new traffic: P5G may generate a high amount of data throughput due to machine vision, camera applications and AR/VR
- Consider how security will impact P5G URLLC communication
- Automate segmentation and context reuse

Context: Build, Summarize, Exchange
- Visibility and access control: ISE builds context and applies access control restrictions to users and devices
- Context reuse by ecosystem partners for analysis & control: Secure Network Analytics, Secure Firewall, DNAC + 3rd-party partners, via pxGrid, REST API and Syslog
Context attributes: who, what, when, where, how, posture, endpoints, threat, vulnerability, scalable group. Sources: Mobility Services Engine, vulnerability scanners, threat intelligence, mobile device managers, directory services, system managers.

Cisco pxGrid 2.0
                         pxGrid 1.0                               pxGrid 2.0
Protocol                 XMPP                                     WebSockets & REST
Ports                    Two (TCP 5222 & 7400)                    One (TCP 8910)
Service redundancy       No (no HA)                               Yes
Scale and performance    Low: limited integrations                High: scalable integrations
                         (5,000 KB/s for 4 subscribers)           (100,000 KB/s agg. for 150 subscribers)
Client-side development  Java or C                                Any language
Support                  From ISE 1.3; not supported in 3.1       From ISE 2.4
More at http://bit.ly/pxgrid2-0. ISE 3.1 deprecates pxGrid 1.0. All Cisco products now support pxGrid 2.0!
Product / minimum version: Cisco Firepower 6.0; Cisco Secure Network Analytics 7.3.2; Cisco Cyber Vision 3.1.0; Cisco Web Security Appliance 11.7; Cisco Industrial Network Director 1.3; Cisco DNA Center 2.1.0.

WHERE TO POSITION FIREWALLS

Protecting the Enterprise with Cisco Firewalls (diagram)
- Cloud RAN firewall and WAN firewall between the (SD)WAN and the cloud
- EN/Campus/DC firewall between the P5G packet core and the campus/DC
- Distribution switch, fronthaul (FH) switch, radio access network (RAN) with indoor/outdoor radios; GTP from the RAN to the packet core; UE traffic carried over VPNs
Policy should allow only N1/N2/N3 traffic and management.

Extend security operations to OT with P5G (see BRKIOT-2010)
Purdue model: Enterprise; I-DMZ; Operations & Control (Purdue Level 3); Process (Purdue Level 0-2) with an industrial core and zones 1-4 (SCADA/HMI, HMI, SIS, PLC/RTU/IED, MES, sensors).
- Cisco IE switches and Cisco IR routers with Cyber Vision sensors in the zones; Cyber Vision HW sensor on SPAN
- Private 5G RAN and edge node with 5G-PIM modules extending the zones
- Cisco Secure Firewall and Cisco Secure Industrial Firewall at the I-DMZ; Cyber Vision Center / Global Center; ISE; FMC; Secure Analytics; SecureX; SIEM

Cyber Vision facilitates OT Segmentation
- Visualize zones & conduits: group endpoints into zones to visualize aggregated flows as conduits to inform segmentation policy
- Dynamic SGT mapping: Cyber Vision grouping results in dynamic group-based policy assignment to endpoints through ISE
- Monitor before enforcement: visualize group-based network behavior in DNAC and enable enforcement when confident after monitoring
1. Visibility to inform segmentation
2. Define policy and observe behavior
3. Enforce segmentation when ready
(Cyber Vision Center to DNAC/ISE: application flow via NetFlow, group-based access control via pxGrid.)

SECURITY MANAGEMENT

Extended Detection and Response (XDR)
Your infrastructure (SIEM/SOAR, 3rd-party tools, intelligence; Cisco applications, cloud, network, endpoint, email, identity) feeding your SOC (CISO, SecOps analyst, incident responder):
- Clear prioritization
- Streamlined investigations
- Automation and response guidance
- Open and extensible: built on the Cisco security platform

SUMMARY
- Private 5G can be onboarded like WiFi
- ISE is the core control point
- Segmentation and security can be done with different tools
- Security automation and context reuse is easy & possible
- Design the integration appropriate to the requirements

Link Collection
- Zero Trust: Network and Cloud Security Design Guide
- Cisco Platform Exchange Grid
- Cisco Group Based Policy Platform and Capability Matrix
- Cisco Secure Technical Alliance Partners
- ISE Security Ecosystem Integration Guides

Cisco Private 5G Learning Map
- June 4, 2:00 pm: TECSPG-2432 New Adventures in Wireless: The Journey of WiFi6 and Private 5G Networks for the Enterprise
- June 5, 8:00 am: BRKSEC-2085 Architecting Enterprise Security in a Wi-Fi plus Private 5G World
- June 5, 8:30 am: BRKSPG-2042 Architecting Private 5G for resiliency, security, and enterprise network convergence
- June 5, 10:30 am: BRKSPM-1006 The 5G System as a Spectrum Management Solution
- June 5, 11:00 am: BRKENS-2950 Is your Enterprise Network Ready for P5G
- June 5, 11:30 am: PSOSPG-1002 Leading Your Digital Transformation with Cisco Private 5G Network Offer
- June 7, 2:30 pm: PSOGEN-1033 Unlock business outcomes from connectivity with a Private 5G solution
- June 7, 4:00 pm: BRKSPG-3004 Monolithic or Polylithic packet cores? The case for specialized use-case-based mobile packet cores
- June 8, 9:30 am: BRKSPG-2044 5G Use Cases: Flight Line of the Future and Smart Warehouse
- June 8, 1:00 pm: BRKGEN-2001 Cisco P5G: A Robust and Secure Architecture
- June 8, 1:00 pm: IBOSPG-2007 Getting Started with Private 5G
- June 8, 3:00 pm: BRKEWN-2030 WiFi6 and Private 5G for the Enterprise: a Better Together Journey
93、 affiliates.All rights reserved.Cisco Public#CiscoLive68Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123468 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-2085