Policy Driven Secure Hybrid Cloud Architecture (策略驱动的安全混合云架构.pdf)

Report no. 138914, PDF, 67 pages, 4.27MB

BRKSEC-2191: Policy Driven Secure Hybrid Cloud Architecture
David Jansen, CCIE 5952, Distinguished Architect
Cisco Live 2023. 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public.

A little bit about David
- Cisco role: Distinguished Architect, works with customers daily
- Unofficial title: "A person that needs to learn how to say 'No.'"
- Experience: been at Cisco my whole life
- Fun fact 1: an awesome husband; father of a daughter and twin boys
- Fun fact 2: written/published 4 books and 4 video series, and working on my last one
- Fun fact 3: enjoys the outdoors, music, working out, running, etc.

Cisco Webex App
- Questions? Use the Cisco Webex App to chat with the speaker after the session.
- How: find this session in the Cisco Live Mobile App, click "Join the Discussion", install the Webex App or go directly to the Webex space (https:/ ), and enter messages/questions in the Webex space.
- Webex spaces will be moderated by the speaker until June 9, 2023.

Abstract
This session will introduce how users/devices connect to public and private applications in a hybrid multi-cloud design; users and workloads are everywhere. We will discuss security services that use multi-tenancy and segmentation to provide security controls. As customers continue to be subject to regulations, we will discuss security services that provide policy compliance and meet regulatory requirements. The goal is to outline a security framework architecture that highlights the critical security technologies that help customers employ this foundational blueprint across Branch/Campus, on-premises Data Centers/co-location and cloud workloads. The key technology pillars covered in this design and in this session, which together represent the security baseline, are:
- Identity management
- Segmentation & multi-tenancy
- Visibility & telemetry
- Security & policy communications

Problem Statement
- Where do I start with ZTNA?
- What solution(s) do I leverage for a given use case?
- There are multiple personas in modern IT technology stacks.
- Cloud continues to be the disruptor, and our customers have been on this cloud journey for several years.

Goals of this session
- Provide use cases and solutions to help with the ZTNA journey
- Share real-world experience with customer deployments and the problems experienced
- Reinforce the sentiment that ZTNA is a journey!
(Layered view: Application (CASB/HTTPS), Network (NGFW/IPS), Zero Trust)

Agenda
- Trends in customer and industry transformation
- Architectural building blocks
- Designing policy
- Use cases: Security Service Edge (SSE); Secure Access Service Edge (SASE); Software Defined Cloud Interconnection (SDCI); Extending policy to public IaaS; Secure Workload identity with ISE
- Validating policy
- Summary

The Customer and Industry Transformation
- Then: perimeter security appliances to protect the network; site-to-site connectivity; MPLS transport; core routing services; perimeter security; connectivity SLA.
- Now: Internet/cloud-centric; user-to-application; Cloud OnRamp; SD-WAN/overlays; cloud-delivered security; users/devices/things; application SLA; digital exchange; Internet and MPLS transports.
(Diagram: remote site and remote user connecting over MPLS and Internet to the data center.)

What has changed?
- The customer's network and security enterprise perimeter/edges are no longer the physical borders of physical locations or street addresses.
- This has resulted in the new perimeter. So where is the new perimeter? Wherever security controls and capabilities are needed to protect users/devices, things, applications and data; the security perimeter is everywhere.

Architectural Building Blocks

What is Middle-Mile?
- The Internet is changing from a network-of-networks to a network-of-services.
- The WAN is evolving to a service exchange: from discrete circuits connecting locations to consumption options, optimized traffic flows and cloud connectivity.
- First mile: customer premises and local access (remote location + geo(s), WAN service, Internet or private networks).
- Middle mile: colocation/PoP, interconnect transport, regional peering edge/service exchange (SP core network, SDCI, CSP, SSE/SASE, private network).
- Last mile: cloud provider network (CSP network, ASN or private networks).

What is SD-WAN?
- Fabric for any-to-any communication
- Better application experience
- Application-aware routing
- Security
- Optimized cloud connectivity
- Simplified management

Putting it all Together: Zero Trust, SD-WAN, SASE and SSE (market convergence)
- Connect it (SD-WAN): secure SD-WAN fabric; performance-based Internet routing; on-ramp into public IaaS and private cloud; SD-WAN analytics (including Internet Intelligence); on-prem unified threat management.
- Secure it (SSE): Firewall as a Service (FWaaS); Secure Web Gateway (SWG); Cloud Access Security Broker (CASB); Zero Trust Network Access (ZTNA).
- SASE = SD-WAN + SSE. Capabilities, Principle (Zero Trust methodology) and Architecture.

Security Stack for the cloud edge (diagram)

Designing Policy

Where should you start?
- Business case/objective: regulatory drivers (PCI, HIPAA, government, BSI, SSI) result in segmentation (put scope around the segmentation).
- An exec sponsor is a must have.
- Start with a PIN (place in the network) vs. a use case; i.e. do you start at the DC first or with the users? Start small.
- What tools help with the process?
- CISO: "How do I deploy segmentation without getting fired?"

Introducing TrustSec
- Example groups: SGT_Contractor (Contractor 1-4), SGT_Employee (Employee 1-4), SGT_FinanceServer (Fin 1, Fin 2), SGT_Printers (Printer 1, Printer 2), SGT_BuildingManagement (Temperature Device 1-2, Surveillance Device 1-2).
- Simplified access control with Group Based Policy: Classification, Propagation, Enforcement.
- SGT(s) embedded into NetFlow.

Policy and Segmentation is a Process
- Objectives: success criteria (i.e. regulatory compliance & reduced threat surface; who measures success? The auditor.)
- Define segments: memberships and relationships
- Validation: would it work?
- Enforcement: active enforcement
- Verification: is intent captured correctly?

Starting a Design
- Identify assets to protect: PCI data, production systems, intellectual property.
- Methods of classification: static, dynamic.
- Policy enforcement points: firewall, Umbrella, route/switch (TrustSec).
- Propagation methods: inline tagging, out-of-band overlay, implied.
- Best practice: start small, you don't have to do everything at once.

Secure Network Analytics: TrustSec Policy Analytics (diagram)

TrustSec Analytics Report
Designed to provide visibility into SGT traffic:
- How do I decide what policies should exist between my groups?
- How do I know that my policies are correct and won't disrupt operations?
Matrix legend: Gray = no traffic; Green = there is traffic and a permit IP ACL exists; Red = there is traffic and a deny IP ACL exists; Blue = custom policy.

Business Centric Segmentation
- Business-based groups and memberships (example groups: Engineers, Non-Beer Drinkers, Bottling Line)
- Business-centric relationships between groups

Use Cases
1. Secure Access Service Edge (SASE)
2. Security Service Edge (SSE)
3. Software Defined Cloud Interconnection (SDCI)

Architecture: Cisco SASE/SSE/SDCI
Users/devices/things at Site 1 to Site n and remote users (via proxy/DNG) connect over private and public transport, through the middle mile/colo, to the data center and application destinations.
- Use-case based: everything will not be behind a common enforcement point
- Ability to choose how to enforce
- Ability to choose where to enforce
- Coarse-grain and fine-grain policy

Use Cases: Cisco Secure Access (SSE), Cisco+ Secure Connect (SASE)

Cisco Secure Access (SSE), remote users: transparently secures users-to-applications
- Internet: redirected transparently to the SSE cloud
- DNS/Web applications and SaaS applications: CASB/DLP protections inline and via API; app bypass also supported
- Private modern applications: ZTNA gives controlled access to selected applications
- Private traditional applications: RA-VPN gives full network access for existing applications
- Secure Client (formerly known as AnyConnect) or clientless; user authentication and device trust; ZTNA per-app tunneling

Cisco Secure Access (SSE), Branch/Campus (Site 1 to Site n): the same model applies: Internet redirected transparently to the SSE cloud; DNS/Web and SaaS applications with CASB/DLP inline and via API (app bypass supported); ZTNA for private modern applications.

Cisco Secure Access (SSE) with SD-WAN + Security, Cisco+ Secure Connect (SASE)
- SD-WAN fabric (Meraki/Viptela) at the sites.
- SASE/SSE bypass/DIA: getting the right traffic to the right place; not every application has to go through SASE/SSE. For example, Office 365 with no proxy/SWG.
- Value of ISE: users and trusted devices; SGT enforcement.

Cisco Secure Access (SSE) with SD-WAN + Security, IoT
- Today: SGT tags are not supported in the SSE cloud.
- However, the firewall/router CPE can enforce on the tag: SGT enforcement can route a specific tunnel via the IoT tag, and the tunnel can have a different policy for IoT/AD groups/subnets/tunnel-id in the policy as well.
- Value of ISE: IoT and workload identity.

Use Cases: Software Defined Cloud Interconnection (SDCI)

SDCI: transparently secures users-to-applications
- DIY/SaaS consumption; single pane via vManage; end-to-end network automation
- End-to-end network + security automation
- End-to-end policy, encryption and segmentation; ability to carry segmentation
- Security stack; PEP (policy enforcement points)
- Ability to do egress enforcement with Viptela/Meraki SD-WAN
- Ability to provide remote user/site connectivity and security to different destinations: SaaS, private and public applications
- Ability to carry VN/VRF and SGT end to end
- Ability to choose enforcement options
- Identity integration with on-prem ISE
- Secure Client (formerly AnyConnect) or clientless VPN/ZTNA; encrypted SD-WAN fabric
- Sources: Secure Client, clientless, Branch/Campus, IoT

SDCI: SD-WAN + Secure Firewall
- Identity-based firewall and SGT-based firewall
- Ability to carry and enforce VN/VRF and SGT end to end
- Ability to choose enforcement options
- Deployment options: Base: FW; Advanced: identity-based FW integration with ISE; Advanced: SGT-based firewall
- Leverage the on-prem ISE investment

SDCI: SD-WAN + NGFWv
- Requires advanced NGFW. NGFWv is automated to offer a secure policy enforcement point (PEP).
- vManage for Day 0/1, and Firewall Manager (SecOps) for Day 2+
- Identity + ISE; ability to carry VN/VRF and SGT end to end; ability to choose enforcement options; identity integration with on-prem ISE
- NGFWv deployment options: Base: NGFWv; Advanced: identity-based FW integration with ISE; Advanced: SGT-based firewall
- Leverage the on-prem ISE investment

Unified Security Policy and Intent: SD-WAN + cEdge Firewall
- ZBFW policy matrix (source rows, destination columns in the order extracted: Employee, PLC, Contractor): Contractor: Deny All, Permit All, Deny All; Employee: Permit All, Permit All, Deny All. Destinations include IaaS, SaaS and private apps.
- Identity-based firewall: ISE with Active Directory over pxGrid; IP-to-user/group mapping; OMP carries the IP-to-user/group mapping; granular security control at the user/group level.
- SGT-based firewall: user/device-to-SGT mapping; OMP carries the IP-to-SGT mapping.

Cisco SASE/SSE/SDCI: end-to-end segmented traffic + enforcement, user to application
- Keep specific traffic on its own "rail": VN/VRF is the ability to get traffic to the firewall; micro-segmentation can also be applied; use security policy to cross-connect "rail" to "rail" for policy/communication.
- Rails: Guest Internet VN/VRF/SGT, Things VN/VRF/SGT, Users/Apps VN/VRF/SGT, each fronted by NGFWv.
- Resulting in: security policies aligned to user and group rather than IP addresses; the SD-WAN embedded security stack is now aware of user identity and applies policy; identity firewall capability provides granular access control based on user identity; ZTNA trust assertion based on user and device context; trust-based establishment.

SDCI: transparently secures application-to-application (SD-WAN + NGFWv)
- Web to database; auto-scaled applications; container applications; cloud to cloud; cloud to on-prem data center; API to API via HTTPS.

End-to-end segmented traffic + enforcement, application to application
- Same rail principle: keep specific traffic on its own "rail"; VN/VRF gets traffic to the firewall; micro-segmentation can also be applied; use security policy to cross-connect "rail" to "rail".
- Rails: Web Front End, Databases, Finance Application, each fronted by NGFWv.

Use Case(s): Extending Policy to Public IaaS

Enabling Group-based Policies in IaaS (diagram: Cat8Kv, NGFWv, ISE)

Extending Policy & Control into AWS
- Leverage Security Group Tags (SGT) within the IaaS environment.
- Configure SGTs and ISE controls on the Cat8Kv/NGFWv within the AWS Transit VPC environment.
- Then manually create policy groups within ISE to manage segmentation and control between VPCs.

AWS Transit VPC: Simplifying Segmentation and Control
- Spoke VPCs: Dev (VPC1, 20.0.0.0/16, Dev VPC tag), Prod (VPC2, 30.0.0.0/16, Prod VPC tag), CiscoLive (VPC3, 40.0.0.0/16, Cisco Live tag). Transit VPC hub with Cat8Kv in AZ1 and AZ2 (and NGFWv in the second variant). Data Center 192.168.0.0/16 (CAT8000, 192.168.0.6 and 192.168.1.2) over Direct Connect with dynamic route peering. Users: Employee tag, Developer tag. ISE provides identity & access control and policy enforcement.
- Controls: spoke to spoke, user to app, app to app, Internet.
- Control traffic between VPCs; simplify security configurations; scale security group control; single control point; secure Internet breakout by enabling Snort IPS on the Cat8Kv.
- Control access to spoke VPCs based on SGT tags and policy enforcement within the Transit VPC hub Cat8Kvs.
- Example hosts in the third variant: 20.1.1.100 and 20.1.1.75 (Dev), 30.1.1.200 and 30.1.1.50 (Prod), 40.1.1.50 and 40.1.1.75 (CiscoLive).

Dynamic Attributes Connector (CSDAC)
- Example: Engineer 10.100.18.22, Accountant 10.100.19.7, AWS endpoint IaaS ?.?.?.?, Azure endpoint IaaS ?.?.?.?, Firepower sensor, FMC.
- Instead of manually defining the IP/group mapping in dynamically changing cloud environments, subscribe to and pull dynamic IP feeds.
- Ability to assign multiple IP addresses to multiple dynamic firewall objects.

Cisco Secure Workload
- Segmentation policy enforcement at the workloads: virtual machines, containers and bare metal; private and public IaaS.
- Prevent east/west lateral movement.
- Dynamic policy, policy enforcement, policy visibility.
(Diagram: workloads 20.1.1.75, 30.1.1.50, 40.1.1.50, 10.1.1.10; ISE; Firepower sensor; FMC.)

Use Case: Secure Workload Identity with ISE
Secure Workload identity with ISE provides the following benefits:
- IP to SGT/user mappings: give context to flows in a single interface
- Dynamic mappings: support for shared devices where the user changes
- Flow search by username, group or SGT: what were the connections from user X?
- ADM maps reflecting SGT tags: which devices or users are accessing the right applications?
- ISE publishes updates over the pxGrid message bus; Secure Workload consumes this message bus and annotates the hosts/endpoints provided by ISE.

ISE Provides Campus Identity to Secure Workload DCs (Cisco Secure Workload Analytics Platform)
- Users: user Tony, SGT 16 (Doctors), IP 23.72.193.172.
- Applications/Data (software sensor): app Patient-Data (EPG).
- Enforced policies for user Tony or SGT 16 = Doctors, IP 23.72.193.172: may not access employee data; may access patient records.
- Dynamic policy generated: 1) the sensor endpoint sends telemetry data; 2) the endpoint also authenticates with ISE, which notifies our identity repository via pxGrid; 3) Secure Workload merges the two streams and outputs dynamically generated policy.

Secure Client (formerly known as AnyConnect), Network Visibility Module (NVM) solution overview
- Enable data modelling with the Secure Client Network Visibility Module (NVM).
- Consistent method to identify, discover, group, classify and segment based on modelled customer policy as well as application (consistency across Branch, Campus, DC and Cloud).
- Apply a Zero Trust security model between segmented groups.
- Enforce segmentation policy on existing customer infrastructure (endpoints, routers, switches & FWs).
- Automate the removal of infected endpoints (rapid threat containment to isolate, protecting applications & data).

Enterprise Policy Discovery (Cisco Secure Workload Analytics Platform)
- Users: user Steven, SGT 20 (Doctors), IP 23.72.193.172 (User: Cisco/userid).
- Applications/Data: app Patient-Data (EPG). Enforced policies for user Steven or SGT 20 = Doctors, IP 23.72.193.172: may not access employee data; may access patient records.
- Dynamic policy generated: 1) Secure Client NVM streams IPFIX to Secure Workload; 2) the endpoint also authenticates with ISE, which notifies our identity repository via pxGrid; 3) Secure Workload merges the two streams and outputs dynamically generated policy.
- IP 23.72.193.172 today is "Steven"; it could be a different user tomorrow.

Validating Policy

Secure Network Analytics / Secure Workload Policy Analytics
(Components: Flow Collector, Manager, Identity Services Engine, Secure Client, infrastructure.)
1. TrustSec Analytics Reports
2. Direct flow analysis leveraging SGT in the flow table
3. Custom security events

Secure Network Analytics, TrustSec Policy Analytics
- Two report types introduced in Secure Network Analytics v7.3.1.
- Ability to validate that the trusted ISE policy is being observed, from near real-time network telemetry.

Secure Workload Flow Search (screenshot)

Secure Workload Compliance, Policy Validation
All flows are tracked 4 ways:
- Permitted: bidirectional flows that match the policy
- Misdropped: permitted traffic where we have dropped a packet
- Escaped: bidirectional flows that are against the policy
- Rejected: uni-directional flows that are against the policy

Summary
- Provided guidance on how and where to start on the ZTNA journey.
- Simplified security controls and capabilities to protect users/devices, things, applications and data, aligned to operational personas.
- Ability to define dynamic classification (source and destination), define policy and enforcement.
- Provided the ability to monitor, view and audit policy.
- Provided capabilities to expand to the cloud, not migrate to the cloud.

Please fill out the survey. Drop your email in the comments, I WILL respond!

Fill out your session surveys! Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education: visit the Cisco Showcase for related demos; book your one-on-one Meet the Engineer meeting; attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs; visit the On-Demand Library for more sessions at www.CiscoL

Gamify your Cisco Live experience! Get points for attending this session. How: 1. Open the Cisco Events App. 2. Click on Cisco Live Challenge in the side menu. 3. Click on View Your Badges at the top. 4. Click the + at the bottom of the screen and scan the QR code.

Thank you. #CiscoLive. BRKSEC-2191. 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public.
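The slides on Secure Workload identity with ISE (merging sensor telemetry with pxGrid IP-to-user/SGT sessions, including an IP whose user changes over time) and on compliance validation (tracking flows as Permitted, Misdropped, Escaped or Rejected) describe one pipeline. The following is an added illustration of that pipeline, not Cisco's code: the session feed, application inventory, SGT policy, flow records and timestamps are all constructed sample data, and the `dropped` flag is an assumed field standing in for the sensor's drop report.

```python
"""Merge flow telemetry with ISE identity sessions and validate SGT policy.

Constructed example of the flow described in the session:
1) a sensor (Secure Client NVM / software sensor) exports flow records,
2) ISE publishes IP-to-user/SGT sessions over pxGrid,
3) the two streams are merged, each flow is checked against group policy and
   tracked as Permitted, Misdropped, Escaped or Rejected.
All IPs, users, SGTs, ports and timestamps are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed pxGrid-style session feed: (ip, user, sgt, sgt_name, start, end).
# The same IP is used by two users at different times: the "shared device
# where the user changes" case, so lookups must be time-aware.
ISE_SESSIONS = [
    ("23.72.193.172", "Tony", 16, "Doctors", 100, 200),
    ("23.72.193.172", "Steven", 20, "Doctors", 200, 300),
    ("10.100.19.7", "Accountant", 19, "Finance", 0, 10_000),
]

# Constructed application inventory (EPG-style labels keyed by server IP).
APP_BY_IP = {"10.1.1.10": "Patient-Data", "10.1.1.20": "Employee-Data"}

# Group-based policy keyed by (source SGT name, destination application).
# Anything not listed falls back to deny (explicit allow-list).
POLICY = {
    ("Doctors", "Patient-Data"): "permit",
    ("Doctors", "Employee-Data"): "deny",
    ("Finance", "Employee-Data"): "permit",
}


@dataclass(frozen=True)
class Flow:
    ts: int              # sensor timestamp (same clock as the ISE feed)
    src_ip: str
    dst_ip: str
    dst_port: int
    bidirectional: bool  # packets observed in both directions
    dropped: bool        # assumed field: enforcement agent reported a drop


def identity_at(ip, ts):
    """Resolve the ISE session active for `ip` at time `ts` (None if unknown)."""
    for s_ip, user, sgt, sgt_name, start, end in ISE_SESSIONS:
        if s_ip == ip and start <= ts < end:
            return {"user": user, "sgt": sgt, "sgt_name": sgt_name}
    return None


def policy_action(sgt_name, app):
    return POLICY.get((sgt_name, app), "deny")


def classify(flow):
    """Annotate a flow with identity and application, then apply the four-way
    compliance tracking (Permitted / Misdropped / Escaped / Rejected)."""
    ident = identity_at(flow.src_ip, flow.ts) or {"user": None, "sgt": None, "sgt_name": None}
    app = APP_BY_IP.get(flow.dst_ip, "unknown")
    action = policy_action(ident["sgt_name"], app)
    if action == "permit":
        # Permitted traffic that lost a packet is a misdrop worth investigating.
        state = "Misdropped" if flow.dropped else "Permitted"
    else:
        # Policy says deny: a bidirectional flow got through (enforcement gap);
        # a one-way flow means the responder never answered, i.e. it was blocked.
        state = "Escaped" if flow.bidirectional else "Rejected"
    return {**ident, "app": app, "action": action, "state": state}


def summarize(flows):
    """Count flows per compliance state, as a validation dashboard would."""
    return Counter(classify(f)["state"] for f in flows)


# Constructed sensor records.
SAMPLE_FLOWS = [
    Flow(150, "23.72.193.172", "10.1.1.10", 443, True, False),   # Tony -> Patient-Data
    Flow(150, "23.72.193.172", "10.1.1.20", 443, True, False),   # Tony -> Employee-Data, got through
    Flow(250, "23.72.193.172", "10.1.1.20", 443, False, False),  # Steven -> Employee-Data, blocked
    Flow(250, "23.72.193.172", "10.1.1.10", 443, True, True),    # Steven -> Patient-Data, packet dropped
    Flow(300, "10.100.19.7", "10.1.1.20", 445, True, False),     # Accountant -> Employee-Data
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        r = classify(f)
        print(f"{r['user']!s:10} SGT {r['sgt']!s:4} -> {r['app']:14} {r['action']:6} {r['state']}")
    print(dict(summarize(SAMPLE_FLOWS)))
```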
