Welcome to Your Cisco Connect & Grow Series: Heat Up Your Sales with Cisco Security for SMB

Transcript of Welcome to Your Cisco Connect & Grow Series: Heat Up Your Sales with Cisco Security for SMB

Page 1

Welcome to Your Cisco Connect & Grow Series: Heat Up Your Sales with Cisco Security for SMB

Page 2

BEFORE WE TAKE OFF… This webinar is being recorded and will be available 48 hours after the event at www.ingrammicro.com/ciscowebinars

This is your event – So please ask questions! Utilize the Q&A box or take the opportunity to call in and ask your question live during the broadcast. We love to hear from you!

And now, let’s get going…

Thank you for being a valued Cisco partner!

Cisco Connect & Grow Series

Page 3

Incentive Drawing

Three $50 AmEx Gift Cards will be drawn at the close of the session

Page 4

Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro’s express written permission.

Cisco Connect & Grow Series: Heat Up Your Sales with Cisco Security for SMB

Peter Avino, Solution Center Engineer/Instructor, and Cori Hahn, Tech Support Specialist II (Cisco Security Lead), Ingram Micro

June 24th, 2015

Page 5

Today’s Agenda

• Security Threats

• ASA 5500X

• Meraki MX

• Demo

• Q&A

Page 6

Cisco Confidential 6 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

CISCO ASA

ASA + Sourcefire = New, Adaptive, Threat-focused NGFW

• Identity-Policy Control & VPN

• URL Filtering (subscription)

• FireSIGHT Analytics & Automation

• Advanced Malware Protection (subscription)

• Intrusion Prevention (subscription)

• Application Visibility & Control

• Network Firewall, Routing | Switching

• Clustering & High Availability

• Built-in Network Profiling

Cisco Collective Security Intelligence Enabled

Page 7

SMBs Are Underserved by Legacy Solutions

Legacy next-generation firewall and unified threat management (NGFW + UTM) solutions were never designed for advanced threat protection.

• UTMs are less effective

• Legacy NGFWs and point solutions are costly and impractical to administer

• Point solutions bring major integration risks and questionable security efficacy

Page 8

ASA for SMB

Page 9

A New Way Forward for SMBs and Distributed Enterprises

• Superior Threat Defense: featuring integrated, best-of-breed security technologies, continually updated with superior threat intelligence feeds

• Superior Product Value: small-footprint devices capable of running superior, next-generation, threat-focused capabilities

• Flexible Management: simplified, integrated, local management for single-instance deployments; centralized management for threat data correlation across the distributed enterprise

Page 10

Cisco Next-Generation Firewalls for SMBs, Distributed Enterprises, and Industrial Control

• ASA 5506-X: desktop model

• ASA 5506W-X: desktop model with integrated wireless access point; wireless can be managed locally or through WLC

• ASA 5508-X and ASA 5516-X: higher performance, 1RU; new value-focused price-performance points

• ASA 5506H-X: ruggedized NGFW for industrial control and critical infrastructure

100% NGFW - ships with AVC. Perfect for Cisco® ASA 5505 refreshes.

Page 11

Performance Comparison

Feature | ASA 5506-X/5506H-X/5506W-X | ASA 5508-X | ASA 5516-X
Maximum stateful firewall throughput | 750 Mbps | 1 Gbps | 1.8 Gbps
VPN throughput | 100 Mbps | 175 Mbps | 250 Mbps
Maximum AVC throughput | 250 Mbps | 450 Mbps | 850 Mbps
Maximum AVC and NGIPS throughput | 125 Mbps | 250 Mbps | 450 Mbps
AVC or IPS sizing throughput [440 B] | 90 Mbps | 180 Mbps | 300 Mbps
Maximum concurrent sessions | 50,000¹ | 100,000 | 250,000
Maximum CPS | 5,000 | 10,000 | 20,000

Step between adjacent columns: ~1.5x to 2x (5506-X to 5508-X), ~1.5x to 2x (5508-X to 5516-X)

Page 12

Model Comparison

Feature | ASA 5506-X | ASA 5506W-X | ASA 5506H-X | ASA 5508-X | ASA 5516-X

Hardware
Form factor | Desktop | Desktop | Desktop | 1RU | 1RU
CPU | Multicore @ (clock garbled in source) GHz | Multicore @ (clock garbled in source) GHz | Multicore @ 1.25 GHz | Multicore @ 2 GHz | Multicore @ 2.4 GHz
Memory - RAM | 4 GB | 4 GB | 4 GB | 8 GB | 8 GB
Flash | 8 GB | 8 GB | 8 GB | 8 GB | 8 GB
Fan | No | No | No | Yes | Yes
I/O | 8x GE | 8x GE; Wi-Fi | 8x GE | 8x GE | 8x GE

Software
Stateful firewall | Yes | Yes | Yes | Yes | Yes
FirePOWER™ services (all) | Yes | Yes | Yes | Yes | Yes
User (node) support | Unlimited (default) | Unlimited (default) | Unlimited (default) | Unlimited (default) | Unlimited (default)
High availability | Yes - Active/Standby only¹ | Yes - Active/Standby only¹ | Yes - Active/Standby only¹ | Yes (Active/Active) | Yes (Active/Active)
Security context | No | No | No | Yes² | Yes²
Clustering | No | No | No | No | Planned

Page 13

Platform Features

• The product has a reset pin. If it is held for more than three seconds, it restores the factory configuration, clears passwords, and erases ROMMON variables.

• Cisco® Trust Anchor is implemented to validate the source of the image file and to also protect against hardware tampering and counterfeiting.

Page 14

Superior Threat Defense

Page 15

Integrated Threat Defense

• URL Filtering (Subscription)

• Advanced Malware Protection (AMP) (Subscription)

• Next-Generation Intrusion Prevention (NGIPS) (Subscription)

• Application Visibility and Control (AVC)

• Network Firewall, Routing | Switching, VPN

• On-box or Centralized Management

Threat protection is our #1 differentiator.

• Same features and licenses as the larger Cisco® ASA with FirePOWER™ Services models when used with FireSIGHT®

• Simplified NGFW offering with on-box ASDM 7.3.x

Page 16

Functional Distribution of Features

FirePOWER™ Services:

• Advanced Malware Protection

• File Type Filtering

• Application Visibility and Control

• NGIPS

• URL Category and Reputation

• *File Capture

ASA:

• IP Fragmentation

• IP Option Inspection

• TCP Intercept

• TCP Normalization

• ACL

• NAT

• VPN Termination

• Routing

Page 17

Cisco FirePOWER Provides Superior Visibility for Accurate Threat Detection and Adaptive Defense

Page 18

Cisco Advanced Malware Protection Built on Superior Collective Security Intelligence

Cisco® Collective Security Intelligence

• 1.6 million global sensors

• 100 TB of data received per day

• 150 million+ deployed endpoints

• 600 engineers, technicians, and researchers

• 35% worldwide email traffic

Cisco Collective Security Intelligence Cloud (sources shown: Web, Endpoints, Devices, Networks, Email, IPS)

Automatic Updates Every 3–5 Minutes

• 13 billion web requests

• 24-hour daily operations

• 4.3 billion web blocks per day

• 40+ languages

• 1.1 million incoming malware samples per day

• AMP community

• Private/public threat feeds

• Talos security intelligence

• AMP threat grid intelligence

• AMP Threat Grid dynamic analysis 10 million files/monthly

• Advanced Microsoft and industry disclosures

• Snort and ClamAV open source communities

• AEGIS program

Page 19


Five Subscription Packages to Choose From for Each Appliance

“NGFW” and “NGIPS” packages: URL; IPS + URL; IPS; IPS + AMP; IPS + AMP + URL

• AVC is part of the default offering

• 1, 3 and 5 year terms

• SMARTnet is ordered separately with the appliance

Page 20

Key ASA Features

ASA 9.3.2 Release (Key Features)

• REST API

• Transport Layer Security (TLS) 1.2

• ECMP support, IPv6 Border Gateway Protocol (BGP)

• Standards-based IKEv2 support; Citrix HTML5 browser support

• VPN clients: Windows 7, 8.1, 8.1 phone client, iOS 8, Knox, strongSwan

• Cisco AnyConnect® 4.0

ASA 9.4.1 Release (Key Features)

• Policy-based routing

• REST API phase 2, SNMP enhancement

• Clientless tagging, WebVPN support for OWA 2013 and XenDesktop 7.5

• Full VXLAN support

Page 21

Advanced VPN Capabilities: AnyConnect 4.0 Secure Mobility

• Diverse endpoint support for greater flexibility

• Flexible options

• Rich, granular security integrated into the network

• Superior threat defense

• Always on for seamless experience and performance

• Superior value

Diagram labels: Data-Loss Prevention, Threat Prevention, Acceptable Use, Access Control; Corporate File Sharing (Access Granted); Skype, YouTube, Salesforce.com

Page 22

Centralized or Local Management

Flexible Management Options

Page 23

Centralized Management: Same as Larger Models - Uses CSM and FireSIGHT™

Provides Security Teams with:

• Management for multiple devices

• Comprehensive visibility and control over network activity

• Optimal remediation through infection scoping and root-cause determination

BEFORE: Discover, Enforce, Harden | DURING: Detect, Block, Defend | AFTER: Scope, Contain, Remediate

Page 24

NEW - Integrated Onbox Management

• The Cisco® Adaptive Security Device Manager (ASDM) 7 combines control of access policy and advanced threat defense functions

• The enhanced UI provides quick views on trends and the ability to navigate to more details

• Centralized management is optionally available with FireSIGHT® + Cisco Security Manager

Page 25

Better Together: Continuous Visibility and Control

Network, Remote and Mobile: discover infections, find the root cause, understand threats

Deep Visibility and Control (Remediate); Network Visibility and Control* (Block); Remediation

*Note: Blocking on the network is available in version 5.2

Diagram: VMware vSphere hypervisor hosting VMs (APP/OS) alongside a security VM (SVM) running AV

Page 26

Cisco/Meraki Cloud Managed MX Security Appliance

Page 27

Cloud-managed networking architecture

Network endpoints securely connected to the cloud

Cloud-hosted centralized management platform

Intuitive browser-based dashboard

Page 28

Out of band cloud management in every product

• Scalable
 – Unlimited throughput, no bottlenecks
 – Add devices or sites in minutes

• Reliable
 – Highly available cloud with multiple datacenters
 – Network functions even if connection to cloud is interrupted

• Secure
 – No user traffic passes through cloud
 – Fully HIPAA / PCI compliant (level 1 certified)
 – 3rd party security audits, daily penetration testing

• Future-proof
 – New features pushed through firmware, guided by customer feedback
 – Automatic firmware and security updates (user-scheduled)
 – Reliability and security information at meraki.cisco.com/trust

Diagram label: Management data (1 kb/s) over the WAN

Page 29

MX security appliances

A complete unified threat management solution

7 models scaling from teleworker and small branch to campus / datacenter

Feature highlights

• Application Control: Traffic Shaping, Content Filtering, Geo Firewall Rules

• Security: NG Firewall, Client VPN, Site to Site VPN, IDS/IPS

• Networking: NAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing

Page 30

MX security appliances: Licenses

Enterprise License:

• Stateful firewall

• Site to site VPN

• Branch routing

• Link bonding and failover

• Application control

• Web caching

• Client VPN

Advanced Security License - all enterprise features, plus:

• Content filtering (with Google SafeSearch)

• Kaspersky Anti-Virus and Anti-Phishing

• SourceFire IPS / IDS

• Geo-based firewall rules

Page 31

Designed for security and availability

• Redundancy & availability: increased uptime of mission-critical infrastructure. Increase reliability with multi-hub VPN and warm spare failover (HA).

• Comprehensive security: granular control over phishing, foreign-originated and malicious traffic. Monitor and prevent threats based on severity, specific signatures, and region.

• Multi-site connectivity: IPsec VPN connections with flexible topology and security policies. Reduce VPN configuration time to seconds and complexity to a few clicks.

Page 32

MX security appliances: Models

Segment | Model | Users | Unique features | Throughput
Teleworker | Z1 | 1-5 | Dual-radio wireless | 50 Mbps
Small branch | MX64 / MX64W | ~50 | Wireless (MX60W) | 200 Mbps
Medium branch | MX80 | ~100 | Large WAN Opt cache (1 TB) | 250 Mbps
Medium branch | MX100 | ~500 | Gigabit uplinks; Large WAN Opt cache (1 TB) | 500 Mbps
Large branch / campus | MX400 | ~2,000 | High-speed uplinks; Built-in redundancy; Modular interface; Large WAN Opt cache (1 TB) | 1 Gbps
Large branch / campus | MX600 | ~10,000 | High-speed uplinks; Built-in redundancy; Modular interface | 2 Gbps

All devices support 3G/4G

Page 33

Cisco Enterprise and Cloud Managed primary positioning

Cisco Cloud Managed:

• Easy to deploy and manage over the web

• Out-of-the-box optimized feature set

• Ongoing managed upgrades and enhancements

• Optimized for lean IT, with limited requirement for 3rd party integration

Cisco Enterprise:

• Flexible deployment and configuration options

• Highly customizable and advanced feature set

• Advanced professional services, extended support

• Extensive integration capabilities

Both portfolios offer significant professional services opportunities

Page 34


Partner Demo Promotion - ASA5506-K9: Get 1 unit of the new Cisco ASA5506-K9 with Firepower Services at 99.9% discount to demo with your customers. Includes a free 45-day trial of Firepower Services (URL, AMP and IPS) and Cisco Support.

STEP by STEP

• Partner contacts their Distributor of Choice to register

• Partner will use CCW (Cisco Commerce Workspace) to order the ASA5506-K9 DEMO unit at 99.9% discount

• Partner agrees to obtain their Cisco Express Security Specialization (ESS) within 45 business days once registered

• Partner will be registered by their distributor and show a special incentive (ASA5506 Demo Promotion) in CCW

• CCW Deal ID is approved; product is shipped from Distributor to Partner

Note - Partner has the option to conduct FirePower Services demos with their customers, or install the product at a customer site for a potential sale and later offer the suite of Firepower Services (1-year AMP, URL or IPS licenses) with Smartnet* after the 45-day trial licenses expire.

For questions please contact: Scott Schweizer, SBDM Americas Distribution [email protected]

Page 35

Experience Center How can Cisco and Ingram Enable You to Fly Higher?

Page 36

Strength in Numbers

• 300+ Years Cisco Experience

• $2.5B Annual Cisco Revenue

• 18+ Years Cisco Partnership

• $150M+ Inventory, Industry Leader

• 145+ Dedicated Cisco Specialists

Page 37

Partner Enablement & Services

State of the Art Experience Center

Technical & Business Sales Training

Config to Order

Professional Services

Build to Order

World Class Tech Support

Dedicated Field Engineers

Flexible Financing Opportunities

Page 38

Partner Programs & Promotions

Just Switch It

Fast Track

Unified Access

Collaborate Now

UCS Advantage

ASA Migration Program

Mobility Express Bundles

Security Ignite

Page 39

Experience Center

Hands on Technology from ALL Cisco Architectures

$10M+ Cisco Equipment

Product Demos

Dedicated Cisco Engineering Team

Solution Proof-of-Concepts

Exec. Meeting Presence w/ Latest Video Conf

End Users & Staff Training

Live or Remote Demos/Trainings

Page 40


Questions? Peter Avino Solution Center Engineer/Instructor, Ingram Micro [email protected]

Cori Hahn Tech Support Specialist II (Cisco Security Lead),Ingram Micro [email protected]

Page 41

Incentive Drawing

And the winner is …..

Page 43

Contact Us

Hardware: (800) 456-8000 ext. 76471, Option 1: Hardware

Partner Development: (800) 456-8000 ext. 76799, [email protected]

Services: (800) 456-8000 ext. 76471, Option 2: Services

Public Sector: (800) 456-8000 ext. 76471, Opt 1: HW, Opt 2: Services

Page 44

Page 45


Page 46


Cisco Security "Expert" Level Series: For Partner SE/FEs, TAC-level NPI Training

• Featured ASA Courses
 – ASAv & ASA 9.2 NGFW
 – ASA 9.0 Firewall Features (Clustering, Suite B, etc.)
 – ASA 9.0.1 Remote Access VPN
 – ASA (Cloud Web Security - CWS)
 – ASA CX/PRSM Advanced Topics
 – AnyConnect 3.1

• Featured ISE
 – ISE 1.2 BYOD
 – The Identity Services Engine Design/Install - Part 1
 – The Identity Services Engine Design/Install - Part 2 "Certificates & EAP-TLS"

• Featured Management
 – CSM 4.3
 – CSM 4.4

https://communities.cisco.com/docs/DOC-26324

Page 47


Security Voice of the Engineer

• Slides and recordings posted to Partner Community

• All Sessions are 1:00 – 2:00 Eastern Time

Date | Topic
July 29 | Adaptive Security Appliance
September 9 | Identity Services Engine
October 7 | Content Security (ESA, WSA, CWS)
November 4 | Sourcefire

Target Date | Topic
March 13 | Cisco’s Intelligent Cybersecurity for the Real World
March 27 | TrustSec 4.0 Launch
April 11 | Sourcefire AMP Updates Launch
April 24 | Secure Data Center Solutions
May 1 | Sourcefire 5.3 Launch
May 29 | ISE Licensing
June 12 | ASA 9.2 Launch
September 18 | FirePOWER Services for ASA Launch
September 25 | ISE 1.3 Launch
October 9 | ASA Licensing

https://communities.cisco.com/docs/DOC-52899

https://communities.cisco.com/docs/DOC-30718

Rebranded

Page 48


Tech Talks – Security Deep-Dives: Recorded Sessions & Slides https://communities.cisco.com/docs/DOC-30977

AnyConnect
• AnyConnect VPN – 1/15/13
• AnyConnect NAM – 1/29/13
• AnyConnect Mobile – 2/12/13
• Advanced AnyConnect Configuration – 2/26/13
• AnyConnect TAC Tips – 3/12/13

Content Security
• ESA Architecture & Deployment Best Practices – 3/5/13
• WSA Architecture & Deployment Best Practices – 3/19/13
• CWS Architecture & Deployment Best Practices – 4/2/13
• ASA CX Architecture & Deployment Best Practices – 4/16/13
• TAC Tips: Email – 4/30/13
• TAC Tips: Web – 5/14/13

Identity Services Engine (ISE)
• TrustSec & ISE Overview – 9/25/12
• AAA, 802.1X, MAB – 10/9/12
• ISE Profiling – 10/23/12
• Web Auth, Guest & Device Registration – 11/6/12
• Bring Your Own Device & EAP Chaining – 11/20/12
• Posture & Security Group Access – 12/4/12
• Best Practices – 12/18/12
• TAC Tips: Processes, Trends, Troubleshooting – 1/8/13
• TAC Tips: Documentation, Tools, Troubleshooting – 1/22/13

SourceFire
• System Overview – 5/28/14
• Threat Control – 6/11/14
• Application Control – 7/2/14
• File Control – 7/16/14
• FireAMP Overview – 7/30/14
• FireAMP Outbreak Control – 8/6/14

Adaptive Security Appliance
• ASA Overview – 10/16/13
• Data Center & HA – 10/30/13
• Next Generation Firewall – 11/20/13
• IPS for NGFW – 12/4/13
• ASA Management – 12/18/13

Page 49


Support Resources

ASA FirePOWER Services launched Sept. 16, 2014. Pricing & Orderable on CCW now. Generally Available August 1, 2014.

Ordering Guide, Data Sheets, Sizing Guide, Promos, Presentations: http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/partner-resources-listing.html/index.html

Sales Resources: http://www.cisco.com/c/en/us/products/security/asa-firepower-services/sales-resources-listing.html

Training: ASA with FirePOWER Services: Technical: https://communities.cisco.com/docs/DOC-53979

Training: ASA with FirePOWER Services: Sales: https://communities.cisco.com/docs/DOC-53978

Install Quick Start Guide: http://www.cisco.com/c/en/us/support/security/asa-firepower-services/products-installation-guides-list.html

Sales Acceleration Center (SAC): https://communities.cisco.com/docs/DOC-53126

Page 50


Page 51


Deploying ASA w/ FirePOWER Services: High Availability with ASA Failover

• Available on all ASA platforms

• State-sharing between Firewalls for high availability

• L2 Transparent or L3 Routed deployment options

• Failover Link

• ASA provides valid, normalized flows to FirePOWER module

*State sharing does not occur between FirePOWER Services Modules

Page 52


Deploying ASA w/ FirePOWER Services: Scaling IPS with ASA5585-X Clustering

• Up to 8 ASA5585-X IPS

• Stateless load balancing by external switch

• L2 Transparent or L3 Routed deployment options

• Support for vPC, VSS and LACP

• Cluster Control Protocol/Link

• State-sharing between Firewalls for symmetry and high availability

• Every session has a primary and secondary owner ASA

• ASA provides traffic symmetry to FirePOWER module

*State sharing does not occur between FirePOWER Services Modules

Page 53


Asymmetric Traffic in a Nexus 7K Datacenter

Asymmetry is an issue

• A standard Nexus deployment uses an L3 routing protocol to the core and an L2 environment to the access layer, where the Nexus is the default gateway for all servers in the access switch.

• The Nexus uses a virtual port channel (vPC) for connections to the access layer. This allows dual connection of the access layer without running spanning tree.

• One requirement for inserting security services into this deployment is that they must handle asymmetric traffic (return traffic is not guaranteed to take the same path as inbound traffic) due to the vPC and potentially inbound routing.

• These problems get worse when you move to distributed datacenters!

Diagram: N7K core with vPC and vPC peer-link to the access layer, DC servers, and the internal network

Page 54


Clustering and Asymmetry

Traffic going to the Datacenter

• ASA 1 sees the traffic and becomes the owner

• Asymmetry is introduced on the return path

• ASA 2 sees the traffic and has never seen it before so asks, on the Cluster Control Link, who owns the flow

• ASA 1 signals that it owns the flow

• ASA 2 sends ASA 1 the packet from the flow in question over the CCL

• FirePOWER Services for ASA module inside ASA 1 sees the entire flow

• The module in ASA 2 sees no packets from that flow
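The ownership exchange described above, simulated as an added example (not Cisco code or the real cluster implementation): two cluster members share an in-memory stand-in for the Cluster Control Link, the first member to see a new connection owns it, and a member that receives a packet for a flow it does not own asks who the owner is and redirects the packet there. The host addresses and the flow are constructed sample values.

```python
"""Flow ownership in an ASA cluster under asymmetric routing (added example).

Two cluster members share a stand-in for the Cluster Control Link (CCL).
The member that sees the first packet of a connection becomes the owner.
A member that receives a packet for a flow it does not own asks the CCL who
owns it and redirects the packet there, so the owner's FirePOWER module sees
the whole flow and the other member's module sees none of it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags, e.g. "S" for SYN, "PA" for data
    proto: str = "tcp"

    def flow_key(self) -> tuple:
        # Both directions of one connection map to the same key.
        ends = sorted(((self.src, self.sport), (self.dst, self.dport)))
        return (self.proto, ends[0], ends[1])


@dataclass
class FirePowerModule:
    """Stand-in for the FirePOWER Services module inside one ASA."""
    name: str
    seen: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> None:
        self.seen.append(pkt)


class ClusterControlLink:
    """In-memory CCL: answers owner queries and carries redirected packets."""

    def __init__(self) -> None:
        self.members = []
        self.owner_queries = 0
        self.redirects = 0

    def who_owns(self, key: tuple):
        self.owner_queries += 1
        return next((m for m in self.members if key in m.owned_flows), None)

    def redirect(self, owner, pkt: Packet) -> None:
        self.redirects += 1
        owner.receive_from_ccl(pkt)


class ClusterMemberASA:
    def __init__(self, name: str, ccl: ClusterControlLink) -> None:
        self.name = name
        self.ccl = ccl
        self.owned_flows = set()
        self.module = FirePowerModule(f"{name}-FirePOWER")
        ccl.members.append(self)

    def receive(self, pkt: Packet) -> str:
        """Packet arriving on a data interface; returns what this member did."""
        key = pkt.flow_key()
        if key in self.owned_flows:
            self.module.inspect(pkt)
            return "inspected-locally"
        if pkt.flags == "S":
            # First packet of a new connection: this member becomes the owner.
            self.owned_flows.add(key)
            self.module.inspect(pkt)
            return "became-owner"
        owner = self.ccl.who_owns(key)
        if owner is None:
            # Unknown flow with no owner anywhere in the cluster: pick it up here.
            self.owned_flows.add(key)
            self.module.inspect(pkt)
            return "became-owner"
        # Asymmetric return path: hand the packet to the owner over the CCL.
        self.ccl.redirect(owner, pkt)
        return f"redirected-to-{owner.name}"

    def receive_from_ccl(self, pkt: Packet) -> None:
        self.module.inspect(pkt)


def run_asymmetric_session() -> dict:
    """Client->server arrives at ASA1; the server's reply arrives at ASA2."""
    ccl = ClusterControlLink()
    asa1 = ClusterMemberASA("ASA1", ccl)
    asa2 = ClusterMemberASA("ASA2", ccl)
    # Constructed sample flow: client 10.1.1.10 to datacenter server 10.2.2.20.
    syn = Packet("10.1.1.10", 51000, "10.2.2.20", 443, "S")
    reply = Packet("10.2.2.20", 443, "10.1.1.10", 51000, "SA")
    data = Packet("10.1.1.10", 51000, "10.2.2.20", 443, "PA")
    actions = [asa1.receive(syn), asa2.receive(reply), asa1.receive(data)]
    return {
        "actions": actions,
        "asa1_module_packets": len(asa1.module.seen),
        "asa2_module_packets": len(asa2.module.seen),
        "owner_queries": ccl.owner_queries,
        "redirects": ccl.redirects,
    }


if __name__ == "__main__":
    print(run_asymmetric_session())
```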

Page 55


Multi-Context ASA Deployments

• ASA can be configured in multi context mode such that traffic going through the ASA can be assigned different policies

• These interfaces are reported to the FirePOWER blade and can be assigned to security zones that can be used in differentiated policies.

• In this example, you could create one policy for traffic going from Context A Outside to Context A Inside. And then a different policy for Context B Outside to Context B Inside.

• Note: there is no management segmentation inside the FirePOWER module equivalent to the security-context idea in the ASA configuration.

Diagram: Context A and Context B, each with an Outside and an Inside interface

Page 56


Multi-Context ASA Deployments

Diagram: Admin Context, Context-1

Page 57


FirePOWER Services Demonstration Monitor-Only Mode (Demonstration Purposes Only currently)

• Monitor-Only Mode allows FirePOWER Services to analyze traffic without being placed in the data path. The ASA is connected to a SPAN port on a switch or router, and copies of both inbound and outbound packets are sent to the FirePOWER Services module. This copied traffic bypasses the ASA policy and goes directly to FirePOWER Services, which applies its policies to determine what traffic would have been blocked. After the traffic is analyzed, the packets are discarded.

• https://communities.cisco.com/docs/DOC-50586

Diagram: FirePOWER Services for ASA in Monitor-Only Mode, fed from a switch SPAN port

Page 58


FirePOWER devices (appliances and modules) support what is called mid-session pickup.

This occurs when a flow is first seen by a FirePOWER device at some point after the 3-way handshake has occurred.

The FirePOWER device attempts to sync up state for the client and server and, once complete, sets the “Flow Established” flag that most IPS signatures require.

For customers who are more risk averse, “Require 3-way handshake” can be enabled, which tells FirePOWER to ignore all flows where the 3-way handshake has not been seen. This prevents any possible false positives that might result from picking up a flow mid-stream.
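Both behaviours modelled as an added example (not Cisco code or the actual FirePOWER implementation): a small TCP flow tracker that sets the established flag after an observed handshake, picks up a mid-stream flow only once both directions have been seen, or ignores it entirely when the require-handshake option is set, with a toy IPS rule that fires only on established flows. The addresses, ports and the "EVIL" pattern are constructed sample values.

```python
"""Mid-session pickup versus "Require 3-way handshake" (added example).

A minimal TCP flow tracker models the two behaviours: a flow whose handshake
was observed is marked established once the client's ACK arrives; a flow first
seen mid-stream is picked up only after both directions have been observed,
unless require_three_way_handshake is set, in which case it is ignored. A toy
IPS rule that requires the "Flow Established" flag is then evaluated.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class FlowState:
    client: tuple                       # (ip, port) of the first sender seen
    handshake_seen: bool = False
    established: bool = False
    ignored: bool = False
    directions_seen: set = field(default_factory=set)


class FlowTracker:
    def __init__(self, require_three_way_handshake: bool = False) -> None:
        self.require_3whs = require_three_way_handshake
        self.flows = {}
        self.alerts = []

    @staticmethod
    def key(seg: Segment) -> tuple:
        return tuple(sorted(((seg.src, seg.sport), (seg.dst, seg.dport))))

    def process(self, seg: Segment) -> str:
        k = self.key(seg)
        st = self.flows.get(k)
        if st is None:
            if seg.flags == "S":
                st = FlowState(client=(seg.src, seg.sport), handshake_seen=True)
                self.flows[k] = st
                return "handshake-start"
            if self.require_3whs:
                # Handshake never observed: ignore this flow entirely.
                self.flows[k] = FlowState(client=(seg.src, seg.sport), ignored=True)
                return "ignored-no-handshake"
            # Mid-session pickup: start syncing state from the first segment seen.
            st = FlowState(client=(seg.src, seg.sport))
            self.flows[k] = st
        if st.ignored:
            return "ignored-no-handshake"
        direction = "c2s" if (seg.src, seg.sport) == st.client else "s2c"
        st.directions_seen.add(direction)
        if not st.established:
            if st.handshake_seen:
                # Third packet of the handshake: the client's ACK without SYN.
                if direction == "c2s" and "A" in seg.flags and "S" not in seg.flags:
                    st.established = True
            elif {"c2s", "s2c"} <= st.directions_seen:
                # Picked-up flow: state is synced once both sides have been seen.
                st.established = True
        self._ips_rule(k, st, seg)
        return "established" if st.established else "tracking"

    def _ips_rule(self, k: tuple, st: FlowState, seg: Segment) -> None:
        # Toy rule in the spirit of a signature with flow:established; the
        # "EVIL" pattern is constructed and not a real signature.
        if st.established and b"EVIL" in seg.payload:
            self.alerts.append((k, seg.payload))


def handshake_scenario(require_3whs: bool = False):
    """Full handshake observed, then a client request carrying the pattern."""
    t = FlowTracker(require_3whs)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    segs = [Segment(*c, *s, "S"), Segment(*s, *c, "SA"), Segment(*c, *s, "A"),
            Segment(*c, *s, "PA", b"GET /EVIL HTTP/1.1")]
    return [t.process(x) for x in segs], len(t.alerts)


def midstream_scenario(require_3whs: bool = False):
    """Flow first seen after the handshake; the pattern appears in both directions."""
    t = FlowTracker(require_3whs)
    c, s = ("10.0.0.5", 40001), ("192.0.2.10", 80)
    segs = [Segment(*s, *c, "PA", b"EVIL before state sync"),
            Segment(*c, *s, "PA", b"EVIL after state sync")]
    return [t.process(x) for x in segs], len(t.alerts)
```

In the mid-stream case the first segment carries the pattern but raises no alert, because the flow is not yet established; with the require-handshake option the whole flow is ignored and nothing fires.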

Session Failover (HA) Discussion