Post on 17-Mar-2018


Identity Management and Access Control for Security CCIE Candidates

Mark Bernard

BRKCCIE-3222

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to chat with the speaker after the session

How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.

cs.co/ciscolivebot#BRKCCIE-3222

Polling

Our Questions for You: we will be using polling a few times to get some information from attendees.

How:
1. Send a text to 22333 with cisco16 as the body
2. Respond to all the polls as we get to them
3. No need to send the cisco16 again

pollev.com/cisco16

Agenda

• Introduction
• CCIE Security Program Overview
• Cisco Identity Services Engine (ISE) Overview
• Configure, Verify & Troubleshoot Profiling Using Device Sensor
• Configure, Verify & Troubleshoot pxGrid with ISE & WSA
• Conclusion

About Me

• Security Consulting Systems Engineer supporting Enterprise South Operation

• Joined Cisco in 2005

• Based out of Tennessee, USA

• CCIE Mentor for Cisco Employees

• Cisco Live Speaker since 2006

• CCIE #23864, CISSP, etc.

MNB@cisco.com
@bernarmn

CCIE Security Program Overview


CCIE Security Topics

Domain                                                              Written Exam   Lab Exam
1.0 Perimeter Security and Intrusion Prevention                         21%          23%
2.0 Advanced Threat Protection and Content Security                     17%          19%
3.0 Secure Connectivity and Segmentation                                17%          19%
4.0 Identity Management, Information Exchange, and Access Control       22%          24%
5.0 Infrastructure Security, Virtualization, and Automation             13%          15%
6.0 Evolving Technologies                                               10%          N/A

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth


Identity Management Topics in CCIE Exam

4.1 Describe, implement, and troubleshoot various personas of ISE in a multinode deployment
4.2 Describe, implement, and troubleshoot network access device (NAD), ISE, and ACS configuration for AAA
4.3 Describe, implement, and troubleshoot AAA for administrative access to Cisco network devices using ISE and ACS
4.4 Describe, implement, verify, and troubleshoot AAA for network access with 802.1X and MAB using ISE
4.5 Describe, implement, verify, and troubleshoot cut-through proxy/auth-proxy using ISE as the AAA server
4.6 Describe, implement, verify, and troubleshoot guest life cycle management using ISE and Cisco network infrastructure
4.7 Describe, implement, verify, and troubleshoot BYOD on-boarding and network access flows with an internal or external CA
4.8 Describe, implement, verify, and troubleshoot ISE and ACS integration with external identity sources such as LDAP, AD, and external RADIUS
4.9 Describe ISE and ACS integration with external identity sources such as RADIUS Token, RSA SecurID, and SAML
4.10 Describe, implement, verify, and troubleshoot provisioning of AnyConnect with ISE and ASA
4.11 Describe, implement, verify, and troubleshoot posture assessment with ISE
4.12 Describe, implement, verify, and troubleshoot endpoint profiling using ISE and Cisco network infrastructure including device sensor
4.13 Describe, implement, verify, and troubleshoot integration of MDM with ISE
4.14 Describe, implement, verify, and troubleshoot certificate based authentication using ISE
4.15 Describe, implement, verify, and troubleshoot authentication methods such as EAP Chaining and Machine Access Restriction (MAR)
4.16 Describe, implement, and troubleshoot identity mapping on ASA, ISE, WSA and FirePOWER
4.17 Describe the functions and security implications of AAA protocols such as RADIUS, TACACS+, LDAP/LDAPS, EAP (EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, EAP-TEAP, EAP-MD5, EAP-GTC), PAP, CHAP, and MS-CHAPv2
4.18 Describe, implement, and troubleshoot pxGrid between security devices such as WSA, ISE, and Cisco FMC



Cisco Gear Used on CCIE Security

Equipment and software versions in the lab (grouped on the slide as Security Appliances, Core Devices, Others and Physical Machines):

• Cisco Identity Services Engine (ISE): 2.1.0
• Cisco Secure Access Control System (ACS): 5.8.0.32
• Cisco ASA 5512-X: 9.6.1
• Cisco Adaptive Security Virtual Appliance (ASAv): 9.6.1
• Cisco Web Security Appliance (WSA): 9.2.0
• Cisco Email Security Appliance (ESA): 9.7.1
• FireAMP Private Cloud
• Cisco Firepower Management Center Virtual Appliance: 6.0.1 and/or 6.1
• Cisco Firepower NGIPSv: 6.0.1
• Cisco Firepower Threat Defense: 6.0.1
• IOSv L2: 15.2
• IOSv L3: 15.5(2)T
• Cisco Catalyst Switch C3850-12S: 16.2.1
• Cisco CSR 1000V Series Cloud Services Router: 3.16.02.S
• Cisco Wireless Controller (WLC): 8.0.133
• Cisco 2504 WLC: 8.0.133.0
• Cisco Aironet 1602E: 15.3.3-JC
• Cisco Application Policy Infrastructure Controller Enterprise Module: 1.2
• Cisco Unified Communications Manager: 8.6.(1)
• Cisco Unified IP Phone 7965: 9.2(3)*
• AnyConnect: 4.2
• Test PC: Microsoft Windows 7
• Active Directory: Microsoft Windows Server 2008

* Device authentication only; provisioning of IP phones is NOT required.


CCIE Security Exam Changes


CCIE Security v5.0 Lab Exam Format

The 5.0 Lab is now comprised of three modules:
1. Troubleshooting Module
2. Diagnostic Module
3. Configuration Module

ISE Overview

Introducing Cisco Identity Services Engine

A centralized security solution that automates context-aware access to network resources and shares contextual data.

[Figure: ISE gathers context (who, what, when, where, how, compliant) through identity, profiling and posture, and enforces it at the network "door": role-based policy access (traditional and Cisco TrustSec®), guest access, BYOD access and secure access.]


Deploying ISE

pxGrid Controller
- Facilitates sharing of context

Policy Services Node (PSN)
- Makes policy decisions
- RADIUS / TACACS+ servers

Policy Administration Node (PAN)
- Single pane of glass for ISE admin
- Replication hub for all database config changes

Monitoring and Troubleshooting Node (MnT)
- Reporting and logging node
- Syslog collector from ISE nodes

STANDALONE ISE: single node (virtual / appliance), up to 20,000 concurrent endpoints
MULTI-NODE ISE: multiple nodes (virtual / appliance), up to 500,000 concurrent endpoints


Endpoint Profiling & Device Sensor


How Does ISE Get All That Information? Cisco ISE Profiling

• Feed Service (Online/Offline)
• Active probes: NetFlow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP
• Device Sensor: CDP, LLDP, DHCP, HTTP, H323, SIP, mDNS
• 1.5 million devices with ‘50’ attributes each can be stored
• 550+ high-level canned profiles, plus periodic feeds
• 250+ medical device profiles

[Figure: the Cisco network feeds Cisco ISE through ACIDex, AD and DS. Legend: AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS).]


Profiling with ‘Device Sensor’

• Distributed collection on network devices: cache, CDP, LLDP, DHCP, HTTP (wireless only), etc.
• Centralized collection over the RADIUS protocol: data from Device Sensor reaches ISE in RADIUS Accounting (CDP, LLDP, DHCP and MAC from switches; HTTP, DHCP and MAC from the WLC), so ISE needs just one type of probe

Profile conditions + collected data = PROFILED. Example: MAC OUI = Lexmark, and if the DHCP Class ID contains E260dn, it’s a Lexmark E260dn printer.

• Doesn’t require packet redirection (DHCP helper) or SPAN sessions for profiling
• Highly scalable and efficient
• ISE runs only the “RADIUS” probe
• Profiling based on: CDP/LLDP, DHCP, HTTP (WLC only), mDNS, H323, MSI-Proxy (4k only)


ISE Construction of Profiles

• Create conditions based on data sent by Cat3K switches
• Link one or more conditions together to identify a new device


Certainty Factors

• We must meet this threshold before assigning a profile
• Multiple conditions may be required
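The following Python sketch is an added illustration of the certainty-factor logic these slides describe; it is not code from the presentation or from ISE. Each profile is a set of conditions on collected endpoint attributes, every matching condition contributes its certainty factor, and a profile is assigned only when the sum reaches that profile's minimum, so a Lexmark endpoint seen by MAC OUI alone stays at the generic profile until DHCP supplies the second condition. The profile names, attribute keys, certainty values, thresholds and sample endpoints are all constructed for the example.

```python
"""Toy profiler: profile conditions + certainty factors -> assigned profile.

Added example for this transcript, not ISE's own code.  Profile names,
attribute keys, certainty values, thresholds and the sample endpoints are
constructed illustrations of the mechanism the slides describe.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Condition:
    attribute: str   # attribute as collected by a probe or Device Sensor
    operator: str    # "equals", "contains" or "startswith"
    value: str
    certainty: int   # certainty factor added when the condition matches

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:          # attribute never collected -> no match
            return False
        actual, want = actual.lower(), self.value.lower()
        if self.operator == "equals":
            return actual == want
        if self.operator == "contains":
            return want in actual
        if self.operator == "startswith":
            return actual.startswith(want)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class Profile:
    name: str
    minimum_certainty: int          # threshold that must be met before assignment
    conditions: Tuple[Condition, ...]


def score(profile: Profile, attrs: Dict[str, str]) -> int:
    """Sum the certainty factors of every condition that matches."""
    return sum(c.certainty for c in profile.conditions if c.matches(attrs))


def classify(attrs: Dict[str, str], profiles: List[Profile]) -> Tuple[str, int]:
    """Pick the highest-scoring profile whose minimum certainty is met.

    Returns ("Unknown", 0) when no profile reaches its threshold, which is
    what happens while only one of several required conditions has been seen.
    """
    best = ("Unknown", 0)
    for profile in profiles:
        total = score(profile, attrs)
        if total >= profile.minimum_certainty and total > best[1]:
            best = (profile.name, total)
    return best


# Constructed profiles modelled on the slide's "MAC OUI + DHCP Class ID" example.
LEXMARK_OUI = Condition("oui", "equals", "Lexmark International", 10)
PROFILES = [
    Profile("Lexmark-Device", 10, (LEXMARK_OUI,)),
    Profile("Lexmark-E260dn-Printer", 30, (
        LEXMARK_OUI,
        Condition("dhcp-class-identifier", "contains", "E260dn", 20),
    )),
    Profile("Cisco-IP-Phone", 20, (
        Condition("cdpCachePlatform", "contains", "Cisco IP Phone", 20),
    )),
]

# Constructed endpoint attribute sets, as Device Sensor might report them.
PRINTER = {"oui": "Lexmark International",
           "dhcp-class-identifier": "Lexmark E260dn"}
LEXMARK_MAC_ONLY = {"oui": "Lexmark International"}     # DHCP not yet seen
PHONE = {"oui": "Cisco Systems, Inc", "cdpCachePlatform": "Cisco IP Phone 7965"}
UNKNOWN = {"oui": "Acme Widgets"}


def demo() -> Dict[str, Tuple[str, int]]:
    """Classify the constructed endpoints and return the results by name."""
    return {
        "printer": classify(PRINTER, PROFILES),
        "lexmark_mac_only": classify(LEXMARK_MAC_ONLY, PROFILES),
        "phone": classify(PHONE, PROFILES),
        "unknown": classify(UNKNOWN, PROFILES),
    }


if __name__ == "__main__":
    for endpoint, (profile, total) in demo().items():
        print(f"{endpoint:18} -> {profile} (certainty {total})")
```

The "lexmark_mac_only" endpoint is the interesting case: its OUI condition matches, but the printer profile's minimum of 30 is not reached until the DHCP class identifier arrives, so it is parked at the generic Lexmark profile rather than misclassified.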


Device Sensor for Wireless

• The WLC sends what it collects (DHCP, HTTP) to ISE in RADIUS Accounting
• Per-WLAN enable/disable of device profiling
• DHCP (WLC 7.2.110.0): Hostname, Class ID
• HTTP / Both (WLC 7.3): User Agent
• FlexConnect with Central Switching supported

Let’s Configure Device Sensor & Profiling


Configure ISE

Add the switch as a network device:
• Add Device Name
• Add IP Address
• Add the Shared Secret Key


Configure ISE – Turn on RADIUS Profiling

• Edit the PSN
• Enable RADIUS profiling

* After this step, you may want to go to the switch and ping and AAA-test the ISE server to ensure connectivity.


Verify the endpoint is profiled & view attributes

• Click on Endpoint
• Select Endpoint Classification


Verify endpoint is profiled & view attributes (cont.)

• Endpoint Profile
• Endpoint Source


Let’s Configure the Switch

Configure the AAA framework:

Branch3-3650(config)# aaa new-model
Branch3-3650(config)# aaa authentication dot1x default group radius
Branch3-3650(config)# aaa accounting dot1x default start-stop group radius

Configure the RADIUS settings and enable the dot1x framework globally:

Branch3-3650(config)# radius server ISE
Branch3-3650(config-radius-server)# address ?
  ipv4  IPv4 Address
  ipv6  IPv6 Address
Branch3-3650(config-radius-server)# address ipv4 172.16.110.140
Branch3-3650(config-radius-server)# key Cisco123
Branch3-3650(config-radius-server)# exit
Branch3-3650(config)# dot1x system-auth-control

Configure the interface:

Branch3-3650(config)# interface g1/1/24
Branch3-3650(config-if)# switchport mode access
Branch3-3650(config-if)# switchport voice vlan 25
Branch3-3650(config-if)# authentication order mab
Branch3-3650(config-if)# authentication port-control auto
Branch3-3650(config-if)# mab
Branch3-3650(config-if)# dot1x pae authenticator
Branch3-3650(config-if)# authentication host-mode multi-auth   ! if 2 devices are on the port


Configure Device Sensor on the Switch

Configure the device sensor feature:

Branch3-3650(config)# device-sensor accounting
Branch3-3650(config)# device-sensor notify ?
  all-changes  Trigger identity update when TLVs are added/modified/removed
  new-tlvs     Trigger identity update only when TLVs are added
Branch3-3650(config)# device-sensor notify all-changes
Branch3-3650(config)# radius-server vsa send accounting   ! VSA = vendor-specific attribute

Verify that you are getting device sensor information:

Branch3-3650# show device-sensor cache ?
  all        Shows All dsensor cache
  interface  Client interface
  mac        Shows dsensor cache details by MAC
Branch3-3650# show device-sensor cache all

Verify what is being sent to ISE (bounce the port so a fresh accounting update is generated):

Branch3-3650# debug radius accounting packets
Branch3-3650# conf t
Branch3-3650(config)# interface g2/1/1
Branch3-3650(config-if)# shutdown
Branch3-3650(config-if)# no shutdown
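What the debug output above shows on the wire is a RADIUS Accounting-Request whose Device Sensor data rides in Cisco vendor-specific attributes, which is why "radius-server vsa send accounting" is required. The Python below is an added example, not Cisco or ISE code: it builds a constructed Accounting-Request, verifies the Request Authenticator against the shared secret the way a RADIUS server must before trusting the packet, and walks the attributes to pull out the cisco-avpair strings. The framing follows RFC 2865/2866; the avpair values, MAC address and identifier are illustrative and not a byte-exact capture from a switch.

```python
"""Decode a RADIUS Accounting-Request carrying Device Sensor data.

Added example for this transcript, not Cisco or ISE code.  Framing follows
RFC 2865/2866; the cisco-avpair values below are constructed illustrations,
not a byte-exact capture from a switch.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS Code (RFC 2866)
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_CALLING_STATION_ID = 31
VENDOR_CISCO = 9                # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                # Cisco vendor type carrying "name=value" text


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets too."""
    return bytes([attr_type, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap name=value text in a Cisco Vendor-Specific attribute."""
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)


def build_accounting_request(identifier: int, secret: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Verify the Request Authenticator, then collect the attributes ISE profiles on."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        # Wrong shared secret or a forged packet: a server must silently discard it.
        raise ValueError("Request Authenticator mismatch")
    result = {"avpairs": []}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, alen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_USER_NAME:
            result["user_name"] = value.decode()
        elif atype == ATTR_CALLING_STATION_ID:
            result["calling_station_id"] = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
                continue                          # some other vendor's VSA
            vpos = 4                              # walk Vendor-Type/Vendor-Length/String
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == CISCO_AVPAIR:
                    result["avpairs"].append(value[vpos + 2:vpos + vlen].decode())
                vpos += vlen
    return result


SHARED_SECRET = b"Cisco123"                 # the key entered on the switch above
MAC = "00-11-22-33-44-55"                   # constructed endpoint MAC
SAMPLE_PACKET = build_accounting_request(7, SHARED_SECRET, [
    attr(ATTR_USER_NAME, MAC.encode()),     # with MAB the MAC is the username
    attr(ATTR_CALLING_STATION_ID, MAC.encode()),
    cisco_avpair("cdp-tlv=cdpCachePlatform=Cisco IP Phone 7965"),
    cisco_avpair("dhcp-option=dhcp-class-identifier=Cisco Systems, Inc. IP Phone"),
])


def sensor_attributes() -> dict:
    """Parse the constructed packet with the correct secret."""
    return parse_accounting_request(SAMPLE_PACKET, SHARED_SECRET)


def rejects_wrong_secret() -> bool:
    """A mismatched key must not yield any attributes."""
    try:
        parse_accounting_request(SAMPLE_PACKET, b"WrongKey")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, val in sensor_attributes().items():
        print(f"{key}: {val}")
```

The authenticator check is the part worth remembering when troubleshooting: a switch whose "key" does not match the ISE network-device entry produces packets that fail exactly this test, and ISE discards them rather than learning anything from the Device Sensor data inside.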


Device Sensor Information Elements: Examples

Branch3-3650(config)# device-sensor filter-list ?
  cdp   CDP Filter List
  dhcp  DHCP Filter List
  h323  H323 Filter List
  lldp  LLDP Filter List
  mdns  MDNS Filter List
  sip   SIP Filter List

Branch3-3650(config)# device-sensor filter-list mdns list APPLE
Branch3-3650(config-sensor-mdnslist)# tlv name ?
  device-version   MDNS Device Version
  pointer-records  MDNS PTR Records
  srv-records      MDNS SRV Records
  text-records     MDNS TXT Records

Branch3-3650(config)# device-sensor filter-list h323 list PHONE
Branch3-3650(config-sensor-h323list)# tlv name ?
  device-name     H323 device name
  device-vendor   H323 device vendor
  device-version  H323 device version

Branch3-3650(config)# device-sensor filter-list dhcp list <LIST-NAME>
Branch3-3650(config-sensor-dhcplist)# option name ?
  all-subnets-local   All Subnets Local
  arp-cache-timeout   ARP Cache Timeout
  authentication      Authentication
  auto-configure      Autoconfiguration
  bcmcs-servers-a     BCMCS Controller IPv4 address list
  bcmcs-servers-d     BCMCS Controller Domain Name list
  boot-file           Boot File Name
  boot-size           Boot Size
  [clip]

Example records and options for the protocol sensors; there are 100+ option fields for DHCP, including vendor-specific attributes.


Test and Debug AAA on the Switch

Verify the AAA framework:

Branch3-3650# show run | include aaa
aaa new-model
aaa authentication dot1x default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common

Verify the RADIUS settings:

Branch3-3650# show run | section radius
aaa authentication dot1x default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 172.16.110.140 auth-port 1645 acct-port 1646
 key Cisco123

Verify the interface settings:

Branch3-3650# show run interface g1/1/24
interface GigabitEthernet1/1/24
 switchport access vlan 20
 switchport mode access
 switchport voice vlan 25
 shutdown
 authentication order mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

* Don’t forget to bring up the access port interface (it is still shutdown above).

Test ISE connectivity (do this after configuring the device in ISE):

Branch3-3650# ping 172.16.110.140
Branch3-3650# show ip interface brief
Branch3-3650# test aaa group radius blahuser blahpassword legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.
Branch3-3650# debug radius accounting packets
Branch3-3650# debug device-sensor {errors | events}

A reject for the bogus test user is the expected result: it shows the switch and ISE are exchanging RADIUS, whereas a timeout points to a reachability or configuration problem.


Verify Device Attributes (cont.)

• Verify Endpoint Source
• Navigate to Attributes


Configure The Authorization Policy in ISE


Configure the Authorization Policy (Cont.)

Rule added in Authorization Policy:
• Choose a Rule Name
• Choose Condition Based on Profiles and Connectivity Attributes
• Assign Appropriate Policy


You Have Completed Profiling with Device Sensor


PxGrid Deployment


Cisco Platform Exchange Grid (pxGrid): Enable Unified Threat Response by Sharing Contextual Data

1. Cisco® ISE collects contextual data from the network
2. Context is shared via pxGrid technology
3. Context improves visibility to detect threats
4. Devices can direct ISE to rapidly contain threats or apply policy
5. ISE uses partner data to update context and refine access policy

[Figure: ISE and the pxGrid Controller exchange context (who, what, when, where, how) between the Cisco network and the Cisco and partner ecosystem; the five steps above are called out on the figure.]

pxGrid Use Cases

Use case: Cloud Access Monitoring: user/device-aware cloud-hosted resource monitoring
Description: ISE user, group, access, device context to enhance monitoring and reporting of access to cloud services by end-users.
Partner: SkyHigh, Elastica

Use case: Network/App Performance Monitoring: user/device-aware network topology and performance management
Description: ISE IP:user:device binding and related context to network data system to attribute user, device, role, etc. to visualization and performance management data.
Partner: Savvius

Use case: Threat Defense: user-behavior anomaly (UBA) detection
Description: Assess typical behavior of individual and groups of users and then look for anomalous behavior. Utilizes ISE user/device context in analytics and event reporting.
Partner: FortScale, Rapid 7, E8

Use case: WSA+ISE: user-aware web security policies
Description: Web access decisions based on ISE user/device context. Enables customers to differentiate web content access policies based on real-time user and device situational awareness.
Partner: Cisco WSA

Use case: DNS, DHCP and IP Address Management: user, group and device based DDI monitoring and reporting
Description: Associate users and user network privileges with DHCP leases, IP address assignments and domain name access by using ISE user/network context.
Partner: Infoblox

Use case: SIEM/TD: user/device-aware SIEM/Threat Defense integration
Description: Same use-cases as existing SIEM/TD ecosystem, but utilizing pxGrid for context and Rapid Threat Containment.
Partner: NetIQ, Lancope, Splunk, FireSIGHT Management Center 5.4, LogRhythm


Web Filtering with pxGrid & Passive ID through ISE

Let’s Configure pxGrid with ISE & WSA

Sample Lab Topology


Configure the WSA: Certificates

Network > Certificate Management: Manage Trusted Root Certificates

Configure the WSA

Add your certificate

Configure the WSA: Add ISE to the WSA

Network > Identity Service Engine

Configure the WSA: Add ISE

• Run Test to ensure DNS and certificates are valid & SGTs are imported
• Add the pxGrid node & certificates
• Add the Monitoring (MnT) ISE nodes & certificates
• Add the WSA certificates

Now Configure ISE

Ensure that you are connected to the AD Controller

• Select the node
• Click “join”
• AD should show “Operational” status

Configure ISE certificates for pxGrid clients


For complete certificate steps see:

https://communities.cisco.com/community/technology/security/pa/ise/blog/2016/07/27/ise-21-and-wsa-via-pxgrid-and-ca-signed-certificates

Enable pxGrid Services in ISE

• Edit the node
• Enable pxGrid services

Enable Auto Registration in ISE

• Enable auto approve new accounts
• Ensure admin & MnT are showing

Verifying the WSA is a registered pxGrid client

• Ensure the WSA client is online
• Ensure pxGrid is connected

Configure Security Group Tags in ISE

• Add the SGT
• The SGT gets propagated to the WSA

Configure The Authorization Policy


Configure the Authorization Policy (Cont.)

Rule added in Authorization Policy:
• Choose a Rule Name
• Choose Condition Based on Profiles and Connectivity Attributes
• Assign Appropriate SGT

Now Configure WSA (again)

Add an Identity Profile

• Create a New Identity Profile

Add an Identity Profile (Cont.)

• Select “Identify Users with ISE”
• Select Block Transactions
• Type in the name of the profile

Add an Access Policy

• Create a New Access Policy

Add an Access Policy (cont.)

• Select SGT to use
• Type in Access Policy Name

Add an Access Policy (cont.)

• Search for your SGT
• Check the box next to your SGT
• Click the “add” button

Add an Access Policy (cont.)

• Now that your SGT is assigned, click Done

Configure URL Filtering

• Configure the URL filter here

Create URL Filter List (cont.)

• Select Categories to Block

Configure Web Redirection

• Select WCCP for our example
• Configure WCCP on the WSA

Configure Web Redirection (cont.)

• Configure WCCP on the WSA (cont.)
• Match the Service ID on the network device

Configure Web Redirection on the Switch


Verify Your Configuration


Turn up Logging for Troubleshooting

Use %m for troubleshooting ISE


Telnet into the WSA and verify via CLI


Browse to the WSA and verify with Policy Trace


Browse to the WSA and verify with Policy Trace (Cont.)

Verify on the Switch via CLI


You Have Completed pxGrid ISE and WSA Integration

Summary

• CCIE Security Program Overview
• Cisco Identity Services Engine (ISE) Overview
• Configure, Verify & Troubleshoot Profiling Using Device Sensor
• Configure, Verify & Troubleshoot pxGrid with ISE & WSA

Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Security Beta Programs

To participate in Beta: http://cs.co/security-beta-nomination or email ask-sbg-beta@cisco.com

“I've been involved in many beta programs … I must say that this one has been the best organized. This beta has taken a very active, hands-on approach.” - Liberal Arts College Customer

Customer Benefits
• Free test hardware
• Early experience with and training on new features and functionality
• Demos and feedback sessions on product usability, design, and roadmaps
• Risk-free testing in the customer environment prior to FCS
• Beta customer S1-3 issues fixed in GA release

Security Beta Products: ASA, Firepower NGFW/NGIPS, Firepower Platforms, AMP for Endpoints, ISR, ESA, ISE, OpenDNS, Stealthwatch, Learning Networks

Cybersecurity Cisco Education Offerings

Course: Understanding Cisco Cybersecurity Fundamentals (SECFND)
Description: The SECFND course provides understanding of cybersecurity’s basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills.
Cisco Certification: CCNA® Cyber Ops

Course: Implementing Cisco Cybersecurity Operations (SECOPS)
Description: This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level.
Cisco Certification: CCNA® Cyber Ops

Course: Securing Cisco Networks with Threat Detection and Analysis (SCYBER)
Description: Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, event monitoring, security event/alarm/traffic analysis (detection), and incident response.
Cisco Certification: Cisco Cybersecurity Specialist

Course: Cisco Security Product Training Courses
Description: Official deep-dive, hands-on product training on Cisco’s latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more.

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth

Cybersecurity Cisco Education Offerings (cont.)

Course: New! CCIE Security 5.0
Cisco Certification: CCIE® Security

Course: Implementing Cisco Edge Network Security Solutions (SENSS)
Description: Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
Cisco Certification: CCNP® Security

Course: Implementing Cisco Threat Control Solutions (SITCS) v1.5
Description: Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security
Cisco Certification: CCNP® Security

Course: Implementing Cisco Secure Access Solutions (SISAS)
Description: Deploy Cisco’s Identity Services Engine and 802.1X secure network access
Cisco Certification: CCNP® Security

Course: Implementing Cisco Secure Mobility Solutions (SIMOS)
Description: Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
Cisco Certification: CCNP® Security

Course: Implementing Cisco Network Security (IINS 3.0)
Description: Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features
Cisco Certification: CCNA® Security

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth

Thank you


Glossary of Acronyms

• AAA - Authentication Authorization Accounting
• ASAv - Adaptive Security Virtual Appliance
• APIC-EM - Application Policy Infrastructure Controller Enterprise Module
• CSR - Cloud Services Router
• MAB - MAC Authentication Bypass
• MAR - Machine Access Restriction
• ISE - Identity Services Engine
• ACL - Access Control List
• SGT - Security Group Tag
• SGACL - Security Group Access Control List
• ACI - Application Centric Infrastructure
• EPG - EndPoint Group
• BYOD - Bring Your Own Device