cisco infosec brochure

Upload: securitycrunch

Post on 18-Nov-2014

DESCRIPTION

GTRI.com Security Group, Cisco Security Brochure

TRANSCRIPT

[Diagram labels: Cisco Security Agent; Network Admission Control (NAC); Cisco ASA 5500; Cisco IOS Router Security; IronPort S-Series; IronPort C-Series; Cisco Secure ACS; Cisco EPM; Firewall; VPN; IPS; ACE WAF; Cisco Catalyst 6500 Series Security Modules; Cisco Security Manager; Cisco Security MARS]

[Diagram labels: Cisco ASA 5500 (may include Firewall, IPS, Content Security, VPN and Secure UC). Topology labels: Main Office; Branch Office; Mobile Worker; Private WAN; Internet; Secure Wireless; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers]

[Diagram labels: Cisco Catalyst 6500 Series Firewall Services Module; Cisco ASA 5500 Security Appliance; Branch Firewall is included in Secure WAN Bundle; Cisco IOS Router Security; ASR Router Security. Topology labels: Private WAN; Internet; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers; Main Office; Branch Office; Mobile Worker; Secure Wireless]

[Diagram labels: Cisco ASA 5500 with IPS; IPS; Management: Cisco Security Manager, Cisco Security MARS. Topology labels: Private WAN; Internet; Main Office; Branch Office; Mobile Worker; Secure Wireless; Data Center]

[Diagram labels: Branch Firewall is included in Secure WAN Bundle; Cisco IOS Router Security; ASR Router Security. Topology labels: Private WAN; Internet; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers; Main Office; Branch Office; Mobile Worker; Secure Wireless]

[Diagram labels: Business Continuity; Secure Voice; Secure Mobility; Compliance; Secure Network Solutions; Advanced Firewall; Content Filtering; Intrusion Prevention; 802.1x; Network Foundation Protection; Flexible Packet Matching; Network Admission Control; Integrated Threat Control; Secure Connectivity; GET VPN; Easy VPN; SSL VPN; CCP; NetFlow; Management and Instrumentation; IP SLA; Role-Based Access; DMVPN]

[Diagram labels: Mobile Worker with Cisco Security Agent; Desktops with Cisco Security Agent; Critical Servers with Cisco Security Agent. Topology labels: Private WAN; Internet; Main Office; Branch Office; Mobile Worker; Data Center]

[Diagram labels: Authentication Server; Network Access Device; Cisco NAC Server; Cisco NAC Manager; Quarantine; Wired; Wireless; VPN; IPsec/SSL; Employee; Guest; Contractor; Partner; Student. Steps are labelled 1, 2, 3a and 3b in the diagram.]

End user attempts to access a network.

User is redirected to a login page.

Network access is blocked until end user provides login information.

User login authenticated. Device validated to assess vulnerabilities and posture.

Posture Assessment: Compliant with correct login; Noncompliant or wrong login.

Device is noncompliant: User is denied network access and device is assigned to a quarantine role. Device remediation takes place.

Device is compliant: Machine gets on “clean list” and is granted access to network.

[Diagram labels: WCCP Router or Layer 4 Switch; Clients; IronPort S-Series; Firewall; Integrated Authentication via LDAP and Active Directory; Router; Internet]

[Diagram labels: Before IronPort; After IronPort; Encryption Platform; Antispam; Antivirus; Policy Enforcement; Mail Routing; Groupware; MTA; Users; DLP Scanner; DLP Policy Manager; Internet; IronPort Email Security Appliance; Firewall; DMZ; Data Center]

[Diagram labels: Web Client; Applications; Network Firewall; Cisco ACE Application Switch; Cisco ACE Web Application Firewall; Web-Enabled Applications; Cisco ACE Web Application Manager; Portal; Internet]

[Diagram labels: Cisco ASA 5500 with Content Security Module. Topology labels: Main Office; Branch Office; Mobile Worker; Private WAN; Internet; Secure Wireless; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers]

[Diagram labels: Cisco Security MARS. Topology labels: Main Office; Branch Office; Mobile Worker; Private WAN; Internet; Secure Wireless; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers]

[Diagram labels: Cisco Security Manager. Topology labels: Main Office; Branch Office; Mobile Worker; Private WAN; Internet; Secure Wireless; Data Center; Application Servers]

[Diagram labels: Cisco Secure Access Control System (ACS); Interact & Query; Integrate & Enforce; Report; Monitor; Provision; Access Client; Policy, DB; Posture; Network Enforcement; Wireless; Wired; Remote; Reachability; Policy-Based Access Control; Functional Data. Topology labels: Main Office; Branch Office; Mobile Worker; Private WAN; Internet; Secure Wireless]

[Diagram labels: IPS; Cisco Catalyst 6500 with Services Modules; VPN Acceleration; Content Switching; Stateful Firewall; Virtualization Services; Application Firewall; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers; Cisco ASA 5500 Series]

[Diagram labels: Employee; Contractor; Sub-Contractor; Guest; Unknown; AA-LAN; AA-WLAN; AA-VPN; LAN; Cisco Catalyst Switch; Switch Policy Engine; Cisco Aironet WLAN Access Points]

[Diagram labels: Requirement 1 through Requirement 12. Areas: Remote Location; Internet Edge; Main Office; Network Management Center; Data Center. Components: POS Terminal; Store Worker PC; Cisco Security Agent (CSA); Cisco Security Management; POS Server; ASA 5500; ASA; IPS; Switch; WAP1200; WAP; Wireless Device; ISR; IronPort; 7300 Router; NCM/CAS; CS-MARS; AXG; WAF; WAN; NAC; ACS; Credit Card Storage; E-commerce; 6500 Switch; Remote Employee; VPN Routers; Headend Management; Corporate Campus; Cisco CallManager; Wireless LAN; Internet]

The Network Enables: Unified Communications; Management; Mobility; Security

[Diagram labels: Cisco Catalyst 6500 Series VPN; Cisco ASA 5500 Security Appliance with IPsec and SSL; Cisco IOS Router Security with Site-to-Site and Remote-Access VPN; Secure ASR Router with VPN. Topology labels: Private WAN; Internet; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers; Main Office; Branch Office; Mobile Worker; Secure Wireless]

[Diagram labels: Cisco Catalyst 6500 Series VPN; Cisco ASA 5500 Security Appliance with IPsec and SSL; Cisco IOS Router Security with Site-to-Site and Remote-Access VPN. Topology labels: Private WAN; Internet; Data Center; Cisco Unity® System; Cisco Unified CallManager; Application Servers; Main Office; Branch Office; Mobile Worker; Secure Wireless]

[Diagram labels: IPsec or SSL VPN; Branch Office; Cisco ASA 5500 Security Appliance with IPsec and SSL; Cisco IronPort S-series and C-series; Private WAN; Internet; Main Office; Remote and Mobile Workers; Cisco Security Manager; Secure Wireless; Cisco Security MARS; NAC Appliance; Cisco Secure ACS; Secure WAN Router with Firewall; Wide Area Application Server; VPN Module; FWSM; IDS Module; Desktops with Cisco Security Agent; MDS 9000 with SME; ACE WAF/AXG; Servers with Cisco Security Agent; Catalyst 6500; Guard; Detector; Content Switching]