Date post: 06-Feb-2018
Page 1: Cisco Firewall Basics - d2zmdbbm9feqrf.cloudfront.netd2zmdbbm9feqrf.cloudfront.net/2017/usa/pdf/BRKSEC-1020.pdf · • This session is not for you if you want to deep dive into configurations
Page 2

Cisco Firewall Basics

Mark Cairns, Consulting Systems Engineer

BRKSEC-1020

Page 3

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How:

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

cs.co/clus17/#BRKSEC-1020

Cisco Spark spaces will be available until July 3, 2017.

Page 4

Page 5

Mark Cairns

Consulting Systems Engineer, GSSO, supporting US Commercial

• Based in Richmond, VA, covering accounts in Virginia and Washington DC

• 19 years of experience with Cisco Security Solutions

• You can reach me at [email protected] and @12LISN2

Page 6

Session Information

• This is an introductory 1000 level session

• It is not meant for professionals with deep knowledge of firewalls and Cisco ASA

• This session is not for you if you want to deep dive into configurations for specific features / functionality

• References may be made to advanced functionality for context but we will stay at a fairly high level

Cisco Firewall Basics

Page 7

Follow-up Sessions: Deeper dives on specific content

Session ID | Session Description | Time

BRKSEC-2058 | A Deep Dive into using the Firepower Manager | Wed 4:00-5:30

BRKSEC-3007 | Advanced Cisco IOS Security | Tuesday 1:30-3:30

BRKSEC-3300 | Advanced IPS Deployment | Thursday 8:30-10:00

BRKSEC-3690 | Advanced Security Group Tags | Monday 1:30-3:30

BRKSEC-2050 | ASA Firepower NGFW typical deployment scenarios | Monday 1:30-3:30, Tuesday 1:30-3:30

BRKSEC-2033 | Best Security and deployment strategies SMB NGFW | Tuesday 8:00-10:00

BRKSEC-2342 | Branch Router Security | Thursday 10:30-12:00

BRKSEC-2055 | Cloud-Managed Security for Distributed Networks with Cisco Meraki MX | Wednesday 4-5:30

Page 8

Follow-up Sessions: Deeper dives on specific content (continued)

Session ID | Session Description | Time

BRKSEC-2203 | Deploying TrustSec Security Group Tagging | Tuesday 4:00-5:30

BRKSEC-3455 | Dissecting Firepower NGFW "Installation & Troubleshooting" | Tuesday 1:30-3:30

BRKSEC-3035 | Firepower Platform Deep Dive | Wednesday 1:30-3:30

LTRSEC-1000 | Firepower Threat Defense Deployment Hands-on Lab | Wed 8:00-12:00, Thursday 8:00-12:00

BRKSEC-3032 | NGFW Clustering Deep Dive | Tuesday 8:00-10:00

BRKSEC-2020 | NGFW Deployment in the Data Center and Network Edge Using Firepower Threat Defense | Tuesday 8:00-10:00, Wed 1:30-3:30

BRKSEC-2064 | NGFW and ASAv in Public Cloud (AWS and Azure) | Thursday 1:00-2:30

Page 9

Agenda

• Introduction

• Firewalls in General

• Use Cases - Why

• Firewall Options - What

• Introduction to Firepower

• Advanced Use Case Examples

• Q&A – Feel free to ask questions

Page 10

Firewalls in General

Page 11

Securing/Hardening for What Purpose or Need?

Subversion
• Bots, Viruses, and Worms
• Spyware and Adware

Disruption
• Denial of service attacks
• Advanced Persistent Threats (APTs)

Penetration Attempt
• Zero-day Attacks
• Hacker Attacks

Data Loss
• Data theft and/or interception
• Identity theft

Page 12

Firewalls: What are they?

• Primary filtering appliances/VMs that work at both the network and application layers

• Provide a platform for the features/functionality needed for network security:
  • VPNs (remote-access and site-to-site)
  • NGIPS
  • Anti-Malware Protection

• Next-generation security should not abandon proven stateful inspection capabilities in favor of application and user-ID awareness alone

• A comprehensive network security solution needs firewalls, next-generation firewalls (application inspection and filtering) and next-generation intrusion prevention systems (context-aware)

• The firewall is often the conduit through which other defense components combat the threats that face the network

Page 13

Filtering on a Tuple?

• The genesis of firewalls was a means to filter traffic based on the five tuple:
  • Source IP address – the IP address of the initiator of the IP packet
  • Destination IP address – the IP address of the destination of the IP packet
  • Source port – UDP or TCP port used by the initiator to establish communications with the destination
  • Destination port – UDP or TCP port on the destination that the initiator is communicating with
  • IP protocol – the specific IP protocol used in the communication

Page 14

Filtering – IP Protocols

• ICMP (1)
• TCP (6)
• UDP (17)
• GRE (47)
• ESP (50)
• AH (51)
• EIGRP (88)
• OSPF (89)

Full list: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Page 15

Stateful Inspection

• Most routers and switches can filter based on the five tuple… why a firewall then?

• Stateful firewalls track L3/L4 traffic as it leaves and returns to the network

• Connections are maintained in the connection table, tracking the five tuple and additional information such as sequence numbers

Connection table entry (ASA format, as shown on the slide):

TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002

Outbound packet: Src IP 1.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80

Return packet: Src IP 2.2.2.2, Dest IP 1.1.1.1, Src Port TCP/80, Dest Port TCP/35478

*Best Practice – Limit outbound connections to known services and hosts, such as SMTP servers only for port 25.
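The following Python example is added here and is not part of the session material. It models what slides 13 and 15 describe: packets are matched on the five tuple, an outbound policy in the spirit of the slide's best practice decides which new connections may leave, and a connection table lets only the return traffic of tracked connections back in. It parses the connection-table line shown above; the policy rules, the assumption that the 'inside' host is the initiator, and the relay address 192.0.2.25 are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FiveTuple:
    """The five values a packet filter keys on (slide 13)."""
    proto: str        # "TCP", "UDP", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "FiveTuple":
        # The return packet of a flow swaps source and destination.
        return FiveTuple(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    """Outbound permit rule; None means 'any'."""
    proto: str
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: FiveTuple) -> bool:
        return (pkt.proto == self.proto
                and self.dst_ip in (None, pkt.dst_ip)
                and self.dst_port in (None, pkt.dst_port))


# Connection-table entry in the ASA format shown on the slide (copied from the slide).
CONN_LINE = ("TCP outside:2.2.2.2/80 (2.2.2.2/80) inside:1.1.1.1/35478 (1.1.1.1/35478), "
             "flags UIO, idle 4m39s, uptime 6m16s, timeout 1h0m, bytes 3002")

CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([\d.]+/\d+\) "
    r"(?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([\d.]+/\d+\), flags (?P<flags>\w+)")


def parse_conn(line: str) -> FiveTuple:
    """Recover the initiator-side five tuple from a connection-table line.
    Assumption (matches the slide's packet diagram): the 'inside' host is the initiator."""
    m = CONN_RE.match(line)
    if m is None:
        raise ValueError("unrecognised connection entry: " + line)
    a = (m["if_a"], m["ip_a"], int(m["port_a"]))
    b = (m["if_b"], m["ip_b"], int(m["port_b"]))
    inside, outside = (a, b) if a[0] == "inside" else (b, a)
    return FiveTuple(m["proto"], inside[1], inside[2], outside[1], outside[2])


class StatefulFilter:
    """Five-tuple policy for new connections plus a connection table for return traffic."""

    def __init__(self, outbound_rules: List[Rule]):
        self.rules = outbound_rules
        self.conns: Dict[FiveTuple, str] = {}   # initiator tuple -> flags

    def process(self, pkt: FiveTuple) -> str:
        if pkt in self.conns:
            return "permit-existing"          # more data in the original direction
        if pkt.reverse() in self.conns:
            return "permit-return"            # reply to a connection we saw leave
        if any(r.matches(pkt) for r in self.rules):
            self.conns[pkt] = "U"             # new outbound connection: start tracking it
            return "permit-new"
        return "drop"                         # unsolicited, or not permitted by policy


# Constructed policy following the slide's best practice: outbound only to known
# services/hosts, e.g. SMTP (TCP/25) only to the mail relay, web (TCP/80) to 2.2.2.2.
POLICY = [Rule("TCP", dst_ip="2.2.2.2", dst_port=80),
          Rule("TCP", dst_ip="192.0.2.25", dst_port=25)]   # 192.0.2.25: constructed relay address


def demo() -> List[str]:
    fw = StatefulFilter(POLICY)
    client = FiveTuple("TCP", "1.1.1.1", 35478, "2.2.2.2", 80)   # the slide's outbound packet
    return [
        fw.process(client),                                                # permit-new
        fw.process(client.reverse()),                                      # permit-return
        fw.process(FiveTuple("TCP", "2.2.2.2", 80, "1.1.1.1", 4444)),      # drop: no connection matches
        fw.process(FiveTuple("TCP", "1.1.1.1", 40000, "2.2.2.2", 443)),    # drop: TCP/443 not permitted
        fw.process(FiveTuple("TCP", "1.1.1.1", 40001, "192.0.2.25", 25)),  # permit-new: SMTP to relay
    ]


if __name__ == "__main__":
    print(parse_conn(CONN_LINE))
    print(demo())
```

Running the file prints the five tuple recovered from the connection entry and the verdict list; the third packet is the case a stateless five-tuple ACL cannot handle, since a "permit TCP/80 inbound" rule would let it through while the connection table rejects it.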

Page 16

Network Address Translation

• Network address translation (NAT) is the mapping of IP addresses from a private network to a public network

• NAT gives network administrators and security administrators:
  • Access to non-publicly routable IPv4 space
  • Cost savings, because public addresses are not cheap
  • Masquerading of internal network addresses

• IPv4 address space is exhausted

Packet before translation (inside): Src IP 10.1.1.1, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80

Packet after translation (outside): Src IP 3.3.3.3, Dest IP 2.2.2.2, Src Port TCP/35478, Dest Port TCP/80
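An added example (not from the slides) that walks the slide's packet through dynamic source NAT with port translation: the inside host 10.1.1.1 appears as 3.3.3.3 on the outside, the reply is mapped back, and an inbound packet with no translation entry is dropped, which is the masquerading property the slide lists. The class, the 10.0.0.0/8 inside prefix, the second host 10.1.1.2 and the address 198.51.100.7 are constructed; real PAT implementations allocate ports differently.

```python
import ipaddress
import itertools
from collections import namedtuple
from typing import Dict, Optional, Tuple

# Minimal packet header: the parts NAT rewrites or looks at.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class SourceNat:
    """Dynamic source NAT with port translation (PAT) for one public address.

    Outbound packets from the private network get their source rewritten to the
    public address; replies are mapped back through the translation table.
    Inbound packets with no translation entry are dropped. Simplified model:
    one public IP, translations keyed on (proto, public port) only."""

    def __init__(self, public_ip: str, inside_prefix: str):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_prefix)
        # (proto, inside ip, inside port) -> public port
        self.xlate: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> (inside ip, inside port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Keep the original source port when it is free (as on the slide: 35478 -> 35478);
        # otherwise take the first free port above 1023.
        for port in itertools.chain([wanted], range(1024, 65536)):
            if (proto, port) not in self.reverse:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return pkt                            # not ours to translate
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.xlate:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            self.xlate[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.public_ip, src_port=self.xlate[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving at the public address back to the inside host,
        or return None when there is no translation (the packet is dropped)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.reverse.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                           # unsolicited: no inside host is exposed
        inside_ip, inside_port = entry
        return pkt._replace(dst_ip=inside_ip, dst_port=inside_port)


def demo():
    """Walk the slide's packet through NAT: 10.1.1.1 appears as 3.3.3.3 on the outside."""
    nat = SourceNat(public_ip="3.3.3.3", inside_prefix="10.0.0.0/8")
    out1 = nat.translate_outbound(Packet("TCP", "10.1.1.1", 35478, "2.2.2.2", 80))
    # A second inside host (constructed) that picked the same source port
    # must receive a different public port.
    out2 = nat.translate_outbound(Packet("TCP", "10.1.1.2", 35478, "2.2.2.2", 80))
    reply = nat.translate_inbound(Packet("TCP", "2.2.2.2", 80, "3.3.3.3", 35478))
    unsolicited = nat.translate_inbound(Packet("TCP", "198.51.100.7", 4444, "3.3.3.3", 22))
    return out1, out2, reply, unsolicited


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The port-collision case is why the slide's "same port on both sides" picture is only the common case: once two inside hosts choose the same source port, the firewall has to change one of them, and any application that embeds its own address or port in the payload (FTP, SIP) then needs an inspection engine to fix it up.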

Page 17

Use Cases

Page 18

Use Case #1

• Hospitality, Retail or other similar distributed deployment

• Remote sites 100+

• Direct Internet Access (DIA) at remote sites

• Company has a “Cloud First” mandate

• 4 Network / Security Engineers (“jack of all trades, master of none”)

• Basic security needs for URL filtering, DNS security, IPS

• Need VPN connectivity to HQ

Page 19

Cloud Networking Group

Page 20

Meraki MX Options (Reference)

Segment | Model | Users | Notes | Throughput

Teleworker | Z1 | 1-5 users | Dual-radio wireless | FW throughput: 50 Mbps

Small branch | MX64(W) | ~50 users | 802.11ac wireless | FW throughput: 250 Mbps

Small branch | MX65(W) | ~50 users | 802.11ac wireless & PoE+ | FW throughput: 250 Mbps

Mid-sized branch | MX84 | ~200 users | Dedicated WAN uplinks | FW throughput: 500 Mbps

Mid-sized branch | MX100 | ~500 users | Gigabit uplinks | FW throughput: 750 Mbps

Large branch or campus | MX400 | ~2,000 users | Modular interface | FW throughput: 1 Gbps

Large branch or campus | MX600 | ~10,000 users | Modular interface | FW throughput: 1 Gbps

All devices support 3G/4G

Page 21

Meraki MX Security

• Next Generation Firewall – Application-aware firewalling

• Intrusion Prevention (IPS) – Based on Cisco Snort

• URL Content Filtering – With over 80 categories and over 4 billion categorized URLs

• Geo-based security – Allow or block traffic by country

• Malware Protection – Cisco AMP and Threat Grid

• Automatic updates – Software and security updates delivered from the cloud

• PCI compliance – PCI 3.2 certified cloud management backend

Page 22

Meraki MX Basics

Page 23

Meraki MX Basics continued

Page 24

Meraki MX Basics continued

Page 25

Meraki Threat and Filtering

Page 26

Meraki Threat and Filtering continued

Cisco Umbrella

Page 27

Use Case #2

• Regional Services Company

• 8 sites on MPLS with ISR routers deployed

• Broadband Internet being added for DMVPN backup/redundancy (IWAN)

• Simple filter to protect the new Internet link

• HQ has a proxy for Internet

Page 28

Securing the WAN

• Typical MPLS WAN

• Does not ensure privacy

• Best Practice – Consider encryption across existing WAN

Page 29

Internet based WAN

• Lower cost alternative to MPLS

• Dictates VPN for routing and privacy

• Balance complexity with features and functionality

• Typically no need for inbound access directly from Internet

Page 30

Zone Based Firewall

Page 31

Zone Based Firewall

Diagram: interfaces G0/0 (zone Internet), G0/1.101 (zone Trusted) and G0/1.103 (zone DMZ); path labels "TCP/UDP/ICMP", "Response OK" and "All Traffic Permit".

Support for:

• ISR, ASR, CSR
• NAT
• WAAS
• VRFs
• Redundancy
• VTIs for VPNs
• Deep Packet Inspection

Note: For a simple inside-to-outside configuration, remove all references to the DMZ interface. This DMZ configuration assumes a second security device to filter traffic or terminate VPN.

Page 32

Configuring ZBF

Create zones:

    zone security Internet
    zone security Trusted
    zone security DMZ

Assign interfaces to security zones:

    interface LISP0
     zone-member security DMZ
    !
    interface GigabitEthernet0/0
     description Public Outside
     zone-member security Internet
    !
    interface GigabitEthernet0/1.101
     description Inside
     zone-member security Trusted
    !
    interface GigabitEthernet0/1.103
     description Public DMZ
     zone-member security DMZ

Page 33

Configuring ZBF (continued)

Create inspection class:

    class-map type inspect match-any All_Protocols
     description - Match all outgoing protocols
     match protocol tcp
     match protocol udp
     match protocol icmp

Create inspection policy:

    policy-map type inspect trusted-to-internet
     class type inspect All_Protocols
      inspect
     class class-default
      drop
    policy-map type inspect DMZ
     class class-default
      pass

Create zone pairs and associate policy:

    zone-pair security Trusted->Internet source Trusted destination Internet
     service-policy type inspect trusted-to-internet
    zone-pair security Internet->DMZ source Internet destination DMZ
     service-policy type inspect DMZ
    zone-pair security DMZ->Internet source DMZ destination Internet
     service-policy type inspect DMZ
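To show how the zone, zone-pair and policy-map pieces on the preceding two slides fit together, here is an added Python model of the per-packet decision a zone-based firewall makes; it is an illustration written for this page, not Cisco code. It encodes the slide's configuration (three zones, the interface memberships, the class-map, the two policy-maps and the three zone-pairs) and applies the default ZBF behaviour that traffic between zones with no zone-pair is dropped and traffic within one zone is permitted; the addresses in the demo are constructed. The point to watch is the difference between inspect and pass: inspect records the session so the reply is allowed back, pass does not, which is why the DMZ needs a zone-pair in each direction.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# One class in a policy-map: the protocols it matches (None = class-default,
# matches everything) and the action applied to them (inspect / pass / drop).
PolicyClass = Tuple[Optional[FrozenSet[str]], str]


class ZoneBasedFirewall:
    """Model of IOS zone-based firewall forwarding decisions (simplified)."""

    def __init__(self, iface_zone: Dict[str, str],
                 zone_pairs: Dict[Tuple[str, str], List[PolicyClass]]):
        self.iface_zone = iface_zone          # interface -> zone (zone-member security)
        self.zone_pairs = zone_pairs          # (source zone, destination zone) -> policy-map
        self.sessions: Set[tuple] = set()     # flows created by 'inspect'

    @staticmethod
    def _policy_action(policy: List[PolicyClass], proto: str) -> str:
        for protos, action in policy:         # first matching class wins
            if protos is None or proto in protos:
                return action
        return "drop"                         # no class matched (not reachable with class-default)

    def process(self, in_if: str, out_if: str, proto: str, flow: tuple) -> str:
        """flow = (src_ip, src_port, dst_ip, dst_port) of the packet being forwarded."""
        reverse = (flow[2], flow[3], flow[0], flow[1])
        if (proto, reverse) in self.sessions:
            return "permit (return traffic of an inspected session)"
        src_zone, dst_zone = self.iface_zone.get(in_if), self.iface_zone.get(out_if)
        if src_zone is None or dst_zone is None:
            return "drop (interface not in any zone)"     # zone member <-> non-member is dropped
        if src_zone == dst_zone:
            return "permit (same zone)"                   # intra-zone traffic is allowed by default
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return f"drop (no zone-pair {src_zone}->{dst_zone})"
        action = self._policy_action(policy, proto)
        if action == "inspect":
            self.sessions.add((proto, flow))  # inspect: remember the flow so replies get back
        return action


def build_from_slide() -> ZoneBasedFirewall:
    """The zones, members, class-map, policy-maps and zone-pairs from the slide's configuration."""
    all_protocols = frozenset({"tcp", "udp", "icmp"})                    # class-map All_Protocols
    trusted_to_internet = [(all_protocols, "inspect"), (None, "drop")]   # policy-map trusted-to-internet
    dmz = [(None, "pass")]                                               # policy-map DMZ
    return ZoneBasedFirewall(
        iface_zone={"GigabitEthernet0/0": "Internet",
                    "GigabitEthernet0/1.101": "Trusted",
                    "GigabitEthernet0/1.103": "DMZ",
                    "LISP0": "DMZ"},
        zone_pairs={("Trusted", "Internet"): trusted_to_internet,
                    ("Internet", "DMZ"): dmz,
                    ("DMZ", "Internet"): dmz})


def demo() -> List[str]:
    fw = build_from_slide()
    inside, outside, dmz = "GigabitEthernet0/1.101", "GigabitEthernet0/0", "GigabitEthernet0/1.103"
    web = ("192.168.1.10", 40000, "203.0.113.5", 443)                  # constructed addresses
    return [
        fw.process(inside, outside, "tcp", web),                                           # inspect
        fw.process(outside, inside, "tcp", ("203.0.113.5", 443, "192.168.1.10", 40000)),   # reply allowed
        fw.process(outside, inside, "tcp", ("203.0.113.5", 5555, "192.168.1.10", 22)),     # no zone-pair
        fw.process(inside, outside, "gre", ("192.168.1.10", 0, "203.0.113.5", 0)),         # class-default drop
        fw.process(outside, dmz, "tcp", ("203.0.113.5", 5000, "192.168.3.10", 80)),        # pass
        fw.process(dmz, outside, "tcp", ("192.168.3.10", 80, "203.0.113.5", 5000)),        # pass, own zone-pair
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth case is worth noting for the "simple inside to outside" variant of the slide's note: any protocol not listed in All_Protocols (GRE here) hits class-default and is dropped, so a site that tunnels over the Internet link needs its protocol added to the class-map or a separate class.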

Page 34

Use Case #2 (Variant)

• Regional Services Company

• 8 sites on MPLS with ISR routers deployed

• Broadband Internet being added for DMVPN backup and DIA

• Complete (not just simple) filter to protect the new Internet link

Firepower Virtual – VMware / KVM

Page 35

Internet based WAN

• Lower cost alternative to MPLS

• Dictates VPN for routing and privacy

• Balance complexity with features and functionality

• Typically no need for inbound access directly from Internet

• Direct Internet Access (DIA) adds security risk

Page 36

Use Case #3

• Data Center upgrade

• Adding security to new design

• No L3 hop for security to reduce convergence time

• N+1 redundancy

• Multi 10 Gbps throughput

Page 37

Data Center: A/S or Clustering for Performance and Scale

• Firepower 9300 with SM-24, SM-36 or SM-44

• Firepower 4110, 4120, 4140 or 4150

• Firepower 2110, 2120, 2130*, 2140*

*10 Gig Interfaces

Page 38

Data Center: Specifications (Reference)

*Note: 2100 models do not support clustering. Only the 2130 and 2140 support 10 Gbps interfaces and an optional network module.

Page 39

Firepower 2100 Series

High Performance, Purpose Built Hardware for Cisco NGFW

• Available in 4 Platforms

• Higher Port Density in 1 Rack Unit

• 10 Gbps Support (2130 and 2140)

FPR 2110 | 16x 1G Port

FPR 2120 | 16x 1G Port

FPR 2130 | 12x 1G, 12x 10G Port

FPR 2140 | 12x 1G, 12x 10G Port

Page 40

Data Center: Clustering for Performance and Scale

• Handles asymmetric traffic associated with VPC/VSS

• N+1 redundancy

• Keeps DC design intact

• Scale to 16 firewalls

Page 41

Data Center: ACI Deployments

Diagram labels: Automation; Scale and Performance; Security; Simplicity; Open; Agility and Visibility; APIC

Page 42

Use Case #4

• Cloud expansion / Cloud First

• AWS and/or Azure

• Need to replicate security / inspection policy for cloud traffic

Page 43

Cisco ASAv and Threat Defense Virtual

Cisco ASA 9 Feature Set / Threat Defense 6 (feature table columns on the slide: Cisco ASAv, FTDv)

• 10 vNIC interfaces and VLAN tagging

• Virtualization displaces multiple-context and clustering

• Parity with all other Cisco ASA platform features

• SDN (Cisco APIC) and traditional (Cisco ASDM and CSM) management tools

• Dynamic routing includes OSPF, EIGRP, and BGP

• REST API for programmed configuration and monitoring

• Cisco TrustSec PEP with SGT-based ACLs

• Failover Active/Standby HA model

FTDv

• 4 vNIC default

• 8 GB RAM, 4 vCPU

Platforms: VMware, KVM, Hyper-V (ASA only), AWS, Azure (features can differ for cloud)

Page 44

Cisco ASAv Platforms

Cisco ASAv5 | 100 Mbps

Cisco ASAv10 | 1 Gbps

Cisco ASAv30 | 2 Gbps

* Lab Edition license is built in with 100-Kbps throughput and 100 total connections allowed

Page 45

Cisco ASAv Platforms (continued)

Cisco ASAv50 | 10 Gbps

• Introduced with ASA release 9.8(1)

• Supported on KVM or ESXi

• Uses IXGBE-VF vNIC

• Does not support Transparent mode (promiscuous restriction on IXGBE-VF)

• Not supported in Amazon Web Services, Microsoft Azure or Hyper-V

Page 46

ASAv and/or NGFW

• Supported in both AWS and Azure

• *Note restrictions based on cloud deployment

Page 47

Meraki Virtual MX for AWS (vMX100)

• Appears in the dashboard

• 500 Mbps VPN throughput

• Bring Your Own License (BYOL)

Page 48

Use Case #5

• Typical Internet Edge designs

• Outbound Internet (Web, Email, FTP, etc)

• Inbound traffic to DMZ and/or eCommerce

• VPN for Remote Access, L2L, business partners

Page 49

Edge With DMZ

• Similar to a basic edge design with the addition of inbound traffic

• Traffic inbound from the DMZ to the trusted network may or may not pass the firewall.

Page 50

Edge With DMZ - VPN

• Multiple path options for VPN with trusted and untrusted packets.

• VPN Concentrator may be connected outside the firewall

• Trusted traffic path usually depends on source. Employee or Vendor, B2B, etc.

*Best Practices – Remember that controlling access from a VPN to an internal resource is not a dead end: the permitted resource can itself reach onward into the network (the jump box scenario).

Hide your firewall with private IP space on the outside.

Page 51

Tiered DMZs

• Typically seen in multi-tiered hosting for e-commerce

• Forces all traffic between tiers to pass firewall rules

• Can help mitigate risk and contain exploits and/or breaches within a DMZ

Page 52

Bridge across your DMZs

• Sometimes referred to as clean and dirty DMZs

• VPN, Video, etc.

• Avoids hair-pinning

*Best Practice – Use destination NAT with a block of unused private IPs for outbound L2L VPN instead of routing individual remote IPs.

Page 53

Split Firewalls

• Layer 3 hop between firewalls

• Avoids hair-pinning within a firewall

• Simplifies policy

• May still have an optional trusted connection

Page 54

Quick Hardware Snapshot

Page 55

Portfolio

Segments shown on the slide: SMB/SOHO, Branch, Internet Edge, Data Center, Service Provider

ASA 5500-X: ASA 5505, ASA 5506-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X

ASA 5585-X: SSP10, SSP20, SSP40, SSP60

Firepower 2100: FPR 2110, FPR 2120, FPR 2130, FPR 2140

Firepower 4100: FPR 4110, FPR 4120, FPR 4140, FPR 4150

Firepower 9300: SM-24, SM-36, SM-44

Two models on the slide are marked "EOS Aug 2017".

Page 56

Latest Additions to the 5500 Portfolio: 5506-X with Firepower Services (Reference)

• Max 250 Mbps AVC throughput

• Max 125 Mbps AVC and NGIPS

• 90 Mbps AVC or IPS with 440 byte HTTP

• ASDM 7.3.x or CSM and Firepower Management Center

• Available in hardened and wireless configurations

Page 57

Latest Additions to the 5500 Portfolio: 5508-X with FirePOWER Services (Reference)

• Max 450 Mbps AVC throughput

• Max 250 Mbps AVC and NGIPS

• 180 Mbps AVC or IPS with 440 byte HTTP

• ASDM 7.3.x or CSM, Firepower Management Center, On-box, CDO

Page 58

Latest Additions to the 5500 Portfolio: 5516-X with FirePOWER Services (Reference)

• Max 850 Mbps AVC throughput

• Max 425 Mbps AVC and NGIPS

• 300 Mbps AVC or IPS with 440 byte HTTP

• ASDM 7.3.x or CSM, Firepower Management Center, On-box, CDO

Page 59

Over, Through or Around The Wall

Things Change

If you knew you were going to be compromised, would you do security differently?

The package

Sender → Receiver

• Reputation?
• Content (deep packet inspection)
• Chicken Pox Virus / Vaccine
• Tracking history

The Threat-Centric Firewall

• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum

Cisco ASA with FirePOWER Services:
• Proven Cisco ASA firewalling
• Industry leading NGIPS and AMP

Indications of Compromise (IoCs)

IPS Events:
• Malware Backdoors
• Exploit Kits
• Web App Attacks
• CnC Connections
• Admin Privilege Escalations

SI Events:
• Connections to Known CnC IPs

Malware Events:
• Malware Detections
• Office/PDF/Java Compromises
• Malware Executions
• Dropper Infections

Application Visibility and Control

IPS with Snort

Host Profiles

• What OS?
• What Services?
• What Applications?
• What Vulnerabilities?

Impact Assessment

Impact Flag | Administrator Action | Why
1 | Act immediately, vulnerable | Event corresponds to vulnerability mapped to host
2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vuln mapped
3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use
4 | Good to know, unknown target | Monitored network, but unknown host
0 | Good to know, unknown network | Unmonitored network
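The impact flag logic in the table above, together with the host-profile questions on the Host Profiles slide (OS, services, vulnerabilities), is a small decision procedure. The following is an added Python example, not Cisco code: the HostProfile and IpsEvent fields, the monitored-network list and the sample hosts and events are all constructed for the demonstration, and a real Firepower host profile carries far more detail than this.

```python
"""Impact flag assignment: an IPS event judged against the target's host profile.

Added example, not Cisco code. It encodes the slide's Impact Assessment table
(flags 0-4) over the data the Host Profiles slide lists (OS, services,
vulnerabilities). Field names, monitored networks and sample data are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Administrator action and reason per impact flag, as the table states them.
IMPACT_TABLE: Dict[int, Tuple[str, str]] = {
    1: ("Act immediately, vulnerable", "Event corresponds to vulnerability mapped to host"),
    2: ("Investigate, potentially vulnerable", "Relevant port open or protocol in use, but no vuln mapped"),
    3: ("Good to know, currently not vulnerable", "Relevant port not open or protocol not in use"),
    4: ("Good to know, unknown target", "Monitored network, but unknown host"),
    0: ("Good to know, unknown network", "Unmonitored network"),
}
# Urgency order for triage: flag 0 (unmonitored network) is least urgent, not most.
TRIAGE_ORDER = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


@dataclass(frozen=True)
class HostProfile:
    """What passive discovery knows about a host (assumed, simplified fields)."""
    ip: str
    os: str
    open_ports: FrozenSet[Tuple[str, int]]  # e.g. ("tcp", 445)
    protocols: FrozenSet[str]               # port-less protocols seen, e.g. "icmp"
    vulns: FrozenSet[str]                   # vulnerability IDs mapped to the host


@dataclass(frozen=True)
class IpsEvent:
    """The parts of an intrusion event the impact logic needs (assumed fields)."""
    rule: str
    dst_ip: str
    proto: str
    dst_port: Optional[int]                 # None for port-less protocols
    vulns: FrozenSet[str]                   # vulnerabilities the rule references


# Constructed: address ranges the sensor treats as monitored.
MONITORED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def impact_flag(event: IpsEvent, hosts: Dict[str, HostProfile]) -> int:
    """Apply the table top-down: unmonitored -> unknown host -> vuln mapped -> service."""
    dst = ip_address(event.dst_ip)
    if not any(dst in net for net in MONITORED_NETWORKS):
        return 0                                   # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4                                   # monitored network, unknown host
    if event.vulns & host.vulns:
        return 1                                   # rule's vulnerability is mapped to host
    service_present = ((event.proto, event.dst_port) in host.open_ports
                       or (event.dst_port is None and event.proto in host.protocols))
    return 2 if service_present else 3


def triage(events: List[IpsEvent], hosts: Dict[str, HostProfile]) -> List[Tuple[int, str, str]]:
    """Return (flag, administrator action, rule name) rows, most urgent first."""
    rows = []
    for ev in events:
        flag = impact_flag(ev, hosts)
        rows.append((flag, IMPACT_TABLE[flag][0], ev.rule))
    return sorted(rows, key=lambda row: TRIAGE_ORDER[row[0]])


# Constructed sample hosts and events; the comment on each event is its expected flag.
SAMPLE_HOSTS = {
    "10.0.1.5": HostProfile("10.0.1.5", "Windows", frozenset({("tcp", 445), ("tcp", 3389)}),
                            frozenset({"icmp"}), frozenset({"VULN-A"})),
    "10.0.1.9": HostProfile("10.0.1.9", "Linux", frozenset({("tcp", 22)}), frozenset(), frozenset()),
}
SAMPLE_EVENTS = [
    IpsEvent("smb exploit attempt", "10.0.1.5", "tcp", 445, frozenset({"VULN-A"})),  # flag 1
    IpsEvent("rdp probe", "10.0.1.5", "tcp", 3389, frozenset({"VULN-B"})),           # flag 2
    IpsEvent("icmp tunnel signature", "10.0.1.5", "icmp", None, frozenset()),        # flag 2
    IpsEvent("web app attack", "10.0.1.9", "tcp", 80, frozenset({"VULN-C"})),        # flag 3
    IpsEvent("ssh scan", "10.0.7.7", "tcp", 22, frozenset()),                        # flag 4
    IpsEvent("ssh scan", "203.0.113.8", "tcp", 22, frozenset()),                     # flag 0
]

if __name__ == "__main__":
    for flag, action, rule in triage(SAMPLE_EVENTS, SAMPLE_HOSTS):
        print(f"impact {flag}: {action:40s} {rule}")
```

The order of the checks is what the table encodes: an event on an unmonitored network gets flag 0 before anything else is consulted, an unknown host on a monitored network gets 4, and only then do the vulnerability mapping and the open-port or protocol check separate flags 1, 2 and 3. triage() sorts by urgency rather than by flag number, since 0 is the least informative outcome, not the most urgent one.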

Advanced Malware Analysis

Network File Trajectory – Where Has It Been Seen?

SSL Inspection issues? - AMP for Endpoints


Firepower NGFW

Introducing Cisco Firepower NGFW: Fully Integrated, Threat Focused, Unified Management

• FW / applications / IPS
• Cisco® AMP – network / endpoint
• Analysis and remediation
• Cisco security solutions
• Application-aware DDoS
• Networkwide visibility
• Industry-best threat protection
• Known and unknown threats
• Track / contain / recover
• Across attack continuum
• Manage, control, and investigate
• Automatically prioritize
• Automatically protect

Firepower 6.x on ASA – Upgrade vs Re-Image: Choose Firepower Services or Firepower Threat Defense

Firepower Software on ASA Platforms:
• Upgrade: Firepower Services 5.4 / ASA 9.5.x → Firepower Services 6.0 / ASA 9.5.x*
• Re-Image: ASA with Firepower Services → Firepower Threat Defense
*Firepower Services 6.x compatible ASA Version Required

Firepower 9300 – ASA or TD
Firepower 4100 – ASA or TD
Firepower 2100 – TD Only

Firepower 6.x Virtual – Upgrade vs Migrate: Choose NGIPSv + ASAv or Firepower Threat Defense

• Upgrade: ASAv + Firepower NGIPSv 5.4 → ASAv + Firepower NGIPSv 6.0
• Migrate: ASAv + Firepower NGIPSv 5.4 → Firepower Threat Defense Virtual 6.0

FXOS: Chassis Operating System


Advanced Use Cases

ASA Policy Enforcement with MDM

Leverage security groups to authorize endpoints based on MDM compliance.

Diagram components: AP, WLC, ASA, Web Server, ISE, MDM
Diagram labels: Compliance check, Security Group Query, SXP (numbered callouts 1–9 in the figure)

• Create Security Groups on ISE: 1 Compliant, 2 Non-Compliant
• Policy on ASA by Security Group


TrustSec Demo

TrustSec (WLC, ISE, ASA, Firepower) – Reference


Correlation

Custom Security Intelligence

• Correlate one or more actions with a remediation (in this case, create a custom security intelligence block list).
• In this example we are looking for blocking events based on geolocation and dropping the source IP into the custom security intelligence list.
• Monitor the events in Firepower Manager for a match against a rule.
• The remediation runs a perl script on the Firepower Manager, which leverages the remediation framework to parse event information.
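The correlate-then-remediate loop the slide outlines, as an added Python example that is neither the perl remediation module the session showed nor Cisco code: constructed connection events are matched on action Block plus source geolocation, and new source IPs are appended to a custom Security Intelligence list, assumed here to be a text file with one IP or CIDR per line. The country codes, event field names and list path are placeholders, and the way the real remediation framework passes event fields to a script is not reproduced.

```python
"""Correlation-driven remediation: add the source of matching blocked
connections to a custom Security Intelligence list.

Added example, not Cisco's remediation module or the page's perl script. Event
records, rule parameters and the list format (one IP or CIDR per line) are
assumptions made for the demonstration.
"""
from ipaddress import ip_address, ip_network
from pathlib import Path
from typing import Dict, Iterable, List, Set

# Constructed connection events carrying the fields the rule needs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"action": "Block", "src_ip": "198.51.100.23", "src_country": "XX", "dst_port": 443},
    {"action": "Allow", "src_ip": "198.51.100.24", "src_country": "XX", "dst_port": 443},
    {"action": "Block", "src_ip": "203.0.113.5",   "src_country": "YY", "dst_port": 22},
    {"action": "Block", "src_ip": "10.0.0.12",     "src_country": "XX", "dst_port": 445},
    {"action": "Block", "src_ip": "198.51.100.23", "src_country": "XX", "dst_port": 80},
]

# Constructed rule parameter: placeholder country codes whose blocked
# connections should be promoted to the custom list.
WATCHED_COUNTRIES: Set[str] = {"XX"}

# Never let an automated remediation list your own address space, whatever the
# geolocation data says about the source.
NEVER_LIST = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]


def rule_matches(event: Dict[str, object]) -> bool:
    """The correlation rule: a blocked connection from a watched country."""
    return event["action"] == "Block" and event["src_country"] in WATCHED_COUNTRIES


def safe_to_list(ip: str) -> bool:
    """Refuse malformed, loopback, link-local, multicast and internal addresses."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in NEVER_LIST)


def load_list(list_path: Path) -> Set[str]:
    """Read the existing list: one IP or CIDR per line (assumed format)."""
    if not list_path.exists():
        return set()
    return {line.strip() for line in list_path.read_text().splitlines() if line.strip()}


def select_new_entries(events: Iterable[Dict[str, object]], existing: Set[str]) -> List[str]:
    """Source IPs the rule wants listed that are not already present, in event order."""
    added: List[str] = []
    for ev in events:
        ip = str(ev["src_ip"])
        if not rule_matches(ev) or not safe_to_list(ip):
            continue
        if ip in existing or ip in added:
            continue
        added.append(ip)
    return added


def remediate(events: Iterable[Dict[str, object]], list_path: Path) -> List[str]:
    """Append new entries to the custom list file and return what was added."""
    added = select_new_entries(events, load_list(list_path))
    if added:
        with list_path.open("a", encoding="utf-8") as fh:
            for ip in added:
                fh.write(ip + "\n")
    return added


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "custom-si-block.txt"
        print("added:", remediate(SAMPLE_EVENTS, path))        # ['198.51.100.23']
        print("added again:", remediate(SAMPLE_EVENTS, path))  # [] (already listed)
        print(path.read_text(), end="")
```

Two guards matter once this runs unattended: the list is re-read before every write so repeated matches do not produce duplicate entries, and safe_to_list() refuses internal, loopback, link-local and multicast addresses, so a wrong geolocation lookup or a spoofed source address cannot make the remediation block your own networks.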



Reference Material

Support Tools

http://www.cisco.com/c/en/us/support/web/tools-catalog.html

Security Threats and Notifications

http://www.cisco.com/security

• Current News
• Proactive Notifications

Talos

www.talosintel.com

SAFE Architecture

www.cisco.com/go/safe

Complete Your Online Session Evaluation

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education

• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you

Cybersecurity Cisco Education Offerings

Course | Description | Cisco Certification
Understanding Cisco Cybersecurity Fundamentals (SECFND) | The SECFND course provides understanding of cybersecurity’s basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills. | CCNA® Cyber Ops
Implementing Cisco Cybersecurity Operations (SECOPS) | This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level. | CCNA® Cyber Ops
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, event monitoring, security event/alarm/traffic analysis (detection), and incident response. | Cisco Cybersecurity Specialist
Cisco Security Product Training Courses | Official deep-dive, hands-on product training on Cisco’s latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more. |

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth

Cybersecurity Cisco Education Offerings (continued)

Course | Description | Cisco Certification
New! CCIE Security 5.0 | | CCIE® Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls | CCNP® Security
Implementing Cisco Threat Control Solutions (SITCS) v1.5 | Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security | CCNP® Security
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco’s Identity Services Engine and 802.1X secure network access | CCNP® Security
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions | CCNP® Security
Implementing Cisco Network Security (IINS 3.0) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security

