Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Charlie Stokes
Security Technical Marketing Engineer
Agenda
• Introduction
• FirePOWER Appliances and Modules
• Before: Changes to Policy
• During: Changing how the system responds
• After: Changing how data is viewed
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Introduction
• The goal of this session is to highlight selected areas of FirePOWER Systems
that might not be understood as well or utilized to their fullest.
• Understanding how these features work can make FirePOWER deployments
work faster and better.
• This is not a comprehensive guide to such changes as we will see!
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
What platforms support FirePOWER Services as a software module?
Maximum AVC and IPS throughput
1.25 Gbps NGFW
1 MM Connections
1 Gbps NGFW 50,000 CPS
750K Connections
650Mbps NGFW 30,000 CPS
500K Connections
20,000 CPS ASA 5555-X
250Mbps NGFW
300 Mbps NGFW 250K Connections
15,000 CPS ASA 5545-X
100K Connections
10,000 CPS ASA 5525-X
ASA 5515-X
ASA 5512-X
Branch Locations Small/Medium Internet Edge
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
What platforms support FP Hardware Module?
Maximum AVC and IPS throughput
ASA 5585-SSP60
ASA 5585-SSP40 10 Gbps NGFW
ASA 5585-SSP20 4 M Connections
ASA 5585-SSP10 6 Gbps NGFW 160,000 CPS
3.5 Gbps NGFW 1.8 M Connections
2 Gbps NGFW 1 M Connections
500K Connections 120,000 CPS
75,000 CPS
40,000 CPS
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
IPS Throughput
Appliances (440Byte HTTP)
60 Gbps 8390
30 Gbps 8360
All appliances include:
● Integrated lights-out management 15 Gbps 8350
● Sourcefire acceleration technology 10 Gbps 8250
● LCD display
6 Gbps 8140
• L2-L7 classification
• Stateful flow processing
• PKI & Bulk Cryptography PCIe-based NFE
(qty. 1-4)
• Flow-based load balancing
• L2 switching / L3 routing / NAPT
• Physical Interfaces
• Integrated bypass relays NetMods
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Detailed ASA FirePOWER Services Packet Flow
YES
1 2 3 4 5 6
NO NO NO
DROP DROP DROP
7 8 9 10 11
NAT IP Egress L3 L2 XMIT
Header Interface Route YES Addr YES PKT
NO NO
DROP DROP
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPS Technology In FirePOWER Devices
Soft NFE
ASA Only
Verdict
ASA Backplane
FirePOWER
Appliance
Only
10
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introduction to FirePOWER
• Differences between FirePOWER modules and
appliances
– Because the Appliances have a hardware frontend (NetMods,
NFPs and NFEs), there are certain capabilities that exist on the
appliances that do not on the FirePOWER services modules for
ASA currently:
• Application Bypass
• Fast Path Rules (Superseded by Trust Rules)
• SSL Decrypt on Appliances in 5.4 is done in the NFE
• Hardware Failopen Interfaces
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
FirePOWER
• FirePOWER offers a wide
range of customization
options and is very
flexible.
• There are times it might
feel like this!
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
FirePOWER
• Some options are
more relevant and
important than
others.
• With experience, you
can make it feel more
like this!
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Integrated Threat Defense Across the Attack Continuum
Attack Continuum
Advanced Malware
Firewall/VPN NGIPS
Protection
IoCs/Incident
Modern Threat Control Web Security Response
• After: Changing the way data is displayed and how users interact with that data
• Custom Block Responses
• Host attributes
• Custom tables
• Custom workflows
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Security Techniques and Analysis
• Advanced Security Techniques
– These changes affect the posture of the sensor and the way it performs, analyzes
or responds to attacks:
• Normalizer and Preprocessor Settings
• IPS Policy Layering
• Custom Rules and Rule Performance Tuning
• Custom Application Detection
• Correlation Rules: Creating and using
• Remediation Rules: Creating and using
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Before
17
Before During and After
• Before: Change the policy of the sensor
• Normalizer and Preprocessor Settings
• IPS Policy Layering
• Custom Application Detection: OpenAppID
• Custom Rules and Performance Tuning
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Normalizer and Preprocessor Settings
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Preprocessors
Handle the task of presenting packets and packet data
in a contextually relevant way to the detection engine.
Packet
Maintaining TCP Stream Protocol
fragment
TCP state reassemble normalization
reassembly
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Preprocessors
• Inline normalization preprocessor identifies abnormal traffic and normalizes it in order to minimize
chance of attackers evading detection in inline deployments.
• IPv4, IPv6, ICMPv4, ICMPv6 and TCP protocol normalization
• Normalization only is applied when both conditions are met:
– Drop when inline enabled
– Policy applied using an Inline set
• Pre-processor configuration consists of both global settings and per-policy settings, the latter allows
for specific configuration for a specific network segment
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Preprocessors – Execution Order
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Preprocessors – IP Defragmentation
I T P P P P P P P P P P P
Fragmentation: A simple
context based evasion
I T P P P
I P P P P
I P P P P
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Preprocessors – IP Defragmentation
P P P P P P
P P P P P
P P
P Target:
malloc(size)
Time
I T P P P
I P P P P
I P P P P
Increasing Byte Offset
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Preprocessors – IP Defragmentation
• Reassembles fragmented datagrams for the rule
engines.
• Rules will not execute against unreassembled
fragmented datagrams
• Global IP Defragmentation Option:
– Preallocated Fragments specifies the maximum
number of fragments the preprocessor can process at
once
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Preprocessors – IP Defragmentation
• Helps to detect fragmentation exploits such as
Teardrop, Jolt2
• Different OS reassemble the same overlapping
fragments in different ways allowing attackers
to evade detection by “hiding” exploit code in
overlapping fragments
• Target-Based Defragmentation Policies can be
configured to be aware of the OS running on
the network segment in order to reassemble
packets the same way the OS would which will
identify an attack hidden in overlapping
fragments
• IP Defragmentation preprocessor rules (GID
#123) need to be enabled to generate events
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Preprocessors – TCP Stream
• TCP stream preprocessor collects and reassembles all
packets that are part of a TCP session, allowing the rule
engine to inspect the stream a single entity versus
inspecting individual packets
• Global IP Defragmentation Option:
– Packet Type Performance Boost causes the IPS to ignore TCP
traffic for all ports/services that are not specified in enabled rules.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Preprocessors – TCP Stream
• TCP stream preprocessor rules (GID #129) need to
be enabled to generate events
• Certain preprocessors require the TCP Stream
preprocessor to be enable in order to work:
– DCE/RPC Preprocessor
– DNS Preprocessor
– HTTP Inspect Preprocessor
– IMAP/POP/SMTP Preprocessor
– SSL Preprocessor
– MODBUS/DNP3 Preprocessor
• Any port you add to the server-level port list for the
above preprocessors should also be added to the
appropriate list of TCP reassembly ports
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Preprocessors – HTTP
• HTTP Inspect Preprocessor is responsible for
– Decoding and normalizing HTTP requests/responses
– Separating HTTP request messages into components:
URI, header, method and body
– Separating HTTP response messages into components:
status code, status message, header, body
– Detecting possible URI-encoding attacks
– Making the normalized data available for additional rule
processing
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Preprocessors – HTTP
• Global HTTP normalization options:
– Detect Anomalous HTTP Servers can be used to
detect HTTP traffic traversing ports not explicitly
specified as web server ports
– Detect HTTP Proxy Servers detects HTTP traffic using
proxy servers not defined by the Allow HTTP Proxy Use
option
– Max Compressed Data Depth defines the maximum
size of compressed data to decompress when Inspect
Compressed Data is enabled
– Max Decompressed Data Depth defines the maximum
size of normalized decompressed data when Inspect
Compressed Data is enabled
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Preprocessors – HTTP
• Some server-level HTTP normalization options:
– Networks can be used to specify the IP addresses of the
servers this configuration applies to
– Ports defines which ports HTTP normalization is applied
to
– Client/Server Flow Depth specifies # of bytes to inspect
in client-side and server-side traffic (including header and
payload)
– Inspect HTTP Responses enables extended inspection
of HTTP responses and extraction of response header,
body, status code and so on. (Ex: looking for 404 Not
Found)
– Profile specifies the types of encoding that are
normalized. Default profiles for Apache and IIS servers
are provided or a custom default setting can be tailored
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Preprocessors – Changes in 5.4
• < 5.4 : Base policy determines the global normalization settings applied to all rules, regardless of what
IPS policy is associated with an access control rule
• ≥ 5.4 : Global Normalization settings defined in Network Analysis Policy
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Preprocessors – Changes in 5.4
– Simplifies use and makes configuration more intuitive
– Simply associated a Network Analysis policy with an Access Control Policy
– Multiple Network Analysis Policies can be selected based on VLAN, Network Address, Zone
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
IPS Policy Layering
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
IPS Policy Layering
• Allows Users to create Policy Components that can be added to individual
inspection policies
• IE: Base inspection to be added to the Edge, DMZ, PCI, or Guest inspection policies
• Allows single point updates/changes that are automatically applied to additional policies.
• Can use multiple layers, and allows for layer mergers. IE: My Changes merges into Base Shared
Policy Layer
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
IPS Policy Layering
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
IPS Policy Layering
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
IPS Policy Layering
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Application Detection
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
FirePOWER Application Detection
• FirePOWER can detect and block
thousands of applications using simple
rules for User defined filters, Security
Risk, Business Relevance, Type,
Categories or Tags.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
FirePOWER Application Detection
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Custom Application Detection: Currently
• Adding Application Detection
rules in the product today is a
manual process, time consuming
and is not trivial.
• You either have to know enough
to define the detection pattern
yourself, or you have to have a
complete packet capture.
• If not done correctly, false
positives or false negatives can
result.
• Most importantly there is no
way to share these definitions
easily.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
The Problem with Custom Application Detection
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
OpenAppID Overview
What is OpenAppID?
An open source application-focused detection language that
enables users to create, share and implement custom application
detection.
Key Advantages:
• New simple language to detect apps
• Reduces dependency on vendor release cycles
• Build custom detections for new or specific (ex. Geo-based) app-based threats
• Easily engage and strengthen detector solutions
• Application-specific detail with security events
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Goals and Benefits
• Market Defining
– Application Visibility and Control will be done the right way, and Cisco will be leading.
• Snort community ready
– A widely-used engine with a lot of attention and expert users to multiply efforts
• Crowdsourcing detection model
– Scales where needed
– Enable users to build and share content
– Great for geo-specific apps & custom internal apps
– Creates a single de facto standard for application identification
• Roadmap to enable Cisco products to benefit
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
network
Snort Architecture DAQ libraries
Packet Decoder
• Packet Decoder
– Packets are read using the Data AcQuisition library (DAQ)
(e.g. afpacket)
Preprocessors
– Decodes datalink protocols
– Decodes network protocols
– Decodes transport protocols
Detection Engine
• Preprocessors
– Examine packets
– Modify packets Logging and
– Normalize traffic Alerting System
----------------------
• Detection Engine Output Modules
– Uses Snort rules to create signatures for threats
– Wide range of detection capabilities
– Modular detection elements
Alert and log files
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
The AppID Preprocessor
• Leverages Snort HTTP preprocessor for header extraction
• Identifies application
• Generates appid attributes (payload, misc, client, service) that can be used in snort rules.
alert tcp any any -> any any (msg:"openAppId: FTP CWD to root attack";
appid: ftp; pcre: "/cwd.*root/i" ; sid:1018758; rev:4; )
• AppID preprocessor leverages the power of the Lua scripting language to create
application detectors
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
AppID Preprocessor Configuration
• Configured in the snort.conf file
• Syntax:
preprocessor appid : [memcap <memsize> ,] [app_stats_filename <filename>, ]
[app_stats_period <time>,] [app_stats_rollover_size <size>,]
[app_stats_rollover_time <time>,] app_detrector_dir <path>
memcap – upper bound for memory use in bytes [256 MB]
app_stats_filename – name of application statistics file [appstats-unified.log]
app_stats_period – bucket size for statistics in seconds [300]
app_stats_rollover_size – file size that will cause rollover in bytes [20 MB]
app_stats_rollover_time – time duration that will cause rollover in seconds [1 day]
app_detector_dir – name of applicaton statistics file [mandatory attribute, no default]
• Example:
preprocessor appid : app_stats_filename appstats-detectorA.log,
app_stats_period 60, app_detector_dir /root/openAppId/applications
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Custom Rules and Performance Tuning
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Custom Rules
• What are we trying to detect?
• How to detect it?
• Basic rule configuration components
• X example custom rules:
– String based rule: looking for “xxxx” in http (admin login)
– Is this activity happening more than x times per y (somebody using a script to brute
force a login) event rate filtering (section 2-4 under event processing)
– Regex rule with a content anchor to start with (and why we do this vs #1) (expanding on
1 and 2)
• Small primer on regex
• Rule revision keywork as part of best practices
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Rule Performance Monitoring and Tuning
• When dealing with custom rules (and sometimes default rule sets), performance
profiling allows a user to configure a sensor to get statistics on rule and
preprocessor utilization. These statistics can be of benefit when it comes to
tuning your installation and determining how well your rule set is performing.
• There are 2 types of profiling that can be configured:
– Rule Profiling
– Preprocessor Profiling
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
During
52
Before During and After
• Before: Change the policy of the sensor
• During: Change the way the sensor responds to an attack
• Creating and using Correlation Rules
• Creating and using Remediation Rules
• After: Change the way data is displayed and how users interact with that data
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Correlation Policies and Rules
• Correlation Policies and Rules allow users to take additional actions and
show events on very specific event chains.
• Can use multiple event types within a single rule
– Intrusion event with a Host Profile qualification
– Intrusion event with a Flow track
– Discovery event with Host Track
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Correlation Example Rule:
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Remediation Modules
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Remediation Modules
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
FirePOWER + ISE == Better Together
• Once an abnormality is
detected, is deny my only
option?
• What if I want to be able
to just clamp it down and
keep monitoring it
• What if I want to be able
to do more security
inspection before I make
a decision?
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Threat-Centric Security with TrustSec, ISE, FirePOWER
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
FirePOWER Remediation to ISE 1.2
Example Walkthrough using ISE 1.2 Remediation Module Beta
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Cisco TrustSec, ISE, and FirePOWER
ISE
Database
Server
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
PCI Auditor Conn
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
PCI Credit Card Data
The PCI Auditor has
access to credit card
database records as part of
their job.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Infection
While at home or off
campus, the iPAD gets
infected with some type of
malware.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
FirePOWER Detects Propagation
While on campus, a FirePOWER device detects malware propagation or
exploitation attempts.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Instead of just blocking the Malware or Exploit, tell ISE
Using a Remediation Module, FirePOWER can tell ISE to quarantine the host
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE with TrustSec
ISE with TrustSec controls who can access the network and how they access it.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
PCI Assets Protected
Instead of just blocking
the one attack that was
detected, the host was
moved to a quarantine
VLAN and until cleaned
cannot access any
important assets.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
FirePOWER and ISE 1.3 w/ pxGrid
A proof of concept project was created to show FirePOWER remediation using
ISE 1.3 and pxGrid
• SessionDirectory – exposes the existing attributes in the ISE Session directory for pxGrid session objects:
Session State, IP Address, UserName, User AD domain, MAC, NAS IP Address, Trustsec Security Group Name
Connection parameters:
IP Address ISE pxGrid node
Identity (Host certificate)
CA Root Certificate
Private key password
Successfully Subscribed
Send Mitigation Action Request
Mitigation action=quarantine; IP=10.0.0.18
Processes request GLC libraries, and sends information
Mitigation successful
* Proof of Concept Only **EndpointProtectionService- must manually move into EPS client group
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Walk-through Download suspicious executable - ‘putty.exe’
Violation of
Intrusion Policy
Correlation
UnQuarantine
Correlation
79
Before During and After
• Before: Change the policy of the sensor
• During: Change the way the sensor responds to an attack
• After: Change the way data is displayed and how users interact with that data
• Custom Block Responses
• Host attributes
• Custom tables
• Custom workflows
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Custom Block Response Pages
• Simple update that can be leveraged for existing
infrastructure.
• Example: Use a Google Docs Spreadsheet and
Web form for user access requests.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Custom Block Response Pages
• Modify the existing Custom Block Page.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Host Attributes
• Host Profile based
• Allows the user to alert and perform
analysis on events as they pertain
not only to the chance of success
but also on the severity of success.
• Become key in Correlation Rules
• Allows the user to alert based on
location or division
• Integer, List, Text, URL options for
use
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Host Attributes
• List Option as an Example:
• Can use multiple Attributes on a
single host.
– IE: Location and Criticality or
Location and PCI/HIPPA/DMZ
• URL Option can be used to call
back to asset database or other
web enabled tool for additional
device history or options.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Custom Tables
• Combination of events types into a single table
• Allows users the ability to focus reporting and analysis across multiple tables
• Can be used in Custom Widgets, gives widget visibility to previous un-available tables
• Can be extremely flexible in providing custom visualization of event data and correlations within the
management console
– For example the next screen has a sample custom table that uses data elements from
three tables:
• Connection Events
• Host Attributes
• Indications of Compromise.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Custom Tables
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Custom Workflows
• Custom Workflows allow Users to customize, per user, on how they want to view
data.
• Can be created or changed on multiple Event Type Table (Intrusion, Connection, Malware, etc.)
• Allows multiple pages with 5 columns per page.
• Allows Table view of all columns available within the event table specified.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Custom Workflows
• Use any Column in the table and apply sort order for
clarity.
• Add Multiple pages with the expectation that each
lower page will be constrained by selection(s) on the
preceding page.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Call to Action
Visit the World of Solutions for
– Cisco Campus
• Cisco ASA with FirePOWER Services
• Cisco Next-Generation IPS/FireSight
• Fire and ISE demo in the ISE 1.3 pxGrid with Technology Partners
• Use Cases: ISE/IDS/ASA Ipad Demo and AnyC/ISE/ASA Demo
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Complete Your Online Session Evaluation
• Please complete your online session
evaluations after each session.
Complete 4 session evaluations
& the Overall Conference Evaluation
(available from Thursday)
to receive your Cisco Live T-shirt.
BRKSEC-3126 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 90