Same battle, different day: Our branch offices demand speedy access to the same flexible capabilities as everyone back at corporate—mobility, BYOD, guest Wi-Fi, cloud services—but they don’t have corporate’s expertise or the space to run full security operations. Speed, flexibility, costs, and security—they’re equally important. But in the branch, we often feel trapped trading one for the other.

It reminds me of Sid Meier’s turn-based strategy game, Civilization. In it, you’re always striking a balance between expanding your civilization and securing your border. Your capital city may be fat with resources and strong walls, but your border towns are just a turn away from being sacked by barbarians.

We need a civilized solution

Backhauling your security through headquarters and then back out to the Internet is not a very elegant solution. For flexibility and affordability in the branch, you need to provide Direct Internet Access (DIA), but in a way that’s highly secure. Not with a rack of appliances, but with one device. A device that you already need in your branch edge, anyway.

A router.

In this episode of TechWiseTV, we’ll show you how you can strike that balance and win the battle at your branch with one of Cisco’s highest-selling routers of all time: the Integrated Services Router (ISR) 4000.

In the video, Jason Wright and I quickly review many of the basic on-premise and cloud-based security capabilities that have been added to this venerable box—things like Zone-based Firewall, Snort Intrusion Detection, Firepower Threat Defense, and Cloud Web Security.

Then, Jason is joined by Kural Arangasamy, an engineer on our Branch Threat Defense team, to demonstrate two advanced capabilities that address this issue of backhauling traffic, and ensure that everything is really as secure as you think: Umbrella Branch (OpenDNS), and Stealthwatch Learning Network License.

Cisco Umbrella Branch with OpenDNS

With OpenDNS and Umbrella Branch connecting on the ISR, you can provide Direct Internet Access at the branch, and enforce your security policies at your local router.

Because you typically have no control over what DNS address a guest will use, the ISR automatically overrides it and sends its own query to OpenDNS via a secure tunnel. The policies you configure on the OpenDNS portal are accessible anywhere via a centralized management console, so security personnel from headquarters can manage the branch remotely, if necessary.     

“An elegant weapon for a more civilized age” – Obi-Wan Kenobi

Stealthwatch Learning Network license.

Stealthwatch is like having your finger on the pulse of the network by allowing you to easily identify anomalies and mitigate potential threats:

  • Why is this server trying to call out to China?
  • Why is that printer hosting some kind of external services?
  • Why is traffic spiking in this portion of the network?

There are two components:  An intelligent learning agent installed on the router that processes information locally, and a centralized management console that collects and reports on all this information.

In our TechwiseTV demo, the agent is running on the ISR itself. But, it’s actually a distributed learning agent that collects information from various sources like Netflow or NBAR. It performs deep packet inspection on DNS and other types of packets, and can query other routers on the network to help determine if an anomaly is indeed indicative of an attack.

It can also take action to mitigate the threat, like injecting an ACL or a QoS policy, and block the communication locally. So it’s not just a sensor, but an enforcer.

Jason Wright and Kural Arangasamy on TechWiseTV Episode 202
Jason Wright and Kural Arangasamy on TechWiseTV Episode 202

We demonstrate two different scenarios: An anomaly that turns out to be an FTP file transfer we didn’t expect, and an unusual spike in traffic. In both cases, what blew me away was how easy it was to understand what was truly going on, and how simple it was to take action.  Some of the coolest features:

  • Radar Graphs – to visually differentiate between normal behavior and an anomaly you may want to block or investigate further.
  • Like and Dislike buttons – to easily tune the algorithm to show you more or less of the type of anomaly you’re looking at.
  • Whitelisting – to stop alerts for anomalies that you know are expected behavior.
  • PCAP – to perform in-depth analysis of the packet that triggered the anomaly.

Integrating Security into the Network

The SLN agent can also talk to other services, like Cisco Identity Services Engine (ISE) to get information about the user, the device, and the operating system—contextual information to help to better understand the anomaly.

What we’re doing with the ISR is delivering on the promise of integrating security technologies into the network—so you can not only leverage the combined intelligence of the network to understand threats and enforce security policies – but also reduce the footprint and resources required at each of your branch offices.

Integration. It seems like the civilized thing to do.




P.S. To learn more about Cisco Stealthwatch Learning Network License, and get your questions answered, register for the free live Webinar we’ll be hosting on November 9th at 10 am PT/ 1pm ET.


Robb Boyd

Producer, Writer, Host