At-a-Glance

Cisco Router-Based Threat Defense Solutions

Protect Your Branch Offices Against Attacks

Many branch offices are experiencing network usage spikes. There are all kinds of contributors: cloud networking, guest Wi-Fi access, customer transactions, high-definition video, and even machine-to-machine sensor traffic. For relief, many are supplementing their carrier virtual private network (VPN) services with less expensive, public Internet services.

Opening up your branch to direct Internet connections in this way saves money and improves communications. It also triggers new security considerations. That’s because a portion of the traffic will no longer run through your data center for anomaly scanning and policy checking. So your branch router now needs to supply you with the same protections that your data center once handled alone.

Benefits of Built-In Router Security:
• Gain additional protection without having to deploy a security appliance.
• Boost security where you need it most, such as in branch offices with direct Internet connections that bypass your data center.
• Meet PCI DSS and other regulatory compliance requirements.
• Save time and money by reducing the number of devices in your network.

The Cisco Arsenal

Cisco® router-based security solutions give you an edge at thwarting attacks, whether they are coming from the Internet or from an internal location. All the security tools you need are integrated right into your Cisco Integrated Services Router (ISR):
• The Cisco Zone-Based Firewall statefully inspects all traffic for compliance with corporate policy to block or prevent unauthorized network access. You can also use it to segment traffic into groups that shouldn’t share data. You can partition user groups from one another based on switch port or more granularly using a policy-setting method called Security Group Tagging (SGT).
• Cisco IOS® IPS is a signature-based intrusion detection and prevention system (IDS/IPS) that helps you meet Payment Card Industry Data Security Standards (PCI DSS) requirements by inspecting traffic against a large database of known threats.
• FirePOWER™ Threat Defense is the industry-leading, next-generation IDS/IPS that brings contextual awareness to security events, networkwide. A sensor in your router collects security events that are evaluated centrally to determine what’s normal and what’s an anomaly to help reduce false positives. IPS takes action upon the actual threats.
• Cloud Web Security inspects web traffic against malware and lets you apply URL filtering to enforce policies.

What Components Do You Need?

Cisco router-based security tools scan for malware and other threats and take action on them to keep your branches safe. This protection is critical in branch offices running partial or full direct Internet access connections. The tools are also essential if you must comply with government regulatory mandates for security, such as PCI DSS or the Health Insurance Portability and Accountability Act (HIPAA). Table 1 lists some use cases.

[Figure: network diagram with the labels Branch, MPLS VPN, Public IP services, Corporate Network, and Internet]

To improve network performance, many branches are building direct connections from their router to the Internet using public Internet services. This approach is less expensive and faster to implement than carrier-based services such as MPLS VPNs. That traffic now bypasses your data center, so it pays to have security mechanisms integrated right into your branch router.

Table 1. Matching Security to Your Needs
Use Case: Regulatory compliance (PCI DSS, HIPAA, Gramm-Leach-Bliley Act, and other mandates)
Industry:
• Retail
• Healthcare
• Financial
Security Requirements:
• Firewall
• Intrusion detection and prevention
Recommended Cisco Solution(s):
• Zone-Based Firewall*
• Cisco IOS IPS*

Use Case: Wi-Fi guest access
Industry:
• Retail
• Healthcare
• Hospitality
• City/local government
Security Requirements:
• Firewall
• Intrusion detection and prevention
• Web security
Recommended Cisco Solution(s):
• Zone-Based Firewall*
• Cisco IOS IPS*
• Cloud Web Security (CWS)**

Use Case: Partial direct Internet access (DIA)
Industry:
• Retail
• Healthcare
• Manufacturing
Security Requirements:
• Firewall
• Intrusion detection and prevention
• Web security
Recommended Cisco Solution(s):
• Zone-Based Firewall*
• FirePOWER Threat Defense***
• CWS**

Use Case: Full DIA
Industry:
• Retail
• Healthcare
• Manufacturing
Security Requirements:
• Firewall
• Intrusion detection and prevention
• Web security
• Malware protection
Recommended Cisco Solution(s):
• Zone-Based Firewall*
• FirePOWER Threat Defense***
• CWS**

* Embedded in Cisco IOS Software that comes with the router.
** Requires a “connector” subscription in your router software license.
*** Requires Cisco Unified Computing System™ (Cisco UCS®) E-Series Server Blade in the router and a subscription to your desired tier of service.

Next Steps

To learn more about Cisco router-based threat-defense capabilities, visit our router security homepage or contact your Cisco sales representative.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C45-735097-00 09/15