This document contains the following sections:
● Introduction
● New Features, Supported Hardware and Software
● Caveats
● Related Documentation
Introduction
The Cisco® Cyber Threat Defense Solution (CTD) combines the following elements to improve the detection and remediation of advanced cyber threats within the Cisco network:
● Unique interior network traffic telemetry using the scalable unsampled NetFlow capabilities of Cisco Catalyst® switches, Cisco routers, and Cisco NetFlow Generation Appliances (NGAs), as well as NetFlow Security Event Logging (NSEL) from Cisco ASA 5500 Series Adaptive Security Appliances.
● Network traffic analysis capabilities provided by the Lancope StealthWatch products. (Cisco has partnered with Lancope to jointly develop and offer the Cisco Cyber Threat Defense Solution.)
● Contextual information including user and device identity from the Cisco Identity Services Engine (ISE), Network Address Translation (NAT) from ASA firewalls, and Network-Based Application Recognition (NBAR) from Cisco routers.
The CTD solution is published as a Cisco Validated Design. More information about the Validated Design program can be found by visiting http://www.cisco.com/go/cvd.
New Features, Supported Hardware and Software
Highlights of New Features in StealthWatch 6.5
New capabilities added to the CTD solution in StealthWatch 6.5 include:
● Introduction of a web-based user interface for threat visibility, including a global threats map, new security alarm indicators, new views (host list and user list), and simplified customization of the display
● Job management display for flow queries
● Ability to run and save flow queries for later reuse
● Expanded ability to define custom security events
● Redesigned online help facility
Please refer to the Lancope StealthWatch 6.5.0 Release Notes for details on the new features and fixes introduced in this release.
New Cisco Platforms Validated in Cyber Threat Defense 1.1.2
In addition to Lancope StealthWatch 6.5 software, Cyber Threat Defense 1.1.2 adds support for the Cisco Catalyst 3850 Series Switches. It also updates the Cisco ISE integration how-to document in the Cisco Validated Design.
Cisco Hardware and Software Components of Cyber Threat Defense 1.1.2
Version 1.1.2 of the Cyber Threat Defense Solution was validated against the specific combinations of hardware and software shown in the tables below. Table 1 shows the Cisco Catalyst switch series that incorporate hardware support for line-rate unsampled NetFlow export. Table 2 shows the other Cisco hardware platforms included in this Cisco Validated Design release.
Table 1. Cisco Catalyst Switches Capable of Line-Rate Unsampled NetFlow

| Model | Hardware Required | Recommended Software Release |
| --- | --- | --- |
| Catalyst 3560-X and 3750-X | Cisco service module | Cisco IOS 15.0.2SE4 |
| Catalyst 3850 Series | Any | Cisco IOS XE 3.3.0SE |
| Catalyst 4500 Series | Supervisor Engine 7-E, 7L-E, or 8-E | Cisco IOS XE 3.3.0SG |
| Catalyst 6500 Series | Supervisor Engine 2T | Cisco IOS 15.0.1SY1 |
Additional information regarding Cisco Catalyst switches and Cisco IOS NetFlow can be found at http://www.cisco.com/go/catalyst and http://www.cisco.com/go/netflow.
Table 2. Cisco Router, ASA 5500, ISE, and NGA Software Recommendations

| Platform | Recommended Software Version |
| --- | --- |
| Cisco Integrated Services Router (ISR) G2 | Cisco IOS 15.3.2T |
| Cisco ASR 1000 Series Aggregation Services Routers | Cisco IOS XE 3.9S |
| Cisco ASA 5500 Series Adaptive Security Appliances | Cisco ASA Software Release 8.4.5 or |
| Cisco Identity Services Engine (ISE) | Cisco ISE Release 1.2.1 |
| Cisco NetFlow Generation Appliance (NGA) | Cisco NGA Release 1.0.2 |
Caveats
Open Caveats
Table 3 contains open caveats that are known to apply to this Validated Design at the time of release, with Cisco and Lancope defect-tracking numbers where applicable.
Table 3. Open Caveats

| Cisco ID | Lancope ID | Description |
| --- | --- | --- |
| n/a | SWD-4627, LSQ-1352 | 500 error on web GUI for specific username |
| n/a | SWD-4582, LSQ-1321 | HTML not escaped in saved query description |
| CSCuj86159 | n/a | ISE deprioritizes authentication syslog messages under heavy load, possibly leading to incomplete identity information in SMC |
| n/a | SWD-3526 | SMC shows duplicate identities under certain situations |
Resolved Caveats
Table 4 contains caveats that affected previous versions of this Cisco Validated Design and are resolved in this release.
Table 4. Resolved Caveats

| Cisco ID | Lancope ID | Description |
| --- | --- | --- |
| n/a | n/a | Response time of ISE RESTful API degrades with large numbers of endpoints |
Release Notes for Component Products
Please consult the product release notes listed in Table 5 for product-specific caveats regarding any Cisco products integrated with the Cyber Threat Defense Solution. Note that a Cisco.com account may be necessary to view these documents.
Table 5. Release Notes for Component Products

| Component | Release Notes |
| --- | --- |
| Cisco Catalyst 3560-X or 3750-X with Catalyst 3K-X 10G Service Module | |
| Cisco Catalyst 4500 with Supervisor Engine 7-E, 7L-E, or 8-E | http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26675-01.html |
| Cisco Catalyst 6500 with Supervisor Engine 2T-10GE | http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/release_notes.html |
| Cisco Catalyst 3850 Series | |
| Cisco Integrated Services Routers G2 | http://www.cisco.com/c/en/us/td/docs/ios/15_3m_and_t/release/notes/15_3m_and_t.html |
| Cisco ASR 1000 Series Aggregation Services Routers | http://www.cisco.com/c/en/us/td/docs/routers/asr1000/release/notes/asr1k_rn_rel_notes.html |
| Cisco ASA 5500-X Series Adaptive Security Appliances | |
| Cisco Identity Services Engine | http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/release_notes/ise12_rn.html |
| Cisco NetFlow Generation Appliance | |
Design and implementation guides and other reference materials are available at http://www.cisco.com/go/threatdefense.