Introduction

An Introduction to Security Cloud Control

Security Cloud Control (formerly Cisco Defense Orchestrator) is a cloud-based multi-device manager that facilitates management of security policies in highly distributed environments to achieve consistent policy implementation.

Security Cloud Control helps you optimize your security policies by identifying inconsistencies with them and by giving you tools to fix them. Security Cloud Control gives you ways to share objects and policies, as well as make configuration templates, to promote policy consistency across devices.

Because Security Cloud Control coexists with local device managers such as the Adaptive Security Device Manager (ASDM), it keeps track of configuration changes made through Security Cloud Control and through the other managers, and then reconciles the differences between them.

Security Cloud Control has an intuitive user interface that allows you to manage a wide range of devices in one place. Advanced users will also find the traditional CLI, with enhancements that make management more efficient.

Security Cloud Control also provides a guided "Day 0" experience helping you quickly onboard threat defense devices to your on-premises or cloud-delivered Firewall Management Center. It also presents you with other key features you may benefit from and helps you enable and configure them.

Onboard Devices

Before you onboard a device, make sure that you have successfully completed the installation wizard and licensed the device. Then use Security Cloud Control's onboarding wizard to onboard your device. Security Cloud Control can easily manage large deployments.

See Onboard Devices and Services.


Note

Once you have onboarded devices to a Security Cloud Control tenant, you cannot migrate the devices from one Security Cloud Control tenant to another. If you want to move your devices to a new tenant, you need to re-onboard the devices to the new tenant.

For a complete list of devices that Security Cloud Control supports and manages, see Supported Devices, Software, and Hardware.

Cisco Online Privacy Statement

Cisco Systems, Inc. and its subsidiaries (collectively "Cisco") are committed to protecting your privacy and providing you with a positive experience on our websites and while using our products and services ("Solutions"). Please read Cisco Online Privacy Statement carefully to get a clear understanding of how we collect, use, share, and protect your personal information.

Managing AWS with Security Cloud Control Firewall Management

Using Security Cloud Control Firewall Management to Manage AWS VPCs

Security Cloud Control provides a simplified management interface for your Amazon Web Services (AWS) Virtual Private Clouds (VPCs). You can manage your AWS VPCs and their components in the same interface you manage your other devices.

Use Security Cloud Control to perform these tasks:

These are common AWS features that Security Cloud Control expects to support in the future:

  • Showing the relationship of load balancers (elastic, network, and application load-balancers) to the security group.

  • Showing the relationship of auto-scaling groups to a security group.

You cannot manage these aspects of security groups with Security Cloud Control:

  • Creating Security Groups.

  • Linking Security Groups to instances.

  • Assigning Security Groups to load balancers.

  • VPC peering.

Onboard AWS VPCs

Start by onboarding the AWS VPC using Security Cloud Control's onboarding wizard. See Onboard an AWS VPC for more information.

Note that if an AWS VPC contains tags, these tags are imported into Security Cloud Control when you onboard the VPC. Security Cloud Control represents the tags as labels. Unlike security group objects or rules, labels are not automatically synchronized back to the AWS VPC. See Labels and Filtering for more information.

Manage the AWS connection credentials and IAM permissions that Security Cloud Control uses to reach the VPC through the Security Cloud Control console. Without the correct credentials and permissions, Security Cloud Control cannot communicate with the AWS VPC. See Update AWS VPC Connection Credentials and Changing Permissions for an IAM User for more information.

View AWS VPC Details

Once the AWS VPC has been onboarded, you can view the AWS VPC's ID, region, security groups, and the rules and objects assigned to those security groups.

Work with Security Groups

A security group is a collection of rules that governs inbound and outbound network traffic for all the AWS instances, and other entities, associated with it. When you onboard an AWS VPC to Security Cloud Control, its security groups are stored in Security Cloud Control as security group objects.

Using Security Cloud Control you can perform these tasks:

At this time, you cannot create new security groups in a VPC.

See these topics for more information:

Share Objects Between AWS and Other Managed Devices

Security Cloud Control supports the use of objects in rules. Objects are containers for values. For example, you could have a network object that contains the IP address of a resource and give it a meaningful name. Then you can use that object in access rules as part of the source or destination of the rule, rather than using the resource's literal IP address. You can also re-use that object in different rules. If you change the value of the object once, any rule that uses that object starts using the new value.

After onboarding an AWS VPC, Security Cloud Control translates the VPC's security groups into security group objects, and the addresses and ports found in existing security group rules into network objects and service objects.

Network objects and service objects (sometimes referred to as port objects) can be shared between AWS VPCs and other devices you manage using Security Cloud Control. Security group objects are unique to AWS.

See Sharing Objects Between AWS and other Managed Devices for more information.

Monitoring Changes to AWS VPCs and AWS Security Groups

Change Log

The change log continuously captures configuration changes as they are made in Security Cloud Control. This single view includes changes across all supported devices and services. These are some of the features of the change log:

  • Side-by-side comparison of changes made to device configuration.

  • Plain-English labels for all change log entries.

  • Records on-boarding and removal of devices.

  • Detection of policy change conflicts occurring outside of Security Cloud Control.

  • Answers who, what, and when during an incident investigation or troubleshooting.
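
The object translation described under Share Objects Between AWS and Other Managed Devices and the detection of out-of-band policy changes listed above, as an added Python example; this is not Security Cloud Control's own code, whose internals this page does not describe. It assumes the EC2 DescribeVpcs and DescribeSecurityGroups response shapes; the VPC, group IDs, CIDRs, tags and the console-made change are constructed for the example, and no AWS call is made:

```python
from __future__ import annotations

import copy
from dataclasses import dataclass

# Constructed sample data (no AWS call is made): dict shapes follow the EC2
# DescribeVpcs / DescribeSecurityGroups responses; IDs, CIDRs and tags are invented.
VPC = {"VpcId": "vpc-0example",
       "Tags": [{"Key": "Name", "Value": "prod-vpc"}, {"Key": "env", "Value": "prod"}]}

SNAPSHOT = {"SecurityGroups": [  # the state the manager recorded at onboarding
    {"GroupId": "sg-0web", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]}],
     "IpPermissionsEgress": []}]}

# Live state: someone used the AWS console (outside the manager) to open SSH to the internet.
LIVE = copy.deepcopy(SNAPSHOT)
LIVE["SecurityGroups"][0]["IpPermissions"][1]["IpRanges"].append({"CidrIp": "0.0.0.0/0"})


@dataclass(frozen=True)
class ServiceObject:
    """Protocol plus port range: the reusable service (port) object referenced by rules."""
    protocol: str
    from_port: int | None = None
    to_port: int | None = None

    def name(self) -> str:
        if self.protocol == "-1":
            return "any"
        if self.from_port is None:
            return self.protocol
        span = "" if self.from_port == self.to_port else f"-{self.to_port}"
        return f"{self.protocol}/{self.from_port}{span}"


@dataclass(frozen=True)
class Rule:
    direction: str          # "ingress" or "egress"
    service: ServiceObject
    peer: str               # a CIDR (network object) or the ID of a referenced security group


def flatten_rules(sg: dict) -> frozenset[Rule]:
    """One security group -> flat set of rules. AWS nests several CIDRs and group
    references under a single protocol/port entry; flattening makes rules comparable."""
    rules = set()
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in sg.get(key, []):
            svc = ServiceObject(perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
            peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            peers += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            peers += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            rules.update(Rule(direction, svc, p) for p in peers)
    return frozenset(rules)


def translate(response: dict) -> dict:
    """DescribeSecurityGroups response -> security group objects plus the network and
    service objects they reference, each mapped to the groups using it (shared if > 1)."""
    groups = {sg["GroupId"]: flatten_rules(sg) for sg in response["SecurityGroups"]}
    networks: dict[str, set[str]] = {}
    services: dict[str, set[str]] = {}
    for gid, rules in groups.items():
        for r in rules:
            if "/" in r.peer:  # CIDR -> network object; anything else is a group reference
                networks.setdefault(r.peer, set()).add(gid)
            services.setdefault(r.service.name(), set()).add(gid)
    return {"security_groups": groups, "network_objects": networks, "service_objects": services}


def labels_from_tags(vpc: dict) -> dict[str, str]:
    """VPC tags become labels on the manager side only; nothing is written back to AWS."""
    return {t["Key"]: t["Value"] for t in vpc.get("Tags", [])}


def out_of_band_changes(snapshot: dict, live: dict) -> dict[str, dict[str, frozenset[Rule]]]:
    """Side-by-side comparison of the recorded rules with the live AWS state: any
    difference was made outside the manager and must be reconciled, not silently kept."""
    old = translate(snapshot)["security_groups"]
    new = translate(live)["security_groups"]
    changes = {}
    for gid in old.keys() | new.keys():
        before, after = old.get(gid, frozenset()), new.get(gid, frozenset())
        if before != after:
            changes[gid] = {"added": after - before, "removed": before - after}
    return changes


def world_reachable(rules) -> set[Rule]:
    """Ingress rules whose peer is the entire internet: the first ones to look at."""
    return {r for r in rules if r.direction == "ingress" and r.peer in ("0.0.0.0/0", "::/0")}


if __name__ == "__main__":
    for gid, delta in out_of_band_changes(SNAPSHOT, LIVE).items():
        for r in delta["added"]:
            flag = " (open to the world)" if r in world_reachable(delta["added"]) else ""
            print(f"{gid}: +{r.direction} {r.service.name()} from {r.peer}{flag}")
```

Run as a script, the example reports the SSH rule that was added to sg-0web from the console and flags it as world-reachable; translate(SNAPSHOT) shows 10.0.0.0/16 as a network object shared by both groups, which is the kind of object that is worth maintaining once and reusing across rules and devices.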

Change Request Management

Change request management allows you to associate a change request and its business justification, opened in a third-party ticketing system, with an event in the Change Log. Use change request management to create a change request in Security Cloud Control, identify it with a unique name, enter a description of the change, and associate the change request with change log events. You can later search the Change Log for the change request name.

Support for Common Managerial Tasks

Security Cloud Control supports these common management tasks for AWS security groups:

The Security Cloud Control Dashboard

The Security Cloud Control dashboard is your central hub for monitoring and managing organization-level details across various categories. Upon logging in, you can access a customizable dashboard that offers critical insights and actions to optimize security and operational efficiency.

Customize Your Dashboard

Make your dashboard fit your specific needs by customizing the visible widgets.

  1. On the Home page, click Customize.

  2. Select or deselect the widgets you want to view on the dashboard.

  3. You can drag and drop the widgets to arrange them as you prefer.

Top Information

This section provides detailed insights into various tenant-level metrics. If enabled, you can view the following widgets:

  • Configuration States: Indicates the discrepancies between the configurations on your devices and those maintained by Security Cloud Control. This comparison helps identify any inconsistencies or conflicts that may exist.

    For more information, see Device Management.

  • Change Log Management: Helps you manage the change logs for precise operational control. The widget displays Completed and Pending change logs.

    For more information, see Change Logs.

  • RA VPN Sessions: Helps you monitor your Remote Access VPN sessions.

    For more information, see RA VPN Sessions.

  • Overall Inventory: Helps you monitor the health and status of all devices. The widget displays the total number of devices, categorized as Issues, Pending Actions, Other, Online, and devices that are nearing or have already reached their last day of hardware support.

    For more information, see All Devices.

  • Site-to-Site VPN: Helps you manage and assess your site-to-site VPN connections. The widget displays the total number of VPN tunnels and the percentage that are Active and Idle.

    For more information, see Site-to-site VPN.

  • Accounts and Assets:

    • Helps you track and manage your multicloud accounts and resources effectively. You can launch the Multicloud Defense Controller from here.

    • Click +Add Account to add a new account.

    For more information, see Multicloud Defense Controller.

  • Top Risky Destinations: Helps you identify and monitor the top risky destinations that are granted access. The widget lists Applications and URL Categories and allows you to filter data for the last 90, 60, or 30 days. You can filter between Allowed (default) and Blocked traffic.

  • Top Intrusion and Malware Events: Helps you monitor and respond to the top intrusion and malware events. The widget displays Intrusion Events and Malware Events and allows you to filter data for the last 90, 60, or 30 days. You can filter between Allowed (default) and Blocked events.

Announcements

Click the Announcements icon to view the most recent Security Cloud Control features and updates. Links to related documentation are provided if you need more information on any of the items listed.