Recently I deployed Cisco’s AMP for Endpoints for a 50-user organization. For the uninitiated, AMP for Endpoints is Cisco’s cloud based, enterprise grade, advanced malware protection software that is deployed to each end device in the network. Each endpoint reports back to the central cloud controller and is managed by the controller. Cisco integrated AMP for Endpoints with Cisco’s ThreatGRID to provide deep threat analytics; analyzing millions of files and correlating them against hundreds of millions of malware samples. The controller can then push these new signatures to each endpoint automatically, protecting the device.
Setting up the controller was easy. Being cloud based, there wasn’t a need to install an appliance, physical or virtual, on the network. Once an account is created, configuration of the controller was also easy. Many of the default settings work perfectly for most organizations, and the only thing I needed to configure was adding the companies’ critical applications to the exclusions list. The hardest part of the deployment (and I mean that sarcastically) was to install the connector software to each endpoint.
The AMP for Endpoints connector supports Windows, Mac OS, Linux, and even Android; for windows servers they have a special server image, as well as a domain controller image. With all of these images the task of deploying them to the endpoint devices became the challenge. For the servers, we chose a manual approach, downloading and installing each package individually (there weren’t that many servers, so it wasn’t too bad). For user endpoints Cisco has a few clever ways to deploy.
The first deployment option is a manual install; each image has a URL that you can email to your team and have them download and install their flavor of the connector. I don’t need to tell you that letting the users choose their own image will cause a help desk nightmare and I don’t recommend this method.
The second deployment option, and the way we decided to deploy, is to use the AMP Enabler AnyConnect module. Cisco’s AnyConnect has a whole suit of modules for deploying security features. When the user VPNs into the network using AnyConnect the AMP Enabler module checks to see if the machine has AMP for Endpoints installed, if not it forces installation. Obviously for any users who never VPN into the network this deployment option won’t work. What we did was to enable hairpinning on the ASA and ask internal users to VPN into the network.
The final deployment option is to use Cisco ISE to posture and install AMP for endpoints when a computer connections to the network via wireless, wired, or VPN. This is obviously the best option as this forces all users to install AMP for Endpoints without user intervention. The downside for customers who don’t already have ISE installed is the need to deploy ISE on their network. (Not that it’s a bad idea, but ISE is a whole other discussion).
AMP for Endpoints is a powerful tool, and with the deployment integrations with Cisco’s other security products, deploying AMP for Endpoints to your users is easy.
Written By: Trevor Butler, LookingPoint Network Engineer - CCNP CMNA