Cisco Self Defending Network: SECURING THE INTELLIGENT INFORMATION NETWORK

James Jones, CCIE 1550, CISSP. August 2005. © 2004 Cisco Systems, Inc. All rights reserved.

Upload: winfred-townsend

Post on 28-Dec-2015

Page 1: Title slide. Cisco Self Defending Network: Securing the Intelligent Information Network. James Jones, CCIE 1550, CISSP. August 2005.

Page 2: Agenda

• Security evolves to become a business issue

• Cisco’s unique architectural systems approach

• Security is a business enabler

Page 3: Key Issues Facing Customers Today

SECURITY: threats, theft, loss, response time

APPLICATION AND SERVICE OPTIMIZATION: enablers, awareness, application management, performance/optimization, resilience

SIMPLIFICATION: scale, cost, staffing, integration and systems management

These issues are common to the compute and network layers.

Page 4: Security Incidents on the Rise

[Chart: number of security incidents per year, 1995 to 2003; vertical axis "Incidents", scaled 0 to 140,000. Source: CERT, Carnegie Mellon Software Engineering Institute; IDC]

Page 5: Evolution of Security Challenges

[Chart: target and scope of damage over time. Vertical axis (impact): individual computer, individual networks, multiple networks, regional networks, global infrastructure. Horizontal axis: 1980s (1st Gen), 1990s (2nd Gen), today (3rd Gen), future (Next Gen). The time from knowledge of a vulnerability to release of an exploit shrinks across the generations from weeks to days, minutes and seconds.]

Time from knowledge of vulnerability to release of exploit is shrinking.

Page 6: Security... Top of Mind for Business / Gov't

Top Ten Business Trends in 2004. Rankings: "Affects Growth of IT Industry". Source: Gartner Top Ten Business Trends, 2004.

Trend                                        2004   2003   2002
Revenue growth                                  1     12      —
* Use of information in products / services     2      1      1
* Economic recovery                             3      2      4
Single view of customer                         4      —      —
Faster innovation                               5      —      —
Greater transparency in reporting               6      —      —
Enterprise risk management                      7      5      3
Security / business disruptions                 8      3      6
Operating costs / budgets                       9      7      —
Data protection and privacy                    10      4      —

Page 7: Regulatory Compliance and the "IAC triad"

• Regulatory compliance: HIPAA, Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), Basel II, EPA

• Integrity: assurance of the accuracy and reliability of data and systems, ensuring that neither is modified in an unauthorized manner

• Availability: ensures the system or data is available and executes in a predictable manner with an acceptable level of performance

• Confidentiality: preventing unauthorized disclosure of sensitive information by ensuring that the necessary level of secrecy is in place at each junction of data processing

Page 8: Cisco Intelligent Information Network

Business process optimization requires an intelligent information network: the networked infrastructure carries the applications and services on which business processes depend.

• ACTIVE PARTICIPATION in application and service delivery

• A SYSTEMS APPROACH integrates technology layers to reduce complexity

• Flexible POLICY CONTROLS adapt this intelligent system to your business through business rules

Cisco network strategy: from connectivity to intelligent networking; resilient, integrated, adaptive.

Page 9: Value of an Integrated Security System

Security is no longer an option... it's a necessity.

Security as an option: security is an add-on; challenging integration; not cost-effective; cannot focus on core priority.

Security as an integral part of a system: security is built in; intelligent collaboration; appropriate security; direct focus on core priority.

Page 10: Self Defending Network Strategy

An initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats.

INTEGRATED SECURITY: secure connectivity, threat defense, trust and identity

SECURITY TECHNOLOGY INNOVATION: endpoint security, application firewall, SSL VPN, network anomaly detection

SYSTEM LEVEL SOLUTIONS: endpoints, network, services

Page 11: Phases of Self Defending Network (SDN)

Point products: multiple security appliances, separate management software

SDN Phase I: Integrated Security

SDN Phase II: Collaborative Systems

SDN Phase III: Adaptive Threat Defense

"5–7 Years to Drive Architecture"

Page 12: Securing the IP Fabric with Integrated Security

Security technology leadership (best-of-breed security): VPN Concentrator, Cisco Firewall, Cisco IDS Sensors, Cisco IOS VPN

Networking technology leadership (20 years of routing and switching expertise): Cisco ISR, Cisco Catalyst

Integrated security:

• Network Infrastructure Protection: protect the network infrastructure from attacks (Control Plane Policing, NBAR, AutoSecure)

• Trust & Identity: leverage the network to intelligently protect endpoints (NAC, 802.1x)

• Secure Connectivity: secure and scalable network connectivity (Secure Voice (sRTP, V3PN), DMVPN, MPLS & IPSec)

• Threat Defense: prevent and respond to network attacks and threats such as worms (Intrusion Prevention, NetFlow, App Firewall, OPS)

Page 13: NAC – First Collaborative Security System

NAC Framework flow (desktop client, access switch, corporate network):

• Client attempts connection

• Authentication and policy check of the client

• Result: a) access granted, b) access denied, c) quarantine (the client is placed in the quarantine VLAN)

• Remediation of the quarantined client

And more to come....
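The admission flow on this slide, as an added example written for this page (it is not Cisco NAC code): the check authenticates the client first, then compares the posture the endpoint reports against a policy and returns granted, denied, or quarantine together with the remediation the client must complete. The posture attributes, thresholds, VLAN numbers and client records are constructed assumptions.

```python
"""Constructed NAC-style admission decision: authenticate, then check posture."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    GRANTED = "access granted"
    DENIED = "access denied"
    QUARANTINE = "quarantine"


@dataclass
class Posture:
    """What a posture agent would report about an endpoint (assumed attribute set)."""
    username: str
    credential_ok: bool          # outcome of the authentication step
    av_signature_version: int    # installed anti-virus signature version
    patch_level: int             # installed OS patch level
    agent_running: bool          # host security agent active


@dataclass
class Policy:
    min_av_signature_version: int
    min_patch_level: int
    require_agent: bool
    corporate_vlan: int
    quarantine_vlan: int


@dataclass
class Verdict:
    decision: Decision
    vlan: Optional[int]                      # None when access is denied outright
    remediation: List[str] = field(default_factory=list)


def admit(posture: Posture, policy: Policy) -> Verdict:
    """Deny on failed authentication; quarantine on any posture failure; else grant."""
    if not posture.credential_ok:
        return Verdict(Decision.DENIED, None)

    remediation: List[str] = []
    if posture.av_signature_version < policy.min_av_signature_version:
        remediation.append(
            f"update anti-virus signatures to version {policy.min_av_signature_version} or later")
    if posture.patch_level < policy.min_patch_level:
        remediation.append(f"apply OS patches up to level {policy.min_patch_level}")
    if policy.require_agent and not posture.agent_running:
        remediation.append("start the host security agent")

    if remediation:
        # Policy check failed: isolate on the quarantine VLAN and hand back the to-do list.
        return Verdict(Decision.QUARANTINE, policy.quarantine_vlan, remediation)
    return Verdict(Decision.GRANTED, policy.corporate_vlan)


# Constructed policy and client set.
CORP_POLICY = Policy(min_av_signature_version=120, min_patch_level=7,
                     require_agent=True, corporate_vlan=10, quarantine_vlan=999)

CLIENTS = [
    Posture("alice", True, 125, 8, True),     # compliant
    Posture("bob", True, 110, 8, True),       # stale AV signatures
    Posture("mallory", False, 125, 8, True),  # authentication failed
    Posture("carol", True, 125, 5, False),    # unpatched and no agent
]

if __name__ == "__main__":
    for c in CLIENTS:
        v = admit(c, CORP_POLICY)
        print(f"{c.username:8s} {v.decision.value:15s} vlan={v.vlan} remediation={v.remediation}")
```

Authentication is evaluated before posture so that an unauthenticated client never learns what the policy requires; a quarantined client keeps network reachability only on the quarantine VLAN, where the remediation servers live.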

Page 14: Current NAC Program Participants

http://www.cisco.com/en/US/partners/pr46/nac/partners.html

Partner categories: anti-virus, remediation, client security

Page 15: Adaptive Threat Defense in Action: Products, Services and Architecture Example

Components in the diagram: PIX, CSA, NAC, quarantine VLAN, Cisco Router, VPN access, Cisco DDoS, Catalyst, Identity-Based Networking, Cisco IPS

• Application Security: application inspection, use enforcement, web control

• Anti-X Defenses: malware/content defense, anomaly detection

• Containment & Control: traffic/admission control, proactive response

Page 16: VoIP Security Test

Hardened for VoIP security in the wiring closet. Topology in the diagram: Call Manager's application servers on a data center VLAN, PSTN, Cisco IP network, a data VLAN and a voice VLAN; two attack points are marked.

Catalyst 4500 security used concurrently:

• Dynamic ARP Inspection

• IP Source Guard

• DHCP Snooping

• Port Security

• VACL

• Policing

Miercom Hacker Assault Team unable to disrupt Cisco VoIP: STOPPED at the edge by a Catalyst 4500...

Miercom quote: "Cisco achieved the highest rating of the vendors tested. Cisco's overall score, an A- on Miercom's VoIP-Security Rating Scale, has set the high bar that other IP-telephony vendors will now endeavor to reach."
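An added example, not Cisco code, showing how three of the Catalyst 4500 features on this slide interlock at an access port: DHCP Snooping learns (MAC, IP, VLAN, port) bindings from DHCP exchanges and discards server replies that arrive on untrusted ports; Dynamic ARP Inspection (DAI) checks ARP sender fields against those bindings; IP Source Guard (IPSG) checks the IP source of ordinary traffic the same way. The port names, MAC and IP addresses and the frame sequence are constructed, and the switch model is a simplification of the real features (no lease expiry, rate limiting or static bindings).

```python
"""Constructed simulation of DHCP Snooping, DAI and IPSG on an access switch."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Frame:
    kind: str                 # "dhcp_request", "dhcp_ack", "arp" or "ip"
    port: str                 # ingress port
    vlan: int
    src_mac: str              # sender MAC (for dhcp_ack: the DHCP server)
    src_ip: str = "0.0.0.0"   # ARP sender IP / IP source / leased address (yiaddr) for dhcp_ack
    client_mac: str = ""      # dhcp_ack only: hardware address (chaddr) of the leased client


class SnoopingSwitch:
    def __init__(self, trusted_ports: List[str]) -> None:
        self.trusted = set(trusted_ports)                 # uplinks toward the DHCP server
        self.pending: Dict[Tuple[str, int], str] = {}     # (mac, vlan) -> port awaiting a lease
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        self.log: List[str] = []

    def _matches_binding(self, f: Frame) -> bool:
        b = self.bindings.get((f.src_mac, f.vlan))
        return b is not None and b.ip == f.src_ip and b.port == f.port

    def handle(self, f: Frame) -> str:
        """Return "forward" or "drop" for one ingress frame."""
        trusted = f.port in self.trusted
        if f.kind == "dhcp_request":
            if not trusted:
                self.pending[(f.src_mac, f.vlan)] = f.port   # remember where the client sits
            return "forward"
        if f.kind == "dhcp_ack":
            if not trusted:
                # DHCP Snooping: server messages are never accepted from client-facing ports.
                self.log.append(f"snooping: DHCPACK from untrusted {f.port} dropped")
                return "drop"
            port = self.pending.pop((f.client_mac, f.vlan), None)
            if port is not None:
                self.bindings[(f.client_mac, f.vlan)] = Binding(f.client_mac, f.src_ip, f.vlan, port)
            return "forward"
        if trusted:
            return "forward"   # DAI and IPSG validate untrusted ports only
        if f.kind == "arp":
            if self._matches_binding(f):
                return "forward"
            self.log.append(f"DAI: ARP {f.src_mac}/{f.src_ip} on {f.port} has no binding, dropped")
            return "drop"
        if f.kind == "ip":
            if self._matches_binding(f):
                return "forward"
            self.log.append(f"IPSG: source {f.src_ip} from {f.src_mac} on {f.port} has no binding, dropped")
            return "drop"
        return "drop"   # unknown frame kind


# Constructed traffic: Gi1/1 is the trusted uplink, Gi1/10 and Gi1/11 are client ports.
TRAFFIC = [
    Frame("dhcp_request", "Gi1/10", 10, "00:aa:00:00:00:01"),
    Frame("dhcp_ack", "Gi1/1", 10, "00:dd:00:00:00:ff", "10.0.10.50", client_mac="00:aa:00:00:00:01"),
    Frame("arp", "Gi1/10", 10, "00:aa:00:00:00:01", "10.0.10.50"),   # consistent with the lease
    Frame("arp", "Gi1/11", 10, "00:aa:00:00:00:02", "10.0.10.1"),    # address never leased to this port
    Frame("ip", "Gi1/10", 10, "00:aa:00:00:00:01", "10.0.10.99"),    # source differs from the lease
    Frame("dhcp_ack", "Gi1/11", 10, "00:aa:00:00:00:02", "10.0.10.60", client_mac="00:aa:00:00:00:01"),
]


def run(traffic: List[Frame], trusted: List[str]) -> Tuple[List[str], SnoopingSwitch]:
    sw = SnoopingSwitch(trusted)
    return [sw.handle(f) for f in traffic], sw


if __name__ == "__main__":
    verdicts, sw = run(TRAFFIC, ["Gi1/1"])
    for f, v in zip(TRAFFIC, verdicts):
        print(f"{f.kind:12s} {f.port:7s} {f.src_mac} {f.src_ip:12s} -> {v}")
    print("\n".join(sw.log))
```

The point of running the three together is that each covers a gap in the others: snooping alone only protects the lease exchange, DAI only inspects ARP, and IPSG only inspects IP; in combination, a client port can speak only as the address the switch saw it lease.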

Page 17: Integrated Systems Equals Greater Value AND Decreased Costs

FOUNDATION TECHNOLOGIES: reduce OPEX by 30-40%; investment protection

SECURE IP COMMUNICATIONS and SECURE WIRELESS: lower implementation costs and TCO; simpler to deploy and manage

SELF-DEFENDING NETWORK: secure, integrated, intelligent systems; trusted and protected business applications, legislative compliance

More effective communication and collaboration through application and infrastructure integration; wireline and wireless equivalence (ubiquitous secure connectivity)

Supporting figures: 29% savings through OPEX reduction, training, support, integration (Sage Research, 2003); 47% savings through simpler management, integration, operations (Sage Research, 2003); NASDAQ internal study, 2004


Page 19: Cisco Security Management Directions

Lifecycle: Provision, Monitor, Analysis, Respond

Device Managers

- Quickest way to set up a device

- Configures all device parameters

- Ships with device

Security Manager (VMS NG)

- Solution for configuring routers, appliances, switches and endpoints

- Applies policy at multiple layers; broadest coverage in the industry

Security Auditor

- Today auditing is highly manual and costly

- Cisco offers auditing with predefined best practice policies

M.A.R.S.

- Solution for monitoring and mitigation

- Visualize attack paths

- Uses control capabilities within the infrastructure to eliminate attacks

Page 20: Integration Through a Systems Architecture: Wireless

(Pillars: Wireless, Management, IP Communications, Security)

• Security: a complete security solution includes threat defense capabilities such as rogue AP detection; secure connectivity through support for strong encryption; and trust and identity features, to enable only those with permission to access the network

• Application aware: fast secure L3 roaming for latency-sensitive applications (through WLSM)

Page 21: Integration Through a Systems Architecture: IP Communications

(Pillars: Wireless, Management, IP Communications, Security)

• Security: comprehensive approach to securing applications and media, leveraging infrastructure in the first true system approach

• Complete applications portfolio: integrated suite of collaboration, call control, voice mail, and voice and video conferencing applications

• Voice aware network: system approach enables appropriate QoS and high availability

Page 22: Security Architecture... Designed in at PRD: Self Defending, Adaptive

Security and services span every product area: routing/switching, service provider, and advanced technologies (IP telephony, security, wireless, optical, storage, networked home).