© 2004 Cisco Systems, Inc. All rights reserved.
Slide 1: Cisco Self Defending Network: Securing the Intelligent Information Network
James Jones
CCIE 1550, CISSP
August 2005
Slide 2: Agenda
• Security evolves to become a business issue
• Cisco’s unique architectural systems approach
• Security is a business enabler
Slide 3: Key Issues Facing Customers Today
SECURITY
• Threats
• Theft
• Loss
• Response time
APPLICATION AND SERVICE OPTIMIZATION
• Enablers
• Awareness
• App management
• Performance/optimization
• Resilience
SIMPLIFICATION
• Scale
• Cost
• Staffing
• Integration and systems management
These issues are common to the compute and network layers.
Slide 4: Security Incidents on the Rise
Chart: number of security incidents per year, 1995 to 2003 (y-axis: incidents, scale 0 to 140,000).
Source: CERT: Carnegie Mellon Software Engineering Institute, IDC
Slide 5: Evolution of Security Challenges
Chart: target and scope of damage (individual computer, individual networks, multiple networks, regional networks, global infrastructure) plotted against time (1980s, 1990s, today, future). Each era corresponds to a generation of threats: 1st gen (weeks), 2nd gen (days), 3rd gen (minutes), next gen (seconds).
Time from knowledge of vulnerability to release of exploit is shrinking.
Slide 6: Security… Top of Mind for Business / Gov’t
Table: Gartner Top Ten Business Trends in 2004, ranked by “Affects Growth of IT Industry”, with 2002 and 2003 rankings shown alongside for comparison (the year columns did not survive extraction):
• Revenue growth
• Use of information in products / services *
• Economic recovery *
• Single view of customer
• Faster innovation
• Greater transparency in reporting
• Enterprise risk management
• Security / Business disruptions
• Operating costs / budgets
• Data protection and privacy
Source: Gartner Top Ten Business Trends, 2004
Slide 7: Regulatory Compliance and the “IAC Triad”
• Regulatory Compliance: HIPAA, Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), Basel II, EPA
• Integrity: assurance of the accuracy and reliability of data and systems, ensuring that neither is modified in an unauthorized manner
• Availability: ensures that the system or data is available and executes in a predictable manner with an acceptable level of performance
• Confidentiality: preventing unauthorized disclosure of sensitive information by ensuring that the necessary level of secrecy is in place at each junction of data processing
Slide 8: Cisco Intelligent Information Network
Business process optimization requires an Intelligent Information Network.
Layers: BUSINESS PROCESSES / APPLICATIONS AND SERVICES / NETWORKED INFRASTRUCTURE
• ACTIVE PARTICIPATION in application and service delivery
• A SYSTEMS APPROACH integrates technology layers to reduce complexity
• Flexible POLICY CONTROLS adapt this intelligent system to your business through business rules
Evolution: CONNECTIVITY to INTELLIGENT NETWORKING
Cisco network strategy: RESILIENT, INTEGRATED, ADAPTIVE
Slide 9: Value of an Integrated Security System
Security is no longer an option… it’s a necessity.
Security as an option:
• Security is an add-on
• Challenging integration
• Not cost-effective
• Cannot focus on core priority
Security as an integral part of a system:
• Security is built in
• Intelligent collaboration
• Appropriate security
• Direct focus on core priority
Slide 10: Self Defending Network Strategy
Cisco strategy (an initiative) to dramatically improve the network’s ability to identify, prevent, and adapt to threats.
SYSTEM LEVEL SOLUTIONS
• Endpoints
• Network
• Services
SECURITY TECHNOLOGY INNOVATION
• Endpoint Security
• Application Firewall
• SSL VPN
• Network Anomaly
INTEGRATED SECURITY
• Secure Connectivity
• Threat Defense
• Trust & Identity
Slide 11: Phases of Self Defending Network (SDN)
Point Products (starting point):
• Multiple security appliances
• Separate management software
SDN Phase I: Integrated Security
SDN Phase II: Collaborative Systems
SDN Phase III: Adaptive Threat Defense
“5–7 Years to Drive Architecture”
Slide 12: Securing the IP Fabric with Integrated Security
Security Technology Leadership (best-of-breed security): VPN Concentrator, Cisco Firewall, Cisco IDS Sensors
Networking Technology Leadership (20 years of routing & switching expertise): Cisco IOS VPN, Cisco ISR, Cisco Catalyst
Integrated Security:
• Network Infrastructure Protection: protect the network infrastructure from attacks (Control Plane Policing, NBAR, AutoSecure)
• Trust & Identity: leverage the network to intelligently protect endpoints (NAC, 802.1x)
• Secure Connectivity: secure and scalable network connectivity (Secure Voice (sRTP, V3PN), DMVPN, MPLS & IPSec)
• Threat Defense: prevent and respond to network attacks and threats such as worms (Intrusion Prevention, NetFlow, App Firewall, OPS)
Slide 13: NAC – First Collaborative Security System
Diagram (NAC Framework): a desktop client attempts a connection to the corporate network; the network performs an authentication and policy check of the client, with three possible outcomes: a) access granted, b) access denied, c) quarantine. A quarantined client is placed in a quarantine VLAN for remediation.
And more to come…
Slide 14: Current NAC Program Participants
http://www.cisco.com/en/US/partners/pr46/nac/partners.html
Partner categories: ANTI VIRUS, REMEDIATION, CLIENT SECURITY
Slide 15: Adaptive Threat Defense in Action: Products, Services and Architecture Example
Diagram components: PIX, CSA on the hosts, NAC, quarantine VLAN, Cisco routers, Catalyst switches, VPN access, Cisco DDoS, Cisco IPS, Identity-Based Networking.
• Application Security: app inspection, use enforcement, web control
• Anti-X Defenses: malware/content defense, anomaly detection
• Containment & Control: traffic/admission control, proactive response
Slide 16: VoIP Security Test: Hardened for VoIP Security in the Wiring Closet
Test topology: Call Manager and application servers in a data center VLAN, a PSTN connection, and a Cisco IP network with separate data and voice VLANs; two attack points at the access edge.
Catalyst 4500 security features used concurrently:
• Dynamic ARP Inspection
• IP Source Guard
• DHCP Snooping
• Port Security
• VACL
• Policing
Result: the Miercom Hacker Assault Team was unable to disrupt Cisco VoIP; the attacks were STOPPED at the edge by a Catalyst 4500.
Miercom quote: “Cisco achieved the highest rating of the vendors tested. Cisco’s overall score, an A- on Miercom’s VoIP-Security Rating Scale, has set the high bar that other IP-telephony vendors will now endeavor to reach.”
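The six Catalyst 4500 features on this slide map onto a short access-layer IOS configuration. The block below is an added illustration, not Cisco's slide content or the Miercom test configuration; VLAN numbers, subnets, interface names, the MAC limit and the policing rate are assumptions, and the IP Source Guard keyword form varies by platform and release.

```cisco
! Assumed: data VLAN 10, voice VLAN 20, voice subnet 10.20.0.0/16 (illustrative values).

! DHCP Snooping: builds the IP/MAC/port/VLAN binding table that Dynamic ARP
! Inspection and IP Source Guard check against; only the uplink may answer DHCP.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option

! Dynamic ARP Inspection: drops ARP packets whose sender IP/MAC do not match a
! snooping binding, so a host on the data VLAN cannot poison phones or the gateway.
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip

! VACL: data-VLAN hosts may not talk directly to the voice subnet;
! sequence 20 forwards everything that sequence 10 did not drop.
ip access-list extended DATA-TO-VOICE
 permit ip any 10.20.0.0 0.0.255.255
vlan access-map BLOCK-DATA-TO-VOICE 10
 match ip address DATA-TO-VOICE
 action drop
vlan access-map BLOCK-DATA-TO-VOICE 20
 action forward
vlan filter BLOCK-DATA-TO-VOICE vlan-list 10

! Policing: cap the ingress rate of each access port so a flooding PC cannot
! starve the switch or the voice traffic (rate/burst are assumptions).
policy-map LIMIT-ACCESS-PORT
 class class-default
  police 10000000 bps 16000 byte conform-action transmit exceed-action drop

! Phone + PC access port: Port Security limits learned MACs (phone and PC),
! IP Source Guard drops spoofed source addresses using the snooping bindings,
! and the port stays untrusted for DHCP and ARP.
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ip verify source vlan dhcp-snooping port-security
 service-policy input LIMIT-ACCESS-PORT
 spanning-tree portfast

! Uplink toward the distribution layer and DHCP server: the only trusted port.
interface TenGigabitEthernet1/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

Verify the result with show ip dhcp snooping binding and show ip arp inspection statistics, which expose the bindings the edge is enforcing and any ARP packets it has dropped.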
Slide 17: Integrated Systems Equals Greater Value AND Decreased Costs
Layers: FOUNDATION TECHNOLOGIES / SECURE IP COMMUNICATIONS / SECURE WIRELESS / SELF-DEFENDING NETWORK
Value statements:
• Reduce OPEX by 30-40% (investment protection)
• Lower implementation costs and TCO (simpler to deploy and manage)
• Secure, integrated, intelligent systems
• Trusted and protected business applications, legislative compliance
• More effective communication and collaboration through application and infrastructure integration
• Wireline and wireless equivalence (ubiquitous secure connectivity)
Supporting figures:
• 29% savings through OPEX reduction, training, support, integration (Sage Research, 2003)
• 47% savings through simpler management, integration, operations (Sage Research, 2003)
• NASDAQ internal study, 2004
Slide 19: Cisco Security Management Directions
Lifecycle: Provision, Monitor, Analysis, Respond
Device Managers:
- Quickest way to set up a device
- Configures all device parameters
- Ships with the device
Security Manager (VMS NG):
- Solution for configuring routers, appliances, switches and endpoints
- Applies policy at multiple layers; broadest coverage in the industry
Security Auditor:
- Today auditing is highly manual and costly
- Cisco offers auditing with predefined best-practice policies
M.A.R.S.:
- Solution for monitoring and mitigation
- Visualize attack paths
- Uses control capabilities within the infrastructure to eliminate attacks
Slide 20: Integration Through A Systems Architecture: WIRELESS
• Security: a complete security solution includes threat defense capabilities such as rogue AP detection; secure connectivity through support for strong encryption; and trust and identity features, to enable only those with permission to access the network
• Application Aware: fast secure L3 roaming for latency-sensitive applications (through WLSM)
Architecture quadrants: WIRELESS, MANAGEMENT, IP COMMUNICATIONS, SECURITY
Slide 21: Integration Through A Systems Architecture: IP COMMUNICATIONS
• Security: comprehensive approach to securing applications and media, leveraging the infrastructure in the first true system approach
• Complete Applications Portfolio: integrated suite of collaboration, call control, voice mail, and voice and video conferencing applications
• Voice Aware Network: the system approach enables appropriate QoS and high availability
Architecture quadrants: WIRELESS, MANAGEMENT, IP COMMUNICATIONS, SECURITY
Slide 22: Security Architecture… Designed in at PRD: Self Defending, Adaptive
Product areas: ROUTING / SWITCHING; SERVICE PROVIDER; ADVANCED TECHNOLOGIES (IP TELEPHONY, SECURITY, WIRELESS, OPTICAL, STORAGE, NETWORKED HOME); SECURITY and SERVICES