SDN Overview
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Self-Defending Data Center
Bernie Trudel
Head of Technology, Data Center
Cisco Systems, Asia Pacific
Agenda
• The Evolution of Security Threats
• Cisco Self-Defending Network
• Layers of Security in the Data Center
• Next Generation Security
• Securing against DDoS Attacks
• Application Security
• The Benefits of a Systems Approach
Managing Risk and Compliance: A Diverse and Evolving Set of Concerns
• Downtime and service disruption
• Data loss and disclosure
• Damaged trust
• Compliance recovery
The Evolution of Intent: A Shift to Financial Gain
Threats Are Becoming Increasingly Difficult to Detect and Mitigate
[Chart: Threat Severity (vertical axis) against time, 1990 to 2010. Attacker motivation rises from Notoriety (basic intrusions and viruses) through Fame (viruses and malware) to Financial gain (theft and damage).]
A More Sophisticated Threat Environment With a Structured Network for Financial Gain
[Diagram: a five-stage value chain, Writers -> Middle Men -> First-Stage Abusers -> Second-Stage Abusers -> End Value. Elements shown on the slide:]
- Writers: malware writers (spyware, viruses, Trojans, worms); tool writers
- Middle men and first-stage abusers: hacker or direct attack; internal theft and abuse of privilege; information harvesting; machine harvesting; botnet creation; botnet management; compromised host and application; extortionist / DDoS for hire; spammer; phisher; pharmer / DNS poisoning; identity theft
- Second-stage abusers: personal information; information brokerage; electronic IP leakage
- End value: theft; espionage; extortion; commercial sales; fraudulent sales; click fraud; financial fraud; fame
The Evolving Security Challenge: Emergence of New Attack Types
Source: 2007 CSI Survey
The Need for a Systems Approach
Less Complexity, Improved Usability
Collaborative Operation, Increased Effectiveness
Fewer Devices, Reduced Initial and Ongoing Costs
Cisco Self-Defending Network: A Systems Approach to IT Security
- Integrated: enabling every element to be a point of defense and policy enforcement
- Adaptive: proactive security technologies that automatically prevent threats
- Collaborative: collaboration among the services and devices throughout the network to thwart attacks
Cisco Self-Defending Network 3.0: The Future of IT Security
- Better Together: integrates advanced network, endpoint, content, and application security for evolving threats
- Wide Traffic Inspection: protects against the latest threats using information gathered from across the global network
- End-to-End Solution: provides an end-to-end IT security solution with extensive breadth of protection
Securing the Data Center - Priorities
• Prevent Intrusions, Layers 0 to 7
- Video surveillance and physical access control
- L2 and L3 security services – next generation
- L4-L5 stateful protocol inspection and Network Access Control
- L4-L7 intrusion prevention systems
- HTTP and XML application security
• Ensure Service Availability
- DDoS protection
- Server behavioral protection
• Provide Data Integrity
- Network-based and storage-based encryption
- System-wide monitoring of intrusion
Physical Security: IP Video Surveillance
[Diagram: analog cameras and IP cameras feed IP gateway encoders (interface, encode, compress, network) onto a unicast and multicast IP network spanning LAN and WAN. IP gateway decoders (network, decompress, decode, interface) drive monitors and keyboards; laptops and desktops run the viewing application. Services platforms host the stream manager (operating system and application layers), video storage, recording features and video analytics.]
Impact of Security Outbreak (Virus, Worm, DoS): Direct and Collateral Damage
Availability of networking resources is impacted by the propagation of the worm.
[Diagram: an infected source in the access layer propagates through the distribution and core switches to the system under attack.]
- Network links overloaded: high packet loss; mission-critical applications impacted
- Routers overloaded: high CPU; instability; loss of management
- End systems overloaded: high CPU; applications impacted
Catalyst 6500 Integrated Security Protects Network Infrastructure
[Diagram: the same access / distribution / core topology with the infected source and the system under attack, and the protection applied at each point.]
- Protect the links: QoS; Scavenger Class
- Protect the end systems: Cisco Security Agent
- Protect the switches: CEF; rate limiters; CoPP
- Prevent the attack: NAC & IBNS; ACLs
Catalyst 6500 offers comprehensive hardware-based security features to protect network infrastructure.
Integrated NetFlow delivers scalable monitoring and anomaly detection.
Catalyst Integrated Security Toolkit: Hardening Layer 2/3
• Port security prevents MAC flooding attacks
• DHCP snooping prevents client attacks on the switch and server
• Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
• IP source guard adds security to IP source addresses using the DHCP snooping table
• All features work on switchports
CISF feature and the attack it mitigates:
- Port Security – MAC address flooding
- DHCP Snooping – DHCP rogue server for default gateway interception
- Dynamic ARP Inspection – ARP spoofing or ARP poisoning
- IP Source Guard – IP spoofing
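Added worked example (not from the Cisco deck): a small Python model of how the four CISF features above cooperate around the DHCP snooping binding table. Port security bounds the MACs on an access port, DHCP snooping accepts server replies only from the trusted uplink and records client leases, and Dynamic ARP Inspection and IP Source Guard then check ARP and IP source addresses on untrusted ports against those recorded bindings. Port names, VLAN, addresses, MAC limits and the scenario traffic are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    trusted: bool = False        # uplink toward the real DHCP server (assumed: only Gi1/1 below)
    max_macs: int = 1            # port-security maximum; assumed values per port
    learned: Set[str] = field(default_factory=set)
    err_disabled: bool = False


@dataclass
class Switch:
    ports: Dict[str, Port]
    # DHCP snooping binding table: (vlan, client MAC) -> (leased IP, client port)
    bindings: Dict[Tuple[int, str], Tuple[str, str]] = field(default_factory=dict)
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)  # client requests awaiting a server ACK
    log: List[str] = field(default_factory=list)

    def _drop(self, why: str) -> bool:
        self.log.append(why)
        return False

    def port_security(self, port: Port, src_mac: str) -> bool:
        """Limit source MACs per untrusted port; a violation err-disables the port (shutdown mode)."""
        if port.trusted:
            return True
        if port.err_disabled:
            return self._drop(f"{port.name}: err-disabled, frame from {src_mac} dropped")
        if src_mac not in port.learned:
            if len(port.learned) >= port.max_macs:
                port.err_disabled = True
                return self._drop(f"{port.name}: port-security violation by {src_mac}")
            port.learned.add(src_mac)
        return True

    def dhcp(self, port: Port, vlan: int, src_mac: str, kind: str,
             client_mac: str, yiaddr: Optional[str] = None) -> bool:
        """DHCP snooping: server replies are accepted only from trusted ports; ACKs build the binding table."""
        if not self.port_security(port, src_mac):
            return False
        if kind in ("DISCOVER", "REQUEST"):
            if not port.trusted:
                self.pending[(vlan, client_mac)] = port.name   # remember which port the client sits on
            return True
        if not port.trusted:                                    # OFFER/ACK from an access port = rogue server
            return self._drop(f"{port.name}: rogue DHCP {kind} from {src_mac} dropped")
        if kind == "ACK" and (vlan, client_mac) in self.pending:
            self.bindings[(vlan, client_mac)] = (yiaddr, self.pending.pop((vlan, client_mac)))
        return True

    def _bound(self, port: Port, vlan: int, mac: str, ip: str) -> bool:
        return self.bindings.get((vlan, mac)) == (ip, port.name)

    def arp(self, port: Port, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: on untrusted ports the ARP sender MAC/IP must match a snooping binding."""
        if not self.port_security(port, sender_mac):
            return False
        if port.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return True
        return self._drop(f"{port.name}: DAI dropped ARP claiming {sender_ip} is {sender_mac}")

    def ip_packet(self, port: Port, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IP Source Guard: IP traffic on untrusted ports must come from a bound MAC/IP pair."""
        if not self.port_security(port, src_mac):
            return False
        if port.trusted or self._bound(port, vlan, src_mac, src_ip):
            return True
        return self._drop(f"{port.name}: IPSG dropped {src_ip} from {src_mac}")


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: one uplink, one honest host, one access port used by a rogue device."""
    sw = Switch(ports={"Gi1/1": Port("Gi1/1", trusted=True),
                       "Gi1/2": Port("Gi1/2"),
                       "Gi1/3": Port("Gi1/3", max_macs=2)})
    up, host, rogue = sw.ports["Gi1/1"], sw.ports["Gi1/2"], sw.ports["Gi1/3"]
    vlan, host_mac, server_mac, rogue_mac = 10, "aa:aa:aa:aa:aa:01", "00:11:22:33:44:55", "bb:bb:bb:bb:bb:02"
    r: Dict[str, bool] = {}
    # Legitimate lease: client messages from the access port, server replies via the trusted uplink.
    sw.dhcp(host, vlan, host_mac, "DISCOVER", host_mac)
    sw.dhcp(up, vlan, server_mac, "OFFER", host_mac, yiaddr="10.0.10.50")
    sw.dhcp(host, vlan, host_mac, "REQUEST", host_mac)
    sw.dhcp(up, vlan, server_mac, "ACK", host_mac, yiaddr="10.0.10.50")
    r["binding_learned"] = sw.bindings.get((vlan, host_mac)) == ("10.0.10.50", "Gi1/2")
    # Rogue DHCP server on an access port trying to hand the client a gateway of its choosing.
    r["rogue_offer_dropped"] = not sw.dhcp(rogue, vlan, rogue_mac, "OFFER", host_mac, yiaddr="10.0.10.60")
    # DAI: the host's genuine ARP passes; the rogue claiming the gateway's IP (10.0.10.1) is dropped.
    r["legit_arp_ok"] = sw.arp(host, vlan, host_mac, "10.0.10.50")
    r["poison_arp_dropped"] = not sw.arp(rogue, vlan, rogue_mac, "10.0.10.1")
    # IPSG: the host with its leased address passes; the same host using another address is dropped.
    r["legit_ip_ok"] = sw.ip_packet(host, vlan, host_mac, "10.0.10.50")
    r["spoofed_ip_dropped"] = not sw.ip_packet(host, vlan, host_mac, "10.0.10.200")
    # Port security: a third source MAC on a port limited to two err-disables it.
    for i in range(3):
        sw.ip_packet(rogue, vlan, f"cc:cc:cc:cc:cc:{i:02x}", "10.0.10.77")
    r["flood_errdisabled"] = rogue.err_disabled
    return r


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check:22} {'PASS' if ok else 'FAIL'}")
```

The ordering inside each handler is the point: port security runs first, DHCP snooping decides what reaches the binding table, and both DAI and IPSG only ever consult that table, so a host that never obtained a lease through the trusted uplink cannot make its ARP or IP traffic pass on an untrusted port.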
Service Chaining and Virtualization
Eight active devices can be condensed into two highly available platforms with stateful redundancy and integrated applications.
[Diagram: market data feeds (Bloomberg, ILX, NASDAQ, Reuters, NYSE) enter through a vendor router; the data flow passes an L2 switch interface, a virtual firewall, intrusion protection and an L3 routed interface before the core interconnect to the two core switches.]
Switch Security Scenario: Edge classification with centralized policy enforcement
[Diagram: printers and PCs attach to a Catalyst 6500 with PISA; their traffic then crosses a Catalyst 6500 with FWSM.]
- The Catalyst 6500 with PISA marks emule traffic with a special packet tag mutually agreed between FWSM and PISA.
- FWSM policy: "drop emule". A tagged packet is recognized as emule and dropped.
- At the PC: "What the!? Emule is broken!"
Next Generation Trusted Security
[Diagram: a desktop running Cisco Trusted Agents connects to the corporate network secured with Cisco TrustSec; trust groups appear as numbered groups (5, 51, 58, 72, 93, 95).]
- Client identified and connected
- Client provided trust group (Group 5 assigned)
- Network policy checks: access granted or access blocked
Cisco TrustSec – Next Gen Security
[Diagram: Fibre Channel (FC) and Gigabit Ethernet (GbE) traffic carried over Unified I/O on a common Unified Fabric.]
Seamless service interworking over a common unified fabric ...while simplifying topologies, improving performance, and eliminating Spanning-Tree... ...and encrypting every packet on the wire with TrustSec roles-based security...
Cisco IPS Architecture
[Diagram: traffic enters (IN) and leaves (OUT) the sensor; components shown:]
- Virtual sensor selection
- Modular inspection engines (signature updates, engine updates)
- Attack de-obfuscation
- On-box correlation engine
- Risk-based policy control
- Mitigation and alarm
- Forensics capture
- Cisco Threat Intelligence Services
- Network context information (context data)
CSA: Behavioral Protection for Servers
[Diagram: five attack phases against a target, numbered 1 to 5.]
1. Probe: ping addresses; scan ports; guess user accounts; guess mail users
2. Penetrate: mail attachments; buffer overflows; ActiveX controls; network installs; compressed messages; guess backdoors
3. Persist: create new files; modify existing files; weaken registry security settings; install new services; register trap doors
4. Propagate: mail copy of attack; web connection; IRC; FTP; infect file shares
5. Paralyze: delete files; modify files; drill security hole; crash computer; denial of service; steal secrets
Probe and penetrate phases: rapidly mutating; continual signature updates; inaccurate; focus on vulnerability
Persist, propagate and paralyze phases: most damaging; focus on exploit; change very slowly; inspiration for the Cisco Security Agent solution
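Added worked example (not from the Cisco deck, and not CSA's rule language): a Python sketch of the behavioral idea on this slide. Instead of matching the rapidly mutating probe and penetrate stages by signature, the rules describe the slowly changing persist, propagate and paralyze behaviors (system-location writes, machine-wide registry changes, service installation, IRC or SMTP from processes that have no business with them) and give a per-process verdict from behavior alone. The event format, the process names, the trusted and untrusted parent lists and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    """One host-level action: which process did what to which object (constructed record format)."""
    pid: int
    parent: str      # image name of the parent process
    image: str       # image name of the acting process
    action: str      # file_write | file_delete | registry_write | service_install | net_connect
    target: str


SYSTEM_PATHS = ("c:\\windows\\system32", "/usr/bin", "/etc/")
UNTRUSTED_PARENTS = {"outlook.exe", "iexplore.exe"}   # processes that open content received from outside (assumed)
MAIL_CLIENTS = {"outlook.exe"}                        # processes allowed to speak SMTP (assumed)


def classify(e: Event) -> Optional[str]:
    """Map an action to the slide's persist / propagate / paralyze phase, or None if unremarkable."""
    t = e.target.lower()
    if e.action == "file_write" and t.startswith(SYSTEM_PATHS):
        return "persist"             # create or modify files in a system location
    if e.action == "registry_write" and t.startswith("hklm\\"):
        return "persist"             # machine-wide (security) settings changed
    if e.action == "service_install":
        return "persist"             # install a new service
    if e.action == "net_connect":
        if t.endswith(":6667"):
            return "propagate"       # IRC from a server process
        if t.endswith(":25") and e.image.lower() not in MAIL_CLIENTS:
            return "propagate"       # mail sent by something that is not a mail client
    if e.action == "file_delete" and t.startswith(SYSTEM_PATHS):
        return "paralyze"            # destroying system files
    return None


def evaluate(events: List[Event]) -> Dict[int, str]:
    """Per-process verdict ("allow" / "block") built from behavior; no hash or signature is consulted."""
    phases: Dict[int, Set[str]] = defaultdict(set)
    untrusted_origin: Dict[int, bool] = {}
    verdict: Dict[int, str] = {}
    for e in events:
        untrusted_origin.setdefault(e.pid, e.parent.lower() in UNTRUSTED_PARENTS)
        verdict.setdefault(e.pid, "allow")
        phase = classify(e)
        if phase is None:
            continue
        phases[e.pid].add(phase)
        # Rule 1: code launched from mail or browser content may never take persist-phase actions.
        # Rule 2: any process that chains two post-penetration phases is stopped, whatever it is called.
        if (phase == "persist" and untrusted_origin[e.pid]) or len(phases[e.pid]) >= 2:
            verdict[e.pid] = "block"
    return verdict


def sample_events() -> List[Event]:
    """Constructed event stream: one mail-borne dropper, one legitimate installer, one two-phase process."""
    return [
        Event(100, "outlook.exe", "invoice.exe", "file_write", "C:\\Windows\\System32\\svc.exe"),
        Event(200, "services.exe", "msiexec.exe", "file_write", "C:\\Windows\\System32\\app.dll"),
        Event(300, "explorer.exe", "notepad.exe", "file_write", "C:\\Users\\bob\\notes.txt"),
        Event(400, "explorer.exe", "updater.exe", "registry_write", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\x"),
        Event(400, "explorer.exe", "updater.exe", "net_connect", "198.51.100.7:6667"),
        Event(500, "explorer.exe", "outlook.exe", "net_connect", "mail.example.com:25"),
    ]


if __name__ == "__main__":
    for pid, v in evaluate(sample_events()).items():
        print(pid, v)
```

Process 200 shows why origin matters: an installer launched by the service control manager writes to System32 and is left alone, while the same write from a child of the mail client (process 100) is blocked, and process 400 is blocked only once it links a persist action to a propagate action. None of the decisions depends on what the executable is named or hashed to, which is what lets such rules stay stable while the penetrate-phase payloads keep mutating.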
Systematic Intrusion Protection
[Diagram: VPN access from the Internet, a Cisco IDS sensor and CS-MARS, with Cisco Security Agent (CSA) on the protected hosts.]
• Collaboration example: Cisco Security Agent (CSA); Intrusion Detection (IDS); Cisco Monitoring, Analysis, and Response System (CS-MARS)
DDoS: Why traditional defenses (firewalls, IDS)…
• Optimized for signature-based application-layer detection – the most sophisticated DDoS attacks are characterized by anomalous behavior in layers 3 and 4
• Cannot easily detect DDoS attacks that use valid packets – require extensive manual tuning
• Firewalls are based on static policy enforcement – most DDoS attacks today use "approved" traffic that bypasses the firewall
• Lack of "anomaly detection"
• Lack of anti-spoofing capabilities – to separate good from bad traffic
DDoS Security – Anomaly Detection
[Diagram: traffic to the target and to non-targeted servers passes a Cat6k; an anomaly detector (Cisco IDS, NetFlow system, ...) watches the traffic; the DDoS Guard sits off-path and injects a BGP announcement when activated.]
1. Detect (Anomaly Detector, Cisco IDS, NetFlow system, ...)
2. Activate: auto/manual
3. Divert only the target's traffic (DDoS Guard BGP announcement)
DDoS Security – Scrub Traffic Clean
[Diagram: traffic destined to the target is pulled through the DDoS Guard; legitimate traffic is returned to the target via the Cat6k; non-targeted servers are unaffected.]
4. Identify and filter the malicious traffic
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely
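Added worked example covering the six steps across the two DDoS slides above (not from the Cisco deck, and not the Guard's or Anomaly Detector's algorithms): a Python model of detection by per-destination rate against a learned baseline, diversion by injecting a more specific /32 route for the target only, and scrubbing with a simple anti-spoofing heuristic before forwarding. The flow records, baselines, thresholds, prefixes and the handshake heuristic are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed flow records: (source IP, destination IP, TCP flags seen, packets in the interval).
Flow = Tuple[str, str, str, int]

# Per-server baseline packet rate learned in normal operation (assumed values).
BASELINE = {"10.1.1.10": 200, "10.1.1.20": 150}
FACTOR = 5.0   # alert when a destination receives more than 5x its baseline (assumed threshold)


def detect(flows: List[Flow], baseline: Dict[str, int], factor: float = FACTOR) -> List[str]:
    """Step 1: per-destination anomaly detection, the job of the detector / NetFlow collector in the slide."""
    per_dst: Dict[str, int] = defaultdict(int)
    for _src, dst, _flags, pkts in flows:
        per_dst[dst] += pkts
    return sorted(dst for dst, pkts in per_dst.items() if pkts > factor * baseline.get(dst, 100))


class Routing:
    """Minimal longest-prefix-match table standing in for the Cat6k routing table."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ip_network(prefix), nh) for prefix, nh in routes]

    def next_hop(self, dst: str) -> str:
        matches = [(net, nh) for net, nh in self.routes if ip_address(dst) in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def divert(self, target: str) -> None:
        """Step 3: the Guard announces a /32 for the target; the more specific route wins, nothing else moves."""
        self.routes.append((ip_network(f"{target}/32"), "guard"))


def scrub(flows: List[Flow], target: str) -> Tuple[List[Flow], List[Flow]]:
    """Steps 4-5: split the diverted traffic into (forwarded, dropped).

    Anti-spoofing heuristic used here (an assumption for the example): a source that only ever sends SYNs
    at the target and never carries an ACK has not completed a handshake, so it is treated as spoofed or a
    flooding bot and dropped. Everything else destined to the target is forwarded.
    """
    flags_by_src: Dict[str, set] = defaultdict(set)
    for src, dst, flags, _pkts in flows:
        if dst == target:
            flags_by_src[src].add(flags)
    syn_only = {src for src, seen in flags_by_src.items() if seen == {"S"}}
    forwarded = [f for f in flows if f[1] == target and f[0] not in syn_only]
    dropped = [f for f in flows if f[1] == target and f[0] in syn_only]
    return forwarded, dropped


def build_flows() -> List[Flow]:
    """Constructed interval: a healthy client of 10.1.1.10, normal traffic to 10.1.1.20, and a SYN flood."""
    flows: List[Flow] = [("192.0.2.10", "10.1.1.10", "S", 2), ("192.0.2.10", "10.1.1.10", "A", 40),
                         ("198.51.100.5", "10.1.1.20", "A", 120)]
    flows += [(f"203.0.113.{i}", "10.1.1.10", "S", 25) for i in range(60)]   # 60 spoofed sources, SYN only
    return flows


def run_pipeline() -> Dict[str, object]:
    flows = build_flows()
    table = Routing([("10.1.1.0/24", "core")])
    targets = detect(flows, BASELINE)                      # 1. detect
    for t in targets:                                      # 2. activate (automatic here)
        table.divert(t)                                    # 3. divert only the target's traffic
    forwarded, dropped = scrub(flows, targets[0]) if targets else ([], [])   # 4-5. filter, then forward
    return {"detected": targets,
            "target_next_hop": table.next_hop("10.1.1.10"),
            "other_next_hop": table.next_hop("10.1.1.20"),   # 6. non-targeted traffic flows freely
            "forwarded": len(forwarded), "dropped": len(dropped),
            "dropped_pkts": sum(f[3] for f in dropped)}


if __name__ == "__main__":
    print(run_pipeline())
```

Two practical caveats the model makes visible: the /32 announcement must be kept inside the data center (a leaked more-specific route would pull the target's traffic elsewhere), and the SYN-only heuristic will misjudge a brand-new legitimate client in its first interval, which is why a production scrubber verifies sources actively rather than from passive flag history alone.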
75% of New Application Attacks Focused on Custom Applications
[Diagram: the application layer requiring protection sits above the layers that the network firewall and IDS/IPS cover.]
- Application layer requiring protection: custom web applications and customized packaged applications; internal and third-party code; business logic and code
- Web servers, application servers and database servers, each on their operating systems
- Network (covered by the network firewall and IDS/IPS)
"50% of enterprises and government agencies are using XML, Web services or SOA." Source: Gartner
"XML accounted for 15% of internet traffic in 2005. By 2008, it is expected to account for 50%." Source: 451 Group
Application Security: The Last Line of Defense
Industry's highest performance data center security: 16 Gbps, 1M NAT, 256K ACL entries
[Diagram: a network attack, an XML attack and an application attack, each BLOCKED by a different layer in front of the data center servers and applications: the datacenter firewall, the XML firewall and the application firewall; Cisco ACE is shown at the data center.]
Datacenter Firewall
• Secure from protocol and denial of service attacks
• Encrypt critical content
XML Firewall
• Protect from XML vulnerabilities
• Maintain message integrity and confidentiality
Application Firewall
• Protect from both known and unknown threats
• Protect against "Day Zero" attacks
Ironport's Content Security Story
[Diagram: content security gateways (an Email Security Appliance and a Web / IM / SIP Security Appliance) between the Internet and the LAN, fed by SenderBase (the common security database) and administered from a management controller; mail servers and end-user clients sit behind them.]
- Block incoming threats: spam, phishing/fraud; viruses, Trojans, worms; spyware, adware; unauthorized access
- Enforce policy: acceptable use; regulatory compliance; intellectual property; encryption
- Centralize admin: per-user policy; per-user reporting; quarantine; archiving
The Challenges of Approaching Security Without an End-to-End, Systems Approach
[Diagram: twelve separately managed point products (NAC, firewall, network IPS, IPsec VPN, spam gateway, host IPS, AV gateway, web application firewall, URL filter, SSL VPN, security management, XML firewall), each needing its own:]
- Training and staffing
- Policy implementation
- Threat intelligence
- Event sharing and collaboration
- Configuration and management
The Advantages of a Systems Approach: Lower Cost, Higher Efficiency, Greater Effect
[Diagram: the same point products (NAC, firewall, network IPS, IPsec VPN, spam gateway, host IPS, AV gateway, web application firewall, URL filter, SSL VPN, security management, XML firewall) sharing common:]
- Policy implementation
- Configuration and management
- Training and staffing
- Threat intelligence
- Event sharing and collaboration
- Integration into the network infrastructure
Self-Defending Network in the Data Center
[Diagram: products placed across the tiers: Cisco ASA, Cisco Catalyst 6000 FWSM, ACS, Cisco Security MARS, Cisco® WAAS, Cisco ACE, AXG (Web Applications, B2B, DHTML to XML), Cisco Security Agent on the web, application and database servers, Cisco MDS with SME in front of Tier 1/2/3 storage and tape/offsite backup, CSM, Cisco Security Agent-MC, CW-LMN, Cisco IronPort E-Mail Security and Cisco IronPort Web Security.]
- Data-center edge: firewall and IPS; DoS protection; application protocol inspection; Web services security; VPN termination; e-mail and Web access control
- Web access: Web security; application security; application isolation; content inspection; SSL encryption and offload; server hardening
- Applications and database: XML, SOAP, and AJAX security; DoS prevention; application-to-application security; server hardening
- Storage: data encryption (in motion, at rest); stored data access control; segmentation
- Management: tiered access; monitoring and analysis; role-based access; AAA access control
Market Leader with Commitment to Security
• Product and technology innovation
- 1500+ security-focused engineers
- Nine acquisitions added to our solution portfolio in the last two years
- 100+ NAC partners worked collaboratively with us to deliver an unprecedented security vision
• Industry leadership
- Critical Infrastructure Assurance Group
- Responsible disclosure
- Cisco® Security Center Web destination
- IntelliShield: security intelligence and best-practice sharing
"Because the network is a strategic customer asset, the protection of its business-critical applications and resources is a top priority."
John Chambers, Chairman and CEO, Cisco
Summary
• Threat evolution requires new thinking and a new approach
• Network and content security – SDN evolution
• Cisco TrustSec brings a new paradigm to DC security
• Cisco is committed to defending the Data Center