Secure Enterprise Design

BRKSEC-2000

BRKSEC-2000 14339_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

© 2008, Cisco Systems, Inc. All rights reserved. 14339_04_2008_c1.scr

Agenda
Basic Security Principles
  Network Security Is a System
  Everything Is a Potential Target and Weapon
  Strive for Operational Simplicity
  Security Through Obscurity Is Not Secure
  Confidentiality Is Not the Same as Security
Enterprise Security Policy Design
Design Principles
Case Study/Example
Conclusion

Network Security Is a System
Firewall + AV ≠ Network Security
Network security is not something you can just buy
Technology will assist; policy, operations, and design are more important

Network security system:
A collection of network-connected devices, technologies, and best practices that work in complementary ways to provide security to information assets

Cisco Self-Defending Network

Integrated
Enabling every element to be a point of defense and policy enforcement

Collaborative
Collaboration among the services and devices throughout the network to thwart attacks

Adaptive
Proactive security technologies that automatically prevent threats


Evolution of Security Challenges
(Figure: timeline from the 1980s (1st generation) through the 1990s (2nd generation) and today (3rd generation) to the future (next generation). Target and damage scope grows from an individual computer to individual networks, multiple networks, regional networks, and global infrastructure impact; the time to damage shrinks from weeks to days, minutes, and seconds.)

Evolution of Security Challenges
Broad outbreaks (axis: productivity impact)
  Broad scope, IT burden, user challenges
  But: require automated processes and user self-reliance
  Countered mainly by antivirus and L3/L4 firewalls

Targeted attacks (axis: potential damage)
  Narrow scope, business loss, transparent to the user
  But: nearly invisible, little user knowledge
  Countered by intrusion prevention, behavioral analysis, and application gateways

Simple Real-World Example: Virus/Worm
What devices assist in stopping attacks?
  IPS (host/network, anomaly/signature-based)
  Antivirus (host/network)
  Traditional stateful firewalls do little to stem the tide
(Figure: the path from the Internet through the ISP router, WAN router, stateful firewall, and NIPS into the campus network, with anomaly detection on the campus; AV and HIPS on the WWW/SMTP servers and AV on internal hosts)

Anything Is a Potential Target or Weapon
Hosts are the preferred target for worms and viruses
  A large number of attacks target user hosts
  Compromised hosts become launch points (botnets)

But there are other high-value alternative targets:
  Infrastructure devices: routers, switches
  Support services: DHCP servers, DNS servers
  Endpoints: management stations, IP phones
  Infrastructure: network capacity
  Security devices: IDS/IPS

For Example: How Can a Router Be a Weapon?
  Disable interfaces = DoS
  Change ACLs = change access policy and DoS
  Alter routing tables = change access policy and DoS
  Packet generator = DoS
  Serve false addresses = DoS and Man-in-the-Middle (MitM)
(Figure: a compromised router sitting between the LAN and the Internet)

For Example: How Can an IDS/IPS Be a Weapon?
If shunning (automatically blocking an alert's source address) is implemented, which is not recommended:
  An attacker can spoof an attack signature from the root nameservers' addresses
  This causes the IDS/IPS to shun the root servers
  The target slowly loses reachability to the Internet over time
(Figure: an IDS/IPS sitting between the LAN and the Internet)
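The check a practitioner would put in front of any automatic blocking, as an added example (not code from the Cisco deck): it refuses to shun anything on a never-shun list and anything whose source address was not validated by a completed TCP handshake, which is exactly the spoofing case the slide describes. The addresses in NEVER_SHUN are RFC 5737 documentation addresses standing in for the real root-server and ISP addresses; populate the list from your resolver's root hints and your upstream topology.

```python
"""Auto-shun decision logic: added example, not from the Cisco deck.

NEVER_SHUN and the alert addresses are constructed (RFC 5737 ranges);
fill the list from your root hints file, upstream routers and other
dependencies before trusting it.
"""
from dataclasses import dataclass
import ipaddress

# Hypothetical never-shun list (assumption: these stand in for the real
# root nameserver addresses and the ISP next hop).
NEVER_SHUN = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",      # stands in for root/TLD nameserver addresses
    "198.51.100.1/32",   # upstream ISP router
)]


@dataclass
class Alert:
    src: str            # source address the sensor would shun
    proto: str          # "tcp", "udp" or "icmp"
    established: bool   # True only if the sensor saw the TCP handshake complete
    severity: int       # 0-100, from the signature


def shun_decision(alert: Alert, min_severity: int = 80) -> tuple:
    """Return (shun?, reason). Never blocks an unvalidated source."""
    src = ipaddress.ip_address(alert.src)
    if any(src in net for net in NEVER_SHUN):
        return False, "never-shun list"
    # A signature that fires on a single UDP/ICMP packet or on an
    # unestablished TCP segment proves nothing about the real source:
    # blocking on it lets the attacker choose who you cut yourself off from.
    if alert.proto != "tcp" or not alert.established:
        return False, "source not validated (spoofable)"
    if alert.severity < min_severity:
        return False, "below severity threshold"
    return True, "shun"


if __name__ == "__main__":
    for a in (Alert("192.0.2.53", "udp", False, 100),
              Alert("203.0.113.9", "udp", False, 100),
              Alert("203.0.113.9", "tcp", True, 95)):
        print(a.src, a.proto, shun_decision(a))
```

The established-TCP rule is the important one: a sensor that shuns on UDP or ICMP signatures can be pointed at any address the attacker chooses, so a shun policy should at minimum be limited to sources that completed a handshake, and even then be time-limited.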

Strive for Operational Simplicity
Network ops is critical to security system design
  How will your system hold up under attack?
  Do you have the tools you need to respond effectively?

Good management tools
  Ensure manageability when under attack
  Excellent visibility of threats

Good operational processes
  Ensure late-night changes won't cripple security
  Monitor tools, respond to threats

Operational simplicity helps reduce downtime

Aggregation vs. Segmentation
(Figure: the same extranet client/server pair protected two ways: a chain of discrete devices (router, firewall, NIPS, VPN gateway, SSL offload) versus a single security-enabled switch)
Which meets your business needs?

Security Through Obscurity "Isn't"
Too many secrets is bad for security
  Good crypto algorithms are secure because they are public
  The only "secret" is the key itself

Security design should follow the same principles
  Avoid security that relies on secrets (e.g., running insecure web servers on obscure TCP ports, hiding your firewall manufacturer)

However, don't advertise details of your security (if obscurity is low cost, use it)
  Security shouldn't be affected by publication of your security architecture, but don't post Visio drawings on your website

Confidentiality Is Not the Same as Security
What is confidentiality?
  Protecting information to ensure it is only disclosed to authorized audiences

What is security?
  Protecting systems, resources, and information from unintended and unauthorized access or misuse

Example: encrypted e-commerce with partners and customers
  E-commerce data is "protected" by SSL encryption
  A compromised endpoint attacks the server through the SSL connection
  NIPS and firewalls cannot see the attack inside the encrypted session
  HIPS, PVLANs, and host security are required to protect the servers
(Figure: SSL customer, Internet, e-commerce server and mail server)

Agenda
Basic Security Principles
Policy Design Process
  Overall Lifecycle
  Business Goals and Risk Analysis
  Open vs. Closed Policies
  Security Is Not an Add-On
Design Principles
Best Practice Designs
Case Studies
Conclusion

Overall Security Lifecycle
A security system is one part of a system lifecycle
(Figure: business needs, risk analysis, security policy (policies, guidelines, standards), industry best practices, the security system, and security operations (incident response, monitoring and maintenance, compliance audit))

Business needs
  What does your organization want to do with the network?
Risk analysis
  What is the risk and cost balance?
Security policy
  Define policies, standards, and guidelines to address business needs and risk
Industry best practices
  Use reliable, well-understood, and recommended security best practices
Security operations
  Incident response, monitoring, maintenance, and compliance auditing

Formulating a Security Policy
(Figure: business requirements, risk analysis, regulatory requirements, and cost analysis are the inputs to the security policy)

Business Goals and Risk Analysis
Effective security policies require a clear understanding of business goals and good risk analysis
Business needs often come first
  Your business shouldn't halt due to security concerns
  Security should protect assets and accommodate business goals
  Security often conflicts with ease of use and flexibility

Risk analysis is understanding two key elements:
  The cost/benefit of your security system
  How attack techniques play out in your environment

Open vs. Closed Policies
Open policy: "Yes you can, unless explicitly denied"
  Popular in communal and academic environments
  Generally used by service and transport providers

Closed policy: "No you can't, unless explicitly permitted"
  Popular in enterprise and business environments

Agenda
Basic Security Principles
Policy Design Process
Design Principles
  General Design Principles
  Mapping Technology to Security Requirements
Case Study/Example
Conclusion

Domains of Trust (Zones)
(Figure: two example organizations, 1stcase.com and 2ndcase.com, each carving the same communities (internal users, WAN, external servers, Internet, labs, employees, VPN remote access) into different domains)
Domains of Trust segment communities by policy

Purpose of Domains of Trust
Risk defines policy
  Importance to the business
  Likelihood of being attacked

Security domains are based on like "policy"
  Network segments have different trust levels
  Consistent security controls within a segment
  Define trust relationships between segments

A gradient of trust differentiates domains
  The trust gradient may be minor or extreme
  The gradient determines the security measures

Choke points control trust between segments
  Commonly a network firewall or access control

Domains of trust are key to good network security design

Sample Domains of Trust
(Figure: private zones (production, lab, HQ, branch) versus the public zone)

Steep gradient = high risk: considerable safeguards
  Advanced firewalling
  Flow-based inspection
  Misuse detection (IPS)
  Constant monitoring

Lesser gradient = low risk: basic safeguards
  Basic access control
  Casual monitoring

Considerable safeguards between corporate and public
Protect data transiting steep gradients
  Communication security: authentication, confidentiality, integrity
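The two slides above (open vs. closed policies, and domains of trust with a gradient) are easy to get wrong in the direction of "default permit". The following added example, not code from the Cisco deck, models both: zones carry a trust level, the gradient between two zones picks the safeguards at the choke point, and the same rule list is evaluated under a closed (default-deny) and an open (default-permit) policy so the difference is visible on an unlisted flow. Zone names, trust levels, and the rules are constructed for illustration.

```python
"""Domains of trust, trust gradient and open vs. closed policy.
Added example, not from the Cisco deck; zone names, trust levels and
rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical trust levels (0 = untrusted Internet, 10 = most trusted).
ZONES = {"internet": 0, "public_dmz": 3, "lab": 4, "branch": 7, "hq": 8, "production": 9}


def gradient(src_zone: str, dst_zone: str) -> int:
    return abs(ZONES[src_zone] - ZONES[dst_zone])


def required_controls(src_zone: str, dst_zone: str) -> set:
    """Steeper gradient, stronger safeguards at the choke point."""
    g = gradient(src_zone, dst_zone)
    if g >= 6:
        return {"stateful_firewall", "flow_inspection", "ips",
                "constant_monitoring", "auth_confidentiality_integrity"}
    if g >= 3:
        return {"stateful_firewall", "ips", "monitoring"}
    return {"basic_acl", "casual_monitoring"}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src_zone: str          # zone name or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port

    def matches(self, src_zone, dst_zone, proto, dport) -> bool:
        return (self.src_zone in (src_zone, "any") and self.dst_zone in (dst_zone, "any")
                and self.proto in (proto, "any") and self.dport in (dport, None))


@dataclass
class Policy:
    default_permit: bool   # True = open policy, False = closed policy
    rules: list

    def allows(self, src_zone, dst_zone, proto, dport) -> bool:
        for r in self.rules:                 # first match wins
            if r.matches(src_zone, dst_zone, proto, dport):
                return r.action == "permit"
        return self.default_permit           # the unlisted case is the whole difference


# Closed (enterprise) policy: only what is listed is allowed.
CLOSED = Policy(False, [
    Rule("permit", "internet", "public_dmz", "tcp", 443),
    Rule("permit", "hq", "production", "tcp", 1433),
])

# Open (campus/provider) policy: everything except what is listed.
OPEN = Policy(True, [
    Rule("deny", "internet", "production", "any", None),
])


if __name__ == "__main__":
    print(gradient("internet", "production"), required_controls("internet", "production"))
    print("closed, unlisted ssh:", CLOSED.allows("internet", "public_dmz", "tcp", 22))
    print("open, unlisted ssh:  ", OPEN.allows("internet", "public_dmz", "tcp", 22))
```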

Enterprise Security Zones—Logical
(Figure: ISP, then a DMZ hosting mail, DNS, and Internet access, then the corporate core, with internal zones for Finance, Dev, Web Apps, and Ops)

Enterprise Security Zones—Physical
(Figure: the same zones realized as VLANs on trunked switches: Finance VLAN10, DNS VLAN20, Email VLAN21, with Dev, Web Apps, and Ops on VLANs 11, 12, and 22)


Classic Perimeter Model
(Figure: a firewall/VPN at the Internet edge and antivirus/antispyware on the hosts)

Cisco ASA 5500 Series Adaptive Security Appliances
• Integrated firewall, SSL/IPsec VPN, IPS, content security
• Multi-processor architecture for high services performance and investment protection
• Flexible management options
• Simple Web-based user interface
• Numerous certifications and awards
• And much more…
Cisco ASA 5500 platforms (figure, from teleworker and branch office through Internet edge and campus segmentation to the data center): ASA 5505, 5510, 5520, 5540, 5550, and the new ASA 5580-20 and 5580-40

Versatile Remote Application Access
(Figure: over the public Internet, SSL VPN (AnyConnect remote access, Web VPN portal) and IPsec (remote access, site-to-site) serve supply partners, branch offices, hourly employees, and employees at home)

So Aren't I Safe Already?
(Figure: the classic perimeter again, firewall/VPN plus antivirus/antispyware)

6 Pillars to Shore Up Security
(Figure: six pillars are added around the firewall/VPN and antivirus/antispyware baseline)

Pillar 1: Infrastructure Security

Common Security Threats in the LAN
(Figure: stolen passwords, e.g. the network administrator's "username: dan password: grades" reused by an unauthorized user; unauthorized copying of a confidential plan; bringing down the network)

Infrastructure Protection Technologies
  Control Plane Policing (CoPP)
  Infrastructure ACLs
  Anti-spoofing: RFC 2827 filtering, uRPF
  Dynamic ARP inspection
  DHCP snooping
  STP root guard
  BPDU guard
  CLI AAA
  SSH
  SNMPv3
  Rate-limiters
  Resource schedulers
  MD5 authentication
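Of the items above, RFC 2827 filtering and uRPF are the ones whose behavior is easiest to misjudge, so here is an added example (not code from the Cisco deck) of both checks run against a small constructed FIB: the RFC 2827 ingress/egress filter drops packets that claim our addresses when arriving from the Internet and packets that do not carry our addresses when leaving, and uRPF in strict and loose mode is evaluated against the route back to the source. The FIB, interface names, and addresses are constructed (RFC 5737 and RFC 1918 ranges); the detail that a default route does not satisfy uRPF unless explicitly allowed mirrors the IOS allow-default option.

```python
"""RFC 2827 ingress/egress filtering and unicast RPF against a small FIB.
Added example, not from the Cisco deck; the FIB, interfaces and addresses
are constructed."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.ip_network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed FIB of an edge router: enterprise space behind "inside",
# a default route towards the ISP on "outside".
FIB = [
    Route(Net("10.0.0.0/8"), "inside"),
    Route(Net("203.0.113.0/24"), "inside"),
    Route(Net("0.0.0.0/0"), "outside"),
]
OUR_PREFIXES = [Net("10.0.0.0/8"), Net("203.0.113.0/24")]
# Source addresses that must never arrive from the Internet.
BOGONS = [Net(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                           "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(src: str):
    """Longest-prefix match in the FIB; None if nothing matches."""
    a = ipaddress.ip_address(src)
    best = None
    for r in FIB:
        if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def urpf_passes(src: str, ingress: str, mode: str = "strict",
                allow_default: bool = False) -> bool:
    """Unicast RPF. strict: the route back to src must leave via the
    ingress interface; loose: any route is enough. A default route does
    not count unless allow_default is set (IOS 'allow-default')."""
    route = lookup(src)
    if route is None:
        return False
    if route.prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return route.iface == ingress


def rfc2827_passes(src: str, ingress: str) -> bool:
    """Ingress: packets from the Internet must not claim our addresses or
    a bogon. Egress: packets leaving must carry only our addresses, so the
    enterprise cannot be used to launch spoofed attacks."""
    a = ipaddress.ip_address(src)
    ours = any(a in p for p in OUR_PREFIXES)
    if ingress == "outside":
        return not ours and not any(a in b for b in BOGONS)
    return ours


def admit(src: str, ingress: str) -> bool:
    """Both checks, as an edge router would apply them on an interface."""
    return rfc2827_passes(src, ingress) and urpf_passes(src, ingress, "strict")


if __name__ == "__main__":
    for src, iface in (("10.1.2.3", "outside"), ("10.1.2.3", "inside"),
                       ("198.51.100.7", "outside"), ("192.168.1.5", "outside")):
        print(src, iface, "rfc2827", rfc2827_passes(src, iface),
              "urpf-strict", urpf_passes(src, iface),
              "urpf-loose+default", urpf_passes(src, iface, "loose", True))
```

Note the last case in the main block: legitimate Internet sources only match the default route, so strict uRPF on the outside interface of a single-homed edge fails them; there, loose mode with allow-default (or just the RFC 2827 ACL) is the workable setting, while strict mode belongs on the inside-facing interfaces.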

Controlling Unauthorized Network Expansion
Problem:
  Individuals can add unauthorized devices to the network

Solution:
  Port security limits the MAC addresses allowed on a network port, down to a single device at a time
  Port security counts and pins MAC addresses; it does not authenticate them, so a spoofed MAC address still passes. Use 802.1x (Pillar 2) where identity matters.

Control Plane Policing (CoPP)
Secure routers against DoS attacks
Apply QoS to processor-switched packets
Divide required protocols into priority groups
  Management: SSH, SSL, SNMP, Telnet
  Routing updates
  ICMP
  IPv6
  …
(Figure: incoming packets go through the packet buffer and CEF/FIB lookup; locally destined packets pass through the control-plane policer on their way to the processor (alleviating DoS), and output from the control plane can be put in silent mode to prevent reconnaissance)
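The policing step is the part worth seeing in motion. The following added example (not code from the Cisco deck) models CoPP as a classifier that sorts control-plane packets into priority groups and a token-bucket policer per group, then runs a constructed one-second mix: an ICMP flood, BGP keepalives, and SSH from both the management subnet and an untrusted host. Classes, rates, and the management subnet are constructed; on a real router the same idea is an input service-policy on the control-plane interface.

```python
"""Control Plane Policing modelled as per-class token-bucket policers in
front of the route processor. Added example, not from the Cisco deck;
classes, rates, TRUSTED_NMS and the traffic mix are constructed."""
from dataclasses import dataclass, field
import ipaddress

TRUSTED_NMS = ipaddress.ip_network("10.0.0.0/24")   # hypothetical management subnet


@dataclass
class Packet:
    src: str
    proto: str      # "tcp", "udp", "icmp", "ospf"
    dport: int = 0


@dataclass
class Policer:
    rate: float         # packets per second
    burst: int          # bucket depth (packets)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def conform(self, now: float) -> bool:
        """Refill by elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def classify(p: Packet) -> str:
    """Priority groups: routing first, management only from trusted hosts,
    ICMP and everything else rate-limited, known-undesirable dropped."""
    if p.proto == "ospf" or (p.proto == "tcp" and p.dport == 179):
        return "routing"
    if p.proto == "tcp" and p.dport == 23:             # telnet to the router
        return "undesirable"
    if p.proto in ("tcp", "udp") and p.dport in (22, 161, 162):
        if ipaddress.ip_address(p.src) in TRUSTED_NMS:
            return "management"
        return "undesirable"                           # SSH/SNMP from anywhere else
    if p.proto == "icmp":
        return "icmp"
    return "default"


def new_policy() -> dict:
    return {
        "routing":     Policer(rate=1000, burst=500),
        "management":  Policer(rate=100,  burst=50),
        "icmp":        Policer(rate=50,   burst=100),
        "default":     Policer(rate=20,   burst=20),
        "undesirable": Policer(rate=0,    burst=0),    # police to zero = drop
    }


def run_simulation() -> dict:
    """One second of constructed traffic: 4000 ICMP flood packets, 200 BGP
    keepalives, 30 SSH packets from the NMS and 30 from an outsider.
    Returns accepted/dropped counts per class."""
    policy = new_policy()
    traffic = [(i / 4000, Packet("198.51.100.9", "icmp")) for i in range(4000)]
    traffic += [(i / 200, Packet("10.255.0.2", "tcp", 179)) for i in range(200)]
    traffic += [(i / 30, Packet("10.0.0.5", "tcp", 22)) for i in range(30)]
    traffic += [(i / 30, Packet("198.51.100.9", "tcp", 22)) for i in range(30)]
    traffic.sort(key=lambda t: t[0])
    stats = {c: {"accepted": 0, "dropped": 0} for c in policy}
    for now, pkt in traffic:
        cls = classify(pkt)
        stats[cls]["accepted" if policy[cls].conform(now) else "dropped"] += 1
    return stats


if __name__ == "__main__":
    for cls, s in run_simulation().items():
        print(f"{cls:12s} accepted={s['accepted']:5d} dropped={s['dropped']:5d}")
```

With these numbers the routing and management classes are untouched by the flood, the ICMP class lets through roughly its burst plus one second of its rate (about 150 packets) and drops the rest, and the outsider's SSH never reaches the processor at all.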

Routing Protocol Security
Routers are prone to multiple attacks
  Traffic redirection, black holes, DoS, unauthorized prefix origination

Router compromises can be disastrous
  Hardening is critical

Prefix filtering prevents bogus advertisements
  Define what routing prefixes are allowed from specific locations

Message authentication via MD5 should be done
  Supported in RIPv2, OSPF, BGP, EIGRP, IS-IS
  Prevents both malicious peering attacks and accidental mis-peering
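Both controls on this slide are shown in the added example below (not code from the Cisco deck). The prefix-list filter follows IOS ge/le semantics, where an entry without ge or le matches only that exact prefix length, so a sloppy list silently rejects more-specific routes. The authentication half is a simplified model of keyed-MD5 as OSPFv2 (RFC 2328 Appendix D) and RIPv2 use it: the digest is MD5 over the message with the shared key appended, and a cryptographic sequence number rejects replays. The prefix list, key, and update bytes are constructed, and the message layout is simplified. The value of this construction is that the key never travels on the wire; MD5's collision weakness does not break it, but current IOS also supports HMAC-SHA for OSPF (RFC 5709), which is the better choice where both ends support it.

```python
"""Prefix-list filtering with IOS ge/le semantics, and keyed-MD5 message
authentication with a sequence number modelled on OSPFv2's cryptographic
authentication (RFC 2328 Appendix D). Added example, not from the Cisco
deck; the prefix list, key and updates are constructed and the message
format is simplified."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.ip_network


@dataclass(frozen=True)
class PrefixEntry:
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None


def prefix_list_permits(entries, received: ipaddress.IPv4Network) -> bool:
    """First match wins; no match is an implicit deny. Without ge/le an
    entry matches only the exact prefix length, as 'ip prefix-list' does."""
    for e in entries:
        lo = e.ge if e.ge is not None else e.prefix.prefixlen
        hi = e.le if e.le is not None else (32 if e.ge is not None else e.prefix.prefixlen)
        if received.subnet_of(e.prefix) and lo <= received.prefixlen <= hi:
            return e.action == "permit"
    return False


# What we accept from a branch peer: its own /24, split no finer than /26,
# and never a default route.
BRANCH_IN = [
    PrefixEntry("deny", Net("0.0.0.0/0")),
    PrefixEntry("permit", Net("10.20.0.0/24"), le=26),
]

KEY = b"hypothetical-shared-key"     # per-link key, distributed out of band


def _digest(header: bytes, key: bytes) -> bytes:
    # OSPF keys are 16 bytes: shorter keys are zero-padded, longer truncated.
    return hashlib.md5(header + key.ljust(16, b"\0")[:16]).digest()


def sign_update(payload: bytes, seq: int, key: bytes) -> bytes:
    """seq (4 bytes) || payload || MD5(seq || payload || key)."""
    header = seq.to_bytes(4, "big") + payload
    return header + _digest(header, key)


def verify_update(msg: bytes, key: bytes, last_seq: int) -> Optional[bytes]:
    """Return the payload if the digest matches and seq is fresh, else None."""
    if len(msg) < 20:
        return None
    header, digest = msg[:-16], msg[-16:]
    if not hmac.compare_digest(digest, _digest(header, key)):
        return None                                   # forged or altered
    if int.from_bytes(header[:4], "big") <= last_seq:
        return None                                   # replayed
    return header[4:]


if __name__ == "__main__":
    for p in ("10.20.0.0/24", "10.20.0.128/26", "10.20.0.0/27", "0.0.0.0/0"):
        print(p, prefix_list_permits(BRANCH_IN, Net(p)))
    m = sign_update(b"prefix 10.20.0.0/24 metric 10", 5, KEY)
    print(verify_update(m, KEY, last_seq=4), verify_update(m, KEY, last_seq=5))
```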

Management Channel Security
(Figure: management users and the OOB management network servers reach the management segment in-band in the clear, in-band secured, or out-of-band secured)

In-band in the clear
  Telnet, HTTP, FTP, TFTP, SNMPv2c

Out-of-band management
  Strongest security
  Beware topology-aware management systems

In-band secured
  SSH, SSL, IPsec, SNMPv3, SFTP, SCP

Hybrid
  Combination of the methods listed above
  Based on proximity, scale, device type

Always use AAA when possible
Protect command and control from resource starvation attacks
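Whether a device is actually on the "in-band secured" side of this slide is something you can check mechanically. The added example below (not code from the Cisco deck) audits an IOS-style running-config for the clear-text services listed above and for the absence of AAA, SSHv2, an SNMPv3 authPriv group, and a VTY access-class, and runs it against a constructed weak config and a constructed hardened one. The check IDs are invented for this example and the configs are constructed; the two `<...>` tokens in the hardened config are placeholders for real passphrases.

```python
"""Audit the management plane of an IOS-style running-config for
clear-text protocols and for missing AAA, SSHv2, SNMPv3 and VTY access
control. Added example, not from the Cisco deck: the sample configs are
constructed and the finding IDs are invented for this example."""
import re

# Lines that should not be present: (id, pattern, message)
FORBIDDEN = [
    ("MGMT-TELNET", r"^\s+transport input (?:all|.*\btelnet\b).*$",
     "Telnet accepted on a VTY line; use 'transport input ssh'"),
    ("MGMT-HTTP", r"^ip http server\b.*$",
     "clear-text HTTP management enabled"),
    ("MGMT-SNMP-V2C", r"^snmp-server community\b.*$",
     "SNMPv1/v2c community string configured; use an SNMPv3 authPriv group"),
    ("MGMT-TFTP", r"^tftp-server\b.*$",
     "TFTP server enabled on the device"),
]
# Lines that must be present: (id, pattern, message)
REQUIRED = [
    ("MGMT-NO-AAA", r"^aaa new-model\b", "AAA not enabled"),
    ("MGMT-NO-SSHV2", r"^ip ssh version 2\b", "SSH version 2 not enforced"),
    ("MGMT-NO-SNMPV3", r"^snmp-server group \S+ v3 priv\b",
     "no SNMPv3 group with authentication and privacy"),
    ("MGMT-NO-VTY-ACL", r"^\s+access-class \S+ in\b",
     "VTY lines accept connections from any source"),
]


def audit(config: str) -> list:
    """Return findings as dicts: id, message and the offending line (None
    for a missing required statement)."""
    findings = []
    for fid, pattern, message in FORBIDDEN:
        for m in re.finditer(pattern, config, re.MULTILINE):
            findings.append({"id": fid, "message": message, "line": m.group(0).strip()})
    for fid, pattern, message in REQUIRED:
        if re.search(pattern, config, re.MULTILINE) is None:
            findings.append({"id": fid, "message": message, "line": None})
    return findings


# Constructed "before" config: everything in the clear, no AAA.
WEAK_CONFIG = """\
hostname edge-r1
!
ip http server
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" config: SSHv2 only, AAA, SNMPv3 authPriv, VTY ACL.
HARDENED_CONFIG = """\
hostname edge-r1
!
aaa new-model
aaa authentication login default group tacacs+ local
ip ssh version 2
no ip http server
ip http secure-server
snmp-server group MGMT v3 priv
snmp-server user nms MGMT v3 auth sha <auth-pass> priv aes 128 <priv-pass>
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f["id"], "-", f["message"], "-", f["line"])
    print("hardened findings:", audit(HARDENED_CONFIG))
```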

Pillar 2: Network Identity

Identity-Based Network Services
802.1x answers the questions:
  Who are you?
  Where are you?
  How are you connected?
  What can you do?

Preventing Unwanted Access
Problem:
  Unauthorized users connect to the network and download confidential documents

Solution: 802.1x security
  802.1x with Cisco Access Control Server (ACS) authenticates the user before the port passes traffic
(Figure: the unauthorized user is stopped at the switch port; the Cisco ACS server sits behind the switch)

802.1x Protocol
Host to switch over 802.1x EAPoL; switch to RADIUS/AAA server over RADIUS:
  Host attempts access; LAN connectivity is established at the link layer only
  Switch requests credentials
  Host sends credentials
  Switch forwards the credentials to the ACS server
  Credential assessment is performed
  Authentication result and policy instructions (e.g., dynamic VLAN) are returned
  Switch applies the policy to the port and accepts or rejects

The client authenticates to the authentication server via Extensible Authentication Protocol (EAP)
The switch is an intermediary, but aware of the conversation
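The exchange described above with all three parties' messages, as an added example that is not code from the Cisco deck: the supplicant and authenticator talk EAPoL, the authenticator relays EAP inside RADIUS Access-Request/Access-Challenge, and only the server's Access-Accept (carrying Tunnel-Private-Group-ID for the dynamic VLAN) authorizes the port. EAP-MD5 (RFC 3748 section 5.4) is used as the inner method because its arithmetic fits in one line; the user database, VLAN numbers, and message encoding are constructed, and a real deployment should use PEAP or EAP-TLS rather than EAP-MD5.

```python
"""802.1X exchange: supplicant <-> switch over EAPoL, switch <-> RADIUS,
with EAP-MD5 (RFC 3748 section 5.4) as the inner method and a RADIUS VLAN
assignment on success. Added example, not from the Cisco deck: the user
database, VLAN numbers and message encoding are constructed; real
deployments use a stronger EAP method (PEAP or EAP-TLS) than EAP-MD5."""
import hashlib
import os

USERS = {"alice": ("correct-horse", 10)}   # constructed AAA database: user -> (password, VLAN)
GUEST_VLAN = 99                             # hypothetical VLAN for unauthenticated ports


def eap_md5_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 3748 5.4: MD5(Identifier || shared secret || challenge value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Supplicant:
    def __init__(self, name: str, password: str):
        self.name, self.password = name, password

    def handle(self, eap: dict) -> dict:
        if eap["type"] == "request-identity":
            return {"type": "identity", "name": self.name}
        if eap["type"] == "md5-challenge":
            return {"type": "md5-response", "id": eap["id"],
                    "value": eap_md5_response(eap["id"], self.password, eap["value"])}
        raise ValueError("unexpected EAP request")


class RadiusServer:
    """Authentication server: holds the credentials, never touches the port."""
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}   # session id -> (username, EAP identifier, challenge)

    def access_request(self, session: str, eap: dict) -> dict:
        if eap["type"] == "identity":
            ident, challenge = 1, os.urandom(16)
            self.pending[session] = (eap["name"], ident, challenge)
            return {"code": "Access-Challenge",
                    "eap": {"type": "md5-challenge", "id": ident, "value": challenge}}
        if eap["type"] == "md5-response" and session in self.pending:
            name, ident, challenge = self.pending.pop(session)
            entry = self.users.get(name)
            if (entry and eap["id"] == ident
                    and eap["value"] == eap_md5_response(ident, entry[0], challenge)):
                # Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6)
                return {"code": "Access-Accept",
                        "attrs": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                                  "Tunnel-Private-Group-ID": str(entry[1])}}
        return {"code": "Access-Reject"}


class Switch:
    """Authenticator: relays EAP; only the server's verdict changes the port."""
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.port = {"state": "unauthorized", "vlan": GUEST_VLAN}
        self.log = []

    def connect(self, supplicant: Supplicant, port_id: str = "Fa0/1") -> dict:
        self.log.append("supplicant -> switch: EAPOL-Start")
        self.log.append("switch -> supplicant: EAP-Request/Identity")
        msg = supplicant.handle({"type": "request-identity"})
        self.log.append(f"supplicant -> switch: EAP-Response/Identity ({msg['name']})")
        reply = self.radius.access_request(port_id, msg)
        self.log.append(f"switch -> RADIUS: Access-Request; RADIUS -> switch: {reply['code']}")
        if reply["code"] == "Access-Challenge":
            self.log.append("switch -> supplicant: EAP-Request/MD5-Challenge")
            msg = supplicant.handle(reply["eap"])
            self.log.append("supplicant -> switch: EAP-Response/MD5-Challenge")
            reply = self.radius.access_request(port_id, msg)
            self.log.append(f"switch -> RADIUS: Access-Request; RADIUS -> switch: {reply['code']}")
        if reply["code"] == "Access-Accept":
            vlan = int(reply["attrs"]["Tunnel-Private-Group-ID"])
            self.port = {"state": "authorized", "vlan": vlan}
            self.log.append(f"switch -> supplicant: EAP-Success; {port_id} authorized, VLAN {vlan}")
        else:
            self.port = {"state": "unauthorized", "vlan": GUEST_VLAN}
            self.log.append(f"switch -> supplicant: EAP-Failure; {port_id} stays unauthorized")
        return self.port


def run_dot1x(user: str, password: str) -> dict:
    """Run one authentication against the constructed database."""
    return Switch(RadiusServer(USERS)).connect(Supplicant(user, password))


if __name__ == "__main__":
    sw = Switch(RadiusServer(USERS))
    print(sw.connect(Supplicant("alice", "correct-horse")))
    print("\n".join(sw.log))
```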

Pillar 3: Posture Assessment

Posture Assessment
Before allowing access, NAC will:
Recognize
  User, device, role
Evaluate
  Identify vulnerabilities
Enforce
  Quarantine and remediate before network access

Posture Assessment Use Cases
(Figure: managed LAN users, unmanaged/guest LAN users, wireless LAN users, and VPN/remote/WAN users, all driven by the customer's business issues)

Posture Assessment Design
Client traffic is inline before posture assessment
Traffic is inline or out-of-band afterwards
Potential traffic controls:
  Filters
  Bandwidth
  VLAN retag per role
  User time-outs
(Figure: inline placement covers clients behind hubs, access points, and unsupported switches)

NAC Deployment Flexibility
(Figure: the NAC appliance as a bridged central deployment behind the border router and firewall, as a routed or bridged central deployment at a core switch, or as an edge deployment at the access switch; all managed by the NAC Appliance Manager together with an authentication server)

Pillar 4: Management

Cisco Security Management Suite
(Figure: Configuration, Monitoring, Identity, Auditing, Analysis, Mitigation)


Cisco Security Manager
Manage Cisco security device configurations
  Routers, ASA, FWSM, PIX, IPS

Multiple views into devices and policies
  Device, Policy, Topology

Delivers policy scalability with security service management
  FW, VPN, IPS management with comprehensive security platform controls

Power tools
  FlexConfig, config diff viewer, rule analysis, ACL hit counts

Flexible architecture for unique provisioning capabilities
  Designed to support new and evolving security technologies

Integration with other value-add components
  Syslog correlation with CS-MARS
  Role-based access control (RBAC) with Cisco ACS

CSM: Device/Policy/Topology Views
(Figure: screenshots of the three views)


CS-MARS
Capture multiple sources of data and feed them into the correlation engine
Critical Data Reduction
2,694,083 events → 992,511 sessions → 249 incidents → 61 high-severity incidents
Tremendous data reduction
NetFlow Telemetry
Router (Cisco):
  • Cache creation
  • Data export
  • Aggregation
Collector (Cisco and partners):
  • Collection
  • Filtering
  • Aggregation
  • Storage
  • File system management
Applications (partners): data presentation for network planning and accounting/billing
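The router-side "cache creation" and the collector-side "aggregation" above are concrete enough to show. The added example below (not code from the Cisco deck) builds a NetFlow-style flow cache keyed by the 5-tuple with active and inactive timeouts and immediate export on TCP FIN/RST, then does collector-side aggregation that reports top talkers and flags a source touching many destination ports with one-packet flows, which is how a scan shows up in flow data. The packets are constructed: one HTTP session and a 50-port SYN scan.

```python
"""NetFlow-style flow cache (5-tuple key, active/inactive timeouts,
export on TCP FIN/RST) plus collector-side aggregation that surfaces a
port scan. Added example, not from the Cisco deck; the packets are
constructed."""
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN, RST = 0x01, 0x02, 0x04


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    size: int
    flags: int = 0


@dataclass
class Flow:
    key: tuple            # (src, dst, proto, sport, dport)
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    flags: int = 0


class FlowCache:
    def __init__(self, active_timeout: float = 1800.0, inactive_timeout: float = 15.0):
        self.active, self.inactive = active_timeout, inactive_timeout
        self.cache = {}
        self.exported = []

    def observe(self, p: Packet):
        self.expire(p.ts)
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        f = self.cache.get(key)
        if f is None:
            f = self.cache[key] = Flow(key, p.ts, p.ts)
        f.last = p.ts
        f.packets += 1
        f.bytes += p.size
        f.flags |= p.flags
        if p.proto == 6 and p.flags & (FIN | RST):   # TCP teardown: export now
            self.exported.append(self.cache.pop(key))

    def expire(self, now: float):
        """Export flows idle longer than the inactive timeout or older than
        the active timeout (long-lived flows are reported in slices)."""
        for key, f in list(self.cache.items()):
            if now - f.last > self.inactive or now - f.first > self.active:
                self.exported.append(self.cache.pop(key))

    def flush(self) -> list:
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


def top_talkers(flows, n: int = 3) -> list:
    totals = defaultdict(int)
    for f in flows:
        totals[f.key[0]] += f.bytes
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]


def port_scanners(flows, min_ports: int = 20) -> set:
    """Sources with tiny flows to many distinct destination ports."""
    touched = defaultdict(set)
    for f in flows:
        if f.packets <= 2:
            touched[f.key[0]].add((f.key[1], f.key[4]))
    return {src for src, s in touched.items() if len(s) >= min_ports}


def sample_packets() -> list:
    """Constructed traffic: one HTTP session (201 packets) and a SYN scan
    of 50 ports from an outside host."""
    pkts = [Packet(0.0, "10.1.1.5", "203.0.113.10", 6, 51000, 80, 1500, SYN)]
    pkts += [Packet(i * 0.01, "10.1.1.5", "203.0.113.10", 6, 51000, 80, 1500)
             for i in range(1, 200)]
    pkts.append(Packet(2.0, "10.1.1.5", "203.0.113.10", 6, 51000, 80, 60, FIN))
    pkts += [Packet(5.0 + port * 0.001, "198.51.100.9", "10.1.1.20", 6, 40000 + port, port, 60, SYN)
             for port in range(1, 51)]
    return pkts


def analyse(packets=None) -> dict:
    packets = sample_packets() if packets is None else packets
    cache = FlowCache()
    for p in sorted(packets, key=lambda p: p.ts):
        cache.observe(p)
    flows = cache.flush()
    return {"packets": len(packets), "flows": len(flows),
            "top": top_talkers(flows), "scanners": port_scanners(flows)}


if __name__ == "__main__":
    print(analyse())
```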


Access Control System (ACS)
Key scenarios
  Device administration
  Remote access
  Wireless and 802.1x
  CiscoWorks

Compliance features
  Authentication policy (e.g., require complex passwords)
  Authorization enforcement (e.g., network access, device command authorization)
  Audit logging
(Figure: ACS backed by AD/LDAP and by posture/audit servers)

Pillar 5: Intrusion Detection/Prevention (Network IPS)

Network-Based IDS: The Sensor
  Management interface with an IP address: network link to the management console
  Passive monitoring interface with no IP address: receives a copy of the data flow (data capture)

Network-Based IPS: The Sensor
  Management interface with an IP address: network link to the management console
  Transparent inline interfaces with no IP address: the data flow passes through the sensor

Distributed IPS Solutions
(Figure: central signature file management at the corporate office pushes signature updates over the WAN to Cisco IPS appliances at the regional office, branch office, and small satellite office and to telecommuters)
Accurate Prevention Technologies
Risk Rating Provides Threat Context
The risk rating combines four inputs:
  Event severity: how urgent is the threat?
  Signature fidelity: how prone to false positives?
  Attack relevancy: is the attack relevant to the host being attacked?
  Asset value of target: how critical is this destination host?
Decision support balances attack urgency with business risk; the risk rating drives the mitigation policy
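To make the four inputs concrete, here is an added example (not code from the Cisco deck) that computes a 0-100 risk rating from event severity, signature fidelity, attack relevancy, and target value, and maps the result to an event action. The weighting is an illustrative one built from those four factors, not a claim about the exact arithmetic inside a Cisco sensor, and the target-value table and action thresholds are constructed. The second and third test cases show the point the slide makes: the same signature with the same fidelity lands on different actions depending on whether the target actually runs the vulnerable platform.

```python
"""Risk rating from event severity, signature fidelity, attack relevancy
and target value, and the mitigation action it drives. Added example,
not from the Cisco deck: the weighting is illustrative, not the exact
arithmetic of a Cisco sensor; TARGET_VALUE and the thresholds are
constructed."""
from dataclasses import dataclass

# Target value ratings a practitioner assigns per asset (assumption).
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}


@dataclass
class Event:
    signature: str
    attack_severity: int        # 25 / 50 / 75 / 100 (informational .. high)
    signature_fidelity: int     # 0-100: how confident the signature is
    target_os: str              # what the attacked host runs (from passive OS fingerprinting)
    vulnerable_os: set          # platforms the signature's exploit actually affects
    target_value: str           # key into TARGET_VALUE


def attack_relevance(event: Event) -> int:
    """+10 when the target runs a vulnerable platform, -10 when it does
    not, 0 when the signature carries no platform information."""
    if not event.vulnerable_os:
        return 0
    return 10 if event.target_os in event.vulnerable_os else -10


def risk_rating(event: Event) -> int:
    base = (event.attack_severity * TARGET_VALUE[event.target_value]
            * event.signature_fidelity) / 10000
    return max(0, min(100, int(base + attack_relevance(event))))


def mitigation(rr: int) -> str:
    """Event action overrides keyed on risk rating (constructed thresholds)."""
    if rr >= 90:
        return "deny-attacker-inline"
    if rr >= 70:
        return "deny-packet-inline"
    if rr >= 50:
        return "produce-alert+log-pair"
    return "produce-alert"


if __name__ == "__main__":
    for e in (Event("sql-worm", 100, 90, "windows", {"windows"}, "high"),
              Event("iis-overflow", 75, 80, "windows", {"windows"}, "medium"),
              Event("iis-overflow", 75, 80, "linux", {"windows"}, "medium"),
              Event("noisy-probe", 25, 50, "windows", set(), "low")):
        rr = risk_rating(e)
        print(f"{e.signature:14s} target={e.target_os:8s} rr={rr:3d} -> {mitigation(rr)}")
```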

Accurate Prevention Technologies
Meta Event Generator Delivers Advanced Correlation
On-box correlation allows adaptation to new threats in real time without user intervention
Links lower-risk events into a high-risk meta-event, triggering prevention actions
Models attack behavior by correlating:
  Event type
  Time span
(Figure: individually low- or medium-risk events A, B, C, and D arrive within a ten-second window; together A + B + C + D = WORM, rated high risk, so the packet is dropped and the worm is stopped)
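The meta-event slide above and the earlier CS-MARS data-reduction slide (events, then sessions, then incidents) describe the same two-stage pipeline at different scales, so one added example serves both (not code from the Cisco deck): raw sensor events are first collapsed into sessions keyed by source, destination, and signature, then a sliding time window per source links the lower-risk sessions into a high-risk meta-event that triggers a drop. The event records, signature IDs, and the ten-second window are constructed; the test shows 34 events reducing to 6 sessions and 1 incident, and a source that only completes part of the chain raising nothing.

```python
"""Events -> sessions -> incidents, serving both the CS-MARS data-reduction
slide and the meta-event generator slide. Added example, not from the
Cisco deck; events, signature IDs and the window are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    dst: str
    sig: str          # signature ID
    severity: str     # "low", "medium" or "high"


@dataclass
class Session:
    src: str
    dst: str
    sig: str
    severity: str
    first: float
    last: float
    count: int


# Meta-event definition (constructed): all four component signatures from
# one source within WINDOW seconds.
WORM_COMPONENTS = {"A-port-sweep", "B-rpc-bind", "C-overflow", "D-tftp-fetch"}
WINDOW = 10.0


def sessionize(events, gap: float = 60.0) -> list:
    """Collapse repeats of (src, dst, sig) closer than gap into one session."""
    sessions, current = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        k = (e.src, e.dst, e.sig)
        s = current.get(k)
        if s is not None and e.ts - s.last <= gap:
            s.last, s.count = e.ts, s.count + 1
        else:
            s = Session(e.src, e.dst, e.sig, e.severity, e.ts, e.ts, 1)
            sessions.append(s)
            current[k] = s
    return sessions


def correlate(sessions, components=WORM_COMPONENTS, window: float = WINDOW) -> list:
    """Per source, slide a window over session start times; raise an
    incident when every component signature has fired inside it."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[s.src].append(s)
    incidents = []
    for src, sess in by_src.items():
        sess.sort(key=lambda s: s.first)
        for i, s in enumerate(sess):
            seen = {t.sig for t in sess[i:] if t.first - s.first <= window}
            if components <= seen:
                incidents.append({"src": src, "meta": "WORM", "severity": "high",
                                  "action": "drop", "start": s.first})
                break
    return incidents


def reduce_events(events) -> dict:
    sessions = sessionize(events)
    incidents = correlate(sessions)
    return {"events": len(events), "sessions": len(sessions),
            "incidents": len(incidents), "detail": incidents}


def sample_events() -> list:
    """Constructed: 10.1.1.5 runs the full A-B-C-D chain against 10.1.1.20
    inside 8 seconds (with a noisy 20-event sweep); 10.1.1.7 only sweeps,
    and its B event comes far too late to correlate."""
    ev = [Event(100.0 + i * 0.1, "10.1.1.5", "10.1.1.20", "A-port-sweep", "low") for i in range(20)]
    ev.append(Event(103.0, "10.1.1.5", "10.1.1.20", "B-rpc-bind", "low"))
    ev.append(Event(105.0, "10.1.1.5", "10.1.1.20", "C-overflow", "medium"))
    ev.append(Event(108.0, "10.1.1.5", "10.1.1.20", "D-tftp-fetch", "medium"))
    ev += [Event(200.0 + i, "10.1.1.7", "10.1.1.21", "A-port-sweep", "low") for i in range(10)]
    ev.append(Event(300.0, "10.1.1.7", "10.1.1.21", "B-rpc-bind", "low"))
    return ev


if __name__ == "__main__":
    r = reduce_events(sample_events())
    print(f"{r['events']} events -> {r['sessions']} sessions -> {r['incidents']} incidents")
    for inc in r["detail"]:
        print(inc)
```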

Host-Based IPS
Behavioral Host Intrusion Prevention
Intercepts OS calls and invokes an allow/deny response
Monitors system calls:
  File system
  Network
  Registry
  Execution
"Zero update" architecture
Malicious Behavior
The five phases of an attack against a target, as grouped on the slide:
1 Probe
  • Ping addresses • Scan ports • Guess passwords • Guess mail users
2 Penetrate
  • Mail attachments • Buffer overflows • ActiveX controls • Network installs • Compressed messages • Backdoors
3 Persist
  • Create new files • Modify existing files • Weaken registry security settings • Install new services • Register trap doors
4 Propagate
  • Mail copy of attack • Web connection • IRC • FTP • Infect file shares
5 Paralyze
  • Delete files • Modify files • Drill security hole • Crash computer • Denial of service • Steal secrets

Probe and penetrate: rapidly mutating, require continual signature updates, inaccurate
Persist, propagate, and paralyze: most damaging, change very slowly, the inspiration for the CSA solution
CSA in Action: Protection Against Zotob and Variants (B through G)
  Connects to TCP/445 via a null session
  Buffer overflow against the Plug and Play (PnP) service
  Drops an executable in the System folder
  Modifies the registry and the HOSTS file
  Downloads files via TFTP
  Connects to IRC
  Starts a command shell for FTP and TFTP (1171)
  300 threads scan for other systems to infect
  Deletes registry keys and files
  Terminates processes

Pillar 6: Application Security

IronPort Perimeter Security Appliances
(Figure: IronPort SenderBase feeds the Email Security Appliance and the Web Security Appliance at the Internet edge; the Security Management Appliance manages both)

IronPort SenderBase®
Data Makes the Difference: threat prevention in real time
150 parameters of SenderBase data:
  • Complaint reports
  • Spam traps
  • Message composition data
  • Global volume data
  • URL lists
  • Compromised host lists
  • Web crawlers
  • IP blacklists & whitelists
  • Additional data
Data analysis and security modeling produce SenderBase reputation scores from -10 to +10

IronPort Reputation Filters Stop 80% of Hostile Mail at the Door…
Incoming mail is good, bad, and "grey" or unknown
Reputation filtering first, then the anti-spam engine:
  Known good is delivered
  Suspicious is throttled and spam-filtered
  Known bad is deleted or tagged
IronPort uses identity and reputation to apply policy
Sophisticated response to sophisticated threats

Web Traffic: Clear and Present Risks
The circle of risk: Web traffic brings malware and AUP violations
  35–40% of Web usage is non-business related (source: IDC Research)
  75%+ of enterprises are infected with spyware & malware (source: IDC Research)

Web Traffic: The Long Tail Gets Longer
"Big head + long tail" (figure: traffic volume against number of sites)
  ~110 million sites, ~10–12 billion Web pages, growing at 35–40% annually
  Big head: 50% of traffic is predictable, to well-known domains
  Long tail: the other 50% is growing fast and harbors spyware & malware

IronPort S-Series: Addressing the Entire Spectrum of Web Traffic
(Figure: the same big-head/long-tail curve)
  Big head solution: AUP URL filtering
  Long tail solution: IronPort Web Reputation Filters plus signature-based anti-malware protection

Closing the Application-Network Gap
Simplify, secure, and scale Web services deployment between the application infrastructure and the network infrastructure
Deploy
  Service virtualization
  Mainframe connectivity
Secure
  XML firewall and DoS protection
  Access control integration
  Problem diagnosis/SLA management
  Rich enterprise policy management
Scale
  Application-aware load balancing
  Bandwidth compression
  XML processing offload

(Figure: all six pillars, Infrastructure, Identity, Posture, Management, IPS, and Application, around the Firewall/VPN and Antivirus/Antispyware baseline)

Agenda
Basic Security Principles
Policy Design Process
Design Principles
Best Practice Designs
  Internet Edge
  Campus
  Data Center
Case Study/Example
Conclusion

Enterprise Network
(Figure: endpoints connect through campus access and distribution switches to the core, with the WAN, the data center, and the Internet edge hanging off the core)

What Needs to Be Applied?
Access control and identity:
  At trust domain perimeters
  In front of endpoints or resources

Threat detection and mitigation:
  Throughout the network and in front of key high-value assets

Infrastructure protection:
  On all infrastructure devices

Application security:
  In front of key high-value application resources

Security management:
  Throughout the network, to all devices


Enterprise Internet Edge: Firewall/VPN
[Diagram: Internet, Firewall/VPN block, DMZ, Dist (distribution); the same topology is reused for each security layer below]
Firewall/VPN: ASA5500 Firewall, Firewall Services Module, ASA5500, IOS Firewall

Enterprise Internet Edge: Infrastructure
[Diagram: Internet, Firewall/VPN, DMZ, Dist]
Infrastructure protection on all devices: SNMP v3 – All, AAA – All, CoPP – All, SSH – All, RFC2827 – All, IGP/EGP MD5 – All

Enterprise Internet Edge: Posture and Identity
[Diagram: Internet, Firewall/VPN, DMZ, Dist]
Posture: NAC appliance
Identity: AAA, VPN Proxy Authentication

Enterprise Internet Edge: Management
[Diagram: Internet, Firewall/VPN, DMZ, Dist]
Management: SDEE, NetFlow, Syslog – All, SNMPv3 – All, SSH – All

Enterprise Internet Edge: IPS
[Diagram: Internet, Firewall/VPN, DMZ, Dist]
IPS: IPS 4200, Integrated IPS, CSA

Enterprise Internet Edge: Application
[Diagram: Internet, Firewall/VPN, DMZ, Dist]
Application: IronPort C Series, IronPort S Series, ACE XML Gateway


Enterprise Campus Network: Firewall/VPN
[Diagram: Access, Dist (Si), Core (Si) and a Management (Mngt) block; the same topology is reused for each security layer below]
Firewall/VPN: ACLs, Firewall Services Module

Enterprise Campus Network: Infrastructure
[Diagram: Access, Dist, Core, Mngt]
Access: L2 security features; AAA – All, SSH – All, SNMP v3 – All
Dist and Core (Layer 3 devices): CoPP, uRPF, IGP/EGP MD5

Enterprise Campus Network: Identity and Posture
[Diagram: Access, Dist, Core, Mngt]
Identity (Access): 802.1x, NAC Appliance
Posture (Access): NAC Appliance

Enterprise Campus Network: Management
[Diagram: Access, Dist, Core, Mngt]
Management: Syslog – All, NetFlow – All, SNMPv3 – All, MARS, CSM, NAC Manager

Enterprise Campus Network: IPS
[Diagram: Access, Dist, Core, Mngt]
IPS: CSA, IPS 4200


Enterprise Datacenter Network: Firewall/VPN
[Diagram: Core (Si), Agg (aggregation), Access; the same topology is reused for each security layer below]
Firewall/VPN: Firewall Services Module, ACLs, WAAS, ACE

Enterprise Datacenter Network: Infrastructure
[Diagram: Core, Agg, Access]
Core and Agg: CoPP, uRPF, IGP/EGP MD5
All devices: AAA – All, SNMP v3 – All, SSH – All
Access: L2 security features

Enterprise Datacenter Network: Management
[Diagram: Core, Agg, Access]
Management: NetFlow, Syslog – All, SNMPv3 – All, MARS

Enterprise Datacenter Network: IPS
[Diagram: Core, Agg, Access]
IPS: IPS 4200, CSA

Enterprise Datacenter Network: Application
[Diagram: Core, Agg, Access]
Application: ACE XML Gateway

Agenda
Basic Security Principles
Policy Design Process
Design Principles
Best Practice Designs
Case Studies/Examples: Educational Environment Campus, Financial Environment Campus, Manufacturing Environment Campus
Conclusion

Campus Case Study: Educational
Requirements:
Little control of endpoint posture
Must provide access to various platforms
Must control rogue network devices
[Diagram: Access, Dist, Core (Si); security layers Firewall/VPN, Infrastructure, Identity, Posture, Management, IPS]
Controls applied: NAC Role Assignment; L2 Security; ACLs; FWSM; MD5; IPSM; NetFlow, Syslog, SNMPv3

Campus Case Study: Financial
Requirements:
Full control of endpoint posture
Mixed endpoint platforms
Regulatory concerns
[Diagram: Access, Dist, Core (Si); security layers Firewall/VPN, Infrastructure, Identity, Posture, Management, IPS]
Controls applied: CSA; NAC Role/Posture; L2 Security; ACLs; FWSM; MD5; IPSM; NetFlow, Syslog, SNMPv3

Campus Case Study: Manufacturing
Requirements:
Full control of endpoint posture
Support "dumb" endpoints (e.g., manufacturing equipment/robots)
Mixed endpoint platforms
[Diagram: Access, Dist, Core (Si); security layers Firewall/VPN, Infrastructure, Identity, Posture, Management, IPS]
Controls applied: NAC Role/Profiler; L2 Security; NAC Appliance; ACLs; FWSM; MD5; IPSM; NetFlow, Syslog, SNMPv3

Conclusion
Summary
Network security is a system
Must incorporate business needs, security policy, best practices, risk analysis

Food for thought
Sample designs are a useful start, but every network is unique
New technologies may enhance security, but best practices take time to develop
Thoroughly understand the problems
Fully understand how available tools work
Apply the tools as necessary

Related Sessions
Identity and Access Control
SEC-2005 Deploying 802.1X
SEC-2007 Deploying Cisco IOS Security
SEC-2020 Firewall Design and Deployment
SEC-2041 Deploying Cisco Network Admission Control Appliance

Infrastructure Protection
SEC-2002 Understanding and Preventing Layer 2 Attacks
SEC-2101 Service Provider and Large Network Core Infrastructure Best Practices
SEC-2105 Router Security Strategies: Securing IP Network Traffic Planes

Threat Detection and Mitigation
SEC-2030 Deploying Network-Based Intrusion Prevention Systems
SEC-2031 Understanding Host-Based Threat Mitigation Techniques

Security Management
SEC-2006 Inside the Perimeter: 6 Steps to Improving Your Security Monitoring
SEC-2009 Cisco Security Manager (CSM) and CS-MARS Integration and Deployment
SEC-3009 Operational Firewall and IPS Management Using CSM and MARS

Q and A

Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press. Check the Recommended Reading flyer for suggested books.
Available onsite at the Cisco Company Store.

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.