© 2007 Cisco Systems, Inc. All rights reserved. DESGN v
Evaluating Security Solutions for the Network
Selecting Network Security Solutions
Network Devices Supporting Integrated Security
Cisco IOS router security
PIX security appliance
Adaptive security appliance (ASA)
VPN concentrator
Intrusion prevention system
Catalyst service modules
Endpoint security
Integrated Security for Cisco IOS Routers
Cisco IOS Firewall
 – Stateful multiservice application-based filtering
Cisco IOS IPS
 – In-line deep-packet inspection
Cisco IOS IPsec
 – Data encryption at the IP packet level
Cisco IOS trust and identity
 – AAA
 – PKI
 – SSH
 – SSL
Example: Security Hardware Options for ISRs
Built-in VPN acceleration
Voice security options
High-performance AIM
Cisco IDS Network Module
Cisco Content Engine Module
Cisco Network Analysis Module
Security Appliances
VPN concentrator
 – IPsec and SSL VPN support
PIX security appliance
 – Rich application and protocol inspection
 – Integrated site-to-site and remote access VPNs
ASA, a multifunction security appliance
 – Stateful firewall of PIX appliance, plus
 – Adaptive threat defense capabilities
    Application security
    Anti-X defenses
    IPS
 – Advanced integration modules
Intrusion Prevention Systems
In-line (IPS) or passive (IDS)
Multivector threat identification
Network speeds from multiple T1s to 1 Gbps
 – IPS 4215 sensor protects up to 65 Mbps of traffic
 – IPS 4240 sensor protects up to 250 Mbps of traffic
 – IPS 4255 sensor protects up to 500 Mbps of traffic
 – IPS 4260 sensor protects up to 1 Gbps of traffic
Cisco Catalyst Service Modules
Cisco Firewall Services Module
Cisco Intrusion Detection System Services Module
Cisco SSL Services Module
Cisco IPSec VPN SPA
Cisco Traffic Anomaly Detector Module
Cisco Anomaly Guard Module
Cisco Network Analysis Module
Cisco Security Agent
Spyware and adware protection
Protection against buffer overflows
Distributed firewall capabilities
Malicious mobile code protection
Operating-system integrity assurance
Application inventory
Audit log consolidation
Securing the Enterprise Network
Embed Self-Defending Network features throughout the network in:
 – The enterprise campus
 – The enterprise data center
 – The enterprise edge
Use Self-Defending Network technologies, including:
 – Identity and access control
 – Threat defense
 – Infrastructure protection
 – Security management
Deploying Security in the Enterprise Campus – Identity and Access Control
802.1X or NAC
NAC appliance
ACLs
Firewall
 – Stateful inspection
 – Application inspection
Deploying Security in the Enterprise Campus – Threat Detection and Mitigation
NetFlow
Syslog
SNMP
Host IPS (Cisco Security Agent)
Network IPS
Cisco Security MARS, Cisco Security Manager
Deploying Security in the Enterprise Campus – Infrastructure Protection
AAA
SSH
SNMPv3
IGP or EGP Message Digest 5 (MD5) authentication
Layer 2 security features
Deploying Security in the Enterprise Campus – Summary
Identity and access control: 802.1X, NAC, ACLs, firewalls
Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
Infrastructure protection: AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
Security management: Cisco Security Manager, Cisco Security MARS
Deploying Security in the Enterprise Data Center – Identity and Access Control
802.1X
ACLs
Firewalls
Deploying Security in the Enterprise Data Center – Threat Detection and Mitigation
NetFlow
Syslog
SNMP
Host IPS (Cisco Security Agent)
Network IPS
Cisco Security MARS, Cisco Security Manager
Deploying Security in the Enterprise Data Center – Infrastructure Protection
AAA
SNMPv3
SSH
IGP or EGP MD5
Layer 2 security features
Deploying Security in the Enterprise Data Center – Summary
Identity and access control: 802.1X, ACLs, firewalls
Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
Infrastructure protection: AAA, SSH, SNMPv3, IGP or EGP MD5, Layer 2 security features
Security management: Cisco Security Manager, Cisco Security MARS
Deploying Security in the Enterprise Edge – Identity and Access Control
ACLs
Firewall
IPsec or SSL VPN
NAC appliance
Deploying Security in the Enterprise Edge – Threat Detection and Mitigation
NetFlow
Syslog
SNMP
IPS (host or network)
Cisco Security MARS, Cisco Security Manager
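The campus, data center and edge slides above all list syslog plus a correlation tool (Cisco Security MARS) as the threat detection layer. The following added example, which is not Cisco code and is not part of the original deck, shows the kind of correlation such a tool performs: it parses router ACL "log" hits in the shape of the real Cisco IOS %SEC-6-IPACCESSLOGP message, aggregates denied packets per source, and flags sources that probe many distinct destination/port pairs. The log lines, the ACL name EDGE-IN, the addresses and the threshold of four targets are all constructed assumptions.

```python
"""Correlate Cisco IOS ACL deny messages from syslog to spot a probing host.

Added example, not Cisco material: the log lines below are constructed in the
shape of the IOS %SEC-6-IPACCESSLOGP message; the threshold is an assumption.
"""
import re
from collections import defaultdict

# Message shape: list <acl> denied <proto> <src>(<sport>) -> <dst>(<dport>), N packet(s)
ACL_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample syslog feed from an edge router (documentation address ranges).
SAMPLE_SYSLOG = """\
Mar  1 12:00:01 edge-rtr 101: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(40001) -> 203.0.113.10(22), 1 packet
Mar  1 12:00:01 edge-rtr 102: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(40002) -> 203.0.113.10(23), 1 packet
Mar  1 12:00:02 edge-rtr 103: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(40003) -> 203.0.113.10(25), 1 packet
Mar  1 12:00:02 edge-rtr 104: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(40004) -> 203.0.113.10(80), 1 packet
Mar  1 12:00:03 edge-rtr 105: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.7(40005) -> 203.0.113.11(443), 1 packet
Mar  1 12:00:03 edge-rtr 106: %SEC-6-IPACCESSLOGP: list EDGE-IN denied udp 198.51.100.9(5060) -> 203.0.113.10(5060), 3 packets
Mar  1 12:00:04 edge-rtr 107: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
"""


def parse_acl_denies(text):
    """Return one dict per ACL deny line; unrelated syslog messages are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_DENY.search(line)
        if m:
            ev = m.groupdict()
            for key in ("sport", "dport", "count"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events


def summarize_by_source(events):
    """Per source address: total denied packets and the distinct (dst, dport) pairs it touched."""
    stats = defaultdict(lambda: {"packets": 0, "targets": set()})
    for ev in events:
        entry = stats[ev["src"]]
        entry["packets"] += ev["count"]
        entry["targets"].add((ev["dst"], ev["dport"]))
    return stats


def flag_scanners(stats, min_targets=4):
    """Sources hitting at least min_targets distinct dst/port pairs look like probing.

    The threshold is an assumption for this example; tune it to the site's baseline.
    """
    return sorted(src for src, entry in stats.items() if len(entry["targets"]) >= min_targets)


if __name__ == "__main__":
    stats = summarize_by_source(parse_acl_denies(SAMPLE_SYSLOG))
    for src, entry in stats.items():
        print(f"{src}: {entry['packets']} denied packets, {len(entry['targets'])} distinct targets")
    print("probable scanners:", flag_scanners(stats))
```

In practice the feed would come from the router's syslog export rather than an inline string, and NetFlow records could be aggregated with the same per-source structure; the point is that a single ACL deny is noise, while the distribution of denies per source is a detection signal.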
Deploying Security in the Enterprise Edge – Infrastructure Protection
SNMPv3
AAA
SSH
IGP or EGP MD5
Deploying Security in the Enterprise Edge – Summary
Identity and access control: Firewalls, IPsec, SSL VPN, ACLs
Threat detection and mitigation: NetFlow, syslog, SNMP, Cisco Security MARS, Network IPS, Host IPS
Infrastructure protection: AAA, CoPP, SSH, RFC 2827, SNMPv3, IGP/EGP MD5
Security management: Cisco Security Manager, Cisco Security MARS
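The edge summary lists RFC 2827 filtering under infrastructure protection. The added example below, which is not Cisco configuration and not part of the original deck, expresses that filter as checkable policy logic so the decision rules are explicit: inbound from the ISP, drop packets whose source is private or bogon space or the enterprise's own prefix; outbound toward the ISP, permit only sources inside the enterprise's own prefix (RFC 2827 ingress filtering as seen from the customer edge). The enterprise block 203.0.113.0/24 and the sample packets are constructed assumptions.

```python
"""RFC 2827 style anti-spoofing policy for an enterprise edge, as runnable decision logic.

Added example, not a Cisco configuration: the enterprise prefix and the
sample packets are constructed assumptions.
"""
import ipaddress

# Assumed public allocation of the enterprise (documentation range).
ENTERPRISE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that can never legitimately arrive from the Internet side:
# RFC 1918 private space, loopback, link-local and the unspecified network.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_decision(src):
    """Packet entering from the ISP: deny bogon sources and our own address space (spoofed)."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGON_SOURCES):
        return "deny", "bogon-source"
    if _in_any(addr, ENTERPRISE_PREFIXES):
        return "deny", "spoofed-own-prefix"
    return "permit", "ok"


def egress_decision(src):
    """Packet leaving toward the ISP: only our own prefixes may appear as the source."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, ENTERPRISE_PREFIXES):
        return "permit", "ok"
    return "deny", "source-not-ours"


def apply_policy(packets):
    """packets: iterable of (direction, src) with direction 'in' or 'out'.

    Returns a list of (direction, src, action, reason) in input order.
    """
    results = []
    for direction, src in packets:
        decide = ingress_decision if direction == "in" else egress_decision
        action, reason = decide(src)
        results.append((direction, src, action, reason))
    return results


# Constructed sample traffic seen at the edge interface.
SAMPLE_PACKETS = [
    ("in", "198.51.100.7"),    # ordinary Internet source: permitted
    ("in", "10.20.30.40"),     # RFC 1918 source from outside: spoofed
    ("in", "203.0.113.10"),    # our own address arriving from outside: spoofed
    ("out", "203.0.113.25"),   # legitimate outbound from our block
    ("out", "192.0.2.99"),     # outbound with a foreign source: we would be the spoofer
]

if __name__ == "__main__":
    for direction, src, action, reason in apply_policy(SAMPLE_PACKETS):
        print(f"{direction:3} {src:15} {action:6} {reason}")
```

On a router the same rules become an extended ACL applied inbound on the ISP-facing interface and a matching one outbound; writing them as functions first makes it easy to keep a test set of packets that the ACL must agree with after every change.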
Summary
Cisco has integrated security features into its network devices, including ACLs, firewall support, VPNs, IPS, and event logging. The Cisco Self-Defending Network elements and Cisco network devices with integrated security are deployed throughout the enterprise network.