© 2007 Cisco Systems, Inc. All rights reserved. DESGN v
Evaluating Security Solutions for the Network
Understanding the Cisco Self-Defending Network
Cisco Self-Defending Network
Network as Platform
Efficient security management, control, and response
Advanced technologies and security services to:
–Protect critical assets
–Mitigate the effects of outbreaks
–Ensure privacy
Network as Platform for Security
Cisco Integrated Services Routers
–Integrate Cisco IOS Firewall, VPN, and intrusion prevention system (IPS) services across the Cisco router portfolio
–Deploy new security features on existing routers using Cisco IOS Software
–Cisco NAC-enabled
Cisco Catalyst Switches
–Denial-of-service (DoS) attack mitigation
–Integrated security service modules for high-performance threat protection and secure connectivity
–Man-in-the-middle attack mitigation
Cisco Adaptive Security Appliances
–High-performance firewall, IPS, network antivirus, and IPsec/SSL VPN technologies in one unified architecture
–Device consolidation to reduce overall deployment and operations costs and complexity
–Cisco NAC-enabled
Self-Defending Network Phases
Trust and Identity Management
Trust Is the Root of Security
Trust is a relationship in which two (or more) network entities are allowed to communicate.
Trust forms the root of all security policy decisions.
Trust and risk are opposites; security is based on enforcing limitations on trust relationships.
Trust relationships:
–Can be explicit or implied
–Can be inherited
–Can be abused
Domains of Trust
Question: From a security design perspective, what is the key difference between Case 1 and Case 2?
Answer: Case 2 is more segmented into domains of trust.
Example: Domains of Trust

Domains                | Gradient                  | Safeguards Needed
Private to Public      | Extreme (high risk)       | Advanced firewalling, flow-based inspection, misuse detection (IPS), constant monitoring
Production to Lab      | Minor (low risk)          | Basic access control, casual monitoring
Headquarters to Branch | Steep (considerable risk) | Communication security: authentication, confidentiality, and integrity
Identity
Identity is the "who" of a trust relationship.
The identity of a network entity is verified by credentials.
Both people and devices can be authenticated.
Three authentication attributes:
–Something you know
–Something you have
–Something you are
Common credentials used to prove identity:
–Passwords
–Tokens
–Certificates
Passwords
A password (something you know) correlates an authorized user with network resources; on its own it is single-factor authentication.
Tokens
Strong (two-factor) authentication based on something you know (a PIN or password) and something you have (the token that generates a one-time code)
Access Control in Networks
Confidentiality and integrity are traditionally supported through access control.
Access control enforces rules about which entities can access which resources.
Network access control is based on:
–Authentication, which establishes the identity of the subject
–Authorization, which defines what a subject can do in a network
Audit trails and real-time monitoring provide accounting and security auditing information.
Example: Trust and Identity Management Technologies
Access control lists (ACLs)
Firewalls
–Stateful inspection
–Application inspection
Network Admission Control (NAC)
–NAC Framework
–Cisco NAC Appliance
IEEE 802.1X
Cisco IBNS
Firewall Filtering Using ACLs
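An added illustration of how ACL filtering decides a packet's fate, written for this page rather than taken from the course: a small evaluator with Cisco extended-ACL semantics (top-down, first match wins, wildcard-mask comparison, implicit deny at the end) run against constructed packets, including the ordering mistake that silently shadows a deny. The ACL text, addresses and names are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    action: str              # "permit" | "deny"
    proto: str               # "ip" matches any protocol; otherwise "tcp" | "udp" | "icmp"
    src_net: int
    src_wild: int            # Cisco wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # None = any destination port


def _addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the permit/deny lines of an 'ip access-list extended' block; remarks are ignored."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src_net, src_wild, i = _addr(tok, 2)
        dst_net, dst_wild, i = _addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append(AclEntry(tok[0], tok[1], src_net, src_wild, dst_net, dst_wild, port))
    return entries


def _match(addr: int, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF               # bits the entry actually compares
    return (addr & care) == (net & care)    # works for non-contiguous wildcards too


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, matching line number); line 0 means the implicit 'deny ip any any'."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, e in enumerate(acl, 1):
        if e.proto not in ("ip", proto):
            continue
        if not (_match(s, e.src_net, e.src_wild) and _match(d, e.dst_net, e.dst_wild)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, n          # first match wins; later entries are never consulted
    return "deny", 0


# Constructed sample: inside users may reach the DMZ web server on 443 only, but the
# Internet ("any") freely. The private and DMZ address ranges are made up.
INSIDE_TO_DMZ = """
ip access-list extended INSIDE-TO-DMZ
 remark HTTPS to the DMZ web server, nothing else into the DMZ
 permit tcp 10.1.0.0 0.0.255.255 host 172.16.1.10 eq 443
 deny   ip  10.1.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 permit ip  10.1.0.0 0.0.255.255 any
"""

# The same entries with the broad permit moved first: the deny is now shadowed, and
# SSH to the DMZ host, which the policy meant to block, is allowed.
MISORDERED = """
 permit ip  10.1.0.0 0.0.255.255 any
 permit tcp 10.1.0.0 0.0.255.255 host 172.16.1.10 eq 443
 deny   ip  10.1.0.0 0.0.255.255 172.16.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, text in (("INSIDE-TO-DMZ", INSIDE_TO_DMZ), ("MISORDERED", MISORDERED)):
        acl = parse_acl(text)
        print(name, "ssh to DMZ host ->", evaluate(acl, "tcp", "10.1.5.7", "172.16.1.10", 22))
```

The misordered list is the usual way a firewall ACL fails review: the intent is visible in the deny line, but the hit counters on the device will show it never matching.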
NAC Framework and Appliance
Two approaches for Network Admission Control (NAC)
Offers customers a deployment time-frame choice
Adapts to the investment protection requirements of the customer

NAC Infrastructure | NAC Framework                                                    | Cisco NAC Appliance
                   | Sold through NAC-enabled products                                | Sold as a virtual or integrated appliance
                   | Integrated solution leveraging Cisco network and vendor products | Self-contained product; integrates with but does not rely on partners
IEEE 802.1X Protocol
Identity and Access Control Deployment Locations
Authenticate at the edge.
Deploy ACLs based on policy.
Practice defense in depth.
Threat Defense
Enhances security in the existing network infrastructure
–Protects businesses from operational disruption, lost revenue, and loss of reputation
Adds comprehensive security on network endpoints
–Cisco Security Agent provides endpoint protection
Adds dedicated security technologies to networking devices and appliances
–Security technologies are implemented throughout the network
Physical Security
Physical Security Guidelines
Deploy adequate physical access control.
Evaluate whether physical access can compromise other security features.
Identify additional security issues resulting from device theft.
Protect communications over infrastructure out of your control using cryptography.
Infrastructure Protection
The measures taken to preserve the integrity and availability of the network infrastructure as a transport and service entity
Goals:
–That the network devices are not accessed or altered in an unauthorized manner
–That the end-to-end network transport and any integrated services remain available
Policy enforcement technologies directly help preserve the integrity and availability of the network.
Infrastructure Protection Deployment Locations
Deploy on all network infrastructure devices
–Different mechanisms are used on different platforms, but typically equivalent functions are available.
–More advanced mechanisms are available mainly on higher-end platforms.
Implement throughout the network
Recommended Practices for Infrastructure Protection
Use SSH to access devices.
Enable AAA and role-based access control for access to all network devices.
Collect and archive syslog information.
Use SNMPv3.
Disable unused services.
Use SFTP (SSH FTP) or SCP and avoid FTP and TFTP.
Install vty access lists to limit access to management and CLI services.
Enable control plane protocol authentication.
Consider one-step lockdown in SDM for basic router security.
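An added example, not Cisco tooling, of turning the list above into a check: a script that reads a text copy of `show running-config` and reports which of these practices the device does not meet. The two sample configurations, and every hostname, address, password and community string in them, are constructed for the example; the checks cover only the items on this slide in their common IOS syntax, so a clean result is a starting point rather than a certification.

```python
import re
from typing import Dict, List


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their parent line, the way IOS prints
    'show running-config'. Global one-liners become keys with an empty body."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                            # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[str]:
    """Return one finding per recommended practice that the config does not meet."""
    sec = parse_sections(config)
    glob = set(sec)                             # global commands (section headers)
    findings: List[str] = []

    def require(ok: bool, msg: str) -> None:
        if not ok:
            findings.append(msg)

    require("aaa new-model" in glob, "AAA disabled: add 'aaa new-model'")
    require(any(k.startswith("aaa authentication login") for k in glob),
            "no AAA login method list (local passwords only)")
    require(any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", k) for k in glob),
            "no syslog host: logs are not collected off-box")
    require(not any(k.startswith("snmp-server community") for k in glob),
            "SNMP v1/v2c community configured: migrate to SNMPv3")
    require(any(re.match(r"snmp-server group \S+ v3 priv", k) for k in glob),
            "no SNMPv3 group with authPriv ('... v3 priv')")
    require("no ip http server" in glob, "cleartext HTTP management not disabled")
    require("ip scp server enable" in glob,
            "SCP server disabled: file transfer falls back to FTP/TFTP")

    for name, body in sec.items():
        if name.startswith("line vty"):
            require("transport input ssh" in body,
                    f"{name}: transport input is not SSH-only (Telnet possible)")
            require(any(b.startswith("access-class ") for b in body),
                    f"{name}: no access-class limiting management sources")
        if name.startswith("router ospf"):
            require(any(b.startswith("area ") and "authentication message-digest" in b
                        for b in body),
                    f"{name}: OSPF area authentication not enabled")
    return findings


# Constructed sample: a router left with factory-style management settings.
WEAK_CONFIG = """\
hostname edge-rtr
!
snmp-server community public RO
ip http server
logging buffered 16384
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the same router after applying the practices on this slide.
HARDENED_CONFIG = """\
hostname edge-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
no ip http server
ip scp server enable
logging host 10.0.0.5
snmp-server group NMS v3 priv
snmp-server user nmsuser NMS v3 auth sha AuthPassExample priv aes 128 PrivPassExample
!
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
router ospf 1
 area 0 authentication message-digest
!
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against archived configurations as part of change control, so a rollback or a hand-edited device shows up as new findings rather than going unnoticed until an incident.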
Threat Detection and Mitigation
Provide early detection and notification of unpredicted malicious traffic or behavior.
Goals:
–To detect, notify of, and help stop an event or traffic that is unauthorized and unpredicted
–To help preserve the availability of the network, particularly against unknown or unforeseen attacks
Technologies include:
–Endpoint protection
–Infection containment
–Intrusion and anomaly detection
–Application security and anti-X defense
Example: Threat Detection and Mitigation Technologies
Network-based intrusion prevention systems (NIPS)
–Adaptive security appliance (ASA)
–IPS sensor appliance
–Cisco IOS IPS
Host-based intrusion prevention systems (HIPS)
–Cisco Security Agent
NetFlow
Syslog
Event correlation systems
–Cisco Security Monitoring, Analysis, and Response System (MARS)
Cisco Traffic Anomaly Detector Module
Threat Detection and Mitigation Solutions Deployment Locations
Secure Connectivity
Encryption Fundamentals
A method of protecting the confidentiality of data
Uses keys to encrypt the data and decrypt it at a later time
Encryption Keys
Shared secrets:
–The secret key is carried out of band to the remote side.
–Easiest mechanism, but distributing and rotating the key securely is an inherent concern.
Public key infrastructure (PKI):
–Uses asymmetric cryptography, in which the encryption key is different from the decryption key
–Lets you publish the encryption key while keeping the decryption key secret
–Widely used by e-commerce sites around the world
VPN Protocols
IPsec (IP Security)
–Built directly on the IP layer (ESP is IP protocol 50)
–Uses IKE for key exchange and ESP for packet protection
–Requires IPsec software on endpoints
SSL (Secure Sockets Layer)
–Built on top of the TCP layer (port 443)
–Provides confidentiality for web traffic (HTTPS)
–All major browsers can use SSL
Transmission Confidentiality
Transmission Confidentiality Guidelines
Evaluate the location for transmission confidentiality needs.
Use the strongest available cryptography, performance permitting.
Use well-known and established cryptographic algorithms.
Do not focus on confidentiality alone; integrity and authenticity are also important.
Data Integrity
Data Integrity Guidelines
Evaluate the need for transmission integrity.
Use the strongest available cryptography, performance permitting.
Use well-known and established cryptographic algorithms.
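An added illustration, not from the course material, of why the Transmission Confidentiality slide warns against focusing on confidentiality alone and why this slide treats integrity separately: encryption by itself does not stop an attacker from altering a message. The stream cipher below is a toy built from HMAC-SHA256 in counter mode so the example runs with the Python standard library; the keys, nonce and payment message are constructed. In a real design this job is done by ESP with authentication or an AEAD cipher, not by hand-rolled code.

```python
import hashlib
import hmac

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter), block by block."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only. Any stream cipher, AES-CTR included, is malleable like this."""
    return xor(data, keystream(key, nonce, len(data)))


decrypt = encrypt    # XOR with the same keystream


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, under an independent key."""
    ct = encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message rejected")
    return decrypt(enc_key, nonce, ct)


def bit_flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move: XOR (old ^ new) into the ciphertext at a known offset.
    No key is needed; the change lands on the plaintext exactly."""
    patch = xor(old, new)
    return ct[:offset] + xor(ct[offset:offset + len(patch)], patch) + ct[offset + len(patch):]


# Constructed keys, nonce and message. Real keys come from IKE or a key server, and a
# nonce must never repeat under the same key.
ENC_KEY, MAC_KEY, NONCE = b"\x11" * 32, b"\x22" * 32, b"\x33" * NONCE_LEN
MESSAGE = b"PAY 0000100.00 TO ACME"      # the amount starts at offset 4


def unauthenticated_tamper() -> bytes:
    """Encryption only: the forged amount decrypts cleanly and nobody notices."""
    ct = encrypt(ENC_KEY, NONCE, MESSAGE)
    return decrypt(ENC_KEY, NONCE, bit_flip(ct, 4, b"0000100", b"9999999"))


def authenticated_tamper() -> str:
    """Encrypt-then-MAC: the same flip invalidates the tag and the receiver rejects it."""
    blob = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    ct = bit_flip(blob[NONCE_LEN:-TAG_LEN], 4, b"0000100", b"9999999")
    try:
        open_sealed(ENC_KEY, MAC_KEY, blob[:NONCE_LEN] + ct + blob[-TAG_LEN:])
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("without MAC:", unauthenticated_tamper())   # b'PAY 9999999.00 TO ACME'
    print("with MAC   :", authenticated_tamper())     # rejected
```

The attacker never learns the key or the keystream; knowing the message format is enough. That is why the guideline says "strongest available cryptography" for integrity as well as confidentiality, and why IPsec deployments should use ESP with an authentication algorithm rather than encryption-only transforms.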
Security Management Overview
Security management does the following:
–Collects, analyzes, and presents data
–Provisions policies on security devices
–Maintains consistency and change control of policies
–Provides role-based access control and accounts for all user activity
A security implementation is only as good as the policies it enforces.
In a properly planned architecture, the biggest risk to security is policy error.
Security Management Solutions
Cisco Router and Security Device Manager (SDM)
Cisco Adaptive Security Device Manager (ASDM)
Cisco Intrusion Prevention System Device Manager (IDM)
Management Center for Cisco Security Agents
Cisco Secure Access Control Server (ACS)
Cisco Security Manager
Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)
Summary
The Cisco Self-Defending Network integrates security into the network to give the network the ability to identify, prevent, and adapt to threats.
Trust and identity management provides secure network access and admission at any point in the network and isolates and controls infected or unpatched devices that attempt to access the network.
Threat defense provides a strong defense against known and unknown attacks using security integrated in routers, switches, and appliances.
Secure connectivity uses encryption and authentication to provide secure transport across untrusted networks.
Security management is a framework for scalable policy administration and enforcement.