Cisco Security Solutions: January 2009
For Customers
Cisco Security Solutions
Contents
Why Security Matters More Than Ever
Security Appliances
• Cisco ASA 5500 Series Adaptive Security Appliances
Firewall
Intrusion Prevention Systems
Cisco Router Security
End-Point Security
• Cisco Security Agent
• Cisco Network Admission Control
Email, Web, and Content Security
• Cisco Web Security Gateway Appliances
• Cisco IronPort Email Security Appliances
• Cisco ACE Web Application Firewall
• Content Security on the Cisco ASA 5500 Series
Management
• Cisco Security Monitoring, Analysis, and Response System
• Cisco Security Manager
• Cisco Secure Access Control System
• Cisco Enterprise Policy Manager
Switch Security
• Cisco Catalyst 6500 Series Security Services Modules
• Cisco TrustSec
Solutions
• Compliance
• Cisco Virtual Office
Virtual Private Networks
• Site-to-Site VPNs
• Remote-Access VPNs
Putting It All Together
Security Appliances
[Figure: network diagram. Labels: Private WAN, Internet, Cisco Unity® System, Cisco ASA 5500 Security Appliance]
Intrusion Prevention Systems
Overview
The most trusted and widely-deployed IPS in the world, Cisco Intrusion Prevention System (IPS) provides proven protection against over 30,000 threats to help customers secure their confidential data and meet ever-increasing compliance mandates. Cisco IPS accurately identifies, classifies, and stops malicious traffic, including worms, spyware / adware, network viruses, and application abuse before they affect business continuity. Cisco Anomaly Detection stops Day-Zero attacks before signature updates are available.
Cisco IPS collaborates with other key network components for end-to-end network-wide protection. Threat information is shared between Cisco IPS and the host-based IPS Cisco Security Agent and Cisco wireless controller. Available as a dedicated appliance, Cisco IPS is also integrated into Cisco firewall, switch, and router platforms for maximum protection and deployment flexibility.
The following figure shows how Cisco IPS products fit within the network.
[Figure: network diagram. Labels: Branch Office, Mobile Worker, Main Office, Data Center, Management: Cisco Security Manager, Cisco Security MARS, Cisco ASA 5500 with IPS, Secure Wireless, IPS, Private WAN, Internet]
Intrusion Prevention Systems (continued)
Benefits
• Advanced IPS technology based on 12 years of IPS innovation
• Proven protection against more than 30,000 threats
• Tight integration with host-based IPS (Cisco Security Agent) for end-to-end protection
• Tight integration with Cisco Wireless Controller for secure wireless deployments
• Simplified management with Cisco IPS Manager Express for smaller organizations
• Enterprise-class policy management with Cisco Security Manager and Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)
• Protects against more than just virus outbreaks, such as attacks targeted against a company’s information
• Helps prevent against severe loss due to disruptions, theft, or defacement caused by compromised servers
• Stops worm and virus outbreaks at the network level, before they reach the desktop
Flexible deployment options include:
• Cisco IPS 4200 Series Sensors as standalone IPS appliances.
Learn more at: http://www.cisco.com/go/4200
• Integrated Cisco ASA 5500 Series Advanced Inspection and Prevention Security Services Modules (AIP SSM10, AIP SSM20, and AIP SSM40) provide intrusion prevention, firewall, and VPN in a single, easy-to-deploy platform.
Learn more at: http://www.cisco.com/go/aipssm
• Cisco AIM-IPS, NME-IPS, or Cisco IPS Sensor Software for integrated services routers.
Learn more at: http://www.cisco.com/go/ime
• Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Modules.
Learn more at: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps5058/index.html
• Cisco Adaptive Wireless IPS protects the wireless signal from being hijacked by an intruder while Cisco’s network IPS prevents authenticated users (with a legitimate user name and password) from performing malicious or unauthorized activity, such as stealing confidential data.
Learn more at: http://www.cisco.com/go/wips
For more information on Cisco IPS solutions, please visit:
http://www.cisco.com/go/ips
Cisco Router Security
Overview
It’s crucial to secure your critical network infrastructure, including Cisco® routers.
• Cisco Router Security adds important security features with a strong return on investment (ROI).
• This feature set adds the following capabilities to your branch router: site-to-site VPN, IPsec and SSL remote-access VPN, Common Criteria/EAL4-certified stateful firewall, content filtering, inline intrusion prevention, Network Admission Control (NAC), and security management.
• A good business continuity design typically includes encrypted dual WAN links, remote network access during disasters, and stateful failover of critical services. Cisco Router Security enables all these solutions.
• Cisco Router Security can enable other network services such as secure unified communications (voice and video) and secure wireless LAN.
The following figure shows how the Cisco Router Security fits in the network.
[Figure: network diagram. Labels: Branch Office, Mobile Worker, Main Office, Data Center, Application Servers, Secure Wireless, Cisco Unified CallManager, Cisco Unity® System, Cisco IOS Router Security, ASR Router Security, Private WAN, Internet. Note in figure: Branch Firewall is included in Secure WAN Bundle]
Cisco Router Security (continued)
Benefits
• Maximizes ROI by greatly increasing router value with security services such as firewall, IPsec and SSL VPN, intrusion prevention, content filtering, and Network Admission Control (NAC)
• Enables your business to securely deploy wireless LAN and unified communications services such as voice and video
• Offers a secure, cost-effective, easy-to-manage, and scalable solution for site-to-site business communications
• Enables compliance with U.S. federal and state data and network privacy laws (for example, Payment Card Industry [PCI] requirements)
• Simplifies management burden by converging security and other services in a single network device
For more information, please visit:
http://www.cisco.com/go/routersecurity
The following figure shows the security services available through Cisco Router Security
[Figure: service layers.
Secure Network Solutions: Compliance, Business Continuity, Secure Voice, Secure Mobility
Integrated Threat Control: Advanced Firewall, Content Filtering, Intrusion Prevention, Flexible Packet Matching, Network Admission Control, 802.1x, Network Foundation Protection
Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN
Management and Instrumentation: Role-Based Access, CCP, NetFlow, IP SLA]
End-Point Security
[Figure: network diagram. Labels: Internet, Groupware]
Email, Web, and Content Security
The following figure shows how a Cisco ACE Web Application Firewall fits in the network.
[Figure: network diagram. Labels: Web Client, Web-Enabled Applications, Portal, Network Firewall, Cisco ACE Application Switch, Internet, Private WAN]
Management
Policy-Based Access Control
Functional
• Is Joe allowed to view employee profile?
• Can he adjust salary (if so, what limit/approval)?
Data
• What fields of the employee profile can Joe see?
• Is he entitled to view address of employees in “EMEA” and can he see data about all VPs and their direct reports?
Switch Security
[Figure: security services. Labels: Stateful Firewall, Virtualization Services, Application Firewall, IPS]
[Figure: network diagram. Labels: Cisco Unified CallManager, Cisco Catalyst Switch, Guest, Unknown]
Solutions
Compliance
Overview
• The Payment Card Industry (PCI) is a global industry standard to protect customer credit card information while it is in process, in transit, or while being stored.
• Cisco® PCI Validated Architectures, a set of architectures audited by a PCI Qualified Security Assessor (QSA) address many of the PCI requirements.
• The Cisco PCI solution includes Cisco products and services:
  • Cisco ASA 5500 Series Adaptive Security Appliances with firewall, VPN, and IPS
  • Cisco Secure Access Control System (ACS)
  • Cisco IOS® Software on Cisco integrated service routers with firewall, VPN, and IPS
  • Unified Wireless Network with Cisco Wireless Control Server (WCS), Wireless LAN Controller, and Aironet® 1100 and 1200 Series Wireless Access Points
  • Cisco Security Agent
  • Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS)
  • Cisco Security Manager
  • CiscoWorks Network Compliance Manager
  • Cisco Network Admission Control (NAC) Appliance
  • Cisco IronPort® Email Security
  • Cisco ACE WAF
  • Cisco IPS 4200 Series intrusion prevention system appliances
  • Cisco Catalyst® 6500 Series Firewall Services Module (FWSM) and Intrusion Detection Services Module (IDSM-2)
• Professional services that can help achieve PCI compliance, and then help maintain a compliant state
• Cisco PCI Services from Cisco and from Cisco Security Specialized Partners include:
  • Cisco PCI Gap Analysis Service
  • Cisco PCI Remediation Service
  • Cisco PCI Remote Monitoring and Management Service
  • Cisco PCI Periodic Gap Analysis Service
[Figure: PCI architecture diagram. Zones: Remote Location, Internet Edge, Main Office, Network Management Center. Labels: POS Terminal, POS Server, Cisco Security Agent (CSA), WAP 1200, Switch, ISR, 7300 Router, ASA 5500, IPS, 6500 Switch, NAC, NCM/CAS, ACS, IronPort, CS-MARS, Cisco Security Manager, WAN]
Compliance (continued)
Benefits
• Reduces network complexity, expense, and risk of fines and penalties by establishing a proven, PCI-validated architecture
• Provides organizations with a step-by-step approach toward achieving PCI compliance
• Shows how customers can use their existing Cisco investment
• User-friendly and auditor-friendly PCI reports reduce audit time and expense
• End-to-end integrated solution delivers stronger value beyond individual product benefits
For more information, please visit:
http://www.cisco.com/go/compliance
Solutions
[Figure: diagram. Labels: Headend, Management]
The following figure shows how Cisco site-to-site VPNs fit in the network
[Figure: network diagram. Labels: Branch Office, Mobile Worker, Main Office, Data Center, Application Servers, Cisco Unified CallManager, Cisco Unity® System, Secure Wireless, Cisco IOS Router with VPN, Secure ASR Router Security with Site-to-Site and Remote-Access VPN, Cisco Catalyst 6500 Series VPN, Cisco ASA 5500 Security Appliance with IPsec and SSL, Private WAN, Internet]
Virtual Private Networks
[Figure: network diagram. Labels: Mobile Worker, IPsec or SSL VPN, Internet, Private WAN, Cisco Catalyst 6500 Series VPN, Cisco ASA 5500 Security Appliance with IPsec and SSL]
Putting It All Together
The Cisco® Self-Defending Network provides the most comprehensive, end-to-end approach to network security in the industry. Our world-class solutions not only provide best-of-breed capabilities and features, but also provide a level of security not available anywhere else, through:
1. Integration: Critical security functions have been woven into Cisco’s entire line of appliances and network devices, as well as into all of our critical business applications and services, such as unified communications and data center.
2. Collaboration: An additional layer of security is achieved through unprecedented collaboration between security and network devices, and between different security devices and solutions.
3. Adaptability: The ability to identify a security event anywhere on the network, and share that information across the network, allows Cisco solutions to dynamically adapt the network’s overall security profile to real-time threats and events.
This integrated, collaborative, and adaptive approach to security provides comprehensive, in-depth defense and maximum risk reduction, while lowering total cost of ownership, making it the ideal choice for securing your networked environment.
[Figure: network diagram. Labels: Branch Office, Main Office, Cisco Security MARS, Cisco Secure ACS, Cisco Security Manager, NAC Appliance, Secure Wireless, Desktops with Cisco Security Agent, Servers with Cisco Security Agent, Secure WAN Router with Firewall, Catalyst 6500, VPN Module, FWSM, IDS Module, ACE WAF/AXG, Guard, Detector, Cisco IronPort S-series and C-series, MDS 9000 with SME, Private WAN, Internet]