Deploying IOS Security: BRKSEC-2007

Deploying IOS Security
BRKSEC-2007
BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
© 2006, Cisco Systems, Inc. All rights reserved.

14465_04_2008_c2.scr
Agenda
Drivers for Integrated Security

Technology Overview
Design Considerations
Deployment Models
Real World Use Cases
Case Study
Summary
BRKSEC-2007
Security as an Option
Security is an add-on Security is built-in
Challenging integration Intelligent collaboration
Not cost-effective Appropriate security
Cannot focus on core priority Direct focus on core priority
BRKSEC-2007

14465_04_2008_c2.scr
Threats and Challenges
Threats at the Branch Office and HQ
Branch Office
DDoS on
Router
Attack on DMZ
Attacks on branch
servers QFP
Internet
Head Quarter
Web surfing
Branch Office
Worms/Viruses Wireless attacks
Voice
attacks
Branch Office
BRKSEC-2007
Requirement of Integrated Security Solution

IOS Security
Securing the Branch Office and HQ
Branch Office
Network
Secure Internet
Foundation
Protection
access to branch,
DDoS on without the need
Application
Router
for additional
Firewall
Integrated devices
Attacks on HQ Firewall
Control worms
branch servers QFP
IPS FPM Internet

Head Quarter
and viruses right
Worms
at the remote site,
011111101010101
congesting
WAN
Regulate
conserve WAN
URL surfing
Voice Wireless
bandwidth
Filtering Security Security Wireless
Voice
attacks
attacks Protect the router
itself from hacking
and DoS attacks
Branch Office
BRKSEC-2007

14465_04_2008_c2.scr
Agenda
Drivers for Integrated Security

Technology Overview
Deployment Models
Case Study
Summary
BRKSEC-2007
Cisco IOS Security—

Router Technologies
QFP
Secure Network Solutions
Compliance Secure Secure Business

Voice Mobility Continuity
Integrated Threat Control

011111101010101
Advanced URL Intrusion Flexible Network Network

Firewall Filtering Prevention Packet Admission 802.1x Foundation
Matching Control Protection
Secure Connectivity Management and Instrumentation
Role Based
GET VPN DMVPN SSL VPN IPsec VPN SDM NetFlow IP SLA
Access
BRKSEC-2007

14465_04_2008_c2.scr
Integrated Threat Control
Cisco IOS Firewall (Classic and Zone-Based)
Cisco IOS Application Intelligence Control
Cisco IOS Intrusion Prevention System
Cisco IOS URL Filtering
Cisco IOS Flexible Packet Matching (FPM)
Cisco IOS Network Foundation Protection
(NFP)
BRKSEC-2007
Cisco IOS Firewall Overview Advanced

Firewall
Advanced Layer 3–7 Firewall
Cisco IOS Firewall is Common Criteria certified firewall
Stateful filtering
Application inspection (Layer 3 through Layer 7)
Application control—Application Layer Gateway (ALG)
engines with wide range of protocols and applications
Built-in DoS protection capabilities
Supports deployments with Virtualization (VRFs),
transparent mode and stateful failover
IPv6 support
http://www.cisco.com/go/iosfw
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS Zone-Based
Policy Firewall Advanced
Firewall
Allows grouping of physical and Supported Features

virtual interfaces into zones Stateful Inspection
Application Inspection: IM, POP,
Firewall policies are applied to traffic IMAP, SMTP/ESMTP, HTTP
traversing zones URL filtering
Per-policy parameter
Simple to add or remove interfaces
Transparent firewall
and integrate into firewall policy
VRF-aware firewall (Virtual
Firewall)
Private-DMZ
Policy DMZ
DMZ-Private
Public-DMZ
Policy
Policy
Trusted Internet Untrusted
Private-Public
Policy
BRKSEC-2007
Cisco IOS Zone-Based Firewall—

Rule Table (SDM) Advanced
Firewall
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS Zone-Based Policy Firewall
Configuration (Command Line Interface (CLI)
class-map type inspect match-any services
Define Services
match protocol tcp
Inspected by Policy
!
policy-map type inspect firewall-policy
class type inspect services Configure Firewall
Action for Traffic
inspect
!
zone security private
zone security public Define Zones
!
zone-pair security private-public source private destination public
service-policy type inspect firewall-policy Establish Zone Pair,
! Apply Policy
interface fastethernet 0/0
zone-member security private
!
Assign Interfaces to
interface fastethernet 0/1 Zones
zone-member 192.168.1.2
security public
BRKSEC-2007
Cisco IOS Transparent Firewall

Introduces “stealth firewall” capability
No IP address associated with firewall (nothing to attack)
No need to renumber or break up IP subnets
IOS Router is bridging between the two “halves” of the network
Use Case: Firewall Between Wireless and Wired LANs
Both “wired” and wireless segments are in same subnet 192.168.1.0/24
VLAN 1 is the “private” protected network.
Wireless is not allowed to access wired LAN
192.168.1.3
Wireless
Fa 0/0
Internet
VLAN 1
Transparent
192.168.1.2 Firewall
BRKSEC-2007

14465_04_2008_c2.scr
Transparent Cisco IOS Firewall
Classification: Security Zone Policy:
class-map type inspect match-any protocols zone-pair security zone-policy source wired
destination wireless
match protocol dns
service-policy type inspect firewall-policy
match protocol https
!
match protocol icmp
interface VLAN 1
match protocol imap
description private interface
match protocol pop3
bridge-group 1
match protocol tcp
zone-member security wired
match protocol udp
!
interface VLAN2
Security Policy:
description public interface
bridge-group 1
class type inspect protocols
zone-member security wireless
Inspect
Layer2 Configuration:
bridge configuration
Security Zones:
bridge irb
zone security wired
bridge 1 protocol ieee
zone security wireless
bridge 1 route ip
BRKSEC-2007
Cisco IOS Flexible Packet 011111101010101
Matching (FPM) Flexible

Packet
Matching
Rapid Response to New and Emerging Attacks
Network managers require tools to filter day-zero
attacks, such as before IPS signatures are
available
Traditional ACLs take a shotgun approach—
legitimate traffic could be blocked
Example: Stopping Slammer with ACLs
meant blocking
port 1434—denying business transactions
involving
Microsoft SQL
FPM delivers flexible, granular Layer 2–7
matching
Example: port 1434 + packet length 404B +
specific pattern within payload Æ Slammer
0111111010101010000111000100111110010001000100100010001001
Match Pattern AND OR NOT

Cisco.com/go/fpm
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS Flexible Packet Matching
Configuration - Slammer Filter
Class-map stack ip-udp
Match field ip protocol eq 17 next udp
Class-map access-control slammer

Match field udp dport eq 1434
Match start ip version offset 224 size 4 eq 0x04011010
Match start network-start offset 224 size 4 eq 0x04011010
Policy-map access-control udp-policy

access-control typed class
Class slammer defines traffic pattern: udp
Drop dst port 1434, starting from
IP header, offset 224 byte,
Poliyc-map access-control fpm-policy
the 4 byte value should be
0x04041010
Class ip-udp
service-policy udp-policy
BRKSEC-2007
Cisco IOS Intrusion Prevention (IPS) IPS

Distributed Defense Against Worms and Viruses
Cisco IOS IPS stops attacks at the entry point, conserves WAN bandwidth, and
protects the router and remote network from DoS attacks
Integrated form factor makes it cost-effective and viable to deploy IPS in Small and
Medium Business and Enterprise branch/telecommuter sites
Supports 2000+ signatures sharing the same signature database available with
Cisco IPS sensors
Allows custom signature sets and actions to react quickly to new threats
Protect router
and local network Stop attacks
from DoS attacks before they fill
up the WAN
Branch Office
Internet Corporate Office
Apply IPS on traffic from

Small Branch branches to kill worms
Small Office and
Telecommuter from infected PCs
http://www.cisco.com/go/iosips
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS Intrusion Prevention System (IPS)
Download Cisco IOS IPS Files to your PC Cisco IOS IPS Configuration (Con’t)
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup retired false
IOS-Sxxx-CLI.pkg
realm-cisco.pub.key.txt interface fast Ethernet 0
ip ips ips-policy in
Configure Cisco IOS IPS Crypto Key
mkdir ipstore (Create directory on flash) Load the signatures from TFTP server
Paste the crypto key from copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
realm-cisco.pub.key.txt Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
Cisco IOS IPS Configuration show ip ips signature count

ip ips config location flash:ipstore retries 1 Total Compiled Signatures:
ip ips notify SDEE 338 -Total active compiled signatures
ip ips name ips-policy
ip ips signature-category
category all
retired true
category ios_ips basic
BRKSEC-2007
Comprehensive, Scalable
IPS Management IPS
Integrated, Collaborative Security for the Branch
Full range of management options:
Cisco SDM 2.5 † provides full IPS provisioning and monitoring for single router
Cisco Security Manager 3.1† / CS-MARS for Enterprise IPS
CLI option supports automated provisioning and signature update†
Cisco Configuration Engine for MSSP—scales to thousands of devices‡
Operational consistency across Cisco IPS portfolio

Risk Rating and Event Action Processor (SEAP) reduce
false positives‡
Enhanced Microsoft signature support (MSRPC and SMB)†
† New in Cisco IOS 12.4(15)T2

‡ Unique in the Industry
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS Transparent IPS
Use Case: IPS Between Wireless and Wired LANs IPS
Introduces “stealth IPS” capability

No IP address associated with IPS (nothing to attack)
IOS Router is bridging between the two “halves” of the network
Both “wired” and wireless segments are in same subnet

192.168.1.0/24
VLAN 1 is the “private” protected network.
192.168.1.3
Wireless
Fa 0/0
Internet
VLAN 1
Transparent
192.168.1.2 IPS
BRKSEC-2007

http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup interface VLAN 1
IOS-Sxxx-CLI.pkg description private interface
realm-cisco.pub.key.txt bridge-group 1
ip ips ips-policy out
mkdir ips5 (Create directory on flash) interface VLAN 2
Paste the crypto key from description private interface
realm-cisco.pub.key.txt bridge-group 1
Cisco IOS IPS Configuration
ip ips config location flash:ips5 retries 1 Load the signatures from TFTP server
ip ips notify SDEE copy tftp://192.168.10.4/IOS-S289-CLI.pkg
ip ips name ips-policy idconf
ip ips signature-category Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
category all
retired true show ip ips signature count
category ios_ips basic Total Compiled Signatures:
338 -Total active compiled signatures
retired false
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS URL Filtering URL
Filtering
Internet Usage Control

Control employee access to
entertainment sites during
work hours Internet
Control downloads of
Branch Web
objectionable or offensive Office Surfing
material, limit liabilities
Cisco IOS supports static whitelist
and blacklist URL filtering
External filtering servers such as
Websense, Smartfilter can be
used at the corporate office, with
Cisco IOS static lists as backup
SDM 2.3 supports configuring
static lists and importing .csv files
for URL lists
BRKSEC-2007
Router Hardening Network

Foundation
Protection
A router can be logically divided

Data Plane into three functional planes:
Ability to forward 1. Data plane: The vast majority of
data packets handled by a router travel
through the router by way of the
data plane
Control Plane
2. Management plane: Traffic from
Ability to route management protocols and other
interactive access protocols, such
as Telnet, Secure Shell (SSH)
protocol, and SNMP, passes
Cisco NFP Management through the management plane
Plane 3. Control plane: Routing control
Ability to manage protocols, keepalives, ICMP with
IP options, and packets destined
to the local IP addresses of the
Think “Divide and Conquer”: router pass through the control
plane
Methodical Approach to Protect
Three Planes
BRKSEC-2007

14465_04_2008_c2.scr
Network Foundation Protection
Detects traffic anomalies & respond to attacks in real-time

Data Plane Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH,
QoS tools
Defense-in-depth protection for routing control plane

Control Plane Technologies: Receive ACLs, control plane policing, iACL’s,
neighbor authentication, BGP best practices
Secure and continuous management of Cisco IOS network

Management infrastructure
Plane Technologies: CPU & memory thresholding, dual export syslog,
image verification, SSHv2, SNMPv3, security audit, CLI views
http://www.cisco.com/go/nfp
BRKSEC-2007
Router Hardening: Traditional Methods

Disable any unused protocols Use ‘type 5’ password
VTY ACLs ‘service password encryption’ is
reversible and is only meant to
SNMP prevent shoulder surfing
Community ACL Run AAA

Views Don’t forget Authorization
and Accounting
Disable SNMP RW
Disable extraneous
Use SNMPv3 for RW if needed
interface features
Prevent dead TCP sessions
Encrypt Sessions
from utilizing all VTY lines
service tcp-keepalives-in
SSH
IPSec
BRKSEC-2007

14465_04_2008_c2.scr
Best Practice - Features to Disable
BOOTP IP redirects
CDP IP Source Routing
Configuration auto-loading IP unreachable notifications
Identification service
DNS
NTP
DHCP Server
PAD Service
Finger Proxy Arp
HTTP Server Gratuitous Arp
FTP Server SNMP
TFTP Server TCP Small Servers
UDP Small Servers
IP Directed Broadcast
MOP Service
IP mask reply
TCP keep-alives
BRKSEC-2007
Cisco IOS Control Plane Policing Network

Foundation
Protection
Continual Router Availability Under Stress
Mitigates DoS attacks on control plane (route processor) such as
ICMP floods
Polices and throttles incoming traffic to control plane; maintains packet
forwarding and protocol states during attacks or heavy traffic load
Control Plane
Management Routing Management

ICMP IPv6 …..
SNMP, Telnet Updates SSH, SSL
Input Output
to control plane from control plane
Control Plane Policing Silent Mode

(alleviates DoS attacks) (prevents
reconnaissance)
Processor
Switched Packets
Packet Output Packet

Buffer Buffer
Incoming Locally
Packets Switched Packets
CEF/FIB Lookup
Cisco.com/go/nfp
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS AutoSecure Network
Foundation
Protection
One Touch Automated Router Lockdown
Disables Non-Essential Services
Eliminates DoS attacks based on fake
requests
Disables mechanisms that could be
used to exploit security holes
Enforces Secure Access

Enforces enhanced security in
accessing device
Enhanced security logs
Prevents attackers from knowing
packets have been dropped
Secures Forwarding Plane

Protects against SYN attacks
Anti-Spoofing
Enforces stateful firewall configuration
on external interfaces, where available http://www.cisco.com/go/autosecure
BRKSEC-2007
Secure Connectivity
Secure Connectivity
GET VPN DMVPN Easy VPN SSL VPN
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IPsec VPN Technologies
Features Easy VPN DMVPN GET VPN
Infrastructure Network Public Internet Transport Public Internet Transport Private IP Transport
Hub-Spoke; (Client to Hub-Spoke and Spoke-to- Any-to-Any;

Network Style
Site) Spoke; (partial mesh) (full-mesh)
Dynamic routing on Dynamic routing on IP

Routing Reverse-route Injection
tunnels WAN
Stateful Hub Crypto Route Distribution Model

Failover Redundancy Route Distribution Model
Failover + KS: Stateful
Encryption Style Peer-to-Peer Protection Peer-to-Peer Protection Group Protection
Multicast replication at Multicast replication at Multicast replication in IP

IP Multicast
hub hub WAN network
BRKSEC-2007
Cisco GET VPN GET VPN
GET VPN Simplifies Security Policy and GET VPN Uses IP Header Preservation
Key Distribution to Mitigate Routing Overlay
Group
Original IP packet
Group
Member Member IP IP Header IP Payload
Subnet 1 Packet
Subnet 3
Private IPsec Tunnel Mode

Group WAN Group
IPsec
Member Member New IP

ESP Header
Original
Original
Header IPIP
Header IP Payload
Header
Subnet 2 Subnet 4
IP Header Preservation
GET
Key Original IP Original

Original
ESP Header IPIP
Header IP Payload
Server Header Header
Key Server
GET uses Group Domain of Interpretation (GDOI): RFC 3547

standards-based key distribution
GET adds cooperative key servers for high availability
Key servers authenticate and distribute keys and policies; group member
provisioning is minimized; application traffic is encrypted by group members
BRKSEC-2007

14465_04_2008_c2.scr
Cisco Dynamic Multipoint VPN DMVPN
Full meshed connectivity with Secure On-Demand

simple configuration of hub Meshed Tunnels
and spokes Hub
Supports dynamically
addressed spokes
Zero touch configuration for
addition of new spokes WAN
Spoke C
What’s New in Phase 3

Improved Scaling—NHRP/CEF Rewrite
and EIGRP Scaling enhancements Spoke A Spoke B
Manageability Enhancements = DMVPN Tunnels
= Traditional Static Tunnels
= Static Known IP Addresses
Cisco.com/go/dmvpn = Dynamic Unknown IP Addresses
BRKSEC-2007
Cisco Enhanced Easy VPN Easy VPN
Centralized Policy-Based Management

Automated deployments—no user intervention
Enforces consistent policy on remote devices What’s New in Easy VPN?
Add new devices without changes at headend
CTA/NAC policy enforcement
Supports dynamic connections with VPN Centralized policy push for
integrated client firewall
Interoperable across Cisco access and
security devices Password aging via AAA
cTCP NAT transparency and
Cisco VPN client—the only FIPS-certified client firewall traversal
DHCP client proxy and DDNS
registration
1. Remote calls ‘home’
Split DNS
Per-user policy from Radius
3. VPN tunnel
Support for identically
Cisco Security addressed spokes behind
Router Corporate NAT with split tunnels
2. Validate, Policy push
Office
VTI manageability—Display of
VRF information, summary
Internet
commands
Cisco VPN Software
Hardware Client: Cisco
ASA, PIX®, Security Router Client on PC/MAC/UNIX http://www.cisco.com/go
BRKSEC-2007
/easyvpn

14465_04_2008_c2.scr
Cisco IOS SSL VPN SSL VPN
Clientless Access Full Network Access
Internet Internet
SSL IP over SSL
Web based + Application Helper IP-Based Applications

Browser-based (clientless) Application agnostic
Gateway performs content Tunnel client dynamically loaded
transformation No reboot required after installation
File sharing (CIFS), OWA, Citrix Client may be permanently installed
Java-based application helper or removed dynamically
Cisco Router and Security Device Manager—Simple GUI-based provisioning and

management with step-by-step wizards for turnkey deployment
Cisco Secure Desktop—Prevents digital leakage, protects user privacy, easy to
implement and manage, and works with desktop guest permissions
Virtualization and VRF awareness—Pool resources
BRKSEC-2007
Secure Connectivity Related Sessions

BRKSEC-3005 : Advanced Remote Access with
SSLVPN
BRKSEC-3008/2007 : Site to Site VPN with GETVPN
BRKSEC-3006 : Advanced Site to Site VPN Dynamic
Multipoint VPNs (DMVPN)
BRKSEC-2007

14465_04_2008_c2.scr
Management and Instrumentation
Instrumentation and
Management SDM
Role Based
Access
NetFlow IP SLA
BRKSEC-2007
Cisco Security Management Suite
Cisco® Security Cisco Security

Device Manager Manager
• Quickest way to
setup a device
Quickest way to setup a device New solution for configuring
• Configures all routers, appliances, switches
device
Wizards toparameters
configure firewall,
• IPS, Ships
VPN,with
QoS, and wireless
device New user-centered design
Ships with device New levels of scalability
Cisco Security
MARS
Solution for monitoring

and mitigation
Uses control capabilities within

infrastructure to eliminate attacks
Visualizes attack paths
BRKSEC-2007

14465_04_2008_c2.scr
Instrumentation
Your network management system is only as good as the data you can
get from the devices in the network
IP Service Level Agent Network performance data (latency & jitter)

(IP SLAs)
NetFlow and NBAR Detailed statistics for all data flows in the
network Advanced Netflow Deployment BRKNMS-3005
SNMP V3 and Reliable traps using SNMP informs
SNMP informs
Syslog Manager and Total flexibility to parse and control syslog
XML-formatted syslog messages on the router itself
Tcl Scripting and Flexible, programmatic control of the router
Kron (Cron) jobs
Role-Based CLI Access Provides partitioned, non-hierarchical, access
(e.g. Network and Security Operations)
EEM Solving Security Challenges using EEM
BRKSEC-2007
Design
Consideration
BRKSEC-2007

14465_04_2008_c2.scr
Design Consideration
Cisco IOS Firewall Advanced
Firewall
Classic or Zone based Firewall
Zone based Firewall 12.4(4)T or Classic Firewall
All new features would be offered in zone based policy firewall configuration model;
no end-of-life plan for Classic Cisco IOS Firewall but there will be no new features
ASR1000 supports IOS Zone-based Firewall
Manageability
Provisioning firewall policies:
CLI, Cisco Security Manager, SDM and Config Engine
Monitoring firewall activity:
Syslog, snmp, screen-scrapes from "show" commands
Modifying Security policies
SDM supports zone-based Firewall
Interoperate
Cisco IOS Firewall interoperate with other features: NAT, VPN,
Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL Filtering and QoS
Memory Usage
Single TCP or UDP (layer3/4) session takes 600 bytes of memory
Multi-channel protocol sessions use more than 600 bytes of memory
BRKSEC-2007
Cisco IOS Firewall
Cisco IOS Firewall Went Through a Paradigm Shift

12.4(4)T and Onward Supports Zone-Based IOS Firewall
Before Release 12.4(4)T &
Release 12.4(4)T & Later
12.4 Mainline
Interface based policies Zone based policies
No granular support Very granular Firewall policies
Support for Classic IOS Firewall Support for Classic IOS Firewall continued.
No new features on Classic IOS Firewall
No advanced AIC support Advanced protocol conformance support
(P2P, IM, VoIP, etc.)
Classic IOS Firewall Zone Based IOS Firewall

Supported in CSM and SDM Supported in SDM. CSM planned for CY2008
MIB support No MIB—Roadmap
IPv6 support No IPv6—Roadmap
Active/Passive failover support No Active/Passive failover—Roadmap
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS Firewall Advanced
Firewall
Denial of Service (DoS) Protection Settings

Prior 12.4(11)T default DoS settings were set low
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_
paper0900aecd804e5098.shtml
12.4(11)T onwards DOS settings are max out by default
Addressing
Firewall policies can be made much more efficient with a well thought-out IP
address scheme
Performance Consideration
Cisco IOS Firewall Performance Guidelines for ISRs (800-3800)
http://www.cisco.com/en/US/partner/products/ps5855/products_white_
paper0900aecd8061536b.shtml
ASR1000 TCP/ICMP/UDP Inspection Performance (Up to 10G) with select ALGs
(SIP UDP, active FTP, DNS, H.323v2, SCCP)
BRKSEC-2007
Cisco IOS Firewall - ISRs

Real World Performance: HTTP
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS Firewall Voice Features Advanced
Firewall
Protocol ISRs ASR1000 Comments
H.323 V1 & V2 Yes Yes Tested using CME 4.0
H.323 V3 & V4 No No Roadmap

H.323 RAS Yes No
H.323 T.38 Fax No No Roadmap
CCM 4.2 supported
SIP UDP Yes Yes RFC 2543, RFC 3261 not
supported
SIP TCP No No Roadmap
SCCP Yes Yes Tested with CCM 4.2/CME 4.0
Locally generated traffic
No No Roadmap
inspection for SIP/SCCP
For Cisco IOS® support, contact ask-stg-ios-pm@cisco.com with requirements

BRKSEC-2007
Cisco IOS Flexible Packet Matching IOS FPM
ISR ASR1000
Functionality ACL
12.4(15)T2 RLS 2.2
# of ACEs per interface Unlimited Unlimited 60,000
# of match criteria/ ACE 4 Unlimited 2
Depth of Inspection 44 Bytes Full Pkt 256 B
Raw offset No Yes Yes
Relative offset (fixed header length No Yes Yes
support)
Dynamic offset (variable header No Yes No
length support)
Nested policies No Yes Yes
Nested class-maps No Yes Yes
Regex match No Yes Yes
String match No Yes Yes
Match string pattern window No Full Pkt Full Pkt
Protocol Support IPv4, TCP, UDP, IPv4, TCP, UDP, IPv4, TCP, UDP,
ICMP ICMP, Ethernet, GRE, ICMP, Ethernet
IPsec
Actions supported permit, deny, log permit, count, drop, log, permit, count, drop, log,
send-response, nested- send-response
policy redirect, rate limit
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS IPS 4.x and 5.x
Cisco IOS IPS Went Through a Paradigm Shift

12.4(11)T2 and Onward Supports IPS 5.x
Before Release 12.4(11)T2 Release 12.4(11)T2 &
& 12.4 Mainline later
IOS IPS Internal 2.xxx.xxx 3.000.000
Version (show
subsys name ips)
Signature Format 4.x 5.x
Signature http://www.cisco.com/cgi- http://www.cisco.com/cgi-
Download URL bin/tablebuild.pl/ios-sigup bin/tablebuild.pl/ios-v5sigup
Signature Pre Tuned Signature Files Signature package
Distribution Basic/Advanced SDF Files IOS-Sxxx-CLI.pkg
Loading Signatures From a single SDF file From a set of configuration
files
Configuration of Flat single SDF file approach Hierarchical multi-
Signatures level/multi-file approach
Signature Update for Cisco IOS IPS 4.X (12.4(9)T or Prior)

Will Continue Till ?
BRKSEC-2007
Migrating to Cisco IOS IPS 5.x (12.4(11)T2)
Option 1: Existing customer using non-customized pre-built

signature files (SDFs)
No signature migration needed
Signatures in 128MB.sdf are in IOS-Basic Category
Signatures in 256MB.sdf are in IOS-Advanced Category
Option 2: Existing customer using customized pre-built
signature files (SDFs)
Signature migration (TCL) script available on Cisco.com to convert
customized SDF to 5.x format
This migration script does not migrate user-defined (non-Cisco)
signatures
Migration Guide:
http://www.cisco.com/en/US/products/ps6634/products_
white_paper0900aecd8057558a.shtml
BRKSEC-2007

14465_04_2008_c2.scr
Cisco IOS IPS—12.4(11)T2 and Later Release IOS IPS
Manageability
Provisioning IPS policies:
CLI, Cisco Security Manager, SDM and Config Engine
Signature Tuning and Update:

The basic category is the Cisco recommended signature set
for routers with 128 MB RAM and the advanced category is
for 256MB RAM
Signature tuning with Command line Interface (CLI) is available after 12.4(11)T
Signature package update align with Cisco sensors 42xx. (Auto Update via CSM)
Monitoring IPS activity:

Reporting via CS-MARS (SDEE and Syslog support) and screen-scrapes from
"show" commands
Modifying Security policies:

SDM/CSM supports IPS
BRKSEC-2007
Provisioning and Monitoring Options
IPS Signature Provisioning IPS Event Monitoring
Up to 5 More than 5 1 Up to 5 More than 5

Cisco Same signature set/policy: Cisco IPS Cisco Cisco Security
Security Opt 1: Cisco Security Manager Event IEV or MARS x.3.2
Device (CSM) Viewer syslog (model and
Manager Opt 2: Cisco SDM and Cisco (IEV) server quantity
(SDM) Configuration Engine to copy depends on #
or
generated IPS files to large # of of routers,
routers Cisco topology and
SDM cumulative
Different signature set/policy:
EPS)
Single or multiple instances of CSM
BRKSEC-2007

14465_04_2008_c2.scr
Performance Consideration
Performance of router is not effected by adding more signatures
Memory Usage
Signature compilation process is highly CPU-intensive while the
signatures are being compiled. The number of signatures that
can be loaded on a router is memory-dependent
Fragmentation
Cisco IOS IPS uses VFR (Virtual Fragmentation Reassembly)
to detect fragmentation attacks
BRKSEC-2007
Cisco IOS IPS and Out-of-Order Packets
Cisco IOS IPS supports Out-of-Order packet starting

from the following two releases:
Release 12.4(9)T2
Release 12.4(11)T
Configurable via CLI: ip inspect tcp reassembly

Notification for packets dropped due to insufficient
buffer space
BRKSEC-2007

14465_04_2008_c2.scr
Cisco Security Manager 3.1
Cisco IOS IPS Signature List View
BRKSEC-2007
Cisco IOS IPS and Auto Update

SDM CSM
BRKSEC-2007

14465_04_2008_c2.scr
IOS IPS and IPS Appliances/Modules
Cisco IOS IPS Cisco IOS IPS Cisco IPS 42xx sensors, IDSM2,
Release 12.4(9)T Release 12.4(11)T SSM-AIP, NM-CIDS modules
Signature Format 4.x 5.x/6.0 5.x/6.0
Signature Updates & Tuning using SDF using IDCONF using IDCONF
Subset of 1700+ signatures (depends 1900+ signatures selected by

Signatures Supported
on router model/DRAM) default
IOS-Basic or IOS-
Recommended (pre-built or Basic or
Advanced
default) Signature Set Advanced SDF All signatures alarm-only
Category
Day-Zero Anomaly Detection No Available in 6.0 release
Transparent (L2) IPS Yes Yes
Rate Limiting No Yes
IPv6 Detection No Yes
Signature Event Action Proc. No Yes Yes
Meta Signatures No Yes
Voice, Sweep & Flood Engines No Yes (H.225 for voice)
Event Notification Syslog & SDEE SDEE
BRKSEC-2007
IPS Solutions on Cisco ISRs

Cisco IOS IPS Cisco IPS AIM Cisco NM-CIDS
Dedicated CPU/DRAM for IPS No Yes Yes
Inline and Promiscuous Detection No, Promiscuous Mode

Yes Yes
and Mitigation Only
Subset of 2000+
Full Set Signatures Full Set Signatures
Signature Supported Signatures, Subject to
(2200+) (2200+)
Available Memory
Automatic Signature Updates Yes Yes Yes
Day-zero Anomaly Detection No Yes Yes
Rate Limiting No Yes Yes
Cisco Security Agent and Cisco IPS

No Yes No
Collaboration
Meta Event Generator No Yes Yes

Event Notification Syslog, SDEE SNMP and SDEE SNMP and SDEE
Device Management CLI, SDM IOS CLI, IDM IPS CLI, IDM
System/Network Management CSM CSM CSM
IEV, CS-MARS, On-box IEV, CS-MARS, On-box
Event Monitoring and Correlation IEV, CS-MARS
Meta Event Generator Meta Event Generator
Note: Only One IPS Solution May Be Active in the Router. All Other Must Be Removed or Disabled.
BRKSEC-2007

14465_04_2008_c2.scr
Recommendation
New web and collateral content at http://www.cisco.com/go/iosips/

Use the latest T Train image: 12.4(15)T2
Native support for Microsoft SMB and MSRPC signatures
Works with WAAS Module if Zone-Based FW also configured
Includes many bug fixes for SDM interoperability, etc.
To use IOS IPS with WAAS (WAN Optimization) Module:

You must use 12.4(11)T2/T3 or 12.4(15)T2 image
If IPS is applied on the optimized WAN interface, you must also configure Zone-
Based Firewall for a zone including that interface
ASR1000 introduces this fix-up in RLS 2.2 for IOS Firewall
If working with an image prior to 12.4(11)T or any Mainline image:

Use the latest Basic (128MB.sdf) and Advanced (256MB.sdf) signature files at
http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup/
BRKSEC-2007
Agenda
Drivers for IOS Security

Technology Overview
Deployment Models
Case Study
Summary
BRKSEC-2007

14465_04_2008_c2.scr
Deployment Models
BRKSEC-2007
Enterprise Branch and HQ Profiles
Single Router Model Dual Router Model
QFP QFP
QFP QFP
Private Head Quarter Head

Private Quarter
Wan
WAN
Internet
Security Services Security Services

Cisco IOS Firewall Cisco IOS Firewall
Cisco IOS IPS Cisco IOS IPS
Infrastructure Protection Infrastructure Protection
ACLs ACLs
IPsec VPNs IPsec VPNs
Branch Branch
Office Office
BRKSEC-2007

14465_04_2008_c2.scr
Enterprise Branch and HQ
Single Router Model
Single Router Model

Primary: Internet with
IPSec VPN - IPVPN
Backup: None
QFP
QFP
Internet access is via
Head Quarter split-tunneling
Internet
Security Services
Cisco IOS Firewall
Cisco IOS IPS
Infrastructure Protection
ACLs
Branch
Office
BRKSEC-2007
Enterprise Branch and HQ Profile

Single Router Model
Single Router Model

Primary WAN Services:
Lease line/E1/Fiber or
IP VPN
QFP
QFP
Backup: Internet (ADSL)
with VPN or UMTS
Private Head Quarter
Wan Internet access is via split-
tunneling
Internet
Failover: Routing protocol
with EOT (Enhanced
Security Services
Cisco IOS Firewall
Object Tracking)
Cisco IOS IPS
ACLs
Branch
Office
BRKSEC-2007

14465_04_2008_c2.scr
Single Router Model
Single Router Model

Lease line/E1/Fiber
Backup: Leased line/E1/Fiber
QFP
QFP
Internet access policy
Head Quarter enforced via Head Quarter
Private
Wan Failover: Routing Protocol
Security Services
Cisco IOS Firewall
Cisco IOS IPS
ACLs
Branch
Office
BRKSEC-2007

Dual Router Model
Dual Router Model

Lease line/E1/Fiber
Backup: Leased
QFP line/E1/Fiber
QFP
Head Quarter Internet access

Private
policy enforced via Head
WAN Quarter
Stateful Firewall
(Stateful Failover)
Security Services
Cisco IOS Firewall
Cisco IOS IPS
ACLs
Branch
Office
BRKSEC-2007

14465_04_2008_c2.scr
Agenda
Drivers for IOS Security

Technology Overview
Deployment Models
Case Study
Summary
BRKSEC-2007
Real World
Use Cases
BRKSEC-2007

14465_04_2008_c2.scr
1. Protect the Inside LAN and DMZ at Branch Office and

HQ with NetFlow Event Logging
2. Protect Servers at Branch Office and HQ
3. Virtual Firewall and IPS at the Branch Office
4. Blocking Peer-to-Peer and Instant Messaging
Applications at the Branch
5. Load Balancing and Failover with two Providers
a. Load Balancing
b. Failover
BRKSEC-2007
1. Protect the Inside LAN at Branch Office

with Split Tunneling Deployed Advanced
Firewall
Cisco IOS Firewall and IPS Policies:

Allow authenticated users to access corporate resources
Restrict guest users to Internet access only
Control peer-to-peer and instant messaging applications
Employees can
access corporate
network via
encrypted tunnel
IPsec
Employees Tunnel
QFP
192.168.1.x/24
Internet
Branch Office
Router Inspect Head Quarter
Internet
Guests can traffic
access
Wireless Guests Internet only
192.168.2.x/24
BRKSEC-2007

14465_04_2008_c2.scr
1. Firewall Configuration Snippet at
Branch
Classification: Security Zones:
class-map type inspect match-any protocols zone security private
match protocol dns zone security public
match protocol icmp Security Zone Policy:
match protocol imap zone-pair security zone-policy source
private destination public
match protocol pop3
match protocol tcp
!
match protocol udp
interface VLAN 1
Order of match statement description private interface
is important
Security Policy: !
policy-map type inspect firewall-policy interface fastethernet 0
class type inspect protocols description public interface
inspect zone-member security public
BRKSEC-2007
1. Firewall Configuration Snippet at HQ

Classification:
Security Zones:
class-map type inspect match-any fw-class
zone security public
match protocol udp
zone security dmz
match protocol tcp
policy-map type inspect fw-policy
Security Zone Policy:
class type inspect fw-class
zone-pair security zone-policy source
inspect log public destination dmz
class class-default service-policy type inspect firewall-policy
parameter-map type inspect firewall-policy !
log dropped-packets interface G0/1/0
log flow-export v9 udp destination 1.1.28.199 description public interface
2055 zone-member security public
log flow-export template timeout-rate 30 !
interface g0/1/1
description dmz interface
zone-member security dmz
BRKSEC-2007

14465_04_2008_c2.scr
1. Cisco IOS Zone-Based Firewall (SDM)
for ISRs
BRKSEC-2007
1. IPS Configuration Snippet

IOS-Sxxx-CLI.pkg
mkdir ipstore (Create directory on flash) Load the signatures from TFTP server
Paste the crypto key from copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
realm-cisco.pub.key.txt Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
Cisco IOS IPS Configuration show ip ips signature count

ip ips config location flash:ipstore retries 1 Total Compiled Signatures:
ip ips notify SDEE 338 -Total active compiled signatures
ip ips name ips-policy
category all
retired true
BRKSEC-2007

14465_04_2008_c2.scr
1. Cisco IOS IPS Signatures and
Categories (SDM) for ISRs
BRKSEC-2007
1. Deploying IOS Firewall Split

Tunneling (CSM) on ISRs
BRKSEC-2007

14465_04_2008_c2.scr
1. Deploying IOS IPS (CSM) on ISRs
BRKSEC-2007
2. Protect Servers at Branch Office Advanced

Firewall
Cisco IOS® Firewall and IPS policies applied to DMZ

protect distributed application servers and Web servers hosted
at remote sites
Servers
192.168.3.14-16/24
Servers
hosted
separately
in DMZ
IPsec
Employees Tunnel
192.168.1.x/24
Internet
Branch Office
Router Head Quarter
Wireless Guests
192.168.2.x/24
BRKSEC-2007

14465_04_2008_c2.scr
2. IPS Configuration Snippet
a. Download Cisco IOS IPS Files to your PC d. Cisco IOS IPS Configuration (Con’t)
IOS-Sxxx-CLI.pkg
description DMZ interface
b. Configure Cisco IOS IPS Crypto Key ip ips ips-policy out
mkdir ips5 (Create directory on flash)
Paste the crypto key from e. Load the signatures from TFTP server
realm-cisco.pub.key.txt copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!
c .Cisco IOS IPS Configuration
ip ips config location flash:ips5 retries 1 show ip ips signature count
ip ips notify SDEE Total Compiled Signatures:
ip ips name ips-policy 338 -Total active compiled signatures
category all
retired true
BRKSEC-2007
2. Firewall Configuration Snippet

Classification: Security Zone Policy:
class-map type inspect match-all web-dmz zone-pair security zone-policy source
public destination dmz
match protocol http
match access-group 199
!
interface VLAN 1
access-list 199 permit tcp any host 192.168.10.3
description private interface
Security Policy:
!
interface fastethernet 0
class type inspect web-dmz
description public interface
Inspect
zone-member security public
Security Zones:
interface fastethernet 1
zone security private
description dmz interface
zone-member security dmz
zone security dmz
BRKSEC-2007

14465_04_2008_c2.scr
3. Virtual Firewall and IPS Advanced
Firewall
Cisco IOS Firewall, NAT, and URL-filtering policies are virtual route
forwarding (VRF) aware, providing support for overlapping address space,
which simplifies troubleshooting and operations
Photo Shop
192.168.1.x/24
Separate IPsec tunnels

for Photo Shop and IPsec
Retail Store traffic Tunnel
VRF A
Photo Shop Head
Retail Store Cash Register VRF B Quarter
192.168.2.x/24
VRF C
Internet
Store Router IPsec
Tunnel
Supports
overlapping
address space Retail Store
Internet Services
Head Quarter
192.168.2.x/24
BRKSEC-2007

Classification: Security Policy (Continued):
class-map type inspect retail-hq policy-map type inspect hq-retail
match protocol ftp class type inspect hq-retail
match protocol http
inspect
match protocol smtp extended
class class-default
class-map type inspect hq-retail
match protocol smtp extended drop log
class-map type inspect photo-hq policy-map type inspect photo-hq
match protocol http class type inspect photo-hq
match protocol rtsp inspect
class-map type inspect hq-photo class class-default
match protocol h323 drop log
Security Policy policy-map type inspect hq-photo-
policy-map type inspect retail-hq class type inspect hq-photo
class type inspect retail-hq inspect
inspect class class-default
class class-default drop log
drop log
BRKSEC-2007

14465_04_2008_c2.scr
3. Deployed Firewall Configuration
Snippet (SDM)
BRKSEC-2007
4. Blocking Peer-to-Peer and Instant

Messaging Applications Advanced
Firewall
Cisco IOS Firewall can block/rate-limit instant messaging (IM)

applications like MSN, AOL and Yahoo.
Servers
192.168.3.14-16/24
Blocking the Instant

Messengers e.g.
MSN IPsec
Employees Tunnel
192.168.1.x/24 QFP
Internet
Branch Office
Router Head Quarter
Wireless Guests
192.168.2.x/24
BRKSEC-2007

14465_04_2008_c2.scr
Security Zones: Virtualization (Virtual Routing and Forwarding)
zone security retail-LAN interface FastEthernet0/1.10
zone security retail-VPN encapsulation dot1Q 10
zone security photo-LAN ip vrf forwarding retail
zone security photo-VPN zone-member security retail-LAN
!
Security Zone Policy: interface Tunnel0
zone-pair security retail-VPN ip vrf forwarding retail
source retail-LAN destination retail-VPN zone-member security retail-VPN
zone-pair security VPN-retail interface FastEthernet0/1.20

source retail-VPN destination retail-LAN encapsulation dot1Q 20
ip vrf forwarding photo
zone-pair security photo-VPN zone-member security photo-LAN
source photo-LAN destination photo-VPN !
interface Tunnel0
zone-pair security VPN-photo ip vrf forwarding photo
source photo-VPN destination photo-LAN zone-member security photo-VPN
BRKSEC-2007
4. Deployed Firewall Configuration

Snippet
Servers List: IM-Blocking Policy:
parameter-map type protocol-info msn-servers policy-map type inspect IM-blocking
server name messenger.hotmail.com class type inspect IMs
server name gateway.messenger.hotmail.com drop log
server name webmessenger.msn.com Security Zones
parameter-map type protocol-info aol-servers zone security private
server name login.oscar.aol.com Zone Policy
server name toc.oscar.aol.com zone-pair security IM-Zone-policy source
server name oam-d09a.blue.aol.com private destination public
service-policy type inspect IM-blocking
Classification:
class-map type inspect match-any IM interface VLAN 1
match protocol msnmsgr msn-servers description private interface
match protocol aol aol-servers zone-member security private
class-map type inspect match-all IMs interface fastethernet 0

match class-map IM description public interface
zone-member security public
BRKSEC-2007

14465_04_2008_c2.scr
4. Blocking Instant Messaging
MSN/AOL (SDM)
BRKSEC-2007
5a. Load Balancing with

Two Providers Advanced
Firewall
Cisco IOS Firewall supports WAN Load balancing
Servers
192.168.3.14-16/24
WAN Load Balancing
Multi-Home NAT
Destination Based Load
Balancing
Zone Based Firewall
ISP-1 IPsec
Employees Tunnel
192.168.1.x/24 QFP
Internet
Branch Office ISP-2
Router Head Quarter
Wireless Guests
192.168.2.x/24
BRKSEC-2007

14465_04_2008_c2.scr
5a. Configuration Snippet
Classification: WAN Load balancing Configs(Con’t)
class-map type inspect match-any internet route-map dsl1 permit 10
match protocol http
match ip address 121
match interface Dialer1
match protocol dns
match protocol smtp
match protocol icmp route-map dsl0 permit 10
! match ip address 120
! match interface Dialer0
policy-map type inspect private
class type inspect internet access-list 120 permit ip 192.168.10.0
inspect 0.0.0.255 any
class class-default
access-list 121 permit ip 192.168.10.0
WAN Load balancing Configs 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 Dialer1 Policy Based Routing
ip route 0.0.0.0 0.0.0.0 Dialer0
! route-map IPSEC permit 10
ip nat inside source route-map dsl0 interface match interface Dialer1
Dialer0 overload access-list 128 permit esp 192.168.10.0
0.0.0.255 any
ip nat inside source route-map dsl1 interface
dialer1 overload
BRKSEC-2007
5a. Configuration Snippet

Security Zones Configs
zone security trust
zone security untrust
zone-pair security firewall source trust

destination untrust
!
service-policy type inspect private
Interface Configs:
interface Dialer0
zone-member security untrust
ip nat outside
!
interface Dialer1
zone-member security untrust
ip nat outside
!
interface BVI1
zone-member security trust
ip nat inside
BRKSEC-2007

14465_04_2008_c2.scr
5b. Failover with Two Providers Advanced
Firewall
WAN Object Tracking

Servers
192.168.3.14-16/24
WAN Failover
Object Tracking
Fail Over
Zone Based Firewall
ISP-1 IPsec
Employees Tunnel
192.168.1.x/24 QFP
Internet
Branch Office ISP-2
Router Head Quarter
Wireless Guests
192.168.2.x/24
BRKSEC-2007
5b. Configuration Snippet—

Private Zone Policy
Tracking Configuration: (Object Tracking) Interface Configurations:
track timer interface 5 Interface Dialer 0
! description WAN-Backup interface
track 123 rtr 1 reachability ip address negotiated
delay down 15 up 10 ip nat outside
ip sla 1 NAT Configuration:
icmp-echo 172.16.1.1 source-interface Dialer0 ip nat inside source route-map fixed-nat
timeout 1000 interface Dialer0 overload
threshold 40 ip nat inside source route-map dhcp-nat
interface FastEthernet0 overload
frequency 3
ip sla schedule 1 life forever start-time now
route-map fixed-nat permit 10
Interface Configurations: match interface Dialer0
interface FastEthernet0 !
description WAN-1 Interface route-map dhcp-nat permit 10
ip address dhcp match ip address 110
ip nat outside match interface FastEthernet0
ip dhcp client route track 123
BRKSEC-2007

14465_04_2008_c2.scr
5b. Configuration Snippet—
Private Zone Policy
NAT Configuration (Con’t): Security Zones Configs
access-list 110 permit ip 192.168.108.0 0.0.0.255 zone security trust
any
zone security untrust
Routing Configuration zone-pair security firewall source trust

destination untrust
ip route 0.0.0.0 0.0.0.0 dialer 0 track 123 !
ip route 0.0.0.0 0.0.0.0 dhcp 10 service-policy type inspect private
Classification: interface FastEthernet0

class-map type inspect match-any internet description WAN- Interface
match protocol http
match protocol https Member security zone untrust
match protocol dns
match protocol smtp
match protocol icmp Interface Dialer0
!
! description Backup-Interface
policy-map type inspect private
class type inspect internet member security zone untrust
inspect
class class-default
interface Vlan1
member security zone trust
BRKSEC-2007
Case Study
BRKSEC-2007

14465_04_2008_c2.scr
Education—Centralized Deployment
URL Filtering Internet
School T1
URL Filtering
T1
Private WAN QFP
School
T1
Apply Intrusion Prevention

System (IPS) on traffic from
Schools to kill worms from
infected PCs
URL Filtering
School
BRKSEC-2007
Education—Decentralized Deployment
URL Filtering Internet
Backup
School
DSL
Illegal
T1 surfing
DSL
Internet T1
Private WAN
School District School
T1
Backup Building
DSL
Apply IPS on traffic from
Schools to kill worms
from infected PCs
Secure Internet
Advanced Layer School
3-7 firewall
Web usage control
BRKSEC-2007

14465_04_2008_c2.scr
Summary
BRKSEC-2007
Summary
There is an established and increasing trend of

integrated services in routing industry
Integrated Services Edge has become more common
deployment over distributed architecture
Cisco IOS network security technologies enable new
business applications by reducing risk, as well as
helping to protect sensitive data and corporate
resources from intrusion
Consolidation of branch office equipment for lowering
OPEX is giving rise to integrated security as evident
from the real world use cases
BRKSEC-2007

14465_04_2008_c2.scr
Q and A
BRKSEC-2007
Recommended Reading
Continue your Cisco Live

learning experience with further
reading from Cisco Press
Check the Recommended
Reading flyer for suggested
books
Available Onsite at the Cisco Company Store

BRKSEC-2007

14465_04_2008_c2.scr
Complete Your Online
Session Evaluation
Give us your feedback and you could win Don’t forget to activate
fabulous prizes. Winners announced daily. your Cisco Live virtual
account for access to
Receive 20 Passport points for each session all session material
evaluation you complete. on-demand and return
for our live virtual event
Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center. Solutions or visit
www.cisco-live.com.
BRKSEC-2007
BRKSEC-2007

14465_04_2008_c2.scr
Appendix
BRKSEC-2007
Cisco Security Router Certifications

FIPS Common Criteria
140-2, Firewall
IPsec (EAL4)
Level 2 (EAL4)
Cisco® 870 ISR 9 Q3CY07 9
Cisco 1800 ISR 9 Q3CY07 9
Cisco 7200 VAM2+ 9 Q3CY07 9
Cisco 7200 VSA Q4CY07 Q3CY07 ---
Cisco 7301 VAM2+ 9 Q3CY07 9
Cisco 7600 IPsec VPN SPA 9 Q3CY07 ---
Cisco ASR1000 Series CY08 CY08 CY08
Catalyst 6500 IPsec VPN SPA 9 Q3CY07 ---
Cisco 7600 9 Q3CY07 9
BRKSEC-2007
Cisco.com/go/securitycert

14465_04_2008_c2.scr
Cisco IOS Network Foundation
Protection Network
Foundation
Protection
Data Plane Feature Function and Benefit

Macro-level, anomaly-based DDoS detection through counting the number of
NetFlow
flows (instead of contents); provides rapid confirmation and isolation of attack
Access Control Lists Protect edge routers from malicious traffic; explicitly permit the legitimate traffic
(ACLs) that can be sent to the edge router's destination address
Next generation “Super ACL” – pattern matching capability for more granular
Flexible Packet Matching
and customized packet filters, minimizing inadvertent blocking of legitimate
(FPM)
business traffic
Unicast Reverse Path Mitigates problems caused by the introduction of malformed or spoofed IP
Forwarding (uRPF) source addresses into either the service provider or customer network
Drops packets based on source IP address; filtering is at line rate on most
Remotely Triggered
capable platforms. Hundreds of lines of filters can be deployed to multiple
Black Holing (RTBH)
routers even while the attack is in progress
Protects against flooding attacks by defining QoS policies to limit bandwidth or
QoS Tools
drop offending traffic (identify, classify and rate limit)
Control Plane Function and Benefit
Receive ACLs Control the type of traffic that can be forwarded to the processor
Provides QoS control for packets destined to the control plane of the routers
Control Plane Policing
Ensures adequate bandwidth for high-priority traffic such as routing protocols
MD5 neighbor authentication protects routing domain from spoofing attacks
Routing Protection Redistribution protection safe-guards network from excessive conditions
Overload protection (e.g. prefix limits) enhances routing stability
Management Plane Function and Benefit
CPU and Memory
Protects CPU and memory of Cisco® IOS® Software device against DoS attacks
Thresholding
Dual Export Syslog Syslog exported to dual collectors for increased availability
BRKSEC-2007

14465_04_2008_c2.scr

Deploying IOS Security: BRKSEC-2007

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Deploying IOS Security: BRKSEC-2007

Uploaded by

Copyright:

Available Formats

Deploying IOS Security

© 2006, Cisco Systems, Inc. All rights reserved.

 Drivers for Integrated Security

 Security is an add-on  Security is built-in

 Challenging integration  Intelligent collaboration

 Not cost-effective  Appropriate security

 Cannot focus on core priority  Direct focus on core priority

© 2006, Cisco Systems, Inc. All rights reserved.

Requirement of Integrated Security Solution

IPS FPM Internet

© 2006, Cisco Systems, Inc. All rights reserved.

 Drivers for Integrated Security

Cisco IOS Security—

Secure Network Solutions

Compliance Secure Secure Business

Integrated Threat Control

Advanced URL Intrusion Flexible Network Network

Secure Connectivity Management and Instrumentation

© 2006, Cisco Systems, Inc. All rights reserved.

Cisco IOS Firewall Overview Advanced

© 2006, Cisco Systems, Inc. All rights reserved.

 Allows grouping of physical and Supported Features

Trusted Internet Untrusted

Cisco IOS Zone-Based Firewall—

© 2006, Cisco Systems, Inc. All rights reserved.

Cisco IOS Transparent Firewall

© 2006, Cisco Systems, Inc. All rights reserved.

Cisco IOS Flexible Packet 011111101010101

Matching (FPM) Flexible

Match Pattern AND OR NOT

© 2006, Cisco Systems, Inc. All rights reserved.

Class-map access-control slammer

Policy-map access-control udp-policy

Cisco IOS Intrusion Prevention (IPS) IPS

Internet Corporate Office

Apply IPS on traffic from

© 2006, Cisco Systems, Inc. All rights reserved.

Cisco IOS IPS Configuration show ip ips signature count

 Operational consistency across Cisco IPS portfolio

† New in Cisco IOS 12.4(15)T2

© 2006, Cisco Systems, Inc. All rights reserved.

 Introduces “stealth IPS” capability

 Both “wired” and wireless segments are in same subnet

Cisco IOS Intrusion Prevention System (IPS)

© 2006, Cisco Systems, Inc. All rights reserved.

Internet Usage Control

Router Hardening Network

A router can be logically divided

© 2006, Cisco Systems, Inc. All rights reserved.

 Detects traffic anomalies & respond to attacks in real-time

 Defense-in-depth protection for routing control plane

 Secure and continuous management of Cisco IOS network

Router Hardening: Traditional Methods

Community ACL  Run AAA

© 2006, Cisco Systems, Inc. All rights reserved.

Cisco IOS Control Plane Policing Network

Management Routing Management

Control Plane Policing Silent Mode

Packet Output Packet

© 2006, Cisco Systems, Inc. All rights reserved.

Enforces Secure Access

Secures Forwarding Plane

Drivers for Integrated Security

Security is an add-on Security is built-in

Challenging integration Intelligent collaboration

Not cost-effective Appropriate security

Cannot focus on core priority Direct focus on core priority

Drivers for Integrated Security

Allows grouping of physical and Supported Features

Operational consistency across Cisco IPS portfolio

Introduces “stealth IPS” capability

Both “wired” and wireless segments are in same subnet

Detects traffic anomalies & respond to attacks in real-time

Defense-in-depth protection for routing control plane

Secure and continuous management of Cisco IOS network

Community ACL Run AAA

Hub-Spoke; (Client to Hub-Spoke and Spoke-to- Any-to-Any;

Dynamic routing on Dynamic routing on IP

Stateful Hub Crypto Route Distribution Model

Encryption Style Peer-to-Peer Protection Peer-to-Peer Protection Group Protection

Multicast replication at Multicast replication at Multicast replication in IP

GET uses Group Domain of Interpretation (GDOI): RFC 3547

Full meshed connectivity with Secure On-Demand

Cisco Router and Security Device Manager—Simple GUI-based provisioning and

Denial of Service (DoS) Protection Settings

Option 1: Existing customer using non-customized pre-built

Signature Tuning and Update:

Monitoring IPS activity:

Modifying Security policies:

Cisco IOS IPS supports Out-of-Order packet starting

Configurable via CLI: ip inspect tcp reassembly