
Industrial Ethernet: Vulnerabilities, Threats, and Countermeasures

© 2004 ODVA
Overview

• Threats & Vulnerabilities
• Integrated Security Strategy
• Intrusion Detection & Prevention for Control Systems
• Plant Floor Security Architecture

Known vulnerabilities in control system networks

Design
• Insecure comm links
• Insecure devices & protocols
• Less than weak authentication in devices and protocols
• Insecure remote access (i.e. dialin modems, partner, integrator connections)
• Undocumented commands/backdoors
• Insecure coding practices and inadequate testing
• Ill-defined or unrealistic security requirements

Implementation
• TCP/IP stack issues
• Protocol flaws
• OS/App flaws
• Windows HMI Flaws
• WEP/802.11 Flaws
• DoS to Network infrastructure

Configuration
• Weak/default passwords
• 802.11 Defaults (no WEP)
• Inadequate filtering on router/firewall
• OS defaults and failure to apply patches & upgrades
• Device Default insecure features and difficult or non-scalable secure features

Device Vulnerabilities
• Most PLCs (Communication Modules) have no
ability to filter based on source IP address even
at the socket layer—let alone based on
application layer message types
• Few devices have the ability to do low-level
packet filtering (to mitigate network transport
layer attacks)
• TCP/IP Stack Issues
– Resource Exhaustion
– Poor Initial Sequence Number Selection
– Malformed Message
• Use of “IT” Protocols for Industrial Applications

Protocol Vulnerabilities

• Most Industrial Ethernet protocols simply
encapsulate serial/fieldbus protocol over
TCP/UDP
• Lack of Authentication, Authorization, and
Encryption in Protocol Design and
Specification
• Implementation flaws in processing
valid/invalid formatted messages

High Level Attacker Goals
• Gather information about publisher/subscriber
• Write/Alter data on publisher
• Write/Alter data on subscriber
• Program PLC
• Compromise subscriber
• Compromise publisher
• Disable publisher
• Disable subscriber
• Disable publisher-subscriber communications link

Attack Origins
• Within Cell
• Outside Cell (same zone)
• Outside Zone
• Wireless (802.11)
• Plant Engineering/IT
• Plant Direct/RAS Dialup
• Plant Business Partner
• Corporate RAS/VPN User
• Corporate Engineering/IT
• Corporate Data Center
• Corporate Internet Connection

Review of Filtering Technology
• Intelligent switches/bridges
– Filter on L2 (MAC) source address
• Router Access Control Lists
– Filter source/dest by L3 (IP Address) and L4 (Port)
• Stateful Firewalls
– Filter based on TCP/ICMP/UDP “state” and limited
support for some applications
• Application Proxies
– Complete application and protocol support, typically
requires (re)configuration of client
• Deep Packet Inspection and Network IPS
– High speed (possibly inline/transparent) filtering at all
application and protocol layers

But Is there really a threat?
• I’m not even directly connected to the Internet
–The traditional perimeter is eroding – SOHO/VPN, wireless,
dial-up, partner connectivity
–Multiple application entry points – SMB, Email, Web Browser,
Web Server
• Worms and viruses only target Windows machines
–Network infrastructure devices aren’t directly targeted either,
but end up as “collateral damage”—what happens to
automation devices?
–Instead of attacking windowsupdate.com or whitehouse.gov
write your worm to overwrite firmware of your ControlLogix
• The bottom line—security controls must be integrated
throughout the network and end-devices must be
hardened

Conclusions
• Technology knows no organizational boundaries – “IT
Security Products” can be altered to secure control system
applications
• Security technologies and practices lag threats and
vulnerabilities – it is now 1995?
– Vulnerabilities are still known by a small but growing community – for
now?!
– Small target population – Industrial Ethernet (and wireless) have not
reached critical mass
– Threat picture is unclear – lack of automated tools (although this could
change quickly)
• Simple “type-code filtering” is better than the status quo but
is probably a partial (interim?) solution to more robust
security enhancement necessary for industrial devices and
protocols
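
One way to picture the “type-code filtering” mentioned above, as an added example that is not part of the original slides: a default-deny filter that permits a request only when both its source address and its application-layer message type are allowed. Modbus/TCP is used as the example protocol, and the addresses and policy are constructed; the slides name no specific protocol.

```python
import ipaddress
import struct

# Assumption: Modbus/TCP stands in for "a fieldbus protocol carried over TCP".
READ_CODES = {1, 2, 3, 4}       # read coils, discrete inputs, holding/input registers
WRITE_CODES = {5, 6, 15, 16}    # write single/multiple coils and registers

# Constructed policy: source network -> function codes it may send.
POLICY = [
    (ipaddress.ip_network("10.10.1.0/24"), READ_CODES),                # HMI subnet
    (ipaddress.ip_network("10.10.1.5/32"), READ_CODES | WRITE_CODES),  # engineering station
]

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def parse_function_code(frame: bytes) -> int:
    """Return the function code of one Modbus/TCP frame, or raise ValueError."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("truncated frame")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id is not 0")
    # The length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6 or not 2 <= length <= 254:
        raise ValueError("length field does not match frame")
    return frame[MBAP_LEN]


def decide(src_ip: str, frame: bytes) -> tuple:
    """Default deny: permit only when a rule covers both source and function code."""
    try:
        code = parse_function_code(frame)
    except ValueError as exc:
        return ("deny", f"malformed: {exc}")
    src = ipaddress.ip_address(src_ip)
    for network, allowed in POLICY:
        if src in network and code in allowed:
            return ("permit", f"function code {code}")
    return ("deny", f"function code {code} not allowed from {src_ip}")


def build_request(code: int, body: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a constructed sample frame for the demonstration below."""
    return struct.pack(">HHHB", tid, 0, len(body) + 2, unit) + bytes([code]) + body


if __name__ == "__main__":
    read_regs = build_request(3, struct.pack(">HH", 0, 10))       # read 10 registers
    write_reg = build_request(6, struct.pack(">HH", 1, 0x1234))   # write one register
    for src, frame in [("10.10.1.20", read_regs), ("10.10.1.20", write_reg),
                       ("10.10.1.5", write_reg), ("192.168.0.9", read_regs),
                       ("10.10.1.5", read_regs[:-1])]:
        print(src, frame.hex(), decide(src, frame))
```

Malformed frames are denied before any rule is consulted, so the filter does not pass on input that the device's own stack might mishandle.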

Conclusions (cont.)
• Security enhancements for automation protocols are 3-5
years away from widespread deployment, but legacy
devices will remain a problem after secure protocols
become a reality
• More Questions than Answers!?
– Operational constraints of deploying security deep within
the automation cell—especially management and
monitoring
– Operation control and interaction between multiple
security technologies (authentication servers, VPNs,
border routers, and firewalls)
– Integration of Control System Security Software and
Network Security Countermeasures?
– What device is best suited for application protocol
filtering: firewall, router, intelligent switch? Where should
it be deployed?

Integrated Security Strategy

Essential Security Technologies

• Extended Perimeter Security: Permit or deny network/application access
• Secure Connectivity: Protect traffic across untrusted networks
• Intrusion Protection: Monitor for and block attacks
• Security Management: Management, monitoring, and analysis
• Identity Services: Authenticate, authorize, and audit

Deploy Security As an Integrated System
• Secured Doors and Vaults: Firewalls and Router ACLs
• Surveillance and Alarms: Network and Host-Based Intrusion Detection
• Patrolling Security Guard: Scanner
• Card Readers: Identity, AAA, Access Control Servers and Certificate Authorities
• Security Room CCTV: Centralized Security and Policy Management
• Secure Transport: Encryption and Virtual Private Networks (VPNs)

Why Integrated Security?
• Everything is a target
• Routers are targets
• Switches are targets
• Hosts are targets
• Networks are targets
• Applications are targets
• Information is a target
• Management tools are targets

Some of these can be turned into weapons
New breed of attacks have multiple vectors that cannot be blocked by one device
• Network security is a system – Everything must be defended
Layers of security are required
Embedded security throughout the network
• SAFE Integrated security in network devices
• Secure management and reporting

Integrated Network Security: What Do We Mean?
Integrated Into All Devices: Security In Everything
Routers, Switches, Servers, Firewalls, VPN Devices,
Intrusion Detection, Wireless, Telephony, Clients, Access
Control Servers

Embedded Throughout The Network: Security Everywhere
Data Center, Campus, Wireless, Edge, Metro, Branches,
Telephony, Teleworkers, Mobile, SP Services

Integrated Security Solutions – Network Based and Appliances
Cisco Delivers Security Solutions That Integrate With
Diverse Deployment Models

Network Embedded Security
• Great deployment flexibility
• Support for virtually any network environment
• Integration of security and network services
• Tighter integration with network applications
• Leverages existing network management and support models

Appliances
• Dedicated function for network overlay
• Defined administrative segregation
• Single purpose provides greater simplicity
• Fits into “by segment” purchasing strategies
• Dedicated function devices sometimes preferred by security organizations

Cisco Security Portfolio
Secure Extended
Connectivity Perimeter Intrusion Identity Security
Security Protection Services Management

Appliances Appliances Appliances


Cisco VPN 3000 Cisco PIX Cisco 4200 Series Cisco VPN
Series firewalls Cisco PIX firewalls Access Solutions
Cisco PIX firewalls Cisco Catalyst Control Center
Cisco Catalyst 6503, 6503, 6506 Server
Host Based CiscoWorks
6506 switches switches
“IBNS” VPN/Security
Integrated Integrated
Integrated 802.1X Management
Switch IDS Module
Switch VPN Module Switch Firewall extensions Solution
Module
CiscoWorks
Hosting
Cisco IOS Cisco IOS Cisco IOS Solution
VPN Firewall IDS Engine

SOHO 90,SOHO 90, 830,1700,


830,1700, 2600, 3700,
2600, 3600, 3600, 3700,
70007000 series
series

Firewall Deployment Options
• Small Business / Branch Office Internet Access: Cisco 1700, 2600, 3600 Series with IOS Firewall or PIX 506, 515
• Corp HQ: PIX 525, 535
• Regional Office Internet Access: Cisco 3700, 7200 Series with IOS Firewall or PIX 515, 525
• Telecommuter: Cisco 800 Series with IOS Firewall or PIX 501
• Data Center & Internal Firewalls: Cisco FWSM or PIX 525, 535
• Internal Firewalls: Cisco FWSM or PIX 525, 535
• Server Farm Firewalls: Cisco FWSM or PIX 525, 535
[Diagram labels: Internet, Service Provider, ASP]

IDS Deployment Options
• Extranet Protection (NIDS): Monitors Partner Traffic Where “Trust” is Implied But Not Assured
• Internet Protection (NIDS): Augments FW and VPN by Monitoring Traffic for Malicious Activity
• Intranet/Internal Protection (NIDS/HIDS): Protects Data Centers and Critical Systems from Internal Threats
• Remote Access Protection (NIDS): Hardens Perimeter Control by Monitoring Remote Users
• Server Farm Protection (NIDS/HIDS): Protects e-Business Servers from Attack and Compromise
[Diagram labels: Business Partner, Users, Internet, Corporate Office, Data Center, NAS, e-Business Servers]

Identity Portfolio – Identity Services
Enterprise AAA
802.1x support
LEAP, PEAP, WPA
RADIUS, TACACS+
LDAP, plus

Security is a Systematic Process
[Cycle diagram, with Central Security Management at the center:]
• Architecture Design and Implementation
• Vulnerabilities and Risk Assessment
• Security Policy/Procedures
• Deploy Security Policy
• Surveillance, Monitoring, Audit & Analysis
• Incident Response
• Forensic Analysis
• Corrective Action

Intrusion Detection Overview

Intrusion Detection Approaches

• Signature, Anomaly Detection, Behavioral
• Network and/or Host-Based

Anomaly and/or Signature Detection

• Misuse/signature detection -- explicitly define what
activity should be considered malicious. Most
commercial Network IDS products are signature-based
and combine the following techniques
– Pattern Matching
– Stateful Analysis
– Heuristics
– Protocol Decode Based Analysis
• Anomaly detection -- define normal, authorized activity,
and consider everything else to be potentially malicious
• Behavioral -- Policies allow “good” behavior and prevent
“bad” behavior

Host vs Network Based

• Host-based: “Agent” software
monitoring network, kernel and application
activity on hosts
• Network-based: Collects and analyzes
data from the network

Some General Pros and Cons

Host-Based
Pros
• Can verify success or failure of attack
• Generally not impacted by bandwidth or encryption
• Understands host context and may be able to stop attack
Cons
• Impacts host resources
• Operating system dependent
• Scalability—Requires one agent per host

Network-Based
Pros
• Protects all hosts on monitored network
• No host impact
• Can detect network probes and denial of service attacks
Cons
• Can have a higher rate of false positives without signature tuning and intelligent management
• Can’t stop day zero exploits or worms without signatures

Should View as Complementary!


Generic Attack Sequence
[Diagram: attack stages leading to the Target]
• Rapidly Mutating
• Continual signature updates
• Inaccurate

• Most damaging
• Change very slowly
• Inspiration for host intrusion prevention

Typical IDS Architecture

Management console
• Real-time event display
• Event database
• Sensor configuration

Sensor
• Detection analysis
• Generate alarms
• Response/countermeasures

[Diagram labels: Management Console, Component Communications, NIDS Sensor, HIDS Sensor]

Network IDS Sensor
Network Link to the
Management Console

IP Address

Passive Interface
No IP Address
Monitoring the Network
Data Capture

Data Flow

Network Intrusion Prevention (Inline Network IDS)
Network Link to the
Management Console
IP Address

Passive Interfaces
No IP Address
Monitoring the Network

Data Flow

Host IDS/IPS Sensor

Passive Agent
• Syslog monitoring
• Detection
• Wider platform support
• File Integrity Checks

Active Agent
• Attack interception via signatures
• Behavioral Intrusion Prevention
• Personal/Distributed Firewalling

[Diagram label: Syslog]

Deploying IDS/IPS in a Control Systems Environment

Technology Challenges
• Scalability
–Large volume of data to analyze
• Access to the data stream
–Switch SPAN port sharing or Network Taps
–Remote Systems
–Non-IP Transport
• Skills required to monitor/operate
the systems
–Understand what the alarms mean and what to do
–Certifying Host Agents on Process Control Systems
–Adhering to regulatory CPU utilization guidelines

False Positive Elimination/Alarm Validation
• Generally there are four primary ways that
vendors have attempted to eliminate false
positives or validate alarms
- Correlation of IDS and other security logs
- Correlation of active scanning and alarm data
- Correlation of passive scanning and alarm data
- Just in time analysis
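
The third approach in the list above (correlating passively gathered host data with alarm data), sketched as an added example that is not part of the original slides. The asset inventory, verdict names and alarms are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    os_family: str            # learned passively, e.g. from banners or stack fingerprint
    open_ports: frozenset     # TCP ports observed answering connections


@dataclass(frozen=True)
class Alarm:
    signature: str
    dst_ip: str
    dst_port: int
    affects_os: frozenset     # OS families the signature's attack applies to


# Constructed inventory, standing in for what a passive sensor has recorded.
ASSETS = {
    "10.20.0.10": Asset("windows", frozenset({135, 445})),   # HMI workstation
    "10.20.0.50": Asset("vxworks", frozenset({502})),        # controller
}

# Sort order for the analyst queue: most actionable first.
RANK = {"validated": 0, "unknown-target": 1, "unlikely": 2, "not-applicable": 3}


def validate(alarm: Alarm, assets: dict) -> str:
    """Classify one alarm against what is known about its target."""
    asset = assets.get(alarm.dst_ip)
    if asset is None:
        return "unknown-target"      # unprofiled host: keep it visible
    if asset.os_family not in alarm.affects_os:
        return "not-applicable"      # attack cannot work on this OS
    if alarm.dst_port not in asset.open_ports:
        return "unlikely"            # right OS, but service never seen listening
    return "validated"


def triage(alarms: list, assets: dict) -> list:
    """Return (verdict, alarm) pairs, most actionable first; nothing is dropped."""
    scored = [(validate(a, assets), a) for a in alarms]
    return sorted(scored, key=lambda pair: RANK[pair[0]])


# Constructed alarms; signature names are placeholders, not real rule ids.
SAMPLE_ALARMS = [
    Alarm("sample-smb-overflow", "10.20.0.50", 445, frozenset({"windows"})),
    Alarm("sample-rpc-probe", "10.20.0.10", 111, frozenset({"windows", "solaris"})),
    Alarm("sample-plc-write", "10.20.0.99", 502, frozenset({"vxworks"})),
    Alarm("sample-smb-overflow", "10.20.0.10", 445, frozenset({"windows"})),
]

if __name__ == "__main__":
    for verdict, alarm in triage(SAMPLE_ALARMS, ASSETS):
        print(f"{verdict:15} {alarm.signature:20} -> {alarm.dst_ip}:{alarm.dst_port}")
```

Alarms are re-ranked rather than discarded, because passively learned inventory can be stale and an unprofiled host on a control network is itself worth a look.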

COTS Attack Sequence

Target

Deployment Considerations for PCN
• How do most commercial IDS protect the PCN system?
They protect the COTS systems that have protocols or
operating systems that are understood by the IDS.
• Specific threats to PCN embedded systems and PCN have
not been widely publicly identified, so most commercial
NIDS (host or network) do not support the protocols and
embedded operating systems in use by PCN systems
• Anomaly Detection based systems need testing to determine
the applicability to PCN systems.

PCN Attack Sequence
[Diagram: attack stages leading to the Target device]
• Ping Addresses
• Scan ports for particular PCN protocols
• Send specific function codes to cause specific behavior on embedded system
• Use default passwords on system interface
• Modify existing configuration on the device
• Enable new services on the device
• Look to exploit more COTS systems to jump access control boundaries
• Scan for PCN protocols
• denial of service specific to the PCN device
• modify or delete available programs files
• Steal secrets

IPS Considerations for Process Control Networks (PCN)
• IPS is the marketing term of choice. However, their
applicability to a PCN system needs to be carefully evaluated.
• Anonymous Quote “People would be foolish to run IPS on a
regulated pipeline”
• However, IPS at the edge of the control system is sensible,
since the IPS can protect COTS systems that can’t be patched
or have run out of support and no patch is available.
• The deployment of an IPS revolves around the degree of
certainty the IDS operator has that the IDS dropped the correct
traffic. This is sometimes called the “fidelity” of the
alarm/signature.

Security Architecture for Plant Floor

Enterprise High Level Design
[Diagram labels: Internet, Business Partners, WAN/PSTN, Corporate IT Network, Corp. Engr, Corp. IT, Corp. Data Center, Corporate WAN, Plant Network(s), Plant IT, Plant Engr, Plant Data Center, Process Controls, PSTN]
• Remote internal access to the process control systems in the plant.
• Remote external access for suppliers and vendors. Dedicated lines, dial and VPN.
• Local internal access to the process control systems in the plant.

Logical Industrial Ethernet Plant Topology
In all instances where applicable a QOS template should be engineered and deployed.
A minimum configuration to classify traffic at the access layer must be employed to ensure
a QOS template in the future.
[Diagram labels: IT WAN; Plant IT, Plant Engineering, Plant Data Center; Internet; Remote Access; WAN/PSTN; Zone; Cell; VLAN 101, VLAN 102, VLAN 103, VLAN 104, VLAN 105; Direct Remote Access; PSTN]

Logical Zone Topology
[Diagram labels: Plant Network, PSTN]

Enterprise High Level Design
[Same diagram as the earlier Enterprise High Level Design slide, with an added callout: Possible Focal Points for policy enforcement]

Logical Industrial Ethernet Plant Topology
[Same diagram as the earlier Logical Industrial Ethernet Plant Topology slide, with an added callout: Possible Focal Points for policy enforcement]

Logical Zone Topology
[Diagram labels: Plant Network, PSTN; callout: Possible Focal Points for policy enforcement]

Enterprise Edge Detail
Central policy control of Partner authentication and authorization
[Diagram labels: To Internet Via the Corporate Internet Module; To Edge Distribution Module; Remote Access VPN; Site-to-Site VPN; Dial Access Servers; PSTN; Business Partner Routers; WAN]

Plant Edge
Central policy control of Partner authentication and authorization
[Diagram labels: IT WAN, Internet, Remote Access, WAN/PSTN]

Plant Distribution
Central policy control of Partner
authentication and authorization.
Embed FW, VPN and NIDS
technology into the distribution
layer. These technologies protect
each set of production cells that feed
into them.

Logical Zone Topology
• Central policy control of Partner authentication and authorization.
• Embed FW, VPN and NIDS technology into the distribution layer. These technologies protect each set of production cells that feed into them.
• Additionally, if performance and compatibility allows HIDS or Personal FWs can be deployed on the systems that run a general purpose OS.
• Standards compliant WPA security scheme should be used to secure 802.11 wireless
• VLANs provide user segmentation. ACLs for only authorized production traffic?
• Audit of direct dial interfaces should be conducted to guarantee that the lines are known and meet security policy
• Possible Focal Points for policy enforcement
[Diagram labels: Plant Network; Video Feed; Programmable Logic Controllers (PLC); Human Machine Interface (HMI); PC-Based Controllers; Wireless Video Monitoring; PSTN; Motors, Drives, Actuators; Robotics; Scanner; Handheld; Sensors and other Input/Output Devices; Device Level Network; Ethernet]

Cisco Security Agent Tour

Cisco Security Agent Key Advantages
1. Agents are managed from same console as
Firewall, Network IDS, and VPN devices
2. Protection is proactive – no need for
repeated signature updates (“Zero Update”)
3. Simple to customize
4. Protects Windows and Unix, servers and
desktops

Agents are managed from same console as Firewall, Network IDS, and VPN devices
• Cisco Security Agent Management Center runs under
Cisco Works VPN and Security Management System
(VMS)
• CSA MC installs and configures all necessary components
automatically
– Manager software
– Web Server CGIs
– Database
• CSA MC automatically builds agent kits for distribution to
systems
• No encryption key distribution to agents
• No need to log in to CSA MC to get agent kits protecting
systems

Testing Protection
• Unlike Host IDS systems you need to attack the CSA to see alerts

Tool (Site): Comments
• nmap (http://www.insecure.org): Most sophisticated network mapping and discovery tool. Does an excellent job of identifying the Operating System of the target device
• Nessus (http://www.nessus.org): A free Linux based Open Source vulnerability scanner. Contains a very large list of current exploits for both Unix and Windows systems
• Windump (http://windump.polito.it): High quality free network packet and password capture tool. Windows version of Unix tcpdump
• Etherpeek (http://www.wildpackets.com): Good commercial packet sniffer
• Silentlog (http://packetstorm.decepticons.org/Win/SilentLog.zip): Keystroke logger with source code
• Pwdump (http://razor.bindview.com/tools/files/pwdump.zip): Allows encrypted passwords to be dumped even if the Windows system is protected with SYSKEY
• Firehole (http://keir.net/firehole.html): Personal Firewall testing tool that uses DLL Injection
• netcat (http://www.atstake.com/research/tools): Among other features, can act as a remote login server on any port
• Command Shell (%Systemroot%\system32\cmd.exe (Windows), /bin/sh (Unix)): Lets you run commands

Proactive Protection
[Screenshot callouts:] Query the user (default deny) … when any application … tries to write … system executables, libraries, or drivers.

Simple to Customize
[Screenshot callouts:] Query the user (default deny) … when any application … tries to write … system executables, libraries, or drivers.

Policy Tuning Wizard

• The Tuning Wizard automates policy
customization according to Cisco
recommended “Best Practices”
• Hotlinks from alerts invoke a wizard
that determines how to update policies
in the appropriate manner
• If you are using the Cisco Security
Agent Profiler product, the wizard will
configure the Profiler to investigate
applications

Protects Unix and Windows Servers and Desktops
• The Cisco Security Agent protects not
only Windows Desktops and Servers but
Solaris servers as well
• Default Unix Server policy provides
robust security “out of the box”
– Hardens the Operating System and ensures
its integrity
– Buffer Overflow protection
– Blocks packet sniffers
– Blocks Trojan Horse “backdoor” programs

Cisco Security Agent Summary

1. Agents are managed from same console
as Firewall, Network IDS, and VPN devices
2. Protection is proactive – no need for
repeated signature updates (Zero Update)
3. Simple to customize
4. Protects Windows and Unix servers and
PCs

© 2001, Cisco Systems, Inc. All rights reserved.
