Christophe Sarrazin
csarrazi@cisco.com
STG-Router-Security © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Cisco Security Router Portfolio
Diagram (axis: performance and services density), platforms as listed on the slide: Cisco 7600, Catalyst 6500, Cisco 7200, Cisco 7301, Cisco 1800 ISR, Cisco 800 ISR.
Embedded advanced voice, video, data and security services.
Cisco Security Router Technologies
Diagram: Cisco® Security Routers with GET VPN, DMVPN, SSL VPN, IPsec VPN, SDM, NetFlow, IP SLA and Role Based Access.
Integrated Threat Defense
Integrated Threat Defense Overview
Cisco IOS Firewall Overview (Advanced Firewall)
Cisco.com/go/iosfw
Zone Based Policy Firewall (Advanced Firewall)
Diagram: Private, DMZ and Public zones joined by zone-pair policies: Private-DMZ policy, DMZ-Private policy, Public-DMZ policy, Private-Public policy.
Zone Based Policy Firewall : configuration
Interface to zone mapping:
interface serial0
 zone-member security Internet
interface Ethernet1
 zone-member security dmz
interface Ethernet2
 zone-member security dmz
Zone-pair definition and service policy « policy_dmz »
Zone Based Policy Firewall : configuration (continued)
Class map (traffic to inspect):
class-map type inspect class1
 match protocol http
 match access-group 199
Policy map (actions: inspect, drop, policing):
policy-map type inspect policy_dmz
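As an added example (not from the deck), the two configuration slides joined into one working zone-based policy firewall: the zones Internet and dmz, class1, policy_dmz and ACL 199 are from the slides, while the zone private, interface Ethernet0, the LAN 192.168.1.0/24 and the DMZ server 10.1.1.10 are constructed for this example.

```cisco
! Added example, not from the original deck. Zone names Internet and dmz,
! class1, policy_dmz and ACL 199 come from the slides; zone private,
! Ethernet0, 192.168.1.0/24 and 10.1.1.10 are constructed placeholders.
!
! 1. Security zones. Traffic between two zones is dropped until a zone-pair
!    with an inspect policy permits it; traffic within one zone passes.
zone security private
zone security dmz
zone security Internet
!
! 2. What to inspect: only HTTP, and only from the LAN to the DMZ web server.
!    match-all requires both conditions, so ACL 199 narrows the protocol match.
access-list 199 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.10
class-map type inspect match-all class1
 match protocol http
 match access-group 199
!
! 3. What to do with it: stateful inspection for class1; everything else in
!    this direction hits the implicit class-default and is dropped and logged.
policy-map type inspect policy_dmz
 class type inspect class1
  inspect
 class class-default
  drop log
!
! 4. Direction: the policy applies to private -> dmz only. Return packets are
!    admitted by the inspection state table, so no reverse zone-pair is needed.
zone-pair security private-dmz source private destination dmz
 service-policy type inspect policy_dmz
!
! 5. Interface to zone mapping (Serial0 and Ethernet1 as on the slide,
!    Ethernet0 assumed for the private LAN).
interface Serial0
 zone-member security Internet
interface Ethernet1
 zone-member security dmz
interface Ethernet0
 zone-member security private
```

show zone-pair security confirms the binding, and show policy-map type inspect zone-pair sessions lists the flows the inspect action is currently tracking.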
SDM 2.4 – Zone Based Firewall Policies
VRF-Aware Zone Based Policy Firewall
Diagram: IOS Firewall with VRF Grey, VRF Blue and VRF Orange mapped to zones P, O, T and G; WAN (VPN), Internet and Corporate Head Quarters.
Application Inspection and Control (Advanced Firewall)
1. Protect the Inside LAN at Remote Sites with Split Tunneling Deployed (Advanced Firewall)
Diagram: branch office router with employees (192.168.1.x/24) and wireless guests (192.168.2.x/24); IPsec tunnel over the Internet to the corporate office; the router inspects Internet traffic; guests can only access the Internet.
2. Protect Servers at Remote Sites (Advanced Firewall)
Diagram: branch office router with employees (192.168.1.x/24) and wireless guests (192.168.2.x/24); IPsec tunnel over the Internet to the corporate office.
3. Protect WAN Link and Corporate Office (Advanced Firewall)
Diagram: branch office router with wireless guests (192.168.2.x/24), Internet, corporate office.
4. Transparent Firewall and IPS (Advanced Firewall)
Diagram: branch office router with wireless guests, Internet, corporate office; restricts access to specified devices on a subnet (192.168.1.12/24).
Cisco IOS Stateful Firewall Failover (Business Continuity)
Diagram: WAN router with standby firewall.
Cisco IOS Firewall – Summary (Advanced Firewall)

Stateful Policy Filtering (L3-L4)
• Advanced filtering by matching regular expressions anywhere within packet
• Stateful Firewall - Dynamic filtering by tracking IP address and port data for flows
• Transparent Firewall - Bridge-like filtering to segregate network

Application Inspection & Control (L5-L7)
• Application Firewall – Protocol Conformance
• Defend against attacks disguised as SMTP, HTTP, IMAP, POP3 packets
• Application Control - restrict HTTP get/post methods, refuse file attachments in IM, block P2P applications such as Kazaa
• VRF-aware firewall

Resilience
• DoS Protection
• Stateful Firewall Failover
• ICSA, Common Criteria EAL4 certified
• Miercom tested services

Ease of Management
• Simple to create security policy between security zones
• SDM: GUI device manager
• CSM: policy management
• SNMP MIB: firewall monitoring

Granular Policy Enforcement
• Per-user policies to grant/deny access to corporate assets
• URL Filtering to control and monitor access to prohibited websites
Cisco IOS URL Filtering (URL Filtering)
Diagram: branch office, corporate office, server farm.
http://www.cisco.com/go/iosips
Cisco IOS Intrusion Prevention (IPS)
Diagram: protect the router and local network from DoS attacks; stop attacks before they fill up the WAN (branch office, Internet, corporate office).

Capability                                  | Cisco IOS IPS                                              | IDS Network Module
--------------------------------------------|------------------------------------------------------------|----------------------------------------------
Dedicated CPU and DRAM for IPS              | No                                                         | Yes
Inline and promiscuous detection/mitigation | Yes                                                        | No
Signatures supported                        | Supports a subset of signatures subject to available memory | Supports all signatures simultaneously
Automatic signature updates                 | Yes                                                        | Yes
Day zero anomaly detection                  | No                                                         | Yes
Rate limiting                               | No                                                         | Yes
IPv6 detection                              | No                                                         | Yes
CSA-IPS collaboration                       | No                                                         | Yes
Device management                           | IOS CLI, SDM                                               | IPS CLI, IDM
System management                           | CSM                                                        | CSM
Event monitoring and correlation            | IEV, CS-MARS                                               | IEV, On box Meta Event Generator, CS-MARS
Cisco IOS IPS Deployment (IPS) – New! Available Nov 06
Cisco IOS Transparent IPS (IPS)
Diagram: wireless devices, corporate office, database server; how to restrict the devices?
IPS configuration: selective download
ip ips signature-category
Unselect all signatures:
 category all
  retired true
  exit
Select a specific category:
 category ios_ips basic
  retired false
IPS configuration: create directory
mkdir flash:/ips5 (signature configuration)
Signatures Auto-Update
ip ips auto-update
 occur-at 59 12 1 1
 url ftp://intranet1.cisco.com
 username cisco
Customize signatures
ip ips signature-definition
 signature signature-id [subsignature-id]
  engine
   event-action action
   exit
  alert-severity {high | medium | low | informational}
  fidelity-rating rating
  status
   enabled {true | false}
Event actions: deny-attacker-inline (Deny Attacker), deny-connection-inline (Deny Connection), deny-packet-inline (Deny Packet), produce-alert (Produce Alert), reset-tcp-connection (Reset TCP Connection).
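As an added example (not from the deck), the four IPS slides joined into one ordered configuration: flash:/ips5, the signature categories, the auto-update schedule and FTP host are from the slides, while the rule name branch-ips, the password placeholder, signature 2004/0 and interface Serial0 are constructed for this example.

```cisco
! Added example, not from the original deck. flash:/ips5, the categories, the
! auto-update schedule and FTP host come from the slides; the rule name
! branch-ips, the password placeholder, signature 2004/0 and Serial0 are
! constructed for this example.
!
! 1. Storage for the compiled signature configuration (exec mode, once).
mkdir flash:/ips5
!
! 2. Selective download: retire all categories, then un-retire only the one
!    tuned for IOS routers, so only signatures that fit in memory are compiled.
configure terminal
ip ips signature-category
 category all
  retired true
  exit
 category ios_ips basic
  retired false
  exit
 exit
!
! 3. Name the IPS rule, point it at the directory, send alerts via SDEE.
ip ips name branch-ips
ip ips config location flash:/ips5
ip ips notify sdee
!
! 4. Scheduled auto-update from the intranet FTP server (values from the slide).
ip ips auto-update
 occur-at 59 12 1 1
 url ftp://intranet1.cisco.com
 username cisco password PASSWORD-PLACEHOLDER
 exit
!
! 5. Tune one signature: raise an alert and drop the offending packet inline.
ip ips signature-definition
 signature 2004 0
  engine
   event-action produce-alert deny-packet-inline
   exit
  alert-severity medium
  fidelity-rating 75
  status
   enabled true
   exit
  exit
 exit
!
! 6. Apply the rule inbound on the WAN-facing interface.
interface Serial0
 ip ips branch-ips in
end
```

The signature package itself is loaded with copy <package-url> idconf; the retired flags set in step 2 decide which of its signatures are compiled into flash:/ips5.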
Flexible Packet Matching (FPM)
Network Admission Control
Cisco.com/go/nac
Cisco IOS 802.1x (802.1x)
Diagram: branch router with 802.1x, AAA server, corporate office.
Cisco IOS AutoSecure (Network Foundation Protection)
• Disables non-essential services
• Eliminates DoS attacks based on fake requests
• Disables mechanisms that could be used to exploit security holes
Diagram: control plane with input (to control plane) and output (from control plane) paths around the CEF/FIB lookup.
Cisco.com/go/nfp
Cisco Network Foundation Protection (Network Foundation Protection)
Integrated Threat Defense Summary
• Safeguard the remote LAN and servers from attacks: Advanced Firewall, IPS, Flexible Packet Matching (FPM)
• Defend against worms, and keep the WAN clean: IPS, FPM, NAC, 802.1x
• Protect the router itself from hacking and DoS attacks: One Touch Router Lockdown, Control Plane Protection, Advanced Firewall, IPS, FPM

• Integrated solution simplifies deployment and management (SDM, CSM, CS-MARS)
• Minimizes cost of support and software subscription
• Cisco® Security Routers can satisfy a majority of PCI compliance requirements
• Now viable to deploy Firewall and IPS at remote sites
Secure Connectivity: GET VPN, DMVPN, SSL VPN, IPsec VPN
Cisco IOS Secure Connectivity Overview
Industry-Leading VPN Solutions
Cisco IOS Secure Connectivity Portfolio
Cisco Router Security platforms (left to right): Cisco 800 ISR, Cisco 1800 ISR, Cisco 2800 ISR, Cisco 3800 ISR, Cisco 7301, Cisco 7200, Cisco 7600, Catalyst 6500, XR12000
IPsec VPN (same order): 30 Mbps, 45 Mbps, 66 Mbps, 180 Mbps, 5K tunnels, 5K tunnels, 16K tunnels, 16K tunnels
SSL VPN (same order): 2 users, 25 users, 50 users, 100 users, 150 users, 150 users
SSL VPN modules: 50 users, 100 users, 200 users
Tunnel-less VPNs: GET VPN
Diagram: Cisco GET VPN providing any-to-any connectivity, scalable and real-time, with multicast across the WAN.

Key Benefits
• Large-scale any-to-any encrypted communications
• Native routing infrastructure without overlay
• Optimal for QoS and multicast—improves application performance
• Transport agnostic—private LAN/WAN, FR/ATM, IP, MPLS
• Offers flexible span of control among subscribers and providers
• Available on Cisco Integrated Services Routers, Cisco 7200 and Cisco 7301
Inside Cisco GET VPN (GET VPN)

GET VPN simplifies security policy and key distribution: a key server distributes policy and keys to the group members on subnets 1 to 4.

GET VPN uses IP header preservation to mitigate the routing overlay:
• Original IP packet: IP Header | IP Payload
• IPsec: New IP Header | ESP Header | Original IP Header | IP Payload
• GET VPN (IP header preservation): Original IP Header | ESP Header | Original IP Header | IP Payload

Overlay VPN network:
• Overlay routing
• Sub-optimal multicast replication
• Lack of advanced QoS

IP header preservation:
• Multicast replication done by network core
• Optimal routing introduced in VPN
• Advanced QoS for encrypted traffic
Service integration delivers greater value, stronger branding
Diagram: Service Provider NOC with SP-owned key servers; SP private network (MPLS) serving Customers A, B and C on Cisco 1800, 2800, 3800 and 7200 routers.
• Increased security
• Helps businesses comply with regulations: HIPAA, PCI
• Operational simplicity: centralized key server reduces complexity
• Easy service rollout
• Optimized network utilization: encrypted traffic is demand-driven
• Service innovation, unique offering: high-value services
• ISR can have "VRF-aware contexts"
• Centrally managed key servers enable group encryption
Cisco Dynamic Multipoint VPN (DMVPN)
Diagram: Site 1 and Site 2 spokes with a hub at the corporate office over the Internet; 1. Call; 4. On-Demand Tunnel; Tunnel 0 on 192.168.100.0/30 (.1 and .2); site subnet 192.168.2.0/24.
Cisco Easy VPN (IPsec VPN)
Diagram: Branch Office A, Branch Office B and the Corporate Office each hold a digital certificate issued by the Cisco IOS Certificate Authority server; connectivity over the Internet.
Cisco IOS SSL VPN (SSL VPN)
Diagram: remote users reach the router over the Internet.
• Cisco Router and Security Device Manager – simple GUI-based provisioning and management with step-by-step wizards for turn-key deployment
• Cisco Secure Desktop – prevents digital leakage, protects user privacy, easy to implement and manage, and works with desktop guest permissions
• Virtualization and VRF awareness – pool resources while masking the physical attributes and boundaries of the resources
Management and Instrumentation: SDM, NetFlow, IP SLA, Role Based Access
Cisco Security Management Suite
Cisco SDM: Extensive Application Intelligence (SDM)
Cisco Security Manager (CSM)
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Cisco® CS-MARS: "Know the battlefield"
• Mitigation and response turn-key system
• Gain network intelligence
• Use the network you have: correlate the router's NetFlow (WAN data) with FW, IDS, switch data
Diagram: inputs (Firewall Log, IDS Event, Server Log, Switch Log, Firewall Cfg., AV Alert, Switch Cfg., NAT Cfg., App Log, Router Cfg., NetFlow, VA Scanner, ...) are grouped into Sessions, passed through ContextCorrelation™ (correlates, reduces, categorizes events, validates incidents) and Rules, then verified to produce Valid Incidents, which allow for response.
Cisco IOS – Industry Leadership in Instrumentation
Your network management system is only as good as the data you can get from the devices in the network. E.g. NetFlow and IPS feed into CS-MARS and deliver superior monitoring.

Cisco® IOS® Instrumentation Feature | Value to Network Manager
------------------------------------|-------------------------------------------------
NBAR                                | Network performance data (latency & jitter)
NetFlow Day Zero Attack Detection (NetFlow)
Role Based CLI Access (Role-Based Access)
• Provide a view-based access to CLI commands
• View: set of operational commands and configuration capabilities
• User authentication is done via an external or internal AAA server (or TACACS+)
• Customer can define up to fifteen views, plus one reserved for the root user

Customized Access to Match Operational Needs
• Security operator: Config AAA, NetFlow; Show Cisco IOS Firewall, IPS
• Network engineer: Config routing; Config interfaces; Show
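As an added example (not from the deck), the two roles sketched on this slide expressed as IOS parser views; the view names, usernames and secrets are constructed placeholders, and the command lists follow the slide's role descriptions.

```cisco
! Added example, not from the original deck. View names, usernames and secrets
! are constructed placeholders; the command lists follow the slide (security
! operator: config AAA and NetFlow, show firewall and IPS; network engineer:
! config routing and interfaces, show). IOS allows up to fifteen such views
! plus the reserved root view.
!
! Views need AAA. Authentication is local here; a TACACS+/RADIUS server can
! instead return the view name with the user profile. Views are created from
! the root view (enable view), which requires the enable secret.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret 0 ROOT-SECRET-PLACEHOLDER
!
! "include all" admits every sub-option of the listed command prefix.
parser view security-operator
 secret 0 SECOPS-SECRET-PLACEHOLDER
 commands exec include configure terminal
 commands exec include all show policy-map type inspect
 commands exec include all show zone-pair security
 commands exec include all show ip ips
 commands configure include all aaa
 commands configure include all ip flow-export
 commands configure include all ip ips
!
parser view network-engineer
 secret 0 NETENG-SECRET-PLACEHOLDER
 commands exec include configure terminal
 commands exec include all show
 commands configure include all router
 commands configure include all interface
 commands interface include all ip
 commands interface include shutdown
!
! Bind users to their views so the view is selected at login; any command
! outside the view's list is rejected as unrecognised.
username secops view security-operator secret 0 USER-SECRET-PLACEHOLDER
username neteng view network-engineer secret 0 USER-SECRET-PLACEHOLDER
```

show parser view, run by a logged-in user, reports which view is active and therefore which command set applies.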
Cisco IOS Secure Device Operation

Cisco® IOS® Security Feature    | Function and Benefit
--------------------------------|------------------------------------------------------------------------------------------------
Encrypted web access            | Web-based device management (SDM) access encrypted with HTTPS
Encrypted CLI access            | Telnet CLI and HTTPS secured with SSHv2 and SSL encryption
Secure management access        | SNMPv3 allows secure management using off-the-shelf and custom applications; Cisco IOS supports DES and AES encryption; SANS Institute recently rated this the highest network security concern after basic concerns like password
Public key infrastructure (PKI) | Provides advanced security when compared with traditional pre-shared keys; removes the danger of pre-shared keys falling into the wrong hands
Secure RSA private key          | Protects against routers being taken over: if the hacker attempts to change the configuration, the private key is erased, rendering the router useless
Certificate server              | Lightweight certificate server provided within Cisco IOS to ease deployment
AAA integration                 | Allows user or group specific permissions to be stored conveniently in a AAA server
Security audit                  | Provides audit trail of configuration changes
Role based CLI access           | Allows separate sets of commands and levels of access; policy-making separated from ongoing operations, providing accountability
Configuration and event logging | Logs configuration changes on per-user and per-session basis, ensures reliable logging; more visibility and accountability, greater confidence in reporting mechanism
Summary
Leadership in Innovation and Integrated Solutions
Diagram: Cisco® Security Routers with GET VPN, DMVPN, SSL VPN, IPsec VPN, SDM, NetFlow, IP SLA and Role Based Access.
Cisco Security Router Certifications
Cisco.com/go/securitycert