IOS Security

Christophe Sarrazin
csarrazi@cisco.com

STG-Router-Security © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Cisco Security Router Portfolio

Platforms by deployment segment (Head Office, Branch Office, Small Branch, SMB, Small Office and Teleworker):

• Cisco 7600, Catalyst 6500: feature breadth and scale at highest performance
• Cisco 7200, Cisco 7301: performance and services density
• Cisco 3800 ISR: high density and performance for concurrent services
• Cisco 2800 ISR, Cisco 1800 ISR: embedded advanced voice, video, data and security services
• Cisco 800 ISR: embedded wireless, security and data
Cisco Security Router Technologies

Cisco® Security Routers

Secure Network Solutions: Secure Voice, Secure Mobility, Business Continuity, Compliance

Integrated Threat Defense: Advanced Firewall, URL Filtering, Intrusion Prevention, Flexible Packet Matching, Network Admission Control, 802.1x, Network Foundation Protection

Secure Connectivity: GET VPN, DMVPN, SSL VPN, IPsec VPN

Management and Instrumentation: Role-Based Access, SDM, NetFlow, IP SLA
Integrated Threat Defense

Components: Advanced Firewall, URL Filtering, Intrusion Prevention, Flexible Packet Matching, Network Admission Control, 802.1x, Network Foundation Protection
Integrated Threat Defense Overview

Capabilities
• Router protection: automated router lockdown, router availability during DoS
• Advanced Layer 3-7 firewall and web usage control
• Worm/virus prevention: distributed defense and rapid response to worms and viruses
• Control of wired/wireless user access and non-compliant devices

What this gives the branch office, small office and telecommuter
• Secure Internet access at the branch, without the need for additional devices
• Control worms and viruses right at the remote site, conserving WAN bandwidth
• Protect the router itself from hacking and DoS attacks

(Diagram: branch office and corporate office connected over the Internet; a hacker, illegal surfing and a worm/virus are the threats the branch router has to handle.)
Cisco IOS Firewall Overview (Advanced Firewall)

Advanced Layer 3-7 Firewall

• Cisco® IOS® Firewall is an ICSA- and Common Criteria-certified firewall
• Stateful filtering
• Application inspection (Layer 3 through Layer 7)
• Application control: Application Layer Gateway (ALG) engines for a wide range of protocols and applications
• Built-in DoS protection capabilities
• Supports deployments with VRFs, transparent mode and stateful failover

Cisco.com/go/iosfw
Zone-Based Policy Firewall (Advanced Firewall)

• Allows grouping of physical and virtual interfaces into zones
• Firewall policies are configured on traffic moving between zones
• Simple to add or remove interfaces and integrate them into the firewall policy

Supported features
• Stateful inspection
• Application inspection: IM, POP, IMAP, SMTP/ESMTP, HTTP
• URL filtering
• Per-policy parameters
• Transparent firewall
• VRF-aware firewall

(Diagram: three zones, Private (trusted), DMZ and Public (Internet, untrusted), with a policy attached to each zone-pair: Private-DMZ, DMZ-Private, Public-DMZ and Private-Public.)
Zone-Based Policy Firewall: configuration

! Zone definition
zone security Internet
zone security dmz
!
! Interface-to-zone mapping
interface serial0
 zone-member security Internet
interface Ethernet1
 zone-member security dmz
interface Ethernet2
 zone-member security dmz
!
! Zone-pair definition and service policy "policy_dmz"
zone-pair security internet_to_dmz source Internet destination dmz
 service-policy type inspect policy_dmz
Zone-Based Policy Firewall: configuration (continued)

! Class map (traffic to inspect)
class-map type inspect class1
 match protocol http
 match access-group 199
!
! Policy map (action: inspect, drop, police)
policy-map type inspect policy_dmz
 class type inspect class1
  inspect
!
! Access list referenced by the class map
access-list 199 permit …
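A complete three-zone policy of the kind sketched on the Private/DMZ/Public diagram, as an added example rather than the deck's own configuration: private to public and private to DMZ are inspected per application, public to DMZ is limited to HTTP towards the DMZ servers, and any zone-pair without a policy is dropped by default. The 192.168.1.0/24 employee LAN and the 192.168.3.14-16 servers come from the slides; the interface names, the 203.0.113.0/30 uplink address, the class/policy names and the parameter-map values are assumed.

```cisco
! Added example (not from the deck): three zones, default deny between zones,
! explicit inspect policies only for the zone-pairs shown on the diagram.
! Interface names and the 203.0.113.0/30 uplink are assumed values.
!
! Per-policy parameters, applied through the inspect action below
parameter-map type inspect zbf_params
 audit-trail on
 alert on
 sessions maximum 2000
!
! Applications employees (192.168.1.0/24) may initiate towards the Internet
class-map type inspect match-any private_to_public_apps
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! From the Internet, only HTTP to the DMZ web servers 192.168.3.14-16
access-list 110 permit tcp any host 192.168.3.14 eq www
access-list 110 permit tcp any host 192.168.3.15 eq www
access-list 110 permit tcp any host 192.168.3.16 eq www
class-map type inspect match-all public_to_dmz_http
 match access-group 110
 match protocol http
!
! Employees reaching the DMZ servers for web access and administration
class-map type inspect match-any private_to_dmz_apps
 match protocol http
 match protocol ssh
 match protocol icmp
!
policy-map type inspect private_to_public_policy
 class type inspect private_to_public_apps
  inspect zbf_params
 class class-default
  drop log
!
policy-map type inspect public_to_dmz_policy
 class type inspect public_to_dmz_http
  inspect zbf_params
 class class-default
  drop log
!
policy-map type inspect private_to_dmz_policy
 class type inspect private_to_dmz_apps
  inspect zbf_params
 class class-default
  drop log
!
zone security private
zone security dmz
zone security public
!
interface FastEthernet0/0
 description Employee LAN 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 zone-member security private
!
interface FastEthernet0/1
 description DMZ servers 192.168.3.0/24
 ip address 192.168.3.1 255.255.255.0
 zone-member security dmz
!
interface Serial0/0/0
 description Internet uplink (address assumed)
 ip address 203.0.113.2 255.255.255.252
 zone-member security public
!
! Only these zone-pairs carry traffic. There is no zone-pair from public to
! private or from dmz to private, so sessions initiated in that direction are
! dropped; return traffic of inspected sessions is allowed by the state table.
zone-pair security private_to_public source private destination public
 service-policy type inspect private_to_public_policy
zone-pair security public_to_dmz source public destination dmz
 service-policy type inspect public_to_dmz_policy
zone-pair security private_to_dmz source private destination dmz
 service-policy type inspect private_to_dmz_policy
```

Traffic to and from the router itself (the self zone) is not restricted by these zone-pairs and needs its own self-zone policy or control plane protection; active sessions can be checked with show policy-map type inspect zone-pair sessions.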
SDM 2.4 – Zone-Based Firewall Policies
VRF-Aware Zone-Based Policy Firewall

(Diagram: one IOS Firewall whose zones P, O, T and G are spread over VRF Grey, VRF Blue and VRF Orange, connected to the Internet, the WAN (VPN) and corporate headquarters.)

• Zone firewall has been VRF-aware since its inception
• VRF-aware zone firewall has a few more rules:
  – A firewall zone may contain interfaces in only one VRF
  – A VRF may contain multiple zones
  – Routing is required to allow traffic to move between VRFs; a zone-pair policy is not sufficient to allow traffic between VRFs
• Firewall syslog messages indicate the zone/zone-pair and not the VRF IDs
Application Inspection and Control (Advanced Firewall)

• Multi-channel inspection: Cisco® IOS® Firewall recognizes application-specific protocols, including control and data channels, and detects and prevents application-level attacks
• Protocol conformance: checks at varying levels depending on the specific protocol
• Protocol control: granular enforcement for HTTP and P2P, e.g. permit PUTs but deny GETs

Application-layer protocols recognized by Cisco IOS Firewall (keyword in parentheses)
• CU-SeeMe (cuseeme)
• FTP (ftp)
• Java (http)
• H.323 (h323)
• Microsoft NetShow (netshow)
• RealAudio (realaudio)
• Remote Procedure Call (rpc)
• Session Initiation Protocol (sip)
• Skinny Client Control Protocol (skinny)
• Simple Mail Transfer Protocol (smtp/esmtp)
• StreamWorks (streamworks)
• Structured Query Language*Net (sqlnet)
• TFTP (tftp)
• UNIX R commands (rcmd)
• VDOLive (vdolive)
• POP3 and IMAP (pop3 and imap)
• User-defined (user-defined name)
1. Protect the Inside LAN at Remote Sites with Split Tunneling Deployed (Advanced Firewall)

Cisco® IOS® Firewall policies
• Allow authenticated users to access corporate resources
• Restrict guest users to Internet access only
• Control peer-to-peer and instant messaging applications

(Diagram: at the branch office, employees on 192.168.1.x/24 reach the corporate office through an encrypted IPsec tunnel, while wireless guests on 192.168.2.x/24 can only reach the Internet; the branch router inspects the Internet traffic.)
2. Protect Servers at Remote Sites (Advanced Firewall)

• Cisco® IOS® Firewall policies applied to the DMZ protect distributed application servers and web servers hosted at remote sites

(Diagram: the same branch, with servers 192.168.3.14-16/24 hosted separately in a DMZ; employees on 192.168.1.x/24 use the IPsec tunnel to the corporate office, wireless guests are on 192.168.2.x/24.)
3. Protect WAN Link and Corporate Office (Advanced Firewall)

• Cisco® IOS® Firewall policies applied to private interfaces protect the WAN link from worms and protocol misuse attacks

(Diagram: the policies on the private interfaces protect the WAN link and upstream corporate resources; servers 192.168.3.14-16/24, employees 192.168.1.x/24 over the IPsec tunnel, wireless guests 192.168.2.x/24.)
4. Transparent Firewall and IPS (Advanced Firewall)

• Cisco® IOS® transparent firewall policies at bridge interfaces enforce inspection and control of LAN traffic
• Simplifies firewall and IPS deployment at small offices running key applications in a single address space

(Diagram: a single subnet spanning the bridged interfaces: servers 192.168.1.14-16/24, contractors 192.168.1.13/24 and wireless guests 192.168.1.12/24, with the IPsec tunnel to the corporate office.)
• No change to statically addressed devices
• Supports DHCP pass-through to assign DHCP addresses on opposite interfaces
• Restricts access to specified devices on a subnet
Cisco IOS Stateful Firewall Failover (Business Continuity)

For Cisco 3800 Integrated Services Routers

• Supports both LAN/VPN interfaces
• Active/Standby configuration
• Maximizes firewall uptime for mission-critical applications

(Diagram: an active and a standby firewall between the protected network and the public network/WAN router, and an active and a standby hub firewall at the head end serving the remote-site network, with failover between each pair.)
Cisco IOS Firewall – Summary (Advanced Firewall)

Stateful Policy Filtering (L3-L4)
• Advanced filtering by matching regular expressions anywhere within the packet
• Stateful firewall: dynamic filtering by tracking IP address and port data for flows
• Transparent firewall: bridge-like filtering to segregate the network

Application Inspection & Control (L5-L7)
• Application firewall: protocol conformance
• Defend against attacks disguised as SMTP, HTTP, IMAP, POP3 packets
• Application control: restrict HTTP get/post methods, refuse file attachments in IM, block P2P applications such as Kazaa
• VRF-aware firewall

Resilience
• DoS protection
• Stateful firewall failover
• ICSA, Common Criteria EAL4 certified
• Miercom tested services

Ease of Management
• Simple to create security policy between security zones
• SDM: GUI device manager
• CSM: policy management
• SNMP MIB: firewall monitoring

Granular Policy Enforcement
• Per-user policies to grant/deny access to corporate assets
• URL filtering to control and monitor access to prohibited websites
Cisco IOS URL Filtering (URL Filtering)

Internet Usage Control

• Control employee access to entertainment sites during work hours
• Control downloads of objectionable or offensive material, limit liabilities
• Cisco® IOS® supports static white-list and black-list URL filtering
• External filtering servers, e.g. Websense or SmartFilter, can be used at the corporate office, with Cisco IOS static lists as backup
• SDM 2.3 supports configuring static lists and importing .csv files for URL lists

(Diagram: a host at the branch office attempting illegal surfing on the Internet.)
Cisco IOS IPS Overview (IPS)

• Cisco® IOS® features inline IPS operation
• Scans packets and sessions flowing through the router
• Detects suspicious activity by matching against Cisco IOS IPS signatures
• Responds in real time through any of the following actions: ALARM, DROP, RESET, DENY-ATTACKER-INLINE, DENY-FLOW-INLINE

(Diagram: branch office and corporate office server farm, with the IPS signature database illustrated by a Sober virus signature, "Regex: unolVamKObp6JoaFVaqKuYnaSoqWhnVV".)

http://www.cisco.com/go/iosips
Cisco IOS Intrusion Prevention (IPS)

Distributed Defense Against Worms and Viruses

• Cisco® IOS® IPS stops attacks at the entry point, conserves WAN bandwidth, and protects the router and remote network from DoS attacks
• Integrated form factor makes it cost-effective and viable to deploy IPS in small and medium business and enterprise branch/telecommuter sites
• Supports 2000+ signatures, sharing the same signature database available with Cisco IPS sensors
• Allows custom signature sets and actions to react quickly to new threats

(Diagram: branch office, small branch and small office/telecommuter sites connected to the corporate office over the Internet: protect the router and local network from DoS attacks, stop attacks before they fill up the WAN, apply IPS on traffic from branches to kill worms from infected PCs.)

Cisco.com/go/iosips
Cisco IOS IPS and IDS Network Module (IPS)

Capability: Cisco IOS IPS / IDS Network Module
• Dedicated CPU and DRAM for IPS: No / Yes
• Inline and promiscuous detection/mitigation: Yes / No
• Signatures supported: a subset of signatures, subject to available memory / all signatures simultaneously
• Automatic signature updates: Yes / Yes
• Day-zero anomaly detection: No / Yes
• Rate limiting: No / Yes
• IPv6 detection: No / Yes
• CSA-IPS collaboration: No / Yes
• Device management: IOS CLI, SDM / IPS CLI, IDM
• System management: CSM / CSM
• Event monitoring and correlation: IEV, CS-MARS / IEV, on-box Meta Event Generator, CS-MARS
Cisco IOS IPS Deployment (IPS) – New! Available Nov 06

• Download the latest Cisco® IPS signature package from http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
  Contains a digitally signed default (master) signature file that includes signatures used by all Cisco IPS products
• Select a base signature set for your Cisco Security Router using CLI commands
  Cisco recommended signature categories are IOS-Basic or IOS-Advanced
• Customize your signature list using CLI commands
  Select additional signatures as desired
  Delete signatures not relevant to the applications you're running
  Tune actions of individual signatures (e.g. add the "drop" action) as desired
  Note: by default, all signatures only send an alarm when triggered
  Test your custom signature set in a lab setting before actual deployment
• For details, see the Cisco IOS® IPS configuration guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t11/ips_v5.htm
Cisco IOS Transparent IPS (IPS)

• Provides Layer 2 connectivity with Layer 3 IPS support
• Easily add IPS to existing networks – no IP subnet renumbering required!
• Operates on bridged packets; Layer 3 IPS continues to operate on routed packets
• No need for IP addresses on the interfaces
• DHCP pass-through assigns addresses on opposite interfaces (bidirectional)

Features supported
• Sub-interfaces and VLAN trunks
• Spanning Tree Protocol: handles BPDU packets correctly per 802.1d, not just "pass/drop"
• Mix L2 and L3 IPS on the same router
• Supports all standard management tools

(Diagram: a remote site with a large wireless range and wireless devices reaching a database server at the corporate office; the question raised is how to restrict those devices.)
IPS configuration: selective download

! Unselect all signatures
ip ips signature-category
 category all
  retired true
  exit
! Select a specific category (ios_ips basic)
 category ios_ips basic
  retired false
IPS configuration

! Create the directory for the signature configuration
mkdir flash:/ips5
!
! IPS configuration
ip ips name mon_ips
ip ips config location flash:/ips5
!
interface Ethernet 0
 ip ips mon_ips {in | out}
!
! Download the signatures
copy tftp://tftp_server/ios-s276-cli.pkg idconf
Signatures Auto-Update

ip ips auto-update
 occur-at 59 12 1 1
 url ftp://intranet1.cisco.com
 username cisco
Customize signatures

ip ips signature-definition
 signature signature-id [subsignature-id]
  engine
   event-action action
   exit
  alert-severity {high | medium | low | informational}
  fidelity-rating rating
  status
   enabled {true | false}

Available event actions
• deny-attacker-inline: Deny Attacker
• deny-connection-inline: Deny Connection
• deny-packet-inline: Deny Packet
• produce-alert: Produce Alert
• reset-tcp-connection: Reset TCP Connection
Flexible Packet Matching (FPM)

Rapid Response to New and Emerging Attacks

• Network managers require tools to filter day-zero attacks, e.g. prior to IPS signatures being available
• Traditional ACLs take a shotgun approach – legitimate traffic could be blocked
  Example: stopping Slammer with ACLs meant blocking port 1434, i.e. denying business transactions involving Microsoft SQL
• FPM delivers flexible, granular Layer 2-7 matching
  Example: port 1434 + packet length 404 B + specific pattern within payload → Slammer
• Useful for CERT-like teams within service providers and enterprise customers

Flexible classification and rapid response
• Goes beyond static attributes – specify arbitrary bits/bytes at any offset within the payload or header
• Classify on multiple attributes within a packet
• Set up custom filters rapidly using an XML-based policy language

(Diagram: a bit pattern matched with "Match Pattern", "And", "Or" and "Not" operators.)

Cisco.com/go/fpm
FPM through CLI for SQL Slammer

! The ip and udp protocol header definition files (PHDF) must be loaded
! before these class-maps can reference their fields
!
! Class-map for UDP traffic
class-map type stack match-all ip_udp
 description "match UDP over IP packets"
 match field ip protocol eq 0x11 next udp
!
! Class-map to identify Slammer traffic
class-map type access-control match-all slammer
 description "match on slammer packets"
 match field udp dest-port eq 0x59A
 match field ip length eq 0x194
 match start l3-start offset 224 size 4 eq 0x00401010
!
! Drop slammer
policy-map type access-control fpm_udp_policy
 description "policy for UDP based attacks"
 class slammer
  drop
!
policy-map type access-control fpm_policy
 description "drop worms and malicious attacks"
 class ip_udp
  service-policy fpm_udp_policy
!
! Apply the service-policy to the interface
interface gigabitEthernet 0/1
 service-policy type access-control input fpm_policy
FPM Traffic Classification Example for SQL Slammer

load classification flash:sql-slammer.tcdf

<?xml version="1.0" encoding="UTF-8"?>
<tcdf>
  <class name="ip-udp" type="stack">
    <match>
      <eq field="ip.protocol" value="0x11" next="udp"></eq>
    </match>
  </class>

  <class name="slammer" type="access-control" match="all">
    <match>
      <eq field="udp.dest-port" value="0x59A"></eq>
      <eq field="ip.length" value="0x194"></eq>
      <eq start="l3-start" offset="224" size="4" value="0x00401010"></eq>
    </match>
  </class>

  <policy type="access-control" name="fpm-udp-policy">
    <class name="slammer"></class>
    <action>drop</action>
  </policy>
</tcdf>
Network Admission Control (Network Admission Control)

Detection and Isolation of Noncompliant Devices

• Enforces access privileges based on endpoint security posture
  Allows compliant, trusted endpoints only
  Restricts network access by noncompliant devices
• Limits damage from viruses and worms
• Supports multiple AV vendors and Cisco® Security Agent
• Cisco® 3800, 2800 and 1800 ISR Security Bundles ship with NAC capability

(Diagram: hosts attempting network access run the Cisco Trust Agent and present credentials over EAP/UDP or EAP/802.1x to the enforcement device, which relays them over RADIUS to the policy (AAA) server; the policy server checks them over HTTPS with the vendor server of a coalition of market-leading vendors, decides "Comply?", and returns access rights and a notification.)

Cisco.com/go/nac
Cisco IOS 802.1x (802.1x)

Controlled Network Access

• New NME 16, 24 and 48 port EtherSwitch modules support 802.1x authentication and NAC
  The smaller port density HWIC-4/9 supports only basic 802.1x authentication and Layer 3 NAC in the router
• Controls who gets access to the network
  802.1x, Layer 2 NAC, ACL, port security, MAC address notify
• Secure management
  RADIUS/TACACS+, SSH, SNMPv3
• Plus Power over Ethernet (PoE) 802.3af

Integrated branch switching: NME-ESW 16, 24 and 48 port 10/100 EtherSwitch

(Diagram: 802.1x identity enforcement on a branch router with a 24-port EtherSwitch, authenticating against an AAA server at the corporate office across the WAN.)
Cisco IOS AutoSecure (Network Foundation Protection)

One-Touch Automated Router Lockdown

Disables non-essential services
• Eliminates DoS attacks based on fake requests
• Disables mechanisms that could be used to exploit security holes

Enforces secure access
• Enforces enhanced security in accessing the device
• Enhanced security logs
• Prevents attackers from knowing packets have been dropped

Secures the forwarding plane
• Protects against SYN attacks
• Anti-spoofing
• Enforces stateful firewall configuration on external interfaces, where available

Cisco.com/go/autosecure
Cisco IOS Control Plane Policing (Network Foundation Protection)

Continual Router Availability Under Duress

• Mitigates DoS attacks on the control plane (route processor), e.g. ICMP floods
• Polices and throttles incoming traffic to the control plane, maintains packet forwarding and protocol states during attacks or heavy traffic load

(Diagram: the control plane (management: SNMP, Telnet, SSH, SSL; routing updates; ICMP; IPv6; ...) sits above the packet buffers. Incoming packets go through a CEF/FIB lookup: locally switched packets leave through the output buffer, while processor-switched packets reach the control plane through Control Plane Policing on input, which alleviates DoS attacks; silent mode on the output from the control plane prevents reconnaissance.)

Cisco.com/go/nfp
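A control-plane policing policy of the kind described above, as an added example (not the deck's own configuration): traffic punted to the route processor is classified into routing, management and ICMP and each class is policed separately, so an ICMP flood cannot starve routing updates or SSH. The 192.168.1.0/24 management network comes from the deck; the SNMP server address, the ACL/class names and all rates are assumed starting values.

```cisco
! Added example (not from the deck): rate-limit traffic destined to the
! route processor. 192.168.1.10 (SNMP server) and all rates are assumed;
! tune them from the counters in 'show policy-map control-plane'.
!
! Routing protocols: classified first so they are never dropped by the
! catch-all class below (exceed-action transmit only counts excess)
ip access-list extended COPP_ROUTING
 permit ospf any any
 permit eigrp any any
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
! Management sessions only from the internal network
ip access-list extended COPP_MGMT
 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 permit udp host 192.168.1.10 any eq snmp
 permit udp any eq ntp any
!
! ICMP to the router: useful for troubleshooting, cheap for an attacker to flood
ip access-list extended COPP_ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP_ROUTING
 match access-group name COPP_ROUTING
class-map match-all COPP_MGMT
 match access-group name COPP_MGMT
class-map match-all COPP_ICMP
 match access-group name COPP_ICMP
!
! Rates in bps, burst in bytes
policy-map COPP_POLICY
 class COPP_ROUTING
  police 512000 16000 conform-action transmit exceed-action transmit
 class COPP_MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP_ICMP
  police 32000 1500 conform-action transmit exceed-action drop
 class class-default
  police 64000 2000 conform-action transmit exceed-action drop
!
! Attach the policy to the control plane (input = towards the route processor)
control-plane
 service-policy input COPP_POLICY
```

Anything not matched by an explicit class, including unknown protocols and Telnet from outside the management network, falls into class-default and is limited to 64 kbps; watch the exceed counters for a while before tightening the routing class, since dropping routing adjacencies is itself a denial of service.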
Cisco Network Foundation Protection (Network Foundation Protection)

Data plane feature: function and benefit
• NetFlow: macro-level, anomaly-based DDoS detection through counting the number of flows (instead of contents); provides rapid confirmation and isolation of the attack
• Access Control Lists (ACLs): protect edge routers from malicious traffic; explicitly permit the legitimate traffic that can be sent to the edge router's destination address
• Flexible Packet Matching (FPM): next-generation "Super ACL" – pattern matching capability for more granular and customized packet filters, minimizing inadvertent blocking of legitimate business traffic
• Unicast Reverse Path Forwarding (uRPF): mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network
• Remotely Triggered Black Holing (RTBH): drops packets based on source IP address; filtering is at line rate on most capable platforms. Hundreds of lines of filters can be deployed to multiple routers even while the attack is in progress
• QoS tools: protect against flooding attacks by defining QoS policies to limit bandwidth or drop offending traffic (identify, classify and rate limit)

Control plane feature: function and benefit
• Receive ACLs: control the type of traffic that can be forwarded to the processor
• Control Plane Policing: provides QoS control for packets destined to the control plane of the routers; ensures adequate bandwidth for high-priority traffic such as routing protocols
• Routing protection: MD5 neighbor authentication protects the routing domain from spoofing attacks; redistribution protection safeguards the network from excessive conditions; overload protection (e.g. prefix limits) enhances routing stability

Management plane feature: function and benefit
• CPU and memory thresholding: protects CPU and memory of the Cisco® IOS® Software device against DoS attacks
• Dual export syslog: syslog exported to dual collectors for increased availability
Integrated Threat Defense Summary

• Safeguard the remote LAN and servers from attacks
  Advanced Firewall, IPS, Flexible Packet Matching (FPM)
• Defend against worms, and keep the WAN clean
  IPS, FPM, NAC, 802.1x
• Protect the router itself from hacking and DoS attacks
  One-Touch Router Lockdown, Control Plane Protection, Advanced Firewall, IPS, FPM
• Integrated solution
  Simplifies deployment and management (SDM, CSM, CS-MARS)
  Minimizes cost of support and software subscription
• Cisco® Security Routers can satisfy a majority of PCI compliance requirements
• Now viable to deploy Firewall and IPS at remote sites

Integrated Threat Defense: Advanced Firewall, URL Filtering, Intrusion Prevention, Flexible Packet Matching, Network Admission Control, 802.1x, Network Foundation Protection
Secure Connectivity

GET VPN, DMVPN, SSL VPN, IPsec VPN
Cisco IOS Secure Connectivity Overview

Industry-Leading VPN Solutions

Solution: key technologies
• Site-to-Site VPN (Mesh): Group-Encrypted Transport (GET) VPN for tunnel-less any-to-any connectivity; Dynamic Multipoint VPN (DMVPN) for on-demand VPNs
• Site-to-Site VPN (Hub-and-Spoke): Enhanced Easy VPN with Dynamic Virtual Tunnel Interfaces, dynamic policy push and high scalability; Routed IPsec + GRE with dynamic routing support
• Remote Access VPN: SSL VPN with no client installation required; Easy VPN (IPsec) with Cisco dynamic policy push and free VPN clients for Windows, Linux, Solaris and Mac
• Standard IPsec: full standards compliance for interoperability with other vendors
Cisco IOS Secure Connectivity Portfolio

Cisco router security platforms: 800 ISR, 1800 ISR, 2800 ISR, 3800 ISR, 7301, 7200, 7600, Catalyst 6500, XR12000

Platform IPsec VPN
• 800 ISR: 30 Mbps; 1800 ISR: 45 Mbps; 2800 ISR: 66 Mbps; 3800 ISR: 180 Mbps
• 7301: 5K tunnels; 7200: 5K tunnels; 7600: 16K tunnels; Catalyst 6500: 16K tunnels

Platform SSL VPN
• 800 ISR: 2 users; 1800 ISR: 25 users; 2800 ISR: 50 users; 3800 ISR: 100 users; 7301: 150 users; 7200: 150 users

VPN modules
• 1800 ISR: AIM-VPN/SSL-1 (SSL & IPsec, new!) – 95 Mbps IPsec, 50 SSL users
• 2800 ISR: AIM-VPN/SSL-2 (SSL & IPsec, new!) – 145 Mbps IPsec, 100 SSL users
• 3800 ISR: AIM-VPN/SSL-3 (SSL & IPsec, new!) – 200 Mbps IPsec, 200 SSL users
• 7301: VAM II+ – 280 Mbps IPsec
• 7200: VSA (new!) – 960 Mbps IPsec
• 7600 and Catalyst 6500: IPsec VPN SPA (SPA-IPSEC-2G, SPA-IPSEC-2G-2, new!) – 2.5 Gbps IPsec each
Tunnel-less VPNs (GET VPN)

A New Security Model

IPsec point-to-point tunnels
• Scalability is an issue (N^2 problem)
• Overlay routing
• Any-to-any instant connectivity cannot be done to scale
• Limited advanced QoS
• Multicast replication inefficient

Tunnel-less VPN
• Data is encrypted without need for a tunnel overlay – scalable any-to-any
• Routing/multicast/QoS integration is optimal – native routing
• Encryption can be managed by either subscribers or service providers
• Customized, per-application encryption
Cisco Group-Encrypted Transport (GET) VPN (GET VPN) – New! Available Nov 06

Cisco® GET VPN delivers a revolutionary solution for tunnel-less, any-to-any branch confidential communications

Key benefits
• Large-scale any-to-any encrypted communications
• Native routing infrastructure without overlay
• Optimal for QoS and multicast – improves application performance
• Transport agnostic – private LAN/WAN, FR/ATM, IP, MPLS
• Offers flexible span of control among subscribers and providers
• Available on Cisco Integrated Services Routers, Cisco 7200 and Cisco 7301

(Diagram: Cisco GET VPN at the centre of any-to-any connectivity, scalable and real-time.)
Inside Cisco GET VPN (GET VPN)

GET VPN simplifies security policy and key distribution: group members on subnets 1 to 4 encrypt traffic across the private WAN using keys and policy obtained from the (cooperative) key servers.

GET VPN uses IP header preservation to mitigate the routing overlay:
• Original IP packet: IP header | IP payload
• IPsec tunnel mode: new IP header | ESP header | original IP header | IP payload
• GET IP header preservation: original IP header | ESP header | original IP header | IP payload

• GET uses Group Domain of Interpretation (GDOI), RFC 3547 standards-based key distribution
• GET adds cooperative key servers for high availability
• Key servers authenticate and distribute keys and policies; group member provisioning is minimized; application traffic is encrypted by group members
Cisco GET VPN Features and Benefits (GET VPN)

Previous limitation: new feature and associated benefits
• Multicast traffic encryption through IPsec tunnels (not scalable, difficult to troubleshoot): encryption for native multicast and unicast traffic with GDOI – allows higher scalability, simplifies troubleshooting, extensible standards-based framework
• Overlay VPN network (overlay routing, sub-optimal multicast replication, lack of advanced QoS): IP header preservation – multicast replication done by the network core, optimal routing introduced in the VPN, advanced QoS for encrypted traffic
• No full-mesh scalability (primarily hub-and-spoke, spoke-to-spoke not scalable): any-to-any instant enterprise connectivity – leverages MPLS for instant communication, optimal for Voice over VPN deployments
Managed Tunnel-less VPN Services (GET VPN)

• Service integration delivers greater value, stronger branding
• Increased security: helps businesses comply with regulations (HIPAA, PCI)
• Operational simplicity: centralized key server reduces complexity, easy service rollout
• Optimized network utilization
• Service innovation, unique offering
• High-value services

(Diagram: customers A, B and C, on Cisco 1800, 2800, 3800 and 7200 routers, connected over the service provider's private (MPLS) network, with SP-owned key servers in the service provider NOC.)
• Encrypted traffic is demand-driven
• ISRs can have "VRF-aware contexts"
• Centrally managed key servers enable group encryption
Cisco Dynamic Multipoint VPN (DMVPN)

(Diagram: the hub at the corporate office has a static IP address; sites 1 to n have dynamic IP addresses and permanent tunnels to the hub over the Internet. For a call from site 1 to site 2: 1. call, 4. on-demand tunnel set up directly between the two spokes, 5. ring at site 2.)

• Scalable mesh – on-demand tunnels torn down after use
• Reduced latency and jitter for voice – avoids the double hop over the hub
• Improved throughput – avoids encrypt and decrypt at the hub
• Easy to deploy and maintain – on-demand tunnels are automatic, minimal hub configuration and change management
IPsec Virtual Tunnel Interface (VTI) (IPsec VPN)

Simplified VPN Deployment

ƒ Eliminates crypto maps, ACLs, Generic Route Encapsulation (GRE)
ƒ 1:1 relationship between tunnels and sites with a dedicated logical interface
ƒ Scales better than GRE
ƒ Supports QoS, multicast, and other functions that previously required GRE
ƒ Improves VPN interoperability with other vendors

Diagram: LAN 192.168.1.0/24 behind router .1, LAN 192.168.2.0/24 behind router .2; Tunnel 0 (192.168.100.0/30) between the two routers across the Internet.
Cisco Easy VPN (IPsec VPN)

Centralized Policy-Based Management

ƒ Automated deployments – no user intervention
ƒ Enforces consistent policy on remote devices
ƒ Add new devices without changes at the head-end
ƒ Centralized policy push
ƒ Supports dynamic connections
ƒ Interoperable across Cisco® access and security devices
ƒ Cisco VPN client – the only FIPS-certified client

What's New in Easy VPN?
ƒ CTA/NAC policy enforcement
ƒ VPN integrated client firewall
ƒ Password aging via AAA
ƒ cTCP NAT transparency and firewall traversal
ƒ DHCP client proxy and DDNS registration
ƒ Split DNS
ƒ Per-user policy from RADIUS
ƒ Support for identically addressed spokes behind NAT with split tunnels
ƒ VTI manageability – display of VRF information, summary commands

Diagram: 1. Remote calls 'home'; 2. Validate, policy push; 3. VPN tunnel across the Internet to the Cisco Security Router at the Corporate Office. Clients: Cisco VPN Software Client on PC/Mac/UNIX; Hardware Client: Cisco ASA, PIX, Security Router. Cisco.com/go/easyvpn
Cisco IOS Certificate Authority Server (IPsec VPN)

Simplified PKI Deployment

ƒ Router can now be a Certificate Authority (CA) server – eliminates the complexity of installing a separate PKI/CA server
ƒ Key rollover for certificate renewal – allows the certificate renewal request to be made before the certificate expires
ƒ Easy VPN now works with PKI certificates – can use the Cisco® IOS® CA server for enrollment

Diagram: Branch Office A and Branch Office B, each holding a digital certificate, connect over the Internet to the Corporate Office, where the Cisco IOS Certificate Authority Server issues the certificates.
Cisco IOS SSL VPN (SSL VPN)

Clientless Access (SSL over the Internet: Web based + Application Helper)
ƒ Browser-based (clientless)
ƒ Gateway performs content transformation
ƒ File Sharing (CIFS), OWA, Citrix
ƒ Java-based application helper

Full Network Access (IP over SSL over the Internet: IP-based applications)
ƒ Application agnostic
ƒ Tunnel client dynamically loaded
ƒ No reboot required after installation
ƒ Client may be permanently installed or removed dynamically

ƒ Cisco Router and Security Device Manager – simple GUI-based provisioning and management with step-by-step wizards for turn-key deployment
ƒ Cisco Secure Desktop – prevents digital leakage, protects user privacy, easy to implement & manage, and works with desktop guest permissions
ƒ Virtualization and VRF awareness – pool resources while masking the physical attributes and boundaries of the resources
Management and Instrumentation

SDM, Role Based Access, NetFlow, IP SLA
Cisco Security Management Suite

Cisco® Security Device Manager (SDM)
• Quickest way to set up a device
• Configures all device parameters
• Wizards to configure FW, IPS, VPN, QoS and Wireless
• Ships with the device

Cisco Security Manager
• New solution for configuring routers, appliances, switches
• New user-centered design
• New levels of scalability

Cisco Security MARS
• Solution for monitoring and mitigation
• Uses control capabilities within the infrastructure to eliminate attacks
• Visualizes attack paths
Cisco Security Device Manager (SDM) (SDM)

Ease of Use with Application Intelligence

ƒ Cisco SDM is an intuitive, Web-based tool for easy and reliable deployment and management of services on Cisco IOS® routers
ƒ Ease of use: smart wizards, built-in tutorials
ƒ Application intelligence: knowledge base of TAC-approved Cisco IOS configurations
ƒ Integrated services management: routing, switching, security, wireless, QoS
Cisco SDM: Extensive Application Intelligence (SDM)

Screenshots: Cisco® IOS® Firewall Policy View; LAN/WAN Interface Monitoring; In-Line IPS; QoS Wizard.
Cisco Security Manager (CSM)

ƒ Feature-rich front-end
ƒ Different views for different administration preferences: Device, Policy and Topology Views
ƒ Unified security service management independent of the enforcing device: Firewall, VPN, IPS
ƒ Supports ISR, ASA, PIX, IPS sensors and Catalyst service modules

Screenshots: Topology View; Policy View; Device View.
Cisco Security Monitoring, Analysis and Response System (CS-MARS)

ƒ Cisco® CS-MARS "Know the battlefield": mitigation and response turn-key system
ƒ Gain network intelligence: use the network you have, correlate the router's NetFlow (WAN data) with FW, IDS and switch data
ƒ Build topology and traffic flow model
ƒ Know device configuration and enforcement abilities
ƒ ContextCorrelation™: correlates, reduces and categorizes events, validates incidents
ƒ Allows for response

Diagram: inputs (Firewall Log, IDS Event, Server Log, Switch Log, Firewall Cfg., AV Alert, Switch Cfg., NAT Cfg., App Log, Router Cfg., NetFlow, VA Scanner, ...) feed the pipeline Isolated Events -> Sessions -> Rules -> Verify -> Valid Incidents.
Cisco IOS – Industry Leadership in Instrumentation

Your network management system is only as good as the data you can get from the devices in the network.
ƒ E.g. NetFlow and IPS feed into CS-MARS and deliver superior monitoring

Cisco® IOS® Instrumentation Feature     Value to Network Manager
NBAR                                    Network performance data (latency & jitter)
NetFlow                                 Detailed statistics for all data flows in the network
Role-Based CLI Access                   Provides partitioned, non-hierarchical access (e.g. Network and Security Operations)
SNMP v3 and SNMP informs                Reliable traps using SNMP informs
Syslog Manager and XML-formatted syslog Total flexibility to parse and control syslog messages on the router itself
TCL Scripting and Kron (Cron) jobs      Flexible, programmatic control of the router
NetFlow Day Zero Attack Detection (NetFlow)

ƒ Monitor traffic for anomalies
ƒ Identify and classify the attack
ƒ Trace the attack to its source

Cisco® IT prevented SQL Slammer at Cisco by watching flows per port.
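As an added example (not from the deck or from any Cisco tool), a minimal Python version of the "watching flows per port" approach above, run over constructed NetFlow-style records: it counts the distinct destinations each source reaches on one port, flags the fan-out a scanning worm produces (SQL Slammer spread over UDP/1434), classifies the flagged traffic by packets per flow, and ranks sources so the attack can be traced to its origin. All addresses, thresholds and window sizes are constructed for the example.

```python
"""Per-port fan-out detection over NetFlow-style records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the collection window
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    pkts: int


# Constructed sample: a little ordinary traffic plus one host sweeping UDP/1434,
# the port SQL Slammer used. Every scan flow is a single packet to a new host.
SAMPLE_FLOWS = [
    Flow(1, "10.1.1.5", "10.2.0.10", "tcp", 80, 40),
    Flow(2, "10.1.1.7", "10.2.0.10", "tcp", 443, 70),
    Flow(3, "10.1.1.9", "10.2.0.25", "udp", 53, 1),
] + [Flow(5 + i % 10, "10.1.1.42", f"10.2.{i // 250}.{i % 250 + 1}", "udp", 1434, 1)
     for i in range(300)]


def fanout_by_port(flows, window=60):
    """Count distinct destinations per (src, proto, dport) inside the time window."""
    seen = defaultdict(set)
    for f in flows:
        if f.ts < window:
            seen[(f.src, f.proto, f.dport)].add(f.dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def detect_scanners(flows, threshold=50, window=60):
    """Sources exceeding the fan-out threshold on one port, highest first,
    so the origin of the spread is the first line an analyst sees."""
    counts = fanout_by_port(flows, window)
    hits = [(s, p, d, n) for (s, p, d), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: h[3], reverse=True)


def classify(flows, src, proto, dport):
    """Single-packet flows to one port look like a worm sweep; multi-packet
    flows are ordinary sessions or bulk transfers."""
    sel = [f for f in flows if (f.src, f.proto, f.dport) == (src, proto, dport)]
    avg_pkts = sum(f.pkts for f in sel) / len(sel)
    if avg_pkts <= 1.5:
        return f"single-packet {proto}/{dport} sweep (worm-like)"
    return f"multi-packet {proto}/{dport} sessions"
```

Calling `detect_scanners(SAMPLE_FLOWS)` returns the single sweeping host with its fan-out count, and `classify` on that tuple labels it as a worm-like sweep.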

Role-Based CLI Access (Role-Based Access)

ƒ Provides view-based access to CLI commands
ƒ View: a set of operational commands and configuration capabilities
ƒ User authentication is done via an external or internal AAA server (or TACACS+)
ƒ Customer can define up to fifteen views, plus one reserved for the root user

Customized Access to Match Operational Needs
Security operator:
• Config AAA, NetFlow
• Show Cisco IOS Firewall, IPS
Network engineer:
• Config routing
• Config interfaces
• Show
Cisco IOS Secure Device Operation

Cisco® IOS® Security Feature     Function and Benefit
Encrypted web access             ƒ Web-based device management (SDM) access encrypted with HTTPS
Encrypted CLI access             ƒ Telnet CLI and HTTPS secured with SSHv2 and SSL encryption
Secure management access         ƒ SNMPv3 allows secure management using off-the-shelf and custom applications
                                 ƒ Cisco IOS supports DES and AES encryption
                                 ƒ SANS Institute recently rated the highest network security concern after basic concerns like password
Public key infrastructure (PKI)  ƒ Provides advanced security when compared with traditional pre-shared keys
                                 ƒ Removes the danger of pre-shared keys falling into the wrong hands
Secure RSA private key           ƒ Protects against routers being taken over: if the hacker attempts to change the configuration, the private key is erased, rendering the router useless
Certificate server               ƒ Lightweight certificate server provided within Cisco IOS to ease deployment
AAA integration                  ƒ Allows user- or group-specific permissions to be stored conveniently in a AAA server
Security audit                   ƒ Provides an audit trail of configuration changes
Role-based CLI access            ƒ Allows separate sets of commands and levels of access
                                 ƒ Policy-making separated from ongoing operations, providing accountability
Configuration and event logging  ƒ Logs configuration changes on a per-user and per-session basis, ensures reliable logging
                                 ƒ More visibility and accountability, greater confidence in the reporting mechanism
Summary

Leadership in Innovation and Integrated Solutions

Cisco® Security Routers

Secure Network Solutions: Secure Voice, Secure Mobility, Business Continuity, Compliance
Integrated Threat Defense: Advanced Firewall, URL Filtering, Intrusion Prevention, Flexible Packet Matching, Network Admission Control, 802.1x, Network Foundation Protection
Secure Connectivity: GET VPN, DMVPN, SSL VPN, IPsec VPN
Management and Instrumentation: SDM, Role Based Access, NetFlow, IP SLA
Cisco Security Router Certifications

Platform                     FIPS 140-2  ICSA    ICSA      Common Criteria  Common Criteria
                             Level 2     IPsec   Firewall  IPsec (EAL4)     Firewall (EAL4)
Cisco® 870 ISR               ✓           ✓       ✓         Q3CY07           ✓
Cisco 1800 ISR               ✓           ✓       ✓         Q3CY07           ✓
Cisco 2800 ISR               ✓           ✓       ✓         Q3CY07           ✓
Cisco 3800 ISR               ✓           ✓       ✓         Q3CY07           ✓
Cisco 7200 VAM2+             ✓           ✓       ✓         Q3CY07           ✓
Cisco 7200 VSA               Q4CY07      Q2CY07  Q2CY07    Q3CY07           ---
Cisco 7301 VAM2+             ✓           ✓       ✓         Q3CY07           ✓
Cisco 7600 IPsec VPN SPA     ✓           ✓       ✓         Q3CY07           ---
Catalyst 6500 IPsec VPN SPA  ✓           ✓       ---       Q3CY07           ---
Cisco 7600                   ✓           ✓       ---       Q3CY07           ✓

(✓ = certified; QnCY07 = the 2007 calendar quarter given on the slide; --- = none listed)
Cisco.com/go/securitycert