Self-Defending Networks

Cisco Integrated Security

Jim Lord
Advanced Technologies - Security
October, 2004


© 2001, Cisco Systems, Inc. All rights reserved.


Business Drivers




Today's Organizational Challenges

• Due to continued economic challenges, organizations and employees need to be more productive.
• More and more employees need to work and communicate while mobile, and must not infect the company with viruses (counter-productive).
• Organizations need to better defend against threats, events, and vulnerabilities, and adopt a defense-in-depth strategy.
• Organizations need to maximize return on investment of their limited IT budgets to improve productivity, mobility, and security of the assets of the business.

New forces are redefining business

• Global markets
• Networked Virtual Organization
• Internet
• Security
• ROI
• Fastest routes to market

Data, audio, video, and presence … are becoming inter-dependent.

Sources of Pain - Cost

1.) Smarter attacks propagate
2.) Managing different products
3.) Patching OS is time consuming
4.) React to events
5.) Assets are at risk
6.) Hope it doesn't happen to us

Sources of Pain - Time

1.) Employees are idle when infected
2.) Employees catch and spread viruses, and work against IT
3.) Too much time spent on managing separate products
4.) Tech staff spends too much time handling end user problems
5.) Recovery to steady-state is now the challenge!

Threat Capabilities

[Chart, 1980 to 2000: "Sophistication of Hacker Tools" rises from low to high while "Technical Knowledge Required" falls from high to low. Techniques plotted: Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Forging/Spoofing, Stealth Diagnostics, DDoS, New Internet Worms.]

The Self Defending Network

Self Defending Network Strategy

An initiative to dramatically improve the network's ability to identify, prevent, and adapt to threats. The Cisco strategy to adapt to threats has three layers:

• INTEGRATED SECURITY: Secure Connectivity, Threat Defense, Trust & Identity
• SECURITY TECHNOLOGY INNOVATION: Endpoint Security, Application Firewall, SSL VPN, Network Anomaly
• SYSTEM LEVEL SOLUTIONS: Endpoints, Network, Services

Cisco's Integrated Network Security Systems

Threat Defense
• Defend the Edge: Integrated Network FW+IDS at the Internet/Intranet boundary detects and prevents external attacks
• Protect the Interior: Catalyst Integrated Security protects against internal attacks
• Guard the Endpoints: Cisco Security Agent (CSA) protects hosts against infection

Secure Trust and Identity
• Verify the User and Device: Identity-Based Networking/NAC controls who/what has access
• Secure the Transport: IPSec VPN, SSL VPN, MPLS protect data/voice confidentiality (note: IPSec and SSL VPNs encrypt; an MPLS VPN only separates traffic between customers and does not encrypt it, so it protects confidentiality against other tenants, not against anyone who can see the provider's links)

5 Characteristics of a Self-Defending Network

• End Point Posture Enforcement
• Network Device Protection
• Dynamic/Secure Connectivity
• Dynamic Communication Between Elements
• Automated Threat Response

Cisco Self-Defending Network - In Action

• End-point security enforcement: Network Admission Control, Identity Based Network Services
• Network device protection: Control Plane Policing, AutoSecure, Switch/Router/WAP protection technologies
• Dynamic/Secure connectivity: Dynamic Multipoint VPN, VLAN
• Dynamic communication between elements: NetFlow, NBAR, 'AreYouThere?'
• Automatic response: Cisco Security Agent, Dynamic Intrusion Protection, Network Anomaly Detection (Riverhead)

Network Admission Control

Cisco Network Admission Control (NAC)

• Cisco-led, multi-partner program
• Limits damage from viruses, worms, etc.
• Limits network access to compliant, trusted endpoints
• Endpoint device interrogated for policy compliance
• Network determines appropriate admission enforcement: permit, deny, quarantine, restrict
• Phase I of Cisco Self-Defending Network Initiative
• Dramatically improves network's ability to identify, prevent, and adapt to threats

Industry Collaboration Critical for Success

[Logos of Cisco Network Admission Control Program Co-Sponsors]

Cisco's NAC Solution Overview

NAC Solution: Leverage the network to intelligently enforce access privileges based on endpoint security compliance.

Participants: Host attempting network access (running Cisco Trust Agent), Network Access Devices, Policy Server (Cisco ACS Server), Decision Points (AV Vendor Servers).

1. Host sends credentials to access device using EAP (over UDP or 802.1x)
2. Access device forwards credentials to Policy Server (ACS) using RADIUS
3. ACS server authenticates identity and passes AV info to AV vendor servers (HTTPS)
4. AV vendor servers respond with compliance/non-compliance message
5. Policy server responds to access device with access rights and VLAN assignment
6. Access device accepts rights and enforces policy
7. Access device notifies client: Allow/Deny/Restrict/Quarantine
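The seven-step exchange above, as an added example that is not Cisco code: a Python simulation in which each hop (Trust Agent, access device, ACS, AV vendor server) is a function, so the decision logic can be run and inspected offline. The EAP/RADIUS/HTTPS transports are replaced by direct calls; the user database, the minimum AV engine and signature date, and the VLAN numbers are assumptions constructed for the example.

```python
"""Simulated NAC admission decision (added example, not Cisco's implementation).

Flow modelled: host (Trust Agent) -> access device -> policy server (ACS)
-> AV vendor server -> policy server -> access device -> client.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy values (constructed, not Cisco or vendor defaults).
AV_POLICY = {
    "min_engine": (7, 0),              # minimum AV engine version (major, minor)
    "min_signature_date": "2004-09-15",  # ISO dates compare correctly as strings
}
VLAN = {"PERMIT": 10, "RESTRICT": 20, "QUARANTINE": 99}
USERS = {"alice": "s3cret"}            # constructed identity store behind ACS


@dataclass
class Posture:
    """What the Trust Agent reports in step 1 (identity plus AV state)."""
    user: str
    password: str
    av_vendor: Optional[str]
    av_engine: Optional[Tuple[int, int]]
    av_signature_date: Optional[str]


def acs_authenticate(user: str, password: str) -> bool:
    """Step 3a: ACS verifies the identity carried over RADIUS."""
    return USERS.get(user) == password


def av_vendor_check(posture: Posture) -> str:
    """Step 3b/4: AV vendor server grades the posture ACS forwarded over HTTPS."""
    if posture.av_vendor is None or posture.av_engine is None:
        return "NO_AGENT"
    if posture.av_engine < AV_POLICY["min_engine"]:
        return "NON_COMPLIANT"
    if (posture.av_signature_date or "") < AV_POLICY["min_signature_date"]:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def policy_decision(posture: Posture) -> Tuple[str, Optional[int]]:
    """Step 5: ACS maps identity + vendor verdict to access rights and a VLAN."""
    if not acs_authenticate(posture.user, posture.password):
        return "DENY", None                     # unknown user: no VLAN at all
    verdict = av_vendor_check(posture)
    if verdict == "COMPLIANT":
        return "PERMIT", VLAN["PERMIT"]
    if verdict == "NO_AGENT":
        return "RESTRICT", VLAN["RESTRICT"]     # no posture data: limited access
    return "QUARANTINE", VLAN["QUARANTINE"]     # out-of-date AV: remediation VLAN


def access_device_admit(posture: Posture) -> dict:
    """Steps 1-2 and 6-7: forward the posture, enforce the answer, notify client."""
    decision, vlan = policy_decision(posture)
    return {
        "decision": decision,
        "vlan": vlan,
        "client_message": f"{decision}" + (f" (VLAN {vlan})" if vlan else ""),
    }


if __name__ == "__main__":
    good = Posture("alice", "s3cret", "ExampleAV", (7, 1), "2004-10-01")
    stale = Posture("alice", "s3cret", "ExampleAV", (6, 5), "2004-10-01")
    naked = Posture("alice", "s3cret", None, None, None)
    bogus = Posture("mallory", "guess", "ExampleAV", (7, 1), "2004-10-01")
    for p in (good, stale, naked, bogus):
        print(p.user, "->", access_device_admit(p)["client_message"])
```

The order of checks matters: identity is decided before posture, so an attacker cannot learn anything about the posture policy without valid credentials, and a host with no agent is restricted rather than quarantined because there is nothing to remediate yet.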

Products and Technologies

Cisco Threat Defense System Products and Technologies

• Firewall: PIX® security appliance, Cisco IOS® FW, Catalyst® 6500 Firewall Services Module
• Network IDS/IPS: IDS Sensors, Catalyst IDS Services Module, access router IDS module, Cisco IOS IDS s/w
• Endpoint Security: Cisco Security Agent
• Network Services: NetFlow, NBAR, sink hole, secure ACL, control plane policing, CPU/Memory thresholding
• Cisco IOS Infrastructure Security: AutoSecure, Catalyst Integrated Security features
• Intelligent Investigation: Cisco Threat Response technology
• Content Security: Content engines, access router network modules
• Security Management: Embedded device managers, CiscoWorks VMS, CiscoWorks SIMS, IP Solution Center

Unifying Proven Cisco Security Services

VPN
• Services: Encryption, User Authentication, Packet Authentication
• Features: Easy VPN, WebVPN, Broad User Awareness, Clustering, Group-Based Management, Client Technologies
• Products: VPN 3000, Catalyst, Routers & PIX

IPS
• Services: Pattern Recognition, Protocol Analysis, Protocol Validation
• Features: Broad Attack Signatures, Threat Response, Multi-Sensor Technology, Flexible Policy Language
• Products: Cisco IDS, Router & Catalyst IDS Modules

Firewall
• Services: Packet Inspection, Protocol Validation, Application Inspection
• Features: State Awareness, Protocol Decoding, L2 & L3 Integration, Robust Failover, Virtualization
• Products: PIX, Catalyst Firewall Services Module

Cisco Security Agent Functions

• System Hardening
  - SYN-flood protection
  - Malformed packet protection
  - Restart of failed services
• Application-related
  - Application run control
  - Executable file version control
  - Protection against code injection
  - Protection of process memory
  - Protection against buffer overflows
  - Protection against keystroke logging
• Resource Protection
  - File access control
  - Network access control
  - Registry access control
  - COM component access control
• Control of executable content
  - Protection against email worms
  - Protection against automatic execution of downloaded files or ActiveX controls
• Detection
  - Packet sniffers & unauthorized protocols
  - Network scans
  - Monitoring of OS event logs

2001: NIMDA Virus

• Uses address book to email to target
• Payload pretends to be "audio/x-wav" and is automatically executed
• Inserts trojan program into executable files, hides its files
• Starts LOAD.EXE from SYSTEM.INI; LOAD.EXE lives in the system directory
• Adds administrator account
• Copies to remote file shares, emails to known email addresses, scans for remote web servers
• Deletes files
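The NIMDA behaviours listed above are exactly the kind of host-side events the "Control of executable content" and "Resource Protection" functions on the Cisco Security Agent slide are meant to catch. As an added example, not CSA code and not from the original deck, the following Python checks three of them against constructed sample inputs: a mail part declared as audio/x-wav that actually carries a Windows executable, a SYSTEM.INI [boot] shell= line that launches LOAD.EXE (the known NIMDA form is shell=explorer.exe load.exe -dontrunold), and a new member appearing in the local Administrators group. The sample message, the sample INI text and the group membership lists are constructed for the example.

```python
"""Host-side NIMDA indicator checks (added example; not Cisco Security Agent code)."""
import re
from email import message_from_string
from typing import List, Tuple

# Constructed sample: the MIME trick of a PE file labelled audio/x-wav, which
# vulnerable mail clients of the time rendered (and so executed) automatically.
# The base64 body decodes to an "MZ" header, i.e. the start of a PE executable.
SAMPLE_MAIL = """From: alice@example.com
To: bob@example.com
Subject: (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="====_ABC"

--====_ABC
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<html><body></body></html>
--====_ABC
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--====_ABC--
"""

# Constructed SYSTEM.INI contents, one clean and one carrying the NIMDA shell line.
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n[drivers]\nwave=mmdrv.dll\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=explorer.exe load.exe -dontrunold\n[drivers]\nwave=mmdrv.dll\n"

EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def suspicious_attachments(raw_message: str) -> List[Tuple[str, str, bool]]:
    """Return (content_type, filename, has_mz_header) for parts whose declared
    type is not application/* but whose name or bytes say "executable"."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()   # falls back to Content-Type name=
        payload = part.get_payload(decode=True) or b""
        looks_pe = payload[:2] == b"MZ"
        if (name.endswith(EXECUTABLE_EXT) or looks_pe) and not ctype.startswith("application/"):
            hits.append((ctype, name, looks_pe))
    return hits


def system_ini_shell_extras(ini_text: str) -> List[str]:
    """Return every token on the [boot] shell= line other than explorer.exe.
    An empty list means the shell line is clean; NIMDA yields ['load.exe', '-dontrunold']."""
    in_boot = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_boot = stripped.lower() == "[boot]"
            continue
        m = re.match(r"shell\s*=\s*(.*)$", stripped, re.IGNORECASE)
        if in_boot and m:
            return [tok for tok in m.group(1).lower().split() if tok != "explorer.exe"]
    return []


def new_admin_members(baseline: List[str], current: List[str]) -> List[str]:
    """Accounts present in the Administrators group now but not in the baseline snapshot."""
    known = {name.lower() for name in baseline}
    return sorted(name for name in current if name.lower() not in known)


if __name__ == "__main__":
    print("mail:", suspicious_attachments(SAMPLE_MAIL))
    print("system.ini:", system_ini_shell_extras(INFECTED_SYSTEM_INI))
    print("admins:", new_admin_members(["Administrator"], ["Administrator", "Guest"]))
```

The attachment check deliberately keys on the payload bytes as well as the file name, because the whole point of the audio/x-wav trick was that the declared type could not be trusted; a rule that only looked at Content-Type would have let it through.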

Cisco Security Agent "MYDOOM" Screen Shot - Desktop Device

[Screenshot not captured]

Putting It All Together…

• Build a business infrastructure for productivity and competitive advantage once!! (not rebuilding it every time you get hacked or infected)
  - Clients and applications anywhere, anytime
  - Reduced administration
  - Faster deployment
  - Cost savings
  - Business impact
• Services leverage a secure IP infrastructure
• Layer the threat defense in each piece of the network!! Don't make it easy for penetration.

Business Benefits of Security Technologies Today

• This is NOT about bits and bytes; not just firewalls and anti-virus
• This IS about business
• Layers of security architecture result in available applications
• Cisco, Symantec, McAfee, Trend Micro as early pioneers
• Know who is allowed and what their security posture is
• A network that truly defends itself, without human intervention
• Increased productivity for the IT staff & business worker
