Cisco Security Strategy and Product...

1© 2005 Cisco Systems, Inc. All rights reserved.

Cisco Security Strategy and Product Announcements

Jayshree UllalSenior Vice President, Security Technology GroupCisco Systems


New Security Challenges

VPN AccessVPN Access

VPN

Edge Firewalling

Remote Access and Extranet

Internal Firewalling and Department

Separation

Intrusion & Worm Mitigation

Application & Port 80 Misuse?

Content Management

Trojans?

Virus, & Worm Mitigation?

Spyware?

Blended Threats?

Denial of Service?Location or User-based Policies?

Evolution of Threats


Evolution of Cisco Security Strategy

SDN Phase I “Integrated Security”SDN Phase I “Integrated Security”• Making every network element a point of defense

Routers, Switches, Appliances. Endpoints• Secure Connectivity (V3PN, DMVPN), Threat Defense, Trust & Identity• Network Foundation Protection

• Making every network element a point of defense Routers, Switches, Appliances. Endpoints

• Secure Connectivity (V3PN, DMVPN), Threat Defense, Trust & Identity• Network Foundation Protection

SDN Phase III “Adaptive Threat Defense”SDN Phase III “Adaptive Threat Defense”• Mutual awareness among & between security services &

network intelligence• Increases security effectiveness, enables proactive response• Consolidates services, improves operations efficiency• Application recognition and inspection for secure

application delivery/optimization

• Mutual awareness among & between security services & network intelligence

• Increases security effectiveness, enables proactive response• Consolidates services, improves operations efficiency• Application recognition and inspection for secure

application delivery/optimization

SDN Phase II “Collaborative Security Systems”SDN Phase II “Collaborative Security Systems”• Security becomes a Network-Wide System: Endpoints +

Network + Policies• Multiple services and devices working in coordination to

thwart attacks with active management• NAC, IBNS, SWAN

• Security becomes a Network-Wide System: Endpoints + Network + Policies

• Multiple services and devices working in coordination to thwart attacks with active management

• NAC, IBNS, SWAN

• MultipleSecurity Appliances

• Separate managementsoftware

• MultipleSecurity Appliances

• Separate managementsoftware

PointProducts

PointProducts


Self Defending Network…Path to Adaptive Security

FUTUREFUTUREDesktop AV/SignaturesDesktop AV/Signatures Behavioral /Trusted ClientsBehavioral /Trusted Clients

Basic Firewalls/IDSBasic Firewalls/IDS Adaptive Threat Defense (ATD)Adaptive Threat Defense (ATD)

Static Transport (VPN)Static Transport (VPN) Trusted Domains of SecurityTrusted Domains of Security

Basic ManagementBasic Management Correlation and ContainmentCorrelation and Containment

Disparate ApplicationsDisparate Applications Application SecurityApplication Security

NOWNOW


Adaptive Threat Defense in Action

Access Control, Packet InspectionAccess Control,

Packet InspectionApplication Intelligence, Content

Inspection, Virus Mitigation Application Intelligence, Content

Inspection, Virus Mitigation Identity, Virtualization, QoS

Segmentation, Traffic VisibilityIdentity, Virtualization, QoS

Segmentation, Traffic Visibility

PIXPIX

CSACSA

NACNAC

Quarantine VLANQuarantine VLAN

Cisco Router Cisco Router

CSACSA

VPN AccessVPN Access

VPN

Cisco DDoSCisco DDoS

CSACSA

Cisco Router Cisco Router Catalyst Catalyst

CatalystCatalyst

Identity-BasedNetworking

Identity-BasedNetworking

Cisco IPSCisco IPS

App Inspection, Use Enforcement, Web Control

Application Security

App Inspection, Use Enforcement, Web Control

Application Security

Malware/Content Defense, Anomaly DetectionAnti-X Defenses

Malware/Content Defense, Anomaly DetectionAnti-X Defenses

Traffic/Admission Control, Proactive Response

Containment & Control

Traffic/Admission Control, Proactive Response

Containment & Control


Adaptive Threat DefenseProduct Announcements

• Multi-Vector ThreatIdentification

• Multi-Vector ThreatIdentification

ProductsProducts Application SecurityApplication Security

IPS 5.0

VPN 3000 Concentrator 4.7

Anti-XAnti-X Containment & ControlContainment & Control

• Malware, virus, worm mitigation

• Malware, virus, worm mitigation

• Accurate Prevention Technologies for In-Line IPS

• Accurate Prevention Technologies for In-Line IPS

• SSL VPN Tunnel Client• Fully Clientless Citrix• SSL VPN Tunnel Client• Fully Clientless Citrix • Cisco Secure Desktop• Cisco Secure Desktop

PIX 7.0

Cisco Security Agent 4.5

IOS 12.3(14)T

Catalyst DDoSModules

Cisco MARS

• Application Inspection/Control for IOS Firewall

• Application Inspection/Control for IOS Firewall

• Enhanced In-Line IPS• Enhanced In-Line IPS• Network Foundation

Protection, Virtual Firewall, IPSec Virtual Interface

• Network Foundation Protection, Virtual Firewall, IPSec Virtual Interface

• Application Inspection/Control for Firewall

• Enhanced VoIP Security

• Application Inspection/Control for Firewall

• Enhanced VoIP Security

• Virtual firewall, QoS, transparent firewall, IPv6

• Virtual firewall, QoS, transparent firewall, IPv6

• Spyware mitigation• System inventory/auditing• Spyware mitigation• System inventory/auditing

• Anomaly Guard Module• Traffic Anomaly Detector • Anomaly Guard Module• Traffic Anomaly Detector

• Event correlation for proactive response

• Event correlation for proactive response

Cisco Security Auditor

• Network-wide security policy auditing

• Network-wide security policy auditing

• Context-based policies• Context-based policies

• Cisco NAC• Cisco NAC


Cisco IPS v5.0Cisco IPS v5.0



Cisco Intrusion Prevention SystemsNew Appliances, Catalyst 6500 Switch Module and Router Software

IPS 4240250 Mbps

Diskless Architecture

IPS 4255600 Mbps

Diskless Architecture

IPS 4250-XL1000 Mbps

IPS 421580 Mbps

IDSM-2600 Mbps to

7 Gbps

•• Comprehensive Network CoverageComprehensive Network Coverage –– Branch Branch office, data center, campus solutionsoffice, data center, campus solutions

•• Diverse Platform OptionsDiverse Platform Options –– Appliances, Appliances, switches, routersswitches, routers

•• Unified Management and MonitoringUnified Management and Monitoring

NCCNCCAnti-XAnti-X App SecApp Sec

IOS Router

•• MultiMulti--Vector Threat Identification Vector Threat Identification ––Addressing the evolution of threatsAddressing the evolution of threats

•• Accurate Prevention Technologies Accurate Prevention Technologies ––Appliances, switches, routersAppliances, switches, routers


Anti-XAnti-X App SecApp SecMultivector Threat IdentificationIPS v5.0 Enhancements

Spyware/Adware• Controls the transmission of

confidential data• Polices the network traffic to

filter out spyware communications

Network Virus• Leverages Trend Micro

partnership to integrate late-breaking malware

• Improves virus coverage and response time

Voice Over IP (VoIP)• Ensures protocol compliance for

call setup• Protects voice gateways from

attacks• Prevents excess memory

allocation of URL overflows

Application Abuse• Provides deep inspection for

web protection and control of “port 80 misuse”

• Controls usage of IM, P2P, methods/commands, MIME types


NCCNCC

Accurate Prevention TechnologiesRisk Rating & Meta Event Generator Provide Threat Context and Correlation

+

+

+

Is attack relevant to host being attacked?

How prone to false positive?

How critical is this destination host?

Event Severity

Signature Fidelity

AttackRelevancy

Asset Valueof Target

RISK RATING

Drives Final Drives Final Mitigation Mitigation

PolicyPolicy

How urgent is the threat?

Risk Rating: Decision support balances attack urgency with business risk

Low

Medium

High

Risk Rating

Time: 0 2 4 6 8

Event A

Event B

Event C

Event D

A + B + C + D = WORM!

DROP Event D-Worm Stopped!

Meta Event Generator: On-box correlation links lower risk events into a high risk meta-event, triggering prevention actions

Models attack behavior by correlating:

- Event type- Time span


Cisco VPN 3000 Concentrator v4.7 IPSec and WebVPN (SSL VPN)Cisco VPN 3000 Concentrator v4.7 IPSec and WebVPN (SSL VPN)



Customizable Application AccessDeployment Examples: Extending Appropriate Connectivity

All SSL VPN FeaturesAll SSL VPN FeaturesIncluded in Base Pricing Included in Base Pricing ––

No Special Licenses! No Special Licenses!

App SecApp Sec

Company-Managed Desktop:Controlled software environmentKnown security posture & system privilegesDiverse application requirementsPost-session clean-up optional“LAN-like” remote connectivity desired

Company-Managed Desktop:Controlled software environmentKnown security posture & system privilegesDiverse application requirementsPost-session clean-up optional“LAN-like” remote connectivity desired

Home/Kiosk Access:Uncontrolled environment - support issuesUnknown security posture & system privilegesLimited application access allowedPosture assessment, post-session clean-up requiredCustomized access portal often desirable

Home/Kiosk Access:Uncontrolled environment - support issuesUnknown security posture & system privilegesLimited application access allowedPosture assessment, post-session clean-up requiredCustomized access portal often desirable

Partner Access:Uncontrolled environment - support issuesUnknown security posture & system privilegesVery granular access controlsPosture assessment, post-session clean-up requiredCustomized access portal often desirable

Partner Access:Uncontrolled environment - support issuesUnknown security posture & system privilegesVery granular access controlsPosture assessment, post-session clean-up requiredCustomized access portal often desirable

Cisco SSL VPN Tunneling ClientPersistent, “LAN-like” networked connectivityAccess to virtually any applicationUtilizes small, dynamically loaded clientBest option for broad application access

Cisco SSL VPN Tunneling ClientPersistent, “LAN-like” networked connectivityAccess to virtually any applicationUtilizes small, dynamically loaded clientBest option for broad application access

Clientless, Web-Based AccessReverse proxy “firewalled” connectionAccess to web-based applications and CitrixNo software downloadedBest option for limited web application access and unmanaged desktops

Clientless, Web-Based AccessReverse proxy “firewalled” connectionAccess to web-based applications and CitrixNo software downloadedBest option for limited web application access and unmanaged desktops

Thin Client Port ForwardingReverse proxy “firewalled” connectionAccess to web, email, calendar, IM and many other TCP applicationsSmall Java applet dynamically loadedBest option for limited web and client/server applications and unmanaged desktops

Thin Client Port ForwardingReverse proxy “firewalled” connectionAccess to web, email, calendar, IM and many other TCP applicationsSmall Java applet dynamically loadedBest option for limited web and client/server applications and unmanaged desktops


Anti-XAnti-XSecurity ChallengesSSL VPN Brings New Points of Integrity

Remote User

Employee at Home

Supply PartnerExtranet Device

Unmanaged Device

CustomerManaged Device

During SSL VPN Session

• Is session data protected?

• Are typed passwords protected?

• Has malware launched?

Before SSL VPN Session• Who owns the endpoint?• Endpoint security posture:

AV, personal firewall?• Is malware running?

After SSL VPN Session

• Browser cached intranet web pages?

• Browser stored passwords?

• Downloaded files left behind?


Anti-XAnti-XCisco Secure Desktop Comprehensive Endpoint Security for SSL VPN

Complete Pre-Connect Assessment:• Location assessment – managed or

unmanaged desktop?• Security posture assessment – AV

operational/up-to-date, personal firewall operational, malware present?

Cisco Secure DesktopWindows 2000 or XP

Original User Desktop Temporary CSD Desktop

Works with Desktop Guest PermissionsNo admin privileges required

Works with Desktop Guest PermissionsNo admin privileges required

Comprehensive Session Protection:• Data sandbox and encryption protects

every aspect of session

• Malware detection with hooks to Microsoft free anti-spyware software

Post-Session Clean-Up:• Encrypted partition overwrite (not just

deletion) using DoD algorithm

• Cache, history and cookie overwrite

• File download and email attachment overwrite

• Auto-complete password overwrite


PIX Security Appliance v7.0Firewall, Application Inspection, VPNPIX Security Appliance v7.0Firewall, Application Inspection, VPN



App SecApp SecAdvanced Application Inspection and ControlProvides Granular Application Security

Port 80Web Security• Introduces advanced HTTP firewall services to prevent web-

based attacks and “port 80 misuse”Controls peer-to-peer (KaZaA) to protect network capacityPolices Instant Messaging to control usage, compliance and covert transmissions of sensitive information

• Gives businesses control over what actions users can perform when accessing websites

Limits web server access to approved methods & commands to prevent unauthorized changesFilters MIME type and validate content to minimize risk of malware infectionChecks RFC protocol compliance for protocol anomaly detection

Voice Security• Enhances security for next-generation converged networks

Extends leading VoIP security with improved H.323, SIP, MGCP, RTSP, and fragmentation/segmentation supportSecures GSM wireless networks with new GTP/GPRS inspection engine

Web B

rowsing

Approved A

ccess

XX XX

Peer-to-PeerInstant M

sgH

TTP Delete

JPEG/EXE


Virtualized Services and Transparent OperationSimplifies Deployment and Reduces Operational Costs

NCCNCC

Dept/Cust 2Dept/Cust 1 Dept/Cust 3

PIX

Scalable Security Services• Adds support for Security Contexts (virtual

firewalls) to lower operational costsEnables device consolidation and segmentation

Supports separated policies and administration

Easy to Deploy Firewall Services• Introduces transparent firewall capabilities for

rapid deployment of securityDrops into existing networks without need for readdressing the network

Simplifies deployments of internal firewalling and security zoning – new applications

Transparent Firewall

Existing Network


Cisco IOS 12.3(14)TRouter Security FeaturesCisco IOS 12.3(14)TRouter Security Features



App SecApp Sec Anti-XAnti-X NCCNCC

Advanced Router Security Services

Cisco IOS FirewallCisco IOS Firewall

Internet

Cisco IOS FW

Corporate LAN

Engineering

Accounting

Virtualized Firewall services

VRF-Aware Firewall & IPSec Virtual Interface

Advanced Application Inspection & Control

HTTP Inspection Engine

- Port 80 Misuse: IM and Peer-to-Peer

Email Protocol Inspection Engine

- SMTP, ESMTP, iMAP

String Engines enable custom matching

Customized signatures for new threats

400+ new worm and attack signatures

Dynamic selection of 1200 signatures

Supports new signatures from Trend Micro

+ Network Foundation Protection Extensions+ Network Foundation Protection Extensions

Cisco IOS IPSCisco IOS IPS

Drop Packet

IPS Server

Alarm

Attack

IPS

12

4

3 Reset Conn.


Cisco Security Agent v4.5Host Intrusion ProtectionCisco Security Agent v4.5Host Intrusion Protection



Cisco Security Agent 4.5Malware Mitigation, Enhanced Posture Assessment, Context-Based Policies, Extended OS Support

Anti-XAnti-X NCCNCC

•Dynamic policy changes according to user or location ‘state’•Granular understanding of application use across deployments

•Dynamic policy changes according to user or location ‘state’•Granular understanding of application use across deployments

•Application inventory – helps identify vulnerable or non-compliant hosts•Helps establish patching prioritization

•Application inventory – helps identify vulnerable or non-compliant hosts•Helps establish patching prioritization

•Enhanced buffer overflow protection•Spyware mitigation•Enhanced buffer overflow protection•Spyware mitigation

•Cisco NAC integration provides communication integrity, extended posture decisions and dynamic policy changes

•Cisco NAC integration provides communication integrity, extended posture decisions and dynamic policy changes

2121

RequirementRequirement CSA 4.5 SolutionCSA 4.5 SolutionMitigate new and evolving threats on desktops and servers

Reduce the ‘update burden’ on distributed endpoints

Enforce ‘Acceptable Use’ policy on corporate assets

Enforce admission policy on networked endpoints

End-to-End protection across the organization

•Internationalization for non-English OS’s•Expanded OS platform support•Enterprise scalability from a single MC

•Internationalization for non-English OS’s•Expanded OS platform support•Enterprise scalability from a single MC


Cisco Catalyst Distributed Denial Of Service (DDoS) Modules

Cisco Catalyst Distributed Denial Of Service (DDoS) Modules



• Detects and mitigatesthe broadest range of (DDoS) attacks

• Integrated mitigation driven by behavioral anomaly recognition

• Granularity and accuracy to ensure business continuity by forwarding legitimate transactions

• Performance and architecture suitable for the largest enterprises and service provider managed services

Anti-XAnti-X

Cisco Anomaly Guard Module

Cisco Traffic Anomaly Detector Module

Guard XT 5650Anomaly Detector XT 5600

Cisco Denial of Service (DDoS) SolutionAppliances and New Service Modules


Cisco Security Monitoring, Analysis and Response System(CS-MARS)

Cisco Security Monitoring, Analysis and Response System(CS-MARS)



Cisco Monitoring, Analysis and Response System (MARS)“Active Control and Containment”

NCCNCC


Adaptive Threat DefenseProduct Announcement Summary

ProductsProducts Application SecurityApplication Security

IPS 5.0

VPN 3000 Concentrator 4.7

Anti-XAnti-X Containment & ControlContainment & Control

PIX 7.0

Cisco Security Agent 4.5

IOS 12.3(14)T

Catalyst DDoSModules

Cisco MARS

Cisco Security Auditor

Cisco Security Strategy and Product...

Documents

Transcript of Cisco Security Strategy and Product...