© 2005 Cisco Systems, Inc. All rights reserved.
Cisco Security Strategy and Product Announcements
Jayshree Ullal, Senior Vice President, Security Technology Group, Cisco Systems
New Security Challenges
Diagram "Evolution of Threats": the established requirements (VPN access, edge firewalling, remote access and extranet, internal firewalling and department separation, intrusion and worm mitigation) give way to a newer set of open questions:
• Application and port 80 misuse?
• Content management
• Trojans?
• Virus and worm mitigation?
• Spyware?
• Blended threats?
• Denial of service?
• Location- or user-based policies?
Evolution of Cisco Security Strategy
Point Products:
• Multiple security appliances
• Separate management software

SDN Phase I "Integrated Security":
• Making every network element a point of defense: routers, switches, appliances, endpoints
• Secure Connectivity (V3PN, DMVPN), Threat Defense, Trust & Identity
• Network Foundation Protection

SDN Phase II "Collaborative Security Systems":
• Security becomes a network-wide system: endpoints + network + policies
• Multiple services and devices working in coordination to thwart attacks with active management
• NAC, IBNS, SWAN

SDN Phase III "Adaptive Threat Defense":
• Mutual awareness among and between security services and network intelligence
• Increases security effectiveness, enables proactive response
• Consolidates services, improves operations efficiency
• Application recognition and inspection for secure application delivery/optimization
Self Defending Network…Path to Adaptive Security
Now → Future:
• Desktop AV/signatures → Behavioral/trusted clients
• Basic firewalls/IDS → Adaptive Threat Defense (ATD)
• Static transport (VPN) → Trusted domains of security
• Basic management → Correlation and containment
• Disparate applications → Application security
Adaptive Threat Defense in Action
Three pillars shown in the diagram:
• Application Security: app inspection, use enforcement, web control
• Anti-X Defenses: malware/content defense, anomaly detection
• Containment & Control: traffic/admission control, proactive response

Underlying capabilities: access control and packet inspection; application intelligence, content inspection and virus mitigation; identity, virtualization, QoS, segmentation and traffic visibility.

Products placed in the diagram: PIX, Cisco Security Agent (CSA), NAC, quarantine VLAN, Cisco routers, VPN access, Cisco DDoS, Catalyst switches, Identity-Based Networking, Cisco IPS.
Adaptive Threat Defense: Product Announcements
Columns: Products, Application Security, Anti-X, Containment & Control.
• IPS 5.0: multi-vector threat identification; malware, virus and worm mitigation; accurate prevention technologies for in-line IPS
• VPN 3000 Concentrator 4.7: SSL VPN tunnel client; fully clientless Citrix; Cisco Secure Desktop
• PIX 7.0: application inspection/control for firewall; enhanced VoIP security; virtual firewall, QoS, transparent firewall, IPv6
• Cisco Security Agent 4.5: spyware mitigation; system inventory/auditing; context-based policies; Cisco NAC
• IOS 12.3(14)T: application inspection/control for IOS Firewall; enhanced in-line IPS; Network Foundation Protection, virtual firewall, IPSec virtual interface
• Catalyst DDoS Modules: Anomaly Guard Module; Traffic Anomaly Detector
• Cisco MARS: event correlation for proactive response
• Cisco Security Auditor: network-wide security policy auditing
Cisco IPS v5.0
Cisco Intrusion Prevention Systems: New Appliances, Catalyst 6500 Switch Module and Router Software

Platforms and throughput:
• IPS 4215: 80 Mbps
• IPS 4240: 250 Mbps, diskless architecture
• IPS 4255: 600 Mbps, diskless architecture
• IPS 4250-XL: 1000 Mbps
• IDSM-2 (Catalyst 6500 module): 600 Mbps to 7 Gbps
• IOS router

• Comprehensive network coverage: branch office, data center, campus solutions
• Diverse platform options: appliances, switches, routers
• Unified management and monitoring
• Multi-vector threat identification: addressing the evolution of threats
• Accurate prevention technologies: appliances, switches, routers
(Categories: NCC, Anti-X, App Sec)
IPS v5.0 Enhancements: Multivector Threat Identification (Anti-X, App Sec)

Spyware/Adware:
• Controls the transmission of confidential data
• Polices the network traffic to filter out spyware communications

Network Virus:
• Leverages Trend Micro partnership to integrate late-breaking malware
• Improves virus coverage and response time

Voice over IP (VoIP):
• Ensures protocol compliance for call setup
• Protects voice gateways from attacks
• Prevents excess memory allocation from URL overflows

Application Abuse:
• Provides deep inspection for web protection and control of "port 80 misuse"
• Controls usage of IM, P2P, methods/commands, MIME types
Accurate Prevention Technologies: Risk Rating and Meta Event Generator Provide Threat Context and Correlation (NCC)

Risk Rating: decision support that balances attack urgency with business risk. Four inputs are combined (Event Severity + Signature Fidelity + Attack Relevancy + Asset Value of Target = Risk Rating), and the resulting rating drives the final mitigation policy:
• Event Severity: how urgent is the threat?
• Signature Fidelity: how prone to false positive?
• Attack Relevancy: is the attack relevant to the host being attacked?
• Asset Value of Target: how critical is this destination host?
Resulting rating: Low, Medium or High.

Meta Event Generator: on-box correlation links lower-risk events into a high-risk meta-event, triggering prevention actions. It models attack behavior by correlating:
• Event type
• Time span
Illustration: events A, B, C and D observed across the time axis 0 to 8; A + B + C + D = WORM! Event D is dropped and the worm is stopped.
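The following is an added example in Python, not Cisco code and not the IPS 5.0 implementation. It shows the two mechanisms on this slide working together: a risk rating that combines the slide's four inputs, and a meta-event generator that correlates event types per source host within a time span and escalates the action when the pattern completes. The equal weighting, the 0 to 100 scales, the Low/Medium/High thresholds, the alert/drop policy and the sample events A to D are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str         # event/signature type, labelled "A", "B", ... as on the slide
    time: float       # seconds on the slide's time axis (constructed)
    src: str          # attacking host
    dst: str          # host being attacked
    severity: int     # 0-100: how urgent is the threat?
    fidelity: int     # 0-100: how prone to false positive? (100 = very reliable signature)
    relevant: bool    # is the attack relevant to the host being attacked?
    asset_value: int  # 0-100: how critical is this destination host?


def risk_rating(ev: Event) -> int:
    """Event Severity + Signature Fidelity + Attack Relevancy + Asset Value -> 0..100.
    Equal weighting is an assumption for this example; the slide only shows the
    four inputs being added together."""
    relevancy = 100 if ev.relevant else 0
    return (ev.severity + ev.fidelity + relevancy + ev.asset_value) // 4


def risk_band(rating: int) -> str:
    """Map the numeric rating onto the slide's Low/Medium/High scale (assumed cut-offs)."""
    if rating < 40:
        return "Low"
    if rating < 70:
        return "Medium"
    return "High"


# Final mitigation policy driven by the band (assumed policy).
MITIGATION = {"Low": "alert", "Medium": "alert and log", "High": "drop"}


class MetaEventGenerator:
    """On-box correlation: when every component event type has been seen from the
    same source inside `time_span` seconds, emit one meta-event (e.g. "WORM")."""

    def __init__(self, name: str, components: set[str], time_span: float):
        self.name = name
        self.components = components
        self.time_span = time_span
        self.seen: dict[str, dict[str, float]] = {}  # src -> {kind: time last seen}

    def observe(self, ev: Event) -> Optional[str]:
        if ev.kind not in self.components:
            return None
        per_src = self.seen.setdefault(ev.src, {})
        per_src[ev.kind] = ev.time
        # Forget component sightings that have fallen outside the correlation window.
        for kind in [k for k, t in per_src.items() if ev.time - t > self.time_span]:
            del per_src[kind]
        if set(per_src) == self.components:
            self.seen.pop(ev.src)  # reset so a later burst is correlated afresh
            return self.name
        return None


def process(events: list[Event], meg: MetaEventGenerator) -> list[dict]:
    """Rate each event, then let a completed meta-event escalate the action to drop."""
    decisions = []
    for ev in events:
        rating = risk_rating(ev)
        band = risk_band(rating)
        action = MITIGATION[band]
        meta = meg.observe(ev)
        if meta is not None:
            band, action = "High", "drop"  # the meta-event is the high-risk event
        decisions.append({"event": ev.kind, "src": ev.src, "rating": rating,
                          "band": band, "meta": meta, "action": action})
    return decisions


# Constructed sample: four low-risk events A..D from one host over the slide's 0..8 axis,
# one stray A from another host, and one stand-alone high-risk event X.
SAMPLE_EVENTS = [
    Event("A", 1, "10.0.0.5", "10.0.1.20", 20, 40, False, 40),
    Event("A", 2, "10.0.0.9", "10.0.1.20", 20, 40, False, 40),
    Event("B", 3, "10.0.0.5", "10.0.1.21", 30, 50, False, 40),
    Event("C", 5, "10.0.0.5", "10.0.1.22", 30, 62, False, 40),
    Event("D", 7, "10.0.0.5", "10.0.1.23", 40, 72, False, 40),
    Event("X", 8, "10.0.0.9", "10.0.1.30", 90, 90, True, 80),
]


def run_sample(time_span: float = 8) -> list[dict]:
    """Run the constructed events through a fresh WORM correlator."""
    return process(SAMPLE_EVENTS, MetaEventGenerator("WORM", {"A", "B", "C", "D"}, time_span))


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

Each of A to D rates Low on its own and would only raise an alert; the correlator turns the fourth sighting from the same source into the WORM meta-event and the action becomes drop, matching the slide's "DROP Event D". Shrinking the time span so that A has aged out before D arrives keeps the pattern from completing, which is the trade-off a practitioner tunes: a wider window catches slow scanners, a narrower one avoids stitching unrelated events together.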
Cisco VPN 3000 Concentrator v4.7: IPSec and WebVPN (SSL VPN)
Customizable Application Access: Deployment Examples, Extending Appropriate Connectivity (App Sec)

All SSL VPN features included in base pricing; no special licenses!

Access scenarios:
• Company-managed desktop: controlled software environment; known security posture and system privileges; diverse application requirements; post-session clean-up optional; "LAN-like" remote connectivity desired
• Home/kiosk access: uncontrolled environment (support issues); unknown security posture and system privileges; limited application access allowed; posture assessment and post-session clean-up required; customized access portal often desirable
• Partner access: uncontrolled environment (support issues); unknown security posture and system privileges; very granular access controls; posture assessment and post-session clean-up required; customized access portal often desirable

Access methods:
• Cisco SSL VPN Tunneling Client: persistent, "LAN-like" networked connectivity; access to virtually any application; utilizes a small, dynamically loaded client; best option for broad application access
• Clientless, web-based access: reverse proxy "firewalled" connection; access to web-based applications and Citrix; no software downloaded; best option for limited web application access and unmanaged desktops
• Thin client port forwarding: reverse proxy "firewalled" connection; access to web, email, calendar, IM and many other TCP applications; small Java applet dynamically loaded; best option for limited web and client/server applications and unmanaged desktops
Security Challenges: SSL VPN Brings New Points of Integrity (Anti-X)

Endpoints in the diagram: remote user, employee at home, supply partner extranet device, unmanaged device, customer-managed device.

Before the SSL VPN session:
• Who owns the endpoint?
• Endpoint security posture: AV, personal firewall?
• Is malware running?

During the SSL VPN session:
• Is session data protected?
• Are typed passwords protected?
• Has malware launched?

After the SSL VPN session:
• Browser cached intranet web pages?
• Browser stored passwords?
• Downloaded files left behind?
Cisco Secure Desktop: Comprehensive Endpoint Security for SSL VPN (Anti-X)

Cisco Secure Desktop runs on Windows 2000 or XP and creates a temporary CSD desktop alongside the original user desktop. It works with desktop guest permissions; no admin privileges are required.

Complete pre-connect assessment:
• Location assessment: managed or unmanaged desktop?
• Security posture assessment: AV operational and up to date, personal firewall operational, malware present?

Comprehensive session protection:
• Data sandbox and encryption protects every aspect of the session
• Malware detection with hooks to Microsoft's free anti-spyware software

Post-session clean-up:
• Encrypted partition overwrite (not just deletion) using DoD algorithm
• Cache, history and cookie overwrite
• File download and email attachment overwrite
• Auto-complete password overwrite
PIX Security Appliance v7.0: Firewall, Application Inspection, VPN
Advanced Application Inspection and Control: Provides Granular Application Security (App Sec)

Port 80 / web security:
• Introduces advanced HTTP firewall services to prevent web-based attacks and "port 80 misuse"
  Controls peer-to-peer (KaZaA) to protect network capacity
  Polices instant messaging to control usage, compliance and covert transmissions of sensitive information
• Gives businesses control over what actions users can perform when accessing websites
  Limits web server access to approved methods and commands to prevent unauthorized changes
  Filters MIME types and validates content to minimize the risk of malware infection
  Checks RFC protocol compliance for protocol anomaly detection

Voice security:
• Enhances security for next-generation converged networks
  Extends leading VoIP security with improved H.323, SIP, MGCP, RTSP, and fragmentation/segmentation support
  Secures GSM wireless networks with new GTP/GPRS inspection engine

Diagram: web browsing and approved access pass the firewall; peer-to-peer, instant messaging, HTTP DELETE and JPEG/EXE content are marked as blocked.
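As an added example (not PIX or IOS Firewall code), the following Python sketch shows the three HTTP checks this slide lists being applied to constructed port 80 traffic: RFC-shaped request lines (anything else is treated as port 80 misuse), an approved-method list, and MIME type filtering with content validation so that an executable served as image/jpeg is caught. The approved methods, the allowed MIME list, the magic-byte table and every sample message are assumptions made for the example, not a Cisco policy.

```python
import re

# Assumed policy for one protected web server (constructed for this example).
APPROVED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_MIME = {"text/html", "image/jpeg", "image/png", "application/json"}
# Leading bytes a body must carry to be accepted as the declared type (constructed table).
MAGIC = {"image/jpeg": b"\xff\xd8\xff", "image/png": b"\x89PNG"}

# Minimal RFC-shaped request line: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def inspect_request(raw: bytes) -> tuple[str, str]:
    """Client-to-server message on port 80: must look like HTTP and use an approved method."""
    m = REQUEST_LINE.match(raw)
    if m is None:
        # Not an HTTP request line at all: tunnelled IM/P2P or raw binary on port 80
        # is dropped as a protocol anomaly rather than let through unseen.
        return "drop", "protocol anomaly: not an HTTP request"
    method = m.group(1).decode()
    if method not in APPROVED_METHODS:
        return "drop", f"method {method} not approved"
    return "allow", "ok"


def _content_type(head: bytes):
    """Pull the media type (without parameters) out of the response headers."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            return value.strip().split(b";")[0].strip().decode().lower()
    return None


def inspect_response(raw: bytes) -> tuple[str, str]:
    """Server-to-client message: MIME type must be allowed and the body must match it."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return "drop", "protocol anomaly: malformed response"
    ctype = _content_type(head)
    if ctype not in ALLOWED_MIME:
        return "drop", f"MIME type {ctype} not allowed"
    magic = MAGIC.get(ctype)
    if magic is not None and not body.startswith(magic):
        # Declared as an image but the body does not start like one (e.g. an EXE).
        return "drop", f"body does not match declared {ctype}"
    return "allow", "ok"


# Constructed sample traffic, labelled by what each message exercises.
SAMPLES = {
    "get": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "delete": b"DELETE /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "not_http": b"\x00\x01\x02tunnelled-binary-chatter\r\n",
    "jpeg_ok": b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0...",
    "jpeg_exe": b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\nMZ\x90\x00...",
    "exe_mime": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\nMZ\x90\x00",
}


def run_samples() -> dict[str, str]:
    """Return the allow/drop verdict for every constructed sample."""
    verdicts = {}
    for name, raw in SAMPLES.items():
        inspect = inspect_response if raw.startswith(b"HTTP/") else inspect_request
        verdicts[name] = inspect(raw)[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:9s} {verdict}")
```

The point worth noting for a deployment is the last check: an allowed MIME type alone is not enough, because the declared Content-Type is chosen by the server, so the inspector also validates that the body is what the header claims before forwarding it.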
Virtualized Services and Transparent Operation: Simplifies Deployment and Reduces Operational Costs (NCC)

Scalable security services:
• Adds support for security contexts (virtual firewalls) to lower operational costs
  Enables device consolidation and segmentation
  Supports separated policies and administration
Diagram: a single PIX serving Dept/Cust 1, Dept/Cust 2 and Dept/Cust 3.

Easy-to-deploy firewall services:
• Introduces transparent firewall capabilities for rapid deployment of security
  Drops into existing networks without the need to readdress the network
  Simplifies deployment of internal firewalling and security zoning for new applications
Diagram: a transparent firewall inserted into an existing network.
Cisco IOS 12.3(14)T: Router Security Features
Advanced Router Security Services (App Sec, Anti-X, NCC)

Cisco IOS Firewall (diagram: Internet, Cisco IOS FW, corporate LAN with Engineering and Accounting segments):
• Virtualized firewall services
• VRF-aware firewall and IPSec virtual interface
• Advanced application inspection and control
  HTTP inspection engine: port 80 misuse (IM and peer-to-peer)
  Email protocol inspection engine: SMTP, ESMTP, IMAP
+ Network Foundation Protection extensions

Cisco IOS IPS (diagram: attack detected by the IPS, alarm sent to the IPS server, connection reset, packet dropped):
• String engines enable custom matching
• Customized signatures for new threats
• 400+ new worm and attack signatures
• Dynamic selection of 1200 signatures
• Supports new signatures from Trend Micro
Cisco Security Agent v4.5: Host Intrusion Protection
Cisco Security Agent 4.5: Malware Mitigation, Enhanced Posture Assessment, Context-Based Policies, Extended OS Support (Anti-X, NCC)

Requirements:
• Mitigate new and evolving threats on desktops and servers
• Reduce the 'update burden' on distributed endpoints
• Enforce 'Acceptable Use' policy on corporate assets
• Enforce admission policy on networked endpoints
• End-to-end protection across the organization

CSA 4.5 solution:
• Dynamic policy changes according to user or location 'state'
• Granular understanding of application use across deployments
• Application inventory helps identify vulnerable or non-compliant hosts
• Helps establish patching prioritization
• Enhanced buffer overflow protection
• Spyware mitigation
• Cisco NAC integration provides communication integrity, extended posture decisions and dynamic policy changes
• Internationalization for non-English OSs
• Expanded OS platform support
• Enterprise scalability from a single MC
Cisco Catalyst Distributed Denial of Service (DDoS) Modules
Cisco Denial of Service (DDoS) Solution: Appliances and New Service Modules (Anti-X)
• Detects and mitigates the broadest range of DDoS attacks
• Integrated mitigation driven by behavioral anomaly recognition
• Granularity and accuracy to ensure business continuity by forwarding legitimate transactions
• Performance and architecture suitable for the largest enterprises and service provider managed services

Products: Cisco Anomaly Guard Module, Cisco Traffic Anomaly Detector Module, Guard XT 5650, Anomaly Detector XT 5600.
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Cisco Monitoring, Analysis and Response System (MARS): "Active Control and Containment" (NCC)
Adaptive Threat Defense: Product Announcement Summary

Columns: Products, Application Security, Anti-X, Containment & Control.
• IPS 5.0
• VPN 3000 Concentrator 4.7
• PIX 7.0
• Cisco Security Agent 4.5
• IOS 12.3(14)T
• Catalyst DDoS Modules
• Cisco MARS
• Cisco Security Auditor