© 2002, Cisco Systems, Inc. All rights reserved.
Cisco SAFE Networking for Higher Education
Network Security Team, Cisco Systems, Inc.
The Challenge: To improve student academic achievement through the use of technology.
The Solution: Teach children how to use the technological tools available to them and integrate that technology into the curriculum to improve student achievement.
HOW TECHNOLOGY CAN WORK WELL IN SCHOOLS
No Child Left Behind focuses on how teachers and students can use technology. Previous federal programs focused on increasing access to more technology. In an effort to improve student achievement through the use of technology, U.S. Secretary of Education Rod Paige announced a new Enhancing Education Through Technology (ED Tech) initiative. The goals of Education Technology are to:
• Improve student academic achievement through the use of technology in elementary schools and secondary schools.
• Assist students to become technologically literate by the time they finish the eighth grade.
• Ensure that teachers are able to integrate technology into the curriculum to improve student achievement.
Percentage of students who reported using a computer at school at least once a week, by grade.
The Facts About...21st-Century Technology
U.S. Department of Education, No Child Left Behind program
Technologies and Procedures to Prevent Student Access to Inappropriate Material on the Internet
• Among schools using technologies or procedures to prevent student access to inappropriate material on the Internet, 91 percent reported that teachers or other staff members monitored student Internet access.
• Eighty-seven percent used blocking or filtering software, 80 percent had a written contract that parents have to sign, 75 percent had a contract that students have to sign, 46 percent used monitoring software, 44 percent had honor codes, and 26 percent used their intranet. As these numbers suggest, most of the schools (96 percent) used more than one procedure or technology as part of their Internet use policy.
• Since 99 percent of public schools were connected to the Internet in 2001, most schools had the capability to make information available to parents and students directly via e-mail or through a Web site. This section presents key findings on the availability of school-sponsored e-mail addresses and on school Web sites.
National Center for Education Statistics, Office of Educational Research & Improvement, U.S. Dept. of Education
Security and the Evolving Enterprise Needs
Sophistication of Hacker Tools
[Figure: time axis marked 1980, 1990, 2000; second scale "Technical Knowledge Required" marked High and Low. Tools shown: Packet Forging/Spoofing, Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Stealth Diagnostics]
What’s the Impact of Not Properly Securing Your Network?
• Cost—directly affects the school’s budget
How do you budget for a system outage?
• Credibility—end-user perception
Is the children’s information safe?
• Productivity—ability to use your system
Downtime is lost time and productivity
• Viability—can ultimately affect your network
What are the staffing requirements?
• Liability—are you responsible?
If you don’t take actions to stop outbound attacks, are you liable for damages inflicted on others?
* FBI and Computer Security Institute (CSI), 2002
Intrusion Prevention: Security Without Signatures
Proactive Security for Desktops and Servers
“Signature-based detection methods, which are already showing signs of extreme strain under current malicious code trends, will not be able to keep up with the new set of malicious-code risks created by the pervasive adoption and use of Web services and active content.”
John Pescatore and Arabella Hallawell, Gartner Research Note, 8/31/01
OKENA Aggregates Multiple Endpoint Security Functions
[Table: feature comparison across three columns: OKENA, Conventional Distributed Firewall, Conventional Host-based IDS]
Features compared:
• Block Incoming Network Requests
• Stateful Packet Analysis
• Detect/Block Port Scans
• Detect/Prevent Malicious Applications
• Detect/Prevent Known Buffer Overflows
• Detect/Prevent Unauthorized File Modification
• Operating System Lockdown
• Detect/Prevent Unknown Buffer Overflows
• Block Outgoing Network Requests
• Detect/Block Network DoS Attacks
• Desktop/Laptop Protection
OKENA Complements Traditional Desktop AV
[Table: feature comparison across two columns: OKENA, Anti-Virus]
Features compared:
• Malicious Code Protection
• Stop Known Virus/Worm Propagation
• Stop Unknown Virus/Worm Propagation
• Scan/Detect Infected Files
• “Clean” Infected Files
• Identify Viruses/Worms by Name
• No Signature Updates Required
• Distributed Firewall Functionality
• Operating System Lockdown
• Correlates Events Across Endpoints
Security Philosophy: The Security Wheel
A Continual, Multistage Process Focused on Incremental Improvement
[Diagram: wheel with four stages: Secure, Monitor and Respond, Test, Manage and Improve]
Top Ten Security Policies Today
1. Have a policy on virus updates and scanning.
2. Email policy – size limit and attachments.
3. Remote Access – Who should have it and what type of access.
4. Client side software images – Understand what needs to be loaded.
5. Firewall rule sets – Understand applications and port calls.
6. URL filtering – Understand the pros of this system.
7. VLAN the network – Key to removing assets from public view.
8. Host based policy – Server hardening techniques combined with HIDS.
9. Wireless – Have a clear policy and standard on how to deploy wireless.
10. Change control process for policy review.
Legacy Security Solutions
• Most security designed when networks were simple and static
• Primarily single-point products (access-control) with no network integration or intelligence
• Such legacy products are still seen as default security solutions (a “cure-all”)
• Today, there are serious drawbacks to relying on such “overlay” security to protect sophisticated networks and services
Internet connections have dramatically increased as a frequent point of attack (from 59% in 2000 to 70% in 2001.) Of those organizations reporting attacks, we learn:
27% say they don't know if there had been unauthorized access or misuse
21% reported from two to five incidents in one year
58% reported ten or more incidents in a single year – something isn’t working!
Computer Security Institute & FBI Report, March 2002
Case in Point…
Trends / Predictions
• Security is going Mainstream
Fundamental issue to e-education—not an afterthought
• Security is going to Main Street
Every small school will be moving towards e-education
Increased outsourcing of solutions and services
• Security extends everywhere
The Classroom, remote students, and teachers
• The Bar will continue to be raised
Criticality of e-education applications
Increased regulation
• Organized Crime activities on the rise - Gambling
• Student information – higher target risk
Security Protection: IDS & Connection Solutions
Deploy Proven Technologies
•Firewalls – PIX 501, 506, 515, 525, 535, and FSM blade
•IDS – Network based intrusion systems
•Event correlation technology for SYSLOG reporting
•HIDS – Host based intrusion to protect the Kernel.eve
Cisco VPN 3000 Series

| Model | 3005 | 3015 | 3030 | 3060 | 3080 |
|---|---|---|---|---|---|
| Number of Users | 100 | 100 | 1500 | 5000 | 10,000 |
| Encryption | SW | SW | HW | HW | HW |
| WAN Capability | Yes | Yes | Yes | Yes | Yes |
| Performance | 4 Mb/s | 4 Mb/s | 50 Mb/s | 100 Mb/s | 100 Mb/s |
| Memory | 32 MB | 128 MB | 128 MB | 256 MB | 256 MB |
| SEPs | 0 | 0 | 1 | 2 | 4 |
| Upgradable | No | Yes | Yes | Yes | N/A |
| Supports Dual PS | No | Yes | Yes | Yes | Yes |
| Redundancy | No | Yes | Yes | Yes | Yes |
| Site-to-Site Sessions | 100 | 100 | 500 | 1000 | 1000 |
Remote Access Wireless VPN
[Diagram labels: Aironet Client, Cisco VPN 3000 Client, Mobile Certicom Client, Main Office, Internet, Cisco VPN 30xx]
PIX Firewall Product Line Overview

| Model | 506E | 515E-UR | 525-UR | 535-UR | 501 |
|---|---|---|---|---|---|
| Market | ROBO | SMB | Enterprise | Ent.+, SP | SOHO |
| MSRP | $1,695 | $7,995 | $18,495 | $59,000 | $595 or $1195 |
| Licensed Users | Unlimited | Unlimited | Unlimited | Unlimited | 10 or 50 |
| Max VPN Peers | 25 | 2,000 | 2,000 | 2,000 | 5 |
| Size (RU) | 1 | 1 | 2 | 3 | < 1 |
| Processor (MHz) | 300 | 433 | 600 | 1 GHz | 133 |
| RAM (MB) | 32 | 64 | 256 | 1 GB | 16 |
| Max. Interfaces | 2 10BaseT | 6 | 8 | 10 | 1 10BT + 4 FE |
| Failover | No | Yes | Yes | Yes | No |
| Cleartext (Mbps) | 20 | 188 | 360 | 1.7 Gbps | 10 |
| 3DES (Mbps) | 16 | 63 | 70 | 95 | 3 |

GigE Enabled
• Complements firewalls analyzing permitted traffic: shun sessions, send alarms back to central mgmt. console
• Watch for unauthorized activity in real time
• Implement in front of firewall to audit attacks against network
• Implement behind firewall to monitor traffic approved by the firewall and packets leaving the corporate network
IDS: Real Time Alerts
Overview – Intrusion Detection Drivers
[Diagram labels: NAS, DMZ Servers, Data Center, Users, Internet, Corporate Office, Business Partner]
• Intranet/Internal IDS
Protects Data Centers and Critical Assets from Internal Threats
• Internet IDS
Complements FW and VPN by Monitoring Traffic for Malicious Activity
• Extranet IDS
Monitors Partner Traffic Where “Trust” is Implied But Not Assured
• Remote Access IDS
Hardens Perimeter Control by Monitoring Remote Users
Cisco IDS Solutions
• Cisco IOS firewall with IDS
Embedded software solution
WAN-based
• Cisco Secure IDS
Dedicated IDS appliance
High-performance
Scalable
• Catalyst 6000 IDS Module
Integrated security module
Investment protection
• Linkage to host-based and application monitoring
Action Plan: Implementing a Process
1. Develop a comprehensive security policy
Based on assessment of assets, threats, vulnerabilities
2. Implement it
Focus on key exposures
Build defense in depth
Security and network experts engage
In-source or out-source
3. Monitor and audit
It’s what you don’t know...
Be selective
4. React—according to plan
Recovery needs to be rapid and organized
Stick to the plan!!!
5. Repeat Cycle!
Continuous improvement to address new threats
Prediction 2004... IT Security
• Focus of IT security will shift from the “Three As” (authentication, authorization, administration) to network continuity
• Physical and IT security will be integrated
Prediction:
Rationale:
• Higher ED’s are looking more into security as an operational requirement.
Source: IDC 2002; * Security Authorization, Authentication, Administration
Cisco Security Directions
Mission
• Educate you, the client, on security
Strategy
• Embrace integration into e-education infrastructure and technology initiatives
• Provide most comprehensive security/solution
• Utilize solutions and services ecosystems/partners
• Integrates security and network issues
• Includes specific configurations for Cisco and partner solutions
• Based on existing, shipping capabilities
• Over 3,000 hours of lab testing
• Currently, five SAFE white papers: SAFE for Enterprise, SAFE for SMB, SAFE Blueprint for IP Telephony, Wireless LAN Security in Depth, Combating Internet Worms
SAFE Security Blueprint
More Information
• www.cisco.com/go/security
• www.cisco.com/go/safe
• www.cisco.com/go/evpn
• www.cisco.com/go/securitypartners
• www.cisco.com/go/csec
• www.cisco.com/go/netpro
• www.cisco.com/go/securitytrng
• www.cert.org
• www.incidents.org
• www.infosecuritymag.com
• Internet Vital to Core of education systems
• Security Fundamental to Health of Internet
• Attacks Increasing Dramatically – Targeted at New Network and Internet Services
• Security Must be Part of Network Infrastructure
• Partnership (education and Government) Critical to a Global Security Strategy
• Best Practices is the Security of the future
In Summary...