2© 2001, Cisco Systems, Inc. All rights reserved.
SAFE Security Blueprint for e-Business
A Security Blueprint for e-Business
Joshua McCloud, [email protected]

Agenda
• Anatomy of Network Attacks
• Introducing: SAFE
• SAFE Network Design
• Cisco Security & VPN Products
• Security Certifications

Disclaimer
“This presentation provides a tit for tat description of a fictional electronic war between an irritable yet determined cracker and an overworked, but well funded, IT staff. Any similarities to your customer’s environments are purely coincidental.
Cisco does not recommend such reactionary security design. Rather we suggest you base designs on the Cisco SAFE white papers for a systematic approach to security design.”
The Authors at Cisco Systems

The Aggressor
• Scott Daniels (aka n3T51ay3r)
  - College age, too much free time
  - Two notches above “script kiddie”
  - Recently banned from netgamesrus.com for cheating on their latest game “Xtreme Secret Agent”
  - Wants revenge

The Defenders
• Netgamesrus.com
  - Web-based gaming company
  - Experienced explosive growth and hasn’t had much time to think about security
  - IT staff is minimal, and most have occupied their time play-testing their newest creation
  - Just went through a second round of funding that hasn’t been spent yet

Initial Solution
• Router only provides WAN connectivity
• FW is concerned with internal net
[Diagram: Netgamesrus.com: Internet, public hosts (WWW, DNS, SMTP, FTP), internal net]

In My Sleep (n3T51ay3r)
• Scan ports and vulnerabilities to find target
• Outdated BIND discovered on web server
• Root privilege obtained, logs cleaned, and root kit installed
• “You are so owned”
BIND: Berkeley Internet Name Domain (DNS); buffer overflow vulnerability
[Diagram: n3T51ay3r on the Internet, internal net]

Scanning Tools
http://www.insecure.org/nmap/

Quick Fix
• A player with scanning software happens to find your host is compromised and tattles
• Turn off unwanted services
• Rinse and repeat (for all the hosts)
• Move public services off third leg of firewall for service isolation
[Diagram: Netgamesrus.com: Internet, firewall, internal net]

Hey, What Happened? (n3T51ay3r)
• What happened to “my” system?
• Rescan
  - There are fewer services available
  - Services are patched
• Wait for “new” vulnerability posting on net (no hurry…)
[Diagram: n3T51ay3r on the Internet, internal net]

Odds in My Favor (n3T51ay3r)
• Exploit latest vulnerability (a race)
• Reinstall rootkit, clean logs
• Download add’l attack tools (getting angry)
• Scan isolated service network and internal net
• Own more public hosts
[Diagram: n3T51ay3r on the Internet, internal net]

Raise the Bar
• Internal scan finds compromised hosts
• Fix and rebuild hosts
• Install network IDS
• Turn on liberal shunning and TCP resets
  - Most signatures
  - Reconfigure ACLs on the router
[Diagram: Netgamesrus.com: Internet, internal net]

NIDS Response
The NIDS has added deny entries for the shunned source addresses to the router’s ACL:
  7100he#show access-list
  Extended IP access list 197
      permit ip host 10.1.1.20 any
      deny ip host 112.70.126.43 any
      deny ip host 96.193.155.79 any
      deny ip host 40.232.39.97 any
      deny ip host 220.64.150.28 any
      deny ip host 50.19.117.109 any
      deny ip host 176.82.33.85 any
      deny ip host 196.161.217.4 any
      deny ip host 111.100.101.15 any
      deny ip host 130.234.112.89 any
      deny ip host 243.68.1.8 any
      deny ip host 59.93.177.47 any
      deny ip host 239.213.208.158 any
      deny ip host 204.170.43.113 any

Lost Tone Again? (n3T51ay3r)
• Services found, though patched again
• Run vulnerability scans but inconsistent response
• Pings also blocked
• A “friend” observes the same result
• Drats…what’s going on?
[Diagram: n3T51ay3r on the Internet, internal net]

IT Success!
• Scan and exploit attempts captured
• Shunning worked
[Diagram: Netgamesrus.com: Internet, internal net]

Stick IDS (n3T51ay3r)
• Researched behavior; NIDS and shunning assumed
• Find method to defeat NIDS: Stick & Whisker utility
  - http://www.eurocompton.net/stick/
  - http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
  - Overwhelms shunning capability
• Launch Stick/Whisker, re-exploit hosts, install toys
[Diagram: n3T51ay3r on the Internet, internal net]

Stick Tool
  [root@sconvery-lnx stick]# ./stick -h
  Usage: stick [sH ip_source] [sC ip_class_C_spoof] [sR start_spoof_ip end_spoof_ip] [dH ip_target] [dC ip_class_C_target] [dR start_target_ip end_target_ip]
  -------------------------------------------------------------------------
  defaults destination to 10.0.0.1 and source default is 0.0.0.0-255.255.255.255
  Software Design for limitted Stress Test capablity.
  [root@sconvery-lnx stick]# ./stick dH 12.1.1.1
  Destination target value of: 101010c
  Stress Test - Source target is set to all 2^32 possiblities
  sending rule 496
  sending rule 979
  sending rule 896
  sending rule 554
  sending rule 735
  sending rule 428

New Management
• Two observations
  - NIDS shunning pre-FW may be overflowed, so turn off shunning
  - Firewall logs show download of tools on hosts
• Install NIDS in public segment and liberally shun on FW
• FW ACLs to prevent public services segment outbound sessions
• Rebuild hosts using Ghost ☺ and patch
[Diagram: Netgamesrus.com: Internet, internal net]

Specific Filtering
• No outbound for Web servers
• Be specific on other access
[Diagram: firewall with Customer, Public Services, Internal Services and Internal Users segments; the flow Source: Public Services, Destination: Internet, Port: Any is marked x (blocked), the other specific flows are marked ok]

Lessons Learned: n3T51ay3r vs. Netgamesrus.com
• BIND hack: mitigated by patches and NIDS
• Root kit: found by scan, manually removed
• New vulnerability: found by FW logs, mitigated by patches
• Attack tool download: mitigated by outbound filtering on FW
• IDS shun DoS (stick): no shunning on NIDS in front of FW

This Is Getting Tough (n3T51ay3r)
• Lost tone again, must still be shunning
• Use stick again
• Still no tone???
[Diagram: n3T51ay3r on the Internet, internal net]

Success Again
• NIDS alarming tracks cracker activities
• Shunning on FW working
• FW mitigates stick effects on NIDS in public services segment
[Diagram: Netgamesrus.com: Internet, internal net]

The Empire Strikes Back (n3T51ay3r)
• What is being shunned? Looks like composite and atomic attacks are shunned
• Exploit poorly deployed shunning: launch spoofed atomic attacks from proxy servers of large ISPs
• Now legitimate customers can’t get in!
[Diagram: proxied customers behind proxy server 50.50.50.50; n3T51ay3r on the Internet, internal net]

To Shun or Not to Shun
• Public exposure (due to shun problem) creates job uncertainties among the IT staff
• Perhaps shunning everything is a bad idea?
  - Set shun posture to only critical multi-packet TCP attacks
  - Tune IDS (shun length, false positives, alarm levels, hire staff to monitor IDS 24x7)
  - Optional: tier IDS log analysis for better attack visibility
[Diagram: Netgamesrus.com: Internet, internal net]
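As an added example (not code from the slides or from Cisco), this Python model of the shun decision shows why the tuned posture avoids the proxy problem from the previous slide: it shuns only critical composite TCP signatures that the sensor saw complete a handshake, so a single spoofed packet claiming a proxy’s address raises an alarm but adds no shun. The Alarm fields, the handshake flag, the shun length and the sample addresses are constructed assumptions, not a real sensor’s output.

```python
"""Model of a tuned NIDS shun posture (added example, not Cisco code).

An atomic (single-packet) signature can be triggered by a forged source
address, so shunning on it blocks whoever the packet claims to be from, e.g.
an ISP proxy shared by many legitimate customers. A composite signature that
only fires after a completed TCP handshake comes from a host that really
received our SYN-ACK, so shunning that source is safe. Shuns also expire
after a tuned shun length. The Alarm fields and the 'handshake' flag are
assumptions about what the sensor reports, not a real sensor format.
"""
from dataclasses import dataclass, field


@dataclass
class Alarm:
    ts: float          # seconds since start of the trace
    src: str           # source address reported by the sensor
    sig: str           # signature name
    kind: str          # "atomic" (single packet) or "composite" (multi-packet)
    severity: int      # 1 (informational) .. 5 (critical)
    handshake: bool    # sensor observed a full TCP three-way handshake


@dataclass
class ShunPolicy:
    liberal: bool = False        # True: the 'shun everything' posture that backfired
    min_severity: int = 4        # only critical alarms may shun
    shun_len: float = 900.0      # seconds a shun stays in place (tuned, assumed value)
    never_shun: set = field(default_factory=set)   # known shared infrastructure
    shuns: dict = field(default_factory=dict)      # src -> expiry time

    def should_shun(self, a: Alarm) -> bool:
        if a.src in self.never_shun:
            return False
        if self.liberal:
            return True
        # Tuned posture: critical, multi-packet TCP attacks only
        return a.kind == "composite" and a.handshake and a.severity >= self.min_severity

    def handle(self, a: Alarm) -> str:
        """Process one alarm; returns 'shun' or 'alarm' (log only)."""
        self.expire(a.ts)
        if self.should_shun(a):
            self.shuns[a.src] = a.ts + self.shun_len
            return "shun"
        return "alarm"

    def expire(self, now: float) -> None:
        for src in [s for s, exp in self.shuns.items() if exp <= now]:
            del self.shuns[src]

    def is_blocked(self, src: str, now: float) -> bool:
        self.expire(now)
        return src in self.shuns


PROXY = "50.50.50.50"   # proxy server address from the slide
# Constructed sample alarms (not captured traffic)
ALARMS = [
    Alarm(0.0, PROXY, "ICMP flood (atomic)", "atomic", 5, handshake=False),   # spoofable
    Alarm(1.0, "203.0.113.7", "BIND overflow (composite)", "composite", 5, handshake=True),
    Alarm(2.0, "198.51.100.9", "port sweep (atomic)", "atomic", 2, handshake=False),
]


def run(policy: ShunPolicy) -> dict:
    """Feed the sample alarms through a policy; returns {src: action}."""
    return {a.src: policy.handle(a) for a in ALARMS}


if __name__ == "__main__":
    print("liberal:", run(ShunPolicy(liberal=True)))   # proxy gets shunned: customers locked out
    print("tuned:  ", run(ShunPolicy()))               # only the real BIND attacker is shunned
```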

Try, Try Again (n3T51ay3r)
• Looks like they’ve got their act together
  - Trying the ISP DoS again doesn’t work
  - Shunning must have been tuned
• Shift gears: what CGI scripts are running on the box?
[Diagram: n3T51ay3r (Hmm…) on the Internet, internal net]

godzilla.d (n3T51ay3r)
• Found a public domain CGI in use
  - Examine source code and run tools to find an unpublished vulnerability
• After substantial research, success
• Compromise web server with new toy (godzilla.d)
[Diagram: n3T51ay3r (godzilla!!) on the Internet, internal net]

Why Me?
• Find, Ghost, and patch hosts
• Fix CGI script (with outside help)
• Post to Bugtraq (or not)
  - Do we really want more visibility?
• Install host IDS on appropriate hosts
[Diagram: Netgamesrus.com: Internet, internal net]

Host Intrusion Detection
• Host IDS is best installed on key servers
• Features vary per product, including watching for:
  - File system
  - Process table
  - I/O
  - System resource usage
  - Memory allocation
• Actions include alarm and sometimes prevent
• Financially and operationally impractical to install on all hosts

What Happened: DDoS
• Requires an available, reliable, secure network infrastructure…
• Microsoft; Internet root DNS servers (Oct 21 02)

DDoS, How Does It Work?
1. Scan for systems to hack
2. Install software to scan for, compromise and infect agents
3. Agents get loaded with remote control attack software
4. Client issues commands to handlers which control agents in a mass attack
[Diagram: client system, handler systems, agent systems]

Stacheldraht Attack
[Diagram: client controls three handlers, each with 25 agents, across the Internet; the legitimate customer is marked x (cut off)]

Oh My Goodness!
• So that’s what DDoS does
• Research problem and call ISP
• Request that ISP implement CAR
• Reconsider edge architecture: should we move our e-commerce elsewhere?
• Implement RFC 1918 and 2827 filtering
• Find and read SAFE White Paper
[Diagram: Netgamesrus.com edge: Internet, admin systems, AAA server, public net, employees]

Committed Access Rate
• Rate limiting
• Several ways to filter
• “Token bucket” implementation
[Diagram: traffic matching specification, traffic measurement instrumentation (token bucket with tokens and burst limit), action policy for conforming traffic and excess traffic, next policy]

CAR Rate Limiting
• Limit outbound ping to 256 Kbps
  interface xy
   rate-limit output access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 102 permit icmp any any echo
  access-list 102 permit icmp any any echo-reply
• Limit inbound TCP SYN packets to 8 Kbps
  interface xy
   rate-limit input access-group 103 8000 8000 8000 conform-action transmit exceed-action drop
  !
  access-list 103 deny tcp any host 142.142.42.1 established
  access-list 103 permit tcp any host 142.142.42.1
rate-limit arguments: ACL, average rate, burst, excess
Traffic can burst 8K above 256K average for 8k worth of data
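As an added example (not Cisco code and not a verbatim model of IOS), this Python token bucket reproduces the decisions the two rate-limit statements above make when a flood is offered to them: packets the ACL selects draw bytes from a bucket that refills at the average rate and holds at most the burst size; the rest bypass the limiter. The packet sizes, timings and counts are constructed; the burst/excess equality on the slide means there is no extended-burst window to model.

```python
"""Token-bucket model of the CAR statements on the slide (added example).

Not Cisco code and not IOS behaviour verbatim: it models
  rate-limit output access-group 102 256000 8000 8000 ... exceed-action drop
as a bucket that refills at 256000 bit/s (32 bytes/ms) and holds at most
8000 bytes. Because normal burst == excess burst on the slide, there is no
extended-burst window: a packet conforms if enough bytes are in the bucket,
otherwise it takes the exceed action (drop). Times are integer milliseconds
so the arithmetic is exact.
"""


class TokenBucket:
    """CAR-style limiter: average rate in bit/s, normal burst in bytes."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        assert rate_bps % 8000 == 0, "rate must be a whole number of bytes per ms"
        self.rate_per_ms = rate_bps // 8000
        self.depth = burst_bytes
        self.tokens = burst_bytes          # bucket starts full
        self.last_ms = 0

    def offer(self, ts_ms: int, size: int) -> str:
        """Return the action for a size-byte packet arriving at ts_ms."""
        refill = (ts_ms - self.last_ms) * self.rate_per_ms
        self.tokens = min(self.depth, self.tokens + refill)
        self.last_ms = ts_ms
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"              # conform-action
        return "drop"                      # exceed-action


# The two access lists from the slide, as match functions over a packet dict.
def acl_103(pkt) -> bool:
    """deny tcp ... established / permit tcp ...: only non-established TCP (SYNs)."""
    return pkt["proto"] == "tcp" and not pkt["established"]


def acl_102(pkt) -> bool:
    """permit icmp any any echo / permit icmp any any echo-reply."""
    return pkt["proto"] == "icmp" and pkt["type"] in ("echo", "echo-reply")


def run_rate_limit(bucket, acl, packets) -> dict:
    """Apply one rate-limit statement: packets the ACL matches go through the
    bucket, the others bypass it (CAR's next policy). Returns action counts."""
    counts = {"transmit": 0, "drop": 0, "bypass": 0}
    for pkt in packets:
        if acl(pkt):
            counts[bucket.offer(pkt["ts_ms"], pkt["size"])] += 1
        else:
            counts["bypass"] += 1
    return counts


def ping_flood_outbound() -> dict:
    """Constructed sample: 1000 outbound 100-byte echo requests, one per ms
    (800 kbit/s offered against the 256 kbit/s, 8000-byte policy)."""
    pkts = [{"ts_ms": i, "size": 100, "proto": "icmp", "type": "echo"} for i in range(1000)]
    return run_rate_limit(TokenBucket(256000, 8000), acl_102, pkts)


def syn_flood_inbound() -> dict:
    """Constructed sample: 500 inbound 60-byte SYNs, one per ms, interleaved
    with 500 established-session segments that ACL 103 leaves unlimited."""
    pkts = []
    for i in range(500):
        pkts.append({"ts_ms": i, "size": 60, "proto": "tcp", "established": False})
        pkts.append({"ts_ms": i, "size": 500, "proto": "tcp", "established": True})
    return run_rate_limit(TokenBucket(8000, 8000), acl_103, pkts)


if __name__ == "__main__":
    print("outbound ping:", ping_flood_outbound())   # 399 transmitted, 601 dropped
    print("inbound SYN:  ", syn_flood_inbound())     # 141 transmitted, 359 dropped, 500 bypass
```

The first 8000 bytes of each flood pass unchanged (the burst), after which the bucket admits only the average rate, which is the behaviour the slide’s last line describes.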

RFC 1918 Filtering
[Diagram: ISP network, customer network; ingress to Internet]
• Ingress to Internet: drop packets carrying RFC 1918 (private) source addresses
  interface Serial n
   ip access-group 101 in
  !
  access-list 101 deny ip 10.0.0.0 0.255.255.255 any
  access-list 101 deny ip 192.168.0.0 0.0.255.255 any
  access-list 101 deny ip 172.16.0.0 0.15.255.255 any
  access-list 101 permit ip any any

RFC 2827 Filtering
[Diagram: ISP network, customer network 142.142.0.0/16]
• Ingress packets must be from customer addresses
• Egress packets (from the Internet) cannot be from customer addresses
• Ensure ingress packets are valid
Egress from Internet:
  interface Serial n
   ip access-group 120 in
   ip access-group 130 out
  !
  access-list 120 deny ip 142.142.0.0 0.0.255.255 any
  access-list 120 permit ip any any
  !
  access-list 130 permit ip 142.142.0.0 0.0.255.255 any
  access-list 130 deny ip any any
Ingress to Internet:
  interface Serial n
   ip access-group 101 in
  !
  access-list 101 permit ip 142.142.0.0 0.0.255.255 any
  access-list 101 deny ip any any
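As an added example (not Cisco code), this Python snippet parses the RFC 1918 and RFC 2827 access lists from the two slides above, applies IOS first-match semantics with the implicit trailing deny, and evaluates constructed packets to show which spoofed sources each list stops. The ACL text is the slides’ own; the packet addresses and the names CUSTOMER_EDGE and ISP_EDGE are constructed for this illustration.

```python
"""Evaluate the slides' RFC 1918 and RFC 2827 access lists (added example).

Not Cisco code: a small parser for the numbered extended ACL lines shown on
the slides (wildcard masks, first match wins, implicit deny at the end) plus
constructed packets. The ACL text is copied from the slides; the packet
addresses are constructed for this illustration.
"""
import ipaddress

CUSTOMER_EDGE = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
access-list 120 deny ip 142.142.0.0 0.0.255.255 any
access-list 120 permit ip any any
access-list 130 permit ip 142.142.0.0 0.0.255.255 any
access-list 130 deny ip any any
"""
# The RFC 2827 slide reuses number 101 for the ISP-side list, so load it separately.
ISP_EDGE = """
access-list 101 permit ip 142.142.0.0 0.0.255.255 any
access-list 101 deny ip any any
"""


def _addr(tokens):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask marks "don't care" bits with 1; invert it to get a netmask.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, protocol, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _addr(t[4:])
        dst, _ = _addr(rest)
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
    return acls


def evaluate(acl, src_ip, dst_ip, proto="ip"):
    """First matching entry decides; IOS adds an implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, dnet in acl:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action
    return "deny"


def demo():
    """Constructed packets per list; returns {(list, src): action}."""
    cust, isp = parse_acls(CUSTOMER_EDGE), parse_acls(ISP_EDGE)
    internet_host, customer_host = "203.0.113.5", "142.142.42.1"
    return {
        # RFC 1918 (ACL 101): private sources must never leave toward the Internet
        ("1918", "10.1.2.3"): evaluate(cust["101"], "10.1.2.3", internet_host),
        ("1918", "172.31.0.1"): evaluate(cust["101"], "172.31.0.1", internet_host),
        ("1918", "172.32.0.1"): evaluate(cust["101"], "172.32.0.1", internet_host),
        # RFC 2827 inbound (ACL 120): a packet from the Internet claiming our block is spoofed
        ("2827-in", "142.142.9.9"): evaluate(cust["120"], "142.142.9.9", customer_host),
        ("2827-in", "198.51.100.4"): evaluate(cust["120"], "198.51.100.4", customer_host),
        # RFC 2827 outbound (ACL 130): only our own addresses may leave
        ("2827-out", "142.142.9.9"): evaluate(cust["130"], "142.142.9.9", internet_host),
        ("2827-out", "203.0.113.9"): evaluate(cust["130"], "203.0.113.9", internet_host),
        # ISP side (ACL 101 on the RFC 2827 slide): accept only the customer's block
        ("isp-in", "142.142.9.9"): evaluate(isp["101"], "142.142.9.9", internet_host),
        ("isp-in", "10.1.2.3"): evaluate(isp["101"], "10.1.2.3", internet_host),
    }
```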

At the End of the Day
• n3T51ay3r:
  - Used several ISPs
  - Several favors
  - Lots of Mountain Dew
  - And lots of time
• Netgamesrus.com:
  - Several admins and managers
  - $200K of gear & software
  - Countless patching, re-imaging, password refreshes
  - Downtime and unhappy customers
  - PR nightmare

Is There a Better Way?
• Comprehensive security architecture
  - Have a security policy
  - Technologies work together as a system
  - No single point of failure
  - Overwhelming defense (barriers, trip-wires, reactions)
• Skilled staff
  - Prudent deployment and tuning of products
  - Limit how much is learned the hard way
• Know the threat and your weaknesses
  - Track threat tools and security technologies
  - Proactive approach to mitigation
  - Audit posture regularly
• Cheaper to pay upfront than after the fact
  - Stay employed and in business!

Cisco SAFE
Cisco SAFE is a flexible framework that empowers companies to securely take advantage of the Internet Economy

Cisco SAFE
• Cisco SAFE outlines a blueprint for secure networking solutions
• Cisco SAFE builds on intelligent security services embedded in routers, switches, appliances and applications
• Cisco SAFE offers a rich ecosystem of products, partners and services that enable companies to implement secure e-business infrastructures today
• Cisco SAFE builds on AVVID

SAFE Positioning
• Business Needs: analyze business requirements; define performance metrics
• Security Policy: define critical resources; define trust model; define network usage policy
• SAFE: define functional design; define network threat; define threat mitigation
• Implementation: implement network security; implement application security; manage to security life-cycle

SAFE Enterprise Network Design Guide
Cisco SAFE Architecture Goals: security, resilience, performance, scalability, QoS awareness, manageability
[Diagram: Enterprise Campus (user access, distribution, core, server, management); Enterprise Edge (corporate Internet, VPN & remote access, WAN module, PSTN module, public services module); ISP Edge (ISP A module, ISP B module)]

Enterprise SAFE Network
SAFE Axioms
• Routers are targets
• Switches are targets
• Hosts are targets
• Networks are targets
• Applications are targets
Design Approach
• Security through infrastructure
• Resiliency and scalability
• Secure management/reporting
• Authentication of users/operators
• Intrusion detection
• Voice/Video awareness
[Diagram: Enterprise Campus (user access, distribution, core, server, management); Enterprise Edge (VPN & remote access, WAN module, public services module); ISP Edge (ISP module)]

User Access Module
Threats Mitigated:
• Packet Sniffers: switched infrastructure and VLANs limit traffic snooping
• Private VLANs
• Port-level Authentication
• 802.1x Dynamic WEP
• VPN Client
• Virus & Trojan Horse Applications: host-based virus scans eliminate most viruses and Trojan horse applications
[Diagram: access switch, PC & IP phone, access point, hand-held device]

Distribution Module
Threats Mitigated:
• Unauthorized Access: Layer 3 filtering limits attacks on server module
• IP Spoofing: RFC 2827 filtering stops most spoofing attempts
[Diagram: distribution switch]

Core Module
Threats Mitigated:
• None: relies on security deployed at edge modules
[Diagram: core switch]

Server Modules
Threats Mitigated:
• Unauthorized Access: mitigated through host-based intrusion detection
• Application Layer Attacks: OS kept up to date with latest patches
• IP Spoofing: RFC 2827 filtering stops most spoofing attempts
• Packet Sniffers: switched infrastructure and VLANs limit traffic snooping
• Trust Exploitation: private VLANs prevent compromised devices from masquerading as management hosts
• Port Redirection: host-based IDS prevents port redirection software from being installed
[Diagram: access switch with IDS; internal e-mail server, department server, Call Manager, corporate server]

VPN & Remote Access Module
Threats Mitigated:
• Network Topology Discovery: eliminates network “foot-printing”
• Password Attack: blocks password discovery
• Unauthorized Access: remote access connections require authentication and IPSec
[Diagram: ISP, router (VPN optimized), firewall, switch, VPN gateway, IDS]

E-Commerce Module
Threats Mitigated:
• Unauthorized Access: firewall blocks attempts to penetrate internal network
• Application Layer Attacks: OS kept up to date with latest patches
• Password Attacks: blocks password discovery
• Denial of Service Attacks: CAR and firewall help defend against DoS
• IP Spoofing: RFC 2827 filtering stops most spoofing attempts
• Trust Exploitation: private VLANs prevent compromised devices from masquerading as management hosts
• Port Redirection: host-based IDS prevents port redirection software from being installed
• Network Topology Discovery: eliminates network “foot-printing”
[Diagram: ISP, router, firewall, switch, IDS, application servers, DB servers]

Network Management Module
Threats Mitigated:
• Unauthorized Access: IOS filtering stops unauthorized traffic in both directions
• Man in the Middle Attacks: management data crosses private network
• Password Attacks: ACS enforces strong, two-factor device authentication
• IP Spoofing: firewall stops spoofing in both directions
• Packet Sniffers: switched infrastructure limits effectiveness of traffic snooping
• Trust Exploitation: private VLANs prevent compromised devices from masquerading as management hosts
[Diagram: out-of-band network management and encrypted in-band network management; OTP server, authentication server, network monitoring, security management, syslog 1, syslog 2, system administration, terminal server, IDS]

Key Components of a SAFE Module
• Identity
• Perimeter Security
• Secure Connectivity
• Security Management
• Security Monitoring

Identity: Cisco Secure Access Control Server (Authentication, Authorization, Accounting)
• OS: Windows 2000, NT, Solaris
• RADIUS/TACACS+ server for user access control
• Interface to NT Domain, Active Directory, NDS, LDAP
• Web-based management
• Vital component for access control in large-scale VPN, dial, voice networks

Perimeter Security: Cisco Secure PIX Firewall Family
• PIX 535: very large enterprise; 500,000 connections
• PIX 525: large enterprise; 250,000 connections
• PIX 515: enterprise branch office and small-to-medium businesses; 150,000 connections
• PIX 506: small branch office and small businesses; DES/3DES VPN
• PIX 501: home office and home user; full PIX OS, DES/3DES VPN

Perimeter Security: Cisco IOS Firewall Feature Set
• Enhanced, integrated security for Cisco IOS platforms
  - Full-featured firewall
  - Active in-line intrusion detection
  - Authentication proxy
  - Supports NAT, IPSec VPN
  - Secure remote administration
• Strong security at low cost
• Leverages investment in Cisco infrastructure

Catalyst 6500 Firewall Module (fabric enabled)
• PIX 6.0 base feature set + some features of 6.2
• High-performance firewall, up to OC48 or 5GB aggregate throughput
• 1 million concurrent connections
• 3 million pps
• 100K new connections/sec for HTTP, DNS
• 100 VLANs
• LAN failover active/standby (both intra/inter chassis)
• Dynamic routing, i.e. RIP, OSPF
• Supports multiple IN/OUT and DMZs
• IPSEC for management only

Secure Connectivity: Cisco’s VPN Portfolio Summary
Cisco provides the industry’s broadest VPN solution set!

Customer                       Remote Access               Site-to-Site                                     Firewall-based
Large Enterprise               3080, 3060 Concentrators    7x VPN Routers/Cat 6k                            PIX Firewall 525, PIX Firewall 535
Medium Enterprise              3030 Concentrator           7x00, 37xx, 3600 Routers                         PIX Firewall 525, PIX Firewall 515E
Small Business/Branch Office   3015, 3005 Concentrators    3600, 2600, 1700 Routers                         PIX Firewall 515E, PIX Firewall 506E
SOHO Market                    VPN 3000 Client, VPN 3002   800 Routers, 1400 DSL Modem, uBR 925 Cable Modem  PIX Firewall 506E, PIX Firewall 501

Catalyst 6500 VPN Module (fabric enabled)
• Integrated into the Catalyst 6500 to address high bandwidth, rich service delivery, and leverage the integrated IDS module
• Performance & scalability:
  - Gbps 3DES (IMIX traffic)
  - 200 tunnels/second setup rate
  - 8,000 VPN sessions/tunnels
• VPN ingress through Ethernet modules
• Interoperates with IDS module
• Switch fabric enabled

Secure Connectivity: Cisco Remote Access VPN Solution
• Hardware: Cisco VPN 3000 Concentrator Series
• Software: Cisco VPN 3000 Client
• HTML-based management

Secure Connectivity: Cisco VPN 3000 Concentrator Series

Features           3005     3015     3030      3060      3080
Number of Users    100      100      1500      5000      10,000
Encryption         SW       SW       HW        HW        HW
WAN Capability     Yes      Yes      Yes       Yes       Yes
Performance        4 Mb/s   4 Mb/s   50 Mb/s   100 Mb/s  100 Mb/s
SEP                0        0        1         2         4
Upgradeable        No       Yes      Yes       Yes       N/A
Supports Dual PS   No       Yes      Yes       Yes       Yes
Redundancy         No       Yes      Yes       Yes       Yes

Pervasive Protection: IDS Everywhere
[Diagram: solution breadth across sensor types and management: network sensors (4210, 4220, 4230, 4235, 4250), switch sensor (IDSM-1), router sensors (800, 1700, 2600, 3xxx, 7xxx), firewall sensors (501, 506E, 515E, 525, 535), host sensors (standard sensor, web sensor); management via secure command line, web UI/embedded manager and enterprise management (VMS)]

Cisco IDS Host Sensor
• Comprehensive protection for the server OS and server applications utilizing call interception techniques
• Sophisticated attack protection
  - OS and application attacks
  - Buffer overflow attacks
  - Web server application attacks
  - SSL-encrypted HTTP attacks
• Prevents access to server resources before any unauthorized activity occurs
• Complementary technology to Cisco IDS Network Sensors
Host + Network = Complete IDS Solution

Catalyst 6500 SSL Service Module (fabric enabled)
• High-performance SSL termination on the switch
• Superior price/performance & functionality
• 3k~4k new connections per second
• 50k~60k concurrent connections
• 400 Mbps bulk-rate encryption
• Enables intelligent content switching of encrypted traffic
• Centralized key/certificate storage/management
• Active-passive redundancy
• Multiple blades supported per chassis
• Switch fabric enabled

Cisco’s VPN and Security Management Architecture
[Diagram: Web-Internet Architecture and Cisco AVVID Ecosystem; Automatic Policy Management (CSPM); Embedded Device Managers (PIX, IOS); Device Administration (CiscoWorks2000 CiscoView, RME); Cisco Secure ACS 2000; Monitoring Center for Security; IDS Management Centers; VPN Monitor; Host IDS Sensor]

Cisco SAFE Ecosystem: Security & VPN Associates
[Diagram: partner categories Identity, Application Security, Security Management & Monitoring, Secure Connectivity, Perimeter Security; e.g. Entercept]

Cisco Security Encyclopedia
• The premier on-line repository for security vulnerability information and solutions
• Provides partner on-line access to network security expertise
• Enhances security monitoring, detection, and response solutions

CCNP - Security Specialization
Cisco Training Partners provide certification training for Cisco security and VPN products, enhancing Cisco Channel Partner ability to install, monitor and manage security solutions
• Cisco VPNs
• Cisco Secure PIX Firewall
• Cisco Secure Intrusion Detection

For More Information Regarding Security and SAFE
• http://www.cisco.com/en/US/netsol/ns110/ns129/net_solution_home.html
• http://www.cisco.com/en/US/netsol/nettidx.html