Cisco Embedded Capabilities: What can your network do?
Cisco's Turn It On Campaign
• Developed to give customers best practices for the cyber security features they already own
• 3-part whitepaper series (first part published December 2010)
• Focused on key security features that customers already have within IOS
• Effective features that enhance cyber security posture without new hardware

A word about "turning the feature ON"
• Deployment methodology: decide where each feature is enabled and in what order
• Performance considerations: NetFlow, NBAR and CoPP all cost CPU and memory on the device; check platform capacity before enabling them
• Test, test, test, then deploy
NetFlow and Cyber Security
• A distributed sensor in the network: every router and switch exporting flows
• Anomaly detection, discovery and correlation
• Feeds Security Information and Event Management systems (SIEMs)
• Incident "live" usage: top talkers on the CLI, with no collector needed
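The following IOS configuration is an added example, not part of the Cisco deck: it enables classic NetFlow export to a collector and the on-box top-talkers cache used for live triage. The collector address 192.0.2.10 (UDP 2055), Loopback0 as the export source and GigabitEthernet0/0 and 0/1 as the WAN and LAN interfaces are assumptions.

```ios
! Added example (not from the Cisco deck): classic NetFlow export plus CLI top talkers.
! Assumed values: collector 192.0.2.10 (UDP 2055), Loopback0 as export source,
! GigabitEthernet0/0 (WAN) and GigabitEthernet0/1 (LAN).
!
! 1. Export flows to the SIEM/collector (version 9 carries more fields than v5)
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.10 2055
! Expire long-lived flows every minute so the collector sees an attack building,
! not one giant record when the flow finally ends
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! 2. Collect ingress on both interfaces so both directions of every conversation are seen
interface GigabitEthernet0/0
 description WAN
 ip flow ingress
!
interface GigabitEthernet0/1
 description LAN
 ip flow ingress
!
! 3. Live triage during an incident: rank the flow cache by bytes without a collector
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 30000
!
! Exec-mode checks:
!   show ip flow top-talkers   -> who is moving the most data right now
!   show ip cache flow         -> many flows with 1-2 packets each to one destination = scan / SYN flood
!   show ip flow export        -> confirms export datagrams are leaving and not failing
```

During an incident the `show ip flow top-talkers` output answers "who is talking to the target" in seconds; sort-by packets instead of bytes is the better choice when the attack is a flood of small packets rather than a bandwidth exhaustion.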
Internet Protocol Service Level Agreement (IP SLA) and Cyber Security
• Validation of expected network performance
• Proper deployment, posturing, configuration and placement of network devices with respect to SLAs
• Continuous validation of QoS policies throughout the network
• Embedded Event Manager (EEM) can act automatically when an IP SLA threshold is crossed
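As an added example (not from the Cisco deck), the configuration below runs two IP SLA probes against a mission-critical site, one for plain reachability and one marked DSCP EF to validate the voice QoS class end to end, and uses an EEM applet to capture evidence when the probe fails. The far-end address 192.0.2.1 (which must run `ip sla responder` for the jitter probe), the local source 10.0.0.1 / Loopback0, and the threshold values are assumptions.

```ios
! Added example (not from the Cisco deck): IP SLA probes that validate reachability and the EF QoS
! class end to end, with EEM reacting when the SLA breaks. Assumed values: far-end router 192.0.2.1
! (configured with "ip sla responder"), local source 10.0.0.1 / Loopback0, illustrative thresholds.
!
! Far end only:
!   ip sla responder
!
! Probe 10: reachability to the critical site every 10 s, alarm RTT above 200 ms
ip sla 10
 icmp-echo 192.0.2.1 source-interface Loopback0
 frequency 10
 threshold 200
!
! Probe 20: synthetic voice stream marked EF (tos 184 = DSCP 46). If jitter/loss rise while
! probe 10 stays healthy, the QoS policy is being bypassed or overwhelmed somewhere on the path.
ip sla 20
 udp-jitter 192.0.2.1 16384 source-ip 10.0.0.1 codec g711ulaw
 tos 184
 frequency 30
!
ip sla schedule 10 life forever start-time now
ip sla schedule 20 life forever start-time now
!
! React to three consecutive breaches, not a single blip; traps need "snmp-server enable traps ipsla"
ip sla reaction-configuration 10 react rtt action-type trapOnly threshold-type consecutive 3 threshold-value 200 100
ip sla reaction-configuration 20 react jitterDSAvg action-type trapOnly threshold-type consecutive 3 threshold-value 30 10
!
! Track reachability so EEM (and routing, if desired) can key off it
track 10 ip sla 10 reachability
!
! EEM: when the site goes unreachable, log it and collect what an incident responder needs first
event manager applet SLA10-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "IP SLA 10 to 192.0.2.1 DOWN - possible DDoS or path failure"
 action 2.0 cli command "enable"
 action 2.1 cli command "show ip sla statistics 10"
 action 2.2 cli command "show policy-map control-plane | include drop"
 action 2.3 cli command "show ip flow top-talkers"
!
! Verify: show ip sla statistics 10 / show ip sla statistics 20 / show track 10
```

The two probes together separate "the path is down" from "the path is up but our EF class is no longer honoured", which is the distinction that matters when deciding whether a DDoS has reached the WAN circuit or only the application.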
Control Plane Policing (CoPP) and Cyber Security
• A QoS policy applied to the device's control plane that rate-limits traffic destined to the route processor (routing protocols, management, ICMP) so the CPU keeps running under attack
• Preserves a configured and protected command/control channel to network infrastructure devices
• Ensures access to devices so security policies can still be enforced during an incident
NBAR and Cyber Security
• Classification engine that recognizes applications by inspecting packet contents, not just port numbers
• Guarantee bandwidth to critical applications
• Limit bandwidth consumed by less critical applications
• Identify and block P2P traffic

Next Steps:
• Testing methodology in the lab
• Cisco Services for deployment
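This added example (not from the Cisco deck) shows NBAR used both ways the slide describes, and also covers the P2P blocking item in the engagement activities below: P2P applications are classified and dropped at the WAN edge, while critical applications get a guaranteed share of the link. Serial0/0 as the WAN interface, `citrix` and `rtp audio` as stand-ins for your critical applications, and the 40 percent reservation are assumptions.

```ios
! Added example (not from the Cisco deck): NBAR classification used to drop P2P and to reserve
! bandwidth for critical applications. Assumed values: Serial0/0 is the WAN link; "citrix" and
! "rtp audio" stand in for your critical applications; the percentage is illustrative.
!
! 1. Protocol discovery first: see what is really on the link before writing policy
interface Serial0/0
 ip nbar protocol-discovery
!   show ip nbar protocol-discovery top-n 10
!
! 2. Classify by application (stateful inspection, so P2P on port 80 or random ports still matches)
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
class-map match-any CRITICAL-APPS
 match protocol citrix
 match protocol rtp audio
!
! 3. Inbound: P2P is dropped at the edge so it never consumes the router or the LAN
policy-map P2P-BLOCK
 class P2P
  drop
!
! 4. Outbound: critical apps get a guaranteed share, P2P is dropped, the rest shares what is left
policy-map WAN-OUT
 class CRITICAL-APPS
  bandwidth percent 40
 class P2P
  drop
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy input P2P-BLOCK
 service-policy output WAN-OUT
!
! Verify: show policy-map interface Serial0/0   (per-class matched and dropped counters)
```

NBAR only drops the protocols its signatures recognize; a new or obfuscated P2P client lands in class-default. That is why the bandwidth guarantee for CRITICAL-APPS, not the drop rule, is the control that actually keeps the critical application alive during a flood.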
CyberSecurity IOS Assessment & Enablement: Engagement Activities
• 3 to 8 days (on site) with a Cisco CyberSecurity expert (security engineer level)
• Perform an assessment reviewing the Cisco IOS security configurations
• Recommendations and actions to enable one or more of the following:
  • Trust: IP Service Level Agreements (SLA) & Control Plane Policing (CoPP) [QoS assurance and DDoS prevention]
  • Visibility: Prevent and detect incidents with Cisco NetFlow features [anomaly and correlation; visibility]
  • Resilience: Respond/recover/report with:
    • Network Based Application Recognition (NBAR) [QoS assurance and DDoS prevention]
    • Peer-to-Peer (P2P) blocking [blocks P2P traffic with an NBAR policy map; only the P2P protocols NBAR has signatures for are blocked]
• Open discussion on other CyberSecurity customer challenges
Cisco Router Security Portfolio (figure: platform positioning by branch size; service integration scaled to fit every size branch office)
• 800 Series: embedded wireless, security and data for the small office and teleworker
• 1800 Series: performance for concurrent services, small to medium branch
• 2800 Series: high density and performance for concurrent services, medium branch
• 3200 Series: mobile/rugged applications
• 3800 Series: performance and services density, large branch
• All platforms: embedded, advanced voice, video, data and security services
Cisco Router Security: Leadership in Innovation
Industry first: Cisco Integrated Services Router
Innovations in security:
• Industry-leading integration of VPN, routing and QoS: DMVPN, GET VPN, SSL VPN and Easy VPN
• Router-embedded security services: application firewall, IPS and URL filtering
• Cisco® router and Cisco Configuration Professional (CCP) with one-touch lockdown and security audit
• Router-integrated voice and security
• Router-integrated wireless with advanced security
• Router-integrated switching; Layer 2/3 security
• Secure WAN backup over DSL, cable, 3G or satellite

Only Cisco Router Security Delivers All This (figure: feature map)
• Secure Network Solutions: business continuity, compliance, secure voice, secure mobility
• Integrated Threat Management: advanced firewall, content filtering, intrusion prevention, Flexible Packet Matching, Network Admission Control, 802.1X, Network Foundation Protection
• Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN
• Management and Instrumentation: CCP, NetFlow, IP SLA, role-based access
Cisco's Turn It On Campaign: feature summary (columns: Feature / Capability / Platform / Value to Cyber / Whitepaper)

Feature: NetFlow
Capability: Provides usage statistics of traffic flows traversing a given network device that can be used for analysis.
Platform: Majority of IOS routers and switches, as well as the ASA.
Value to Cyber: Provides network telemetry that greatly increases your cybersecurity visibility.
Whitepaper: 1

Feature: NBAR
Capability: Cisco's NBAR is a powerful classification engine that recognizes and classifies a wide variety of applications. NBAR ensures performance for mission-critical applications by intelligently classifying applications, providing absolute priority and a guaranteed amount of bandwidth. In addition, NBAR limits the bandwidth consumed by less critical applications.
Platform: IOS routing & switching platforms.
Value to Cyber: In a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack someone is trying to overwhelm your network capacity, which in effect prevents your mission-critical applications from functioning. By turning on NBAR, an attack is mitigated because critical applications have priority over the traffic generated by the attack. Critical applications continue to send traffic, while NBAR drops selected packets to avoid congestion. This limits the amount of traffic your network will dedicate to the attacker's request for data. By setting up NBAR you further mitigate the ability of a DoS/DDoS attack to be successful on day 0. (This protects the link the policy is applied to; it cannot recover bandwidth already consumed upstream of the router, so a volumetric attack that saturates the inbound WAN circuit still needs upstream filtering.)
Whitepaper: 1

Feature: CoPP
Capability: The Control Plane Policing feature allows you to configure a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches.
Platform: IOS routing & switching platforms.
Value to Cyber: CoPP protects against reconnaissance and Denial-of-Service (DoS) attacks. By turning on this feature, you can maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
Whitepaper: 1

Feature: IP SLA / QoS
Capability: IP SLA can be used as a verification toolset to ensure proper deployment, posturing, configuration and placement of network devices with respect to SLAs.
Platform: Majority of IOS routers and switches, as well as the ASA.
Value to Cyber: IP SLA provides the capability to continually verify reachability and performance level of a mission-critical application during a cyber security DDoS attack.
Whitepaper: 1

Feature: OER Application-Aware Routing: PBR
Capability: The OER Application-Aware Routing: PBR feature introduces the capability to optimize traffic based on portions of an IP packet other than the destination address.
Platform: IOS routing & switching platforms.
Value to Cyber: The OER Application-Aware Routing: PBR feature allows the user to route application traffic based on information other than the destination IP address. This allows the administrator to ensure that mission-critical applications remain available during a network attack.
Whitepaper: 3

Feature: IOS Firewall Feature Set: router-initiated traffic
Capability: This feature allows any traffic initiated by the router to be included in the IOS Firewall state table, so ACL entries are no longer needed for the return traffic of these sessions.
Platform: IOS routing platforms.
Value to Cyber: This simplifies router ACL configurations, since return traffic for baseline router-generated sessions such as NTP is admitted by the firewall state table rather than by permanent ACL holes.
Whitepaper: 3
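For the IOS Firewall router-initiated-traffic row, the configuration below is an added example, not from the Cisco deck. It enables classic IOS Firewall (CBAC) inspection with the `router-traffic` keyword so the router's own NTP and DNS sessions are tracked in the state table and the outside ACL can deny everything statically. GigabitEthernet0/0 as the outside interface, NTP server 192.0.2.50 and DNS server 192.0.2.53 are assumptions.

```ios
! Added example (not from the Cisco deck): IOS Firewall inspection that also tracks sessions the
! router itself originates, so the outside ACL needs no static holes for NTP/DNS replies.
! Assumed values: GigabitEthernet0/0 is OUTSIDE, NTP server 192.0.2.50, DNS server 192.0.2.53.
!
ntp server 192.0.2.50
ip name-server 192.0.2.53
!
! Inspect transit traffic leaving through OUTSIDE and, with router-traffic, the router's own
! sessions (NTP udp/123, DNS udp/53, outbound SSH/TACACS+ and the like)
ip inspect name CYBER-FW tcp router-traffic
ip inspect name CYBER-FW udp router-traffic
ip inspect name CYBER-FW icmp router-traffic
!
! Outside-in ACL: nothing is statically permitted; every inbound packet must match a firewall session
ip access-list extended OUTSIDE-IN
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
 deny ip any any log
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip access-group OUTSIDE-IN in
 ip inspect CYBER-FW out
!
! Verify:
!   show ntp associations        -> router is synchronizing through the firewall
!   show ip inspect sessions     -> a udp session from the router's address to 192.0.2.50:123 appears
!
! Without router-traffic the same design needs a permanent
!   permit udp host 192.0.2.50 eq ntp any eq ntp
! in OUTSIDE-IN, a hole that stays open whether or not the router has a query outstanding.
```

The `deny ip any any log` line is the check that the design works: if legitimate router-generated replies show up in the log as denied, a protocol has been missed by the inspection rule, which is a far safer failure than a forgotten permit statement.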
Integrated Threat Control Overview: Industry-Certified Security Embedded Within the Network (figure: corporate office, branch offices and a small office/telecommuter connected over the Internet, with a hacker, illegal surfing and malware shown at the edge)
• Router Protection: automated router lockdown; router availability during DoS. The solution protects the router itself from hacking and DoS attacks.
• Content Security: advanced Layer 3–7 firewall; P2P and IM control; reputation-based content filtering.
• Malware Prevention: integrated IPS for distributed defense and rapid response; control of wired and wireless user access and noncompliant devices.
• The branch office has secure Internet access with no need for additional devices.
• The solution controls worms, viruses and spyware right at the remote site and conserves WAN bandwidth.