ccmigration_09186a008033a3b4

Slide 1.
© 2002 Cisco Systems, Inc. All rights reserved.

Slide 2. Cisco Advanced Services: Delivering a Secure Network
© 2003 Cisco Systems, Inc. All rights reserved.
Slide 3. The Need to Outpace and Outsmart Threats

[Chart: intrusions reported per year, 1988 to 2000, on a 0 to 25,000 scale (source: CERT, Carnegie Mellon University), overlaid with the rising sophistication of hacker tools against the falling technical knowledge required of the attacker. Tool milestones in order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sniffers, sweepers, DDoS, stealth diagnostics, packet forging/spoofing, Internet worms.]
Slide 4. CIO and CSO Security Challenge

• Protect the business from security threats
• Improve security staff productivity
• Reduce total cost of ownership for security infrastructure

[Chart: dollars over time; demand from applications and the cost of securing them grow faster than the security budget, putting pressure on resources, security requirements, and budget.]
Slide 5. Network Security is Integral to Business Protection

[Diagram: business functions that depend on the network: Customer Care, Supply Chain Management, Workforce Optimization, E-Commerce, E-Learning.]

• Protect business operations against directed attacks
• Prevent damage from worms and viruses
• Deploy consistent security policy

Slide 6. Cisco Services Portfolio: Accelerate Customer Success

[Diagram: three service tiers: Advisory Services (vision to reality; Networked Virtual Organization), Advanced Services (speed of migration; network-to-services investment; application optimization), Technical Support Services (investment protection; device-to-network).]

Slide 7. Value of Cisco Advanced Services for Network Security

• Deep security expertise
• Leading best practices
• Specialized tools and methodology
• Large network security architecture experience

[Diagram: Advanced Services for Network Security positioned between Advisory Services and Technical Support Services.]

Cisco Trusted Advisor: expertise in network security assessment, architecture, design, implementation, and optimization.

Slide 8. Cisco Advanced Services Delivering Business Benefits

Business Protection
• Assure service availability
• Improve response to disruption

Lower TCO
• Reduce overhead of security operations
• Optimize investment in network infrastructure

Productivity
• Simplify integration and standardize operations

[Diagram: Advanced Services for Network Security across the Plan, Design, Implement, Operate, and Optimize life cycle.]

Slide 9. Advanced Services for Network Security: Delivery Capabilities

People
• CCIE® (networking) and CCSP™ (security) certified
• Large enterprise and government or military backgrounds
• Advanced technology expertise (IP telephony, wireless, storage)
• Advisors to the Cisco® Product Security Incident Response Team

Process
• Proven, repeatable methodologies
• Leading best practices across the security life cycle
• Expertise in vulnerability research, identification, and resolution

Tools
• Specialized network security assessment tools
• Award-winning Cisco Technical Assistance Center Website
• Comprehensive best practices documentation

Partners
• Specialized services and technology
• Integration with Cisco security technology
• Global reach
Slide 10. An Architectural Approach Is Required

• Protect the network at all points
• Reduce risk by deploying diverse security components to support policy
• Ensure secure connectivity of diverse traffic and user access

[Diagram: access, distribution, and core layers connecting the Internet, data center, remote office, PSTN, and mobile office/telecommuter, with a control at each point: manage security; restrict access and manage propagation; secure VPN connectivity and data privacy; secure perimeter with firewalls; VPN/access authentication services; detect and react to intrusion.]
Slide 11. Service Offerings Across the Security Life Cycle

(Grouping follows the slide layout.)

Assess and plan for a sound architecture and design
• Security Posture Assessment
• Network Security Architecture Review
• IP Telephony Security Review
• Network Security Design Review

Build in scalable, adaptable, easy-to-upgrade solutions
• Network Security Design Development
• Network Security Implementation Plan Review

Transparently integrate into the core network infrastructure
• Network Security Implementation Engineering
• Cisco Security Agent Implementation
• NAC Implementation
• Riverhead Implementation

Continually identify and mitigate risk
• Network Security Optimization
Slide 12. Security Posture Assessment: Establish a Baseline

• Analyze existing security vulnerabilities
• Validate security policy and procedures
• Report unauthorized data and system access
• Provide recommendations to prevent exploitation
• Perform trending analysis over repeated SPAs

Slide 13. Security Posture Assessment: A Comprehensive Approach

• Baseline to identify active hosts, operating systems, and services
• Targeting to identify all network vulnerabilities
• Exploitation to manually confirm vulnerabilities
• Data intelligence and threat analysis against requirements and best practices

[Diagram: the three assessment activities: perimeter penetration test, remote exploitation, internal simulated attack.]

Slide 14. Security Posture Assessment

[Diagram: the enterprise network assessed from four directions: dialup assessment, internal assessment, external assessment (Internet and WAN), wireless assessment.]
Slide 15. Security Posture Assessment: Sample Results and Findings

Architectural weaknesses: 66 Class A networks supporting 100,000 employees on the internal network (for example, one Class A network supports 16,777,214 hosts)

Access control vulnerabilities: External remote access connections to critical hosts on the internal network due to an unauthorized rogue modem

Network control and auditing weaknesses: Identified 16 unknown, unauthenticated high-speed Internet connections for a large enterprise with several global divisions

Detection and response weaknesses: Five weeks of intensive attacks undetected due to lack of logging, monitoring, and employee awareness

Incomplete policy configuration: Firewall configured with no policy rules for 13 months

Use of default passwords: Standardized vendor passwords on network devices. Example: all Cisco routers configured to use "cisco" as the user ID and password

Weak passwords: "Joe" (password identical to the user ID), null, or easily guessed passwords allowing access to critical or sensitive hosts. Example: over 140,000 user ID and password pairs for an online financial institution were captured unencrypted, stored on a vulnerable host that was accessible from the Internet
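Several of the findings above (vendor default "cisco"/"cisco" credentials, "Joe" and other guessable passwords, a firewall with no policy rules, an address plan sized for tens of millions of hosts) can be caught from configuration text alone, before anyone exploits them. The script below is an added example, not Cisco's assessment tooling or anything from the deck: it walks a constructed Cisco IOS-style configuration and emits one finding per weakness. The sample configuration, the weak-password list and the "ten times the head count" threshold for the address-plan check are all assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample configuration for this example (not taken from any real device or assessment).
SAMPLE_CONFIG = """\
hostname core-rtr-1
username cisco password 0 cisco
username joe password 0 joe
username ops password 7 094F471A1A0A
enable password cisco
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.0.0.0
interface GigabitEthernet0/1
 ip address 11.0.0.1 255.0.0.0
 ip access-group INSIDE_IN in
ip access-list extended INSIDE_IN
ip access-list extended OUTSIDE_IN
 deny ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 11.0.0.10 eq 443
line vty 0 4
 password cisco
 login
"""

DEFAULT_CREDENTIALS = {("cisco", "cisco")}                   # vendor default pair named on the slide
WEAK_PASSWORDS = {"cisco", "password", "admin", "null", ""}  # illustrative "easily guessed" list (assumption)


def usable_hosts(mask: str) -> int:
    """Usable host addresses behind a dotted netmask (255.0.0.0 gives 16,777,214)."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return max(net.num_addresses - 2, 0)


def audit_config(text: str, employees: int) -> list[str]:
    """Return one finding string per weakness found in an IOS-style configuration."""
    findings: list[str] = []
    acl_rules: dict[str, int] = {}        # ACL name -> number of permit/deny entries
    applied: list[tuple[str, str]] = []   # (ACL name, interface it is applied on)
    ctx = None                            # current section: ("interface" | "line" | "acl", name)
    total_hosts = 0

    for raw in text.splitlines():
        s = raw.strip()
        if not raw.startswith(" "):       # a top-level command ends the previous section
            ctx = None
        if m := re.match(r"username (\S+) password (?:(\d) )?(\S+)$", s):
            user, ptype, pw = m.group(1), m.group(2) or "0", m.group(3)
            if ptype == "7":
                findings.append(f"user {user}: type 7 password is reversibly encoded, use 'username ... secret'")
            elif (user, pw) in DEFAULT_CREDENTIALS:
                findings.append(f"user {user}: vendor default credentials {user}/{pw}")
            elif pw in WEAK_PASSWORDS or pw.lower() == user.lower():   # the "Joe" account case
                findings.append(f"user {user}: weak password {pw!r}")
        elif m := re.match(r"enable password (?:\d )?(\S+)$", s):
            findings.append(f"enable password {m.group(1)!r} is stored in cleartext, use 'enable secret'")
        elif m := re.match(r"interface (\S+)$", s):
            ctx = ("interface", m.group(1))
        elif m := re.match(r"line (.+)$", s):
            ctx = ("line", m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", s):
            acl_rules.setdefault(m.group(1), 0)
            ctx = ("acl", m.group(1))
        elif ctx and ctx[0] == "interface" and (m := re.match(r"ip address (\S+) (\S+)$", s)):
            total_hosts += usable_hosts(m.group(2))
        elif ctx and ctx[0] == "interface" and (m := re.match(r"ip access-group (\S+) (?:in|out)$", s)):
            applied.append((m.group(1), ctx[1]))
        elif ctx and ctx[0] == "line" and (m := re.match(r"password (?:\d )?(\S+)$", s)):
            if m.group(1) in WEAK_PASSWORDS:
                findings.append(f"line {ctx[1]}: weak login password {m.group(1)!r}")
        elif ctx and ctx[0] == "acl" and re.match(r"(?:permit|deny) ", s):
            acl_rules[ctx[1]] += 1

    # "Firewall configured with no policy rules": an ACL that is applied but empty (or never
    # defined) blocks nothing; IOS permits all traffic through an empty access list.
    for name, iface in applied:
        if acl_rules.get(name, 0) == 0:
            findings.append(f"ACL {name} applied on {iface} has no rules, so it filters nothing")

    # "66 Class A networks for 100,000 employees": flag an address plan an order of
    # magnitude larger than the population it serves (threshold is an assumption).
    if employees > 0 and total_hosts > 10 * employees:
        findings.append(f"address plan: {total_hosts:,} usable host addresses for {employees:,} employees "
                        f"({total_hosts // employees:,} per employee)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, employees=100_000):
        print("-", finding)
```

Running it against the sample prints seven findings, one per weakness planted in the configuration. A real assessment would feed `show running-config` output from every device and track the counts across repeated SPAs, which is the trending the deck describes.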
Slide 16. Security Posture Assessment: Communicating Results

The SPA Report
• Executive Summary: metrics for baseline studies, trending, and budget review
• Assessment Analysis: vulnerabilities discovered and data analysis
• Best Practices and Strategy: recommendations for mitigating risk

Slide 17. SPA Case Study: Fortune 125 Insurance Company

Requirements
• Protection of client financial portfolios
• Compliance with GLBA requirements
• No disruption of production financial systems
• Working knowledge of European privacy laws

Scope
• External posture assessment to identify vulnerabilities that allow outsiders to compromise client records
• Internal posture assessment to identify unauthorized employee access to sensitive information

Results
• Identified employees with unauthorized access to management information
• Identified extensive external vulnerabilities
• Improved skills of internal staff who participated in war games

Slide 18. Network Security Design Benefits

• Maintain an optimized security implementation
• Ensure fast recovery in case of disruption
• Reduce operating costs of security administration
• Avoid implementation problems
• Prepare for future deployment initiatives
• Identify deviations from best practices and policy
Slide 19. Applying Best Practices for Business Results

[Diagram: the SAFE enterprise blueprint with its modules: Management, Building, Distribution, Core, Server, Edge, Corporate Internet, E-Commerce, VPN/Remote Access, ISP, PSTN, FR/ATM WAN, CERT®.]

Slide 20. Tailoring SAFE from Cisco to Your Environment

Best Practice Security Blueprints for Implementing Integrated Network Security

Available Blueprints
• Enterprise
• Small Business
• IPSec VPNs
• Voice
• Wireless (update)
• E-Commerce (update)
• Layer 2 Networks (new)

[Diagram: the same SAFE enterprise blueprint modules as on the previous slide.]
Slide 21. Designing an End-to-End Secure Network Infrastructure

Secure the Infrastructure
• Campus router and switch security
• Data center system and server security
• Firewall policy, placement, and design
• VPN and dialup remote access
• Secure WAN connections
• Corporate extranet security

Monitor and Respond
• Intrusion detection policy, placement, and design
• Internet access monitoring
• Network attack mitigation

Manage and Improve
• Security and network management policy, placement, and design
Slide 22. Network Security Design Review

• Review network security architecture and design (perimeter security, remote access, IDS, firewalls, VPNs, e-commerce, etc.)
• Identify architecture and design vulnerabilities
• Prioritize security requirements for network devices
• Recommend improvements to topology, components, functions, and features
• Recommend tools for managing network security

Slide 23. Network Security Design Development

• Identify and analyze network infrastructure vulnerabilities
• Define network security topology, components, and functions (perimeter security, remote access, IDS, firewalls, VPNs, e-commerce, etc.)
• Specify hardware and software requirements
• Develop sample configurations for protocols, policy, and features
• Recommend tools for managing network security

Slide 24. Network Security Design Development Methodology

Customer Input
• Security policy, goals, and requirements
• Network topology, design, inventory
• Network device configuration
• Network services and business process

Cisco Methodology
• Understand security business goals, objectives, and requirements
• Identify threats to critical assets
• Map security requirements to network architecture
• Define security topology, components, and functions
• Deliver impact analysis of new requirements
• Provide preliminary and final gap analysis
• Deliver architecture/design document with network diagrams
Slide 25. Perimeter Security Architecture and Design

[Diagram: perimeter placements: small business/branch office Internet access, corporate HQ Internet access via the Internet service provider, regional office, telecommuter Internet access, home access, ASP, data center and internal firewalls, server farm.]

Sample Firewall Policy Checklist
• As restrictive and simple as possible
• Authorization process for firewall changes
• Governed by separation of duties for approval and workflow
• Combines firewall tools to balance policy with throughput requirements
• Audit log for firewall administration
• Robust back-out and configuration management
• Test frequently with penetration tests and policy audits
Slide 26. User Authentication and Authorization Design

[Diagram: remote access VPN (allow only IPSec traffic; authenticate users; terminate IPSec; focused Layer 4–7 analysis), site-to-site VPN (broad Layer 4–7 analysis; stateful packet filtering; basic Layer 7 filtering), traditional dial access servers on the PSTN (authenticate users; terminate analog dial), remote site (authenticate; terminate IPSec).]
Slide 27. User Authentication and Authorization: Sample Best Practices

Corporate Dialup
• Identification and accreditation of all dialup services
• Individual accountability
• Strong authentication for remote users
• User access logging

Extranet VPN
• Termination of network links on firewalled DMZs
• Encryption of access from the Internet
• Strong authentication for access from the Internet
• Ingress filtering; sessions limited to authorized hosts and services

Remote Access VPN
• Individual user authentication
• Strong authentication using OTP or certificates
• No split tunneling, to limit attacks
• Triple DES unless prevented by export laws
• Limit communication to authorized hosts and services
• IKE and ESP protocols
• Tunnels terminated in front of the firewall

[Diagram: the same remote access VPN, site-to-site VPN, dial access and remote site placements as on the previous slide.]
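The Remote Access VPN column above combines three filter-level controls: only IKE and ESP may reach the VPN terminator, the terminator sits in front of the firewall, and ingress filtering drops Internet packets that claim an internal source. The code below is an added example, not from the deck or from Cisco: a small first-match access-list model that builds that inbound filter and evaluates constructed sample packets against it. The terminator address, the internal prefix and the packets are assumptions made for the example, and the optional UDP/4500 NAT-T rule is an assumption not on the slide (the 2003 slide lists IKE and ESP only). Split tunneling is a client policy and cannot be checked by a perimeter filter, so it is not modeled here.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "esp", "udp", "tcp" or "icmp"
    dport: int | None = None   # destination port for udp/tcp


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str | None = None   # None matches any protocol
    dport: int | None = None   # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def ipsec_only_ruleset(vpn_terminator: str, internal_prefixes: list[str],
                       allow_nat_t: bool = False) -> list[Rule]:
    """Inbound filter for the Internet-facing interface in front of the VPN terminator."""
    rules: list[Rule] = []
    # Ingress filtering: a packet arriving from the Internet must not carry an internal source address.
    for prefix in internal_prefixes:
        rules.append(Rule("deny", ipaddress.ip_network(prefix), ANY, note="ingress anti-spoofing"))
    term = ipaddress.ip_network(f"{vpn_terminator}/32")
    # Only the IPsec protocols reach the terminator: IKE on UDP/500 and ESP (IP protocol 50).
    rules.append(Rule("permit", ANY, term, "udp", 500, "IKE"))
    rules.append(Rule("permit", ANY, term, "esp", None, "ESP"))
    if allow_nat_t:
        # Assumption not on the slide: IKE/ESP encapsulated in UDP/4500 when a peer sits behind NAT.
        rules.append(Rule("permit", ANY, term, "udp", 4500, "NAT-T"))
    rules.append(Rule("deny", ANY, ANY, note="explicit final deny"))
    return rules


def evaluate(rules: list[Rule], packet: Packet) -> tuple[str, str]:
    """First-match evaluation, the way an access list is processed; returns (action, note)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.note
    return "deny", "no match"


# Constructed sample traffic for this example.
TERMINATOR = "192.0.2.1"
RULES = ipsec_only_ruleset(TERMINATOR, ["10.0.0.0/8"])
SAMPLE_PACKETS = [
    Packet("203.0.113.5", TERMINATOR, "udp", 500),   # IKE from a remote user
    Packet("203.0.113.5", TERMINATOR, "esp"),        # ESP data from the same user
    Packet("203.0.113.5", TERMINATOR, "tcp", 22),    # SSH to the terminator from the Internet
    Packet("10.1.2.3", TERMINATOR, "esp"),           # spoofed internal source arriving from outside
    Packet("203.0.113.5", "192.0.2.9", "udp", 500),  # IKE aimed at a host that is not the terminator
]


def run_demo() -> list[tuple[str, str]]:
    """Evaluate every sample packet; returns the (action, note) per packet in order."""
    return [evaluate(RULES, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, (action, note) in zip(SAMPLE_PACKETS, run_demo()):
        port = p.dport if p.dport is not None else ""
        print(f"{p.src:>14} -> {p.dst:<10} {p.proto:<4} {port:<5} {action:<6} ({note})")
```

Only the first two packets are permitted; the SSH attempt and the misdirected IKE fall through to the final deny, and the spoofed packet is dropped by the anti-spoofing rule before any permit is considered, which is why that rule has to come first in the list.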
Slide 28. Intrusion Detection Architecture and Design

• Extranet IDS: monitors partner traffic where "trust" is implied but not assured
• Internet IDS: complements firewall and VPN by monitoring traffic for malicious activity
• Intranet/Internal IDS: protects data centers and critical assets from internal threats
• Remote Access IDS: hardens perimeter control by monitoring remote users

Sample IDS Best Practices
• Test different intrusion profiles and alert/response methods
• Determine location and interoperability with network management consoles
• Tune for the environment to manage false alarms
• Test a combination of HIDS and NIDS positioning
• Test frequently with penetration tests and policy audits

[Diagram: sensor placements between business partner, users, corporate office, Internet, data center, remote access NAS, and DMZ servers.]
Slide 29. Data Center Network Security Design

Threats: information theft, denial of service, unauthorized entry, data interception, unprotected assets.

[Diagram: data center tiers: N-tier front-end applications, web servers, application servers, DB servers, mainframe, IP communications, operations, network.]

Sample Data Center Security Best Practices
• Endpoint protection of hosts, servers, and desktops
• Network-based intrusion detection for Layer 2/3 threat monitoring, analysis, and prevention
• Firewalls for filtering traffic
• VPNs for secure communications between data centers
• Identity servers for strong authentication
• Management and monitoring of security devices, services, and network activity
Slide 30. Architecture and Design Case Study: U.S. Government Institution

Requirements
• Provide security architecture and design recommendations based on national security policy
• Augment limited in-house expertise
• Identify vulnerabilities on a classified network

Scope
• Firewall and IPSec VPN design and configuration review for conformance with SAFE from Cisco®
• Security Design Review to identify nonconformance with security policy and Cisco best practices

Results
• Provided design recommendations prior to a major infrastructure upgrade
• Customer implemented firewall and VPN design in less time, with less costly redesign

Slide 31. Network Security Implementation Plan Review

• Understand the objectives, scope, and constraints of the deployment
• Analyze requirements for solution deployment, integration, and management
• Review implementation plans including tasks, milestones, resources, and schedule
• Analyze network staging, test, and installation plans, including topology, configurations, test scripts, and acceptance criteria
• Analyze and recommend hardware and software changes

Slide 32. Network Security Implementation Engineering

• Analyze solution test, installation, and integration strategy
• Develop implementation plan including tasks, milestones, and schedule
• Develop network staging plan including topology, configurations, test scripts, and acceptance criteria
• Analyze and recommend hardware and software changes
• Provide custom installation, configuration, testing, tuning, and integration
• Deliver hands-on education and remote deployment support
Slide 33. Cisco Security Agent Implementation Service

• Assess and plan for a sound CSA architecture and design: develop deployment strategy and plan
• Build scalable, adaptable, and easy-to-upgrade CSA solutions: identify requirements and deliver a design specification
• Integrate CSA into the network infrastructure and application environment: deliver limited deployment with custom policies that meet solution requirements
• Continually improve intrusion prevention solution: provide ongoing support for enterprise deployment

Slide 34. NAC Implementation Service

• Plan for a sound NAC architecture and design: assess network operations and infrastructure to determine NAC readiness; install and test a limited deployment
• Build scalable, adaptable, easy-to-upgrade NAC solution: deliver NAC design specification detailing topology, device configurations, HW/SW upgrades, and management
• Integrate NAC into the network infrastructure: develop a deployment plan and provide onsite installation of a corporate-wide implementation
• Continually improve network admission control solution: provide ongoing/periodic consultation to optimize NAC for reliability, efficiency, and scalability
Slide 35. Network Security Optimization

• Define criteria for network security optimization
• Collect and analyze data for trends and exceptions
• Review network security component placement and configuration
• Provide recommendations for network and security component tuning
• Deliver impact analysis of new software, features, and configuration
• Analyze and notify staff of network security advisories

Slide 36. Cisco Services Delivering Customer Satisfaction

[Diagram: Advisory Services, Advanced Services for Network Security, Technical Support Services, World Class Partners.]

Slide 37. Cisco Advanced Services Deliver a Secure Network

Delivered Uniquely by Cisco®: people, process, tools, partners, best practices, and knowledge transfer combine into a secure corporate network.

Customer Benefits
• Business Protection: reduce risk to business assets
• Lower TCO: optimize investment in secure network infrastructure
• Productivity: simplify and standardize operations

Slide 38.
© 2001, Cisco Systems, Inc. All rights reserved.