Ccie security 01
  • Security is no longer about “products”: Security solutions must be chosen with business objectives in mind and integrated with operational procedures and tools. Scalability demands are increasing: With the increasing number of vulnerabilities and security threats, solutions must scale to thousands of hosts in large enterprises. Legacy endpoint security Total Cost of Ownership (TCO) is a challenge: Reactive products force deployment and renewal of multiple agents and management paradigms. Day zero damage: Rapidly propagating attacks (Slammer, Nimda, MyDoom) happen too fast for reactive products to control. Therefore, an automated, proactive security system is needed to combat the dynamic array of modern-day viruses and worms. With modern-day distributed networks, security cannot be enforced only at the network edge or perimeter. We will discuss perimeter security in more detail later in this chapter. Zero-day attacks or new and unknown viruses continue to plague enterprises and service provider networks. To attempt to establish protection against attacks, enterprises try to patch systems as vulnerabilities become known. This clearly cannot scale in large networks, and this situation can be addressed only with real-time proactive-based systems.
  • The sample list that follows covers some common policies that an organization should consider. Acceptable use: This policy outlines the acceptable use of computer equipment. The rules are established to protect the employee and the organization. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues. Ethics: This policy emphasizes the employee’s and consumer’s expectations to be subject to fair business practices. It establishes a culture of openness, trust, and integrity in business practices. This policy can guide business behavior to ensure ethical conduct. Information sensitivity: This policy is intended to help employees determine what information can be disclosed to nonemployees, as well as the relative sensitivity of information that should not be disclosed outside an organization without proper authorization. The information covered in these guidelines includes but is not limited to information that is either stored or shared via any means. This includes electronic information, information on paper, and information shared orally or visually (such as by telephone, video conferencing, and teleconferencing). E-mail: This policy covers appropriate use of any e-mail sent from an organization’s e-mail address and applies to all employees, vendors, and agents operating on behalf of the company. Password: The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. Risk assessment: This policy is used to empower the Information Security (InfoSec) group to perform periodic information security risk assessments (RA) for the purpose of determining areas of vulnerability and to initiate appropriate remediation.
  • As stated previously, today’s solutions are shifting toward the approach of placing safeguard mechanisms at various layers of the network, not just at the boundary or edge devices. Today, it is recommended to deploy Intrusion Prevention System (IPS) devices on both the inside and outside boundaries of private networks. Firewalls, on the other hand, are placed between various business segments or departments within the same organization, dividing the network into logical groupings and applying perimeter defense at each segment or department. In this multiperimeter model, each segment can have different layers of defense within it. Effective perimeter security has become increasingly important over recent years. Perimeter security cannot be trusted to only the traditional defense mechanisms of firewalls and IDS. Web applications, wireless access, network interconnectivities, and VPNs have made the perimeter a much more complicated concept than it was a couple of years ago. A layered approach requires implementing security solutions at different spectrums of the network. Another similar concept is islands of security. To implement islands of security, do not restrict your thinking to perimeter security. Do not depend on just one method for your security. You should, instead, have layers of protection—perimeter, distribution, core, and access layer. Figure 1-4 illustrates a basic multilayered security mechanism, which is designed to protect the data flow in the system.
  • Network security is a continuous process built around the corporate security policy. The security wheel depicted in Figure 1-6 shows a recursive, ongoing process of striving toward perfection—to achieve a secured network infrastructure. The paradigm incorporates the following five steps:
    • Step 1: Develop a security policy. A strong security policy should be clearly defined, implemented, and documented, yet simple enough that users can easily conduct business within its parameters.
    • Step 2: Make the network secure. Secure the network by implementing security solutions (implement authentication, encryption, firewalls, intrusion prevention, and other techniques) to stop or prevent unauthorized access or activities and to protect information and information systems.
    • Step 3: Monitor and respond. This phase detects violations to the security policy. It involves system auditing and real-time intrusion detection and prevention solutions. This also validates the security implementation in Step 2.
    • Step 4: Test. This step validates the effectiveness of the security policy through system auditing and vulnerability scanning and tests existing security safeguards.
    • Step 5: Manage and improve. Use information from the monitor and test phases to make improvements to the security implementation. Adjust the corporate security policy as security vulnerabilities and risks are identified. Manage and improve corporate security policy.
  • Transcript

    • 1. CISCO Security Solution Peter Cheong
    • 2. Fundamental Questions for Network Security 1. What are you trying to protect or maintain? 2. What are your business objectives? 3. What do you need to accomplish these objectives? 4. What technologies or solutions are required to support these objectives? 5. Are your objectives compatible with your security infrastructure, operations, and tools?
    • 3. Fundamental Questions for Network Security 6. What risks are associated with inadequate security? 7. What are the implications of not implementing security? 8. Will you introduce new risks not covered by your current security solutions or policy? 9. How do you reduce that risk? 10. What is your tolerance for risk? YOUR COMPANY NAME | LONG AND INTERESTING PRESENTATION TITLE | VERSION NO. XX | 06/06/2012
    • 4. Transformation of the Security Paradigm • Security is no longer about “products” • Scalability demands are increasing • Legacy endpoint security Total Cost of Ownership (TCO) is a challenge • Day zero damage
    • 5. Principles of Security— The CIA Model
    • 6. Policies, Standards, Procedures, Baselines, Guidelines A security policy is a set of rules, practices, and procedures dictating how sensitive information is managed, protected, and distributed. In the network security realm, policies are usually point specific, which means they cover a single area. A security policy is a document that expresses exactly what the security level should be by setting the goals of what the security mechanisms are to accomplish. Security policy is written by higher management and is intended to describe the “whats” of information security.
    • 7. Examples of Security Policies The sample list that follows covers some common policies that an organization should consider. • Acceptable use • Ethics • Information sensitivity • E-mail • Password • Risk assessment
    • 8. Relationships Among Security Policies, Standards, Procedures, Baselines, and Guidelines
    • 9. Security Models An important element in the design and analysis of secure systems is the security model, because it integrates the security policy that should be enforced in the system. A security model is a symbolic portrayal of a security policy. It maps the requirements of the policy makers into a set of rules and regulations that are to be followed by a computer system or a network system. A security policy is a set of abstract goals and high-level requirements, and the security model is the do’s and don’ts to make this happen.
    • 10. Security Models • The Bell-LaPadula Model (BLM), also called the multilevel model, was introduced mainly to enforce access control in government and military applications. BLM protects the confidentiality of the information within a system. • The Biba model is a modification of the Bell-LaPadula model that mainly emphasizes the integrity of the information within a system. • The Clark-Wilson model prevents authorized users from making unauthorized modification to the data. This model introduces a system of triples: a subject, a program, and an object. • The Access Control Matrix is a general model of access control that is based on the concept of subjects and objects.
    • 11. Security Models • The Information Flow model restricts information in its flow so that it moves only to and from approved security levels. • The Chinese Wall model combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations. • The Lattice model deals with military information. Lattice-based access control models were developed in the early 1970s to deal with the confidentiality of military information. In the late 1970s and early 1980s, researchers applied these models to certain integrity concerns. Later, application of the models to the Chinese Wall policy, a confidentiality policy unique to the commercial sector, was developed. A balanced perspective on lattice-based access control models is provided.
    • 12. Perimeter Security Opinions on perimeter security have changed a great deal over the past few years. Part of that change is that the very nature of perimeter security is becoming increasingly uncertain, and everyone has a different view of just what it is. The limits of the perimeter itself are becoming broad and extensive, with no geographic boundaries, and remote access is becoming part of the integral network.
    • 13. A Solid Perimeter Security Solution • A comprehensive perimeter security solution enables communications across it as defined by the security policy, yet protects the network resources from breaches, attacks, or unauthorized use. It controls multiple network entry and exit points. It also increases user assurance by implementing multiple layers of security. • The wide range of Cisco perimeter security solutions provides several levels of perimeter security that can be deployed throughout your network as defined by your security policy. These solutions are highly flexible and can be tailored to your security policy.
    • 14. Security in Layers As discussed earlier, security in layers is the preferred and most scalable approach to safeguard a network. One single mechanism cannot be relied on for the security of a system. To protect your infrastructure, you must apply security in layers. This layered approach is also called defense in depth. The idea is that you create multiple systems so that a failure in one does not leave you vulnerable, but is caught in the next layer. Additionally, in a layered approach, the vulnerability can be limited and contained to the affected layer because of the applied security at varying levels.
    • 15. Multilayer Perimeter Solution As stated previously, today’s solutions are shifting toward the approach of placing safeguard mechanisms at various layers of the network, not just at the boundary or edge devices. Today, it is recommended to deploy Intrusion Prevention System (IPS) devices on both the inside and outside boundaries of private networks. Firewalls, on the other hand, are placed between various business segments or departments within the same organization, dividing the network into logical groupings and applying perimeter defense at each segment or department. In this multiperimeter model, each segment can have different layers of defense within it.
    • 16. Multilayer Perimeter Solution Effective perimeter security has become increasingly important over recent years. Perimeter security cannot be trusted to only the traditional defense mechanisms of firewalls and IDS. Web applications, wireless access, network interconnectivities, and VPNs have made the perimeter a much more complicated concept than it was a couple of years ago.
    • 17. Multilayer Perimeter Solution A layered approach requires implementing security solutions at different spectrums of the network. Another similar concept is islands of security. To implement islands of security, do not restrict your thinking to perimeter security. Do not depend on just one method for your security. You should, instead, have layers of protection—perimeter, distribution, core, and access layer.
    • 18. Security Applied Across All Layers of the System
    • 19. The Domino Effect The OSI reference model was built to enable different layers to work independently of each other. The layered approach was developed to accommodate changes in the evolving technology. Each OSI layer is responsible for a specific function within the networking stack, with information flowing up and down to the next subsequent layer as data is processed. Unfortunately, this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem.
    • 20. The Domino Effect
    • 21. Security Wheel
    • 22. Summary • This chapter gave an overview of network security and discussed the challenges of managing a secured network infrastructure. The chapter discussed how the security paradigm is changing and that security solutions today are no longer product based. Instead, they are more solution oriented and designed with business objectives in mind. • The chapter also discussed the core principles of security—the CIA triad of confidentiality, integrity, and availability—followed by brief discussion of aspects of security policies: standards, procedures, baselines, guidelines, and various security models. The chapter takes a detailed look at the perimeter security issue and the multilayered security approach. The chapter concludes with the Cisco security wheel paradigm involving five cyclical steps.
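Slides 10 and 11 name the Bell-LaPadula, Biba and lattice models without showing their rules. The following is an added example, not part of the original deck: it applies the standard read/write rules of both models to one small lattice of levels and compartments. The level names, compartments, subject and objects are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed ordering of levels; a real deployment defines its own.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # a dominates b when a's level is at least b's and a holds every
        # compartment b has. Two labels can be incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)   # simple security property
    if op == "write":
        return obj.dominates(subject)   # *-property
    raise ValueError(f"unsupported operation: {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up.

    Labels are read as integrity labels here; the same lattice is reused
    only to make the duality with Bell-LaPadula visible.
    """
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unsupported operation: {op!r}")


# Constructed subject, objects and requests (hypothetical names).
ANALYST = Label("secret", frozenset({"crypto"}))
OBJECTS = {
    "memo": Label("confidential"),
    "report": Label("top_secret", frozenset({"crypto"})),
    "reactor_plan": Label("secret", frozenset({"nuclear"})),
}
REQUESTS = [("read", "memo"), ("write", "memo"), ("read", "report"),
            ("write", "report"), ("read", "reactor_plan"),
            ("write", "reactor_plan")]


def evaluate(subject, requests):
    """Return {(op, object_name): (blp_decision, biba_decision)}."""
    return {(op, name): (blp_allows(subject, OBJECTS[name], op),
                         biba_allows(subject, OBJECTS[name], op))
            for op, name in requests}


if __name__ == "__main__":
    for (op, name), (blp, biba) in evaluate(ANALYST, REQUESTS).items():
        print(f"{op:5} {name:13} BLP={'allow' if blp else 'deny':5} "
              f"Biba={'allow' if biba else 'deny'}")
```

The two models give opposite answers on every comparable pair, and both deny access to `reactor_plan` because its label is incomparable with the analyst's.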
