Tvr core gtri

  1. Cybersecurity: TIO: Security Embedded in the Network
  2. Cyber security Landscape
  3. Cisco Embedded Capabilities. What can your network do?
  4. Cisco’s Turn It On Campaign
     • Developed to provide best practices to customers for Cyber Security features
     • 3-part Whitepaper series (1st published December 2010)
     • Focused on key security features that customers already have within IOS
     • Effective features to enhance Cyber Security posture
  5. Embedded IOS Security features:
  6. A word about “Turning the feature ON”
     • Deployment Methodology
     • Performance considerations
     • Test, Test, Test, deploy.
  7. Netflow and Cyber security
     • A distributed sensor in the network
     • Anomaly, Discovery, Correlation
     • Security Information and Event Management Systems (SIEMs)
     • Incident "live" usage: top talkers on CLI
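A NetFlow configuration in Cisco IOS syntax, added here to illustrate the uses the slide lists (export to a SIEM, and top talkers on the CLI during an incident); it is not taken from the deck or the Turn It On whitepapers, and the interface names, the collector address 10.10.0.20 and the timers are assumptions:

```cisco
! Assumed topology: LAN-facing GigabitEthernet0/0, WAN-facing GigabitEthernet0/1,
! SIEM/NetFlow collector at 10.10.0.20 (placeholder values).
! 1. Turn the sensor on: account for ingress traffic on every interface of interest.
interface GigabitEthernet0/0
 ip flow ingress
interface GigabitEthernet0/1
 ip flow ingress
! 2. Export version 9 records to the collector for anomaly detection and correlation.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.10.0.20 2055
! Age active flows after 1 minute so long-lived flows reach the SIEM while they run,
! not only when they end.
ip flow-cache timeout active 1
! 3. Live incident use: keep a top-10 list of talkers by bytes on the device itself,
!    refreshed every 5 seconds (5000 ms), for "show ip flow top-talkers".
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 5000
! Verification (exec mode), after the test phase recommended on slide 6:
!   show ip flow export          - confirms the collector is reachable and records are sent
!   show ip flow top-talkers     - heaviest sources/destinations right now
!   show ip cache flow           - raw cache; ports are shown in hex (e.g. 0019 = TCP/25)
```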
  8. Internet Protocol Service Level Agreement (IP-SLA) and Cyber security
     • Validation of expected network performance
     • Proper deployment, posturing, configuration, and placement of network related devices with respect to SLAs
     • Continuous validation of QoS policies throughout the network
     • Embedded Event Manager (EEM)
  9. Control Plane Processes (CoPP) and Cyber security
     • Configured and Protected Command/Control channel for network infrastructure devices
     • Ensures access to devices to enforce security policies
  10. NBAR and Cybersecurity
     • Classification engine that recognizes and classifies
     • Guarantee bandwidth to critical applications
     • Limit bandwidth
     • P2P
  11. Next Steps:
     • Testing methodology in the lab
     • Cisco Services for deployment
  12. CyberSecurity IOS Assessment & Enablement
      Engagement Activities:
      • 3 to 8 Days (on site) with a Cisco CyberSecurity Expert (Security Engineer level)
      • Perform an Assessment reviewing the Cisco IOS security configurations
      • Recommendations and actions to enable one or more of the following:
        • Trust: IP-Service Level Agreements (SLA) & Control Plane Processes (CoPP) – [QoS assurance and DDOS Prevention]
        • Visibility: Prevent and Detect Incidents with Cisco Netflow features – [Anomaly and Correlation – visibility]
        • Resilience: Response/Recover/Report with:
          • Network Based Application Recognition (NBAR) – [QoS assurance and DDOS Prevention]
          • Peer-To-Peer (P2P) Blocking – [blocks all P2P traffic with NBAR policy mapping]
      • Open discussion on other CyberSecurity customer challenges
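An NBAR policy in Cisco IOS MQC syntax, added here to illustrate the three NBAR uses from slide 10 (guarantee bandwidth to critical applications, limit bandwidth, P2P) and the "P2P blocking with NBAR policy mapping" item on slide 12; it is not configuration from the deck or the whitepapers, and the WAN interface name, the choice of critical applications and the percentages are assumptions:

```cisco
! Assumed: GigabitEthernet0/1 faces the WAN; voice, Citrix and HTTPS are the
! mission-critical applications (placeholder choices, not from the slides).
ip cef
! 1. Classify with NBAR. match-any: a packet belongs to the class if any protocol matches.
class-map match-any APP-P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
class-map match-any APP-CRITICAL
 match protocol rtp audio
 match protocol citrix
 match protocol secure-http
class-map match-any APP-BULK
 match protocol ftp
! 2. Policy: guarantee a share of the link to critical applications, block P2P outright,
!    cap bulk transfers, and fair-queue the rest so no single flow starves others.
policy-map WAN-EDGE-OUT
 class APP-CRITICAL
  bandwidth percent 40
 class APP-P2P
  drop
 class APP-BULK
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
! 3. Turn it on: protocol discovery gives visibility first (what is actually on the link),
!    then the policy enforces on the WAN edge.
interface GigabitEthernet0/1
 ip nbar protocol-discovery
 service-policy output WAN-EDGE-OUT
! Verification:
!   show ip nbar protocol-discovery interface GigabitEthernet0/1 top-n 10
!   show policy-map interface GigabitEthernet0/1   - per-class offered rate and drops
```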
  13. Cisco Router Security Portfolio (figure): Service Integration scaled to fit every size branch office, from Small Office and Teleworker through Small, Medium and Large Branch to Mobile/Rugged, with the 800, 1800, 2800, 3200 and 3800 Series; performance and services density for concurrent services; embedded wireless, security and data; embedded advanced voice, video, data and security services.
  14. Cisco Router Security: Leadership in Innovation
      Industry First: Cisco Integrated Services Router Innovations in Security
      • Industry-leading integration of VPN, routing, and QoS: DMVPN, GET VPN, SSL VPN, and Easy VPN
      • Router-embedded security services: Application firewall, IPS, and URL filtering
      • Cisco® Router and Cisco Configuration Professional (CCP) with one-touch lockdown and security audit
      • Router-integrated voice and security
      • Router-integrated wireless with advanced security
      • Router-integrated switching; Layer 2/3 security
      • Secure WAN backup over DSL, cable, 3G, or satellite
  15. Only Cisco Router Security Delivers All This (figure)
      • Secure Network Solutions: Business Continuity, Secure Voice, Secure Mobility, Compliance
      • Integrated Threat Management: Advanced Firewall, Content Filtering, Intrusion Prevention, Flexible Packet Matching, Network Admission Control, 802.1x, Network Foundation Protection
      • Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN
      • Management and Instrumentation: CCP, NetFlow, IP SLA, Role-Based Access
  16. Cisco’s Turn It On Campaign (table: Feature, Capability, Platform, Value to Cyber, Whitepaper)
      • NetFlow
        Capability: Provides usage statistics of traffic flows traversing a given network device that can be used for analysis.
        Platform: Majority of IOS Routers and Switches as well as the ASA.
        Value to Cyber: Provides network telemetry that greatly increases your cybersecurity visibility.
        Whitepaper: 1
      • NBAR
        Capability: Cisco’s NBAR is a powerful classification engine that recognizes and classifies a wide variety of applications. NBAR ensures performance for mission-critical applications by intelligently classifying applications, providing absolute priority and a guaranteed amount of bandwidth. In addition, NBAR limits the bandwidth consumed by less critical applications.
        Platform: IOS Routing & Switching Platforms
        Value to Cyber: In a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack someone is trying to overwhelm your network capacity, which in effect prevents your mission-critical applications from functioning. By turning on NBAR, an attack is mitigated because critical applications have priority over the traffic generated by the attack. Critical applications continue to send traffic, while NBAR drops selective packets to avoid congestion. This limits the amount of traffic your network will dedicate to the attacker’s request for data. By setting up NBAR you further mitigate the ability of a DoS/DDoS attack to be successful on Day 0.
        Whitepaper: 1
      • CoPP
        Capability: The Control Plane Policing feature allows you to configure a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches.
        Platform: IOS Routing & Switching Platforms
        Value to Cyber: CoPP protects against reconnaissance and Denial-of-Service (DoS) attacks. By turning on this feature, you can maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
        Whitepaper: 1
      • IP-SLA/QOS
        Capability: IP SLA can be used as a verification toolset to ensure proper deployment, posturing, configuration, and placement of network related devices with respect to SLAs.
        Platform: Majority of IOS Routers and Switches as well as the ASA.
        Value to Cyber: IP SLA provides the capability to continually verify reachability and performance level of a mission critical application during a cyber security DDOS attack.
        Whitepaper: 1
      • OER: Application Aware Routing: PBR
        Capability: The OER Application-Aware Routing: PBR feature introduces the capability to optimize traffic based on portions of an IP packet other than the destination address.
        Platform: IOS Routing & Switching Platforms
        Value to Cyber: The OER Application-Aware Routing: PBR feature allows the user to route application traffic based on information other than destination IP address. This allows the administrator to ensure that mission critical applications remain available during a network attack.
        Whitepaper: 3
      • IOS FW Feature Set: Router Initiated traffic
        Capability: This feature allows any traffic initiated by the router to be included in the IOS FW state table, thus ACLs are no longer needed for this type of traffic.
        Platform: IOS Routing Platforms
        Value to Cyber: This allows simplification of router ACL configurations since baseline traffic such as NTP is not inspected via the FW Feature set.
        Whitepaper: 3
  17. Cisco Router Security Certifications (table; the per-platform check marks did not survive extraction)
      Columns: FIPS 140-2 Level 2; Common Criteria Firewall (EAL4); Common Criteria IPSec (EAL4)
      Platforms: Cisco® 870 ISR, Cisco 1800 ISR, Cisco 2800 ISR, Cisco 3800 ISR, Cisco 7200 VAM2+, Cisco 7200 VSA, Cisco 7301 VAM2+, Cisco 7600 IPSec VPN SPA, Catalyst 6500 IPSec VPN SPA, Cisco 7600
  18. Integrated Threat Control Overview: Industry-Certified Security Embedded Within the Network (figure: Corporate Office, Branch Offices, Small Office and Telecommuter connected over the Internet, with a Hacker on the outside)
      • Access branch office has secure Internet access and no need for additional devices
      • Router Protection: Automated router lockdown; Router availability during DoS. Solution protects the router itself from hacking and DoS attacks.
      • Content Security: Advanced Layer 3–7 firewall; P2P and IM control; Reputation based content filtering. Solution controls illegal surfing.
      • Malware Prevention: Integrated IPS for distributed defense and rapid response; Control of wired and wireless user access and noncompliant devices. Solution controls worms, viruses, and spyware right at the remote site; conserves WAN bandwidth.