3. The Need to Outpace and Outsmart Threats
[Chart: sophistication of hacker tools (rising curve) against the technical knowledge required of the attacker (falling curve), 1988 to 2000, y-axis scaled 0 to 25,000. Milestones labelled along the curve: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sniffers, sweepers, stealth diagnostics, DDoS, packet forging/spoofing, intrusions, Internet worms.]
Source: CERT, Carnegie Mellon University
© 2003 Cisco Systems, Inc. All rights reserved.

4. CIO and CSO Security Challenge
• Protect the business from security threats
• Improve security staff productivity
• Reduce total cost of ownership for security infrastructure
[Chart: pressure on resources, security requirements, and budget; dollars over time for applications, cost, and budget.]

5. Network Security is Integral to Business Protection
[Diagram: business processes that depend on the network: customer care, supply chain management, workforce optimization, e-commerce, e-learning.]
• Protect business operations against directed attacks
• Prevent damage from worms and viruses
• Deploy consistent security policy

6. Cisco Services Portfolio
Accelerate Customer Success
[Diagram: Advisory Services (Networked Virtual Organization; vision to reality), Advanced Services (migration, investment optimization; speed of network to application), and Technical Support Services (investment protection; device to network).]

7. Value of Cisco Advanced Services for Network Security
[Diagram: Advisory Services, Advanced Services for Network Security, Technical Support Services.]
• Deep security expertise
• Leading best practices
• Specialized tools and methodology
• Large network security architecture experience
Cisco Trusted Advisor: Expertise in network security assessment, architecture, design, implementation, and optimization

8. Cisco Advanced Services Delivering Business Benefits
Advanced Services for Network Security: Plan, Design, Implement, Operate, and Optimize
Business Protection
• Assure service availability
• Improve response to disruption
Lower TCO
• Reduce overhead of security operations
• Optimize investment in network infrastructure
Productivity
• Simplify integration and standardize operations

9. Advanced Services for Network Security Delivery Capabilities
People
• CCIE® (networking) and CCSP™ (security) certified
• Large enterprise and government or military backgrounds
• Advanced technology expertise (IP telephony, wireless, storage)
• Advisors to the Cisco® Product Security Incident Response Team
Process
• Proven, repeatable methodologies
• Leading best practices across the security life cycle
• Expertise in vulnerability research, identification, and resolution
Tools
• Specialized network security assessment tools
• Award-winning Cisco Technical Assistance Center Website
• Comprehensive best practices documentation
Partners
• Specialized services and technology
• Integration with Cisco security technology
• Global reach

10. An Architectural Approach Is Required
• Protect the network at all points
• Reduce risk by deploying diverse security components
• Ensure secure connectivity of diverse traffic and user access
[Diagram: enterprise network layers and the security function at each: Access (manage security to support policy); Distribution (restrict access and manage propagation); Core; Internet edge (secure perimeter with firewalls; VPN/access authentication services); Data Center (detect and react to intrusion); Remote Office (secure VPN connectivity and data privacy); Mobile Office/Telecommuter via PSTN (secure VPN connectivity).]

11. Service Offerings Across the Security Life Cycle
Assess and plan for a sound architecture and design:
  Security Posture Assessment
  Network Security Architecture Review
  IP Telephony Security Review
  Network Security Design Review
Build in scalable, adaptable, easy-to-upgrade solutions:
  Network Security Design Development
  Network Security Implementation Plan Review
Transparently integrate into the core network infrastructure:
  Network Security Implementation Engineering
  Cisco Security Agent Implementation
  NAC Implementation
  Riverhead Implementation
Continually identify and mitigate risk:
  Network Security Optimization

12. Security Posture Assessment—Establish a Baseline
• Analyze existing security vulnerabilities
• Validate security policy and procedures
• Report unauthorized data and system access
• Provide recommendations to prevent exploitation
• Perform trending analysis over repeated SPAs

13. Security Posture Assessment—A Comprehensive Approach
• Baseline to identify active hosts, operating systems, and services
• Targeting to identify all network vulnerabilities
• Exploitation to manually confirm vulnerabilities
• Data intelligence and threat analysis against requirements and best practices
[Diagram: assessment activities: perimeter penetration test, remote exploitation, internal simulated attack.]

14. Security Posture Assessment
[Diagram: the enterprise network with its Internet and WAN connections, and the four assessment views around it: external assessment, internal assessment, dialup assessment, wireless assessment.]

15. Security Posture Assessment—Sample Results and Findings
Architectural weaknesses: 66 Class A networks supporting 100,000 employees on the internal network (for example, one Class A network supports 16,777,214 hosts)
Access control vulnerabilities: External remote access connections to critical hosts on the internal network due to an unauthorized rogue modem
Network control and auditing weaknesses: Identified 16 unknown, unauthenticated high-speed Internet connections for a large enterprise with several global divisions
Detection and response weaknesses: Five weeks of intensive attacks undetected due to lack of logging, monitoring, and employee awareness
Incomplete policy configuration: Firewall configured with no policy rules for 13 months
Use of default passwords: Standardized vendor passwords on network devices. Example: all Cisco routers configured to use “cisco” as the user ID and password
Weak passwords: Joe, null, or easily guessed passwords allowing access to critical or sensitive hosts. Example: Over 140,000 user ID and password pairs for an online financial institution were captured unencrypted, stored on a vulnerable host that was accessible from the Internet
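A defender's configuration check for three of the finding classes in this table (default vendor credentials, Joe and null passwords, and a firewall access group applied with no policy rules), written here as an added example and not Cisco's SPA tooling; it runs over constructed device configs in a simplified IOS-like syntax, and DEFAULT_CREDS is an assumed list of vendor defaults.

```python
import re

# Constructed device configs in a simplified IOS-like syntax (not from the deck).
SAMPLE_CONFIGS = {
    "rtr-hq-1": """hostname rtr-hq-1
username cisco password 0 cisco
username bob password 0 bob""",
    "fw-dc-1": """hostname fw-dc-1
username svc password 0
ip access-list extended OUTSIDE_IN
interface GigabitEthernet0/0
 ip access-group OUTSIDE_IN in""",
}
DEFAULT_CREDS = {("cisco", "cisco"), ("admin", "admin")}  # assumed vendor defaults to flag

def parse_users(config):
    """Return {username: cleartext password} from 'username X password [type] Y' lines."""
    pat = r"^username\s+(\S+)\s+password(?:\s+[0-9](?=\s|$))?\s*(\S*)\s*$"
    return {m.group(1): m.group(2) for m in re.finditer(pat, config, re.M)}

def acl_rule_counts(config):
    """Count permit/deny entries per ACL, covering numbered and named ACLs."""
    counts, current = {}, None
    for line in config.splitlines():
        named = re.match(r"^ip access-list\s+(?:standard|extended)\s+(\S+)", line)
        numbered = re.match(r"^access-list\s+(\S+)\s+(?:permit|deny)\b", line)
        if named:
            current = named.group(1)
            counts.setdefault(current, 0)
        elif numbered:
            counts[numbered.group(1)] = counts.get(numbered.group(1), 0) + 1
        elif current and re.match(r"^\s+(?:\d+\s+)?(?:permit|deny)\b", line):
            counts[current] += 1
        elif line and not line[0].isspace():
            current = None  # any other top-level command ends the named ACL block
    return counts

def audit_device(name, config):
    """Return (device, item, finding) tuples for the finding classes above."""
    findings = []
    for user, pw in parse_users(config).items():
        if (user, pw) in DEFAULT_CREDS:
            findings.append((name, user, "default vendor credential"))
        elif pw == "":
            findings.append((name, user, "null password"))
        elif user.lower() == pw.lower():
            findings.append((name, user, "joe account (password equals user ID)"))
    counts = acl_rule_counts(config)
    for acl in re.findall(r"^\s*ip access-group\s+(\S+)", config, re.M):
        if counts.get(acl, 0) == 0:
            findings.append((name, acl, "access group applied with no policy rules"))
    return findings

def audit_all(configs=SAMPLE_CONFIGS):
    return [f for name, cfg in configs.items() for f in audit_device(name, cfg)]
```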

16. Security Posture Assessment—Communicating Results
The SPA Report
• Executive Summary: metrics for baseline studies, trending, and budget review
• Assessment Analysis: vulnerabilities discovered and data analysis
• Best Practices and Strategy: recommendations for mitigating risk

17. SPA Case Study—Fortune 125 Insurance Company
Requirements
• Protection of client financial portfolios
• Compliance with GLBA requirements
• No disruption of production financial systems
• Working knowledge of European privacy laws
Scope
• External posture assessment to identify vulnerabilities that allow outsiders to compromise client records
• Internal posture assessment to identify unauthorized employee access to sensitive information
Results
• Identified employees with unauthorized access to management information
• Identified extensive external vulnerabilities
• Improved skills of internal staff who participated in war games

18. Network Security Design Benefits
• Maintain an optimized security implementation
• Ensure fast recovery in case of disruption
• Reduce operating costs of security administration
• Avoid implementation problems
• Prepare for future deployment initiatives
• Identify deviations from best practices and policy

19. Applying Best Practices for Business Results
[Diagram: SAFE enterprise blueprint (© 2002, Cisco Systems, Inc.): campus modules (Management, Building, Server, Core, Distribution) and edge modules (Corporate Internet, E-Commerce, VPN/Remote Access, WAN) connecting to the ISP, CERT, PSTN, and FR/ATM.]

20. Tailoring SAFE from Cisco to Your Environment
Best Practice Security Blueprints for Implementing Integrated Network Security
Available Blueprints
• Enterprise
• Small Business
• ISP
• IPSec VPNs
• Voice
• Wireless (update)
• E-Commerce (update)
• Layer 2 Networks (new)
[Diagram: the SAFE enterprise blueprint modules shown on the previous slide.]

21. Designing an End-to-End Secure Network Infrastructure
Secure the Infrastructure
• Campus router and switch security
• Data center system and server security
• Firewall policy, placement, and design
• VPN and dialup remote access
• Secure WAN connections
• Corporate extranet security
Monitor and Respond
• Intrusion detection policy, placement and design
• Internet access monitoring
• Network attack mitigation
Manage and Improve
• Security and network management policy, placement and design

22. Network Security Design Review
• Review network security architecture and design (perimeter security, remote access, IDS, firewalls, VPNs, e-commerce, etc.)
• Identify architecture and design vulnerabilities
• Prioritize security requirements for network devices
• Recommend improvements to topology, components, functions, and features
• Recommend tools for managing network security

23. Network Security Design Development
• Identify and analyze network infrastructure vulnerabilities
• Define network security topology, components, and functions (perimeter security, remote access, IDS, firewalls, VPNs, e-commerce, etc.)
• Specify hardware and software requirements
• Develop sample configurations for protocols, policy, and features
• Recommend tools for managing network security

24. Network Security Design Development Methodology
Customer Input
• Security policy, goals and requirements
• Network topology, design, inventory
• Network device configuration
• Network services and business process
Cisco Methodology
• Understand security business goals, objectives, and requirements
• Identify threats to critical assets
• Map security requirements to network architecture
• Define security topology, components, and functions
• Deliver impact analysis of new requirements
• Provide preliminary and final gap analysis
• Deliver architecture/design document with network diagrams

25. Perimeter Security Architecture and Design
[Diagram: perimeter firewall placement across Corp HQ, the Internet service provider, small business/branch office Internet access, regional office, telecommuter Internet access, home access, ASP, data center and internal firewalls, and the server farm.]
Sample Firewall Policy Checklist
• As restrictive and simple as possible
• Authorization process for firewall changes
• Governed by separation of duties for approval and workflow
• Combines firewall tools to balance policy with throughput requirements
• Audit log for firewall administration
• Robust back-out and configuration management
• Test frequently with penetration tests and policy audits

26. User Authentication and Authorization Design
[Diagram: remote access VPN, site-to-site VPN, and traditional dial access servers (PSTN, analog dial from a remote site) entering the perimeter. At the VPN edge: allow only IPSec traffic, authenticate users, terminate IPSec; behind it, focused Layer 4–7 analysis and broad Layer 4–7 analysis, stateful packet filtering, and basic Layer 7 filtering.]

27. User Authentication and Authorization—Sample Best Practices
[Diagram: the remote access VPN, site-to-site VPN, corporate extranet, and dialup entry points of the previous slide, annotated with the practices below.]
• Individual user authentication
• Strong authentication using OTP or certificates
• No split tunneling to limit attacks
• Triple DES unless prevented by export laws
• Ingress filtering limited to the session protocols (IKE and ESP)
• Tunnels terminated in front of firewall
• Termination of network links on firewalled DMZs
• Encryption of access from the Internet
• Strong authentication for access from the Internet
• Limit communication to authorized hosts and services
• Identification and accreditation of all dialup services
• Individual accountability
• Strong authentication for remote users
• User access logging
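The VPN-edge rules above (ingress filtering, communication limited to authorized hosts, and only IKE and ESP allowed to the gateway that terminates tunnels in front of the firewall), modelled as an added example that is not from the deck; the address space, VPN_GATEWAY, and the traffic sample are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed addressing for the illustration (not from the deck).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
VPN_GATEWAY = ip_address("203.0.113.10")  # tunnels terminate here, in front of the firewall
UDP_PROTO, ESP_PROTO, IKE_PORT = 17, 50, 500  # IANA protocol numbers and the ISAKMP port

class Packet(NamedTuple):
    src: str
    dst: str
    proto: int
    dport: int = 0

def ingress_decision(pkt):
    """Decide (action, reason) for one packet arriving on the outside interface."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Ingress filtering: a source inside our own address space cannot arrive from the Internet.
    if any(src in net for net in INTERNAL_NETS):
        return ("deny", "spoofed internal source")
    # Limit communication to the one authorized host on this interface.
    if dst != VPN_GATEWAY:
        return ("deny", "destination not an authorized host")
    # Allow only the IPsec session protocols: ESP (IP protocol 50) and IKE (UDP/500).
    if pkt.proto == ESP_PROTO:
        return ("permit", "ESP")
    if pkt.proto == UDP_PROTO and pkt.dport == IKE_PORT:
        return ("permit", "IKE")
    return ("deny", "not IKE or ESP")

def apply_policy(packets):
    """Evaluate packets in order and return the resulting access log entries."""
    return [(pkt, *ingress_decision(pkt)) for pkt in packets]

# Constructed traffic sample: a legitimate IKE/ESP exchange plus three things the policy must drop.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "203.0.113.10", UDP_PROTO, IKE_PORT),
    Packet("198.51.100.7", "203.0.113.10", ESP_PROTO),
    Packet("10.1.2.3", "203.0.113.10", ESP_PROTO),                # spoofed internal source
    Packet("198.51.100.7", "203.0.113.10", 6, 22),                # TCP/22 straight at the gateway
    Packet("198.51.100.7", "203.0.113.20", UDP_PROTO, IKE_PORT),  # IKE to a non-authorized host
]

def permitted_count(packets=SAMPLE_TRAFFIC):
    """Number of packets the policy lets through; the rest show up as denies in the log."""
    return sum(1 for _, action, _ in apply_policy(packets) if action == "permit")
```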

28. Intrusion Detection Architecture and Design
Extranet IDS: monitors business partner traffic where “trust” is implied but not assured
Internet IDS: complements firewall and VPN by monitoring traffic for malicious activity
Intranet/Internal IDS: protects data centers and critical assets from internal threats
Remote Access IDS: hardens perimeter control by monitoring remote users
[Diagram: IDS sensors placed at the extranet, the Internet edge and DMZ servers, the data center, and the remote access NAS of a corporate office.]
Sample IDS Best Practices
• Test different intrusion profiles and alert/response methods
• Determine location and interoperability with network management consoles
• Tune for the environment to manage false alarms
• Test a combination of HIDS and NIDS positioning
• Test frequently with penetration tests and policy audits

29. Data Center Network Security Design
Threats to the data center: information theft, denial of service, unauthorized entry, data interception, unprotected assets
[Diagram: N-tier data center with front end network, web servers, application servers, DB servers, mainframe, IP Layer 2/3 and IP communications, and operations.]
Sample Data Center Security Best Practices
• Endpoint protection of hosts, servers and desktops
• Network-based intrusion detection for threat monitoring, analysis and prevention
• Firewalls for filtering traffic
• VPNs for secure communications between data centers
• Identity servers for strong authentication
• Management and monitoring of security devices, services and network activity

30. Architecture and Design Case Study—U.S. Government Institution
Requirements
• Provide security architecture and design recommendations based on national security policy
• Augment limited in-house expertise
• Identify vulnerabilities on a classified network
Scope
• Firewall and IPSec VPN design and configuration review for conformance with SAFE from Cisco®
• Security Design Review to identify nonconformance with security policy and Cisco best practices
Results
• Provided design recommendations prior to a major infrastructure upgrade
• Customer implemented firewall and VPN design in less time, with less costly redesign

31. Network Security Implementation Plan Review
• Understand the objectives, scope, and constraints of the deployment
• Analyze requirements for solution deployment, integration and management
• Review implementation plans including tasks, milestones, resources and schedule
• Analyze network staging, test, and installation plans, including topology, configurations, test scripts, and acceptance criteria
• Analyze and recommend hardware and software changes

32. Network Security Implementation Engineering
• Analyze solution test, installation, and integration strategy
• Develop implementation plan including tasks, milestones, and schedule
• Develop network staging plan including topology, configurations, test scripts, and acceptance criteria
• Analyze and recommend hardware and software changes
• Provide custom installation, configuration, testing, tuning and integration
• Deliver hands-on education and remote deployment support

33. Cisco Security Agent Implementation Service
Assess and plan for a sound CSA architecture and design: develop deployment strategy and plan
Build scalable, adaptable, easy-to-upgrade CSA solutions: identify requirements and deliver a design specification
Integrate CSA into the network infrastructure and application environment: deliver limited deployment with custom policies that meet solution requirements
Continually improve intrusion prevention solution: provide ongoing support for enterprise deployment

34. NAC Implementation Service
Plan for a sound NAC architecture and design: assess network operations and infrastructure to determine NAC readiness; install and test a limited deployment.
Build scalable, adaptable, easy-to-upgrade NAC solution: deliver NAC design specification detailing topology, device configurations, HW/SW upgrades, and management.
Integrate NAC into the network infrastructure: develop a deployment plan and provide onsite installation of a corporate-wide implementation.
Continually improve network admission control solution: provide ongoing/periodic consultation to optimize NAC for reliability, efficiency and scalability.

35. Network Security Optimization
• Define criteria for network security optimization
• Collect and analyze data for trends and exceptions
• Review network security component placement and configuration
• Provide recommendations for network and security component tuning
• Deliver impact analysis of new software, features and configuration
• Analyze and notify staff of network security advisories

36. Cisco Services Delivering Customer Satisfaction
[Diagram: Advisory Services, Advanced Services for Network Security, and Technical Support Services, delivered with world class partners.]

37. Cisco Advanced Services Deliver a Secure Network
Delivered Uniquely by Cisco®: knowledge transfer, people, best practices, process, tools, and partners, resulting in a secure corporate network
Customer Benefits
• Business Protection: reduce risk to business assets
• Lower TCO: optimize investment in secure network infrastructure
• Productivity: simplify and standardize operations