
CCIE Security 01

Published in: Technology

  1. CISCO Security Solution, Peter Cheong
  2. Fundamental Questions for Network Security: 1. What are you trying to protect or maintain? 2. What are your business objectives? 3. What do you need to accomplish these objectives? 4. What technologies or solutions are required to support these objectives? 5. Are your objectives compatible with your security infrastructure, operations, and tools?
  3. Fundamental Questions for Network Security: 6. What risks are associated with inadequate security? 7. What are the implications of not implementing security? 8. Will you introduce new risks not covered by your current security solutions or policy? 9. How do you reduce that risk? 10. What is your tolerance for risk? YOUR COMPANY NAME | LONG AND INTERESTING PRESENTATION TITLE | VERSION NO. XX | 06/06/2012
  4. Transformation of the Security Paradigm • Security is no longer about “products” • Scalability demands are increasing • Legacy endpoint security Total Cost of Ownership (TCO) is a challenge • Day zero damage
  5. Principles of Security—The CIA Model
  6. Policies, Standards, Procedures, Baselines, Guidelines. A security policy is a set of rules, practices, and procedures dictating how sensitive information is managed, protected, and distributed. In the network security realm, policies are usually point specific, which means they cover a single area. A security policy is a document that expresses exactly what the security level should be by setting the goals of what the security mechanisms are to accomplish. Security policy is written by higher management and is intended to describe the “whats” of information security.
  7. Examples of Security Policies. The sample list that follows covers some common policies that an organization should consider. • Acceptable use • Ethics • Information sensitivity • E-mail • Password • Risk assessment
  8. Relationships Among Security Policies, Standards, Procedures, Baselines, and Guidelines
  9. Security Models. An important element in the design and analysis of secure systems is the security model, because it integrates the security policy that should be enforced in the system. A security model is a symbolic portrayal of a security policy. It maps the requirements of the policy makers into a set of rules and regulations that are to be followed by a computer system or a network system. A security policy is a set of abstract goals and high-level requirements, and the security model is the do’s and don’ts to make this happen.
  10. Security Models • The Bell-LaPadula Model (BLM), also called the multilevel model, was introduced mainly to enforce access control in government and military applications. BLM protects the confidentiality of the information within a system. • The Biba model is a modification of the Bell-LaPadula model that mainly emphasizes the integrity of the information within a system. • The Clark-Wilson model prevents authorized users from making unauthorized modification to the data. This model introduces a system of triples: a subject, a program, and an object. • The Access Control Matrix is a general model of access control that is based on the concept of subjects and objects.
  11. Security Models • The Information Flow model restricts information in its flow so that it moves only to and from approved security levels. • The Chinese Wall model combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations. • The Lattice model deals with military information. Lattice-based access control models were developed in the early 1970s to deal with the confidentiality of military information. In the late 1970s and early 1980s, researchers applied these models to certain integrity concerns. Later, application of the models to the Chinese Wall policy, a confidentiality policy unique to the commercial sector, was developed. A balanced perspective on lattice-based access control models is provided.
  12. Perimeter Security. Opinions on perimeter security have changed a great deal over the past few years. Part of that change is that the very nature of perimeter security is becoming increasingly uncertain, and everyone has a different view of just what it is. The limits of the perimeter itself are becoming broad and extensive, with no geographic boundaries, and remote access is becoming part of the integral network.
  13. A Solid Perimeter Security Solution • A comprehensive perimeter security solution enables communications across it as defined by the security policy, yet protects the network resources from breaches, attacks, or unauthorized use. It controls multiple network entry and exit points. It also increases user assurance by implementing multiple layers of security. • The wide range of Cisco perimeter security solutions provides several levels of perimeter security that can be deployed throughout your network as defined by your security policy. These solutions are highly flexible and can be tailored to your security policy.
  14. Security in Layers. As discussed earlier, security in layers is the preferred and most scalable approach to safeguard a network. One single mechanism cannot be relied on for the security of a system. To protect your infrastructure, you must apply security in layers. This layered approach is also called defense in depth. The idea is that you create multiple systems so that a failure in one does not leave you vulnerable, but is caught in the next layer. Additionally, in a layered approach, the vulnerability can be limited and contained to the affected layer because of the applied security at varying levels.
  15. Multilayer Perimeter Solution. As stated previously, today’s solutions are shifting toward the approach of placing safeguard mechanisms at various layers of the network, not just at the boundary or edge devices. Today, it is recommended to deploy Intrusion Prevention System (IPS) devices on both the inside and outside boundaries of private networks. Firewalls, on the other hand, are placed between various business segments or departments within the same organization, dividing the network into logical groupings and applying perimeter defense at each segment or department. In this multiperimeter model, each segment can have different layers of defense within it.
  16. Multilayer Perimeter Solution. Effective perimeter security has become increasingly important over recent years. Perimeter security cannot be trusted to only the traditional defense mechanisms of firewalls and IDS. Web applications, wireless access, network interconnectivities, and VPNs have made the perimeter a much more complicated concept than it was a couple of years ago.
  17. Multilayer Perimeter Solution. A layered approach requires implementing security solutions at different spectrums of the network. Another similar concept is islands of security. To implement islands of security, do not restrict your thinking to perimeter security. Do not depend on just one method for your security. You should, instead, have layers of protection—perimeter, distribution, core, and access layer.
  18. Security Applied Across All Layers of the System
  19. The Domino Effect. The OSI reference model was built to enable different layers to work independently of each other. The layered approach was developed to accommodate changes in the evolving technology. Each OSI layer is responsible for a specific function within the networking stack, with information flowing up and down to the next subsequent layer as data is processed. Unfortunately, this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem.
  20. The Domino Effect
  21. Security Wheel
  22. Summary • This chapter gave an overview of network security and discussed the challenges of managing a secured network infrastructure. The chapter discussed how the security paradigm is changing and that security solutions today are no longer product based. Instead, they are more solution oriented and designed with business objectives in mind. • The chapter also discussed the core principles of security—the CIA triad of confidentiality, integrity, and availability—followed by a brief discussion of aspects of security policies: standards, procedures, baselines, guidelines, and various security models. The chapter takes a detailed look at the perimeter security issue and the multilayered security approach. The chapter concludes with the Cisco security wheel paradigm involving five cyclical steps.
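
The Bell-LaPadula and Biba models from the Security Models slides, sketched as an added example that is not part of the original deck. The read/write rules are the standard statements of the two models (the slides do not spell them out), and the level names, compartments, subject and objects are constructed for illustration; reusing one label lattice for both models is an assumption made to show how the rules mirror each other.

```python
from dataclasses import dataclass

# Constructed ordering of sensitivity levels (assumption, not from the slides).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice ordering: at least as high a level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def blp_allows(subject, obj, action):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if action == "read":
        return subject.dominates(obj)   # simple security property
    if action == "write":
        return obj.dominates(subject)   # *-property
    raise ValueError(f"unknown action: {action}")

def biba_allows(subject, obj, action):
    """Biba (integrity): no read down, no write up (labels read as integrity levels)."""
    if action == "read":
        return obj.dominates(subject)
    if action == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown action: {action}")

def decision_table(subject, objects):
    """Map (object name, action) -> (BLP decision, Biba decision)."""
    return {(name, action): (blp_allows(subject, label, action),
                             biba_allows(subject, label, action))
            for name, label in objects.items()
            for action in ("read", "write")}

# Constructed sample subject and objects.
ANALYST = Label("secret", frozenset({"crypto"}))
OBJECTS = {
    "memo": Label("unclassified"),
    "plan": Label("secret", frozenset({"crypto"})),
    "dossier": Label("top_secret", frozenset({"crypto"})),
    "reactor": Label("secret", frozenset({"nuclear"})),
}

if __name__ == "__main__":
    for key, (blp, biba) in decision_table(ANALYST, OBJECTS).items():
        print(key, "BLP:", blp, "Biba:", biba)
```

The "reactor" object shows the lattice case: its label is incomparable with the subject's, so both models deny both actions.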