Building Up Network Security
Catherine Paquet, MBA (MIS)
CCSI, CICSI, CCNP Sec, CCNP R&S
© Global Knowledge Training LLC. All rights reserved. 7/22/2015 Page 2
About the presenter - Catherine Paquet
- Cisco security instructor
- Cisco Press author
- Cisco Systems emerging countries guest speaker
- Graduate of Royal Military College and York University
- Previously: DND WAN Manager
- Lives in Toronto
Topics: Building Up Network Security
- Current state of Network Security
- Firewall
- IPS and Sourcefire
- Identity Services and Cisco ISE
- Network Access Control
- Guest Services and BYOD
- Profiling and Posturing
- VPN and Site-to-Site
- Remote Access VPN and AnyConnect
- Email and Web Security
State of Network Security
Facts
Evolution
ROSI
Topology
Facts
Cisco Annual Security Report 2015: Findings
- Users unknowingly aiding cyber attacks
- Email exploits
  - 250% increase in spam and malvertising exploits
  - Snowshoe Spam: low volumes of email from a large set of IP addresses
- Web exploits
  - Less common kits used
  - Malicious combinations: exploit split over two files, ex: Flash + JavaScript
Source: www.cisco.com/go/securityreport
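The snowshoe pattern named above is invisible to a per-IP reputation check, because each IP sends only a handful of messages; it stands out once messages are aggregated per sender domain across all connecting IPs. The Python below is an added, constructed illustration of that detection logic over sample gateway log lines; it is not Cisco ESA code, and the log format, domains, RFC 5737 test addresses and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Simplified, constructed gateway log format: "<timestamp> ip=<src> from=<sender>".
LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+from=(?P<from>\S+)")

# Campaign A (constructed snowshoe run): one message each from 12 IPs spread over four /24s.
_SNOWSHOE_IPS = [
    "203.0.113.5", "203.0.113.77", "203.0.113.130",
    "198.51.100.9", "198.51.100.41", "198.51.100.200",
    "192.0.2.15", "192.0.2.88", "192.0.2.201",
    "100.64.7.3", "100.64.7.64", "100.64.7.210",
]
# Campaign B (constructed legitimate newsletter): 12 messages from one IP.
_NEWSLETTER_IP = "203.0.113.250"

SAMPLE_LOG = "\n".join(
    [f"2015-07-22T09:{i:02d}:00 ip={ip} from=promo@deals.example"
     for i, ip in enumerate(_SNOWSHOE_IPS)]
    + [f"2015-07-22T10:{i:02d}:00 ip={_NEWSLETTER_IP} from=news@corp.example"
       for i in range(12)]
    + ["2015-07-22T11:00:00 ip=192.0.2.40 from=alice@partner.example",
       "2015-07-22T11:05:00 ip=192.0.2.41 from=alice@partner.example",
       "2015-07-22T11:06:00 garbage line that does not parse"]
)


def parse(log_text):
    """Yield (sender_domain, ip) per parseable line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or "@" not in m.group("from"):
            continue
        yield m.group("from").rsplit("@", 1)[1].lower(), m.group("ip")


def aggregate(log_text):
    """Per sender domain: message count, distinct source IPs and distinct /24 networks."""
    stats = defaultdict(lambda: {"msgs": 0, "ips": set(), "nets": set()})
    for domain, ip in parse(log_text):
        try:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
        except ValueError:
            continue  # unparseable address: ignore rather than abort the run
        s = stats[domain]
        s["msgs"] += 1
        s["ips"].add(ip)
        s["nets"].add(net)
    return stats


def is_snowshoe(s, min_msgs=10, min_ips=8, max_msgs_per_ip=1.5, min_nets=3):
    """Many IPs, few messages per IP, spread over several networks (thresholds constructed)."""
    if s["msgs"] < min_msgs or len(s["ips"]) < min_ips:
        return False
    return s["msgs"] / len(s["ips"]) <= max_msgs_per_ip and len(s["nets"]) >= min_nets


def classify(log_text):
    """Return {sender_domain: "snowshoe" | "normal"} for every domain seen in the log."""
    return {d: ("snowshoe" if is_snowshoe(s) else "normal")
            for d, s in aggregate(log_text).items()}


if __name__ == "__main__":
    for domain, s in aggregate(SAMPLE_LOG).items():
        print(f"{domain:16} msgs={s['msgs']:3} ips={len(s['ips']):3} "
              f"nets={len(s['nets']):2} -> {classify(SAMPLE_LOG)[domain]}")
```

The newsletter sends the same volume as the campaign but from one address, so only the per-domain spread distinguishes the two.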
Cisco Annual Security Report 2015 - Actions
- Security must:
  - support the business
  - work with existing architecture – and be usable
  - be transparent and informative
  - enable visibility and appropriate action
  - be viewed as a "people problem"
Source: www.cisco.com/go/securityreport
Evolution of Security Philosophy
Recent Shift in Security Approach
- Past → role-based control
- Present → rule-based control
CONTEXT
Who, What, Where, When, How
CONTEXT IS EVERYTHING
- Who: Jane Doe, member of the sales group
- What: Corporate laptop
- Where: HQ 2nd floor
- When: July 16th, 2016 at 13:27
- How: Wired Ethernet with 802.1X
IF ..., THEN ..., and sometimes, ELSE ...
Policy conditions: User, Custom Location, Device Type, Time, Posture, Access Method
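As an added illustration (not Cisco ISE code and not from the original deck), the Python below models the IF ..., THEN ..., ELSE evaluation over the context attributes just listed: an ordered rule list where the first matching rule sets the authorization result and the last rule is the ELSE. The session values, rule names and authorization profile names are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import Callable


@dataclass(frozen=True)
class Session:
    """Context gathered for one access request; every value is constructed."""
    user: str
    groups: frozenset           # who
    device_type: str            # what, as learnt by profiling (e.g. "Corporate-Laptop")
    location: str               # where
    when: datetime              # when
    access_method: str          # how: "wired-802.1X", "wireless-802.1X", "MAB" or "CWA"
    posture: str = "unknown"    # "compliant", "non-compliant" or "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str                 # hypothetical authorization profile to apply


def office_hours(s: Session) -> bool:
    """Time condition, 07:00-19:00 (constructed; the deck's example is 13:27)."""
    return time(7, 0) <= s.when.time() <= time(19, 0)


# Ordered list, first match wins; the last entry is the ELSE (default) rule.
POLICY = [
    Rule("Quarantine-NonCompliant",
         lambda s: s.posture == "non-compliant",
         "Quarantine-VLAN"),
    Rule("Sales-Corp-Laptop-Wired",
         lambda s: "sales" in s.groups
         and s.device_type == "Corporate-Laptop"
         and s.location.startswith("HQ")
         and s.access_method == "wired-802.1X"
         and s.posture == "compliant"
         and office_hours(s),
         "Employee-Full-Access"),
    # Profiling-driven rule: the learnt device type decides, posture is not required.
    Rule("Tablets",
         lambda s: s.device_type == "Apple-iPad"
         and s.access_method.endswith("802.1X"),
         "Tablets-Internet-Only"),
    Rule("Guest-CWA",
         lambda s: s.access_method == "CWA",
         "Guest-Internet-Only"),
    Rule("Default-Deny", lambda s: True, "Deny-Access"),
]


def authorize(session: Session, policy=POLICY) -> tuple:
    """Return (matched rule name, authorization result) for one session."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    return "No-Match", "Deny-Access"   # fail closed if a policy has no ELSE rule


# Constructed sessions: the deck's Jane Doe example plus variations of its context.
JANE = Session("jdoe", frozenset({"sales"}), "Corporate-Laptop", "HQ-2F",
               datetime(2016, 7, 16, 13, 27), "wired-802.1X", "compliant")
JANE_AFTER_HOURS = replace(JANE, when=datetime(2016, 7, 16, 22, 5))
JANE_NONCOMPLIANT = replace(JANE, posture="non-compliant")
IPAD = Session("jdoe", frozenset({"sales"}), "Apple-iPad", "HQ-2F",
               datetime(2016, 7, 16, 13, 27), "wireless-802.1X")
GUEST = Session("visitor", frozenset(), "Unknown", "HQ-Lobby",
                datetime(2016, 7, 16, 13, 27), "CWA")

if __name__ == "__main__":
    for s in (JANE, JANE_AFTER_HOURS, JANE_NONCOMPLIANT, IPAD, GUEST):
        rule, result = authorize(s)
        print(f"{s.user:8} {s.device_type:16} {s.access_method:16} -> {rule}: {result}")
```

Changing a single attribute (time of day, posture) moves the same user and device to a different rule, which is the point of rule-based rather than role-based control.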
Terminology
Glossary
AAA: Authentication, Authorization, Accounting
AD: Active Directory
AES: Advanced Encryption Standard
AMP: Advanced Malware Protection
AP: Access Point
ASA: Adaptive Security Appliance (firewall)
BYOD: Bring Your Own Device
CDA: Cisco Directory Agent
CWA: Centralized Web Authentication
DES: Digital Encryption Standard
DHCP: Dynamic Host Configuration Protocol
DMZ: Demilitarized Zone
DART: Diagnostic And Reporting Tool AnyConnect
DC: Domain Controller
ESA: Email Security Appliance
FSMC: FireSIGHT Mgmt Center (formerly SFDC)
IDS: Intrusion Detection System
IP: Internet Protocol
IPS: Intrusion Prevention System
ISE: Identity Services Engine
ISR: Integrated Services Router
LAN: Local Area Network
LDAP: Light Directory Access Protocol
MAB: MAC Authentication Bypass
MAC: Media Access Control
Malvertising: Malware hidden in advertisement
MD5: Message Digest 5
MDM: Mobile Device Management
NAC: Network Admission Control
NAD: Network Access Device
NIC: Network Interface Card
NGFW: Next Generation Firewall
NGIPS: Next Generation IPS
PKI: Public Key Infrastructure
RADIUS: Remote Authentication Dial-In User Service
ROI: Return on Investment
ROSI: Return on Security Investment
SaaS: Security-as-a-Service
SAML: Security Assertion Markup Language
SSID: Service Set Identifier
SF: Sourcefire
SFDC: Sourcefire Defense Center
SHA: Secure Hash Algorithm
SIO: Security Intelligence Operations (Cisco)
SSL: Secure Session Layer
SYN: Synchronization flag and stage of TCP
TALOS: Cisco SIO + Sourcefire VRT
TCP: Transmission Control Protocol
VPN: Virtual Private Network
VRT: Vulnerability Research Team (Sourcefire)
WAN: Wide Area Network
WLAN: Wireless Local Area Network
WLC: Wireless LAN controller
WMI: Windows Management Instrumentation
WSA: Web Security Appliance
Security Roadmap
Topology
Firewall
Most Bang for Your Buck: The Firewall
[Chart: risk versus security expenditure ($) for Basic, Moderate and Comprehensive control sets; the gap that remains at each level is the residual risk]
More on the subject of synergistic controls:
The Business Case for Network Security: Advocacy, Governance, and ROI
By Catherine Paquet, Cisco Press, 2005. ISBN-10: 1-58720-121-6
ASA Firewall Capabilities
- Stateful Firewall with AIC
- Botnet detection
- IPS built-in capability with service module
- SYN flood protection
- Scanning threat detection and prevention
- Decryption and inspection of specific protocols
- Modular Policy Framework
- Remote-Access VPN: IPsec and SSL
- Site-to-Site VPN
- Identity-Based Firewall
- DHCP server and client
- Dynamic Routing
- Static Route Tracking
- Transparent and Routed modes
- Redundant interfaces
- EtherChannel
- Multimode aka virtualization
- Clustering
- Strong management with AAA
- OOB Management
- Failover
- Zero Downtime Upgrade
Intrusion Prevention Systems
Sourcefire
Sourcefire Acquisition
- Mid-2013
- $2.7B
- Hardware and software
- Based on Snort IPS
- File thumbprints, sandboxing
- Protection beyond point-in-time
- Visibility through dashboards
- Analysis of behaviours
- Containment
- Martin Roesch created Snort, an open-source IDS, in 1998 and founded Sourcefire in 2001
Integrated and Standalone Platforms
- AMP appliance
- ASA module
- ESA
- WSA
- CWS
- AMPfire (Desktop: AnyConnect 4.1 AMP Enabler)
Cisco AMP 8140 (hardware)
Cisco WSA with AMP (software)
HQ-ASA# show module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: FCH180278XU
Cisco ASA with Sourcefire (software)
The Sourcefire Advantage
- AMP* everywhere, with real before, during, after
* Advanced Malware Protection
Sourcefire Visibility and Management
- FireSIGHT Management Center*
* formerly Sourcefire Defense Center
Network File Trajectory
Identity Services
ISE
ISE Capabilities
- Authentication*
  - 802.1X
  - MAB
  - Web Authentication
- Authorization*
  - Guest Services
  - BYOD
  - MDM
  - Profiling
  - Posturing
  - CA server
* ISE is a RADIUS server
Source: Cisco Blog > Security > BYOD Presentations at Cisco Live Cancun 2012
Network Access Control
802.1X / MAB
Web Authentication
Authentication and Authorization: ISE RADIUS server
ISE
802.1X / MAB Authentication
Centralized Web Authentication
Source: Cisco Identity Services Engine User Guide, Release 1.2
Guest Services and BYOD
Guest Services
Guests: Access to Internet
ISE
BYOD: For employees not visitors
Source: Cisco SISE 1.1 Courseware
Before BYOD:
With BYOD - Onboarding:
ISE recognizes that an employee has authenticated against AD through the Guest Portal, then:
1. CA Certificate installation
2. Device Registration
3. Certificate Enrollment
4. Wi-Fi Profile installation
Profiling and Posturing
Advantages of Profiling
- Discover and locate endpoints
- Maintain a learnt inventory
- Determine endpoint capabilities and identity group
- Attributes are used in authentication and authorization conditions
Source: Cisco SISE 1.1 courseware
Profiling
If Device: Apple-iPad, then apply Authorization Policies: Tablets
Source: Cisco SISE 1.1 courseware
Profiling Results: Endpoints database in ISE
ISE Posturing policies
- Provisioning
- Posturing
MDM: Posturing for Mobile Devices
Source: Cisco Identity Services Engine Administrator Guide, Release 1.4
VPN
Site-to-Site
VPN
- Confidentiality: Encryption
  - AES
  - 3DES
- Integrity: Hashing
  - MD5
  - SHA
- Authenticity: Authentication
  - Pre-shared Key
  - PKI
VPN Technologies
- Site-to-Site: IPsec*
- Remote Access
  - IPsec
    - VPN Client (legacy)
    - AnyConnect**
  - SSL
    - Client: AnyConnect
    - Clientless: Port Forwarding, Plug-ins, Smart Tunnels, Thin client
* On Cisco Routers, Site-to-Site VPN can also be achieved with DMVPN and GET VPN
** AnyConnect 3.x offers IPsec IKEv2
Site-to-Site VPN
Source: Cisco SIMOS courseware
Remote-Access VPN
AnyConnect
What comes to mind when you hear AnyConnect?
- SSL VPN
- IPsec
AnyConnect replaces:
- VPN Client
- Secure Services Client
- AnyWhere+
- NAC Agent
- Host Scan
- Phone Home
- DART
- AMP*
- Cloud Web Security
- Network Access Manager
- ISE Posture (NEW: next slide)
* Released with AnyConnect 4.1
AnyConnect for ISE Posture
- No need for a NAC client anymore
Email and Web Security
Cisco and Email/Web Security
- Cisco is not commonly known for a focus on proxies
- In 2007, Cisco paid $830M for IronPort Application Security Gateways:
  - Email Security Appliance
  - Web Security Appliance
The Artist Formerly Known as: IronPort
- So, why pay so much for a server?
- SenderBase – Reputation Score
SensorBase
SIO
TALOS
Hygiene Pipeline of Cisco ESA
Source: Cisco SESA 2.1 courseware
Web Security
- Old adage: HTTP is the new TCP
- Many applications and services now run on top of HTTP and HTTPS
- Filtering and inspecting web traffic is becoming a requirement:
  - Compliance
  - Peace of mind
WSA Acceptable Usage Policies
- URL filtering
- Anti-malware security
- Bandwidth controls
- Application controls
- Identity-based security
- HTTPS inspection
- Data Loss Protection
- SaaS Access Control
Q & A
Conclusion
Cisco Security Courses
- CCNA Security e-Camp
- IINS - Implementing Cisco IOS Network Security
- SAEXS - Cisco ASA Express Security
- SENSS - Implementing Cisco Edge Network Security Solutions
- SIMOS - Implementing Cisco Secure Mobility Solutions
- SISAS - Implementing Cisco Secure Access Solutions
- SITCS - Implementing Cisco Threat Control Solutions
- ASA Lab Camp v9.0
- SASAA - Implementing Advanced Cisco ASA Security
- SASAC - Implementing Core Cisco ASA Security
- ACS - Cisco Secure Access Control System
- SISAS - Implementing Cisco Secure Access Solutions
- SISE - Implementing and Configuring Cisco Identity Services Engine
- SESA - Securing Email with Cisco Email Security Appliance
- SWSA - Securing the Web with Cisco Web Security Appliance
- Cisco FirePOWER Services and Cloud Web Security Workshop v1.0
- SSFAMP - Securing Cisco Networks with Sourcefire FireAMP Endpoints
- SSFIPS - Securing Cisco Networks with Sourcefire Intrusion Prevention System
- SSFRULES - Securing Cisco Networks with Snort Rule Writing Best Practices
- SSFSNORT - Securing Cisco Networks with Open Source Snort
Sources
- Cisco Security Blog
- Cisco SAFE Design Guide
- Cisco Identity Services Engine User Guide
- Cisco PKI Service for Large Scale IPsec Aggregation Design Guide
- Cisco Live presentations (CCO login required)
  - BRKSEC-1030 San Diego 2015
- Cisco courseware SIMOS / SISE / SESA / SWSA / SASAA / SASAC
GK Cisco Training Exclusives
- 6 months of:
  - Anytime access to Cisco Practice Labs
  - Anytime access to Boson Practice Exams
  - On-demand access to searchable class recordings of your virtual class
- Unlimited retakes of your class
- Free Cisco Certification Exam Voucher
Find Out More
www.globalknowledge.ca
On-demand & live webinars, white papers, blog...
www.globalknowledge.ca/security
Courses
