View
4
Download
0
Category
Preview:
Citation preview
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Cisco Intrusion Prevention Solution Overview
Barbara FraserCorporate Consulting Engineering
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 2
Today’s Discussion
Introduction, Context and Vision1
Cisco IPS Product Portfolio2
Cisco IPS Solution Update3
IPS Application Examples4
Management and Signature Services5
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 3
The Evolution of IntentFrom Hobbyists to Professionals
Threats Becoming Increasingly Difficult to Detect and Mitigate
Thre
at S
ever
ity
1990 1995 2000 2005 What’s Next?
Testing the Waters:Basic Intrusions and Viruses
Financial:Theft and Damage
Fame:Viruses and Malware
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 4
The Result: The Growing Costs of SecurityDisruption, Loss, and Damage
Disruption Affects Productivity (the CIO Problem)• Employee Disruption and Application Outages• Business Process Downtime
Loss Impacts Value (the CFO Problem)• Risk and Liability Management• (Non) Compliance Costs
Damage Affects Reputation (the CEO Problem)• Customer Satisfaction and Retention• Investor and Partner Confidence
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 5
One Recent Survey
Security technologies used by respondents:
98% anti-virus software
97% firewall technology
69% intrusion detection
47% intrusion prevention
Source: 2007 CSI/FBI Computer Crime and Security Survey
52% experienced a breach!
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 6
Reducing the Grey: Uncertainty Equals Risk and Cost
Inefficient;Highly Manual
Efficient OperationsEffective Security
GOOD: Allow
RELEVANT: Pass and Log
SUSPICIOUS: Pass and Alarm
BAD: Block
GOOD: Allow
Relevant: Pass and Log
Suspicious: Pass and Alarm
BAD: Block
NACTraffic Shaping
IPS
IPS,Anti-X, DDoS,
Firewall
Monitoring & Correlation
Self-Defending Network
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 7
• Modular inspection engines: Rapid response with minimal downtime
• Behavioral anomaly detection: Protects against day-zero attacks
• Dynamic risk-based threat rating: Adapt threats policy in real time
• IPS integrated into the fabric of the network
• The most diverse line of IPS sensors: The right tool for the right job, anywhere in the network
• Built on Cisco security and network intelligence
Monitoring, Correlation,
and Response
Cisco Security AgentCisco Security AgentInternet Intranet
Day-Zero Endpoint
Protection
Branch Protection Converged
Perimeter Protection
Integrated Data Center Protection
Server Protection
Policy-Based Solution
Management
Cisco Intrusion Prevention Strategy Comprehensive Threat Protection for the SDN
Adaptive• Greater confidence through
on-box and networkwide correlation
• Greater visibility and effectiveness through network and endpoint collaboration
• Reduced operational costs with a common, solution-based management interface
CollaborativeIntegrated
Cisco® Security Agent
Cisco Security ManagerCisco Catalyst®
Services Modules
Cisco Integrated Services Routers
Cisco ASA 5500 Adaptive Security
ApplianceCisco
SecurityMARS
Cisco IPS 4200 Series
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 8
Today’s Discussion
Introduction, Context and Vision1
Cisco IPS Product Portfolio2
Cisco IPS Solution Update3
IPS Application Examples4
Management and Signature Services5
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 9
Cisco IPS Product Portfolio
IOS IPSAIM-IPS
Small Medium-sized Large
Organization Size
ASA5510-AIP10ASA5520-AIP10
ISR
ASA5520-AIP20ASA5540-AIP20
IPS 4215
IPS 4240IPS 4255
IPS 4260
ASA 5500
Series
IPS 4200
Series
Catalyst 6500
Appliance
Switch-Integrated
Branch
UTM
IPS 4270
IDSM2
Catalyst 6500 IDSM2 bundle
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 10
• Protecting media-rich environments
4 Gbps of protection for Web content, video, data replication, and other media-rich environments
• Protecting transactional environments
2 Gbps and 20,000 transactions per second of protection for e-Commerce, voice, IM, and other transactional environments
• Protecting the data center High-density interface support that brings high-performance IPS to the data center
New Cisco IPS 4270 SensorRelentless Performance for the Human Network
New High-Performance
IPS from the IPS Market Leader
Source: Infonetics Q2CY07 Network IDS/IPS Market ShareCisco IPS has been Number 1 market share holder for 4 consecutive quarters
New!
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 11
Cisco ASA 5500 Series IPS Edition
Cisco ASA 5500 Series IPS Edition
ASA 5510-AIP10150 Mbps
AIP SSM-10
ASA 5520-AIP10225 Mbps
ASA 5540-AIP20450 Mbps
AIP SSM-20
Cisco AIP-SSM Modules
Product Highlights• Integrated Firewall and IPS• Complete IPS feature set• Ease of management • Comprehensive, timely Signature coverage
Benefits• Ease of deployment• Ease of manageability• Highest security protection• Investment protection
ASA 5520-AIP20375 Mbps
#1 Market Share in both Firewall and
IPS
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 12
Flexible Deployment: IPS Throughout the Environment
Holistic network security solutionIPS at all points in the network ASA integration (FW and IPS)Branch-office integration (Cisco ISR)Common Policy ManagementComprehensive, timely signature coverage
IP WAN
RouterCSM, CS-MARS
CM
IPS
ASA (Firewall + IPS)
Switch+ IPS
Data and voice network
Data Center
Management
FW Router
Large Branch
Small Branch
Headquarters
ASA (Firewall + IPS)
ASA (Firewall
+ IPS)
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 13
Today’s Discussion
Introduction, Context and Vision1
Cisco IPS Product Portfolio2
Cisco IPS Solution Update3
IPS Application Examples4
Management and Signature Services5
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 14
Cisco Intrusion Prevention ServicesIntelligent Detection
Vulnerability and Exploit specific SignaturesTraffic and Protocol Anomaly DetectionHeuristics (Statistical based algorithms)Knowledge base Anomaly Detection
Precision ResponseRisk Management-based PolicyOn-box Correlation through Meta Event Generator “Trustworthiness” Linkages with the Endpoint
Flexible DeploymentPassive and/or Inline with Flexible Response (IDS/IPS) Sensor VirtualizationPhysical and logical (VLAN) interface supportSoftware and Hardware bypass
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 15
Cisco IPS ArchitectureIntelligent Detection and Precision Response
Forensics Capture
• Before Attack• During Attack• After Attack
Modular Inspection
Engines
• Vulnerability• Exploit• Behavioral Anomaly• Protocol Anomaly
Signature Updates
Engine Updates
Cisco Threat Intelligence Services
Risk-based Policy Control
• Calibrated “Risk Rating”computed for each event
• Event Action policy based on risk categories (e.g. High / Med / Low)
• Filters for known benign triggers
Attack De-obfuscation
• Normalize inbound traffic to remove attempts to hide an attack
On-box Correlation
Engine
• Meta Event Generator for event correlation
Mitigation and Alarm
• “Threat Rating” of event indicates level of residual risk
Virtual Sensor Selection
• Traffic directed to appropriate virtual sensor by interface or VLAN
IN OUT
Context Data
Network Context
Information
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 16
• AIM/ICQ• AOL• MSN• Sametime• Yahoo• BitTorrent• Kazaa• eDonkey• Jabber
• Blaster• Nimda• Sasser• Code Red• Slammer• Backdoor Frenzy• Backdoor Beast• Backdoor Ghost• Backdoor Illusion• Backdoor Trojan Spirit• Backdoor Beast• Fatso Worm• Kelvir Worm
Adware/Spyware
Reconnaissance
Worm/Virus/Trojan P2P/IM
Cisco IPS Intelligent Detection Capabilities:Vulnerability and Exploit-based Signatures
DDOS/DOS
Secure Voice
Web Server
Email• POP• IMAP• SMTP• Microsoft Exchange
• ICMP host sweeps• TCP Port Sweeps• TCP/UDP Combo
Sweeps• UDP Port Sweeps
• ICMP/UDP/TCP Floods
• Perfect Keylogger Activity• Hotbar Activity
• SIP• H323• H225
• Apache• Internet Information Server (IIS)Network, L2/3/4• BGP• DHCP• DNS• TCP/UDP• IP• IP Fragment
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 17
Anomaly detection algorithms to detect and stop Day-Zero threats Real-time learning of normal network behaviorAutomatic detection and policy-based protection from anomalous threats to the networkResult: Protection against attacks for which there is no signature
Internet
Real-Time Anomaly Detection for Day Zero Threats
Traffic conforms to baseline
Traffic conforms to baseline
Anomalous activity detected, indicating potential zero-day attack!
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 18
Real-Time Risk-based PolicyRisk Rating and IPS Policy
Event Severity
Signature Fidelity
Attack Relevancy
Asset Value of Target
Urgency of threat?
How Prone to false positive?
Important to attack target?
How critical is this destination host?
= Risk Rating
++
+
Risk Rating IPS Policy Action
RR < 34 Alarm
RR >35 and < 84
Alarm and Log Packets
RR > 85 Deny Attacker
= IPS Policy Action
A quantitative measure of each threat before IPS mitigation
Network Context
What additional risk information is available?+
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 19
Network ScannerA
Windows Server Linux ServerNot Vulnerable
Filter EventVulnerable
Increase Risk Rating
Event / Action FilteringMonitoring Console:
Non-relevant events filteredAttacker initiates IIS attack destined for servers
Attack target contextual information used to refine security responseContextual information gathered through:
Passive OS fingerprinting Static OS mapping for exception handlingCSA Linkages
Dynamic Risk Rating adjustment based on attack relevanceResult: More appropriate and effective security response actions
Endpoint Attack Relevance VisibilityIncreasing the Fidelity of Risk-based Policy
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 20
Cisco Security Agent (CSA) provides data on suspicious hosts through Watch List (Network Context)IPS Sensor risk sensitivity increased dynamically for suspicioushosts (risk rating increase)Result: Improved risk management
1. Attacker tries to brute force attack an internal server
2. CSA blocks the attack and adds attacker to its watchlist
3. CSA collaborating with Cisco IPS is able to dynamically elevate the Risk Rating threshold for attacks coming from the attacker
4. Future attacks from hacker are blocked at the IPS device
Network-Endpoint CollaborationIncreasing the Fidelity of Risk-based Policy
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 21
A quantitative measure of each threat after IPS mitigation
• High risk attacks that have been denied no longer require urgent operator attention
• Prioritize incident response on Events with high Residual Risk
Example:• Event 2: Very high Risk Rating, but denied by policy
Low urgency, low Threat Rating• Event 4: Quite high Risk Rating, but not high enough
to deny Higher urgency and Threat Rating
Result: Increased efficiency of response and productivity of operations by automatic prioritization of high risk incidents
Threat RatingPrioritize Incident Response Efforts by Residual Risk
IPS Policy:RR > 85 Deny Attacker
0
10
20
30
40
50
60
70
80
90
100
1 2 3 4 5Event Number
Risk Rating Threat Rating
85
Risk measurement is updated based on IPS policy actions
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 22
Virtualized Sensor 1:Interface 1 + 2
Virtualized Sensor 2:Interface 3 + 4
Customized policy on Virtual Sensors based on Interface groupings
Flexible Context Definitions: Ability to define virtualized sensors based on physical interface and VLAN groupingsAssignment of Custom Signature / Policy Settings & response actions to each virtualized sensor
Customized policy on Virtual Sensors based on VLAN groupings
VLAN 1
VLAN 2
VLAN 3
VLAN 4Virtualized Sensor 1
Virtualized Sensor 2
Flexible Deployment: Sensor VirtualizationVirtualize Both Policy and Sensor State
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 23
Today’s Discussion
Introduction, Context and Vision1
Cisco IPS Product Portfolio2
Cisco IPS Solution Update3
IPS Application Examples4
Management and Signature Services5
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 24
Cisco High-Performance IPS Applications:Wireless Intrusion Prevention
• Protect the enterprise from wireless usersHigh-performance IPS helps protect at WLAN speeds for guest users’ and employees’ infected computers.
• Selectively block malicious trafficCisco IPS inspection services help enable accurate protection from wireless traffic.
• Remove repeat offenders from the networkCisco IPS and Cisco WLAN Controllers work collaboratively to detect attackers from Layer 2 to Layer 7, and remove repeat offenders from the network.
Cisco WLAN Controller
Cisco Access Point
Cisco High-Performance IPS
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 25
Securing Cisco Unified Communication Manager and Phones with Cisco IPS
In-line inspection of voice and video traffic
Protect Infrastructure that Voice runs on: Protect Call Management infrastructure from attackReal-time anomaly detection for day zero threatsDrop calls that are coming from IP addresses identified on the Cisco Security Agent “watch list”
Complements firewall application inspection technologyCisco IPS’ Risk-based Policy enables easy management of IPS by non-experts
Protection against• Application Misuse• DoS/Hacking• Known Attacks• Zero-day Attacks• Viruses/worms, spyware
infecting traffic
Legitimate traffic
Firewall IPS
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 26
Cisco ASA 5500 with IPS: Threat Protected VPN Protecting the VPN Threat Vector
ASA 5500
Worm/Virus
UnwantedApplication
Spyware
Illegal Access
Exploit
Remote AccessVPN User
Threat MitigationMalware DetectionWorm DetectionSpyware Detection
Application Firewall and Access ControlApplication Inspection/ControlGranular, Per-User/Group Access ControlProtocol Anomaly DetectionStateful Traffic Filtering
Accurate EnforcementReal-Time CorrelationRisk RatingAttack DropSession Removal and Resets
Comprehensive Endpoint SecurityPre-Connection Posture AssessmentMalware MitigationSession/Data SecurityPost-Session Clean-Up
Leverages Depth of Threat Defense Features to Stop Malicious Worms, Viruses, and More…and Without External Devices or Performance Loss!
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 27
Today’s Discussion
Introduction, Context and Vision1
Cisco IPS Product Portfolio2
Cisco IPS Solution Update3
IPS Application Examples4
Management and Signature Services5
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 28
Interface Status
Alert Counts
SystemResources
Device Information
Alert Profiles
Small Deployment Management and Troubleshooting: IPS Device Manager
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 29
CustomizableReporting
Visibility into applied Response
Actions, Virtual Sensor ID, Learned DST OS & Threat
Rating
Tunable Notification Actions
Support for IPSv6 through SDEE compatibility
Small Deployment Robust Monitoring and Event Viewing: IPS Event Viewer
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 30
Cisco Security Mars
Cisco Security Management Suite
Integration to Cisco Secure Access Control ServerRole-based access controlPrivilege-based access to management functionality
With the context of auditing services
Rapid Threat Identificationand Mitigation
Topology Awareness
Data Correlation
Cisco Security Manager
Simplified Policy Administration
End-to-EndConfiguration
Network-Wide or Device-Specific
ConfigurationProvisioning
MonitoringAnalysis
Mitigation
Self-Defending Network
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 31
Updated signature package
Vulnerabilities& Threats Follow-the-Sun Research:Extensive around the clock research capability gathers, identifies and classifies vulnerabilities and threatsRapid Response:Signatures are created to mitigate the vulnerabilities within hours of classificationHuman Intelligence:Applied Intelligence Reports provide insight and guidance on using IPS technology to protect yourself
Cisco Services for IPSRapid Signature Updates for Emerging Threats
Cisco IPS Signature R&D Team
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 32
• Cisco IPS protects your organization from malware and attackers as an integrated, collaborative, and adaptive network solution
Summary• Threats result in disruption, loss, and
damage to your organization
• Network Intrusion Prevention is a fundamental element to your security strategy
• Cisco IPS increases the effectiveness of threat response, reduces operational costs, and increases the efficiency of security operations
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 33
Cisco IPS Resources – On the WebCisco IPS site: http://www.cisco.com/go/ipsCisco Services for IPS:http://www.cisco.com/en/US/products/ps6076/serv_home.htmlCisco Security Site: http://www.cisco.com/security/Cisco Active Update Bulletins:http://www.cisco.com/offer/newsletter/123668_4/Cisco Security Advisories and Notices:http://www.cisco.com/go/psirt
Cisco IPS site: http://www.cisco.com/go/ipsCisco Services for IPS:http://www.cisco.com/en/US/products/ps6076/serv_home.htmlCisco Security Site: http://www.cisco.com/security/Cisco Active Update Bulletins:http://www.cisco.com/offer/newsletter/123668_4/Cisco Security Advisories and Notices:http://www.cisco.com/go/psirt
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 34
Recommended