© 2004, Cisco Systems, Inc. All rights reserved. VOI Day
"Security in the SME" (Beveiliging in de KMO)
LAN, WAN & Remote Access
Peter Saenen
Cisco Systems
Recent challenges
Speed of Internet attacks: Do You Have Time To React?
1980s-1990s: Usually had weeks or months to put a defense in place.
2000-2002: Attacks progressed over hours; time to assess danger and impact, time to implement a defense.
2003-Future: Attacks progress on the timeline of seconds.
SQL Slammer Worm: doubled every 8.5 seconds; after 3 minutes: 55M scans/sec; a 1 Gb link is saturated after one minute.
In half the time it took to read this slide, your network and all of your applications would have become unreachable.
SQL Slammer was a warning. Newer "Flash" worms are exponentially faster.
Example – The Sapphire Worm, aka "Slammer"
• Infections doubled every 8.5 seconds
• Infected 75,000 hosts in first 11 minutes
• Caused network outages, cancelled airline flights and ATM failures
[Figure: infected hosts versus minutes after release; at peak, scanned 55 million hosts per second]
An open network is required: increased partnering, acquisitions, customer service, contractors, visitors, …
Increased requirement for customer/partner/supplier/contractor access to corporate resources.
This creates increased opportunity to exploit the "swiss cheese" perimeter policy.
• Customers with an aggressive Internet business stance view perimeter security as less relevant as the access policy becomes more open.
• The perimeter is evolving from a simple perimeter, to a layered perimeter, to ubiquitous embedded security.
• More interior security hardening/fortification is required.
Mobility of our systems: Where has your PC been?
[Figure: a PC moving between HQ, branches, teleworker sites, airports, hotels, WLAN hotspots etc. over the WAN]
• Example – The Sapphire Worm or "Slammer": disabled networks and applications through brute-force DDoS; caused network outages, cancelled flights and ATM failures.
• Even the most effective perimeter defense won't stop "piggyback" infections.
Cisco's security strategy
• Create Integrated and Secure Intelligent Networks with Auto-Response Capabilities (AKA the Self-Defending Network) to improve reaction times and reduce windows of vulnerability
• This requires:
A presence on the endpoint as well as the network
Security features built into the network infrastructure
Complementary anomaly-based (coarse-grained) and signature-based (fine-grained) detection methods
A proper trust and identity infrastructure
Cisco's Self Defending Network: Integrating the Endpoints with the Network
• Endpoint security solutions know security context and posture
• Policy servers know compliance and access rules
• Network infrastructure provides enforcement mechanisms
[Figure: intelligent linkage of endpoint with network, built on identity and trust. Network-based security: IDS, FW, VPN, SSL VPN, FW + VPN, AD IPS, DDoS, APP FW. End-system-based security: AV, HIDS, ID/Trust, personal FW, VPN, behavior/anomaly IPS/FW.]
A good security policy
• List out each risk and analyze how often the potential loss is likely to occur per year
• Play out sample scenarios
• Find your optimal risk/cost value
• Involve the decision maker and confront them with the risk vs. cost solution
Cost of Precaution < Probability of Loss * Likely Amount of Loss
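The rule on this slide, and the "play out sample scenarios" step before it, worked through in code. This is an added example, not part of the original deck: the risks, precautions and amounts are constructed sample values, and the per-precaution rule is applied first on its own and then across every combination, because two precautions on the same risk overlap and the cheapest combination is not always the set of items that each pass the rule alone.

```python
"""Annualised risk versus cost of precautions.

Added worked example (not from the slides): applies the rule
"cost of precaution < probability of loss * likely amount of loss" to a
constructed list of risks and candidate precautions, then plays out every
combination (scenario) to find the lowest total annual cost.
All names and amounts below are constructed sample values."""

from __future__ import annotations
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: float   # how often the loss is expected to occur per year
    loss_per_event: float    # likely amount of loss per event, in EUR

    @property
    def expected_annual_loss(self) -> float:
        # probability of loss (per year) * likely amount of loss
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Precaution:
    name: str
    annual_cost: float       # what the precaution costs per year, in EUR
    risk: str                # the risk it mitigates
    reduction: float         # fraction of that risk's expected loss removed, 0..1


def expected_saving(p: Precaution, risks: dict[str, Risk]) -> float:
    return risks[p.risk].expected_annual_loss * p.reduction


def worthwhile_precautions(risks: list[Risk], precautions: list[Precaution]) -> list[str]:
    """The slide's rule, applied to each precaution on its own."""
    by_name = {r.name: r for r in risks}
    return [p.name for p in precautions if p.annual_cost < expected_saving(p, by_name)]


def residual_loss(risk: Risk, chosen: tuple[Precaution, ...]) -> float:
    # Precautions on the same risk overlap: each removes a fraction of what is left.
    remaining = 1.0
    for p in chosen:
        if p.risk == risk.name:
            remaining *= 1.0 - p.reduction
    return risk.expected_annual_loss * remaining


def scenario_cost(risks: list[Risk], chosen: tuple[Precaution, ...]) -> float:
    """Total annual cost of a scenario: precaution spend plus the expected loss that remains."""
    spend = sum(p.annual_cost for p in chosen)
    return spend + sum(residual_loss(r, chosen) for r in risks)


def best_scenario(risks: list[Risk], precautions: list[Precaution]) -> tuple[list[str], float]:
    """Play out every combination and keep the cheapest overall: the optimal risk/cost point."""
    best: tuple[Precaution, ...] = ()
    best_cost = scenario_cost(risks, ())
    for k in range(1, len(precautions) + 1):
        for combo in combinations(precautions, k):
            cost = scenario_cost(risks, combo)
            if cost < best_cost:
                best, best_cost = combo, cost
    return [p.name for p in best], best_cost


# Constructed sample data for a small company
RISKS = [
    Risk("worm outbreak", events_per_year=2.0, loss_per_event=25_000),   # expected loss 50,000/yr
    Risk("laptop theft", events_per_year=0.5, loss_per_event=8_000),     # expected loss 4,000/yr
    Risk("web defacement", events_per_year=0.2, loss_per_event=15_000),  # expected loss 3,000/yr
]
PRECAUTIONS = [
    Precaution("host AV + patching", 12_000, "worm outbreak", 0.8),
    Precaution("network IPS", 20_000, "worm outbreak", 0.6),
    Precaution("laptop disk encryption", 3_000, "laptop theft", 0.9),
    Precaution("web application firewall", 5_000, "web defacement", 0.7),
]

if __name__ == "__main__":
    print("doing nothing costs:", scenario_cost(RISKS, ()))
    print("worthwhile on their own:", worthwhile_precautions(RISKS, PRECAUTIONS))
    print("cheapest scenario:", best_scenario(RISKS, PRECAUTIONS))
```

With these sample figures the network IPS passes the per-item rule (20,000 < 0.6 * 50,000) but drops out of the cheapest scenario, because host AV plus patching already removes most of the worm loss and the IPS would only be buying down the remainder. That gap between "each item pays for itself" and "this set is the optimum" is what playing out scenarios exposes before the figures go to the decision maker.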
A 'standard' SME network?
[Figure: SME network connected via an Internet provider]
Integrity control – identity & compliance
[Figure: SME network connected via an Internet provider]
Who/what is connecting? Can you trust them and the device?
End devices (PC, laptop, telephone, printer, …); internal user groups (production, labs, development, testing, …); external user groups (consultants, customers, partners, …)
Classification based on trust and identity
Identity: So, you said MAC address?
Windows 2000 & XP allow easy change of MAC addresses.
A MAC address is not an authentication mechanism…
Customer Problems with Host Security
• Viruses and worms continue to disrupt business: downtime, patching, etc.
• Non-compliant servers and desktops are difficult to detect or contain
• Locating, isolating, and repairing infected systems is time- and resource-intensive
• Point technologies preserve host rather than network availability and resiliency
Understanding Trust and Identity
Identity-based Networking: identifies the user or device on the network and ensures access to the correct network resources.
Network Access Control: identifies the posture (or compliance) of the device to ensure the device can safely be admitted to the network without undue hazard.
How the Trust and Identity System Works
1. Who are you? 802.1x authenticates the user in conjunction with ACS
2. Are you healthy? Using NAC, the end-station and network can check whether the device has the correct virus software and protection.
3. Where can you go? Based on authentication, the user is placed in the correct workgroup or VLAN
4. What service level do you receive? The user can be put into a firewalled VPN or given specific QoS priority on the network
5. What are you doing? Using the identity and location of the user, tracking and accounting can be better managed
Understanding 802.1x: How It Works
Each person trying to enter the network must receive authorization based on their personal username and password.
[Figure: client (802.1x supplicant) → accessing switch → TACACS+ or RADIUS server. Valid username and valid password → Yes; invalid username or invalid password → No.]
Using the Guest VLAN and User Group Segmentation
[Figure: identity-based 802.1x authentication. Valid credentials → authorized user placed on the Marketing network (✓), Finance network blocked (X). Invalid/no credentials → guest user placed on the Guest network, with access to the Internet.]
Network Admission Control: Validate security compliance and build trust
[Figure: a desktop client running the Cisco® Trust Agent attempts a connection; the network performs authentication and a policy check of the client. Outcomes: Access Granted (corporate net), Access Denied, or Quarantine (quarantine VLAN, then remediation).]
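The decision the three preceding slides describe (802.1x authentication against a TACACS+/RADIUS server, guest VLAN for invalid or missing credentials, NAC posture check with a quarantine VLAN for remediation), modelled as a small program. This is an added illustration and not Cisco code: the AAA server is a stand-in that stores salted PBKDF2 hashes, and the group-to-VLAN plan, posture thresholds, user names, passwords and sample postures are all constructed for the example.

```python
"""Admission decision for the 802.1x + NAC flow described on these slides.

Added illustration, not Cisco code: a model of what the accessing switch does
with the answers from the AAA server (802.1x: who are you?) and the posture
check (NAC: are you healthy?) before it picks a VLAN (where can you go?).
The credential store, VLAN plan, posture policy and sample clients are all
constructed for this example."""

from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac
import os

# Constructed VLAN plan
GROUP_VLANS = {"marketing": 20, "finance": 30}
GUEST_VLAN = 99          # Internet-only segment for invalid or missing credentials
QUARANTINE_VLAN = 66     # remediation segment for authenticated but non-compliant hosts

# Constructed posture policy
MAX_SIGNATURE_AGE_DAYS = 7
MIN_PATCH_LEVEL = 3


class AAAServer:
    """Stand-in for the RADIUS/TACACS+ server: verifies username/password, returns the user's group."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, str]] = {}

    def add_user(self, username: str, password: str, group: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, group)

    def authenticate(self, username: str, password: str) -> str | None:
        entry = self._users.get(username)
        if entry is None:
            return None
        salt, digest, group = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return group if hmac.compare_digest(candidate, digest) else None


@dataclass(frozen=True)
class Posture:
    av_installed: bool
    av_signature_date: date
    patch_level: int


@dataclass(frozen=True)
class Decision:
    result: str      # "granted", "guest" or "quarantine"
    vlan: int
    reason: str


def check_posture(posture: Posture, today: date) -> tuple[bool, str]:
    """NAC step: does the device carry current antivirus protection and patches?"""
    if not posture.av_installed:
        return False, "no antivirus installed"
    age = (today - posture.av_signature_date).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        return False, f"antivirus signatures are {age} days old"
    if posture.patch_level < MIN_PATCH_LEVEL:
        return False, f"patch level {posture.patch_level} below required {MIN_PATCH_LEVEL}"
    return True, "compliant"


def admit(aaa: AAAServer, username: str | None, password: str | None,
          posture: Posture, today: date) -> Decision:
    """Switch-side decision: 1. who are you? 2. are you healthy? 3. where can you go?"""
    # No supplicant or no credentials: guest VLAN only, never a corporate VLAN
    if username is None or password is None:
        return Decision("guest", GUEST_VLAN, "no credentials offered")
    group = aaa.authenticate(username, password)
    if group is None:
        return Decision("guest", GUEST_VLAN, "invalid credentials")
    ok, why = check_posture(posture, today)
    if not ok:
        return Decision("quarantine", QUARANTINE_VLAN, why + "; remediation required")
    return Decision("granted", GROUP_VLANS[group], f"{username} placed in {group}")


# Constructed sample data
TODAY = date(2004, 6, 1)
HEALTHY_POSTURE = Posture(av_installed=True, av_signature_date=date(2004, 5, 30), patch_level=3)
STALE_POSTURE = Posture(av_installed=True, av_signature_date=date(2004, 4, 1), patch_level=3)
UNPATCHED_POSTURE = Posture(av_installed=True, av_signature_date=date(2004, 5, 30), patch_level=1)


def build_demo_server() -> AAAServer:
    aaa = AAAServer()
    aaa.add_user("alice", "correct-horse-battery", "marketing")   # constructed
    aaa.add_user("bob", "staple-2004", "finance")                  # constructed
    return aaa


if __name__ == "__main__":
    aaa = build_demo_server()
    print(admit(aaa, "alice", "correct-horse-battery", HEALTHY_POSTURE, TODAY))
    print(admit(aaa, "alice", "wrong-password", HEALTHY_POSTURE, TODAY))
    print(admit(aaa, None, None, HEALTHY_POSTURE, TODAY))
    print(admit(aaa, "bob", "staple-2004", STALE_POSTURE, TODAY))
```

The order of the checks is the point: identity is settled before posture is consulted, a failed or absent authentication lands on the guest VLAN rather than anywhere corporate, and a valid user with out-of-date protection is held in quarantine until remediation instead of being refused outright. Nothing in the decision looks at the client's MAC address, for the reason the earlier slide gives.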
Current NAC Program Participants
[Figure: partner logos grouped as initial sponsors, anti-virus, patch management and client security vendors]
End point control and security: Cisco Security Agent
[Figure: SME network connected via an Internet provider]
• Protection against new and as yet unknown attacks
• Protection against spyware and adware
• Personal firewall & intrusion detection
• Provides a solution for patch management
• Where can we store which data?
• No updates needed
• Which software may be used, and under which conditions
• Inventory of which software is installed on the systems
• A location-dependent policy
Cisco Secure Connectivity Solutions
Remote Access VPN solutions
[Figure: VPN 3000, IOS router and ASA as head-ends]
Roaming users: browser-based access, any place, any PC (SSL-based VPNs)
Roaming users/teleworkers: Cisco IPsec client, Windows embedded client
Roaming users: PDA support
Teleworker/home worker: low-end PIX and routers
Suitable ISR for any size of branch connection
Flexibility, security and added value

| | Control | Integrated security | Add. services | Cisco Security Agent |
|---|---|---|---|---|
| SSL VPN | Depends on PC | CSD/NAC | no | Depends on PC |
| IPsec VPN | Partial / mobile | FW/ST/NAC & IPsec | no | yes |
| PIX | Partial / home PC | FW/IDS & IPsec | Voice support | yes |
| Router | Full | FW/IPS & anti-virus outbreak prevention | Voice services, video, content | yes |
Integrated security reduces the RISK
[Figure: "Risk-ometer" gauge. An open network sits at high risk (danger); the controls shown along the gauge are ACL, CPP, 802.1x, NAC, Easy VPN, V3PN, DMVPN, firewall and IPS, and as they are added the needle moves from high through medium and low to strongly reduced risk.]
An example of integrated security
Security Services Silos Force Trade-Offs: Complementary Defenses, Limited Deployability
IPS services: broad attack detection, granular packet inspection, application control, dynamic response
Firewall services: access control, packet inspection, protocol validation, accurate enforcement, robust resiliency
Network AV services: virus mitigation; spyware, adware and malware detection and control; malicious mobile code mitigation
IPsec/SSL VPN services: SSL VPN, IPsec VPN, user-based security, group-based management, clustering
Threats shown against the silos: access breaches, session abuse, port scans, malformed packets; application misuse, DoS/hacking, known attacks; infected traffic; tunneled traffic with limited protections
Multiple Discrete Services x Multiple Locations = Security Trade-Offs
Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies
Market-proven technologies:
Firewall technology: Cisco PIX
IPS technology: Cisco IPS
NW-AV technology: Cisco IPS, AV
VPN technology: Cisco VPN 3000
Network intelligence: Cisco network services
Adaptive Threat Defense, Secure Connectivity:
Application security: app inspection, use enforcement, web control
Anti-X defenses: malware/content defense, anomaly detection
Network containment & control: traffic/admission control, proactive response
Secure connectivity: IPsec & SSL VPN
Cisco ASA Platforms: Key Platform Performance Metrics

| Feature | ASA 5510 (► Sec Plus) | ASA 5520 | ASA 5520 VPN Plus | ASA 5540 | ASA 5540 VPN Plus | ASA 5540 VPN Premium |
|---|---|---|---|---|---|---|
| Firewall throughput (300 / 1400 byte) | 100 / 300 Mbps | 200 / 450 Mbps | 200 / 450 Mbps | 400 / 650 Mbps | 400 / 650 Mbps | 400 / 650 Mbps |
| VPN throughput (300 / 1400 byte) | 50 / 100 Mbps | 100 / 200 Mbps | 100 / 200 Mbps | 200 / 360 Mbps | 200 / 360 Mbps | 200 / 360 Mbps |
| IPS throughput (500 byte) | 100 Mbps with SSM-AIP 10 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 |
| Maximum connections | 32,000 ► 64,000 | 130,000 | 130,000 | 280,000 | 280,000 | 280,000 |
| S2S and IPsec RA VPN peers | 50 ► 150 | 300 | 750 | 500 | 2,000 | 5,000 |
| SSL VPN connections | Shared | Shared | Shared | Shared | Shared, up to 1,250 | Shared, up to 2,500 |
| VPN clustering / load bal. | No | Yes | Yes | Yes | Yes | Yes |
| High availability | None ► A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
| Interfaces | 3 x 10/100 + OOB ► 5 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 |
| Security contexts | No | Up to 10 | Up to 10 | Up to 50 | Up to 50 | Up to 50 |
| VLANs supported | 0 ► 10 | 25 | 25 | 100 | 100 | 100 |
| Comparable PIX model | PIX 515E | PIX 515E/525 | PIX 515E/525 | PIX 525+ | PIX 525+ | PIX 525+ |
| Comparable VPN3K model | VPN 3005 | VPN 3015 | VPN 3020 | VPN 3015 | VPN 3030 | VPN 3060 |
Is security really an option?
Security as an Option: security is an add-on; challenging integration; not cost effective; cannot focus on core priority.
Security as part of a System: security is built-in; intelligent collaboration; appropriate security; direct focus on core priority.
Questions?