VOI Day “Beveiliging in de KMO” (Security in the SME): LAN, WAN & Remote Access
Peter Saenen, Cisco Systems
© 2004, Cisco Systems, Inc. All rights reserved.

Page 1: Title slide (as above)

Page 2: Recent challenges

Page 3: Speed of Internet attacks – Do you have time to react?

• 1980s–1990s: usually weeks or months to put a defense in place.
• 2000–2002: attacks progressed over hours; time to assess danger and impact, and time to implement a defense.
• 2003–future: attacks progress on a timeline of seconds.

SQL Slammer worm: doubled every 8.5 seconds; after 3 minutes, 55M scans/sec; a 1 Gb link is saturated after one minute.

In half the time it took to read this slide, your network and all of your applications would have become unreachable.

SQL Slammer was a warning. Newer “flash” worms are exponentially faster.

Page 4: Example – The Sapphire Worm, aka “Slammer”

• Infections doubled every 8.5 seconds
• Infected 75,000 hosts in the first 11 minutes
• Caused network outages, cancelled airline flights and ATM failures

At peak, scanned 55 million hosts per second.

[Chart: infected hosts versus minutes after release]

Page 5: Creates increased opportunity to exploit the “swiss cheese” perimeter policy

• Customers with an aggressive Internet business stance view perimeter security as less relevant as the access policy becomes more open.
• The perimeter is evolving from a simple perimeter, to a layered perimeter, to ubiquitous embedded security.
• More interior security hardening/fortification is required.

An open network is required: increased partnering, acquisitions, customer service, contractors, visitors, …

[Diagram: corporate resources, with an increased requirement for customer/partner/supplier/contractor access]

Page 6: Mobility of our systems – Where has your PC been?

[Diagram: HQ, branches and teleworkers connected over the WAN; laptops travel through airports, hotels, WLAN hotspots, etc.]

• Example – The Sapphire Worm or “Slammer”: disabled networks and applications through brute-force DDoS; caused network outages, cancelled flights and ATM failures.
• Even the most effective perimeter defense won’t stop “piggyback” infections.

Page 7: Cisco’s security strategy

• Create integrated and secure intelligent networks with auto-response capabilities (AKA the Self-Defending Network) to improve reaction times and reduce windows of vulnerability.
• This requires:
  - A presence on the endpoint as well as in the network
  - Security features built into the network infrastructure
  - Complementary anomaly-based (coarse-grained) and signature-based (fine-grained) detection methods
  - A proper trust and identity infrastructure

Page 8: Cisco’s Self-Defending Network – Integrating the Endpoints with the Network

[Diagram: Network-based security (FW, VPN, IDS, SSL VPN, FW + VPN, AD IPS, DDoS, App FW) and end-system-based security (AV, HIDS, ID/Trust, personal FW, VPN, behavior/anomaly IPS/FW), linked through identity and trust]

• Endpoint security solutions know security context and posture
• Policy servers know compliance and access rules
• Network infrastructure provides enforcement mechanisms

Intelligent linkage of endpoint with network.

Page 9: A good security policy

• List out each risk and analyze how often the potential loss is likely to occur per year
• Play out sample scenarios
• Find your optimal risk/cost value
• Involve the decision maker and confront them with the risk vs. cost solution

Cost of Precaution < Probability of Loss × Likely Amount of Loss
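The rule on this slide (cost of precaution below probability of loss times likely amount of loss) applied to the slide's four steps, as an added Python example that is not part of the presentation. The risks, controls, costs and reduction percentages are constructed figures for an imaginary SME, and the code goes beyond the slide's single inequality by playing out every combination of controls to find the lowest total yearly cost, which is the slide's "optimal risk/cost value".

```python
"""Risk versus cost evaluation for the security-policy slide.
All risks, controls, costs and reduction figures below are constructed sample data."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Risk:
    name: str
    probability_per_year: float  # how often the loss event is expected per year
    loss_amount: float           # likely amount of loss per event (EUR)

    def ale(self) -> float:
        """Annualised loss expectancy: probability of loss * likely amount of loss
        (the right-hand side of the slide's inequality)."""
        return self.probability_per_year * self.loss_amount


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction by which this control lowers the yearly probability of each named risk
    reduction: dict = field(default_factory=dict)


# Constructed SME scenario (assumed figures, not from the presentation)
RISKS = [
    Risk("worm outbreak", probability_per_year=2.0, loss_amount=15_000),
    Risk("laptop theft", probability_per_year=0.5, loss_amount=8_000),
    Risk("web server defacement", probability_per_year=0.2, loss_amount=20_000),
]
CONTROLS = [
    Control("patch management", 6_000, {"worm outbreak": 0.7}),
    Control("disk encryption", 1_500, {"laptop theft": 0.9}),
    Control("hot standby site", 40_000, {"web server defacement": 0.95, "worm outbreak": 0.2}),
    Control("network IPS", 9_000, {"worm outbreak": 0.5, "web server defacement": 0.5}),
]


def total_ale(risks) -> float:
    """Expected yearly loss with no precautions in place."""
    return sum(r.ale() for r in risks)


def residual_ale(risks, controls) -> float:
    """Expected yearly loss once the given controls are in place.
    Several controls acting on the same risk combine multiplicatively."""
    total = 0.0
    for r in risks:
        p = r.probability_per_year
        for c in controls:
            p *= 1.0 - c.reduction.get(r.name, 0.0)
        total += p * r.loss_amount
    return total


def is_worthwhile(control, risks) -> bool:
    """The slide's rule for one precaution: its cost must stay below the loss it averts."""
    averted = total_ale(risks) - residual_ale(risks, [control])
    return control.annual_cost < averted


def best_portfolio(risks, controls, budget=None):
    """Play out every combination of controls and keep the one with the lowest
    total yearly cost (residual loss + control spend), i.e. the optimal risk/cost point.
    Returns (total cost, sorted control names)."""
    best_total, best_combo = None, ()
    for n in range(len(controls) + 1):
        for combo in combinations(controls, n):
            spend = sum(c.annual_cost for c in combo)
            if budget is not None and spend > budget:
                continue
            total = residual_ale(risks, combo) + spend
            if best_total is None or total < best_total:
                best_total, best_combo = total, combo
    return round(best_total, 2), sorted(c.name for c in best_combo)


if __name__ == "__main__":
    print(f"Loss expectancy without precautions: {total_ale(RISKS):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:20s} cost {c.annual_cost:>7,.0f}  worthwhile: {is_worthwhile(c, RISKS)}")
    print("Best set of precautions:", best_portfolio(RISKS, CONTROLS))
    print("Best set within a 6,000 budget:", best_portfolio(RISKS, CONTROLS, budget=6_000))
```

With these figures the expensive standby site fails the slide's test on its own (it averts far less than it costs), while patch management plus disk encryption gives the lowest combined cost; passing a budget shows how the optimum shifts when the decision maker caps spending.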

Page 10: A ‘standard’ SME network?

[Diagram: SME network connected to the Internet through a provider]

Page 11: Integrity control – Identity & compliance

[Diagram: SME network connected to the Internet through a provider]

Who/what is connecting? Can you trust them and the device?

• End devices (PC, laptop, telephone, printer, …)
• Internal user groups (production, labs, development, testing, …)
• External user groups (consultants, customers, partners, …)

Classification based on trust and identity.

Page 12: Identity – So, you said MAC address?

Windows 2000 and XP allow the MAC address to be changed easily.

A MAC address is not an authentication mechanism…

Page 13: Customer Problems with Host Security

• Viruses and worms continue to disrupt business – downtime, patching, etc.

• Non-compliant servers and desktops difficult to detect or contain

• Locating, isolating, and repairing infected systems time and resource intensive

• Point technologies preserve host rather than network availability and resiliency

Page 14: Understanding Trust and Identity

• Identity-based networking: identifies the user or device on the network and ensures access to the correct network resources.
• Network Access Control: identifies the posture (or compliance) of the device to ensure the device can safely be admitted to the network without undue hazard.

Page 15: How the Trust and Identity System Works

1. Who are you? 802.1x authenticates the user in conjunction with ACS.
2. Are you healthy? Using NAC, the end station and the network can check whether the device has the correct anti-virus software and protection.
3. Where can you go? Based on the authentication, the user is placed in the correct workgroup or VLAN.
4. What service level do you receive? The user can be put into a firewalled VPN or given a specific QoS priority on the network.
5. What are you doing? Using the identity and location of the user, tracking and accounting can be better managed.

Page 16: Understanding 802.1x

How it works: each person trying to enter the network must receive authorization based on their personal username and password.

[Diagram: client (802.1x supplicant) → access switch → TACACS+ or RADIUS server; valid username and password → Yes; invalid username or password → No]

Page 17: Using the Guest VLAN and User Group Segmentation

[Diagram: identity-based 802.1x authentication. Valid credentials → authorized user placed in the Marketing network. Invalid/no credentials → guest user placed in the Guest network, with Internet access only. The Finance network is blocked for both.]

Page 18: Network Admission Control – Validate security compliance and build trust

[Diagram: a desktop running the Cisco® Trust Agent attempts a connection; the switch performs authentication and a policy check of the client. Outcomes: access granted (corporate net), access denied, or quarantine (quarantine VLAN → remediation).]
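The admission flow drawn on pages 15 to 18 (authenticate the user, check the device's posture, place the port in the right VLAN, record what happened), modelled as an added Python example that is not part of the presentation and not Cisco code. The user directory, VLAN numbers, posture policy and port names are constructed assumptions standing in for the RADIUS/ACS server and the access switch; the code shows the decision the policy server would return for a valid and compliant client, a valid but non-compliant one, and a client with bad or no credentials.

```python
"""Admission decision of an 802.1x + NAC deployment, as drawn on the slides.
Added illustration; the user directory, VLAN numbers, posture policy and port names are
constructed assumptions standing in for the RADIUS/ACS server and the access switch."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

# Constructed VLAN plan (assumed numbers)
GUEST_VLAN = 10         # Internet access only (invalid or no credentials)
QUARANTINE_VLAN = 20    # remediation servers only (valid user, non-compliant device)
GROUP_VLANS = {"marketing": 100, "finance": 200}


def _hash_password(password: str, salt: bytes) -> bytes:
    """The directory stores a salted PBKDF2 hash, never the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_user(username, password, group):
    salt = os.urandom(16)
    return username, {"salt": salt, "hash": _hash_password(password, salt), "group": group}


# Constructed directory; in the deployment on the slides this sits behind RADIUS/TACACS+
USERS = dict([_make_user("alice", "correct horse", "marketing"),
              _make_user("bob", "battery staple", "finance")])


@dataclass
class Posture:
    """What a Trust Agent-style client reports about the device (constructed fields)."""
    av_installed: bool
    av_signature_date: date
    os_patches_current: bool


@dataclass
class Decision:
    vlan: int
    reason: str
    accounting: str = ""  # the record the switch keeps (step 5: what are you doing?)


def authenticate(username, password):
    """Step 1, who are you: returns the user's group, or None for bad or missing credentials."""
    record = USERS.get(username)
    if record is None or password is None:
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record["group"]


def is_compliant(posture, today, max_signature_age_days=7):
    """Step 2, are you healthy: AV present with fresh signatures and OS patches current."""
    if posture is None or not posture.av_installed or not posture.os_patches_current:
        return False
    return (today - posture.av_signature_date).days <= max_signature_age_days


def admit(port, username, password, posture, today):
    """Steps 3 and 5: pick the VLAN for the port and write the accounting record."""
    group = authenticate(username, password)
    if group is None:
        decision = Decision(GUEST_VLAN, "invalid or missing credentials: guest network")
    elif not is_compliant(posture, today):
        decision = Decision(QUARANTINE_VLAN, "non-compliant posture: quarantine for remediation")
    else:
        decision = Decision(GROUP_VLANS[group], f"authorized member of {group}")
    decision.accounting = (f"port={port} user={username or 'anonymous'} "
                           f"vlan={decision.vlan} reason={decision.reason!r}")
    return decision


if __name__ == "__main__":
    today = date(2004, 6, 1)
    healthy = Posture(True, date(2004, 5, 30), True)
    stale = Posture(True, date(2004, 4, 1), True)
    for args in [("Fa0/1", "alice", "correct horse", healthy),
                 ("Fa0/2", "bob", "battery staple", stale),
                 ("Fa0/3", "bob", "wrong password", healthy),
                 ("Fa0/4", None, None, None)]:
        print(admit(*args, today).accounting)
```

The order of the checks matters: identity is decided before posture, so an unknown device never learns which resources a compliant insider would reach, and a known user on a stale machine lands in the quarantine VLAN rather than on the corporate network.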

Page 19: Current NAC Program Participants

[Partner logos grouped as: anti-virus, patch management, client security, and initial sponsors]

Page 20: Endpoint control and security – Cisco Security Agent

[Diagram: SME network connected to the Internet through a provider]

• Protection against new and as yet unknown attacks
• Protection against spyware and adware
• Personal firewall & intrusion detection
• Provides a solution for patch management
• Where may which data be stored?
• No updates needed
• Which software may be used, and under which conditions
• Inventory of which software is installed on the systems
• A location-dependent policy

Page 21: Cisco Secure Connectivity Solutions

Page 22: Remote Access VPN solutions

[Diagram: VPN 3000, IOS router and ASA as head-end platforms]

• Roaming users: browser-based access, any place, any PC (SSL-based VPNs)
• Roaming users/teleworkers: Cisco IPsec client, Windows embedded client
• Roaming users: PDA support
• Teleworker/home worker: low-end PIX and routers
• Suitable ISR for any size of branch connection

Page 23: Flexibility, security and added value

Platform   | Control            | Integrated security                      | Additional services             | Cisco Security Agent
SSL VPN    | Depends on the PC  | CSD/NAC                                  | no                              | Depends on the PC
IPsec VPN  | Partial / mobile   | FW/ST/NAC & IPsec                        | no                              | yes
PIX        | Partial / home PC  | FW/IDS & IPsec                           | Voice support                   | yes
Router     | Full               | FW/IPS & anti-virus outbreak prevention  | Voice services, video, content  | yes

Page 24: Integrated security reduces the RISK

[Figure: “Risk-ometer” – risk falls from High (open network) through Medium and Low to Strongly reduced as controls are layered on: ACL, CPP, 802.1x, NAC, Easy VPN, V3PN, DMVPN, Firewall, IPS]

Page 25: An example of integrated security

Page 26: Security Services Silos Force Trade-Offs – Complementary Defenses, Limited Deployability

• IPS services: broad attack detection, granular packet inspection, application control, dynamic response
• Firewall services: access control services, packet inspection, protocol validation, accurate enforcement, robust resiliency
• Network AV services: virus mitigation; spyware, adware and malware detection and control; malicious mobile code mitigation
• IPSec/SSL VPN services: SSL VPN, IPSec VPN, user-based security, group-based management, clustering

Threats handled across the silos: access breaches, session abuse, port scans, malformed packets; application misuse, DoS/hacking, known attacks; infected traffic; tunneled traffic with limited protections.

Multiple discrete services × multiple locations = security trade-offs.

Page 27: Cisco ASA 5500 Series – Convergence of Robust, Market-Proven Technologies

Market-proven technologies:
• Firewall technology: Cisco PIX
• IPS technology: Cisco IPS
• Network AV technology: Cisco IPS, AV
• VPN technology: Cisco VPN 3000
• Network intelligence: Cisco network services

Adaptive Threat Defense and Secure Connectivity:
• Application security: application inspection, use enforcement, web control
• Anti-X defenses: malware/content defense, anomaly detection
• Network containment & control: traffic/admission control, proactive response
• Secure connectivity: IPSec & SSL VPN

Page 28: Cisco ASA Platforms – Key Platform Performance Metrics

(► marks the ASA 5510 value with the Security Plus license)

Feature | ASA 5510 (► Sec Plus) | ASA 5520 | ASA 5520 VPN Plus | ASA 5540 | ASA 5540 VPN Plus | ASA 5540 VPN Premium
Firewall throughput (300 / 1400 byte) | 100 / 300 Mbps | 200 / 450 Mbps | 200 / 450 Mbps | 400 / 650 Mbps | 400 / 650 Mbps | 400 / 650 Mbps
VPN throughput (300 / 1400 byte) | 50 / 100 Mbps | 100 / 200 Mbps | 100 / 200 Mbps | 200 / 360 Mbps | 200 / 360 Mbps | 200 / 360 Mbps
IPS throughput (500 byte) | 100 Mbps with SSM-AIP 10 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20 | 200 Mbps with SSM-AIP 20
Maximum connections | 32,000 ► 64,000 | 130,000 | 130,000 | 280,000 | 280,000 | 280,000
S2S and IPSec RA VPN peers | 50 ► 150 | 300 | 750 | 500 | 2,000 | 5,000
SSL VPN connections | Shared | Shared | Shared | Shared | Shared, up to 1,250 | Shared, up to 2,500
VPN clustering / load balancing | No | Yes | Yes | Yes | Yes | Yes
High availability | None ► A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S
Interfaces | 3 x 10/100 + OOB ► 5 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100
Security contexts | No | Up to 10 | Up to 10 | Up to 50 | Up to 50 | Up to 50
VLANs supported | 0 ► 10 | 25 | 25 | 100 | 100 | 100
Comparable PIX model | PIX 515E | PIX 515E/525 | PIX 515E/525 | PIX 525+ | PIX 525+ | PIX 525+
Comparable VPN 3000 model | VPN 3005 | VPN 3015 | VPN 3020 | VPN 3015 | VPN 3030 | VPN 3060

Page 29: Is security really an option?

Security as an option:
• Security is an add-on
• Challenging integration
• Not cost effective
• Cannot focus on core priority

Security as part of a system:
• Security is built in
• Intelligent collaboration
• Appropriate security
• Direct focus on core priority

Page 30: Questions?

Page 31: Closing slide