Page 1: Cisco Expo Algerie: Architecture Réseauxde Nouvelle ... · Controlling the Botnet: Covert-channel of some form; typically IRC or custom IRC-like channel Historically have used free

1© 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Expo Algerie :

Architecture Réseaux de Nouvelle Génération -

(Cisco Borderless Networks)

Zakaria BEN LETAIEF

Consulting Systems Engineer

Page 2

Why Borderless Networks?

Cisco’s Architectural Approach

Cisco TrustSec Solution

Delivering Business Value

New and Evolving Threats

Page 3

Why Borderless Networks?

Cisco’s Architectural Approach

Cisco TrustSec Solution

Delivering Business Value

New and Evolving Threats

Page 4

Video, Mobility, Workplace Experience

7 Billion New Wireless Devices by 2015

Mobile Devices

IT Resources

Blurring the Borders: Consumer ↔ Workforce

Employee ↔ Partner

Physical ↔ Virtual

Changing the Way We Work

Video projected to quadruple IP traffic by 2014 to 767 exabytes

Anyone, Anywhere, Anytime

Page 5

IT Consumerization

Device Border

Mobile Worker

Location Border

Video/Cloud

IaaS, SaaS

Application Border

External-Facing Applications

Internal Applications

Page 6

Location

Device

Application

Scalability

Availability

Performance

Security

Manageability

Cost of Ownership

Scalability, Availability, Performance, Security and Manageability Across Non-IT-Controlled Environments

Then: Linear

Now: Multi-Dimensional

Page 7

Borderless Experience

ANYWHERE

ANYONE

ANYTIME

ANYTHING

Securely, Reliably, Seamlessly

Page 8

Why Borderless Networks?

Cisco’s Architectural Approach

Cisco TrustSec Solution

Delivering Business Value

New and Evolving Threats

Page 9

Technology Portfolio

Borderless Networks

Collaboration, Data Center/Virtualization

WAAS, Wireless, Switching, Routing, Security

Page 10

BORDERLESS INFRASTRUCTURE

Application Networking/ Optimization

Switching, Security, Routing, Wireless

BORDERLESS NETWORK SYSTEMS

BORDERLESS NETWORK SERVICES

BORDERLESS END-POINT/USER SERVICES

Securely, Reliably, Seamlessly: AnyConnect

Mobility: Motion

App Performance: App Velocity

Energy Management: EnergyWise

Multimedia Optimization: Medianet

Security: TrustSec

Architecture for Agile Delivery of the Borderless Experience

Unified Fabric

Extended Cloud

Extended Edge

Unified Access

Campus Core

CISCO LIFECYCLE SERVICES

POLICY

CISCO SMART SERVICES

MANAGEMENT

PROFESSIONAL SERVICES: Realize the Value of Borderless Networks Faster

Page 11

Can My Network Deliver Real-Time Collaboration Experiences?

[Figure: global business, worldwide offices; a CEO meeting, an M&A negotiation and a sports event compete for the network. Before: no resource reservation, degraded voice and video. After: context-aware, prioritized, high-quality voice and video.]

Transform Voice and Video Experiences

Page 12

Can My Network Optimize Performance of Applications Anytime, Anywhere?

[Figure: application traffic routed across service providers SP A to SP D. Before: shortest path selected, no application control, wasted bandwidth, compromised and costly experience. After: real-time fastest path, scalable app visibility, embedded WAN optimization.]

Up to 2X Improved Response Time and 90% Reduced Bandwidth Cost

Superior Application Performance, Better User Experience

Page 13

“Lean” Application Hosting Provides Branch-to-Cloud Application Survivability and Infrastructure Agility

Can my Network Optimize Performance of Applications Anytime, Anywhere?

[Figure: branch office connected over the WAN to cloud-hosted applications. Before: an unreliable WAN leads to poor experience with cloud/data center hosted applications. After: UCS-E in the branch.]

Enables Business Continuity and Network Reliability

Page 14

Am I Using My Network to Reduce My Energy Costs?

Countywide Office Energy Management (county offices, 10,000 PCs)

No Energy Management: annual energy costs $770,000

Managed Nightly Shutdown: $280,000

Additional Energy Policies: $150,000

Total Savings: $430,000

Reducing Energy Costs

Page 15

“Guest” Access Policy: IT Devices Changed Manually

[Figure: a consultant arriving for a project]

Guest Access Made Easy

Do I Have a Consistent Access Policy Architecture Across My Network for All Users and Devices?

Page 16

Is My Network Ready for Current and Future Regulatory Requirements?

[Figure: data (D) and video (V) streams on the LAN. Before: clear data and video streams in the LAN, exposed to a malicious guest user. After: encrypted, tamper-proof transactions.]

Next-Generation Security

Page 17

Next-Generation Security

Can Mobile Devices Access My Network Securely, Reliably and Seamlessly?

[Figure: a mobile executive. Before: unmanaged devices, risk of data loss, and lack of access. After: secure mobile connectivity with acceptable use, access control and data loss prevention.]

Page 18

802.11n Performance Protection

Can Mobile Devices Access My Network Securely, Reliably and Seamlessly?

Wireless Interference Decreases 802.11n Performance

CleanAir Detects and Mitigates Interference for Performance Protection

[Figure: air quality versus wireless performance, before and after CleanAir]

Page 19

Medianet

Offers converged architecture for video; removes complexity

Makes video ready-to-use as IP telephony

Offers automatic discovery of video endpoints

Provides automatic video-optimized network configuration

Provides resource reservation and resource prioritization

Offers “one-button” diagnostics for troubleshooting

Provides content auto-adaptation

Cisco EnergyWise

Offers network-integrated measurement, monitoring, and control of energy usage

Increases visibility, actively reduces energy costs

Integrates with borderless services: access control, identity, location

Phase 1: Network devices (IP phones, access points, and cameras)

Phase 2: IT devices (PCs and third-party devices)

Phase 3: Non-IT systems (air conditioning, HVAC, and lighting)

Cisco TrustSec Technology

Offers foundation for identity-directed, policy-based access

Increases data security and satisfies regulatory guidelines

Offers granular access control:

Who is trying to access

Where are they located

What device are they using

What they are accessing

Provides secure, encrypted last-hop communications for wired and wireless networks

Provides security and policy for endpoints both on and off the corporate network

Page 20

App Velocity

Large-scale discovery and prioritization optimizes application availability

WAN optimization and application-aware acceleration provides up to 99% improved response time

PfR adapts routing based on application and real-time network conditions

UCS-Express provides branch-to-cloud application survivability

Motion

Protects the performance of 802.11n networks and delivers ROI for mission critical WLANs

CleanAir technology improves wireless “air quality” through automated interference mitigation

ClientLink increases the throughput of legacy a/g clients by up to 65%

Location services offer unified monitoring and tracking of wired and wireless assets for end-to-end network security and business process optimization

Page 21

Management

Cisco EnergyWise Orchestrator and Enhancements

Cisco EnergyWise Orchestrator

PC and PoE device power management

Sustainability dashboard for at-a-glance power usage, energy savings, costs, and ROI

Enhanced SDK

Extending energy management with leading intelligent Power Distribution Units partnerships

Enhanced Platform Support

New Cisco Catalyst 3750-X, Catalyst 3560-X, Catalyst 2960-S, Catalyst 4500-E, and ISR G2

CiscoWorks LMS 4.0

Next-Generation Network Management Platform

Work-center design that accelerates deployments and automates and streamlines common tasks

New work centers for Cisco EnergyWise, Identity, Smart Operations, and Auto Smartports (Medianet)

Monitor and Troubleshoot, Manage Configurations

Immediate Platform Support

Cisco ISR G2 and Cisco Catalyst 2960-S, Catalyst 3560-X, Catalyst 3750-X, Catalyst 4500E

Page 22

Why Borderless Networks?

Cisco’s Architectural Approach

Cisco TrustSec Solution

Delivering Business Value

New and Evolving Threats

Page 23

What is a Threat?

An indication or warning of probable trouble

Where are Threats?

Everywhere you can, and more importantly, cannot think of

Why are there Threats?

• The almighty dollar (or euro, pound or rouble): the underground cyber crime industry is a growth industry

• Political and nationalistic motivations

Page 24

The Evolving Security Threats

Criminal Specialization Driving More Sophisticated Attacks

Web Ecosystem Becomes Number One Threat Vector

Criminals Exploit Users’ Trust, Challenging Traditional Security Solutions

Creative Methods (Business Models) Used to Attract Victims

Page 25

• Highly intelligent individuals are collaborating to create new viruses and other malicious code

• Software development tools for handling large projects are being used

• Development is not unlike normal software development in the IT industry

• The shared information and talents of many very skilled hackers when working together can be worse than any one working alone

Page 26

• Targeted Hacking

• Vulnerability Exploitation

• Malware Outbreaks

• Economic Espionage

• Intellectual Property Theft or Loss

• Network Access Abuse

• Theft of IT Resources

• Denial of Service

Page 27

Operating Systems

Network Services

Applications

Users

Moving up the stack

Page 28

Source : Cisco Annual Security Report 2010

Page 29

Page 30

• Botnets

• TCP Stack Table Implementation (sockstress)

• Malicious Business Documents (PDF, Office)

• SQL Injection / Cross Site Scripting

• Social Networks / Web 2.0

• Cloud and Virtualization

• Transient Trust

• Wireless Network Encryption (WEP, WPA)

• MD5 / CA Root Certificates

• IPv6 Deployment

Page 31

• Botnet: A collection of compromised machines running programs under a common command and control infrastructure

• Building the Botnet:

Many, many malcode vectors

• Controlling the Botnet:

Covert-channel of some form; typically IRC or custom IRC-like channel

Historically have used free DNS hosting services to point bots to the IRC server

Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems

Control services increasingly placed on compromised high-speed machines

Redundant systems and blind connects are implemented for resilience (fast-flux)

Do you know if Bots are loose on your network?

• See Infiltrating a Botnet http://www.cisco.com/web/about/security/intelligence/bots.html

Source: www.wikipedia.com
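The slide's resilience point (redundant control systems, fast-flux) leaves a trace in DNS: one name resolving to many short-lived addresses. The following heuristic over DNS answer logs is an added example, not part of the Cisco deck; the log records, names and thresholds are constructed.

```python
"""Fast-flux heuristic over DNS answer logs.

Added example (not from the Cisco deck): botnet controllers that rotate
through redundant hosts (fast-flux) make one DNS name resolve to many
short-lived addresses. Each name is scored by how many distinct A records
and /24 networks it has been seen in and by the lowest TTL advertised.
Thresholds and the sample log are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int      # epoch seconds when the answer was logged
    name: str    # queried name
    ip: str      # A record returned
    ttl: int     # TTL in seconds


# Constructed sample log: one name rotates through six addresses in three
# /24s with TTLs under five minutes; the other is stable with a long TTL.
SAMPLE_LOG = [
    DnsAnswer(1000, "cdn.example-good.test", "203.0.113.10", 3600),
    DnsAnswer(4600, "cdn.example-good.test", "203.0.113.10", 3600),
    DnsAnswer(1000, "login.example-flux.test", "198.51.100.7", 120),
    DnsAnswer(1120, "login.example-flux.test", "198.51.100.99", 180),
    DnsAnswer(1300, "login.example-flux.test", "192.0.2.45", 60),
    DnsAnswer(1360, "login.example-flux.test", "203.0.113.200", 300),
    DnsAnswer(1660, "login.example-flux.test", "192.0.2.133", 120),
    DnsAnswer(1780, "login.example-flux.test", "198.51.100.14", 90),
]


def summarize(answers):
    """Per name: distinct IPs, distinct /24 networks, lowest TTL, answer count."""
    stats = {}
    for a in answers:
        s = stats.setdefault(
            a.name, {"ips": set(), "nets": set(), "min_ttl": None, "answers": 0}
        )
        s["ips"].add(a.ip)
        s["nets"].add(a.ip.rsplit(".", 1)[0])  # IPv4 /24 prefix
        s["min_ttl"] = a.ttl if s["min_ttl"] is None else min(s["min_ttl"], a.ttl)
        s["answers"] += 1
    return stats


def is_fast_flux(s, min_ips=5, min_nets=3, max_ttl=300):
    """Many addresses, spread over several networks, with short TTLs.

    Large CDNs also rotate addresses, so a hit is a lead to investigate
    (who queried it, what was downloaded), not a verdict on its own.
    """
    return (
        len(s["ips"]) >= min_ips
        and len(s["nets"]) >= min_nets
        and s["min_ttl"] <= max_ttl
    )


def suspicious_names(answers, **thresholds):
    """Sorted list of names in the log that meet the fast-flux heuristic."""
    return sorted(
        n for n, s in summarize(answers).items() if is_fast_flux(s, **thresholds)
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for name in suspicious_names(SAMPLE_LOG):
        s = stats[name]
        print(f"{name}: {len(s['ips'])} IPs in {len(s['nets'])} /24s, "
              f"min TTL {s['min_ttl']}s over {s['answers']} answers")
```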

Page 32

“Antivirus XP has found 2794 threats. It is recommended to proceed with removal”

Fake AV is 15% of all malware (Google)

Page 33

SaaS

Affiliate marketing programs

Search Engine Optimization

Online marketplaces

Joint ventures

Page 34

• SQL injection attacks return

• “Here you have” email

• Stuxnet

• LinkedIn / Zeus email

• Money mules

• And others…

Page 35

Page 36

• Discovered 9th September 2010

• Redirected users to an infected PDF file which downloaded and ran the malware

• Infected companies included Google, NASA, Comcast & other US giants

• 79% of clicks occurred within first three hours of the worm’s spread

• E-mail based virus is not dead…

Page 37

• Discovered in July 2010

• The complexity of the software is very unusual for malware; it consists of attacks against three different systems:

The Windows operating system

An industrial software application that runs on Windows

A Siemens programmable logic controller (PLC) & SCADA networks

• Initial infections via USB flash drive

• Subsequent infections by USB flash drive, RPC and print spooler vulnerability

Page 38

• The malware communicates with the C&C server over HTTP. A list of URLs is included in the Stuxnet configuration data:

www.windowsupdate.com

www.msn.com

www.mypremierfutbol.com

www.todaysfutbol.com

• The first two URLs are used to check that the system has a connection to the Internet, while the third and fourth are the URLs of the C&C servers.
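The distinction the slide draws matters for detection: the first two hosts are contacted by every Windows machine, so only the two C&C hosts should raise an alert, with a preceding connectivity check recorded as supporting context. The following correlation over proxy logs is an added example, not from the Cisco deck; the log format and records are constructed.

```python
"""Correlating proxy logs against the Stuxnet C&C hosts quoted on the slide.

Added example, not from the Cisco deck. Only the two C&C hosts raise an
alert; a hit on the connectivity-check hosts alone is normal Windows
behaviour and is kept only as context for a following C&C contact.
Log line format and records are constructed for this example.
"""
import re

# Hosts quoted on the slide from the Stuxnet configuration data
CONNECTIVITY_CHECK_HOSTS = {"www.windowsupdate.com", "www.msn.com"}
C2_HOSTS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}

# Constructed line format: "<epoch> <client_ip> <method> <host> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

SAMPLE_LOG = """\
1000 10.1.1.20 GET www.windowsupdate.com / 200
1002 10.1.1.20 GET www.msn.com / 200
1005 10.1.1.20 GET www.mypremierfutbol.com / 200
1100 10.1.1.21 GET www.msn.com / 200
1700 10.1.1.22 GET www.todaysfutbol.com / 200
1710 10.1.1.21 GET intranet.example.test /home 200
"""


def parse_log(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_c2_beacons(records, check_window=60):
    """Return (client, ts, host, preceded_by_check) for each C&C contact.

    preceded_by_check is True when the same client requested one of the
    connectivity-check hosts within check_window seconds beforehand, which
    matches the ordering the slide describes (check first, then C&C).
    """
    last_check = {}  # client -> ts of its most recent connectivity-check request
    alerts = []
    for r in records:
        host = r["host"].lower()
        if host in CONNECTIVITY_CHECK_HOSTS:
            last_check[r["client"]] = r["ts"]
        elif host in C2_HOSTS:
            seen = last_check.get(r["client"])
            preceded = seen is not None and 0 <= r["ts"] - seen <= check_window
            alerts.append((r["client"], r["ts"], host, preceded))
    return alerts


if __name__ == "__main__":
    for client, ts, host, preceded in find_c2_beacons(parse_log(SAMPLE_LOG)):
        print(f"{ts} {client} -> {host} (connectivity check first: {preceded})")
```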

Page 39

Page 40

• Highly sophisticated blended attack

Still not fully grasped, although multiple papers have been published

• Highly targeted

Industrial networks – used for industrial espionage

Precisely identifies the systems it infects through a fingerprinting process

• Highly targeted

Geographically

Page 41

• Common threats discussed :

Botnets

Web malware

Application-layer malware

• Common themes mentioned :

Mobility

Social media

Cloud

“Hacktivism”

Privacy & Responsibility / Cyber espionage

Malicious / careless employees

Page 42

• More types of new devices being added to networks

• Diversity of OSs and Apps

• New network entrance and exit points

• More data in more places to be protected

“…software glitches that need to be fixed—are part of the 'new reality' of making complex cell phones in large volumes.“

—Jim Balsillie, RIM CEO

Page 43

• Apple iOS devices cited by most analysts as “the next targets”

• Focus will be on applications, not the OS or related services

Page 44

"Know the enemy and know yourself; in a hundred battles you will never be in peril. When you are ignorant of the enemy, but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and yourself, you are certain in every battle to be in peril."

Page 45

Cisco Security Intelligence Operations including:

Global Threat Operations Centers

IntelliShield Threat and Vulnerability Analysis

Managed Services and IPS

SensorBase and SenderBase Analysts

Corporate Security Programs Office, Global Policy & Government Affairs

Global in scope

Encompasses network, content, physical & geopolitical security

Page 46

• Audit

• Assess

• Evaluate

• Monitor

• Correlate

Page 47

• Integration of security in business processes is a must

• Integration of security standards in business processes

Compliance (ISO27001)

• Convergence of data security and privacy regulation worldwide

• Data security goes to the cloud

Page 48

• Process, process, process:

Implement strong processes up front, document them, and use them

• User education campaigns:

Ensure there is an end-user education component of your broader information security strategy

• Make effective use of technology:

Technology exists to mitigate much of your risk of exposure to new threats—make sure you’re using what’s available

Page 49

• Attackers are always modifying their methods

• Users are the main focus of attacks

• Attackers follow the money

• Major systems (DNS, Internet PKI) have flaws, nothing is perfect

• Blended attacks are numerous and evolving

Page 50

• User education and security awareness training are critical

• Keep an eye on “old problems” while being vigilant about new risks

• Never underestimate the insider threat

• Develop strong (and realistic) policies for protecting sensitive data

• Security must move at the speed of crime

Page 51

Why Borderless Networks?

Cisco’s Architectural Approach

Cisco TrustSec Solution

Delivering Business Value

New and Evolving Threats

Page 52

• TrustSec provides a way to

Identify who is accessing your network

Determine how this access is attempted

Locate where this person is trying to access from

Evaluate what privilege this person has

• Based on the results, TrustSec provides

Admission to the network

Scope of resources this person can access

Level of services this person can access

Record of network usage

Page 53

[Figure: a Catalyst switch authenticating a guest, an employee and a printer via 802.1X, MAB or Web Auth, using RADIUS to ACS 5.1, a directory server, NAC Guest Server and NAC Profiler]

Various Authorization Methods (VLAN, Downloadable ACL, URL Redirect, etc.)

Scalable / Flexible Policy & Authentication Server supporting RBAC

Industry Leading Guest Service Server to provide full guest access management with Web Authentication

Profiling System to perform automatic device profiling for unattended devices or any type of network-attached device

Cisco IOS intelligence to provide phased deployment modes for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode)

Flexible Authentication Methods (802.1X, MAB, Web Auth in any order)

Page 54

• Can I create / manage the new VLANs or IP Address scope?

• How do I deal with DHCP refresh in new subnet?

• How do I manage ACL on VLAN interface?

• Does protocol such as PXE or WOL work with VLAN assignment?

• Any impact to the route summarization?

• Who’s going to maintain ACLs?

• What if my destination IP addresses are changed?

• Does my switch have enough TCAM to handle all requests?

Traditional access authorization methods (802.1X/MAB/Web Auth followed by VLAN assignment or ACL download) leave some deployment concerns:

Detailed design before deployment is required, otherwise…

Not so flexible for changes required by today’s business

Access control project ends up redesigning the whole network

Page 55

Source Group Tag Solution Overview

Page 56

• TrustSec is a broad umbrella for security improvements based on the capability to strongly identify users, hosts and network devices within a network

• TrustSec provides topology independent and scalable access controls by uniquely classifying data traffic for a particular role

• TrustSec ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers

Page 57

Security Group Based Access Control

Topology independent access control based on roles

Scalable ingress tagging via Source Group Tag (SGT) / egress filtering via Source Group ACL (SGACL)

Centralized Policy Management / Distributed Policy Enforcement

Confidentiality and Integrity

Encryption based on IEEE 802.1AE (AES-GCM 128-Bit)

Wire-rate hop-to-hop Layer 2 encryption

Key management based on 802.11n (SAP), awaiting standardization in 802.1X-REV

Authenticated Networking Environment

Endpoint admission enforced via 802.1X authentication, MAB, Web Auth (full IBNS compatibility)

Network device admission control based on 802.1X creates a trusted networking environment

Only a trusted network imposes the Security Group Tag


SGACL

Security Group Based Access Control allows customers:
• To keep existing logical design at access layer
• To change / apply policy to meet today's business requirement
• To distribute policy from central management server

(Diagram: 802.1X/MAB/Web Auth at the access layer; groups Finance (SGT=4) and HR (SGT=10); a user authenticating as "I'm a contractor, my group is HR" is classified as Contractor & HR and receives SGT = 100)


Security Group Tag (SGT)

• Unique 16 bit (65K) tag assigned to unique role
• Represents privilege of the source user, device, or entity
• Tagged at ingress of TrustSec domain
• Filtered (SGACL) at egress of TrustSec domain
• No IP address required in ACE (IP address is bound to SGT)
• Policy (ACL) is distributed from central policy server (ACS) or configured locally on TrustSec device

Customer Benefits
• Provides topology independent policy
• Flexible and scalable policy based on user role
• Centralized Policy Management for dynamic policy provisioning
• Egress filtering reduces TCAM impact


Layer 2 SGT Frame and Cisco Meta Data Format

Frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
(Figure labels: Encrypted / Authenticated; 802.1AE Header, CMD, ICV)

Cisco Meta Data (CMD) fields: Version | Length | CMD EtherType | SGT Opt Type | SGT Value | Other CMD Options

are the L2 802.1AE + TrustSec overhead

• Frame is always tagged at ingress port of TrustSec capable device
• Tagging happens prior to other L2 services such as QoS
• SGT namespace is managed on central policy server (ACS 5.x)
• No impact on IP MTU / fragmentation


• Traditional Firewall ACLs typically use an "any" for the source in their rules because they can't classify the source effectively

• Firewalls have started to evolve to use some extra mechanism to classify the source via identity

• Significant overhead can be created when using dynamic identity classification for the source
  - More ACLs, since each IP address is filled in for every rule on the FW
  - More resource consumption (TCAM, CPU, etc.)
  - This is exacerbated when you try to enforce outside of the DC, since the closer you are to the access layer the more hosts you have to defend.


(Diagram: users (source) S1 to S4 with roles Sales, HR, Finance, Managers, IT Admins, HR Rep; servers (destination) D1 to D6)

• (# of sources) * (# of destinations) * permissions = # ACEs

• Source (S1~S4) * Destination (D1~D6) * Permission (4) = 96 ACEs for S1~4

• The growing number of ACEs leads to resource consumption on the enforcement point

• Network Admin manages every IP source to IP destination relationship explicitly

S1 to D1 Access Control:
permit tcp S1 D1 eq https
permit tcp S1 D1 eq 8081
permit tcp S1 D1 eq 445
deny ip S1 D1

Access Control Entry: the number of ACEs grows as the number of permission statements increases


(Diagram: users S1 to S4 grouped into Security Groups (Source): MGMT A (SGT 10), MGMT B (SGT 20), HR Rep (SGT 30), IT Admins (SGT 40); servers D1 to D6 grouped into Security Groups (Destination): Sales SRV (SGT 500), HR SRV (SGT 600), Finance SRV (SGT 700); SGACL enforced between the groups)

• Network Admin manages every source "group" to destination "group" relationship

• This abstracts the network topology from the policy and reduces the number of policy rules necessary for the admin to maintain

• The network automates the alignment of users/servers to groups


• Assume current firewall technology where we don't specify a specific source (source = Any)

• 400 users accessing 30 network resources with 4 permissions each

With Traditional ACL on FW:
Any (src) * 30 (dst) * 4 permission = 120 ACEs

Traditional ACL on VLAN interface on router or FW, using subnet ranges for source group:
4 VLANs (src) * 30 (dst) * 4 permission = 480 ACEs

With SGACL:
4 SGT (src) * 3 SGT (dst) * 4 permission = 48 ACEs

Per source IP on port with Downloadable ACL:
1 Group (src) * 30 (dst) * 4 permission = 120 ACEs


SRC \ DST      SRV SGT 111   SRV SGT 222   SRV SGT 333
User SGT 10    Permit all    Deny all      Deny all
User SGT 20    SGACL-B       SGACL-C       Deny all
User SGT 30    Deny all      SGACL-D       Permit all

SGACL-D
permit tcp src dst eq 1433
#remark destination SQL permit
permit tcp src eq 1433 dst
#remark source SQL permit
permit tcp src dst eq 80
# web permit
permit tcp src dst eq 443
# secure web permit
deny all

All SGTs are mapped to SGACLs using the Egress Policy Matrix, available via the ACS5.x interface

Matrix row represents source SGT

Matrix column represents destination SGT

Content of SGACLs and whole matrix entries are provisioned to TrustSec capable devices


Step 1: ACS populates its SGT policy

(Diagram: ACS5.x with Directory Service; Campus Access with User A and User C; Data Center with Server A, Server B, Server C; TrustSec Enabled Network between them)

AD User   Role         SGT
User A    Contractor   10
User B    Finance      20
User C    HR           30

Server        Role             IP             SGT
HTTP Server   Server Group A   10.1.100.111   111
File Server   Server Group B   10.1.100.222   222
SQL Server    Server Group C   10.1.200.3     333

ACS is configured for its policy and all endpoints need to be mapped to SGT in policy


Step 2: SGTs are assigned to role and bound to IP address

(Diagram as in Step 1; the servers now carry SGT 111 / 222 / 333 and the users SGT 10 / 30. The AD user and server tables are the same as in Step 1.)

With 802.1X / MAB / Web Authentication, SGTs are assigned in an authorization policy via RADIUS

Access device snoops ARP and / or DHCP for the authenticated MAC address, then binds the assigned SGT to the snooped IP address

For servers, IP addresses are bound to SGT statically on the access switch or dynamically looked up on ACS using the IPM feature


Step 3: ACS provisions Egress Policy (SGT Matrix) to TrustSec capable Device

(Diagram as in Step 1; servers tagged 111 / 222 / 333, users tagged 10 / 30; SGACLs are pushed to each TrustSec capable device)

Each TrustSec capable device downloads policy from the central policy server, that is, the ACS server

SRC \ DST      Server A (111)   Server B (222)   Server C (333)
User A (10)    Permit all       Deny all         Deny all
User B (20)    SGACL-B          SGACL-C          Deny all
User C (30)    Deny all         SGACL-D          Permit all

SGACL-D
permit tcp src dst eq 1433
#remark destination SQL permit
permit tcp src eq 1433 dst
#remark source SQL permit
permit tcp src dst eq 80
# web permit
permit tcp src dst eq 443
# secure web permit
deny all


Step 4: Now the TrustSec network is ready to enforce the policy

(Diagram as in Step 3, with the same egress policy matrix)

User's traffic is tagged at ingress of TrustSec domain

SGT is carried when packet traverses within domain

At egress port, TrustSec device looks up local policy and drops packet if needed

Figure annotations: packets are tagged with SGT at ingress interface; SGACL applied for SGT10 to SGT111: Permit all; legend: CMD Tagged Traffic / Untagged Traffic


Step 5: SGACL allows topology independent access control

(Diagram as in Step 3, with the same egress policy matrix and SGACL-D)

Even if another user accesses on the same VLAN as in the previous example, his traffic is tagged differently

If traffic is destined to restricted resources, the packet will be dropped at the egress port of the TrustSec domain

Figure annotations: packets are tagged with SGT at ingress interface; SGACL-D is applied: SQL traffic = OK, SMB traffic = NG
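The five steps above walked through end to end, as an added example (not Cisco code, and not a description of how ACS or the switch software is implemented): the ingress switch classifies a packet by source IP to SGT, the egress switch resolves the destination SGT, selects the matrix cell and applies the first matching ACE. The server IP-to-SGT bindings, the egress policy matrix and SGACL-D are taken from the slides; the user IP addresses, the bodies of SGACL-B and SGACL-C, and the deny fallback for Unknown SGT (0) or an empty matrix cell are assumptions of this example.

```python
"""TrustSec SGT/SGACL enforcement model (added example, not Cisco code).

Bindings, the egress matrix and SGACL-D follow the slides; user IP addresses,
the bodies of SGACL-B/SGACL-C and the deny fallback for Unknown SGT are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # slide: SGT from a distrusted device is "Unknown", value zero


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "ip"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One SGACL entry. SGACL ACEs carry no IP addresses, only protocol and ports."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip matches any protocol)
    src_port: Optional[int] = None  # "src eq N"
    dst_port: Optional[int] = None  # "dst eq N"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


# SGACL-D exactly as listed on the slide (order matters: first match wins)
SGACL_D = [
    Ace("permit", "tcp", dst_port=1433),  # remark destination SQL permit
    Ace("permit", "tcp", src_port=1433),  # remark source SQL permit
    Ace("permit", "tcp", dst_port=80),    # web permit
    Ace("permit", "tcp", dst_port=443),   # secure web permit
    Ace("deny", "ip"),                    # deny all
]
PERMIT_ALL = [Ace("permit", "ip")]
DENY_ALL = [Ace("deny", "ip")]
# SGACL-B and SGACL-C are named but not listed on the slide: constructed stand-ins
SGACL_B = [Ace("permit", "tcp", dst_port=443), Ace("deny", "ip")]
SGACL_C = [Ace("permit", "tcp", dst_port=445), Ace("deny", "ip")]

# Step 2: IP-to-SGT bindings. Server entries are from the slide; the user
# addresses are constructed (the slide shows only roles and SGTs for users).
IP_TO_SGT: Dict[str, int] = {
    "10.1.100.111": 111,  # HTTP Server, Server Group A
    "10.1.100.222": 222,  # File Server, Server Group B
    "10.1.200.3": 333,    # SQL Server, Server Group C
    "192.0.2.10": 10,     # User A, Contractor (constructed address)
    "192.0.2.20": 20,     # User B, Finance (constructed address)
    "192.0.2.30": 30,     # User C, HR (constructed address)
}

# Step 3: egress policy matrix, row = source SGT, column = destination SGT
EGRESS_MATRIX: Dict[Tuple[int, int], List[Ace]] = {
    (10, 111): PERMIT_ALL, (10, 222): DENY_ALL, (10, 333): DENY_ALL,
    (20, 111): SGACL_B,    (20, 222): SGACL_C,  (20, 333): DENY_ALL,
    (30, 111): DENY_ALL,   (30, 222): SGACL_D,  (30, 333): PERMIT_ALL,
}


def classify_ingress(pkt: Packet, bindings: Dict[str, int] = IP_TO_SGT) -> int:
    """Step 4, ingress: tag the frame with the SGT bound to its source IP."""
    return bindings.get(pkt.src_ip, UNKNOWN_SGT)


def enforce_egress(src_sgt: int, pkt: Packet,
                   bindings: Dict[str, int] = IP_TO_SGT,
                   matrix: Dict[Tuple[int, int], List[Ace]] = EGRESS_MATRIX) -> str:
    """Step 4, egress: resolve the destination SGT, pick the matrix cell and apply
    the first matching ACE. A missing cell (e.g. Unknown source) is denied (assumption)."""
    dst_sgt = bindings.get(pkt.dst_ip, UNKNOWN_SGT)
    for ace in matrix.get((src_sgt, dst_sgt), DENY_ALL):
        if ace.matches(pkt):
            return ace.action
    return "deny"  # implicit deny when no ACE matches


def forward(pkt: Packet) -> Tuple[int, int, str]:
    """Whole path through the TrustSec domain: (source SGT, destination SGT, verdict)."""
    src_sgt = classify_ingress(pkt)
    dst_sgt = IP_TO_SGT.get(pkt.dst_ip, UNKNOWN_SGT)
    return src_sgt, dst_sgt, enforce_egress(src_sgt, pkt)


if __name__ == "__main__":
    # Step 5 on the slide: User C (SGT 30) to the file server (SGT 222) hits SGACL-D
    sql = Packet("192.0.2.30", "10.1.100.222", "tcp", src_port=50000, dst_port=1433)
    smb = Packet("192.0.2.30", "10.1.100.222", "tcp", src_port=50001, dst_port=445)
    print("SQL:", forward(sql))  # (30, 222, 'permit')
    print("SMB:", forward(smb))  # (30, 222, 'deny')
```

Running it reproduces the Step 5 outcome: SQL to the file server is permitted and SMB is denied for the same user on the same VLAN, because the verdict depends only on the (source SGT, destination SGT) pair and the ACEs in that cell, never on the addresses or the VLAN the packet came from. A packet from an address with no binding is tagged Unknown (0) and, under this example's fallback, dropped.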


• Any member of TrustSec domain needs to establish trust relationship to its peer, otherwise not trusted

• Only SGT from trusted member can be "trusted" and processed by its peer

• SGT from distrusted device is tagged as "Unknown", a special SGT (value is zero)

• A process of authenticating a PC is called "Endpoint Admission Control" (e.g. SGT tagging via 802.1X)

• A process of authenticating network device is called "Network Device Admission Control" or NDAC in short


NDAC

• Network Device Admission Control (NDAC) provides strong mutual authentication (EAP-FAST) to form trusted domain
• Only SGT from trusted peer is honored
• Authentication leads to Security Association Protocol (SAP) to negotiate keys and cipher suite for encryption automatically (mechanism defined in 802.11i)
• 802.1X-2010/MKA will succeed and replace SAP
• Trusted device acquires trust and policies from ACS server

Customer Benefits
• Mitigate rogue network devices, establish trusted network fabric to ensure SGT integrity and its privilege
• Automatic key and cipher suite negotiation for strong 802.1AE based encryption


NDAC validates peer identity before the peer becomes part of the circle of trust!

• The first device to authenticate against ACS is called TrustSec Seed Device
• Seed Device becomes authenticator to its peer supplicant
• Role determination process selects both Authenticator and Supplicant role
• NDAC utilizes EAP-FAST/MSCHAPv2
• Credential (including PAC) is stored in hardware key store

(Diagram: Seed Device authenticates to ACS5.x with EAP-FAST over RADIUS; ACS returns Authorization (PAC, Env Data, Policy))


• As device connects to its peer, TrustSec domain expands its border of trust
• If the device is not connected to ACS directly, the device is called non-Seed Device
• First peer to gain ACS server connectivity wins authenticator role
• In case of tie, lower MAC address wins

(Diagram: ACS5.x; Seed Device (Authenticator) --802.1X NDAC-- Non-Seed Device (Supplicant, then Authenticator towards the next hop) --802.1X NDAC-- Non-Seed Device (Supplicant))


CTS7K-DS 10.1.50.1

CTS7K-CORE# show cts interface ethernet 1/15
CTS Information for Interface Ethernet1/15:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-DC
Peer is: CTS Capable
802.1X role: CTS_ROLE_SUP
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853520000 an:2
Current transmit SPI: sci:18bad853460000 an:2

CTS7K-CORE 10.1.50.1

CTS7K-DC# show cts interface ethernet 1/3
CTS Information for Interface Ethernet1/3:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-CORE
Peer is: CTS Capable
802.1X role: CTS_ROLE_AUTH
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853460000 an:2
Current transmit SPI: sci:18bad853520000 an:2

802.1AE

TrustSec provides Layer 2 hop-by-hop encryption and integrity, based on the IEEE 802.1AE standard
• 128bit AES-GCM (Galois/Counter Mode) – NIST Approved *
• Line rate Encryption / Decryption for both 10GbE/1GbE interface
• Replay Protection of each and every frame
• 802.1AE encryption to protect CMD field (SGT value)

Customer Benefits
• Protects against man-in-the-middle attacks (snooping, tampering, replay)
• Standards based frame format and algorithm (AES-GCM)
• 802.1X-REV/MKA addition supports per-device security associations in shared media environments (e.g. PC vs. IP Phone) to provide secured communication
• Network service amenable hop-by-hop approach compared to end-to-end approach (e.g. Microsoft Domain Isolation/IPsec)

* NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)


TrustSec Frame Format

DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
(Figure labels: Encrypted / Authenticated)

MACSec Tag Format (802.1AE Header)
MACSec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)
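The SecTAG layout just shown, together with the per-frame replay protection claimed on the previous slide and reported as "Replay protection mode: Strict" in the show cts interface output, as an added example that is not Cisco or IEEE code: a Python parser for the 802.1AE SecTAG that separates the integrity-only header (DMAC, SMAC, SecTAG) from the secure data and the ICV, and a replay check with the 802.1AE window semantics, where window 0 is the strict mode. The sample frame is constructed; its SCI and AN reuse the values printed on the CLI slide, zero-padded to the 8-byte SCI size, and the sample MAC addresses are taken from those SCIs. No AES-GCM is performed, so the ICV is a placeholder, and the function and class names are this example's own.

```python
"""802.1AE SecTAG parser with replay protection (added example, not Cisco or IEEE code).

Field layout is the standard MACsec SecTAG shown on the slide: EtherType 0x88e5,
TCI/AN, SL, Packet Number, optional SCI. The sample frame is constructed; its SCI
and AN values are the ones printed by "show cts interface" on the earlier slide,
zero-padded to the 8-byte SCI size. No AES-GCM is performed: the ICV is a placeholder.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # AES-GCM-128 integrity check value is 128 bits

# SCIs from the slide's CLI output (sci:18bad853520000 / sci:18bad853460000)
SCI_RX = int("18bad853520000", 16).to_bytes(8, "big")
SCI_TX = int("18bad853460000", 16).to_bytes(8, "big")


@dataclass
class SecTag:
    es: bool   # End Station: SCI not carried, implied by SMAC + port 00-01
    sc: bool   # Secure Channel: 8-byte SCI present in the tag
    e: bool    # Encryption flag
    c: bool    # Changed-text flag (secure data differs from user data)
    an: int    # Association Number, 2 bits: selects the SA within the channel
    sl: int    # Short Length: non-zero only when secure data is under 48 bytes
    pn: int    # Packet Number: 32-bit, increasing per SA, never 0
    sci: Optional[bytes]


@dataclass
class MacsecFrame:
    dmac: bytes
    smac: bytes
    tag: SecTag
    aad: bytes          # integrity-protected only: DMAC, SMAC and the SecTAG
    secure_data: bytes  # integrity-protected, encrypted when E=1 (802.1Q, CMD, payload)
    icv: bytes


def parse_macsec_frame(frame: bytes) -> MacsecFrame:
    """Split a MACsec frame into SecTAG, authenticated header, secure data and ICV."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    dmac, smac = frame[:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame, EtherType 0x%04x" % ethertype)
    if tci_an & 0x80:
        raise ValueError("unsupported SecTAG version")
    if pn == 0:
        raise ValueError("PN 0 is invalid")
    es, sc = bool(tci_an & 0x40), bool(tci_an & 0x20)
    e, c, an = bool(tci_an & 0x08), bool(tci_an & 0x04), tci_an & 0x03
    sci: Optional[bytes] = None
    end = 20
    if sc:
        sci, end = frame[20:28], 28
    elif es:
        sci = smac + b"\x00\x01"  # 802.1AE: ES=1 without SC implies port identifier 1
    secure_data = frame[end:-ICV_LEN]
    if sl and len(secure_data) != sl:
        raise ValueError("SL does not match the secure data length")
    tag = SecTag(es, sc, e, c, an, sl, pn, sci)
    return MacsecFrame(dmac, smac, tag, frame[:end], secure_data, frame[-ICV_LEN:])


class ReplayProtection:
    """Per-SA replay check as in 802.1AE: accept when PN >= NextPN - window and
    advance NextPN past the highest accepted PN. window=0 is the strict mode shown
    on the slide. With a non-zero window a duplicate PN still inside the window is
    accepted, which is the trade-off of window mode on reordering links."""

    def __init__(self, window: int = 0) -> None:
        self.window = window
        self.next_pn: Dict[Tuple[bytes, int], int] = {}

    def accept(self, sci: bytes, an: int, pn: int) -> bool:
        key = (sci, an)
        next_pn = self.next_pn.get(key, 1)
        if pn < max(1, next_pn - self.window):
            return False
        self.next_pn[key] = max(next_pn, pn + 1)
        return True


def build_macsec_frame(dmac: bytes, smac: bytes, sci: bytes, an: int, pn: int,
                       secure_data: bytes, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    """Construct a frame with SC=1, E=1, C=1 (test data only: no real encryption or ICV)."""
    tci_an = 0x20 | 0x08 | 0x04 | (an & 0x03)
    sl = len(secure_data) if len(secure_data) < 48 else 0
    return dmac + smac + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + sci + secure_data + icv


def sample_frame(pn: int = 1000) -> bytes:
    """Constructed frame: MACs taken from the two slide SCIs, AN 2 as in the CLI output."""
    return build_macsec_frame(SCI_TX[:6], SCI_RX[:6], SCI_RX, 2, pn, b"constructed secure data")


if __name__ == "__main__":
    rp = ReplayProtection(window=0)  # "Replay protection mode: Strict"
    for pn in (1000, 1000, 999, 1001):
        tag = parse_macsec_frame(sample_frame(pn)).tag
        verdict = "accepted" if rp.accept(tag.sci, tag.an, tag.pn) else "dropped"
        print("PN %d AN %d: %s" % (tag.pn, tag.an, verdict))
```

In strict mode the second copy of PN 1000 and the late PN 999 are dropped while PN 1001 is accepted, which is the per-frame replay protection the slide lists. The aad/secure_data split is what the receiving ASIC would hand to AES-GCM as associated data and ciphertext respectively; the ICV is checked before the PN state is advanced in a real implementation, which this example omits since it does no cryptography.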


"Bump-in-the-wire" model
- Packets are encrypted on egress
- Packets are decrypted on ingress
- Packets are in the clear in the device

Allows the network to continue to perform all the packet inspection features currently used

(Figure: 128bit AES GCM Encryption on each link between devices; inside each ASIC: Decrypt at Ingress, everything in clear, Encrypt at Egress)


Why Borderless Networks?

Cisco’s Architectural Approach

Cisco TrustSec Solution

Delivering Business Value

New and Evolving Threats


Do I have a consistent Access Policy Architecture across my network for all Users and Devices?

Can mobile devices access my network securely, reliably and seamlessly?

Can my network deliver real-time collaboration experiences?

Can my network deliver protection from the premises to the Cloud?

Can my network optimize performance of applications Anytime, Anywhere?

Am I using my network to reduce my energy costs?

Is my network ready for current and future regulatory requirements?

Where am I now? Where do I start?


Services to Accelerate the Transformation

Enable a Smart Network / Enable the Architecture / Enable Business Solutions

Where Do I Start?
• Network Services Deployment
• EnergyWise Services
• TrustSec Services
• Application Velocity Services
• Video Experience Service

How Do I Keep It Current?
• Network Life Cycle Services
• Network Optimization Service
• Smart Net Total Care Services
• Smart Care Service
• SMARTnet
• IT Cost Optimization Service
• Remote Security Monitoring Service

Where am I Now?
• Architectural Assessments
• IPv6 Services
• Medianet Readiness Assessment

With Services from Cisco and Our Partners


Lower Total Cost of Ownership
• Network performance is improved with a pretested architecture

Prescriptive Solutions
• Preselected Cisco solutions provide the right functions for customers

Modular Design for the Future
• Build a network platform ready to support future deployments of unified communications, switching, wireless, routing, video, and data center

Complete designs with deployment guides for organizations scaling from 100 to 10,000 endpoints


Cisco Delivers the Platform for Your Business Innovations

The Borderless Organization Needs a Borderless Network Architecture

Cisco Is Uniquely Equipped to Deliver That Architecture with "Broad and Deep" Network Innovation


Thank you.