1© 2005 Cisco Systems, Inc. All rights reserved.10983_04_2005_c1
MANAGING YOUR SECURITY PAIN: OUTBREAK PREVENTION AND THEFT OF INFORMATION PREVENTION
CISCO BUSINESS SOLUTIONS WORKSHOP FOR RESELLERS
Agenda
• Security Challenges
• Self-Defending Networks
• Outbreak Prevention Using SDN
• Theft of Information Using SDN
• Summary
Key Issues Facing Organizations
GOALS:
• Market growth
• Brand loyalty
• Customer care
• Efficiency
• Productivity
• Cost mgmt
• Partnerships

SIMPLIFICATION AND COST REDUCTION
• Scalability
• Equipment cost
• Staffing (total cost of ownership)
• Integration and systems management

APPLICATION AND SERVICE OPTIMIZATION
• Enablers
• Application management
• Performance/Optimization
• Resilience

SECURITY
• Threats
• Theft
• Loss
• Response time
Vanishing Patch to Outbreak Window (time from patch release to worm outbreak, in days)

Worm        Patch       Patch released    Outbreak          Time (days)
NIMDA       MS00-078    Oct. 17, 2000     Sept. 18, 2001    336
SLAMMER     MS02-039    Jul. 24, 2002     Jan. 25, 2003     185
BLASTER.A   MS03-026    Jul. 16, 2003     Aug. 11, 2003     26
SASSER      MS04-011    Apr. 13, 2004     May 1, 2004       18
Why Business Disruptions Continue
• Viruses, worms, trojan horses, botnets penetrating defenses
  Viruses now #1 cause of financial loss (2004 CSI/FBI)
• Day-zero attacks can negate reactive solutions
• Point technologies easily bypassed, not designed to preserve network integrity or resiliency
• Non-compliant servers/desktops common, difficult to detect and contain
• Locating and isolating infected systems time and resource intensive
Threat Classifications
• VIRUS: Propagates via executable code (SMTP, POP, FTP, HTTP, etc.) Exploits unwary user or application “convenience” to execute a script or attachment that typically creates email-based propagation and installs back doors and Trojans
Examples: Bagle, Netsky
• WORM: Propagates over network. Exploits vulnerability in a remotely exploitable network application, often without user intervention, which typically further propagates and installs back doors and trojans
Examples: Code Red, Nimda
• HYBRID: Some threats exhibit a hybrid nature: they propagate as a virus, but the result can be more worm-like, in that they both spread via email and exploit vulnerable network applications
Examples: Lovegate, Patbot, Netsky
Threat Classifications
• TROJAN HORSE: A malicious or destructive security-breaking program disguised as something benign, such as a screen saver, a game, or some other program. A Trojan horse does not distribute itself, but may be widely redistributed as part of a computer virus, can be downloaded from the Internet, or is sent as an email attachment
• BOTNETS: A group of computers infected by a worm or Trojan and taken over surreptitiously by hackers. This network of computers can be used to attack networks by sending spam, viruses, Trojans, or launching distributed denial of service attacks. Individual computers in a botnet are sometimes known as zombies or agents.
  Current estimates claim more than 100,000 computers are being “recruited” into botnets every week, and may be responsible for everything from DoS attacks to spam email
• SPYWARE: Any program installed and running without the knowledge of the user. Spyware is designed to run in the background, track surfing habits, and record keystrokes; in other words, to spy on the user.
Security Paradigm Must Shift
A Secure Global Internet Can No Longer Rely on IMPLICIT TRUST
An Intelligent Information Network Builds Upon EXPLICIT TRUST
Future of Security
IP + Security
1. Point Appliance → Integrated Security
2. Disparate Security → Collaborative Security
3. Anti Virus → Adaptive Security
Self-Defending Network Strategy
Cisco Strategy to Dramatically Improve the Network’s Ability to Identify, Prevent, and Adapt to Threats

INTEGRATED SECURITY
• Secure Connectivity
• Threat Defense
• Trust and Identity

SECURITY TECHNOLOGY INNOVATION
• Endpoint Security
• Application Firewall
• SSL VPN
• Network Anomaly Detection

SYSTEM-LEVEL SOLUTIONS
• Endpoints + Networks + Policies
• Services
• Partnerships

SELF-DEFENDING NETWORK
Integrated Security Is the SDN Foundation

Trust and Identity: Verify the User and Device
• Control who/what has access

Secure Connectivity: Secure the Transport
• Protect data and voice confidentiality

Threat Defense: Protect the Interior
• Protect against internal attacks

Guard the Endpoints
• Protect hosts against infection (trojans, spyware, backdoors, etc.)

Defend the Edge
• Detect and prevent external attacks

(Diagram locations: Branch, University, Airport, Data Center, Campus, Mobile Workforce, Teleworker)
USING THE SELF-DEFENDING NETWORK FOR OUTBREAK PREVENTION
Sources of Infection and Outbreak
• Infected remote devices connecting to the internal network
• Improperly protected internal devices that become infected while browsing the Internet, etc.
• Malicious executables via email attachments or infected web sites
• Hackers planting trojan horses, time bombs, agent software (zombies), etc.
Unfortunately, these sorts of attacks continue to plague organizations in spite of significant investments in traditional security solutions
Outbreak Prevention Elements
Functions shown in the diagram:
• Identify Anomalous Behavior
• Perimeter Protection for Branch Against Worms, Viruses, etc. via IOS FW / IPS
• Prevent Outbreak Introduction and Propagation (NAC, AV, CSA)
• Identify and Prevent Outbreaks
• Enforce Outbreak Control: Quarantine, Remediate, Permit / Deny Access
• Identify and Contain Outbreaks
• Endpoint Protection (CSA)
• Identify Compliant and Non-Compliant Endpoints (NAC, AV, CSA)
• Ensure Security Compliance Before Allowing Internet Browsing
• Prevent Web Server-Based Infection

Components shown: Cisco ISR; Cisco “Clean Pipe” offered through a Managed Security Provider (Service Provider Network); Cisco PIX; Cisco 4200 IPS Sensor; Cisco Catalyst 6500; Web Servers, Email Servers, DNS Servers; Cisco Access Control Server; 3rd Party Policy Server; CiscoWorks VMS; Non-Responsive Assessment Server; Content Engine
NAC IN ACTION
Cisco NAC Solution Overview
NAC SOLUTION: Leverage the Network to Intelligently Enforce Access Privileges Based on Endpoint Security Posture

NAC CHARACTERISTICS
• Ubiquitous Solution for ALL Connection Methods
• Validates ALL Hosts
• Leverages Customer Investments In Cisco Network and Antivirus Solutions
• Supports Multiple Anti-virus Vendors and Cisco Security Agent (CSA)
• Quarantine and Remediation Services
• Deployment Scalability
NAC Appliance—Cisco Clean Access
Turnkey Policy Compliance and Remediation Solution for the SMB
• Role-based authentication
  Clean Access Server enforces authorization policies and privileges
  Supports multiple user roles (e.g. guests, employees, and contractors)
• Scans for security requirements
  Agent scan for required versions of Hotfixes, AV, and other software
  Network scan for virus and worm infections
  Network scan for port vulnerabilities
• Network quarantine
  Isolate non-compliant machines from rest of network
  MAC & IP-based quarantine effective at a per-user level
• Repair and update
  Network-based tools for vulnerability and threat remediation
  Help-desk integration
Cisco Clean Access System Operation
Components: Cisco Clean Access Agent (optional), Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server, Quarantine Role, Intranet/Network (THE GOAL)

1. End user attempts to access a web page or uses an optional client. Network access is blocked until end user provides login information.
2. User is redirected to a login page. CCA Server validates username and password. Also performs device and network scans to assess vulnerabilities on the device.
3a. Device is non-compliant or login is incorrect: User is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean.” Machine gets on “clean list” and is granted access to network.
Clean Access 3.5: Out of Band Deployment
• VLAN-based quarantine
  Manager performs switch management and port assignment
  Server performs remediation and is deployed on the quarantine VLAN
• Support for multiple switch infrastructures (2950, 3550, 3750, 4500, 6500)
  SNMP v1/v2c for “reads”
  SNMP v1/v2c/v3 for “writes”
• Supports multigigabit network deployment because the Server is only in the data path for non-certified devices
• Host retains IP address after “certification”
  Based on smart internal VLAN and DHCP mapping
• Does not require 802.1X infrastructure
(Diagram: CCA Server, CCA Manager)
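The admission decision described in the Clean Access slides above (login, agent and network scan, then either the clean list or the quarantine role, with the out-of-band variant moving the port to a quarantine VLAN while the host keeps its IP) can be modelled in a few dozen lines. The following is an added Python example, not Cisco code: the role policy, VLAN numbers, user credentials and posture values are constructed for illustration; the hotfix identifiers are the Microsoft bulletins the deck cites, and the forbidden listener ports are the Sasser ports it names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

QUARANTINE_VLAN = 99   # assumed quarantine VLAN number for this toy model

# Per-role requirements. Constructed policy for illustration, not a real
# Clean Access configuration. Hotfix IDs are the Microsoft bulletins the
# deck mentions; the forbidden listener ports are the Sasser ports it names.
ROLE_POLICY: Dict[str, dict] = {
    "employee":   {"required_hotfixes": {"MS03-026", "MS04-011"},
                   "max_av_sig_age_days": 7,
                   "forbidden_listen_ports": {5554, 9996},
                   "access_vlan": 10},
    "contractor": {"required_hotfixes": {"MS04-011"},
                   "max_av_sig_age_days": 3,
                   "forbidden_listen_ports": {5554, 9996},
                   "access_vlan": 20},
}

# Constructed credential store (plaintext only because this is a model).
USERS = {"alice": ("s3cret", "employee"), "bob": ("hunter2", "contractor")}


@dataclass
class Posture:
    """What the agent scan and the network scan report about the endpoint."""
    hotfixes: Set[str]
    av_sig_age_days: int
    listen_ports: Set[int]


@dataclass
class Decision:
    role: str
    vlan: int
    findings: List[str] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return not self.findings


def admit(username: str, password: str, posture: Posture) -> Decision:
    """Steps 2-3 of the Clean Access flow: authenticate, then validate posture.

    Anything that fails lands in the quarantine role (step 3a); a clean,
    authenticated device gets its role's production VLAN (step 3b).
    """
    entry = USERS.get(username)
    if entry is None or entry[0] != password:
        return Decision("quarantine", QUARANTINE_VLAN, ["login failed"])
    role = entry[1]
    policy = ROLE_POLICY[role]
    findings: List[str] = []

    missing = policy["required_hotfixes"] - posture.hotfixes
    if missing:
        findings.append(f"missing hotfixes: {sorted(missing)}")
    if posture.av_sig_age_days > policy["max_av_sig_age_days"]:
        findings.append(f"AV signatures {posture.av_sig_age_days} days old")
    bad_ports = posture.listen_ports & policy["forbidden_listen_ports"]
    if bad_ports:
        findings.append(f"suspicious listeners: {sorted(bad_ports)}")

    if findings:
        # Quarantine VLAN: the host keeps its IP, only the port's VLAN changes,
        # and the remediation resources live on that VLAN.
        return Decision("quarantine", QUARANTINE_VLAN, findings)
    return Decision(role, policy["access_vlan"])


if __name__ == "__main__":
    laptop = Posture({"MS03-026"}, av_sig_age_days=12, listen_ports={445, 5554})
    print(admit("alice", "s3cret", laptop))
```

The findings list is what the remediation page would show the user; a device with an empty list is the "clean list" case and is switched straight into its role's VLAN.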
Cisco Security Agent
• Next-generation security solution provides threat protection for servers and desktops
• Identifies and prevents malicious behavior before it occurs
• Unique behavior analysis addresses known and unknown threats
• Protects against: port scans, buffer overflows, Trojan horses, malformed packets, malicious HTML requests, e-mail worms, “day-zero” attacks, and more…
Threat Defense System Example: CSA Protection Against Sasser

Sasser lifecycle on a host, as drawn in the slide:
1) Probe: randomly scans IP addresses on port 445/tcp. Can scan up to 1,024 addresses simultaneously.
2) Penetrate: creates remote shell on port 9996/tcp. It then starts an FTP server listening on port 5554/tcp.
3) Persist: victim system connects back to attacking system on port 5554/tcp to retrieve copy of worm.
4) Paralyze: crashes infected devices; causes systems to reboot continuously.
5) Propagate
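The probe and connect-back steps above have a network footprint that a defender can look for in flow records even before a signature exists: one source fanning out to many distinct hosts on 445/tcp, followed by other hosts connecting to that source on 5554/tcp or 9996/tcp. The following is an added Python example of that detection logic, not part of the deck or of any Cisco product; the flow records, addresses, window size and threshold are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

SCAN_PORT, PULL_PORT, SHELL_PORT = 445, 5554, 9996   # ports from the Sasser description


class Flow(NamedTuple):
    ts: int      # seconds since start of the capture
    src: str
    dst: str
    dport: int


# Constructed flow records: 10.0.0.5 fans out to 300 hosts on 445/tcp in five
# minutes, 10.0.0.7 opens two ordinary file shares, and 10.0.0.8 connects back
# to 10.0.0.5 on 5554/tcp.
SAMPLE_FLOWS: List[Flow] = [
    Flow(i, "10.0.0.5", f"10.0.{i // 250}.{i % 250 + 1}", SCAN_PORT) for i in range(300)
] + [
    Flow(5, "10.0.0.7", "10.0.0.9", SCAN_PORT),
    Flow(6, "10.0.0.7", "10.0.0.10", SCAN_PORT),
    Flow(30, "10.0.0.8", "10.0.0.5", PULL_PORT),
]


def max_fan_out(flows: List[Flow], port: int, window: int) -> Dict[str, int]:
    """For each source, the largest number of distinct destinations it
    contacted on `port` inside any sliding window of `window` seconds."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda fl: fl.ts):
        if f.dport == port:
            by_src[f.src].append(f)
    result: Dict[str, int] = {}
    for src, fl in by_src.items():
        in_window: Dict[str, int] = defaultdict(int)   # dst -> flows inside window
        left, best = 0, 0
        for f in fl:
            in_window[f.dst] += 1
            while fl[left].ts < f.ts - window:          # expire flows older than the window
                old = fl[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def triage(flows: List[Flow], window: int = 60, threshold: int = 32) -> Dict[str, List[str]]:
    """Flag scanners, then any host that contacted a scanner on the worm's
    shell or download ports (the connect-back step), as a likely new victim."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    for src, n in max_fan_out(flows, SCAN_PORT, window).items():
        if n >= threshold:
            alerts[src].append(f"{n} distinct hosts on {SCAN_PORT}/tcp within {window}s")
    scanners = set(alerts)
    for f in flows:
        if f.dport in (PULL_PORT, SHELL_PORT) and f.dst in scanners:
            alerts[f.dst].append(f"inbound {f.dport}/tcp from {f.src}")
            alerts[f.src].append(f"connected to scanner {f.dst} on {f.dport}/tcp: likely new victim")
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_FLOWS).items():
        print(host, reasons)
```

The fan-out threshold is the tunable: legitimate file servers and management hosts talk to many peers on 445/tcp, so in practice the threshold is set from a baseline of each segment and the connect-back correlation is what raises confidence.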
Mitigating the Impact of an Internet Worm
(Diagram: Infected Source at the Access layer, Distribution, Core, System Under Attack)

Protect the End Systems
• Cisco Security Agent
Protect the Links
• QoS/ACL
Protect the Switches
• Cisco Express Forwarding (CEF)
• Rate Limiters
Prevent the Attack
• ACLs and NBAR
• Firewall / IPS
• NAC for Posture Validation

Comprehensive Enterprise Security Strategy Directed at Protecting the ENTIRE Network
Integrated Services Routers: Cisco Self-Defending Networks at Wire Speed

Trust and Identity: Leverage the Network to Intelligently Protect Endpoints
  Network Admission Control, 802.1x
Network Foundation Protection: Protect the Network Infrastructure from Attacks and Vulnerabilities
  Device Protection, Routing and Switching Protection
Secure Connectivity: Secure and Scalable Network Connectivity
  Secure Voice (sRTP, V3PN), DMVPN, MPLS & IPSec, Wirespeed Encryption
Threat Defense: Prevent and Respond to Network Attacks and Threats such as Worms
  Inline IPS, URL Filtering, Content Caching, AV Gateway, Netflow, Firewall

Complete, Preventative, Scalable Security Solutions
Hardware shown: Built-in VPN HW Encryption; NME/NME-X, HWIC, EVM, USB and GE slots and ports; Secure Voice; High Performance AIM Security and Voice Services; USB Ports for Removable Credentials
Integrated Security Services in the Small Office
(Diagram: Corporation, Cisco 800/1800 at the Remote Office, Internet, SP Network, IPSec VPN)
• Deep Packet Inspection Firewall for Managed Firewall Service
• High Speed Encryption for Managed IPSec or AES VPNs
• Inline IPS: Inline Threat Containment, Create Zones of Protection
• Cisco SDM Used for Setup and Monitoring of Security Policy
• User Authentication with 802.1x
• Router Enforces Firewall, Antivirus, URL access Policies at the Small Office
• Policy servers shown: Antivirus Policy System, N2H2/Websense URL Policy Server
Intrusion Prevention + Anti-Virus
Cisco and Trend Micro Symbiosis:
• Address the network virus/worm life cycle by providing system-level worm and virus defense across Cisco infrastructure
• Provide key extensions to the Cisco Self-Defending Network
• Integration of Trend Micro virus signature technologies into Cisco IPS signature database
  Enhanced anti-virus at the IPS sensor
  Better anti-virus signature response times
  No added cost, configuration or management burden
  Available since August 2004
• NEXT: Licensing of additional Trend Micro technology to address real-time protection against new threats
  Outbreak Prevention Service for real-time protection against new threats
New Cisco 800 Series Integrated Services Routers for Small Offices
• High performance for broadband access in small offices
• Advanced security including:
  Stateful inspection firewall
  IPSec VPNs (3DES or AES)
  Intrusion Prevention System (IPS)
  Antivirus support through Network Admission Control (NAC) and enforcement of secure access policies
  Cisco Easy VPN & DMVPN with Autosecure
• Secure WLAN 802.11b/g option with use of multiple, replaceable antennas
• 4-port 10/100 managed switch with 802.1q VLAN support & inline power using mid-span module
• Easy set up and deployment and remote management capabilities through Web-based tools and Cisco IOS Software
Cisco 1800 Series Fixed Configuration Integrated Services Routers (Cisco 1811 Shown)
• Dual, Replaceable Antennas (Antenna Options)
• DSL WAN Port: ADSL (1801), ADSL over ISDN (1802), G.SHDSL (1803)
• Console Port
• Security Cable Lock
• Internal Power Supply
• 8-Port 10/100 Switch with optional PoE (PoE Power Input)
• AUX Port
• Dual 10/100 MB FE WAN Ports (1811, 1812)
• USB 2.0 Ports for Security Tokens (1811/1812)
• ISDN S/T (1801, 1802, 1803, 1812) or Analog Modem (1811) for Backup and Out-of-Band Management
• Memory: Flash default 32 MB, max 128 MB; DRAM default 128 MB, max 384 MB
Cisco Security Device Manager (SDM): Combining Ease Of Use and Application Intelligence
Intuitive, Web-Based Device Management Tool Embedded in Cisco ISRs
• New Express Set Up feature
• Supports WLAN configurations and new ISRs
• Intelligent wizards: auto-detect misconfiguration and propose fixes
• Quick deployment: 1-Step Router lockdown (firewall), and VPN wizard (site-to-site, Easy VPN)
• Security audit: ICSA, TAC recommended security configuration
• Run from the Router (no software install needed)
• Run from a PC (ease of always using the most up-to-date version)
Miercom 1812 W and SDM 2.1.1 Test Findings: Redefining Integrated Services and Ease of Use
Verified Concurrent Secure, Broadband Wireless Services
“In our tests, the Cisco 1812 Wireless router ran multiple applications, including Network Admission Control, Firewall, and Intrusion Prevention, as well as NAT, QoS, SLA monitoring, and 3DES encryption over a backup link with DMVPN - all concurrent with routing traffic.
We figure that the latest version 2.1.1 of the SDM configuration and management application reduces in half the technical expertise required to properly configure and deploy the router with these services.”
Ed Mier, President, Mier Communications Inc.
View the Test Report at: www.miercom.com
* after external launch
USING THE SELF-DEFENDING NETWORK TO PREVENT THEFT OF INFORMATION
Theft of Information Characteristics

(Chart: Likely Sources of Attack, percent of respondents per year 1999–2003, for Foreign Gov., Foreign Corp., Independent Hackers, U.S. Competitors and Disgruntled Employees. Survey base: 2003: 488 Respondents/92%; 2002: 414 Respondents/82%; 2001: 484 Respondents/91%; 2000: 583 Respondents/90%; 1999: 460 Respondents/88%)

• Proprietary information stolen from the organization
  Intellectual property, patents, engineering designs, strategy, customer lists/data, etc.
• Committed by EXTERNAL or INTERNAL resources to the company
  Industrial espionage, organized crime, vandals, disgruntled employees, bragging rights, etc.
• Malicious intent, not accidental!
• Damage can be severe
  Cost, intellectual property lost, company image tarnished, competitive advantage reduced
The Cisco Theft of Information Prevention Solution

(Diagram: wired and wireless connections into a Cisco Catalyst with VLAN1 HR, VLAN2 Finance, VLAN3 Marketing (VLAN Creation and Assignment); Cisco IP Phone with Encrypted Voice; Cisco PIX Firewall; Cisco 4200 IPS Sensor; Cisco VPN 3000; Cisco ISRs across the Service Provider Network; CiscoWorks VMS; CSA on hosts; Cisco VPN Client; Wired Connection Site-to-Site Security via IPSec VPN; Remote Access Security via SSL and IPSec VPN)

• Identity Management and Access Enforcement: Grant and Enforce Access According to Trust Level
• Network Admission Control
• Data Confidentiality and Integrity: Secure Transport of Applications and Data Across Untrusted Networks
• Behavioral Policy Enforcement
• Perimeter Protection Against Unauthorized Actions
• Server Protection
Steps to Protect Against Theft
1) Determine if the device/user is trusted: NAC, IBNS
2) Once trusted, protect the user’s information: VPN
3) Protect endpoints and network from those “trusted” people (>70% thefts are committed by INTERNAL people!): CSA, FW, IPS, network intelligence
Grant Access Based on User Trust: Secure Access In Action (Identity Based Networking Services)

(Diagram: 802.1x Capable Client; 802.1x Capable Access Devices: 6500 Series, 4000 Series, 3550/2950 Series, Access Points; CiscoSecure ACS AAA Radius Server as 802.1x Authentication Server; Active Directory; Engineering VLAN)

1. 802.1x capable client: 802.1x Authentication Challenge and 802.1x Authentication Info exchanged with the access device
2. Verify Login and Check with Policy DB (Login + Certificate forwarded to the authentication server)
3. Login and Certificate Services (Active Directory): Login Verified
4. Credentials Verified: Login granted, Send Policies
   • Set port to enable
   • Set port vlan 10
5. Switch applies policies and enables port.
6. VLAN 10 (Engineering VLAN)
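The six-step exchange above, written out as an added Python example that is not Cisco code: the switch relays the supplicant's identity to the AAA server, the server checks login and certificate against the directory, looks up the policy, and answers with the standard RADIUS tunnel attributes (RFC 3580) that carry a dynamic VLAN assignment, which the switch then applies to the port. The directory entries, certificate serials, group-to-VLAN mapping and port names are constructed; EAP message details are reduced to log lines.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed directory and policy database standing in for Active Directory
# and the ACS policy store: user -> (password, certificate serial, group).
DIRECTORY = {"eng-user": ("pw-eng", "CERT-0001", "engineering"),
             "fin-user": ("pw-fin", "CERT-0002", "finance")}
TRUSTED_CERT_SERIALS = {"CERT-0001", "CERT-0002"}
GROUP_VLAN = {"engineering": 10, "finance": 20}   # VLAN 10 = Engineering, as in the slide


@dataclass
class RadiusResponse:
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: Dict[str, str] = field(default_factory=dict)


def aaa_server(username: str, password: str, cert_serial: str) -> RadiusResponse:
    """Steps 2-4: verify login and certificate, look up the policy, return it.

    The VLAN is carried in the standard RADIUS tunnel attributes (RFC 3580)
    that switches use for dynamic VLAN assignment.
    """
    entry = DIRECTORY.get(username)
    if (entry is None or entry[0] != password or entry[1] != cert_serial
            or cert_serial not in TRUSTED_CERT_SERIALS):
        return RadiusResponse("Access-Reject")
    vlan = GROUP_VLAN[entry[2]]
    return RadiusResponse("Access-Accept", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    })


@dataclass
class SwitchPort:
    name: str
    authorized: bool = False
    vlan: Optional[int] = None
    log: List[str] = field(default_factory=list)


def authenticate_port(port: SwitchPort, username: str, password: str,
                      cert_serial: str) -> SwitchPort:
    """The authenticator (switch) side: relay the exchange, then apply policy."""
    port.log.append(f"{port.name}: EAP-Request/Identity -> supplicant")      # step 1
    port.log.append(f"{port.name}: EAP-Response/Identity <- {username}")
    resp = aaa_server(username, password, cert_serial)                       # steps 2-4
    if resp.code != "Access-Accept":
        port.authorized, port.vlan = False, None
        port.log.append(f"{port.name}: EAP-Failure, port stays unauthorized")
        return port
    port.vlan = int(resp.attributes["Tunnel-Private-Group-ID"])              # step 5
    port.authorized = True
    port.log.append(f"{port.name}: EAP-Success, port enabled in VLAN {port.vlan}")  # step 6
    return port


if __name__ == "__main__":
    print(authenticate_port(SwitchPort("Fa0/1"), "eng-user", "pw-eng", "CERT-0001"))
```

The point the model makes explicit is that the port has no VLAN and forwards nothing until the server's Access-Accept arrives; a wrong password, an unknown user or an untrusted certificate all end in the same unauthorized state.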
Protect the Voice and Data
Data Privacy and Integrity (Remote Office to Headquarters over VPN)
• Cisco CallManager: Call setup and signaling; Host IDS protection
• Cisco IP Phone: Phone handset with integrated QoS
• Cisco VPN Branch Routers: Integrated LAN, WAN, IP Routing, voice gateway and security
  Firewall, VPN, Intrusion Protection
• Cisco VPN Head-End Router: IPSec integration with Voice, Video, Data
  Scalable VPN termination; Site to site / remote access VPN; Bandwidth allocation
Cisco Rated Only Fully-Secure IPT System
• Cisco had the only solution named “Secure” in grueling independent test:
  “Breaking Through IP Telephony,” Network World Magazine, May 24, 2004
  Hundreds of tests over 3 days, Layers 2–6
  Cisco had highest grade awarded
  NO exploitable vulnerabilities found
  NO negative effect on voice quality
• Other vendor solutions had “serious vulnerabilities”
“To date we have not seen a VoIP solution that outperforms the security provided by Cisco.”
Randall Birdsall, Miercom
Remote Access—SSL and IPSec VPNs Deployment Scenarios
SSL VPN
• Uses a standard web browser to access the corporate network
• SSL encryption native to browser provides transport security
• Applications accessed through browser portal
• Limited client/server applications accessed using applets
• Granular access control can limit access to specific web pages or other internal resources
• IT department may have limited or no control over the remote system, especially in the case of a partner
• Strong authentication a necessity

IPSEC VPN
• Uses purpose-built client software for network access
• Client provides encryption and desktop security
• Client establishes seamless connection to network
• All applications are accessible through their native interface; no browser dependency
• Access control less granular: wide open or limited to certain internal hosts or subnets
• IT department often maintains complementary applications on PC like anti-virus and personal firewall software
• Strong authentication desirable
373737© 2005 Cisco Systems, Inc. All rights reserved.10983_04_2005_c1
Protecting Proprietary Data: Example
Q. How do you allow access to sensitive data from a potentially hostile environment?
Contractors, partners, consultants that need access to some of your information to do their work, but you don’t want them to take that information with them when they leave
A. Don’t let data stay in the hostile environment. Control the applications accessing data and prevent them from storing or printing the sensitive data in non-protected locations
Cisco Secure Desktop: Comprehensive Endpoint Security for SSL VPN
THE TECHNOLOGY: VIRTUAL SECURE DESKTOP
Removes sensitive security information (cookies, browser cache/history, e-mail file attachments, etc.) related to an SSL VPN connection at the close of the session. This protects from exploitation of such information for host network or system penetration.
• The Virtual Secure Desktop is transparent to the end user and automatically creates a secure session under Windows 2000 and Windows XP
• User can still have access to all of the PC’s hardware and software resources
• All applications and processes that run in the Virtual Secure Desktop are controlled
• The Virtual Secure Desktop creates a cryptographic file system on the fly and nothing is ever written in clear on the disk
393939© 2005 Cisco Systems, Inc. All rights reserved.10983_04_2005_c1
CSA Protects Against Theft
• CSA can prevent files from being copied to removable hard drives (ex. USB stick)
• CSA can prevent sensitive information from being saved on local machines
• CSA can identify and protect against port scans
• CSA can thwart hackers trying to gain access to the system using strange methods (i.e. bad behavior profiles)
404040© 2005 Cisco Systems, Inc. All rights reserved.10983_04_2005_c1
Cisco Self-Defending Network: Controlling the Who, What, Where, When, Why, and How
Cisco Self-Defending Network Solution That Strictly Controls Access to Sensitive Data
• Who—allow access to sensitive data only by authorized personnel
• What—prevent data from ever being stored, copied, or printed outside the secure environment
• Where—ensure data is only stored in the secure location
• When—users process data normally, but the data never “sleeps” outside of the secure area; control access time
• Why—better protect sensitive data with higher levels of security
• How—data access is restricted, authenticated, and audited by Cisco Self-Defending Network
414141© 2005 Cisco Systems, Inc. All rights reserved.10983_04_2005_c1
Solution Example
(Diagram: SECURE AREA containing SAN Disks, CSA MC, Printers, VPN3000, PIX and IPS; INSECURE AREA containing Workstations running CSA + VPN)

1. Workstations use VPN to access secure area
   AYT + CSA; PIX rejects all other traffic
2. Inline IPS blocks all non-file access to NAS
   File and Print OK; all else dropped
3. CSA controls access to NAS
   Only approved apps; apps can only store data on NAS; apps can only print to NAS printers; access audited
424242© 2005 Cisco Systems, Inc. All rights reserved.10983_04_2005_c1
INTERNAL Theft of Information Risk: Man-in-the-Middle Attack Protection
Catalyst Integrated Security Features (CISF) Protect Both Data and VoIP Applications Against Theft
CISF Technologies:
• Port Security
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard
• BPDU Guard
• Root Guard
• ACLs
434343© 2005 Cisco Systems, Inc. All rights reserved.10983_04_2005_c1
Port Security Protects Against MAC Address Flooding Attacks
Problem: Thief can plug a device onto the wire before the switch port and gain access to the network (a stream of source MAC addresses such as 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, … appears on the port).

Solution: Port Security limits the number of devices that can use that port. Only 3 MAC addresses allowed on the port: Shutdown. Thief can not gain access.
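What the "only 3 MAC addresses, then shutdown" rule does to a port that sees a stream of new source addresses can be seen in a small model. This is an added Python example, not Cisco IOS code: it reproduces the three IOS violation modes (shutdown, restrict, protect) as the text describes them, with the port name, address limit and 00:0e:00:xx:xx:aa source addresses constructed for the run.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SecurePort:
    """Model of one access port with port security enabled.

    violation_mode follows the three IOS modes: 'shutdown' err-disables the
    port, 'restrict' drops and counts, 'protect' drops silently.
    """
    name: str = "Fa0/1"
    max_addresses: int = 3               # "Only 3 MAC addresses allowed on the port"
    violation_mode: str = "shutdown"
    learned: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False                 # nothing passes until an admin recovers the port
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.max_addresses:
            self.learned.add(src_mac)    # the first N sources are learned as allowed
            return True
        self.violations += 1
        if self.violation_mode == "shutdown":
            self.err_disabled = True
            self.log.append(f"{self.name}: err-disabled after unexpected source {src_mac}")
        elif self.violation_mode == "restrict":
            self.log.append(f"{self.name}: dropped {src_mac} (violation #{self.violations})")
        return False                     # 'protect' drops without logging


def unknown_sources(n: int, mode: str = "shutdown") -> Tuple[SecurePort, int]:
    """Send one frame from each of n distinct constructed source MACs through
    a fresh port; return the port and how many frames were forwarded."""
    port = SecurePort(violation_mode=mode)
    forwarded = 0
    for i in range(n):
        if port.receive(f"00:0e:00:{i >> 8:02x}:{i & 0xff:02x}:aa"):
            forwarded += 1
    return port, forwarded


if __name__ == "__main__":
    port, fwd = unknown_sources(5000)
    print(fwd, "forwarded;", "err-disabled" if port.err_disabled else "up", port.log)
```

In shutdown mode the fourth address takes the port down, so only three frames ever get through and the switch's forwarding table never fills; restrict mode keeps the port up for the three learned hosts but drops and counts everything else, which is the mode to choose when a single violation should raise an alert rather than an outage.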
Dynamic ARP Inspection
(Diagram: an end device whose gateway is 10.1.1.1; a host at 10.1.1.2 sends a Gratuitous ARP to change the end device’s ARP table, claiming “I’m Your GW: 10.1.1.1”; the switch answers “Not by my Binding Table”. Labels shown: IP: 10.1.1.1, MAC: 0000.0000.0001)

What It Does: Maintains a binding table containing IP and MAC address associations dynamically populated using DHCP Snooping
Benefit: Ensures integrity of user and default gateway information such that traffic cannot be captured
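The check the switch performs in the slide, an ARP packet on an untrusted port is forwarded only if its sender IP/MAC pair matches the binding that DHCP snooping recorded, as an added Python example that is not Cisco code. The topology (gateway behind a trusted uplink, two DHCP clients on access ports), the port names, the VLAN and the MAC addresses are constructed for the run.

```python
from typing import Dict, List, NamedTuple, Set, Tuple


class Binding(NamedTuple):
    ip: str
    mac: str
    vlan: int
    port: str


class ArpPacket(NamedTuple):
    op: str            # "request" or "reply" (a gratuitous ARP is an unsolicited reply)
    sender_mac: str
    sender_ip: str
    target_ip: str
    ingress_port: str
    vlan: int


class DaiSwitch:
    """Switch model with DHCP snooping feeding Dynamic ARP Inspection."""

    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[int, str], Binding] = {}
        self.log: List[str] = []

    def dhcp_lease(self, vlan: int, port: str, ip: str, mac: str) -> None:
        """DHCP snooping: a completed lease seen on an untrusted port creates
        the IP-to-MAC binding that DAI will later check against."""
        self.bindings[(vlan, ip)] = Binding(ip, mac, vlan, port)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the ARP packet is forwarded, False if DAI drops it."""
        if pkt.ingress_port in self.trusted:
            return True                      # trusted uplink (router/DHCP server side)
        b = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if b is None or b.mac != pkt.sender_mac:
            self.log.append(f"DAI drop on {pkt.ingress_port}: {pkt.sender_ip} "
                            f"claimed by {pkt.sender_mac}, binding is "
                            f"{b.mac if b else 'absent'}")
            return False
        return True


def build_demo_switch() -> DaiSwitch:
    """Constructed topology: gateway 10.1.1.1 behind trusted uplink Gi0/1,
    two DHCP clients on untrusted access ports (MACs are constructed)."""
    sw = DaiSwitch(trusted_ports={"Gi0/1"})
    sw.dhcp_lease(10, "Fa0/2", "10.1.1.2", "0000.0000.0002")
    sw.dhcp_lease(10, "Fa0/3", "10.1.1.3", "0000.0000.0003")
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    # Gratuitous ARP from 10.1.1.2's port claiming to be the gateway: dropped.
    spoof = ArpPacket("reply", "0000.0000.0002", "10.1.1.1", "10.1.1.3", "Fa0/2", 10)
    print(sw.inspect(spoof), sw.log)
```

The model also shows why DHCP snooping is a prerequisite: with no lease recorded for an address there is no binding to validate against, so a host with a static address on an untrusted port is dropped too unless an administrator adds a static binding for it.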
Integrated Security Advantages
Use What You Have
Leverage existing network infrastructure by enabling security through Cisco IOS
Protect Your Infrastructure
Use the network to protect the network
Save Time and Money
Minimize the number of devices and management tools; maximize IT staff efficiency
Deploy Security Where You Need It Most
Apply security functionality anywhere in the network—protect all network entry points
Reduce Your Risk!
Deploy integrated security to minimize exposure to risk
“ANYONE CAN BUILD A STOP SIGN—OR EVEN A TRAFFIC LIGHT—BUT IT TAKES A DIFFERENT MIND-SET ENTIRELY TO CONCEIVE OF A CITY-WIDE TRAFFIC CONTROL SYSTEM.”
Bruce Schneier, “Beyond Fear”