Security Architecture

Haider Pasha, CISSP
SSEM, Emerging Central Architectural Plays
[email protected]

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential


Traditional Corporate Border

Diagram: the corporate border encloses the corporate office, the branch office, applications and data, and policy; attackers, customers and partners sit outside it.

Mobility and Collaboration Is Dissolving the Internet Border

Diagram: the same corporate border, but users now connect from the home office, a coffee shop, the airport and as mobile users, alongside customers, partners and attackers, all outside the border.

Cloud Computing Is Dissolving the Data Center Border

Diagram: in addition to the remote and mobile users, applications and data now also live outside the border, in Platform as a Service, Infrastructure as a Service, Software as a Service and "X as a Service" offerings.

Customers Want Business Without Borders

Diagram: the same picture as the previous slide (corporate office, branch, home office, coffee shop, airport, mobile user, partners, customers, attackers and the PaaS, IaaS, SaaS and X-as-a-Service clouds), with policy still anchored inside the corporate border.

Cisco's Network Security Architecture

1. Borderless End Zones
2. Borderless Internet
3. Borderless Data Center
4. Policy (Access Control, Acceptable Use, Malware, Data Security)

Diagram: the four numbered elements overlaid on the borderless picture of corporate office, branch, home office, coffee shop, airport, mobile user, partners, customers, attackers and the PaaS, IaaS, SaaS and X-as-a-Service clouds.

Cisco Security Architecture For Enterprise (SAFE)

Security Reference Architecture: free technical design and implementation guide

• Collaboration between security and network devices
• Uses network intelligence
• Fully tested and validated
• Speeds implementation
• Modular design
• Unifies security policy

SAFE Strategy

Places in the network: Data Center, LAN/Campus, WAN Edge, Branch, Internet Edge, E-commerce, Cisco Teleworker, Virtual User, Partner Sites

Policy and Device Management

Security Solutions: PCI, DLP, Threat Control, Secured Mobility, Unified Communications, Network Virtualization

Visibility: Identify, Monitor, Correlate
Control: Harden, Isolate, Enforce

Network Foundation Protection

Network Devices: Routers, Servers, Switches
Security Devices: VPNs, Monitoring, Admission Control, Intrusion Prevention, Firewall, Email Filtering

SAFE Security Architecture Modules

Diagram: Partner (Extranet), WAN Edge, Internet Edge, E-Commerce, Core, Data Center, Management, Teleworker and Branch modules, connected across the LAN/Campus, the WAN and the Internet, with SensorBase feeding the Internet-facing devices.


Securing the LAN

Campus/LAN Access

Diagram: access, distribution and core layers.

Catalyst Integrated Security Features
Threat Detection and Mitigation
Network Foundation Protection
Edge Protection
Network Access Control
Enhanced Availability and Resiliency
Secure Unified Communications
Secure Unified Wireless Network
Endpoint Security

SAFE Threat Response

Threats addressed: Service Disruption, Unauthorized Access, Data Leakage, Data Disclosure and Modification, Network Abuse, Identity Theft and Fraud

Increasing Visibility for the LAN
– Identify: LAN/port authentication, user authentication, firewall deep packet inspection, traffic classification
– Monitor: intrusion detection, network management, event monitoring, network telemetry, syslog
– Correlate: event analysis and correlation

Increasing Control for the LAN
– Harden: Network Foundation Protection, OS hardening, CISF, endpoint security, link and system redundancy
– Isolate: VLANs, network access control, IPS, firewall access control
– Enforce: stateful firewall access control; ACLs, uRPF, antispoofing; DHCP snooping; port security; intrusion prevention; QoS enforcement; network access control

Protecting the Network Devices: Secure Device Access

Diagram: servers, users and a management segment; management traffic reaches the devices either in-band in the clear, in-band secured, or over an out-of-band (OOB) management network.

In-band, in the clear (not recommended)
– Telnet, HTTP, FTP, TFTP, SNMPv2c

In-band, secure (recommended)
– SSH, SSL, IPsec, SNMPv3, SFTP

Out-of-band management (most secure)
– Dedicated interfaces and network
– Logically separate (VLAN, VRF)
– Strongest security
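The IOS configuration below is an added example, not a slide from the deck: it applies the "in-band, secure" and logically separate management recommendations to a Catalyst access switch. Clear-text services (Telnet, HTTP, the small TCP/UDP servers, SNMPv2c community strings) are turned off; SSHv2, SNMPv3 with authentication and privacy, and an access-class that admits only the management segment are turned on. The hostname, domain name, management VLAN 250 (10.1.250.0/24), the NMS at 10.1.250.20, the user names and every key string are assumptions made for the example.

```cisco
! Added example; hostname, VLAN 250, 10.1.250.0/24, 10.1.250.20 and all
! credentials are assumptions, not values from the slides.
hostname access-sw1
ip domain-name example.net
service password-encryption
!
! Management SVI on its own (logically separate) VLAN. User VLANs are not
! routed to it, and the access-class below refuses anything else anyway.
interface Vlan250
 description management segment
 ip address 10.1.250.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Only the management segment may open a session to the device.
ip access-list standard MGMT-HOSTS
 permit 10.1.250.0 0.0.0.255
 deny   any log
!
! SSH version 2 only. The RSA key is generated after hostname and domain
! name are set; 2048 bits so the host key is not the weak link.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username netops privilege 15 secret Example-Local-Fallback-Only
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
line con 0
 exec-timeout 10 0
 login local
!
! Clear-text and unneeded management services off.
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip finger
!
! SNMPv3 authPriv only: no community strings, a read-only view, and the
! same management ACL applied to the SNMP group.
no snmp-server community public
no snmp-server community private
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-RO v3 priv read MGMT-VIEW access MGMT-HOSTS
snmp-server user nms-poller MGMT-RO v3 auth sha ExampleAuthPass priv aes 128 ExamplePrivPass
snmp-server host 10.1.250.20 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
! Checks: "show ip ssh" must report version 2.0, "show snmp user" must list
! nms-poller with SHA authentication and AES128 privacy, and a Telnet
! attempt from 10.1.250.20 must be refused.
```

If a web GUI is genuinely required, enable `ip http secure-server` together with an `ip http access-class` pointing at the same management subnet rather than re-enabling plain `ip http server`.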

Protecting the Network Devices: Device Resiliency and Survivability

Disable unnecessary services
– Identify open ports
– Disable unneeded open ports
– Disable CDP on interfaces where it may pose a risk (e.g. data-only user ports in the campus)
– Ensure directed broadcasts are disabled on all interfaces
– Disable MOP, IP redirects, and proxy ARP on access lines

Implement redundancy
– Backup and redundant interfaces
– Redundant processors and modules
– Active-standby, active-active failover
– Topological redundancy

Diagram: redundant access, distribution and core switches.
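As an added example (not from the deck), the IOS configuration below works through the "disable unnecessary services" bullets in order and then adds one piece of topological redundancy, an HSRP gateway with uplink tracking. It is split across an access switch, a distribution switch and a WAN router; the interface names, VLAN 20, the addresses and the HSRP key are assumptions.

```cisco
! Added example; interface names, VLAN 20, addresses and keys are assumed.
!
! 1. Identify what is listening before disabling anything (exec mode):
!    show control-plane host open-ports
!    show ip sockets
!    show cdp neighbors detail
!
! 2. Global services that neither a campus switch nor a WAN router needs.
no service pad
no service tcp-small-servers
no service udp-small-servers
no service config
no ip finger
no ip bootp server
no ip source-route
!
! --- access switch ---
! 3. CDP stays on globally (IP phones and the NMS rely on it) but is
!    disabled on data-only user ports, where it would only advertise the
!    switch model, IOS version and management address to whoever plugs in.
interface range GigabitEthernet1/0/25 - 44
 description data-only user port
 switchport mode access
 switchport access vlan 20
 no cdp enable
!
! --- distribution switch ---
! 4. On SVIs and routed interfaces: no directed broadcasts (smurf-style
!    amplification), no ICMP redirects, no proxy ARP, no unreachables.
! 5. Redundant gateway: HSRPv2 with MD5 authentication and uplink tracking,
!    so a dead core uplink hands the virtual address to the peer switch
!    (which carries 10.1.20.3 at priority 100).
track 1 interface TenGigabitEthernet1/1 line-protocol
interface Vlan20
 description data-only user VLAN gateway
 ip address 10.1.20.2 255.255.255.0
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 standby version 2
 standby 20 ip 10.1.20.1
 standby 20 priority 110
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string ExampleHsrpKey
 standby 20 track 1 decrement 20
!
! --- WAN router ---
! 6. On a router's LAN-facing access line, MOP as well.
interface GigabitEthernet0/1
 description LAN-facing router interface
 no mop enabled
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
!
! Check after the change: "show control-plane host open-ports" should list
! only SSH, SNMP and the routing/HSRP ports; "show standby brief" should
! show VLAN 20 Active on this switch and Standby on the peer.
```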

Protecting the Links: QoS Trust Boundary

Diagram: endpoints, access, distribution, core and WAN aggregation; candidate trust boundaries are marked 1, 2 and 3 from the endpoint inward.

1. A device can be trusted if it correctly classifies packets
2. For scalability, classification should be done as close to the edge as possible
3. The outermost trusted devices represent the Trust Boundary
4. 1 and 2 are optimal, 3 is acceptable (if access switch cannot perform classification)
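The Catalyst (3750-style `mls qos`) configuration below is an added example, not a slide from the deck. It places the trust boundary at the edge for the optimal cases (1 and 2: a Cisco IP phone detected via CDP is trusted, a bare PC port is not) and, for the acceptable case 3, shows the distribution switch re-classifying traffic from an access switch that cannot classify. Interface ranges, VLANs 10/20/110 and the RTP port range used for classification are assumptions.

```cisco
! Added example; port ranges, VLANs and the RTP port range are assumptions.
mls qos
!
! --- access switch: trust boundary at the phone (case 1) or the port (2) ---
! Phone ports: CoS is trusted only while CDP reports a Cisco IP phone on the
! port; the phone rewrites the PC's CoS to 0, so the PC behind it is untrusted.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust device cisco-phone
 mls qos trust cos
!
! Data-only ports: explicitly untrusted, all ingress markings reset to 0, so
! a host cannot promote its own traffic into the voice or control queues.
interface range GigabitEthernet1/0/25 - 44
 switchport mode access
 switchport access vlan 20
 no mls qos trust
!
! Uplink: the access switch is inside the boundary, so DSCP is trusted.
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 mls qos trust dscp
!
! --- distribution switch: trust boundary here for case 3 only ---
! The downlink to an access switch that cannot classify is untrusted;
! voice is identified by its RTP port range and marked EF here, and
! everything else is reset to default.
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
class-map match-all VOICE-RTP
 match access-group name VOICE-RTP
policy-map MARK-FROM-ACCESS
 class VOICE-RTP
  set dscp ef
 class class-default
  set dscp default
interface GigabitEthernet1/1
 description downlink to access switch without classification
 switchport mode trunk
 no mls qos trust
 service-policy input MARK-FROM-ACCESS
!
! Check: "show mls qos interface GigabitEthernet1/0/1" reports
! "trust state: not trusted" until a phone is detected, then "trust cos".
```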

Protecting the Control Plane: Control Plane Policing, Incoming Traffic

Diagram: on each linecard, data traffic is switched by the forwarding ASICs; control packets and packets destined to the switch CPU pass through the ingress control plane, where the control-plane service policy is applied to pre-configured system traffic types and user-configurable traffic types before they reach the switch CPU. Only packets that conform to the control-plane service policy are delivered.

1. Hardware-based mechanisms
2. Rate limit CPU-bound traffic
3. Protect from DoS attacks
4. Control Plane Policing ensures routing stability, reachability and packet delivery
5. Filters and rate limits traffic headed to the control plane

Monitoring and Telemetry: NetFlow

1. Inspect a packet's 7 key fields and identify the values.
2. If the set of key field values is unique, create a flow record or cache entry.
3. When the flow terminates, export the flow to the collector.

Diagram: packets, NetFlow export, reporting; NetFlow's 7 key fields.

NetFlow benefits
– Distributed traffic monitoring
– Track each data flow that appears in the network (establish baseline)
– Detect anomalies by analyzing traffic characteristics and deviations from baseline
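The seven key fields the slide refers to are source IP address, destination IP address, source port, destination port, Layer 3 protocol, ToS byte and input interface; a packet whose values for these seven fields match an existing cache entry is counted against that flow, otherwise a new entry is created. The IOS configuration below is an added example, not a slide from the deck, and shows the export and cache-timer settings that make the baseline-and-deviation use case work. The collector 10.1.250.40 on UDP 2055, Loopback0 and the monitored interfaces are assumptions.

```cisco
! Added example; collector 10.1.250.40:2055, Loopback0 and interfaces assumed.
!
! Export source: a loopback, so records arrive at the collector from one
! stable address it can key the device on.
interface Loopback0
 ip address 10.1.255.1 255.255.255.255
!
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.1.250.40 2055
!
! Cache timers. Long-lived flows are exported every minute (active) rather
! than at the 30-minute default, so the baseline and the anomaly detector
! are not blind to a slow exfiltration or a long-running scan until it
! ends; idle flows are flushed after 15 seconds (inactive).
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! Flow creation on ingress of every interface whose traffic should be
! baselined: the core uplink and the user/voice VLAN gateways. Enabling
! ingress everywhere sees each direction exactly once on this hop.
interface TenGigabitEthernet1/1
 description uplink to core
 ip flow ingress
interface Vlan10
 description user data VLAN gateway
 ip flow ingress
interface Vlan110
 description voice VLAN gateway
 ip flow ingress
!
! Checks:
!   show ip cache flow    live cache; the SrcIf, SrcIPaddress, DstIPaddress,
!                         Pr, SrcP and DstP columns are the key fields
!   show ip flow export   export statistics, including failed exports
```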

Internal Perimeter Access Control and Security: NAC

NAC benefits:
1. Recognizes users, their devices, and their roles in the network
2. Evaluates whether machines are compliant with security policies
3. Enforces security policies by blocking and isolating noncompliant machines

NAC Appliance components
1. NAS (NAC Server, the enforcement point)
2. NAM (NAC Manager, the policy and management server)
3. CCA (Clean Access Agent on the endpoint)

Diagram: NAM, NAS and CCA.

Internal Perimeter Access Control and Security: CISF

1. Port Security prevents MAC flooding, port access, rogue network extension, and DHCP starvation attacks.
2. DHCP Snooping prevents rogue DHCP server attacks and DHCP starvation attacks.
3. Dynamic ARP Inspection, used with DHCP snooping, prevents ARP spoofing and man-in-the-middle attacks.
4. IP Source Guard uses the DHCP snooping binding table to mitigate IP spoofing, impersonation attacks and unauthorized access.

Diagrams:
– MAC flooding: an attacker floods the switch with bogus source MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc., 132,000 of them) until the MAC table is full and the switch acts like a hub; Port Security stops it.
– DHCP DoS: the attacker's flood of "DHCP Request" messages is dropped (X), while the legitimate DHCP server can still answer "Use this IP address!".
– ARP spoofing: the attacker (10.1.1.25) announces "Hey, I'm 10.1.1.50!" to impersonate the victim (10.1.1.50) behind the gateway (10.1.1.1, MAC A) and intercepts the email server's "Your email password is 'joecisco'!".
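The access-switch configuration below is an added example, not a slide from the deck. It enables all four CISF features together on one switch, in the order the dependencies require: DHCP snooping first (it builds the binding table), then Dynamic ARP Inspection and IP Source Guard (they consult it), with Port Security and DHCP/ARP rate limits on every user port and trust only on the uplink toward the real DHCP server. VLANs 10 and 110, the port ranges, the uplink and the rate values are assumptions.

```cisco
! Added example; VLANs 10/110, port ranges, uplink and rates are assumptions.
!
! DHCP snooping builds the binding table (MAC, IP, lease, VLAN, port) that
! DAI and IP Source Guard consult. Enable it per VLAN, keep the table across
! reloads, and do not insert option 82 (not needed without a relay that
! expects it, and IP Source Guard below filters on IP only).
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip dhcp snooping database flash:/dhcp-snoop.db
!
! Dynamic ARP Inspection: on untrusted ports an ARP packet is forwarded only
! if its sender IP/MAC pair matches a snooping binding; also validate that
! the Ethernet and ARP header addresses agree.
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
!
! Recover err-disabled ports after 5 minutes so a single violation does not
! require an operator visit (the syslog message still records it).
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 24
 description user access port (untrusted)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
 spanning-tree bpduguard enable
! Port Security: at most one PC and one phone. Learned MACs age out after
! 2 minutes of inactivity. "restrict" drops and counts excess MACs instead
! of shutting the port, which is enough to stop a flooding tool.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
! DHCP starvation: 10 DHCP packets per second is far more than a real host
! sends; a flooding client is err-disabled.
 ip dhcp snooping limit rate 10
! ARP: DAI err-disables the port above 15 ARP packets per second.
 ip arp inspection limit rate 15
! IP Source Guard: only the source IP bound to this port by DHCP may send.
 ip verify source
!
interface GigabitEthernet1/0/48
 description uplink to distribution (toward the DHCP server): trusted
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Checks: "show ip dhcp snooping binding" lists one entry per host;
! "show ip arp inspection statistics vlan 10" counts dropped ARPs;
! "show port-security interface GigabitEthernet1/0/1" shows the
! violation counter; "show ip verify source" shows the active filters.
```

A port with a statically addressed host has no DHCP binding, so IP Source Guard would block it; add an `ip source binding <mac> vlan <id> <ip> interface <port>` entry for such hosts before enabling `ip verify source` on that port.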

Distributed Security: Infrastructure Protection and Monitoring

Diagram: access, distribution, core and management layers.

Infrastructure Protection and Monitoring
1. QoS Trust Boundary
2. Scavenger Class
3. Secure Management
4. NBAR
5. NetFlow
6. Control Plane Policing
7. Network Time Protocol
8. ACS
9. Cisco MARS
10. Syslog
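Items 7, 8 and 10 of the list are the plumbing that makes event correlation (item 9) possible: authenticated time, complete timestamped syslog, and centrally authenticated and accounted administration. The IOS configuration below is an added example, not a slide from the deck; the NTP server 10.1.250.10, the syslog/MARS collector 10.1.250.50, the ACS server 10.1.250.30 running TACACS+, Loopback0 and all keys are assumptions. The `tacacs server` form shown needs IOS 15.x; on 12.x the equivalent is `tacacs-server host`.

```cisco
! Added example; 10.1.250.10 (NTP), 10.1.250.50 (syslog/MARS), 10.1.250.30
! (ACS, TACACS+), Loopback0 and all keys are assumptions.
!
! --- 7. Network Time Protocol: authenticated, from one source only ---
ntp authenticate
ntp authentication-key 1 md5 ExampleNtpKey
ntp trusted-key 1
ntp source Loopback0
ntp server 10.1.250.10 key 1 prefer
access-list 10 permit host 10.1.250.10
ntp access-group peer 10
!
! --- 10. Syslog: millisecond, time-zoned, sequence-numbered messages ---
clock timezone UTC 0
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
service sequence-numbers
logging buffered 65536 informational
logging console critical
logging source-interface Loopback0
logging host 10.1.250.50
logging trap informational
!
! --- 8. ACS: TACACS+ authentication, authorization and accounting ---
aaa new-model
tacacs server ACS1
 address ipv4 10.1.250.30
 key ExampleTacacsKey
aaa group server tacacs+ ACS
 server name ACS1
ip tacacs source-interface Loopback0
!
! Local account used only when every TACACS+ server is unreachable.
username netops privilege 15 secret Example-Local-Fallback-Only
!
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
aaa authorization config-commands
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! Checks: "show ntp status" must say synchronized; "show logging" shows
! the host and trap level; "test aaa group ACS netops <password> legacy"
! exercises the TACACS+ path; "show tacacs" shows the server state.
```

With `aaa accounting commands 15 ... start-stop`, every privileged command reaches ACS with the user name and timestamp, which is what lets MARS tie a configuration change on a switch to the administrator who made it.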


Securing the Internet Edge

Enterprise Internet Edge: Service Breakdown

DMZ, network services application segment
• Public-facing services: FTP, DNS, NTP etc.

Corporate Internet access
• Internet access for campus and branch users
• Web browsing, email and other common internet services; web and email security

Firewall-based teleworker
• Teleworker access to corporate resources
• Internet access via headquarters firewall
• Basic IP telephony service

Branch office WAN backup
• Internet backup for branches
• Access to corporate resources
• Web browsing, email and other common internet services

Internet Edge

Diagram: dual ISP links (ISP A, ISP B) into the edge routers; then the corporate access/DMZ firewall layer, which terminates remote access VPN and CVO (Cisco Virtual Office) sessions and fronts the email security gateway, the web security gateway and the e-mail, HTTP services and DNS hosts in the DMZ; then distribution and core. Remote clients, branches with voice services and the branch Internet backup path all arrive here.

Firewall Design Considerations

Diagram: Internet via SP1 and SP2, a firewall pair, the DMZ, and the data center and corporate network behind it.

• Firewall security design considerations
– Firewall rules to implement network security
– Integrating the email and web security appliances with the firewall
– Configuring and implementing infrastructure security
– Implementing and designing a secure public-facing DMZ
– Enabling features for optimum monitoring and management
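The ASA configuration below is an added example, not a slide from the deck, of the "secure public-facing DMZ" and "firewall rules" bullets. It publishes the DNS, web, FTP and NTP services from the earlier service breakdown, with one static NAT per service, an inbound policy that permits only those services and logs everything else, and a DMZ egress policy so a compromised DMZ host cannot pivot inside or use the Internet freely. It uses the object NAT syntax of ASA 8.3 and later; all addresses (outside 203.0.113.0/29, DMZ 192.0.2.0/24, inside 10.0.0.0/8, the syslog collector 10.1.250.50) are assumptions.

```cisco
! Added example, ASA 8.3+ syntax; every address here is an assumption.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! One public address per published service; DMZ addressing stays private.
object network DMZ-DNS
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.3
object network DMZ-WEB
 host 192.0.2.20
 nat (dmz,outside) static 203.0.113.4
object network DMZ-FTP
 host 192.0.2.30
 nat (dmz,outside) static 203.0.113.5
object network DMZ-NTP
 host 192.0.2.40
 nat (dmz,outside) static 203.0.113.6
object network INSIDE-NET
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
!
! Inbound: only the published services; everything else denied and logged.
! From 8.3 on, ACLs reference the real (untranslated) DMZ addresses.
access-list OUTSIDE-IN extended permit udp any object DMZ-DNS eq domain
access-list OUTSIDE-IN extended permit tcp any object DMZ-DNS eq domain
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq www
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq https
access-list OUTSIDE-IN extended permit tcp any object DMZ-FTP eq ftp
access-list OUTSIDE-IN extended permit udp any object DMZ-NTP eq ntp
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! DMZ egress: never toward the inside network, and to the Internet only
! what the services themselves need (recursive DNS, upstream NTP).
! Inside-to-DMZ traffic is allowed by the security levels without an ACL.
access-list DMZ-OUT extended deny ip any 10.0.0.0 255.0.0.0 log
access-list DMZ-OUT extended permit udp object DMZ-DNS any eq domain
access-list DMZ-OUT extended permit tcp object DMZ-DNS any eq domain
access-list DMZ-OUT extended permit udp object DMZ-NTP any eq ntp
access-list DMZ-OUT extended deny ip any any log
access-group DMZ-OUT in interface dmz
!
! Protocol inspection: FTP inspection opens the data channel dynamically,
! so OUTSIDE-IN needs no wide port range; DNS and HTTP get sanity checks.
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
!
! Monitoring: syslog to the inside collector and basic threat detection,
! with hosts that scan the DMZ shunned automatically.
logging enable
logging timestamp
logging trap informational
logging host inside 10.1.250.50
threat-detection basic-threat
threat-detection scanning-threat shun
!
! Checks: "show nat" confirms the static translations; "show access-list
! OUTSIDE-IN" shows hit counts per line; "packet-tracer input outside tcp
! 198.51.100.7 40000 203.0.113.4 443" walks one flow through NAT and ACLs.
```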

Firewall Design

Diagram: email traffic from the Internet passes through the firewall and the Email Security Appliance before reaching the email server; web traffic from corporate users passes through the Web Security Appliance and the firewall to the Internet; remote users and public users reach the corporate network only through the firewall.

IPS at the Internet Edge

1. Firewalls in active/standby stateful failover
2. IPS selection based on STP
3. Requires STP tuning
4. Required bandwidth satisfied with a single IPS and firewall

Diagram: Internet SP, edge switches, an inline IPS pair, the firewall pair, corporate access/DMZ, distribution and core.

Remote Access

Diagram: users on the public Internet terminate on an ASA 5500.

Partners / consultants: clientless SSL VPN; controlled access to specific resources and applications
Roamers: clientless SSL VPN; seamless access to applications from unmanaged endpoints
Mobile workers: client-based SSL or IPsec VPN; easy access to corporate network resources
Day extenders / home office: client-based SSL or IPsec VPN; day extenders and mobile employees require consistent, LAN-like, full-network access to corporate resources and applications

Web Appliance (IronPort example): Consolidated Web Gateway

Consolidated functionality in the IronPort Web Security Appliance: web proxy and caching, anti-spyware, anti-virus, anti-phishing, URL filtering, policy management.

Diagram: before, users reach the Internet through the firewall and a chain of separate boxes; after, a single appliance with the IronPort L4 Traffic Monitor and IronPort policy filters sits between the users and the firewall. Lower TCO, higher accuracy.


Securing the Data Center

Data Center Today: End-to-End Architecture

Security Services Layer
– Firewall (ASA 5500 or FWSM): enforce per-zone segmentation of servers; virtual contexts enable scale
– IPS: threat mitigation and hypervisor protections
– Network segmentation: per zone, enforced in the services layer

Secure Server Access Layer
– Virtual access layer visibility: flow visibility in the vSwitch (Nexus 1000v)
– Layer 2 security: consistent protections in virtual and physical switch

Enterprise and DC Edge
– SaaS gateway in WSA: access control for Software as a Service apps
– Firewall (ASA 5500): coarse inbound filtering

Diagram: server zones 1, 2 and 3 behind the services layer; Cisco Security Manager (CSM) for operations.

Secure Borderless Data Center: Tomorrow's Architecture

Security Services Layer
– Firewall and IPS (ASA 5500 with IPS, ASA switch modules for Catalyst and Nexus, ASA virtual contexts) with identity-based policies
– Service chaining connects physical to virtual

Secure Virtual Access Layer
– Virtual Layer 2 through 7 security: Nexus 1000v and a virtual firewall platform
– Trust zones via TrustSec

Cloud Services Security Layer
– Enterprise- or cloud-provided security for applications in the cloud

Cloud Edge
– Protecting the cloud provider network

Enterprise and Data Center Edge
– SaaS gateway in WSA
– Firewall: coarse filtering

Diagram: the same layered picture with virtual firewalls beside the Nexus 1000v, and CSM plus AAA and policy for operations.

Real World Customer Example

Diagram: a pair of Catalyst 6513 switches in high availability mode, each with a Firewall Services Module (FWSM) in virtual firewall mode (VFW1, VFW2), an IDSM and an ACE module; server tiers for DMZ-2 front-end web servers, application servers and database servers; Cisco Nexus switches with Fibre Channel storage arrays on Fabric A and Fabric B (FC, FICON and iSCSI); two GSS 4492 Global Site Selectors; and a MAN/WAN FCIP link to the backup site.

Management servers:
1. NAC Manager
2. Security Manager
3. Security MARS
4. Call Manager/Cisco Unity
5. Cisco ACS

Data Center Module Features
– Layer 3 switches in high availability mode
– Firewall Services Module (FWSM) to protect against Layer 2 to Layer 7 attacks
– FWSM set in virtual firewall mode: VFW1 protects the management servers and VFW2 protects the data center servers
– Network intrusion detection/prevention for monitoring
– Application Control Engine (ACE) used for load balancing, SSL offloading and Layer 7 deep inspection
– ACE module used for all front-end web and application server SSL offloading and load balancing (after the Layer 7 firewall)
– Traffic flow moves from the yellow to the blue to the orange VLANs (diagram colours)
– Private VLAN design implemented within each server farm to segment against DoS/DDoS and network attacks
– Cisco Security Agent on each server to protect against day-zero attacks such as worms/viruses and DoS/DDoS
– NAC Appliance Manager for network-wide policy enforcement
– Cisco Security Manager to manage security devices
– Cisco Security MARS for event correlation, dynamic threat mitigation and incident logging
– Cisco Call Manager/Unity for voice services
– Cisco Access Control Server for AAA and TACACS+ services
– FCIP server backup with disaster recovery and backup site
– DHCP snooping, IP Source Guard, Dynamic ARP Inspection, Port Security and advanced security via ACL
– Catalyst rate limiting for blasting-worm protection/remediation
– Optimized routing protocols, multicast, subsecond convergence, first-hop redundancy protocols
– Spanning Tree, EtherChannel/GigEChannel with core switches in the campus module
– Supervisor/power supply redundancy etc.
– HSRP for redundant gateway service
– Path diversity documentation
– Layer 3 switching utilizing IGP load balancing and fast convergence
– Provides first-hop redundancy
– Protects the core from high-density peering
– Aggregates the access layer elements
– Policy enforcement: QoS, ToS, IP precedence
– Efficient handling of multicast
– Network trust or policy boundary
– Dual active links to core switches in the campus module
– Wire-rate, application-aware using ACE and FWSM
– IOS-based intelligent network services in the supervisor
– Traffic detection/classification using NetFlow
– IP multicast support
– Admission control and traffic policing
– Advanced security via access control lists
– Load balancing and fast convergence
– Scalable high-speed services
– No unnecessary features
– 10 Gigabit scalability
– Normal operations: ~20°C (68°F)

MAN/WAN: FCIP
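The private VLAN design the example calls for ("within each server farm") can be expressed in Catalyst configuration as below. This is an added example, not part of the customer design shown: the front-end web servers go into an isolated secondary VLAN so that a compromised web server cannot scan or flood its neighbours at Layer 2, the application servers into a community VLAN because they need to see each other, and a single promiscuous port faces the firewall that is the servers' default gateway (a physical port to an ASA in this example, rather than the FWSM backplane VLAN). The VLAN numbers and port assignments are assumptions.

```cisco
! Added example; VLAN numbers and ports are assumptions.
! Private VLANs require VTP transparent (or VTP version 3) mode.
vtp mode transparent
!
! Primary VLAN 200 carries the whole server farm and its gateway subnet.
! Isolated VLAN 201: members talk only to promiscuous ports, never to each
! other. Community VLAN 202: members talk to each other and to promiscuous
! ports. Neither secondary VLAN can reach the other.
vlan 200
 name SRVFARM-PRIMARY
 private-vlan primary
 private-vlan association 201,202
vlan 201
 name SRVFARM-WEB-ISOLATED
 private-vlan isolated
vlan 202
 name SRVFARM-APP-COMMUNITY
 private-vlan community
!
! Front-end web servers: isolated. A web server that is compromised still
! reaches its gateway, but the other web servers are unreachable from it
! at Layer 2, which blunts lateral scans and DoS against the peers.
interface range GigabitEthernet1/1 - 8
 description front-end web server
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Application servers: community, because the cluster members need
! east-west traffic among themselves.
interface range GigabitEthernet1/9 - 16
 description application server
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Promiscuous port toward the firewall acting as the servers' gateway;
! it is mapped to every secondary VLAN so all tiers can reach it.
interface GigabitEthernet1/24
 description to firewall inside interface (server gateway)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! Checks: "show vlan private-vlan" lists the primary/secondary pairs and
! their ports; "show interfaces GigabitEthernet1/1 switchport" shows the
! host association; a ping between two isolated web servers must fail.
```

Private VLANs only constrain Layer 2 reachability. Web-to-application and application-to-database traffic still crosses the gateway, which is where the FWSM virtual context (VFW2 in the design) enforces the per-tier Layer 3 and Layer 7 policy.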


SAFE Resources

Cisco SAFE and Design Guide:

http://www.cisco.com/go/safe
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html

Cisco Design Zone:

http://www.cisco.com/go/cvd

Cisco Security Lifecycle Services:

http://www.cisco.com/go/services/security

Cisco’s Security Products:

http://www.cisco.com/go/security
