Seguridad ayer, hoy y mañana SDN 3.0 Seguridad de ... · Seguridad ayer, hoy y mañana ASA – Todo en Uno Agenda Seguridad de Mensajeria y Web SDN 3.0 Seguridad del EndPoint

© 2008 Cisco Systems, Inc. All rights reserved. 43

Seguridad ayer, hoy y mañana

ASA – Todo en Uno

Agenda

Seguridad de Mensajeria y Web

SDN 3.0

Seguridad del EndPoint

Para Llevar

http://www.cisco.es/expo


Integrates and extends the #1 deployed gateway content security technology to protect from viruses, spyware, spam, phishing, and employee productivity impacting websites

Content Security

Integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 SeriesProvides comprehensive security from directed attacks and many other threats

IPS Services

Integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering bothSSL and IPsec VPN services

VPN ServicesIntegrates and extends the #1 deployed firewall technology from Cisco PIX Security AppliancesBuilt upon the experience of overone million PIX deployed worldwideand 10+ years of innovation

Firewall Services

Cisco ASA 5500 Adaptive Security AppliancesDelivering Leading Threat Defense and VPN Services

Provides Converged Threat Defense, Flexible Secure Connectivity,Minimized Operation Costs, and Unique Adaptive Design to Combat Future Threats

Secure Unified CommunicationsComprehensive access control, threat protection, network policies, service protection and voice/video confidentiality for real-time Unified Communications traffic


SOHO Branch Office

InternetEdge

ASA 5550

Cisco ASA 5500 Series Adaptive Security AppliancesSolutions Ranging from Desktop to Data Center

ASA 5580-20

ASA 5580-40

ASA 5505

Data Center

ASA 5540

ASA 5520

ASA 5510

Cis

co A

SA 5

500

Plat

form

s

New

New

Campus


Cisco ASA 5500 Series High-End Lineup Solutions Ranging from Desktop to Internet Edge

Network Location

PerformanceMax Firewal throughputMax IPSec VPNMax IPSec/SSL VPN Peers

Platform CapabilitiesMax Firewall ConnsMax Conns/SecondPackets/Second (64 byte)Base I/OMax I/OVLANs SupportedHA Supported

CiscoASA 5510

Branch Office

300 Mbps170 Mbps

250

130,0009,000

190,0005 FE

2 GE + 3 FE + 4 SFP100

A/A and A/S

CiscoASA 5520

280,00012,000

320,0001FE + 4GE

1FE + 4GE + 4SFP150

A/A and A/S

CiscoASA 5505

SOHO

150 Mbps100 Mbps

25

25,0004,000

85,0008 FE (2POE)8 FE (2POE)

20A/S

* Supported in a future software release

InternetEdge

450 Mbps225 Mbps

750


Cisco ASA 5500 Series High-End Lineup Solutions Ranging from Internet Edge to Data Center

Network Location

PerformanceMax Firewall (Real-world HTTP)Max Firewall (UDP 1400/Jumbo)Max IPSec VPNMax IPSec/SSL VPN Peers

Platform CapabilitiesMax Firewall ConnsMax Conns/SecondPackets/Second (64 byte)Base I/OMax I/OVLANs SupportedHA Supported

CiscoASA 5550

InternetEdge / Campus

1 Gbps1.2 Gbps (1400)

425 Mbps5000 / 5000

650,00036,000600,000

8 GE + 1 FE8 GE + 1 FE

250A/A and A/S

CiscoASA 5580-20

Campus /Data Center

5 Gbps10 Gbps (Jum.)

1 Gbps10,000 / 10,000

1,000,00090,000

2,500,0002 Mgmt

24 GE / 12 10GE100 (250*)

A/A and A/S

CiscoASA 5580-40

Data Center

10 Gbps20 Gbps (Jum.)

1 Gbps10,000 / 10,000

2,000,000150,000

4,000,0002 Mgmt

24 GE / 12 10GE100 (250*)

A/A and A/S

New NewCisco

ASA 5540

InternetEdge

500 Mbps650 Mbps (1400)

325 Mbps5000 / 2500

400,00025,000

500,0004 GE + 1 FE8 GE + 1 FE

200A/A and A/S

* Supported in a future software release


Wide-Range of Cisco ASA 5500 SeriesSecurity Service Modules (SSMs)

• Provides full-featured IPS and IDS services for protection of critical network assets

• Available in two models: SSM-10 and SSM-20• Delivers up to 450 Mbps of IPS throughput• Has thumbscrews for easy insertion/removal• 10/100/1000 out-of-band management port• Supported on ASA 5510, 5520, and 5540

IPS Security Services Module (AIP SSM)

Content Security Services Module (CSC SSM)• Provides full-featured Anti-X services

(anti-virus, anti-spyware, anti-spam,anti-phishing, URL filtering, and more)

• Available in two models SSM-10 and SSM-20• Anti-virus and anti-spyware services licensed

by number of users, others optional add-on• Supported on ASA 5510, 5520, and 5540

4-Port GE Services Module (4GE SSM)• I/O module offers four copper 10/100/1000

ports in addition to four SFP ports forimproved flexibility and network segmentation

• Customers can use up-to four ports total out of these eight ports, with the ability to mix and match copper and optical GE ports

• Supported on ASA 5510, 5520, and 5540


Introducing the Cisco ASA 5580 SeriesHigh Performance Firewall and Highly Scalable Remote Access VPN

Raising the Bar for Firewall and VPN Capabilities

Industry-leading performanceHighest connection rates in the industryData center class throughput with ultra low latency

High speed auditing and event monitoringNetFlow based monitoring and aggregation

Highly scalable remote accessSupports up to 10,000 simultaneous users


Cisco ASA 5580 Firewall: Industry-leading Performance

Unprecedented scalability, ultra-low latency

Up to two million connectionsUp to 150K connections/secondStrong small packet performance

with sub-30 microseconds latency

Blazing fast performanceUp to 10 Gbps of real world throughputUp to 20 Gbps for jumbo frame applicationsSupports up to 750,000 policies with line rate

performance as policies scale

Optimize operationsDevice consolidation with up to

50 virtual firewallsMultiple redundancy options:

Active/Active failover, redundant power, fans and network links

Supports up to 24 GE or 12 10GE ports

0

20000

40000

60000

80000

100000

120000

140000

160000

Firewall Connections/Second

Cisco ASA 5580 Nokia/CHKP IP 2450Juniper NS 5400

Multi-Gbps Class Firewall

5-7X Better than the Competition


Cisco ASA 5580 Series Innovation:NetFlow Security Event Logging

Security event correlation and reduction for multi-gigabit traffic

Introducing NetFlow v9 capabilities on ASA5580Extends 10+ years of NetFlow innovationEnables compliance auditing

Driving industry standardLeading standardization effort with IETF IPFIX Working GroupAligning with leading NetFlow monitoring solution providers

CiscoASA 5580

CS-MARS 3rd PartyNetFlow Collector

Netflow v9


High Performance Cisco ASA 5580 SeriesInterface Expansion Cards

• I/O module includes four 10/100/1000 Ethernet ports enabling granular network segmentation and security virtualization

• Up to 24 GE ports are supported by the ASA 5580 Series

4-Port 10/100/1000 Ethernet Card

2-Port 10 Gigabit Ethernet Fiber SR LC Card• I/O module offers two fiber 10GE ports for

maximum performance and scalability• Integrated short range (SR) optics and LC

connector simplify connectivity• Up to twelve 10GE ports are supported by

the ASA 5580 Series

4-Port Gigabit Ethernet Fiber SR LC Card• I/O module includes four fiber Gigabit

Ethernet ports enabling granular network segmentation and security virtualization

• Integrated short range (SR) optics and LC connector simplify connectivity

• Up to 24 GE ports are supported by the ASA 5580 Series


Cisco ASA and Secure Unified Communications

Access Access Control Control

Threat Threat Prevention Prevention

Network Network Policy Policy

Service Service Protection Protection

Voice & Video Voice & Video ConfidentialityConfidentiality

Call Control Infrastructure Endpoints Applications • SIP, SCCP, MGCP, H.323• Application inspection and

control• Call flow/ Header state

awareness • Protocol conformance• Prevent DoS attacks• TLS Proxy for encrypted

signaling• NAT/PAT

• Intrusion prevention services for UC

• Voice Signatures• Voice/video-enabled

secure connectivity (V3PN)

• Prevent buffer overflow attacks

• SIP/SCCP/CTIQBE/TAP/JTAPI inspection

• Access Control and inspection for services -Cisco Unity, Meetingplace, Presence, Cisco Telepresence, IM over SIP, Microsoft

• Timeouts for audio/video connections

• RTP/RTCP inspection• SIP and SCCP Video

Endpoints – IP phones, VT Advantage, Cisco Unified Personal Communicator

• Policies - allow/deny calls from unregistered phones, callers, whitelist, blacklist


Innovative Security for Unified Communications Protect Cisco Communication Manager and IP Phones

Ensure SIP, SCCP, H.323, MGCP requests conform to standardsPrevent inappropriate SIP Methods from being sent to Communication ManagerNetwork Rate Limit SIP RequestsPolicy enforcement of calls (whitelist, blacklist, caller/called party, SIP URI) Dynamic port opening for Cisco applications Enable only “registered phones”to make callsEnable inspection of encrypted phone calls

Internet

WAN

Cisco ASA with SSL VPN

Cisco Security Agent (CSA)

Cisco ASA with VPN

Cisco ASA with IPS and VPN

Protection Against Attacks On Unified Communications Call Control, Endpoints And Applications


Industry-First Encrypted Voice Security SolutionNow Available with Cisco ASA 5500 Software v8.0

SRTP media

TLS signaling

Any Cisco voice/video communications encrypted with SRTP/TLS can now be inspected by Cisco ASA 5500 Adaptive Security Appliances:

• Maintains integrity and confidentiality of call while enforcing security policy through advanced SIP/SCCP firewall services

• TLS signaling is terminated and inspected, then re-encrypted for connection to destination (leveraging integrated hardware encryption services for scalable performance)

• Dynamic port is opened for SRTP encrypted media stream, and automatically closed when call ends

Encrypted Endpoint Encrypted

Endpoint

Newin 8.0!


Prevents installation of malware and blocks “phone home” communicationsFrees network bandwidth and controls the transmission of confidential data

Removes traffic ambiguities such as overwritten fragments, TCP segment overwrites, TTL discrepanciesSimulates end host behavior to increase inspection accuracy

Controls corporate espionageStops web defacing by preventing web attacksPrevents zombie, backdoor, and bot placement thus stopping automated attacks (e.g., denial of service (DoS)

Cisco IPS Offers Multi-Vector Threat IdentificationDelivers Broad Attack and Malware Protection

Stops the infection and propagation of malwareLeverages internal development and partnership with Trend Micro

Traffic Cleansing

Network Worms & VirusesSpyware/Adware

Directed Attacks


RiskRating

Event Severity

Signature Fidelity

AttackRelevancy

Asset Valueof Target

Is Attack Relevant to Host Being Attacked?

How Prone to False Positive?

How Critical Is this Destination Host?

How Urgent Is the Threat?

Decision Support Balances Attack

Urgency with Business Risk

+

+

+

+

Accurate Prevention TechnologiesRisk Rating Provides Threat Context

Drives Mitigation

Policy


Cisco Security Agent (CSA) provides notion of suspicious hosts through CSA Watch ListIPS Sensor risk sensitivity increased dynamically for suspicious hosts (risk rating increase)Result: Better manage risk from suspicious sources

1. Attacker tries to brute force attack an internal server

2. CSA blocks the attack and adds attacker to its watchlist

3. CSA collaborating with Cisco IPS is able to dynamically elevate the Risk Rating threshold for attacks coming from the attacker

4. Future attacks from hacker are blocked at the IPS device

New in IPS 6.0:Visibility to Endpoint Trustworthiness – CSA Collaboration

New!


Network ScannerA

Windows Server Linux ServerNot Vulnerable

Filter EventVulnerable

Increase Risk Rating

Event / Action FilteringMonitoring Console:

Non-relevant events filteredAttacker initiates IIS attack destined for servers

Contextual information on attack target used to refine security responseContextual information gathered through:

Passive OS fingerprinting Static OS mapping for exception handling

Dynamic Risk Rating adjustment based on attack relevanceResult: More appropriate and effective security response actions

New in IPS 6.0:Endpoint Attack Relevance Visibility

New!


Introducing the Content Security and Control

Security Services Modules

Content Security in the Cisco ASA 5500 Series

Comprehensive content security services on a single module

Incorporates security technology from Trend Micro’s award-winning InterScanVirusWall suite

Seamless management and monitoring through Cisco ASDM, multi-device management with Trend TMCM

Enables a single-box solution for all the needs of the SMB


Threat Types

Unauthorized Access

Intrusions and Attacks

Insecure Comms.

Viruses

Spyware

Malware

Phishing

Spam

Inappropriate URLs

Identity Theft

Offensive ContentNEW

Ant

i-X S

ervi

ce E

xten

sion

s

ProtectionResource and Information Access Protection

Hacker Protection

Client Protection

DDoS Protection

Protected Email Communication

Protected Web Browsing

Protected File Exchange

Unwanted Visitor Control

Audit and Regulatory Assistance

Non-work Related Web Sites

Identity Protection

Granular Policy Controls

Comprehensive Malware Protection

Advanced Content Filtering

Integrated Message Security

Easy to Use

Cisco ASA 5500 with CSC-SSM

Cisco ASA 5500 Content SecurityDelivering Comprehensive Protection and Control


Comprehensive Secure ConnectivityVPN Services for Any Access Scenario

Public Internet

ASA 5500

Clientless SSL VPN

Clientless SSL VPN

Client-based SSL or IPSec VPN

Partner Access

Requires “locked-down” access to specific extranet resources and applications

Company Managed Desktop

Remote access users require seamless, easy to use, access to corporate network resources

Public KioskRemote users may require lightweight access to e-mail and web-based applications from a public machine

Company Managed Desktops at Home

Day extenders and mobile employees require consistent LAN-like, full-network access, to corporate resources and applications

Client-based SSL or IPSec VPN


Threat Protected VPN ServicesLeveraging On-Board Security to Protect the VPN Threat Vector

ASA 5500

Worm/Virus

UnwantedApplication

Spyware

Illegal Access

Exploit

Remote AccessVPN User

Threat MitigationIncident Control Virus DetectionWorm MitigationSpyware Detection

Application Firewall and Access ControlApplication Inspection/ControlGranular, Per-User/Group Access ControlProtocol Anomaly DetectionStateful Traffic Filtering

Accurate EnforcementReal-Time CorrelationRisk RatingAttack DropSession Removal and Resets

Comprehensive Endpoint SecurityPre-Connection Posture AssessmentMalware MitigationSession/Data SecurityPost-Session Clean-Up

Leverages Depth of Threat Defense Features to Stop Malicious Worms, Viruses, and More…and Without External Devices or Performance Loss!


Cisco Adaptive Security Device Manager v6.0Introduces a Wealth of New Features and Usability Enhancements

Fresh new interfaceprovides easy access to all services offered by ASA

Supports drag-and-dropand in-place editing for simplified policy editing

Offers user interface customization with dockable windows and toolbars

Introduces new Firewall Dashboard that provides at-a-glance status of firewall services

Provides live ACL hitcountin firewall rule table for easy policy auditing


Cisco ASDM Feature HighlightsSyslog to ACL Correlation Features

Syslog Messages now includeunique hash and line numberof ACL entry that created it

Buttons in ASDM Live Log viewer allow admins to view/edit an existing ACL, or create a new ACL entry



ASA – Todo en Uno

Agenda


SDN 3.0


Para Llevar


Seguridad Total del Endpoint

Protección contra ataques día cero

Parte Integral de la Red

Antivirus

Antispyware

Firewall

Prevención de Intrusión

Prevención de Perdida de Datos

Integridad del Sistema

Cum

plim

ient

o co

n po

lític

as


Seguridad del PC/ServidorProtección contra ataques tipo “Día Cero”Defensa contra Spyware y ataques enfocadosAsegura la integridad del sistema operativo

Garantía de Aplicaciones criticasPer-Application network Prioritization (QoS)Wireless bandwidth optimization (QoS - WMM)

Cumplimiento de NormativasControl del Wireless NICControl de medios desmontablesControl del Uso Aceptable

¿Cuán Rápido Podemos Reaccionar?

CSA


Control de Políticas y Prevención de Pérdida de Datos

Controla copiando datos confidenciales a medios desmontablesUSB, floppy disk, CD Burner

Controla el envío de datos confidenciales por interfaces no autorizadas

Modem, Bluetooth, impresoraBloquea el envío de datos confidenciales por webmail, p2p, IMLas direcciones de red que cada aplicación se puede comunicar conInstalación de aplicaciones o drivers

EMAILSecurity

Appliance

WEBSecurity

Appliance


Control de medios desmontables Controles para USB, CD, iPod

Monitorea el Uso

Controles de archivos confidenciales

Controles de usuarios autorizados

Controles basados en la ubicación

Consolidatedevent reportingof USB usage

Justificación del usuario para auditoria


Forzando las Políticas para usuarios móviles

Exige el uso de VPN

bloquea sesiones SSL que no pasan por el proxycorporativo

Asegura que todo el trafico pasa por las protecciones mail & web corporativos

VPN

Email/Web

Internet

CorporateNetwork

Remote Employees


CSA monitorea y controla todas las aplicaciones y procesos

Niveles de Confianza ofrecen control flexible y fácil de administrar

White List : Trusted Business Apps (controles permisivos)Grey List: Aplicaciones permitidas (controles mas restrictivos)Black List: Aplicaciones no deseadas (bloquea el uso)

Control de Políticas -Niveles de Confianza de Aplicaciones


Cumplimiento de NormativasPCI DSS

Ofrece soluciones que cumplan con 9 de los 12 requerimientos PCI Políticas PCI predefinidas

26 Rule Modules, 150 rules

Validado por Cybertrust (Auditor oficial de PCI)

http://www.cisco.com/go/retail


CSA Aumenta el Valor de la Red Existente

PER-APPLICATION QoSOptimize network performance

EnhanceNetwork

Value

WIRELESS POLICY CONTROLSIncreases security & network bandwidth utilization efficiency

NAC POLICY VERIFICATION

Ensure host security and health

INFORM NIPS OF HOSTILE HOSTS

Stop attacks in the network before they reach other hosts


CSA Wireless Control

Desactiva el wireless NIC cuando esta conectado por cable

Restricciones de la conexión -SSIDs, codificación, ad-hoc

Requiere conexión VPN cuando esta fuera de la oficina

QoS por aplicaciones


NAC Enforcement Point

NAC Manager

Remediación

Laptop

Workstation

RouterNAC Server

Colaboración NAC & CSA

CSA MC

• CSA detecta actividad y establece un system state.

• NAC utiliza esta información para determinar el rol y la remediación necesaria

CSA Enforcement Point


Colaboración NAC & CSA – Inicio Seguro

BIOS Update

No CSA runningNo CSA running

NAC Posture: QUARANTINENAC Posture: QUARANTINE

CSA State: INSECURE BOOTCSA State: INSECURE BOOT

NAC Posture: REMEDIATENAC Posture: REMEDIATE

Boot to Boot to primaryprimarydiskdisk

DynamicPolicy

Change

NAC

Boot to nonBoot to non--primaryprimarydiskdisk


NAC Failed Compliance- Insecure Boot Detected

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 79

DesktopDesktop

DSCP Marcando por aplicación o OSDSCP Marcando por aplicación o OS

QoS por Aplicación

Internet Explorer

BitTorrent

Cisco IP Communicator

FTP Client

DSCP Marcando por CSA

DSCP Marcando por CSA

Default

AF11

EF

Default

AF11

Default

EF

AF11

Class-Based Weighted Fair Queuing (CB-WFQ)

Low-Latency Queuing (LLQ)

Class-Based Weighted Fair Queuing (CB-WFQ)

Low-Latency Queuing (LLQ)

AF11: 50% (CB-WFQ)EF: 15% (LLQ)Default: 10% (CB-WFQ)

AF11: 50% (CB-WFQ)EF: 15% (LLQ)Default: 10% (CB-WFQ)

“Mal” software puede marcar paquetes para:Obtener mejor servicio de la redRealizar un ataque (e.g. flooding con paquetes marcados con el QoS de voz causando DoS para telefonía IP)

CSA remarca los paquetes según el diseño del QoS

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 80

2. Correlación global en el CSAMC - recibe información de los servidores escaneados y actualiza todos los agentes CSA con las características de la nueva amenaza

Colaboración CSA & IPS

1. Hacker escanea servidores internos buscando vulnerabilidades

3. Todos los intentos del hacker a conectarse a servidores y desktops protegidos por CSA están dinámicamente bloqueados

4. CSA colabora con Cisco IPS para dinámicamente elevar la valuación del riesgo para conexiones que llegan del hacker

CSA MC

Servers

Desktops


Problma:Anti-Virus software no es suficienteParches, apagando incendios,2003-Incidente menor ~$250k gastos de operación2003-Ataque mayor ~$2.5M gastos de operaciónAumento de gastos: Previsto 2X a 4X aumento de

outbreak en 2004.

Solución:CSA a 60,000 desktops & servidores en 3 semanas Cero outbreaks desde el despliegue del CSA en 2003Gastos de operación: ½ IngenieroDisminuyendo la urgencia de instalar parcheswww.cisco.com/go/csa.

La mejor tecnología que hemos desplegado aquí en Cisco…”

— John Stewart, CSO, Cisco



ASA – Todo en Uno

Agenda


Para Llevar

SDN 3.0



Centro de Seguridad CiscoInforma, Protege y Responde

www.cisco.com/security

Event-based, early-warning security intelligenceComprehensive alert analysis and mitigation solutionsReal-time e-mail threat, virus, and spam tracking and trendingEasy access to comprehensive security best-practice guidance

Featured ContentCisco® 2007 Security Annual Report

2008 major risk categories 2008 Cisco expert outlook

Cisco Security IntelliShield Cyber Risk Report podcast Cisco Security IntelliShield Event Response reports


Respondiendo a los eventos de Seguridad cuando ocurren : Actividades estándar para Microsoft Patch Tuesday

Security IntelligenceServices

Security IntelligenceServices

Cisco® SecurityCenter and EventResponse Page

“One-stop shop” forall securityintelligence relatedto the Microsoft disclosures

IntelliShieldAlerts for NewVulnerabilitiesIn-depth reports andanalysis on each ofthe newvulnerabilities

IPS SignatureUpdates

Signature updates toprovide protectionfrom each newnetwork-exploitablevulnerability

Cisco® AppliedMitigation Bulletin

Comprehensivebulletin on using allCisco securitytechnologies toprotect yourself

Cisco Response to Microsoft

Bulletin E-Mail

Summary bulletin ofthe Microsoft announcement andCisco responses


www.ciscowebtools.com/securebusinessadvisor/

Una Herramienta gratis Que les puede ayudar con:Construyendo estrategia de seguridad

Establecer un “businessreason” para la seguridad

Evaluar los requerimientos actuales de la seguridad de red

Valorar las estrategias existentes


H+ una nueva religión, es totalmente positiva

El Énfasis no es en pecados que hay que evitar sino en cosas positivas que hay que hacer

'H' significa humano, felicidad, ayuda, esperanza, salud y humor, ‘un lubricante clave de la vida'

Seguridad – Mejor Juntos – Nueva Religión!


C+ es una nueva religión totalmente positiva

El Énfasis no es en productos aislados de seguridad sino en la colaboración, adaptación e integración

‘C' significa CSA, CCA, CS-MARS, CSC, C-Series y CISCO , ‘un lubricante clave del comercio electrónico'

Seguridad – Mejor Juntos – Nueva Religión!

HOW TO RUN YOUR BUSINESS EFFECTIVELY WITH

CSA, CCA, CS-MARS, CSC, C-SERIES, CISCO


Documents

Seguridad ayer, hoy y mañana SDN 3.0 Seguridad de ... · Seguridad ayer, hoy y mañana ASA – Todo en Uno Agenda Seguridad de Mensajeria y Web SDN 3.0 Seguridad del EndPoint