Building Up Network Security
Catherine Paquet, MBA (MIS)
CCSI, CICSI, CCNP Sec, CCNP R&S
© Global Knowledge Training LLC. All rights reserved. 04/15/2023 Page 2
About the presenter - Catherine Paquet
Cisco security instructor
Cisco Press author
Cisco Systems emerging countries guest speaker
Graduate of Royal Military College and York University
Previously: DND WAN Manager
Lives in Toronto
Topics: Building Up Network Security
Current state of Network Security
Firewall
IPS and Sourcefire
Identity Services and Cisco ISE
Network Access Control
Guest Services and BYOD
Profiling and Posturing
VPN and Site-to-Site
Remote Access VPN and AnyConnect
Email and Web Security
State of Network Security
Facts
Evolution
ROSI
Topology
Facts
Cisco Annual Security Report 2015: Findings
Users unknowingly aiding cyber attacks
Email exploits
250% increase in spam and malvertising exploits
Snowshoe Spam: low volumes of email from a large set of IP addresses
Web exploits
Less common kits used
Malicious combinations: exploit spread over two files, e.g. Flash + JavaScript
Source: www.cisco.com/go/securityreport
Cisco Annual Security Report 2015 - Actions
Security must:
support the business
work with existing architecture – and be usable
be transparent and informative
enable visibility and appropriate action
be viewed as a "people problem"
Source: www.cisco.com/go/securityreport
Evolution of Security Philosophy
Recent Shift in Security Approach
Past → role-based control
Present → rule-based control
CONTEXT
Who, What, Where, When, How
CONTEXT IS EVERYTHING
Who: Jane Doe, member of the sales group
What: Corporate laptop
Where: HQ 2nd floor
When: July 16th, 2016 at 13:27
How: Wired Ethernet with 802.1X
IF….., THEN….., and sometimes, ELSE…...
Context attributes: User, Custom, Location, Device Type, Time, Posture, Access Method
Terminology
Glossary
AAA: Authentication, Authorization, Accounting
AD: Active Directory
AES: Advanced Encryption Standard
AMP: Advanced Malware Protection
AP: Access Point
ASA: Adaptive Security Appliance (firewall)
BYOD: Bring Your Own Device
CDA: Cisco Directory Agent
CWA: Centralized Web Authentication
DES: Data Encryption Standard
DHCP: Dynamic Host Configuration Protocol
DMZ: Demilitarized Zone
DART: Diagnostic And Reporting Tool AnyConnect
DC: Domain Controller
ESA: Email Security Appliance
FSMC: FireSIGHT Mgmt Center (formerly SFDC)
IDS: Intrusion Detection System
IP: Internet Protocol
IPS: Intrusion Prevention System
ISE: Identity Services Engine
ISR: Integrated Services Router
LAN: Local Area Network
LDAP: Lightweight Directory Access Protocol
MAB: MAC Authentication Bypass
MAC: Media Access Control
Malvertising: Malware hidden in advertisement
MD5: Message Digest 5
MDM: Mobile Device Management
NAC: Network Admission Control
NAD: Network Access Device
NIC: Network Interface Card
NGFW: Next Generation Firewall
NGIPS: Next Generation IPS
PKI: Public Key Infrastructure
RADIUS: Remote Authentication Dial-In User Service
ROI: Return on Investment
ROSI: Return on Security Investment
SaaS: Software-as-a-Service
SAML: Security Assertion Markup Language
SSID: Service Set Identifier
SF: Sourcefire
SFDC: Sourcefire Defense Center
SHA: Secure Hash Algorithm
SIO: Security Intelligence Operations (Cisco)
SSL: Secure Sockets Layer
SYN: Synchronization flag and stage of TCP
TALOS: Cisco SIO + Sourcefire VRT
TCP: Transmission Control Protocol
VPN: Virtual Private Network
VRT: Vulnerability Research Team (Sourcefire)
WAN: Wide Area Network
WLAN: Wireless Local Area Network
WLC: Wireless LAN controller
WMI: Windows Management Instrumentation
WSA: Web Security Appliance
Security Roadmap
Topology
Firewall
Most Bang for Your Buck: The Firewall
[Chart: Risk ($) against Security Expenditure for Basic, Moderate and Comprehensive control levels; the gap that remains at every level is the residual risk]
More on the subject of synergistic controls: The Business Case for Network Security: Advocacy, Governance, and ROI, by Catherine Paquet, Cisco Press, 2005. ISBN-10: 1-58720-121-6
ASA Firewall Capabilities
Stateful Firewall with AIC
Botnet detection
IPS built-in capability with service module
SYN flood protection
Scanning threat detection and prevention
Decryption and inspection of specific protocols
Modular Policy Framework
Remote-Access VPN: IPsec and SSL
Site-to-Site VPN
Identity-Based Firewall
DHCP server and client
Dynamic Routing
Static Route Tracking
Transparent and Routed modes
Redundant interfaces
EtherChannel
Multimode aka virtualization
Clustering
Strong management with AAA
OOB Management
Failover
Zero Downtime Upgrade
Intrusion Prevention Systems
Sourcefire
Sourcefire Acquisition
Mid-2013
$2.7B
Hardware and software
Based on Snort IPS
File thumbprints, sandboxing
Protection beyond point-in-time
Visibility through dashboards
Analysis of behaviours
Containment
Martin Roesch created Snort, an open-source IDS, in 1998 and founded Sourcefire in 2001
Integrated and Standalone Platforms
AMP appliance
ASA module
ESA
WSA
CWS
AMPfire (Desktop: AnyConnect 4.1 AMP Enabler)
Cisco AMP 8140 (hardware)
Cisco WSA with AMP (software)
HQ-ASA# show module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: FCH180278XU
Cisco ASA with Sourcefire (software)
The Sourcefire Advantage
AMP* everywhere, with real before, during, after
* Advanced Malware Protection
Sourcefire Visibility and Management
FireSIGHT Management Center*
* formerly Sourcefire Defense Center
Network File Trajectory
Identity Services
ISE
ISE Capabilities
Authentication*
802.1X
MAB
Web Authentication
Authorization*
Guest Services
BYOD
MDM
Profiling
Posturing
CA server
ISE
Source: Cisco Blog > Security > BYOD Presentations at Cisco Live Cancun 2012
* ISE is a RADIUS server
Network Access Control
802.1X / MAB
Web Authentication
Authentication and Authorization: ISE RADIUS server
ISE
802.1X / MAB Authentication
Centralized Web Authentication
Source: Cisco Identity Services Engine User Guide, Release 1.2
Guest Services and BYOD
Guest Services
Guests: Access to Internet
ISE
BYOD: For employees not visitors
Source: Cisco SISE 1.1 Courseware
Before BYOD:
With BYOD - Onboarding:
ISE recognizes that an employee authenticated on AD through the Guest Portal
1. CA Certificate installation
2. Device Registration
3. Certificate Enrollment
4. WiFi Profile installation
Profiling and Posturing
Advantages of Profiling
Discover and locate endpoints
Maintain a learnt inventory
Determine endpoint capabilities and identity group
Attributes are used in authentication and authorization conditions
Source: Cisco SISE 1.1 courseware
Profiling
If Device: Apple-iPad, then apply Authorization Policies: Tablets
Source: Cisco SISE 1.1 courseware
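The IF/THEN/ELSE context evaluation from the Context slide (Who, What, Where, When, How) and the Apple-iPad to Tablets profiling rule above, as an added Python example; this is not ISE's own code or policy syntax, and the attribute names, AD group names and authorization profile names are assumptions modelled on the slides.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

# Context attributes an ISE-style policy matches on (Who, What, Where, When, How).
# Attribute names and values are constructed for this example, not ISE's own schema.
@dataclass(frozen=True)
class Context:
    user: str              # Who
    groups: frozenset      # AD group membership (Who)
    device_profile: str    # profiling result, e.g. "Apple-iPad" (What)
    location: str          # e.g. "HQ-2F" (Where)
    when: datetime         # time of the access request (When)
    access_method: str     # "wired-802.1X", "MAB", "webauth", ... (How)
    posture: str           # "compliant", "non-compliant" or "unknown"

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Context], bool]
    profile: str           # authorization profile applied on match

def office_hours(ts: datetime) -> bool:
    return time(7, 0) <= ts.time() <= time(19, 0)

# Ordered like an ISE authorization policy: first match wins, the trailing ELSE denies.
# Posture is tested first so a non-compliant host never picks up a richer profile.
RULES = (
    Rule("Non-compliant posture", lambda c: c.posture == "non-compliant", "Quarantine"),
    Rule("Tablets", lambda c: c.device_profile == "Apple-iPad", "Tablets"),
    Rule("Sales on corporate laptop",
         lambda c: "sales" in c.groups and c.device_profile == "Corporate-Laptop"
         and c.access_method == "wired-802.1X" and c.location.startswith("HQ")
         and office_hours(c.when), "Sales-Full-Access"),
    Rule("Guest web authentication", lambda c: c.access_method == "webauth", "Internet-Only"),
)
DEFAULT_PROFILE = "Deny-Access"

def authorize(ctx: Context) -> tuple:
    """Return (rule name, authorization profile) for the first matching rule."""
    for rule in RULES:
        if rule.condition(ctx):
            return rule.name, rule.profile
    return "Default", DEFAULT_PROFILE

def decide(user, groups, device, location, when_iso, method, posture="unknown"):
    """Build a Context from plain values (ISO 8601 timestamp) and authorize it."""
    ctx = Context(user, frozenset(groups), device, location,
                  datetime.fromisoformat(when_iso), method, posture)
    return authorize(ctx)[1]
```

Jane Doe from the slide, `decide("jane.doe", ["sales"], "Corporate-Laptop", "HQ-2F", "2016-07-16T13:27", "wired-802.1X", "compliant")`, lands on Sales-Full-Access; the same request at 23:05 matches no rule and falls through to the ELSE, Deny-Access.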
Profiling Results: Endpoints database in ISE
ISE Posturing policies
Provisioning
Posturing
MDM: Posturing for Mobile Devices
Source: Cisco Identity Services Engine Administrator Guide, Release 1.4
VPN
Site-to-Site
VPN
Confidentiality: Encryption
AES
3DES
Integrity: Hashing
MD5
SHA
Authenticity: Authentication
Pre-shared Key
PKI
VPN Technologies
VPN
  Site-to-Site: IPsec*
  Remote Access
    IPsec: VPN Client (legacy), AnyConnect** (IKEv2)
    SSL
      Client: AnyConnect
      Clientless: Port Forwarding, Plug-ins, Smart Tunnels, Thin client
* On Cisco Routers, Site-to-Site VPN can also be achieved with DMVPN and GET
** AnyConnect 3.x offers IPsec IKEv2
Site-to-Site VPN
Source: Cisco SIMOS courseware
Remote-Access VPN
AnyConnect
What comes to mind when you hear AnyConnect?
SSL VPN
IPsec
AnyConnect replaces: VPN Client, Secure Services Client, AnyWhere+, NAC Agent
Host Scan
Phone Home
DART
AMP*
Cloud Web Security
Network Access Manager
ISE Posture (NEW: next slide)
* Released with AnyConnect 4.1
AnyConnect for ISE Posture
No need for NAC client anymore
Email and Web Security
Cisco and Email/Web Security
Cisco is not commonly known for a focus on proxies
In 2007, Cisco paid $830M for IronPort Application Security Gateways:
Email Security Appliance
Web Security Appliance
The Artist Formerly Known as: Ironport
So, why pay so much for a server?
SenderBase – Reputation Score
SensorBase
SIO
TALOS
Hygiene Pipeline of Cisco ESA
Source: Cisco SESA 2.1 courseware
Web Security
Old adage: HTTP is the new TCP
Many applications and services now run on top of HTTP and HTTPS
Filtering and inspecting web traffic is becoming a requirement:
Compliance
Peace of mind
WSA Acceptable Usage Policies
URL filtering
Anti-malware security
Bandwidth controls
Application controls
Identity-based security
HTTPS inspection
Data Loss Protection
SaaS Access Control
Q & A
Conclusion
Cisco Security Courses
CCNA Security e-Camp
IINS - Implementing Cisco IOS Network Security
SAEXS - Cisco ASA Express Security
SENSS - Implementing Cisco Edge Network Security Solutions
SIMOS - Implementing Cisco Secure Mobility Solutions
SISAS - Implementing Cisco Secure Access Solutions
SITCS - Implementing Cisco Threat Control Solutions
ASA Lab Camp v9.0
SASAA - Implementing Advanced Cisco ASA Security
SASAC - Implementing Core Cisco ASA Security
ACS - Cisco Secure Access Control System
SISE - Implementing and Configuring Cisco Identity Services Engine
SESA - Securing Email with Cisco Email Security Appliance
SWSA - Securing the Web with Cisco Web Security Appliance
Cisco FirePOWER Services and Cloud Web Security Workshop v1.0
SSFAMP - Securing Cisco Networks with Sourcefire FireAMP Endpoints
SSFIPS - Securing Cisco Networks with Sourcefire Intrusion Prevention System
SSFRULES - Securing Cisco Networks with Snort Rule Writing Best Practices
SSFSNORT - Securing Cisco Networks with Open Source Snort
Sources
Cisco Security Blog
Cisco SAFE Design Guide
Cisco Identity Services Engine User Guide
Cisco PKI Service for Large Scale IPsec Aggregation Design Guide
Cisco Live presentations (CCO login required): BRKSEC-1030 San Diego 2015
Cisco courseware SIMOS / SISE / SESA / SWSA / SASAA / SASAC
GK Cisco Training Exclusives
6 months of Anytime access to Cisco Practice Labs
Anytime Access to Boson Practice Exams
On-Demand Access to Searchable Class Recordings of Your Virtual Class
Unlimited Retakes of Your Class
Free Cisco Certification Exam Voucher
Find Out More
www.globalknowledge.ca
On-demand & live webinars, white papers, blog...
www.globalknowledge.ca/security
Courses