
5 Cisco


Uploaded by

abhiraj1234
Copyright
© Attribution Non-Commercial (BY-NC)

The Self-Defending Network

Innovations in Meeting Tomorrow's Blended Threats

Ricky Elias
Business Development Manager, Advanced Technology
Cisco Systems (USA) Pte Ltd
[email protected]
NGC Security
2003 Cisco Systems, Inc. All rights reserved.

Top Security Issues for 2005


Chief Security Officers from several top technology firms and government agencies say computer worms, viruses and regulatory compliance are likely to be the hot-button issues that will keep them awake at night in 2005.
http://www.aspnews.com/news/article.php/3445521

2nd CSO Interchange New York, December 2004

The need to quickly patch vulnerabilities is becoming a major security pain point.
Customers are considering using hyper-patching and mass roll-out systems (push technology) to start solving hyper-patching problems.

Security Threat Evolution


Increased Risk of Theft and Disruption

[Chart: threat generations plotted against target and scope of damage]

Target and scope of damage: Individual Computer, Individual Networks, Multiple Networks, Regional Networks, Global Infrastructure Impact
Time scale: Weeks, Days, Minutes, Seconds
Timeline: 1980s, 1990s, Today, Future

1st Gen: Boot viruses
2nd Gen: Macro viruses, Email DoS, Limited hacking
3rd Gen: Network DoS, Blended threat (worm + virus + trojan), Turbo worms, Widespread system hacking
Next Gen: Infrastructure hacking, Flash threats, Massive worm-driven DDoS, Damaging payload worms, Wide-spread data theft

The Year in Review

Bot, Phishing, Spyware, Blended Attack

Phishing


The Year in Review


Increased Mobility

[Diagram: HQ connected over the WAN to Branches, Teleworkers, and Airports, Hotels, WLAN Hotspots, etc.]

Even the most effective perimeter defense will not stop piggy-back infections.
It is not cost effective to manually check each laptop and device as it comes in from the outside.

The Year in Review

Emerging Threats in the Corporate Interior


Man-in-the-Middle Attack

[Diagram: Innocent User, Email Server, Attacker with Simple Network Access, Record Data]

# ettercap NCsz
ettercap 0.6.3.1 2001 AloR & NaGA
Your IP: 192.168.0.70 with MAC: 00:03:FF:BE:F0:52: eth0
Loading plugins Done.
Resolving 1 hostnames
Press h for help
Sniffing (IP based): ANY:0 < -- > ANY:0 TCP packets only (Default)
Collecting passwords
00:22:10 192.168.0.70:1107 < -- > 192.168.0.42:80 www
USER: root PASS: hamhocks4#age
http://mail.victim.com/root.asp

Slide annotations on the capture: [captures username/password combinations highlighted below] and [the site where username and password was entered]

Works for traffic within or outside of a building.
Attacker only needs to be attached on the same subnet as one victim.
Tools are easily downloadable and simpler to use than most video games (GUI or CLI, your choice).

Evolution of Security Requirements

PAST: Reactive / Standalone / Product Level

NEEDED NOW: Automated, Proactive / Integrated, Multiple Layers / System-level Services

A Collaborative Systems Approach

A Logical Strategic Response


Self-Defending System

Intelligent Linkage of Endpoint with Network

[Diagram labels: End System-Based Security (AV, HIPS, Personal FW); Network-Based Security (IDS, AD, IPS, DDOS); Identity and Trusted Network (VPN, ID/Trust); Behavior/Anomaly; IPS/FW; SSL VPN; VPN; FW + VPN; FW; APP FW]

An integrated system
Endpoint security solutions know security context and posture.
Policy servers know compliance/access rules.
Network infrastructure provides enforcement mechanisms.

Multiple Layers of Network Defense


[Figure: "Risk-ometer" with levels High, Medium, Moderate and Low. Labels: Open Network, Firewall, IPS, Easy VPN, ACL, DMVPN, CPP, NAC, 802.1x, V3PN. At Low: "Risk has been minimized!"]

You Can Protect The Interior


Keep the Insiders Honest

Protect the Interior

Catalyst Integrated Security Features: IP Source Guard, Dynamic ARP Inspection, DHCP Snooping, Port Security

Layered Cisco Integrated Security Prevents Common Attacks

[Diagram: Innocent User and Email Server; the claims "I'm Your Email Server" and "I'm The User" are answered with "No You're Not!"]

Catalyst Integrated Security Features help administrators prevent and track man-in-the-middle attacks.
Prevents DHCP starvation attacks.
Prevents IP-spoofed DoS attacks.
Hardens the Ethernet standard.
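How two of these features fit together, as an added example (not from the original slides and not Cisco's implementation): a simplified Python model in which DHCP snooping builds a binding table and Dynamic ARP Inspection checks ARP senders against it. The class, port names, VLAN number and every MAC except the attacker's from the capture are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    sender_mac: str
    sender_ip: str
    vlan: int
    port: str  # ingress switch port

class AccessSwitch:
    """Simplified model of DHCP snooping feeding Dynamic ARP Inspection."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks / DHCP server ports
        self.bindings = {}                  # (vlan, ip) -> (mac, port)
        self.drops = []                     # what an administrator would review

    def dhcp_ack(self, server_port, mac, ip, vlan, client_port):
        # DHCP snooping: server replies are accepted only from trusted ports.
        if server_port not in self.trusted:
            self.drops.append(("rogue-dhcp", server_port, ip))
            return False
        self.bindings[(vlan, ip)] = (mac.lower(), client_port)
        return True

    def inspect_arp(self, pkt):
        # DAI: on untrusted ports the sender IP/MAC must match a snooped binding.
        if pkt.port in self.trusted:
            return True
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == (pkt.sender_mac.lower(), pkt.port):
            return True
        self.drops.append(("arp-mismatch", pkt.port, pkt.sender_ip))
        return False

def demo():
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    # Constructed leases; .70 and .42 are the addresses in the capture above,
    # the MACs other than the attacker's are made up.
    sw.dhcp_ack("Gi0/24", "00:11:22:33:44:42", "192.168.0.42", 10, "Gi0/1")
    sw.dhcp_ack("Gi0/24", "00:03:FF:BE:F0:52", "192.168.0.70", 10, "Gi0/3")
    # A DHCP reply arriving on an access port is refused, so no binding is made.
    rogue = sw.dhcp_ack("Gi0/3", "00:11:22:33:44:50", "192.168.0.50", 10, "Gi0/2")
    # The host's own ARP passes; its claim to be the mail server does not.
    honest = sw.inspect_arp(Arp("00:03:FF:BE:F0:52", "192.168.0.70", 10, "Gi0/3"))
    spoof = sw.inspect_arp(Arp("00:03:FF:BE:F0:52", "192.168.0.42", 10, "Gi0/3"))
    return rogue, honest, spoof, sw.drops
```

The drop list is the "track" half of the claim: each rejected packet records the access port it arrived on.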


Segment The Campus

Assign Access Based on Identity

Identity and Trust

Based upon the user's credentials via 802.1x (user identity).
Guest users, or those without 802.1x running on their laptop, can be denied or placed into a guest VLAN.

[Diagram: Multiple WLAN VLANs on an 802.11b WLAN. Labels: Eng VLAN=99, Corp WLAN VLAN=33, Sales VLAN=99, Guest VLAN=99. Unauthenticated User Is Blocked Access to the Network]

Network Admission Control


Detect and Remediate

Identity and Trust

1. Non-compliant endpoint attempts connection
2. PC is denied access to the corporate Net
3. Quarantine area and remediation

[Diagram labels: Branch or Campus, NAD, CTA, Corporate Net, Campus, Remediation, Quarantine Area, ACS]

NAD = Network Admission Device; CTA = Cisco Trust Agent; ACS = Access Control Server

Multiple Layers of Endpoint Behavior Protection


Probe phase: Ping scans, Port scans
Penetrate phase: Transfer exploit code to target
Persist phase: Install new code, Modify configuration
Propagate phase: Attack other targets
Paralyze phase: Erase files, Crash system, Steal data

Protect the Endpoints

Desktop protected by CSA

Server protected by CSA

Distributed Firewall, O/S Hardening, Host IDS/IPS, File Monitoring, System Policy Control, Patch Management, Malicious Code Protection

Self Defending Network Strategy


SELF-DEFENDING NETWORK
Dramatically Improve the Network's Ability to Identify, Prevent, and Adapt to Threats

INTEGRATED SECURITY
Secure Connectivity, Threat Defense, Trust and Identity

SECURITY TECHNOLOGY INNOVATION
Endpoint Security, Application Firewall, SSL VPN, Network Anomaly Detection

SYSTEM-LEVEL SOLUTIONS
Endpoints + Networks + Policies, Services, Partnerships

Questions?
