
Intrusion Prevention System Modules for Integrated Services Routers

Cisco IPS AIM and IPS NME Overview for Business Decision Maker
Tina Lam, Product Manager, Cisco Systems

C97-494048-00 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Organizational Impacts of Security Threats

Security Threats
• Distributed Denial of Service
• Virus outbreak
• Random or direct theft
• Break-in, espionage
• Web-site defacement
• Customer information leak

Who Sees the Pain
• Disruption impacts productivity: CIO Problem
• Loss impacts value: CFO Problem
• Loss damages customer, shareholder confidence, company reputation: CEO Problem

Reducing the Grey: Uncertainty Equals Risk and Cost

[Diagram. Traffic classes: GOOD: Allow; RELEVANT: Pass and Log; SUSPICIOUS: Pass and Alarm; BAD: Block. Controls shown: NAC, Traffic Shaping, IPS, Monitoring and Correlation, Anti-X, DDoS, Firewall. Contrast: "Inefficient; Highly Manual" versus "Efficient Operations; Effective Security" with the Self-Defending Network.]

Cisco Intrusion Prevention Strategy
Comprehensive Threat Protection for the SDN

[Diagram, from Internet to Intranet. Products: Cisco Security Agent, Cisco Integrated Services Routers, Cisco ASA 5500 Adaptive Security Appliance, Cisco IPS 4200 Series, Cisco Catalyst® Services Modules, Cisco Security MARS, Cisco Security Manager. Coverage: Endpoint Protection, Branch Protection, Perimeter Protection, Data Center Protection, Server Protection, Monitoring and Correlation, Solution Management.]

Integrated: Location Matters
• The most diverse line of IPS sensors: the right tool for the right job, anywhere in the network
• IPS integrated into the fabric of the network
• Built on Cisco security and network intelligence

Adaptive: Focused Protection
• Modular inspection engines: respond rapidly with minimal downtime
• Behavioral anomaly detection: protect against zero-day attacks
• Dynamic risk-based threat rating: adapt threats policy in real time

Collaborative: Better Together
• On-box and network-wide correlation to provide greater accuracy and confidence
• Endpoint and network sensors sharing live network information
• Reduced operational costs with a common, solution-based management interface

Intrusion Prevention System (IPS)
Advanced Integration Module and Network Module

Accelerated Threat Control for Cisco® ISR (NEW)
• Enables inline and promiscuous Intrusion Prevention (IPS)
• Runs same software (CIPS 6.1) and enables same features as Cisco IPS 4200
• Performance improvement by hardware acceleration; dedicated CPU and DRAM to offload host CPU
  AIM: up to 45 Mbps
  NME: up to 75 Mbps
• Device management through Cisco IPS Device Manager (IDM), Cisco Configuration Professional (CCP); network-wide management through Cisco Security Manager (CSM)
• Supported by IPS Manager Express (IME) and CS-MARS on event monitoring and correlation

NME-IPS-K9: Cisco 2811, 2821, 2851, 3800
AIM-IPS-K9: Cisco 1841, 2800, 3800
Cisco IOS® Advanced Security or Above
  AIM: 12.4(15)XY, 12.4(20)T
  NME: 12.4(20)YA

[Images: AIM-IPS, NME-IPS]

Incorporates Network Admission Control (NAC) appliance server
• Enforces security policies
• Scans for latest anti-virus software
• Prevents unauthorized access and spread of viruses on the network
• Supports wired, wireless and guest NAC
• Integrated into Cisco ISRs
• Provides size and scale ideal for remote offices (<100 users)
• Works with NAC appliances at headquarters in a network system
• Benefits of router integration: Systems Integration, Lower Operating Costs

Cisco IPS Product Portfolio

IPS 4200 Series
Dedicated appliances for high performance, data center, and focused function environments
• IPS 4240, IPS 4255, IPS 4260, IPS 4270

Cisco Catalyst 6500 Series
Switch Integrated Service Modules for data center and switch integration
• IDSM2, Cisco Catalyst 6500 IDSM2 Bundle

ASA 5500 Series
Firewall-integrated for comprehensive security and Unified Threat Management
• ASA5510-AIP10, ASA5520-AIP20, ASA5540-AIP40

ISR Series Routers
Remote Office/Branch services for scalable remote office protection
• Cisco IOS IPS, IPS AIM and IPS NME

[Chart axis: Performance]

Branch Needs for Self-Defending Network

Trends
• PCI Compliance (Retail); HIPAA (Healthcare); Sarbanes-Oxley/GLBA (Finance)
• Prone to attacks from split tunnels, contaminated laptops and rogue APs

Security
• Moves protection to the edge before threats enter corporate or SP network
• Helps to manage unmanaged devices

[Diagram: branch ISR with IPS AIM or IPS NME, connected over the Internet through an IPSec Tunnel to the Corporate Office. Branch segments: Servers 192.168.3.14-16/24, Employees 192.168.1.x/24, Wireless Guests 192.168.2.x/24. Callouts: "Protect Servers at Branch", "Protect WAN Link and Upstream Corporate Resources", and three "Threat" markers.]

Benefits of Integrated IPS on ISR

[Diagram labels: Corporate Office with 42xx IPS Sensor, CS-MARS and Cisco Security Manager; SMB Network with MSSP CE Router and AIM IPS; Internet/SP Network; ISR; Small Branch with AIM IPS; Large Branch with NME IPS.]

• Full feature, high performance threat protection in the Branch or SMB network
• Requires no additional footprint, cabling, and power requirements
• Systems integration with data, security and voice features on ISR
• Supports any routed WAN link (transport agnostic): T1/E1, T3/E3, Ethernet, xDSL, MPLS, 3G WWAN
• Provides defense-in-depth to the perimeter of the network: ICSA-certified Cisco IOS Firewall, IPSec and SSL VPN, NAC, URL Filtering

Securing Cisco Unified Communication Manager and Phones with Cisco IPS

• In-line inspection of voice and video traffic
• Protect infrastructure that voice runs on:
  - Protect Call Management infrastructure from attack
  - Real-time anomaly detection for day-zero threats
  - Drop calls that are coming from IP addresses identified on the Cisco Security Agent “watch list”
• Complements firewall application inspection technology

Cisco IPS’ Risk-Based Policy enables easy management of IPS by non-experts

[Diagram: traffic passes the Firewall and IPS; Legitimate Traffic continues.]

Protection against:
• Application misuse
• DoS/hacking
• Known attacks
• Zero-day attacks
• Viruses/worms, spyware infecting traffic

Cisco High-Performance IPS Applications: Wireless Intrusion Prevention

• Protect the enterprise from wireless users
  High-performance IPS helps protect at WLAN speeds for guest users’ and employees’ infected computers
• Selectively block malicious traffic
  Cisco IPS inspection services help enable accurate protection from wireless traffic
• Remove repeat offenders from the network
  Cisco IPS and Cisco WLAN Controllers work collaboratively to detect attackers from Layer 2 to Layer 7, and remove repeat offenders from the network

[Diagram labels: Cisco High-Performance IPS, Cisco WLAN Controller, Cisco Access Point]

Cisco IPS Manager Express (IME) (NEW)
All-in-One IPS Management Application for up to Five IPS Sensors

• Startup Wizard: Get up and running in just minutes
• Dashboard: Put needed information at your fingertips
• Configuration: Save time with intuitive interface
• Reporting: Create and share security and compliance reports
• Monitoring: See what’s happening with real-time and historical security events

[Screenshot: At-a-Glance Dashboard]

Cisco Security Manager
Integrated Security Configuration Management

Firewall Management
• Support for PIX®, ASA, FWSM, and Cisco IOS Routers
• Rich FW rule definition: shared objects, rule grouping, and inheritance
• Powerful analysis tools: conflict detection, rule combiner, hit counts, …

VPN Management
• Support for PIX, ASA, VPNSM, VPN SPA, and Cisco IOS Routers
• Support for wide array of VPN technologies such as DMVPN, Easy VPN, and SSL VPN
• VPN Wizard for Three-Step Point-and-Click VPN Creation

IPS Management
• Support for IPS Sensors, modules and Cisco IOS IPS
• Automatic policy-based IPS Sensor software and signature updates
• Signature Update Wizard allowing easy review/editing prior to deployment

Reduce OpEx
• Unified security management for Cisco devices supporting FW, VPN, and IPS
• Efficiently manage up to 5000 devices per server
• Multiple views for task optimization: Device View, Policy View, Topology View

Cisco Services for IPS
Rapid Signature Updates for Emerging Threats

[Diagram: Vulnerabilities and Threats, Cisco IPS Signature R&D Team, Updated Signature Package]

• Follow-the-Sun Research: Extensive around-the-clock research capability gathers, identifies and classifies vulnerabilities and threats
• Rapid Response: Signatures are created to mitigate the vulnerabilities within hours of classification
• Human Intelligence: Applied Intelligence Reports provide insight and guidance on using IPS technology to protect yourself

Cisco Security IntelliShield Alert Manager Service
Now Includes IPS Signature-to-Threat Correlation

• Complete vulnerability and threat information in a single database
• Notification of only those vulnerabilities relevant to a pre-defined infrastructure
• Actionable alerts in a standardized format based on user-customized profiles
• Each vulnerability or threat is analyzed and validated by security analysts
• Vulnerability and threat information is vendor-neutral and objectively graded
• Comprehensive library of over 10,000 threats and vulnerabilities
• Built-in workflow allows easy management of tasks and remediation efforts

Cisco License Manager

• Automates license management for IPS AIM, IPS NME and more
• Increased productivity
  - Rapidly roll out new services: 500 licenses deployed in two minutes
  - Scales to 30,000 devices
• Enhanced Security and Virtualization
  - Role-Based Access Control via user roles
  - Access Control Lists limit access to PAKs and Devices
• Reduced complexity
  - Automated licensing workflows
  - License reports aid in audit compliance
• Investment protection
  - Full-functionality Java and Perl Software Development Kits (SDK) to integrate with existing applications
• Faster failure recovery
  - Restore device licenses from database backup
  - Resend all licenses from Cisco.com and deploy them quickly
