Building the Self Defending Network

muterollMobile - Wireless

Dec 10, 2013

© 2003, Cisco Systems, Inc. All rights reserved.


8426_07_2003_Richardson_c11

Building the Self Defending Network
System Level Defense & Policy Compliance

OEDSA Conference
September 15, 2004

George Chopin
Cisco Security Specialist, CISSP





A well defined and implemented security strategy significantly helps schools mitigate risk:

* Ensure Application Resilience & System Availability
* Compliance with Industry Legislation (FERPA, CIPA, etc.)
* Limiting Liability and Demonstrating Due Diligence
* Protecting and Managing School Assets
* Faculty, Student & Parent Confidence

Policy Definition & Enforcement

District-wide priorities require district-wide security approaches.





A sound security policy is the best first line of defense

* A security policy should expand the scope of the familiar Acceptable Use Policy
* Heavy burden on IT to secure all aspects of educating
  - Assessing Security Risks
  - Defining & Authoring District Security Policy
  - Designing & Implementing Security Infrastructure
  - Enforcement of District Security Policy

Policy Definition & Enforcement


What are You Protecting?

* Student Records: Confidential Info (FERPA, HIPAA)
* User Documentation: Privacy & Theft
* Student Access: Internet (CIPA, COPPA, E-Rate)
* Hardware Assets: System Availability, Labs
* Software: License Abuse, Viruses, etc.
* Legal Liability: Due Diligence
* Reputation



Importance of a Security Policy & Strategy

* Relevant to top district needs & concerns
* Demonstrates increased due diligence
* Reduces risk and legal liability
* Increases key stakeholder customer confidence
* Strengthens compliance efforts
* Serves as a compass


Current Landscape & Trends

* Applications are increasingly accessible district-wide
* Attacks place application resilience & compliance at risk
* Speed of Infection
  - Code Red: doubled infections every 37 minutes
  - Slammer: doubled infections every 8.5 seconds
* Speed of Reverse Engineering of Published Patches
  - Slammer (January '03): 185 days
  - Sasser (April '04): 17 days
* Down-stream infections are a growing concern.


Increased Risks

Number of Security Incidents Reported 1988-2003
(Source: CERT Coordination Center at Carnegie Mellon University in Pittsburgh)

Year   Incidents
1988   6
1989   132
1990   252
1991   406
1992   773
1993   1,334
1994   2,340
1995   2,412
1996   2,573
1997   2,134
1998   3,734
1999   9,859
2000   21,756
2001   52,658
2002   82,094
2003   137,529

Threats are more numerous, faster, blended, global and increasingly malicious.







Some Challenges of Defense & Policy Enforcement

* Speed of Virus and Worm Propagation
* Speed of Reverse Engineering of Published Patches
* Patch Management Processes
* Budget Tightening - Risk vs. Cost Analysis

__________________________________________________

Culture

* Enforce vs. Encourage
* Users intentionally and unintentionally make poor choices
* Users are increasingly mobile, and our world is hostile: 7,000 new Internet sites each week
* Compliance Tracking
* Training and Awareness for employees



System Level Defense & Policy Enforcement

Increased access carries increased risks and vulnerabilities

Cisco’s Self Defending Network Initiative (SDNI)
elevates security well above the level of point
product to one of complete system awareness and
participation. It contends the network system, at all
points of access and authentication, must provide
strong defense while helping to enforce policy
compliance.


Threat Evolution

Target and scope of damage grows with each generation: Individual Computer, Individual Networks, Multiple Networks, Regional Networks, Global Infrastructure Impact.

1st Gen (1980s): Boot viruses. Time to impact: weeks.

2nd Gen (1990s): Macro viruses; Email; DoS; Limited hacking. Time to impact: days. Cisco response: Cisco Point Products.

3rd Gen (Today): Network DoS; Blended threat (worm + virus + trojan); Turbo worms; Widespread system hacking. Time to impact: minutes. Cisco response: Cisco Integrated Security.

Next Gen (Future): Infrastructure hacking; Flash threats; Massive worm driven DDoS; Damaging payload viruses and worms. Time to impact: seconds. Cisco response: Cisco Self Defending Network.


Security is a Top Cisco Priority

Responding to our customers

* Cisco Invests 30% of Security Revenue back into R&D ($300M)
* Security is now a $1B+ business for Cisco
* Four security acquisitions in past two years
* Cisco has captured #1 market position for VPN, Firewall and Intrusion Detection (source: Infonetics Research)
* John Chambers will hire 1,000 new employees focused around advanced technologies

“Our goal is to minimize risk while maximizing productivity opportunities through integrated network security solutions.”
- John Chambers



Cisco has provided integrated security blueprints for many years

Cisco’s Self Defending Network Initiative takes our leadership position to the next level

Blueprints available for:

* Enterprise
* Small Business
* IPSec VPNs
* Voice
* Wireless
* e-Commerce (w/ content security)


Example: Helping Customers Extend IT Investments

Continuously Increasing Security Capabilities of Core Devices

Secure WAN Routers include:

* Site-to-Site VPN
* Remote VPN
* Stateful Firewall
* URL Filtering
* Intrusion Detection
* Network Admission Control
* Secure Mgt

Catalyst 6500 Security Modules:

* VPN
* FireWall
* Intrusion Detection
* SSL
* NAM
* DDoS Detection & Guard (coming)



Cisco’s Security Vision

System Level Defense & Policy Compliance

INDUSTRY COLLABORATION / INTEGRATED SECURITY / SYSTEM LEVEL SOLUTION

* Secure Connectivity
* Threat Defense
* Trust and Identity
* Network Admission Control Program

Dynamically identify, prevent, and respond to threats

End-to-End

Multi-phased initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats


Cisco Network Admission Control (NAC)

Security Credential Checking

Components in the diagram:

* Endpoints attempting Network Access, running an Anti-Virus client, the Cisco Trust Agent and the Cisco Security Agent
* Cisco Network Access Device: Security Policy Enforcement (permit, deny, quarantine, restrict)
* Cisco Secure ACS Policy Server: Security Policy Creation
* AV Vendor Policy Server or Network Management Server: AV/OS Policy Evaluation

1) Cisco Trust Agent reports endpoint credentials such as anti-virus and operating system information, etc.

2) Cisco router or switch passes credentials to policy servers.

3) If the user is not compliant, admission control software on the router or switch quarantines the endpoint.

4) AV and/or Network Management servers remediate the endpoint to achieve compliance.

5) Network access is allowed now that the endpoint is compliant.

Cisco Security Agent reports Microsoft OS credentials.
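The five-step admission flow above, as an added Python model that is not Cisco code and not the behaviour of Cisco Secure ACS or the Trust Agent. The policy thresholds, hotfix names (placeholders, not real patch identifiers), host names and dates are all constructed; the decision labels are the four the slide names (permit, deny, quarantine, restrict), and "remediate" stands in for whatever the AV or management server would push to a quarantined host:

```python
# Added example, not Cisco code: a toy model of the five-step NAC admission
# flow on the slide (report credentials, evaluate against policy, quarantine,
# remediate, re-admit). All hosts, dates, thresholds and hotfix names are
# constructed; the decision labels follow the slide's permit/deny/quarantine/restrict.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

TODAY = date(2004, 9, 15)  # constructed "now" for the signature-age check

# Constructed policy, standing in for what a policy server would hold.
POLICY = {
    "max_signature_age_days": 7,
    "required_hotfixes": {"HOTFIX-A", "HOTFIX-B"},  # placeholders, not real patch ids
    "supported_os": {"Windows NT", "Windows 2000", "Windows XP"},  # Phase 1 agent OSes
}


@dataclass
class Posture:
    """Step 1: the credentials the trust agent reports for one endpoint."""
    host: str
    has_trust_agent: bool
    os_name: str = ""
    av_signature_date: Optional[date] = None
    hotfixes: Set[str] = field(default_factory=set)


Decision = Tuple[str, List[str]]


def evaluate(p: Posture, policy: dict, today: date) -> Decision:
    """Steps 2-3: the policy server's verdict and the reasons behind it."""
    if not p.has_trust_agent:
        # Nothing to evaluate; the access device falls back to a restricted role.
        return "restrict", ["no trust agent; posture unknown"]
    if p.os_name not in policy["supported_os"]:
        # Not a platform the policy covers at all: refuse rather than quarantine.
        return "deny", ["unsupported operating system: " + p.os_name]
    reasons: List[str] = []
    if p.av_signature_date is None:
        reasons.append("anti-virus not reporting")
    elif (today - p.av_signature_date).days > policy["max_signature_age_days"]:
        reasons.append("anti-virus signatures stale")
    missing = policy["required_hotfixes"] - p.hotfixes
    if missing:
        reasons.append("missing hotfixes: " + ", ".join(sorted(missing)))
    return ("quarantine", reasons) if reasons else ("permit", [])


def remediate(p: Posture, policy: dict, today: date) -> Posture:
    """Step 4: what the AV / management server pushes to a quarantined host."""
    p.av_signature_date = today
    p.hotfixes |= policy["required_hotfixes"]
    return p


def admission_flow(p: Posture, policy: dict = POLICY, today: date = TODAY) -> List[Decision]:
    """Run steps 1-5 for one endpoint and return every decision taken, in order."""
    history = [evaluate(p, policy, today)]
    if history[-1][0] == "quarantine":
        remediate(p, policy, today)
        history.append(evaluate(p, policy, today))  # Step 5: re-check after remediation
    return history


def demo() -> dict:
    """Constructed endpoints covering each decision the slide names."""
    endpoints = [
        Posture("lab-pc-1", True, "Windows XP", date(2004, 9, 1), {"HOTFIX-A"}),
        Posture("staff-laptop", True, "Windows XP", date(2004, 9, 14), {"HOTFIX-A", "HOTFIX-B"}),
        Posture("visitor-box", False),
        Posture("legacy-box", True, "Windows 98", date(2004, 9, 14), set()),
    ]
    return {p.host: admission_flow(p) for p in endpoints}


if __name__ == "__main__":
    for host, history in demo().items():
        print(host, " -> ".join(f"{d} {r}" for d, r in history))
```

The point to notice is that a host with no agent is restricted rather than silently permitted, and that quarantine is a transient state: the same evaluation runs again after remediation, so the verdict history records both the failure reasons and the eventual admission.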


NAC Schedule (best efforts to accelerate)

Phase 1 - Summer 2004
  Network Devices: IOS Routers 800 - 72xx
  Cisco Trust Agent Support: Windows NT, 2000, XP
  Industry Partners: AV Vendors
  Device Communications: Layer 3, EAP/UDP

Phase 2 - Winter 2004
  Network Devices: Switches, Wireless Access Points
  Cisco Trust Agent Support: Windows 2003, Red Hat Linux, Solaris
  Industry Partners: OS Vendors, Mgmt Vendors
  Device Communications: Layer 2, EAP/802.1x

Phase 3 - Summer 2005
  Network Devices: Security Devices, VPN Concentrators, IP Phones, Cisco Appliances
  Cisco Trust Agent Support: MAC OS, HPUX, AIX
  Industry Partners: Broad Vendor Support
  Device Communications: HTTP/SSL


Phase 1 Deployment Scenarios

Router-Based compliance enforcement Q2CY04

Diagram: Main Office, Branch Office, Lab and Data Center (AAA & AV Svrs), connected through the VPN Edge, Extranet Edge and Internet Edge to Users, a Partner (Partner WAN), the Private WAN and the Internet.

* Branch office compliance: Focus first on less trusted/managed offices
* Extranet compliance: Partner hosts are patched and comply
* Internet compliance: Ensure hosts are hardened prior to browsing
* Lab compliance: Production network access only for compliant devices
* Data center protection: Devices accessing protected servers must comply


Cisco Integrated Security Portfolio

SELF DEFENDING NETWORK

MANAGEMENT AND ANALYSIS
* Centralized security management
* Security policy, security event monitoring and analysis
* Threat validation and investigation
* Embedded device management

COMPLETE COVERAGE
* Protecting Desktops, Servers and Networks (CSA)

FLEXIBLE DEPLOYMENT
* Security Appliances
* Switches
* Routers
* Security Software

SECURITY SERVICES & SOLUTIONS
* VPN
* Firewall
* Intrusion Detection
* Identity
* Behavior Based Threat Defense

SECURE INFRASTRUCTURE
* Device Authentication, Port Level Security, Secure and Trusted Devices, Secure Access, Transport Security


CSA Already Protecting Voice

Diagram: CSA deployed at the Main Office, Branch Office and Data Center (Application Servers, Unity, Call Manager), across the Private WAN and Internet, for the Mobile Worker and Secure Wireless.


CSA should also be protecting your other business critical applications:

* HR
* Finance
* Student Records
* Web


Why Cisco Security Agent (CSA) is a Great First Step

Provides “Day Zero Defense” against attacks
* Policies stop new attacks that attempt malicious behavior
* Policies allow “good” behavior and prevent “bad” behavior

Helps Alleviate Patch Management Crisis
* CSA enables fewer updates to endpoints in a proactive and scheduled fashion, which means a lower TCO per server

Integration with NAC
* Provides operating system patch and hot fix information to Cisco Trust Agent for compliance validation

Customer Defined Policies
* First point of enforcing customer defined policies (e.g. no MP3s)



Cisco Security Agent (CSA): Behavioral Protection From Attacks

CSA stops known and unknown attacks based upon the behaviors they exhibit and does not rely on signature matching.


Types of Behavior Control

* Malicious Behavior (Always undesired): CSA Protection - Default Server & Desktop Policies
* Policy Violations (May be undesired): CSA Protection - Default Application Policies
* All Possible Types of Security-Relevant Behavior: CSA Protection - CSA Profiler

Strict Control

CSA provides out-of-the-box protection against known and unknown malicious behavior.

CSA can also provide customized behavioral security for any environment.


CSA stops Mydoom with default policies based upon the behavior this worm exhibits.

What is suspect? After the user has opened the attachment it is attempting to access a network related resource. This is suspect behavior, and therefore CSA stops it.

If customers are not confident their employees will regularly select to terminate, CSA can be configured to take preventative action without querying the user.
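The behavioural rule the slide describes, as an added Python sketch that is not Cisco Security Agent code and makes no claim about how CSA implements its policies. It tracks process lineage and flags a process launched by a mail client from the attachment cache when that process, or anything it spawns, touches the network or the system directory; the mail client names, attachment path, event trace and the "query" versus "terminate" labels (standing in for the prompt-the-user and pre-configured enforcement modes the slide contrasts) are all constructed:

```python
# Added example, not Cisco Security Agent code: a toy behavioural monitor that
# reproduces the slide's Mydoom logic (a process launched from an e-mail
# attachment that then touches the network is suspect) without any signature.
# Process names, paths and events are constructed; "query" vs "terminate" stands
# in for the user-prompt vs. pre-configured enforcement modes the slide describes.
from dataclasses import dataclass
from typing import Dict, List, Tuple

EMAIL_CLIENTS = {"outlook.exe", "msimn.exe"}      # constructed list of mail clients
ATTACHMENT_DIR = "c:\\temp\\attachments\\"         # constructed attachment cache path
SUSPECT_ACTIONS = {"connect", "write_system"}      # what an attachment may not do


@dataclass
class Event:
    pid: int
    ppid: int
    image: str      # full path of the acting process
    action: str     # "spawn", "connect", "write_system", "write_user"
    target: str = ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class BehaviorMonitor:
    """Tracks process lineage and judges behaviour, never file content."""

    def __init__(self, enforce: bool) -> None:
        self.enforce = enforce
        self.image: Dict[int, str] = {}
        self.tainted: Dict[int, bool] = {}   # pid -> descends from an attachment?

    def handle(self, ev: Event) -> str:
        if ev.action == "spawn":
            parent = _basename(self.image.get(ev.ppid, ""))
            from_attachment = (parent in EMAIL_CLIENTS
                               and ev.image.lower().startswith(ATTACHMENT_DIR))
            # Children of a tainted process inherit the taint (cmd.exe, etc.).
            self.tainted[ev.pid] = from_attachment or self.tainted.get(ev.ppid, False)
            self.image[ev.pid] = ev.image
            return "allow"
        if ev.action in SUSPECT_ACTIONS and self.tainted.get(ev.pid, False):
            # Prompt the user, or act without asking when enforcement is pre-configured.
            return "terminate" if self.enforce else "query"
        return "allow"


def run(events: List[Event], enforce: bool) -> List[Tuple[int, str, str]]:
    """Replay a trace through a fresh monitor; returns (pid, action, decision)."""
    mon = BehaviorMonitor(enforce)
    return [(ev.pid, ev.action, mon.handle(ev)) for ev in events]


# Constructed trace: the mail client is allowed to use the network, the
# attachment it launched is not, and neither is the shell the attachment spawns.
SAMPLE_EVENTS = [
    Event(100, 1,   "C:\\Program Files\\Outlook\\outlook.exe", "spawn"),
    Event(100, 1,   "C:\\Program Files\\Outlook\\outlook.exe", "connect", "mail.example.edu:110"),
    Event(200, 100, "C:\\Temp\\Attachments\\document.exe", "spawn"),
    Event(200, 100, "C:\\Temp\\Attachments\\document.exe", "write_user", "C:\\Temp\\readme.txt"),
    Event(200, 100, "C:\\Temp\\Attachments\\document.exe", "connect", "198.51.100.7:25"),
    Event(300, 200, "C:\\Windows\\System32\\cmd.exe", "spawn"),
    Event(300, 200, "C:\\Windows\\System32\\cmd.exe", "write_system", "C:\\Windows\\System32\\x.dll"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("enforce mode:" if mode else "query mode:")
        for pid, action, decision in run(SAMPLE_EVENTS, mode):
            print(f"  pid {pid:<4}{action:<13}{decision}")
```

Nothing in the monitor knows what Mydoom looks like; the same two facts (launched from an attachment, now reaching for the network) would flag an attachment-borne worm that had never been seen before, which is the "known and unknown" claim the preceding slides make for behaviour-based control.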


The Challenge of Patch Relief

“We’re between a rock and a hard place. No one can manage this effectively. I can’t just automatically deploy a patch. And because the time it takes for a virus to spread is so compressed, I don’t have time to test them before I patch either.”

- Bob Wynn, CISO State of Georgia, in CSO Magazine August 2003
  http://www.csoonline.com/read/080103/patch.html





The Value of Patch Relief

CSA enables more cost effective patch management (providing relief from today’s reactive approach):

* Vulnerable hosts have protection in the face of new attacks
* Customer may wait for ‘roll-ups’ and Service Packs, which come better qualified from vendor
* Testing and implementation of updates can be scheduled without undue change control interruption

CSA enables fewer updates to endpoints in a proactive and scheduled fashion, which means a lower TCO per server.

Gartner estimates that it can cost organizations up to $300 per server per patch.
- Information Week, Attacks Averted, Feb 3, 2003



Cisco’s Security Value Proposition

* Cisco has always recognized that security threats require a true solutions approach, and is demonstrating industry leadership in vision, collaboration and investment.
* Industry support of Cisco’s Self Defending Network Initiative and Network Admission Control will result in the network making intelligent admission, defense and policy compliance decisions.
* Cisco will help customers extend infrastructure investments by increasing the security capabilities of all LAN and WAN access devices.
* Cisco Security Agent is a great first step in providing defense and policy enforcement capabilities.





Thank you for your time and
consideration