Transcript of ccmigration_09186a008033a3b4 (38 pages)

© 2002 Cisco Systems, Inc. All rights reserved.

Page 1: ccmigration_09186a008033a3b4

Page 2: ccmigration_09186a008033a3b4

© 2003 Cisco Systems, Inc. All rights reserved.

Cisco Advanced Services

Delivering a Secure Network

Page 3: ccmigration_09186a008033a3b4

The Need to Outpace and Outsmart Threats

[Chart: intrusions reported per year, 1988 to 2000, on a 0 to 25,000 scale. Source: CERT, Carnegie Mellon University]

[Chart: sophistication of hacker tools rising over time while the technical knowledge required of the hacker falls. Techniques plotted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sniffers, packet forging/spoofing, stealth diagnostics, sweepers, DDoS, Internet worms]

Page 4: ccmigration_09186a008033a3b4

CIO and CSO Security Challenge

[Chart: dollars versus time, plotting budget, cost, and applications; pressure on resources, security requirements, and budget]

• Protect the business from security threats

• Improve security staff productivity

• Reduce total cost of ownership for security infrastructure

Page 5: ccmigration_09186a008033a3b4

Network Security is Integral to Business Protection

Supply Chain Management, E-Commerce, E-Learning, Workforce Optimization, Customer Care

• Protect business operations against directed attacks

• Prevent damage from worms and viruses

• Deploy consistent security policy

Page 6: ccmigration_09186a008033a3b4

Cisco Services Portfolio

Technical Support Services

Advanced Services

Advisory Services

[Diagram: Device to Network, Network to Application, Vision to Reality; Investment Protection, Investment Optimization, Speed of Migration, Networked Virtual Organization; Accelerate Customer Success]

Page 7: ccmigration_09186a008033a3b4

Value of Cisco Advanced Services for Network Security

Cisco Trusted Advisor: Expertise in network security assessment, architecture, design, implementation, and optimization

• Deep security expertise

• Leading best practices

• Specialized tools and methodology

• Large network security architecture experience

[Diagram: Technical Support Services, Advanced Services Network Security, Advisory Services]

Page 8: ccmigration_09186a008033a3b4

Cisco Advanced Services: Delivering Business Benefits

• Assure service availability

• Improve response to disruption

• Reduce overhead of security operations

• Optimize investment in network infrastructure

• Simplify integration and standardize operations

[Diagram: Advanced Services for Network Security (Plan, Design, Implement, Operate, and Optimize) delivering Productivity, Lower TCO, and Business Protection]

Page 9: ccmigration_09186a008033a3b4

Advanced Services for Network Security: Delivery Capabilities

Process

• Proven, repeatable methodologies

• Leading best practices across the security life cycle

• Expertise in vulnerability research, identification, and resolution

Tools

• Specialized network security assessment tools

• Award-winning Cisco Technical Assistance Center Website

• Comprehensive best practices documentation

People

• CCIE® (networking) and CCSP™ (security) certified

• Large enterprise and government or military backgrounds

• Advanced technology expertise (IP telephony, wireless, storage)

• Advisors to the Cisco® Product Security Incident Response Team

Partners

• Specialized services and technology

• Integration with Cisco security technology

• Global reach

Page 10: ccmigration_09186a008033a3b4

An Architectural Approach Is Required

Internet Data Center

• Protect the network at all points

• Reduce risk by deploying diverse security components

• Ensure secure connectivity of diverse traffic and user access

Access: Manage security to support policy

VPN/Access: Authentication services

Distribution: Restrict access and manage propagation

Remote Office: Secure VPN connectivity and data privacy

Mobile Office, Telecommuter: Secure VPN connectivity

Core: Secure perimeter with firewalls

Data Center: Detect and react to intrusion

[Diagram also shows the Internet and PSTN connections]

Page 11: ccmigration_09186a008033a3b4

Service Offerings Across the Security Life Cycle

Continually identify and mitigate risk

Assess and plan for a sound architecture and design

Build in scalable, adaptable, easy-to-upgrade solutions

Transparently integrate into the core network infrastructure

Security Posture Assessment

Network Security Architecture Review

IP Telephony Security Review

Network Security Design Review

Network Security Design Development

Network Security Implementation Plan Review

Network Security Implementation Engineering

Cisco Security Agent Implementation

NAC Implementation

Riverhead Implementation

Network Security Optimization

Page 12: ccmigration_09186a008033a3b4

Security Posture Assessment—Establish a Baseline

• Analyze existing security vulnerabilities

• Validate security policy and procedures

• Report unauthorized data and system access

• Provide recommendations to prevent exploitation

• Perform trending analysis over repeated SPAs

Page 13: ccmigration_09186a008033a3b4

Security Posture Assessment—A Comprehensive Approach

• Baseline to identify active hosts, operating systems, and services

• Targeting to identify all network vulnerabilities

• Exploitation to manually confirm vulnerabilities

• Data intelligence and threat analysis against requirements and best practices

[Diagram: Internal Simulated Attack, Perimeter Penetration Test, Remote Exploitation]

Page 14: ccmigration_09186a008033a3b4

Security Posture Assessment

[Diagram: Internal Assessment, External Assessment, Dialup Assessment, and Wireless Assessment across the Internet, the Enterprise Network, and the WAN]

Page 15: ccmigration_09186a008033a3b4

Security Posture Assessment—Sample Results and Findings

Architectural weaknesses

66 Class A networks supporting 100,000 employees on the internal network (for reference, one Class A network supports 16,777,214 hosts)

Access control vulnerabilities

External remote access connections to critical hosts on the internal network due to an unauthorized rogue modem

Network control and auditing weaknesses

Identified 16 unknown, unauthenticated high-speed Internet connections for a large enterprise with several global divisions

Detection and response weaknesses

Five weeks of intensive attacks undetected due to lack of logging, monitoring, and employee awareness

Incomplete policy configuration

Firewall configured with no policy rules for 13 months

Use of default passwords

Standardized vendor passwords on network devices. Example: all Cisco routers configured to use "cisco" as the user ID and password

Weak passwords

Joe accounts (password identical to the user ID), null, or easily guessed passwords allowing access to critical or sensitive hosts. Example: over 140,000 user ID and password pairs for an online financial institution were captured unencrypted, stored on a vulnerable host that was accessible from the Internet
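
A check for the default, joe, null, and guessable passwords listed in the findings above, as an added example rather than a Cisco tool: it audits three constructed IOS-style configuration excerpts. Device names, password values, and the DICTIONARY word list are assumptions; the "cisco" entry in VENDOR_DEFAULTS reflects the finding on this page, not a shipped default.

```python
"""Flag default, joe, null and dictionary passwords in router configs.

Added example, not a Cisco tool. The three config excerpts are constructed;
the 'username ... password/secret/nopassword' and 'enable password' lines
follow IOS syntax. Only clear-text (type 0 or untyped) values are judged.
Type 5 hashes are skipped; type 7 strings are reported because that
encoding is reversible and the value should be reviewed as clear text.
"""
import re

# Constructed configs. Hostnames, passwords and the type 7 string are made up; the syntax is real IOS.
CONFIGS = {
    "rtr-core-1": """\
hostname rtr-core-1
username cisco password 0 cisco
enable password cisco
line vty 0 4
 login local
""",
    "rtr-branch-7": """\
hostname rtr-branch-7
username joe password 0 joe
username backup nopassword
username netops secret 5 $1$abcd$placeholderhash
enable secret 5 $1$wxyz$placeholderhash
""",
    "rtr-lab-3": """\
hostname rtr-lab-3
username admin password 7 104D000A0618
username ops password 0 Summer2003
""",
}

VENDOR_DEFAULTS = {"cisco"}   # the login this page reports on every router (assumption, not a shipped default)
DICTIONARY = {"password", "admin", "secret", "router", "summer2003", "letmein"}   # assumed word list

USER_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+(nopassword|password|secret)(?:\s+(\d))?\s*(\S*)")
ENABLE_RE = re.compile(r"^enable\s+password(?:\s+(\d))?\s+(\S+)$")

NULL = "null password"
DEFAULT = "vendor default password"
JOE = "joe account (password equals user ID)"
GUESSABLE = "dictionary password"
SHORT = "shorter than 8 characters"
TYPE7 = "type 7 encoding (reversible)"


def weak_password_reason(user, password):
    """Return why a clear-text password is weak, or None if it passes these checks."""
    if not password:
        return NULL
    if password.lower() in VENDOR_DEFAULTS:
        return DEFAULT
    if user is not None and password.lower() == user.lower():
        return JOE
    if password.lower() in DICTIONARY:
        return GUESSABLE
    if len(password) < 8:
        return SHORT
    return None


def audit_config(name, text):
    """Yield (device, config line, reason) for every weak credential found."""
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, kind, ptype, value = m.groups()
            if kind == "nopassword":
                yield (name, line, NULL)
            elif kind == "password" and ptype == "7":
                yield (name, line, TYPE7)
            elif kind == "password" and ptype in (None, "0"):
                reason = weak_password_reason(user, value)
                if reason:
                    yield (name, line, reason)
            continue   # 'secret 5' hashes are not judged here
        m = ENABLE_RE.match(line)
        if m:
            ptype, value = m.groups()
            if ptype == "7":
                yield (name, line, TYPE7)
            elif ptype in (None, "0"):
                reason = weak_password_reason(None, value)
                if reason:
                    yield (name, line, reason)


def audit_all(configs):
    """Audit every device and return the findings in config order."""
    return [f for name, text in configs.items() for f in audit_config(name, text)]


if __name__ == "__main__":
    for device, line, reason in audit_all(CONFIGS):
        print(f"{device}: {reason}: {line}")
```

The point of running this across every device rather than one is the finding itself: a single standardized credential on all routers means one guess opens the whole network, so the audit is only useful when it covers the full inventory.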

Page 16: ccmigration_09186a008033a3b4

Security Posture Assessment—Communicating Results

The SPA Report

• Executive Summary: Metrics for baseline studies, trending, and budget review

• Assessment Analysis: Vulnerabilities discovered and data analysis

• Best Practices and Strategy: Recommendations for mitigating risk

Page 17: ccmigration_09186a008033a3b4

SPA Case Study—Fortune 125 Insurance Company

Requirements

• Protection of client financial portfolios

• Compliance with GLBA requirements

• No disruption of production financial systems

• Working knowledge of European privacy laws

Scope

• External posture assessment to identify vulnerabilities that allow outsiders to compromise client records

• Internal posture assessment to identify unauthorized employee access to sensitive information

Results

• Identified employees with unauthorized access to management information

• Identified extensive external vulnerabilities

• Improved skills of internal staff who participated in war games

Page 18: ccmigration_09186a008033a3b4

Network Security Design Benefits

• Maintain an optimized security implementation

• Ensure fast recovery in case of disruption

• Reduce operating costs of security administration

• Avoid implementation problems

• Prepare for future deployment initiatives

• Identify deviations from best practices and policy

Page 19: ccmigration_09186a008033a3b4

Applying Best Practices for Business Results

[Diagram: SAFE network modules Management, Building, Distribution, Core, Edge, Server, E-Commerce, Corporate Internet, VPN/Remote Access, and WAN, connected to ISP, PSTN, and FR/ATM networks; CERT®]

Page 20: ccmigration_09186a008033a3b4

Tailoring SAFE from Cisco to Your Environment

Best Practice Security Blueprints for Implementing Integrated Network Security

Available Blueprints (marked on the slide as Update or New)

Enterprise

Small Business

IPSec VPNs

Voice

Wireless

E-Commerce

Layer 2 Networks

[Diagram: the SAFE network module map from Page 19]

Page 21: ccmigration_09186a008033a3b4

Designing an End-to-End Secure Network Infrastructure

Secure the Infrastructure

Campus router and switch security

Data center system and server security

Firewall policy, placement, and design

VPN and dialup remote access

Secure WAN connections

Corporate extranet security

Monitor and Respond

Intrusion detection policy, placement and design

Internet access monitoring

Network attack mitigation

Manage and Improve

Security and network management policy, placement and design

Page 22: ccmigration_09186a008033a3b4

Network Security Design Review

• Review network security architecture and design

Perimeter security, remote access, IDS, firewalls, VPNs, e-commerce, etc.

• Identify architecture and design vulnerabilities

• Prioritize security requirements for network devices

• Recommend improvements to topology, components, functions, and features

• Recommend tools for managing network security

Page 23: ccmigration_09186a008033a3b4

Network Security Design Development

• Identify and analyze network infrastructure vulnerabilities

• Define network security topology, components, and functions

Perimeter security, remote access, IDS, firewalls, VPNs, e-commerce, etc.

• Specify hardware and software requirements

• Develop sample configurations for protocols, policy, and features

• Recommend tools for managing network security

Page 24: ccmigration_09186a008033a3b4

Network Security Design Development Methodology

Customer Input

Network Services and Business Process

Network Device Configuration

Network Topology, Design, Inventory

Security Policy, Goals and Requirements

Cisco Methodology

• Understand security business goals, objectives, and requirements

• Identify threats to critical assets

• Map security requirements to network architecture

• Define security topology, components, and functions

• Deliver impact analysis of new requirements

• Provide preliminary and final gap analysis

• Deliver architecture/design document with network diagrams

Page 25: ccmigration_09186a008033a3b4

Perimeter Security Architecture and Design

[Diagram: Corp HQ (Data Center & Internal Firewalls, Internet Access), ASP (Server Farm Firewalls), Regional Office (Internal Firewalls, Internet Access), Telecommuter (Home Access), and Small Business/Branch Office (Internal Firewalls), connected through the Internet and a Service Provider]

Sample Firewall Policy Checklist

As restrictive and simple as possible

Authorization process for firewall changes

Governed by separation of duties for approval and workflow

Combines firewall tools to balance policy with throughput requirements

Audit log for firewall administration

Robust back-out and configuration management

Test frequently with penetration tests and policy audits

Page 26: ccmigration_09186a008033a3b4

User Authentication and Authorization Design

[Diagram: Site-to-Site VPN, Remote Access VPN, and Traditional Dial Access Servers (via the PSTN) entering the corporate network. Labels: Authenticate Remote Site / Terminate IPSec / Focused Layer 4–7 Analysis; Allow only IPSec Traffic / Broad Layer 4–7 Analysis; Authenticate Users / Terminate IPSec; Authenticate Users / Terminate Analog Dial; Stateful Packet Filtering / Basic Layer 7 Filtering]

Page 27: ccmigration_09186a008033a3b4

User Authentication and Authorization—Sample Best Practices

(Diagram as on Page 26.)

VPN

Individual user authentication

Strong authentication using OTP or certificates

No split tunneling to limit attacks

Triple DES unless prevented by export laws

Ingress filtering limited to IKE and ESP protocols

Tunnels terminated in front of firewall

Dialup

Identification and accreditation of all dialup services

Individual accountability

Strong authentication for remote users

User access logging

Corporate Extranet

Termination of network links on firewalled DMZs

Encryption of access from the Internet

Strong authentication for access from the Internet

Limit communication sessions to authorized hosts and services
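
An automated check for two of the items above, the firewall policy checklist's "as restrictive and simple as possible" (Page 25) and the VPN practice "ingress filtering limited to IKE and ESP protocols" (this page), as an added example that is not Cisco's tooling. Rules are modelled as (action, protocol, source, destination, destination port) tuples in a simplified extended-ACL shape; the PERIMETER and VPN_INGRESS rule sets, the addresses, and the concentrator host are constructed.

```python
"""Firewall ruleset simplicity audit and VPN ingress filter check.

Added example, not Cisco tooling. Rules are (action, proto, src, dst, dport)
with 'any' or CIDR strings for addresses; dport None means any port.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst dport")


def net(spec):
    """'any' or a CIDR/host string -> IPv4Network."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def covers(a, b):
    """True when rule a matches every packet rule b would match, so b placed after a never fires."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and (a.dport is None or a.dport == b.dport))


def audit_ruleset(rules):
    """Flag an empty policy, 'permit ip any any', and rules shadowed by an earlier rule."""
    if not rules:
        return [("empty", None, "no policy rules configured")]
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit" and r.proto == "ip" and r.src == "any" and r.dst == "any":
            findings.append(("overly-permissive", i, "permit ip any any"))
        for j in range(i):
            if covers(rules[j], r):
                findings.append(("shadowed", i, f"never matched; rule {j} already covers it"))
                break
    return findings


def audit_vpn_ingress(rules, concentrator):
    """Indices of permits on the VPN-facing interface that are not IKE (UDP/500) or ESP to the concentrator."""
    allowed = {("udp", 500), ("esp", None)}
    target = net(concentrator)
    return [i for i, r in enumerate(rules)
            if r.action == "permit"
            and ((r.proto, r.dport) not in allowed or net(r.dst) != target)]


# Constructed perimeter policy: a catch-all permit "added temporarily" shadows everything after it.
PERIMETER = [
    Rule("permit", "tcp", "any", "192.0.2.10/32", 80),
    Rule("permit", "tcp", "any", "192.0.2.10/32", 443),
    Rule("permit", "ip", "any", "any", None),
    Rule("permit", "tcp", "any", "192.0.2.20/32", 25),
    Rule("deny", "ip", "any", "any", None),
]

# Constructed ingress ACL on the VPN concentrator's outside interface (198.51.100.5 is made up).
VPN_INGRESS = [
    Rule("permit", "udp", "any", "198.51.100.5/32", 500),
    Rule("permit", "esp", "any", "198.51.100.5/32", None),
    Rule("permit", "tcp", "any", "198.51.100.5/32", 23),
    Rule("deny", "ip", "any", "any", None),
]

if __name__ == "__main__":
    for finding in audit_ruleset(PERIMETER):
        print("perimeter:", finding)
    print("vpn ingress permits that are not IKE/ESP:", audit_vpn_ingress(VPN_INGRESS, "198.51.100.5"))
```

audit_ruleset reports an empty policy (the "no policy rules for 13 months" finding on Page 15), a permit ip any any, and any rule an earlier rule already covers, which is how a ruleset stops being simple: rules nobody can reach are still reviewed, approved, and backed out. audit_vpn_ingress expects only IKE (UDP/500) and ESP to the concentrator; if the deployment uses IPSec NAT traversal, UDP/4500 has to be added to the allowed set. The Triple DES item reflects 2003 export rules; NIST has since deprecated 3DES, and AES is the current choice.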

Page 28: ccmigration_09186a008033a3b4

Intrusion Detection Architecture and Design

[Diagram: NAS, DMZ Servers, Data Center, Users, Internet, Corporate Office, Business Partner]

Intranet/Internal IDS: Protects data centers and critical assets from internal threats

Internet IDS: Complements firewall and VPN by monitoring traffic for malicious activity

Extranet IDS: Monitors partner traffic where "trust" is implied but not assured

Remote Access IDS: Hardens perimeter control by monitoring remote users

Sample IDS Best Practices

Test different intrusion profiles and alert/response methods

Determine location and interoperability with network management consoles

Tune for the environment to manage false alarms

Test a combination of HIDS and NIDS positioning

Test frequently with penetration tests and policy audits
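
The "tune for the environment to manage false alarms" item above, together with the Page 15 finding of five weeks of attacks going undetected for lack of logging and monitoring, as an added example that is not a Cisco IDS: a sliding-window detector for password guessing run over constructed syslog-style login records. The log format, the host and address values, the thresholds, and the allowlisted scanner address are assumptions.

```python
"""Password-guessing detection over login logs, with tuning to manage false alarms.

Added example, not a Cisco IDS. The log lines are constructed in a syslog-like
shape; the detector keys on the FAILED/ACCEPTED LOGIN wording used in them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log: a guessing run from the Internet that ends in a successful login with
# the 'cisco' account, an authorized internal scanner, and a user who mistypes twice.
SAMPLE_LOG = """\
Mar 12 02:14:01 vpn-gw1 login: FAILED LOGIN from 203.0.113.9 user=admin
Mar 12 02:14:03 vpn-gw1 login: FAILED LOGIN from 203.0.113.9 user=admin
Mar 12 02:14:06 vpn-gw1 login: FAILED LOGIN from 203.0.113.9 user=root
Mar 12 02:14:08 vpn-gw1 login: FAILED LOGIN from 203.0.113.9 user=cisco
Mar 12 02:14:11 vpn-gw1 login: FAILED LOGIN from 203.0.113.9 user=cisco
Mar 12 02:14:12 vpn-gw1 login: ACCEPTED LOGIN from 203.0.113.9 user=cisco
Mar 12 02:20:00 vpn-gw1 login: FAILED LOGIN from 10.5.5.5 user=scanner
Mar 12 02:20:01 vpn-gw1 login: FAILED LOGIN from 10.5.5.5 user=scanner
Mar 12 02:20:02 vpn-gw1 login: FAILED LOGIN from 10.5.5.5 user=scanner
Mar 12 02:20:03 vpn-gw1 login: FAILED LOGIN from 10.5.5.5 user=scanner
Mar 12 02:20:04 vpn-gw1 login: FAILED LOGIN from 10.5.5.5 user=scanner
Mar 12 02:20:05 vpn-gw1 login: FAILED LOGIN from 10.5.5.5 user=scanner
Mar 12 09:00:00 vpn-gw1 login: FAILED LOGIN from 10.8.8.8 user=jsmith
Mar 12 09:30:00 vpn-gw1 login: FAILED LOGIN from 10.8.8.8 user=jsmith
Mar 12 09:30:20 vpn-gw1 login: ACCEPTED LOGIN from 10.8.8.8 user=jsmith
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+login:\s+(FAILED|ACCEPTED) LOGIN from (\S+) user=(\S+)$")


def parse_log(text):
    """Yield (timestamp, host, result, source, user) for each recognized line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%b %d %H:%M:%S"),) + m.groups()[1:]


def detect(text, threshold=5, window_s=60, allowlist=frozenset()):
    """Sliding-window brute-force detection per source address.

    Fires once per source when `threshold` failures land within `window_s`
    seconds, and again, at higher severity, when a success follows three or
    more recent failures. Sources in `allowlist` (authorized scanners) are
    counted but never alerted on; that allowlist is the tuning knob.
    """
    recent_failures = defaultdict(deque)
    fired = set()
    suppressed = defaultdict(int)
    alerts = []
    for ts, host, result, src, user in parse_log(text):
        q = recent_failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop failures outside the window
        if result == "FAILED":
            q.append(ts)
            if src in allowlist:
                suppressed[src] += 1
            elif len(q) >= threshold and src not in fired:
                alerts.append(("password-guessing", src, host, len(q)))
                fired.add(src)
        else:
            if len(q) >= 3 and src not in allowlist:
                alerts.append(("success-after-failures", src, host, user))
            q.clear()
            fired.discard(src)
    return {"alerts": alerts, "suppressed": dict(suppressed)}


if __name__ == "__main__":
    tuned = detect(SAMPLE_LOG, allowlist=frozenset({"10.5.5.5"}))
    for alert in tuned["alerts"]:
        print("ALERT", alert)
    print("suppressed failures from allowlisted sources:", tuned["suppressed"])
```

Without the allowlist the authorized scanner produces the same alert as the real attack, which is the false alarm the tuning item refers to; with it, the two alerts that remain are the ones an operator needs to act on, and the second one (a success against the "cisco" account right after a burst of failures) is the case the Page 15 default-password finding describes.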

Page 29: ccmigration_09186a008033a3b4

Data Center Network Security Design

[Diagram: Data Center with N-Tier Applications (Web Servers, Application Servers, DB Servers), Mainframe Operations, IP Communications, and a Front End Network (IP Layer 2/3). Threats shown: Data Interception, Unprotected Assets, Information Theft, Denial of Service, Unauthorized Entry]

Sample Data Center Security Best Practices

Endpoint protection of hosts, servers and desktops

Network-based intrusion detection for threat monitoring, analysis and prevention

Firewalls for filtering traffic

VPNs for secure communications between data centers

Identity servers for strong authentication

Management and monitoring of security devices, services and network activity

Page 30: ccmigration_09186a008033a3b4

Architecture and Design Case Study—U.S. Government Institution

Requirements

• Provide security architecture and design recommendations based on national security policy

• Augment limited in-house expertise

• Identify vulnerabilities on a classified network

Scope

• Firewall and IPSec VPN design and configuration review for conformance with SAFE from Cisco®

• Security Design Review to identify nonconformance with security policy and Cisco best practices

Results

• Provided design recommendations prior to a major infrastructure upgrade

• Customer implemented firewall and VPN design in less time, with less costly redesign

Page 31: ccmigration_09186a008033a3b4

Network Security Implementation Plan Review

• Understand the objectives, scope, and constraints of the deployment

• Analyze requirements for solution deployment, integration and management

• Review implementation plans including tasks, milestones, resources and schedule

• Analyze network staging, test, and installation plans, including topology, configurations, test scripts, and acceptance criteria

• Analyze and recommend hardware and software changes

Page 32: ccmigration_09186a008033a3b4

Network Security Implementation Engineering

• Analyze solution test, installation, and integration strategy

• Develop implementation plan including tasks, milestones, and schedule

• Develop network staging plan including topology, configurations, test scripts, and acceptance criteria

• Analyze and recommend hardware and software changes

• Provide custom installation, configuration, testing, tuning and integration

• Deliver hands-on education and remote deployment support

Page 33: ccmigration_09186a008033a3b4

Cisco Security Agent Implementation Service

Continually improve intrusion prevention solution

Assess and plan for a sound CSA architecture and design

Build scalable, adaptable, easy-to-upgrade CSA solutions

Integrate CSA into the network infrastructure and application environment

Develop Deployment Strategy and Plan

Identify Requirements and Deliver a Design Specification

Deliver Limited Deployment With Custom Policies that Meet Solution Requirements

Provide Ongoing Support for Enterprise Deployment

Page 34: ccmigration_09186a008033a3b4

NAC Implementation Service

Continually improve network admission control solution

Plan for a sound NAC architecture and design

Build scalable, adaptable, easy-to-upgrade NAC solution

Integrate NAC into the network infrastructure

Assess network operations and infrastructure to determine NAC readiness. Install and test a limited deployment.

Deliver NAC design specification detailing topology, device configurations, HW/SW upgrades, and management.

Develop a deployment plan and provide onsite installation of a corporate-wide implementation.

Provide ongoing/periodic consultation to optimize NAC for reliability, efficiency and scalability.

Page 35: ccmigration_09186a008033a3b4

Network Security Optimization

• Define criteria for network security optimization

• Collect and analyze data for trends and exceptions

• Review network security component placement and configuration

• Provide recommendations for network and security component tuning

• Deliver impact analysis of new software, features and configuration

• Analyze and notify staff of network security advisories

Page 36: ccmigration_09186a008033a3b4

Cisco Services Delivering Customer Satisfaction

[Diagram: World Class Partners; Technical Support Services, Advanced Services Network Security, Advisory Services]

Page 37: ccmigration_09186a008033a3b4

Cisco Advanced Services Deliver a Secure Network

Customer Benefits

Lower TCO: Optimize investment in secure network infrastructure

Productivity: Simplify and standardize operations

Business Protection: Reduce risk to business assets

Delivered Uniquely by Cisco®: People, Process, Tools, Partners, Best Practices, Knowledge Transfer

Secure Corporate Network

Page 38: ccmigration_09186a008033a3b4
