Presentation ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1 ·...
Cisco IronPort Web Security Solution
Borderless Advanced Protection - Hrvoje Dogan
Agenda
1. About Cisco IronPort and Cisco Security
2. The Power for Advanced Protection
3. Cisco IronPort Web Security Appliances
4. Let’s Remove The Borders!
5. Don’t Believe What We Say – Try It Out!
Cisco's Architecture for Borderless Network Security
[Figure: three borderless zones - (1) Borderless End Zones, (2) Borderless Internet, (3) Borderless Data Center - around the Corporate Border, with (4) Policy (Access Control, Acceptable Use, Malware, Data Security) applied across all of them]
Figure labels: Corporate Office, Branch Office, Home Office, Coffee Shop, Airport, Mobile User, Attackers, Customers, Partners, Applications and Data, Software as a Service, Platform as a Service, Infrastructure as a Service, X as a Service
Pillar 2: Borderless Security Array
Advanced Scanning and Enforcement Capabilities
Access Control | Acceptable Use | Data Security | Threat Protection
Integrated into the Fabric of the Network
Enforcement points: Cisco IronPort Email Security Appliance, Cisco Adaptive Security Appliance, Cisco Integrated Services Routers, Cisco IronPort Web Security Appliance
Form factors: VM, Software, Security Module, Hybrid Hosted, Appliance
The Power for Advanced Protection
A Seismic Shift
• 2000-2008: IT security products look deeper
• 2009: Cisco Security products look around, respond faster
Cisco Security Intelligence Operations (SIO) Overview
Most Accurate Protection Against a Broad Range of Threats
[Figure: Global Threat Telemetry flows from the enforcement points (Adaptive Security Appliances, Intrusion Prevention Solution, Email Security Appliances, Web Security Appliances) and from the web into the Cisco Threat Operations Center, which returns Dynamic Updates and Actionable Intelligence to the devices and to System Administrators]
Cisco SIO: Key Components
Powerful Ecosystem Enables Fast, Accurate Protection
Cisco SIO: Cisco SensorBase
Largest Network, Highest Data Quality, Unmatched Breadth
Cisco SensorBase Network: Unmatched Visibility Into Global Threats
Most Devices
• 1M security devices, 10M clients shipped per year
• Core Internet routers
• Cloud-based services
Largest Footprint
• 30% of the world's email traffic
• 200+ parameters
• 368GB per day sensor feeds
Diverse Sources
• Eight of the top ten ISPs
• Fortune 500, Global 2000, universities, SMBs
• 152 third-party feeds
First to Combine Network and Application Layer Data
Cisco SensorBase Network: Unmatched Breadth
[Figure: the SensorBase Network correlates telemetry from email (Spam with Malicious Attachment), web (Malware Distributing Site) and Firewall / IPS (Directed Attack) sensors]
Cisco SIO: Cisco Threat Operations Center (TOC)
Advanced Research and Development, Security Modeling, Experienced Analysts
Cisco Threat Operations Center: Advanced Research and Development
1. Millions in R&D investment
• Threat experts and statisticians
• Equipment and infrastructure
• Thought leadership, prevention and best practices expertise
• 76 patents
2. Innovative services
• IPS Global Correlation
• ASA Botnet Traffic Filters
• Virus Outbreak Filters
• Reputation Filters (IPS, email, web, etc.)
Cisco Threat Operations Center: Ensuring Accuracy and Responsiveness
Experienced Analysts
• 500 analysts
• European and Asian languages
• 1 Cisco Fellow
• 80+ Ph.D.s, CCIEs, CISSPs, MCSEs
Powerful Tools
• Dynamic updates
• Correlation and data mining
• Advanced rule approval, creation and publishing applications
24x7x365 Operations
• 5 threat operations center locations around the globe
• San Jose, San Bruno, Austin, North Carolina, Shanghai
Cisco SIO: Broadest Enforcement Capabilities
Fast Device Scanning Engines and Granular Policy
Advanced Protection: Putting It All Together
Cisco SIO: Cloud-based intelligence to power Cisco security services
Security Filters: Industry's most effective security features
Cisco Products and Services: High-performance, flexible enforcement points
[Figure: Cisco SIO pushes Live Reputation Scores, Authored Rule Sets, Dynamic Rule Sets and New and Updated Signatures through Auto-Updates every 5 minutes into the Security Filters (Web Reputation Filters, Anti-Spam, Reputation Filters, Virus Outbreak Filters, IPS Reputation and Signature Filters, Firewall Botnet Traffic Filters), which run on the enforcement points (Adaptive Security Appliances, Intrusion Prevention Solution, Email Security Appliances, Web Security Appliances, Hosted Email Services)]
Cisco IronPort Web Security Appliances
The Challenge Today: Countervailing Forces
On one side: Globalization, Collaboration, Mobility, Enterprise SaaS
On the other: Data Loss, Threats, Acceptable Use
Increasing Enterprise Web Traffic: Ubiquitous Path In and Out of Enterprise Networks
• Growing business web usage
• HTTP is the New TCP: IM, FTP, RPC, Video, SOAP all ride on top of it
• Growing tunneled apps usage
Web Business Challenges
• Malware
• Acceptable Use Violations
• Data Loss
• 40% Productivity Loss due to personal web use at work
• Legal and Regulatory Risk of offensive content brought into the workplace
Administrator Frustrations
Risks Maturing Faster Than Expertise
• Global visibility required to preempt damage
• Insufficient protection leaves gaps in coverage
• Threat proliferation increases workload and demands increased expertise
• Thin administrator resources increasingly stretched with budget tightening
Cisco IronPort Secure Web Gateway: Addressing Business Challenges
Cisco IronPort S-Series
Next-Generation Secure Web Gateway: Consolidation Drives Operational Efficiency
Before Cisco IronPort: Users -> Web Proxy and Caching -> Anti-Spyware -> Anti-Virus -> Anti-Phishing -> URL Filtering -> Policy Management -> Firewall -> Internet
After Cisco IronPort: Users -> Cisco IronPort WSA -> Firewall -> Internet
Cisco IronPort Web Security Appliance: A Powerful, Secure Web Gateway Solution
1. Most effective defense against web-based malware
2. Visibility and control for acceptable use and data loss
3. High performance to ensure best end-user experience
4. Integrated solution offering optimum TCO
Architecture: AsyncOS for Web with Management and Reporting, Acceptable Use Policy, Malware Defense and Data Security
Acceptable Use Enforcement: Visibility and Control for the Web and Web Applications
Architecture: AsyncOS for Web with Management and Reporting, Acceptable Use Policy, Malware Defense and Data Security
1. Enterprise-class URL filtering
2. Applications and object filtering
3. Integrated identity and authentication
Customer Problem
The Categorized Web: 20% covered by URL lists
The Categorized Web: 20% covered by URL lists
The Dark Web: 80% of the web is uncategorized, highly dynamic or unreachable
– Dynamic content
– Password protected sites
– User generated content
– Short life sites
Introducing Cisco IronPort Web Usage Controls: A Spotlight for the Dark Web
1. Industry-leading URL database efficacy
• 65 categories
• Updated every 5 minutes
• Powered by Cisco SIO
2. Real-time Dynamic Content Analysis Engine accurately identifies over 90% of Dark Web content in commonly blocked categories
[Figure: URL Lookup in Database - www.sportsbook.com is found in the URL Database and categorized as Gambling; an Uncategorized URL falls through to URL Keyword Analysis, which categorizes www.casinoonthe.net as Gambling; a URL that is still Uncategorized goes to the Dynamic Content Analysis Engine, which analyzes the site content and returns Gambling]
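The three-stage fall-through shown above, as an added example that is not part of the presentation or Cisco's code: the URL database, the keyword list, the content-analysis scoring and its threshold are constructed stand-ins, and only the two sample URLs come from the slide.

```python
import re
from typing import Optional, Tuple

# Constructed stand-ins for the three stages (not Cisco's database or engine).
URL_DATABASE = {"www.sportsbook.com": "Gambling"}
CATEGORY_KEYWORDS = {"Gambling": ("casino", "poker", "sportsbook", "betting")}
# Minimum share of category signal words in a page body before the content
# engine assigns a category; the value is an assumption for this example.
DCA_THRESHOLD = 0.15

def database_lookup(host: str) -> Optional[str]:
    """Stage 1: exact hostname match against the categorized URL database."""
    return URL_DATABASE.get(host.lower())

def keyword_analysis(host: str, path: str) -> Optional[str]:
    """Stage 2: look for category signal words inside the hostname and path."""
    tokens = re.findall(r"[a-z]+", (host + path).lower())
    for category, words in CATEGORY_KEYWORDS.items():
        # Substring match so that "casinoonthe" still triggers "casino".
        if any(w in t for t in tokens for w in words):
            return category
    return None

def dynamic_content_analysis(body: str) -> Optional[str]:
    """Stage 3: score the fetched page text by the share of signal words."""
    words = re.findall(r"[a-z]+", body.lower())
    if not words:
        return None
    best: Optional[Tuple[str, float]] = None
    for category, signal in CATEGORY_KEYWORDS.items():
        score = sum(1 for w in words if w in signal) / len(words)
        if score >= DCA_THRESHOLD and (best is None or score > best[1]):
            best = (category, score)
    return best[0] if best else None

def categorize(url: str, body: str = "") -> Tuple[str, str]:
    """Return (category, stage) for a request, trying the stages in order."""
    host, _, path = url.partition("/")
    stages = (("url-database", lambda: database_lookup(host)),
              ("url-keyword", lambda: keyword_analysis(host, "/" + path)),
              ("dynamic-content", lambda: dynamic_content_analysis(body)))
    for name, stage in stages:
        verdict = stage()
        if verdict:
            return verdict, name
    return "Uncategorized", "none"

if __name__ == "__main__":
    # The slide's two URLs plus one page (constructed text) only stage 3 can classify.
    print(categorize("www.sportsbook.com"))
    print(categorize("www.casinoonthe.net"))
    print(categorize("room.example/lobby", "join the poker room tonight casino betting odds poker"))
```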
Dynamic Content Analysis (DCA) Engine: Identifies 90% of Objectionable Dark Web Content
Stops 50% more objectionable content*
*Source: Cisco SIO, based on data from customer production traffic
Cisco IronPort Web Usage Controls: Leading Efficacy, Rich Controls, Comprehensive Visibility
Application Visibility and Control
• Provide visibility and policy control over web traffic based on the application in use
• Block some applications based on URL category as well
“No streaming video from sports sites”
• Provide deeper visibility and control into rich apps using HTTP as transport
• Add-on to Cisco IronPort Web Usage Controls
AVC Supported Applications
Supported application types will include:
• HTTP Instant Messenger
  AOL, Google, Yahoo, MSN, etc.
  Web-embedded and client tunneling via HTTP
• External Proxies
  Greatly improved "Filter Avoidance" URL category
  Detects tools like phpproxy, cgiproxy, etc.
• Streaming Media
  Windows Media, QuickTime, Flash (YouTube), etc.
• Many more to come via signature updates!
AVC: Bandwidth Control for Streaming Media
In addition to block/allow, additional controls for streaming media include:
• Per-user limits to enforce AUP
• Aggregate limits to control congestion, ensure availability for applications
• Enforced as a throttle, not a quota
• Available bandwidth shared between streams
Web Application Control
1. Native control for HTTP, HTTP(S), FTP applications
2. Selective decryption of SSL traffic for security and policy
3. Policy enforcement for applications tunneled over HTTP: FTP, IM, video
4. Application traversal using policy-based HTTP CONNECT
[Figure labels: Software as a Service, Collaboration, Tunneled Applications over HTTP, ftp://ftp.funet.fi/pub/]
Integrated Identity and Authentication: User-Specific Acceptable Use and Data Security Policies
• Authentication against LDAP servers
• Transparent, single sign-on (SSO) authentication against Active Directory
• Multi-realm sequencing
• Multi-domain authentication
• Guest policies
• Re-Auth and Failed Auth policies
Define Acceptable Use and Data Security Policies using Rich Identity Constructs
[Figure label: NTLM/Active Directory]
Malware Defense: Multiple Layers for Malware and Spyware Protection
Architecture: AsyncOS for Web with Management and Reporting, Acceptable Use Policy, Malware Defense and Data Security
1. Malware landscape
2. Multi-layered malware defense
3. Network layer phone-home prevention
4. Reputation filtering and signature scanning
Multi-Layered Malware Defense: Protection Against Today's Threats
• Detects malicious botnet traffic across all ports
• Blocks 70 percent of known and unknown malware traffic at connection time
• Blocks malware based on deep content analysis
Detecting Existing Client Infections: Preventing "Phone-Home" Traffic
• Cisco IronPort Layer 4 Traffic Monitor
  Scans all traffic, all ports, all protocols
  Detects malware bypassing Port 80
  Prevents botnet traffic
• Powerful anti-malware data
  Automatically updated rules
  Real-time rule generation using "Dynamic Discovery"
[Figure: Users -> Cisco IronPort S-Series (Layer 4 Traffic Monitor: Network Layer Analysis, Packet and Header Inspection) -> Internet]
Web Reputation Filters: Predictive, Real-Time Threat Prevention
[Figure: within Cisco Security Intelligence Operations, the SensorBase Network feeds 200+ parameters (URL Blacklists, URL Whitelists, Dynamic IP Addresses, Bot Networks, URL Behavior, Global Volume Data, Domain Registrar Information, Compromised Host List, Network Owners, Known Threat URLs) into Security Modeling and Real-Time Cloud Analysis, which produce Web Reputation Scores (WBRS) from -10 to +10 consumed by the Web Reputation Filters]
Protection For a Dynamic Web 2.0 World: Visibility Beyond the Initial Threat
1. Web pages are made up of objects coming from different sources
2. Objects can be images, executables, JavaScript…
[Figure: a Client PC requests a Trusted Web Site whose page pulls objects from web servers not affiliated with the trusted web site (e.g. ad servers); Web Reputation Filters scan each object, not just the initial request]
• Compromised websites often grab malicious objects from external sources
• Security means looking at each object individually, not just the initial request
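Per-object reputation filtering as described above, as an added example that is not the presentation's or Cisco's code: the sample page, its hostnames, their WBRS values and the block/scan/allow thresholds are constructed assumptions; only the -10 to +10 scale comes from the slides.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed reputation table on the slides' -10 .. +10 WBRS scale; the
# hosts and scores are sample values, not Cisco SensorBase data.
REPUTATION = {"www.trusted-site.example": 8.5, "cdn.trusted-site.example": 7.0,
              "ads.example-network.example": -2.5, "tracker.badhost.example": -9.0}
# Assumed thresholds: block clearly bad scores, allow clearly good ones, and
# send everything in between (including unknown hosts) to the signature scanners.
BLOCK_BELOW, ALLOW_ABOVE = -6.0, 6.0

class ObjectCollector(HTMLParser):
    """Collect absolute URLs of the objects a page pulls in while rendering."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "embed": "src", "link": "href"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url, self.objects = base_url, []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.objects.append(urljoin(self.base_url, value))

def verdict(score: float) -> str:
    if score < BLOCK_BELOW:
        return "block"
    if score > ALLOW_ABOVE:
        return "allow"
    return "scan"

def filter_page(page_url: str, html: str) -> dict:
    """Score the initial request and every embedded object; return {url: verdict}."""
    collector = ObjectCollector(page_url)
    collector.feed(html)
    results = {}
    for url in [page_url] + collector.objects:
        host = urlparse(url).hostname or ""
        results[url] = verdict(REPUTATION.get(host, 0.0))  # unknown host -> neutral 0.0
    return results

# Constructed page: a well-reputed site whose markup pulls in an ad script and a
# tracking pixel from third-party hosts, the situation the slide describes.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/site.css">
<script src="https://cdn.trusted-site.example/app.js"></script>
<script src="https://ads.example-network.example/ad.js"></script>
</head><body>
<img src="https://tracker.badhost.example/pixel.gif">
<iframe src="https://unknown.example/frame"></iframe>
</body></html>"""
```

Calling `filter_page("https://www.trusted-site.example/index.html", SAMPLE_PAGE)` allows the page and its own assets, sends the ad script and the unknown frame to scanning, and blocks the tracking pixel even though the initial request was to a trusted site.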
Cisco IronPort DVS Engine: Dynamic Vectoring and Streaming
1. Accelerated signature scanning
  Parallel scans
  Stream scanning
2. Multiple integrated verdict engines
  McAfee and Webroot
3. Automated updates
4. Decrypt and scan SSL traffic
  Selectively, based on category and reputation
Complete Data Security: Simplicity and Choice
Architecture: AsyncOS for Web with Management and Reporting, Acceptable Use Policy, Malware Defense and Data Security
1. Data security imperative and reality
2. Simple on-box data security
3. Advanced off-box data security
Data Security: On-box Common Sense Security
1. Content metadata inspection, along with visibility and forensics
2. Allow, block, log based on file metadata, URL category, user and web reputation
3. Multi-protocol: HTTP(S), FTP, HTTP tunneled
[Figure: Users -> Allow, Block, Log -> Internet destinations such as www.mypartner.com and www.malwarrior.com]
Common Sense Policies: Simple Approach for Avoiding Web Data Breaches
[Figure: three example uploads
• John Smith, Finance, sends FiscalPlan.xls to Webmail.com over HTTPS (Encrypted)
• John Smith, Finance, sends FiscalPlan.xls to Taxfirm.com over HTTPS (Encrypted)
• Jane Doe, Sales, sends CustomerList.doc to Personal-site.com (-9 Reputation score) over FTP]
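An allow/block/log evaluator over file metadata, URL category, user and web reputation for the on-box data security slide and the three uploads above, as an added example that is not the presentation's or Cisco's code: the rule table, the partner list, the category labels and the reputation values of the first two destinations are assumptions; only the -9 score of Personal-site.com comes from the slide.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Upload:
    user: str
    group: str
    filename: str
    dest_host: str
    protocol: str       # "HTTPS", "HTTP", "FTP" or "HTTP-tunneled"
    reputation: float   # web reputation score on the slides' -10 .. +10 scale
    url_category: str   # e.g. "Webmail", "Business", "Personal Sites"

# Constructed policy inputs (assumptions, not a Cisco default configuration).
OFFICE_DOCUMENT_EXT = (".xls", ".xlsx", ".doc", ".docx", ".csv")
APPROVED_PARTNERS = {"taxfirm.com"}
BLOCK_REPUTATION_AT_OR_BELOW = -6.0

def evaluate(u: Upload) -> Tuple[str, str]:
    """Return (verdict, reason); rules are checked top to bottom, first match wins."""
    office_doc = u.filename.lower().endswith(OFFICE_DOCUMENT_EXT)
    if u.reputation <= BLOCK_REPUTATION_AT_OR_BELOW:
        return "Block", "destination reputation %.1f is at or below %.1f" % (
            u.reputation, BLOCK_REPUTATION_AT_OR_BELOW)
    if u.dest_host.lower() in APPROVED_PARTNERS:
        return "Allow", "approved partner destination"
    if office_doc and u.url_category == "Webmail":
        return "Block", "office document to webmail"
    if office_doc and u.protocol == "FTP":
        return "Block", "office document over cleartext FTP"
    if office_doc:
        return "Log", "office document to an unclassified destination"
    return "Allow", "no rule matched"

# The slide's three cases; reputation and category of the first two are constructed.
SAMPLE_UPLOADS = [
    Upload("John Smith", "Finance", "FiscalPlan.xls", "webmail.com", "HTTPS", 5.0, "Webmail"),
    Upload("John Smith", "Finance", "FiscalPlan.xls", "taxfirm.com", "HTTPS", 6.0, "Business"),
    Upload("Jane Doe", "Sales", "CustomerList.doc", "personal-site.com", "FTP", -9.0, "Personal Sites"),
]

def evaluate_all(uploads=SAMPLE_UPLOADS):
    """Evaluate a batch and return (user, file, destination, verdict, reason) rows."""
    return [(u.user, u.filename, u.dest_host) + evaluate(u) for u in uploads]

if __name__ == "__main__":
    for row in evaluate_all():
        print("%-10s %-17s %-18s %-5s %s" % row)
```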
Non-Human Initiated Data Breaches: Critical Data Security Element
• Block data loss from malicious phone-home activity
• Prevent data-stealing malware from entering the network
Gozi Trojan
• Installs via PDF attachment
• Encrypts itself to evade detection
• Steals data from SSL streams
Sinowal Trojan
• Over 500,000 bank accounts compromised
• Suspected ties to Russian Business Network
Trojan.PWS.ChromeInject.B
• Installs via Firefox plug-in
• Captures e-banking credentials
Let’s Remove The Borders
AnyConnect Secure Mobility: Anytime, Anywhere Secure Access
1. Cisco AnyConnect 2.5: always-on, location-aware, extremely lightweight, invisible to user; supported on all major devices and OS
2. Cisco Security Enforcement Array (SEA): powerful enforcement engines, high performance, application and identity aware, hybrid hosted delivery
3. Policy: abstracted from enforcement layer; Acceptable Use, Access Control, Data Security, Anti-Malware
AnyConnect Secure Mobility: Securing Web Access in the Borderless Network
1. Delivered as combined solution across Cisco Security product line: S-Series, ASA, and AnyConnect
2. Full WSA functionality available to mobile users
3. Policy controls and reporting on WSA can distinguish between local and mobile users
4. Single sign-on from AnyConnect to WSA
5. Widest variety of client platforms
Cisco Secure Web Gateway: Industry's Highest-Performance Integrated Solution
Secure
• Multi-layered malware defense
• Web reputation filters
• Accelerated signature scanning (DVS engine)
• Prevent botnets and malware bypassing Port 80 (L4TM)
Control
• Integrated authentication and SSO
• Enterprise-class URL filtering
• Applications and object filtering
• Web usage visibility and tracking
Prevent
• On-box simple data security
• Off-box interoperability with third-party DLP
• Prevent malware-initiated data breaches (L4TM)