Secure Borderless Enterprise Network Design
Transcript of a Cisco presentation, 2010-11-22. © 2009, Cisco Systems, Inc. All rights reserved.
Agenda
Borderless Network Overview
Approach Overview
Internet Edge Design Overview
Enterprise Security
Enterprise IPS/IDS
Web Security
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2
Email Security
Remote Access
Market Transitions
Mobility, Workplace Experience, Video
Mobile Devices
IT Resources
1.3 Billion new networked mobile devices in next three years
Blurring the borders: Consumer ↔ Workforce; Employee ↔ Partner
Anyone, Anything, Anywhere, Anytime
60% of all Cisco network traffic today is video
The New Borderless Organization
Anyone, Anything: Employee, Partner, Customer Communities
Person to Person, Person to Device, Device to Device
Borderless Experience: Anytime, Anywhere, Always Works, Instant Access, Instant Response
Work, Home, On the Go… Securely, Reliably and Seamlessly
Borderless Network Questions… The 5 W’s (and 1 “H”)
The Goal is Proper Strategic Alignment
Business Strategy
Technology Strategy
What Does Misalignment Look Like?
We often see in our security customers a misalignment between policy and operational reality.
Example: The IT security team tells us they have a policy that mandates strong passwords and reduces risk. This policy may even be used as evidence of secure operations for PCI, HIPAA, or other audits. During a Security Posture Assessment we find that significant ratios of passwords (40+ percent) are weak and easily guessed.
Without effective, cross-functional analysis these two data points would never meet (until it breaks)…
Our Approach
Researched Across Theaters to Define: Customer Characteristics? Requirements?
Designed a Blueprint: Validated Design and Product Selection; Modified Based on Feedback . . . . .
Sell Ourselves on the Design: Customer Experience Lifecycle; “Out of the Box” Experience
Organization Problems: Overview
Enterprise design addresses requirements for Organizations that:
Need to provide reliable access to Internet, Email, and Cloud services
Need flexible remote-access to allow users to access content from anywhere
Need to provide partner and customer access to corporate data
Ensure that all connections adhere to the security policy regardless of origination
Must address regulatory compliance requirements (e.g. PCI)
Need to improve employee productivity and manage risk
Target Market
Internet Edge design addresses requirements for organizations that:
Have 2K-10K connected employees
Have IT workers with CCNA or equivalent experience
Need a remote access VPN solution for employees and partners
Need to secure Internet facing services
Need to filter web and email services for employees for security and policy compliance
May need high availability for corporate Internet access
Address requirements for 80% of customers to get the network up and running with a solid foundation
Advanced policy development is out of scope
Design Goals
Ease of deployment: A design that could be deployed consistently across all products included in the design
Flexibility and Scalability: Designed to grow with the organization without being redesigned
Resiliency and Security: Keep the network operating even when unplanned outages and attacks occur on the network
Ease of management: Configuring devices to be managed by a Network Management System
Advanced technology ready: Network foundation has the required baseline network services already configured
Internet Edge Design Overview
Organization Overview
Organizations’ demand for Internet connectivity has increased steadily in the last decade
Access to Internet-based services is a fundamental requirement for conducting day-to-day activity
Email, web access, remote-access VPN, and more recently, cloud-based business services are critical functions enabling businesses to pursue their missions
The Internet connection that supports these services must be designed to enable the organization to accomplish its Internet-based business goals
Three factors define the business requirements for an organization’s Internet connection:
Value of Internet-based business activity:
Revenue realized from Internet business
Savings realized by Internet-based services
Cost of outages for Internet connection
Capital and operational expenses for implementation and maintenance of various Internet connection options
Design Considerations
Connectivity speed: What is the expected typical throughput requirement? Are short bursts of high-volume traffic expected?
Address space: How many public facing devices are there? Is the IP address space owned or provided by the ISP?
Availability: Can outages be tolerated?
Borderless Network 2k-10k Overview
Internet Edge Designs
Two design options:
Internet Edge 5k offers a single connection to one ISP
Internet Edge 10k offers dual Internet connections in Active/Standby mode
[Diagram, Internet Edge 5k: Internet, ISP A, IE Router, Outside Switch, Cisco ASA5520 with IPS, Cisco ESA, Cisco WSA, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]
[Diagram, Internet Edge 10k: Internet, ISP A and ISP B, IE Routers, Outside Switch, Cisco ASA5540 + IPS, RA VPN on Cisco ASA5520/40, Cisco ESA, Cisco WSA, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]
Feedback from Field, Customers, and Partners for 2K-5K Users
Majority (>75%) using ~10Mbps; some up to DS3
Majority of new service is Ethernet, same as smaller customers; existing base is split between Ethernet vs. Router Handoff
Most customers that buy Internet CPE use a 3800/3900
5520 Firewall; same hardware for RA-VPN
Less than half with separate RA VPN
IPSec Client is prevalent
Some SSL full tunnel & web portal for terminal services and file sharing
One-third to two-thirds host corporate web onsite; Small minority have e-commerce apps
~50% filter Site-to-Site VPN with Internet firewalls – mostly to one VPN router
Customers in domestic market are moving toward cloud-based apps
All separate switches for outside, DMZ, and inside (no VRF)
Internet Edge A (2000-5000 Users)
Medium Design
Single ISP support
Static Route to ISP
Active/Standby Firewall with RA VPN for SSL and IPsec
Web and Mail filtering
Internet DMZ for public facing services
Connects into LAN/Campus collapsed Distribution/Core
[Diagram: Internet, ISP A, IE Router, Outside Switch, Cisco ASA 5520 with IPS, Cisco ESA, Cisco WSA, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]
Feedback from Field, Customers, and Partners for 5K-10K Users
~20Mbps service, some as high as 100 Mbps
Almost no customer-managed CPE
Majority of new service is Ethernet, same as smaller customers; existing base is split between Ethernet vs. Router Handoff
Some dual ISP (~30%), lots of desire but lacking good technical solutions
5540/50 for internet
DMZ carries some corporate web presence; not much eCommerce
Lots of partner connectivity
50/50 go through IE firewalls for Site-to-Site VPN
VPN is separated from firewall and rest of network gear
Operational separation for RA VPN, all separate boxes on the high end
Physically separate switches for inside, outside, and DMZ
Small but growing group using SaaS ~5-10%
The majority of organizations are using a static default to the Internet
Internet Edge B (5000-10000 Users)
Large Design
Dual ISP support (No BGP)
Internet Edge Routing
Active/Standby Firewall
RA VPN for SSL and IPsec (standalone)
Web and Mail filtering
Server Load-Balancing
Internet DMZ for public facing services
Connection to LAN Distribution/Core
[Diagram: Internet, ISP A and ISP B, IE Routers, Outside Switch, Cisco ASA5540 + IPS, RA VPN on Cisco ASA5520/40, Cisco ESA, Cisco WSA, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]
Internet connection speeds and platforms
Number of connected users | Internet connection speed
2000-4500                 | 20-50 Mbps
3000-7000                 | 35-75 Mbps
6000-10000                | 75-150 Mbps

Platform | Internet connection speed
3925     | Up to 100 Mbps
3945     | Up to 150 Mbps
Enterprise Security
Hardening the Edge Summary: Catalyst Integrated Security Features
[Diagram: attacker 10.1.1.25 and victim 10.1.1.50 on one switch with gateway 10.1.1.1; 132,000 bogus MACs flood the CAM table so the switch acts like a hub; DHCP DoS (“DHCP Request”) and a rogue “Use this IP Address!” response; ARP spoofing (“Hey, I’m 10.1.1.50!”) lets the attacker read the victim’s email password (“Your email passwd is ‘joecisco’!”)]
Port Security prevents MAC flooding, port access and rogue network extension
DHCP Snooping prevents Rogue DHCP Server attacks and DHCP starvation attacks
Dynamic ARP Inspection uses DHCP snooping table to prevent ARP Spoofing Attacks & MiTM attacks
IP Source Guard uses DHCP snooping table to mitigate IP Spoofing, impersonation attacks & unauthorized access
Port Security: MAC Flood Protection
Problem:
Hacking tools enable attackers to flood switch CAM tables with bogus MACs.
Turns VLAN into a “Hub” eliminating privacy.
Switch CAM table limit is finite number of MAC addresses.
Solution:
Port Security limits MAC flooding attack, locks down port and sends an SNMP Trap
Port Security Actions = Protect, Restrict, Shut Down
[Diagram: only 3 MAC addresses (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, …) allowed on the port; 132,000 bogus MACs trigger Shutdown]
Interface Commands
  switchport port-security
  switchport port-security maximum 3
  switchport port-security violation shutdown
  switchport port-security aging time 2
  switchport port-security aging type inactivity
DHCP Snooping: Rogue DHCP Server Protection
[Diagram: DHCP snooping-enabled switch; the client port is untrusted, the DHCP server or uplink port is trusted; the client’s DHCPREQ is forwarded, OK DHCP responses (offer, ack, nak) from the trusted server are allowed, BAD DHCP responses (offer, ack, nak) from a rogue server on an untrusted port are blocked (“NO!”)]
Global Commands
  ip dhcp snooping vlan 100,110,120
  no ip dhcp snooping information option
  ip dhcp snooping
By default all ports in the VLAN are untrusted
DHCP Snooping Untrusted Client, Interface Commands
  no ip dhcp snooping trust (Default)
  ip dhcp snooping limit rate 15 (pps)
DHCP Snooping Trusted Server or Uplink, Interface Commands
  ip dhcp snooping trust
DHCP Snooping Binding Table
Table is built by “snooping” the DHCP reply to the client
Entries stay in table until DHCP lease time expires
sh ip dhcp snooping binding
MacAddress          IpAddress     Lease(sec)  Type           VLAN  Interface
------------------  ------------  ----------  -------------  ----  --------------------
00:22:64:88:63:6E   10.240.100.2  62960       dhcp-snooping  100   GigabitEthernet2/21
Dynamic ARP Inspection: ARP Spoofing Protection
[Diagram: gateway 10.240.200.1 (MAC A), attacker 10.240.200.2 (MAC B), victim 10.240.200.3 (MAC C); the attacker sends gratuitous ARPs “10.240.200.1 = MAC_B” and “10.240.200.3 = MAC_B” to get in the middle]
Global Commands
  ip dhcp snooping vlan 200,210,220
  no ip dhcp snooping information option
  ip dhcp snooping
  ip arp inspection vlan 200,210,220
  ip arp inspection log-buffer entries 1024
  ip arp inspection log-buffer logs 1024 interval 10
Interface Commands
  no ip arp inspection trust (default)
  ip arp inspection limit rate 15 (pps)
Protects against ARP poisoning (ettercap, dsnif, arpspoof)
Uses the DHCP snooping binding table
Tracks MAC to IP from DHCP transactions
Rate-limits ARP requests from client ports; stop port scanning
Drop BOGUS gratuitous ARPs; stop ARP poisoning/MiTM attacks
IP Source Guard: IP Spoofing Protection
[Diagram: gateway 10.240.200.1, victim 10.240.200.3, attacker 10.240.200.2 claiming “Hey, I’m 10.240.200.3!”]
Global Commands
  ip dhcp snooping vlan 200,210,220
  no ip dhcp snooping information option
  ip dhcp snooping
Interface Commands
  ip verify source vlan dhcp-snooping
IP source guard protects against spoofed IP addresses
Uses the DHCP snooping binding table
Tracks IP address to port associations
Dynamically programs port ACL to drop traffic not originating from IP address assigned via DHCP
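As an added example (not code from the Cisco deck), the Python below models the four Catalyst features on these slides against constructed frames: it parses the binding-table output shown earlier, then applies Port Security, DHCP Snooping trust, Dynamic ARP Inspection and IP Source Guard checks to the DAI and IP Source Guard scenarios. The port names, the two extra binding entries and the attacker/victim MACs are assumptions chosen to match the diagrams; the limits are the slides’ configured values.

```python
"""Added example, not code from the Cisco deck: a small model of the Catalyst
features the slides describe (Port Security, DHCP Snooping, Dynamic ARP
Inspection, IP Source Guard) run against constructed frames. The first binding
line is the one on the slide; the other two entries, the port names and the
attacker/victim MACs are constructed to match the DAI and IP Source Guard
diagrams. The limits (3 MACs, 15 ARP pps) are the slides' configured values."""
import re
from dataclasses import dataclass, field

BINDING_OUTPUT = """\
MacAddress          IpAddress     Lease(sec)  Type           VLAN  Interface
------------------  ------------  ----------  -------------  ----  --------------------
00:22:64:88:63:6E   10.240.100.2  62960       dhcp-snooping  100   GigabitEthernet2/21
00:0E:00:CC:CC:CC   10.240.200.3  3600        dhcp-snooping  200   GigabitEthernet2/22
00:0E:00:BB:BB:BB   10.240.200.2  3600        dhcp-snooping  200   GigabitEthernet2/23
"""
BINDING_RE = re.compile(r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>[\d.]+)\s+\d+\s+\S+\s+"
                        r"(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$")

def parse_binding_table(text):
    """Parse 'sh ip dhcp snooping binding' output into {(vlan, port): {mac: ip}}."""
    table = {}
    for m in filter(None, map(BINDING_RE.match, text.splitlines())):
        table.setdefault((int(m["vlan"]), m["intf"]), {})[m["mac"].lower()] = m["ip"]
    return table

@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False         # default: no ip dhcp snooping trust / no ip arp inspection trust
    max_macs: int = 3             # switchport port-security maximum 3
    violation: str = "shutdown"   # port-security violation: protect | restrict | shutdown
    learned: set = field(default_factory=set)
    err_disabled: bool = False
    arp_count: int = 0            # ARPs seen in the current one-second window

class Switch:
    ARP_RATE_LIMIT = 15           # ip arp inspection limit rate 15 (pps)

    def __init__(self, binding_text):
        self.bindings = parse_binding_table(binding_text)
        self.traps = []           # SNMP traps / log messages the switch would emit

    def _bound(self, port):
        return self.bindings.get((port.vlan, port.name), {})

    def port_security(self, port, src_mac):
        """Port Security: cap the MACs learned on a port and act on a violation."""
        if port.err_disabled:
            return "drop"
        if src_mac in port.learned or len(port.learned) < port.max_macs:
            port.learned.add(src_mac)
            return "forward"
        if port.violation != "protect":           # protect mode drops silently
            self.traps.append(f"{port.name}: port-security violation from {src_mac}")
        if port.violation == "shutdown":
            port.err_disabled = True
        return "drop"

    def dhcp_snooping(self, port, msg_type):
        """DHCP Snooping: server-side messages are accepted only on trusted ports."""
        if msg_type in ("offer", "ack", "nak") and not port.trusted:
            return "drop"
        return "forward"

    def arp_inspection(self, port, sender_mac, sender_ip):
        """DAI: rate-limit ARPs and require sender MAC/IP to match the binding table."""
        if port.trusted:
            return "forward"
        port.arp_count += 1
        if port.arp_count > self.ARP_RATE_LIMIT:
            port.err_disabled = True
            self.traps.append(f"{port.name}: ARP rate limit exceeded")
            return "drop"
        return "forward" if self._bound(port).get(sender_mac.lower()) == sender_ip else "drop"

    def ip_source_guard(self, port, src_ip):
        """IP Source Guard: only source IPs assigned via DHCP on this port pass."""
        return "forward" if src_ip in self._bound(port).values() else "drop"

def demo():
    """Replay the slide scenarios; returns the verdicts and the traps raised."""
    sw = Switch(BINDING_OUTPUT)
    attacker = Port("GigabitEthernet2/23", vlan=200)   # 10.240.200.2, MAC B
    victim = Port("GigabitEthernet2/22", vlan=200)     # 10.240.200.3, MAC C
    verdicts = {
        # gratuitous ARP "10.240.200.1 = MAC_B": MAC B is bound to .2, so DAI drops it
        "gratuitous_arp": sw.arp_inspection(attacker, "00:0e:00:bb:bb:bb", "10.240.200.1"),
        "legit_arp": sw.arp_inspection(victim, "00:0e:00:cc:cc:cc", "10.240.200.3"),
        # "Hey, I'm 10.240.200.3!" sent from the attacker's port: IP Source Guard drops it
        "spoofed_ip": sw.ip_source_guard(attacker, "10.240.200.3"),
        "own_ip": sw.ip_source_guard(attacker, "10.240.200.2"),
        "rogue_offer": sw.dhcp_snooping(attacker, "offer"),   # untrusted port
        # MAC flood: the 4th MAC exceeds "maximum 3" and err-disables the port
        "mac_flood": [sw.port_security(attacker, f"00:0e:00:bb:bb:{i:02x}") for i in range(5)],
    }
    return verdicts, sw.traps
```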
Internal Segmentation
Segment high profile areas of the network: NMS, Enterprise Servers, Compliance Driven
Determine traffic flows
Tune policy based on business requirements
Access NMS network
[Diagram: user managing an infrastructure device: 1. IPSEC or SSH access to the firewall; 2. Telnet or SSH to the NMS; 3. SSH or Telnet to network infrastructure devices from the NMS; infrastructure devices only accept access from the NMS Segment; Internal Network and NMS Segment]
Firewall - Topology Overview
[Diagram: Internet, ISP A and ISP B, IE Routers, Outside Switch, Cisco ASA5540 + IPS, RA VPN on Cisco ASA5520/40, Cisco ESA, Cisco WSA, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]
Organization Overview
Perimeter of the corporate network
Major threats to network performance, availability and data security: Worm, virus, and botnet infiltration; Network profiling and unauthorized access attempts
Firewall security must: Protect information assets; Meet the need for secure, reliably available networks; Apply policy to manage employee productivity; Address regulatory compliance requirements
Firewall security policy must not interfere with access to Internet-based applications, or hinder connectivity to business partners’ data via extranet VPN connections
Technology Overview
This design employs a pair of Cisco ASA 5500s for Internet Edge firewall security
Configured for active/standby high availability
Configured in routing mode for greatest flexibility
Contain NAT and firewall policy, and host IPS-SSMs
Two deployment options are discussed:
The Internet-5K firewall design uses a single Internet connection, with Remote Access VPN aggregation in the same device pair that provides firewall
The Internet-10K firewall design uses a dual Internet connection for resiliency of access to the Internet; Remote Access VPN aggregation is implemented on a different pair of ASAs, to provide for operational flexibility
A good portion of the configuration described is common to both the Internet-5K and Internet-10K designs
Firewall sizing is based off of traffic from inside, outside, DMZ and Internet
Design – Failover
Define failover interface and addresses
Tune failover poll times
Use tracking in 10K design
Configure a static route for tracked item
[Screenshots: Failover Interface; Failover Policy]
Design – Routing
If no high availability for Internet access is required (Internet-5K design), the ASAs’ physical interface is used
If resilient Internet access is required (Internet-10K design), the ASAs’ outside physical interface is configured as a VLAN trunk to the outside switch
Define routes to the two Internet CPE addresses with object tracking
EIGRP is enabled on the Inside interface
[Diagram, Static Route with Tracking: ASA Primary and ASA Standby, VLANs 16 & 17 trunked to the ASA through the Outside Switch; Primary ISP Router on VLAN 16 (172.16.0.0) and Secondary ISP Router on VLAN 17 (172.17.0.0); IP-SLA probes toward destination 10.194.112.65 via the primary and secondary ISPs]
Design – DMZ
The Firewall’s DMZ (De-Militarized Zone) is a portion of the network where traffic to and from other parts of the network is tightly restricted
Network services placed in a DMZ for exposure to the Internet
Typically not allowed to initiate connections to the ‘inside’ network, except for specific circumstances
[Screenshots: Physical Interface; Trunked Interface]
Design – Address Translation
Use address-family names and object-groups
Enable names
Configure the interface that will be used for the outside (global) addresses
Enable static translations for hosts that need to be accessed from the Internet
[Screenshots: Enable names; Network Objects; Static NAT]
Design - Policy Configuration
Network security policies can be broken down into two basic categories: ‘whitelist’ policies and ‘blacklist’ policies
Whitelist policies offer a stronger implicit security posture
Blacklist policies offer reduced operational burden
[Screenshots: Whitelist policies; Blacklist policies]
Design – Monitoring and Authentication
Enable logging to a syslog server
Enable and configure SNMP
Use AAA for authenticating users and administrators
[Screenshots: SNMP; AAA Server]
SensorBase Overview
SensorBase Network Breadth
IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
Message Composition Data: Message size, attachment volume, attachment types, URLs, host names
Spam Traps: SpamCop, ISPs, customer contributions
Compromised Host Lists: SORBS, OPM, DSBL
Web site Composition Data: Downloaded files, linking URLs, threat heuristics
Complaint Reports: Spam, phishing, virus reports
Domain Blacklists & Safelists: Spamvertized URLs, phishing URLs, spyware sites
Global Volume Data: Over 100,000 organizations, email traffic, web traffic
Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long has it been registered, how long has the site been up
First to combine email & web data
Over 100 email and 20 web parameters tracked
Cisco Security Intelligence Operations
Cisco SensorBase, Threat Operations Center, Dynamic Updates
Security Infrastructure Dynamically Protects Against the Latest Threats Through:
The Most Comprehensive Vulnerability and Sender Reputation Database
A Global Team of Security Researchers, Analysts, and Signature Developers
Dynamic Updates and Actionable Intelligence
Powered by Global Correlation
What Is Reputation? Is All Reputation the Same?
Reputation is the history of both the actions and qualities of a specific IP address or network. It is calculated using some of the hundreds of different types of data found in Cisco SensorBase.
For different types of devices (Email Security, Web Security, IPS, Firewall), different parameters can mean more or less for the reputation of a device.
Ex: The fact of sending spam is highly relevant to the reputation of an email device and less so to an IPS sensor.
Cisco Global Correlation: Cisco SensorBase, World’s Largest Traffic-Monitoring Network
Largest Footprint | Greatest Breadth | Full Context Analysis
Cisco Global Correlation: Exceptional Breadth
Email Security, IPS, Web Security, Firewall
Identifying a Global Botnet Requires Complete Visibility Across All Threat Vectors
Global Correlation: Full Context Analysis, Seeing the Whole Picture
Who? Reputation of Counterparty
What? Content
How? Propagation and Mutation Methods
Where? Geographic and Vertical Trends
Enterprise Intrusion Detection/Prevention
Data Center Design Overview
Understand traffic patterns and bandwidth requirements
IDS/IPS can be deployed at entry point network segments
Deploy in high risk areas
[Diagram: IPS/IDS sensors reporting over Syslog and SNMP to the System Admin; Other Servers]
IPS/IDS Internet Edge - Topology Overview
Traffic inspected by ASA firewall policy
If denied by firewall policy traffic is dropped
Permitted traffic matching inspection policy sent to IPS module
Traffic matching reputation filter list or with a GC adjusted risk rating of 90+ is dropped
Clean traffic is sent back to ASA
VPN access policies applied if present then traffic sent forward onto network
Organization Overview
Services on the internet have become a key component to many businesses today
Need to understand key requirements:
Provide internet access in a secure way while at the same time controlling access to non business related content
Have a web presence up and available for partners and clients to access basic information about the organization
Manage the risk of inadvertent exposure of data or attack on the public facing data
Protect against threats such as worms, viruses, and botnets
IPS is complementary to a firewall and inspects the traffic that is permitted by the firewall policy for attacks
If an IPS detects an attack the offending traffic is dropped and an alert is sent
Technology Overview
This design employs Cisco Adaptive Inspection Prevention Security Service Module (AIP-SSM) modules for IPS services
The design offers several options based off of performance requirements of your organization:
For BN Internet Edge 5k the ASA 5520 with AIP-SSM-20
For larger networks like Internet Edge 10k the ASA 5540 with AIP-SSM-40
The Internet edge firewall and IPS throughput requirements are much higher than just the speed of the Internet connection:
Internal traffic to servers in the DMZ
Wireless guest traffic
Site-to-site VPN
Remote access VPN
IPS modules rely on the ASA for high availability services
Cisco IPS 7.0 with Global Correlation: Changing Network IPS to Global IPS
Coverage: Twice the effectiveness of signature-only IPS
Accuracy: Reputation analysis decreases false positives
Timeliness: 100 times faster than traditional signature-only methods
Harnessing the Power of Cisco Security Intelligence Operations
Results Averaged over 2-Week Period in Prerelease Deployments
Packet Flow in Cisco IPS Version 7.0
[Diagram: Preprocessing, IPS Reputation Filters, Signature Inspection, Anomaly Detection, Global Correlation, Decision Engine]
IPS reputation filters block access to IPs on stolen zombie networks or networks controlled entirely by malicious organizations.
Global Correlation inspection raises the risk rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without a negative reputation.
Global Correlation Inspection: How Much Does the Risk Rating Change?
Global Correlation inspection adjusts the risk rating of events based on the reputation of the attacker and the original risk rating.
The formula used to calculate the change is complex and statistical in nature. It is also subject to change for fine-tuning (so this chart can change).
Example: An event is triggered with RR = 85 and an attacker reputation of –5; the sensor raises the risk rating to 99 and, in Standard mode, applies the Deny Packet action due to reputation. Note that this event would not have been blocked on a sensor without Global Correlation.
Reputation Effect on Risk Rating, Standard Mode (Blue = Deny Packet, Red = Deny Attacker)
Initial Risk Rating | Reputation of Attacker: -1 -2 -3 -4 -5 -6 -7 -8 -9 -10
80  | 80 87 92 95 98 99 100 100 100 100
81  | 81 87 92 96 98 100 100 100 100 100
82  | 82 88 93 96 98 100 100 100 100 100
83  | 83 88 93 96 99 100 100 100 100 100
84  | 84 89 94 97 99 100 100 100 100 100
85  | 85 90 94 97 99 100 100 100 100 100
86  | 86 90 94 97 99 100 100 100 100 100
87  | 87 91 95 98 100 100 100 100 100 100
88  | 88 91 95 98 100 100 100 100 100 100
89  | 89 92 96 98 100 100 100 100 100 100
90  | 90 92 96 99 100 100 100 100 100 100
91  | 91 93 97 99 100 100 100 100 100 100
92  | 92 93 97 99 100 100 100 100 100 100
93  | 93 94 97 100 100 100 100 100 100 100
94  | 94 95 98 100 100 100 100 100 100 100
95  | 95 95 98 100 100 100 100 100 100 100
96  | 96 96 99 100 100 100 100 100 100 100
97  | 97 97 99 100 100 100 100 100 100 100
98  | 98 98 100 100 100 100 100 100 100 100
99  | 99 99 100 100 100 100 100 100 100 100
100 | 100 100 100 100 100 100 100 100 100 100
IPS Reputation Filters: Blocking the Worst Traffic
Some networks on the Internet are owned wholly by malicious organizations or are hijacked zombie networks
Reputation filters block access to these networks like an ACL
Individual IP addresses do not go on this list because of things they do (an IP address does not go from –1 to –9 to being put on this list)
[Diagram: packet flow with IPS Reputation Filters highlighted ahead of Signature Inspection, Anomaly Detection, Global Correlation and the Decision Engine; sample list entries … 58.65.232.0/21, 58.83.8.0/22, 58.83.12.0/22, 62.122.32.0/21 …]
1. New attacker hits the IPS
2 Attacker without a reputation
Local Inspection Will Always Matter Example 1: Unknown Attacker
2. Attacker without a reputation
3. Signatures or anomaly detection identify activity
4. The attack is handled according to the security policy implemented on the sensor (deny if risk rating reaches threshold)
5. Information about the attacker is sent back to Cisco Security I t lli O ti (SIO) t
IPS ReputationFilters
Signature Inspection
A l
GlobalCorrelation
DecisionEngine
SignatureInspection
Preprocessing
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 55
yIntelligence Operations (SIO) to track the attacker’s reputation (if configured)
Cisco SIO
Cisco IPS
AnomalyDetection
Global Correlation Inspection – Example 2: Suspicious Attacker
Identified Through Local Inspection, Denied Due to Global Correlation
1. Suspicious attacker attacks
2. Attacker has medium reputation
3. Signatures identify suspicious activity and give this attacker a medium risk rating
4. Global Correlation adds context of attacker reputation to risk rating
5. Decision engine blocks attack
6. Information on new reputation is sent back to Cisco SIO
Diagram: Cisco IPS (Reputation Filters, Preprocessing, Signature Inspection, Anomaly Detection, Global Correlation, Decision Engine) exchanging reputation data with Cisco SIO
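The two examples above, as an added toy model that is not Cisco's IPS code: reputation filters deny whole prefixes like an ACL, local inspection supplies a risk rating, global correlation raises it according to attacker reputation, and the decision engine denies at a threshold. The reputation scale, the 5-points-per-step weighting, the threshold of 90 and the sample addresses are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed prefixes in the style of the slide's reputation list
# (not a real feed).
REPUTATION_FILTER = [ipaddress.ip_network(n)
                     for n in ("58.65.232.0/21", "62.122.32.0/21")]

# Assumed: reputation runs from 0 (unknown/clean) down to -10 (worst),
# in the spirit of the slide's "-1 to -9" scale. Constructed entry.
REPUTATION_DB = {"203.0.113.7": -5}     # medium reputation

DENY_THRESHOLD = 90     # assumed risk-rating threshold on the sensor


@dataclass
class Verdict:
    action: str         # "deny-prefix", "deny" or "allow"
    risk_rating: int    # rating after global correlation
    reason: str


def reputation_filter(src_ip: str) -> bool:
    """Reputation filter: deny whole networks, like an ACL."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in REPUTATION_FILTER)


def correlate(base_risk: int, reputation: int) -> int:
    """Global correlation: a worse attacker reputation raises the risk
    rating. Assumed weighting: 5 points per reputation step, cap 100."""
    return min(100, base_risk + (-reputation) * 5)


def decide(src_ip: str, signature_risk: Optional[int]) -> Verdict:
    """Decision engine for one event. signature_risk is the rating
    from signature/anomaly inspection, or None if nothing fired."""
    if reputation_filter(src_ip):
        return Verdict("deny-prefix", 100, "source in reputation filter list")
    if signature_risk is None:
        return Verdict("allow", 0, "no local inspection hit")
    reputation = REPUTATION_DB.get(src_ip, 0)   # unknown attacker -> 0
    rating = correlate(signature_risk, reputation)
    if rating >= DENY_THRESHOLD:
        basis = "local inspection" if reputation == 0 else "global correlation"
        return Verdict("deny", rating, f"rating {rating} >= threshold by {basis}")
    return Verdict("allow", rating, f"rating {rating} below threshold")


if __name__ == "__main__":
    # Example 1: unknown attacker, high signature rating -> local deny.
    print(decide("198.51.100.9", 95))
    # Example 2: medium-reputation attacker, medium rating -> correlated deny.
    print(decide("203.0.113.7", 70))
```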
Global Correlation Network Participation: “My Sensor Is Sending Data Back to Cisco?”
Event data is parsed into reputation update data on the sensor and buffered for transmission to Cisco SensorBase
Every 10 minutes, on average, network participation data is sent to Cisco over HTTPS
This data does not include private addresses
Network participation improves overall security as well as your own by adding attacker data specific to your site.
Diagram: Cisco IPS – Internet – Cisco SIO; the sensor connects to Cisco SensorBase over HTTPS (HTTPS://208.90.57.73) to report attack data
Global Correlation Network Participation: “What Is My Sensor Sending to Cisco?”
Network participation is entirely voluntary and on an opt-in basis (turned off by default)
No actual packet content data is ever sent
Partial participation sends attacker IP, port, signature ID and risk rating, some protocol attributes, and summary IPS performance data
Full mode adds victim IP and port
Private IP addresses are removed before sending
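The two network participation slides above, as an added example that is not Cisco's sensor code: a constructed local event is reduced to the partial-mode fields, full mode adds only victim IP and port, RFC 1918 addresses are removed before anything is buffered, packet content never leaves, and participation is disabled unless opted in. Field names and the choice to drop a record whose attacker address is private are assumptions.

```python
import ipaddress
from typing import Optional

# Private address space that the sensor strips before reporting.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Fields sent in each participation mode (assumed names, following the
# slide's description: full mode adds only the victim IP and port).
PARTIAL_FIELDS = ("attacker_ip", "attacker_port", "sig_id",
                  "risk_rating", "protocol")
FULL_FIELDS = PARTIAL_FIELDS + ("victim_ip", "victim_port")

# Constructed sensor event, as the IPS sees it locally.
SAMPLE_EVENT = {
    "attacker_ip": "203.0.113.7", "attacker_port": 41234,
    "victim_ip": "10.1.2.3", "victim_port": 80,
    "sig_id": 5081, "risk_rating": 95, "protocol": "tcp",
    "payload": b"GET /cgi-bin/ HTTP/1.0",    # packet content: never sent
}


def scrub_private(ip: str) -> Optional[str]:
    """Return ip if it is not RFC 1918 space, else None (removed)."""
    addr = ipaddress.ip_address(ip)
    return None if any(addr in net for net in RFC1918) else ip


def participation_record(event: dict, mode: str = "partial") -> Optional[dict]:
    """Build the update the sensor buffers for SensorBase, or None when
    the attacker address is private and there is nothing to report."""
    fields = {"partial": PARTIAL_FIELDS, "full": FULL_FIELDS}[mode]
    record = {k: event[k] for k in fields}          # allowlist: no payload
    for key in ("attacker_ip", "victim_ip"):
        if key in record:
            record[key] = scrub_private(record[key])
    return None if record["attacker_ip"] is None else record


class NetworkParticipation:
    """Opt-in buffer of reputation updates; disabled by default."""

    def __init__(self, enabled: bool = False, mode: str = "partial"):
        self.enabled, self.mode, self.buffer = enabled, mode, []

    def observe(self, event: dict) -> bool:
        """Queue a scrubbed record; True if something was buffered."""
        if not self.enabled:
            return False
        rec = participation_record(event, self.mode)
        if rec is not None:
            self.buffer.append(rec)
        return rec is not None
```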
Design - General
Network Setup: set up basic networking such as IP address, gateway, DNS, and access lists to allow remote access to the GUI
Screenshot: Main Configuration Screen
Inspection Mode: decision must be made for sensor mode
–Inline (IPS)
–Promiscuous (IDS)
Traffic Allocation: create a global policy to capture traffic from the ASA
Screenshot: Add Global Policy
IPS rules
IPS is configured to drop traffic
Policy can be changed based upon business requirements
Screenshots: Rules Overrides Screen; Rules Risk Category
Enterprise Web Security
WSA - Topology Overview
Diagram: User Community – Distribution Layer – Internet Edge Firewall/IPS – Cisco Web Security Appliance – Remote Access VPN – Internet
Organization Overview
Web access is a requirement for many modern organizations’ day-to-day functions. A challenge exists to maintain an organization’s collective web access while minimizing unacceptable or risky use. A solution is needed to control policy-based web access to ensure employees work effectively, and to assure that personal web activity will not waste bandwidth, affect productivity, or expose the organization to undue risk.
As part of a company’s corporate security policy, decisions will need to be made about acceptable use
As the monetary gain for malicious activities on the Internet has grown and developed, the number of vectors used to effect these malicious and/or illegal activities has grown and become more sophisticated.
Likely the top threat that exists on the Internet today is that of malicious Internet servers (mostly web) being used to host content that then attacks innocent users’ browsers as they view the content.
Web Business Challenges
Acceptable Use Violations
Data Loss
Malware Infections
The Dark Web: 80% of the web is uncategorized, highly dynamic or unreachable by web crawlers
– Botnets
– Dynamic content
– Password protected sites
– User generated content
– Short life sites
Malware
The Known Web: 20% covered by URL lists
Acceptable Use Violations
Malware Threats & the Dark Web
Chart: 2008 Volume Ratio Change (Malware Blocks Relative to All Requests), 0%–350%, 01-Jan-08 to 01-Nov-08
300% yearly volume increase in 2008
Exploits and iframes up 1,731%
4,995% increase in data theft trojans in two years
Botnets on the Prowl
Zeus and Clampi: Botnets that steal online account credentials with a focus on bank accounts
Zeus Trojan is estimated to have infected 3.6 million computers as of October 2009
The newer Clampi Trojan is estimated to have infected hundreds of thousands of computers
Technology Overview
The Cisco ASA redirects HTTP and HTTPS connections using the Web Cache Control Protocol (WCCP) to the WSA.
Determine how web traffic will be sent to the WSA – Explicit or Transparent mode
Determine what type of physical topology will be used
Most common method is to combine management and proxy services onto the management interface
Diagram: User Community (Campus) – Cisco ASA – Cisco WSA – Internet
1. User initiates web request
2. ASA Firewall redirects request to Cisco WSA
3. WSA checks request, replies with denial if request violates policy
4. WSA initiates new connection to the Web if request is acceptable
5. Web Server replies with content which is sent to WSA
6. WSA checks content for objectionable material and forwards content to originating user if no issues are encountered
Deployment - General
Initial Setup Options
System Update(s) and Feature Keys
Log Subscriptions
Web Usage Controls
Logging
Custom URL Categories
Access Policies
Web Reputation and Anti-Malware
Optional Deployment: WCCP
Screenshot: Custom URL Category Filtering
Deployment – Basic Continued
Web Reputation and Anti-Malware
Optional Deployment: WCCP
Screenshots: Access Policies – Reputation and Anti-Malware; ASA WCCP; WSA WCCP
Deployment - HTTPS
Enable HTTPS proxy connections
Generate a certificate for the WSA to use on the client side of the proxy connection
Configure what the WSA is supposed to do when the server it is connecting to has an invalid certificate
Screenshot: HTTPS Proxy Settings
Deployment – HTTPS Continued
Create new custom URL categories
Apply categories to the decryption policy
Screenshots: Decryption Policies Custom Categories; Decryption Policies URL Categories
Deployment - Authentication
Determine type of authentication: LDAP/NTLM
Screenshot: NTLM Realm
Determine subnets not to authenticate
Screenshot: Subnet Policy
Deployment – Authentication Continued
Determine client applications not to authenticate
Screenshot: Agent Policy
Enable authentication
Screenshot: Global Authentication
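The HTTPS and authentication deployment steps above, as an added toy policy evaluator that is not the WSA's own code: custom URL categories matched on hostname, a decryption policy keyed by category, and authentication exemptions for subnets and client applications. The category names, hostname patterns, subnet and user-agent patterns are constructed assumptions.

```python
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Custom URL categories: name -> hostname patterns (constructed).
CUSTOM_CATEGORIES = {
    "Banking": ["*.examplebank.test"],
    "Webmail": ["mail.example.test", "*.webmail.test"],
}
# Decryption policy per custom category; others use DEFAULT_DECRYPT.
# Passing banking through untouched keeps user credentials out of the proxy.
DECRYPT_POLICY = {"Banking": "pass-through", "Webmail": "decrypt"}
DEFAULT_DECRYPT = "decrypt"

# Subnets and client applications exempt from authentication (constructed):
# e.g. a printer VLAN and update agents that cannot answer an NTLM challenge.
AUTH_EXEMPT_SUBNETS = [ipaddress.ip_network("10.10.50.0/24")]
AUTH_EXEMPT_AGENTS = ["WindowsUpdate*", "AntiVirusUpdater/*"]


def categorize(url: str) -> str:
    """Map a URL to the first matching custom category, else Uncategorized."""
    host = urlsplit(url).hostname or ""
    for name, patterns in CUSTOM_CATEGORIES.items():
        if any(fnmatch(host, p) for p in patterns):
            return name
    return "Uncategorized"


def decryption_action(url: str) -> str:
    """Decryption policy applies only to HTTPS requests."""
    if urlsplit(url).scheme != "https":
        return "n/a"
    return DECRYPT_POLICY.get(categorize(url), DEFAULT_DECRYPT)


def requires_auth(client_ip: str, user_agent: str) -> bool:
    """Subnet policy and agent policy: exempt clients skip authentication."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in AUTH_EXEMPT_SUBNETS):
        return False
    if any(fnmatch(user_agent, p) for p in AUTH_EXEMPT_AGENTS):
        return False
    return True


def evaluate(client_ip: str, user_agent: str, url: str) -> dict:
    """Combined view of what the proxy would do with one request."""
    return {"category": categorize(url),
            "decrypt": decryption_action(url),
            "authenticate": requires_auth(client_ip, user_agent)}
```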
Deployment – Error Pages
Common expected client messages
Enterprise Email Security
ESA - Topology Overview
Diagram: Internet – ASA – ESA on DMZ – Inside Network
Organization Overview
There are two major problems with email in networks today: floods of unsolicited and unwanted emails (spam), and large numbers of phishing emails
Email is a critical business service - can be as important as telephone service
Solutions for this problem include hosted services that provide filtering as part of the email solution or network solutions that are installed in front of a local email server
The goal of the solution is to filter out positively identified spam and quarantine or discard emails sent from untrusted or potentially hostile locations.
Anti-virus (AV) scanning is applied to emails and attachments from all servers to remove known malware.
Technology Overview
Acts as a Mail Transfer Agent (MTA)
Can be deployed with a single physical interface
Uses reputation-based and context-based filters
Uses Virus Outbreak Filters and AV signatures to fight viruses
Diagram: Internet – Internet DNS Server – Cisco Email Security Appliance – Email Server
1) Sender sends email to [email protected]
2) What is IP for CompanyX Mail Server (MX and A record DNS lookup)?
3) IP address for CompanyX email is a.b.c.d (Cisco C-Series appliance at Company X)
4) Send the
5) After inspection, the email is sent to the central Email Server
6) Employee retrieves cleaned email
Deployment - General
Network Setup: configure system settings – Interfaces/DNS, Hostname/Password
Message Security
Deployment - Policy
Default policy is generally used to get started
Enable Anti-Spam, configured to drop
Enable Bounce Verification
Screenshots: Anti-Spam; Bounce Verification
Enterprise Remote Access
Remote Access Topology Overview
Diagram: Internet (ISP A, ISP B) – 3945/ASR1002 – 3560G/3750G – Cisco ASA5540 + IPS – DMZ Switch – Internet Servers – RA VPN 3750G – 6500 Core – Distribution
Organization Overview
Many Internet-connected businesses need to offer connectivity to their data network resources for mobile users.
Employees, contractors, and partners may need to access the network when traveling or working from home or from other off-site locations.
The remote-access connectivity should support a wide variety of endpoint devices and provide seamless access to networked data resources.
The remote-access connectivity should support authentication and policy control that integrates with the business’s authentication resources.
This connectivity should also use cryptographic security to prevent the revelation of sensitive data to unauthorized parties who accidentally or intentionally intercept the data.
Technology Overview
The Cisco ASA supports IPsec, web portal, and full tunnel SSL VPNs for client-based remote access and IPsec for hardware client or site-to-site VPN.
IPsec VPN requires the user to have client software installed
SSL access is more flexible and is likely to be accessible from more locations than IPsec
The Smart Business Architecture Borderless Network for Enterprise offers two different remote-access VPN designs:
– Remote-Access VPN integrated with firewall Cisco ASA pair for Internet-5K design.
– Remote-Access VPN deployed on a pair of stand-alone Cisco ASA for the Internet-10K design.
Deployment - General
VPN Pools
Group policy
AD user/group setup
Screenshots: VPN Pool; Group Policy Config; AD User Attributes
Deployment - Authentication
AAA
LDAP Mapping
Group Policy
NAT Exemption
Screenshots: AAA Config; LDAP Mapping; Group Policy Profile
Design – IPsec
Site-to-Site
Client
IPsec policies
Screenshots: Group Policy Config; Client Config; IPsec Crypto Maps
Design - AnyConnect
Upload Client Image
Global Webvpn Configuration
SSL Configuration
Client Configuration
Screenshots: SSL Client Upload; SSL VPN Client Page; Group Policy Config
Summary - Organization
Business demands are changing - Access from anyone, anything, anywhere, anytime
Understand business requirements and security policies – Remember the 5 W’s 1 H
Organizations need to provide users access to Internet services (email and web)
Users need access to services inside the organization from remote locations
Organizations need to provide controlled access to data and/or services for the public, partners, and customers
Organizations need to improve employee productivity by controlling Internet web access to work related locations
Organizations need to manage security risk associated with Internet connectivity
For more information please visit http://www.cisco.com/go/sba
Summary - Technology
Firewalls deployed on Internet edge and key internal segments using a “White list” or “Black list” policy
IPS/IDS should be deployed in high risk areas - Internet, Internal module entry/exit points
Web security provides protection from malicious sites and helps to enforce the Acceptable Use Policy
Email security provides protection against non-business email use and helps to mitigate threats (spam, phishing etc.)
Remote Access provides different ways to access the internal corporate network
Questions & Comments