8/6/2019 Bernard Trudel Cisco NASSCOM Security (1)
The Self-Defending Network: Distributing Security Throughout the Network
Bernie Trudel, Principal Consultant, Security, Cisco Asia Pacific
© 2004 Cisco Systems, Inc. All rights reserved.
The Network as a Strategic Asset
[Figure: the network links Customers, Partners, Suppliers and Employees to Corporate Enterprises, Small/Medium Businesses and Service Providers, delivering Improved Productivity, Reduced Operational Costs and Financial Performance.]
Security Challenges: The Cost of Threats
[Chart: Dollar Amount of Loss by Type of Attack; CSI/FBI 2003 Survey, 251 respondents]
Top threats:
1. Theft
2. DoS
3. Viruses/Worms
4. Insider abuse
CY2003 total: $201.7M (US), or $380k per respondent on average.
Security Issues for IT in India
Availability of the IT infrastructure
  - Distributed Denial of Service
  - Worm persistence and propagation
Keeping rogue users out of the network
  - Physical port access
  - Logical port access
Privacy of information
  - Internal theft of information
  - Social engineering: phishing, ad-ware, Trojans
Evolution of Security Requirements: A Collaborative Systems Approach
PAST            ->  NEEDED NOW
Reactive        ->  Automated, proactive
Standalone      ->  Integrated, multiple layers
Product level   ->  System-level services
Self-Defending Networks
Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats.
[Figure: three layers, each building on the one below]
  - Integrated Security: Secure Connectivity, Threat Defense, Trust & Identity
  - Advanced Security Technologies: Endpoint Security, Application Firewall, SSL VPN, Network Anomaly
  - System-Level Solutions: dynamically identify, prevent, and respond to threats; Endpoint + Network
Self-Defending against Wireless Intrusion
[Figure: a CiscoWorks WLSE 2.5 cluster acts as policy server; radio management (RM) agents on access points and a switch-based WDS report through an RM aggregator; a rogue AP is plugged into an access switch]
1. New RF is detected by WLAN endpoints
2. RM frames are sent to the policy server
3. Policy server locates the rogue AP and disables the network switch port
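The three steps above, written out as policy-server decision logic. This is an added example, not Cisco WLSE or WDS code: the BSSID inventory, RM reports, reporter-to-switch map and CAM tables are constructed sample data, and the "wired MAC is within a few addresses of the BSSID" lookup is an assumed heuristic used to tie an over-the-air rogue to a wired port.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed inventory: BSSIDs of the access points the WLAN manager owns.
AUTHORIZED_BSSIDS = {"00:0b:85:10:00:01", "00:0b:85:10:00:02"}


@dataclass(frozen=True)
class RMReport:
    """One radio-management observation: `reporter` heard `bssid` at `rssi_dbm`."""
    reporter: str   # managed AP or WLAN endpoint that heard the beacon
    bssid: str
    ssid: str
    rssi_dbm: int


# Constructed RM reports, as aggregated by the policy server.
RM_REPORTS = [
    RMReport("ap-01", "00:0b:85:10:00:02", "corp", -61),       # a known AP, not a rogue
    RMReport("ap-01", "00:16:b6:44:aa:c0", "linksys", -79),
    RMReport("ap-02", "00:16:b6:44:aa:c0", "linksys", -48),    # strongest signal
    RMReport("client-17", "00:16:b6:44:aa:c0", "linksys", -55),
    RMReport("client-17", "00:1f:33:99:00:10", "free-wifi", -70),
]

# Constructed: the edge switch each reporter is wired to.
REPORTER_SWITCH = {"ap-01": "sw-f1", "ap-02": "sw-f2", "client-17": "sw-f2"}

# Constructed CAM (MAC address) tables: switch -> {MAC: port}.
CAM_TABLES = {
    "sw-f1": {"00:0b:85:10:00:01": "Gi1/0/1"},
    "sw-f2": {
        "00:0b:85:10:00:02": "Gi1/0/1",
        "00:16:b6:44:aa:bf": "Gi1/0/7",   # the rogue AP's wired Ethernet MAC
        "00:11:22:33:44:55": "Gi1/0/9",
    },
}


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def find_rogue_bssids(reports: Iterable[RMReport], authorized: Set[str]) -> Set[str]:
    """Step 1: any BSSID heard over the air that is not in the inventory is a rogue."""
    return {r.bssid for r in reports} - authorized


def locate(bssid: str, reports: Iterable[RMReport]) -> Optional[str]:
    """Step 2-3: the reporter that heard the rogue loudest is physically closest to it."""
    heard = [r for r in reports if r.bssid == bssid]
    return max(heard, key=lambda r: r.rssi_dbm).reporter if heard else None


def find_wired_port(bssid: str, switch: str, cam_tables: Dict[str, Dict[str, str]],
                    tolerance: int = 8) -> Optional[Tuple[str, str]]:
    """Heuristic (assumption, not a WLSE feature): a small AP's wired MAC usually sits
    within a few addresses of its BSSID, so search the nearby switch's CAM table for it."""
    target = mac_to_int(bssid)
    for mac, port in cam_tables.get(switch, {}).items():
        if abs(mac_to_int(mac) - target) <= tolerance:
            return mac, port
    return None


def contain(reports, authorized, reporter_switch, cam_tables) -> List[Tuple]:
    """Full flow: a port shutdown for each rogue that can be tied to a port, an alert otherwise."""
    actions = []
    for bssid in sorted(find_rogue_bssids(reports, authorized)):
        reporter = locate(bssid, reports)
        switch = reporter_switch.get(reporter)
        hit = find_wired_port(bssid, switch, cam_tables) if switch else None
        if hit:
            actions.append(("shutdown", switch, hit[1], bssid))
        else:
            actions.append(("alert", switch, reporter, bssid))
    return actions


if __name__ == "__main__":
    for action in contain(RM_REPORTS, AUTHORIZED_BSSIDS, REPORTER_SWITCH, CAM_TABLES):
        print(action)
```

The second rogue in the sample shows the failure mode a practitioner must plan for: a rogue heard over the air but not matched in any CAM table (for example one on a switch the policy server does not manage, or a neighbour's AP) cannot be shut down by port and must be escalated as an alert rather than silently ignored.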
The Three Pillars of Security
Secure Connectivity System: secure transport of applications across numerous network environments
Trust & Identity Management System: contextual identity required for entitlement and trust
Threat Defense System: collaboration of security and network intelligence services to minimize the impact of both known and unknown threats
Spanning all three: Privacy, Protection, Control; Central Management and Analysis
Privacy: Network Confidentiality
[Figure: one secure network carrying data, extranet and voice traffic between the sites below]
Branch Offices: extend the corporate network to branch offices in a cost-effective manner
Mobile User: enhance productivity by providing anywhere, anytime access with IPSec or SSL
Teleworker: provide multi-service access to SOHO users over secure broadband connections
Extranets: improve communications and access with partners, suppliers and customers with IPSec or SSL
Campus: enhance security by ensuring privacy of critical information across the data center and the entire campus
Wireless: maintain security with new access technologies that enhance productivity
Management: centralized control of all secure connections, with one platform to configure, monitor and troubleshoot
Protection: Securing the Endpoint

Business Challenge | New Method | Requirement
Day Zero attacks: rapidly propagating attacks evade signature recognition | To Zero-Update Protection: stops new unknown attacks with no signature updates to manage | Reactive products (PFW, etc.) fail to address the problem
Point product challenges: requires multiple agents and management paradigms | To a Single Agent: aggregates multiple security functionality in one agent | Behavioral day-zero protection, firewalling and OS lockdown
Reactive patching and patch management: the increasing number of vulnerabilities makes patching systems an update race without end | To Scheduled Maintenance: wait for roll-ups and Service Packs, which come better qualified from the vendor | Testing and implementation of updates can be scheduled without undue change-control interruption
Protection: DDoS Mitigation
[Figure: a Riverhead Detector, Cisco IDS or NetFlow system watches traffic toward the target. On activation the Riverhead Guard issues a BGP announcement that pulls only the target's traffic through the Guard (attached to a Cat6k); traffic to the non-targeted servers keeps its normal path.]
1. Detect
2. Activate: automatic or manual
3. Divert only the target's traffic
4. Identify and filter the malicious traffic
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely
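Why step 3 diverts only the target's traffic: the Guard announces a host route (/32) for the attacked server, and longest-prefix match in the upstream routers sends just that host's packets to the Guard while the rest of the /24 is unaffected. The added example below simulates all six steps in one place; it is illustrative code, not Riverhead or Cisco software. The addresses, flow records and packet list are constructed, the detector is a simple per-destination packet-rate threshold, and the "scrubbing" is a per-source packet budget standing in for the Guard's real filtering.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, Optional, Set, Tuple

# Constructed addressing: the data-centre block, the attacked host, and an innocent neighbour.
DC_PREFIX = "192.0.2.0/24"
TARGET = "192.0.2.10"
OTHER_SERVER = "192.0.2.20"
DC_EDGE = "dc-edge"   # normal next hop toward the data centre
GUARD = "guard"       # next hop toward the scrubbing device


class Rib:
    """Minimal routing table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self.routes = {}  # ip_network -> next hop

    def announce(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def build_rib() -> Rib:
    """Steady state: the whole /24 is reached via the data-centre edge."""
    rib = Rib()
    rib.announce(DC_PREFIX, DC_EDGE)
    return rib


def detect(flows: Iterable[Tuple[str, str, int]], pps_threshold: int) -> Set[str]:
    """Step 1: flag destinations whose aggregate packet rate exceeds the threshold.
    flows are (src, dst, packets_per_second) records, as a NetFlow collector might export."""
    per_dst = Counter()
    for _src, dst, pps in flows:
        per_dst[dst] += pps
    return {dst for dst, pps in per_dst.items() if pps > pps_threshold}


def activate(rib: Rib, target: str, guard_next_hop: str) -> None:
    """Steps 2-3: inject a /32 for the target only. Longest-prefix match now diverts
    that host's traffic to the Guard while the rest of the /24 is untouched."""
    rib.announce(f"{target}/32", guard_next_hop)


def deactivate(rib: Rib, target: str) -> None:
    """Withdraw the diversion once the attack subsides."""
    rib.withdraw(f"{target}/32")


def scrub(packets: Iterable[Tuple[str, str]], per_source_limit: int) -> List[Tuple[str, str]]:
    """Steps 4-5: drop packets from any source that exceeds its budget, forward the rest.
    A stand-in for the Guard's filtering, not its real algorithm."""
    seen = Counter()
    legit = []
    for src, dst in packets:
        seen[src] += 1
        if seen[src] <= per_source_limit:
            legit.append((src, dst))
    return legit


# Constructed NetFlow-style records: two flooding sources and two normal clients.
FLOWS = [
    ("198.51.100.1", TARGET, 40000),
    ("198.51.100.2", TARGET, 35000),
    ("203.0.113.5", TARGET, 20),
    ("203.0.113.9", OTHER_SERVER, 300),
]

# Constructed packet sample arriving at the Guard after diversion.
ATTACK_PACKETS = [("198.51.100.1", TARGET)] * 5 + [("203.0.113.5", TARGET)] * 2


if __name__ == "__main__":
    rib = build_rib()
    for target in detect(FLOWS, pps_threshold=10000):
        activate(rib, target, GUARD)
    print("target ->", rib.lookup(TARGET), "| neighbour ->", rib.lookup(OTHER_SERVER))
    print("forwarded after scrubbing:", scrub(ATTACK_PACKETS, per_source_limit=3))
```

The lookup for OTHER_SERVER still returns the data-centre edge after activation, which is step 6 on the slide: non-targeted traffic never touches the Guard, so the scrubbing capacity is spent only on the host under attack.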
Control: Rogue Endpoints
NAC: Network Admission Control; CTA: Cisco Trust Agent; ACS: Access Control Server
[Figure: branch or campus endpoints running CTA connect through a NAC-enabled access device that consults the ACS before granting access to the corporate network; a quarantine area with remediation servers sits alongside.]
Non-compliant endpoint:
1. Non-compliant endpoint attempts connection
2. PC is denied access to the corporate network
3. Quarantine area and remediation
Compliant endpoint:
4. Compliant endpoint attempts connection
5. Security posture is verified
6. Connection allowed by security policy
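The admission decision behind steps 1-6, as an added example rather than Cisco's NAC, CTA or ACS code. It models what the agent reports, the policy the access-control server applies, and the enforcement profile handed to the access switch. The posture attributes, thresholds, VLAN numbers, remediation-server addresses and sample endpoints are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Posture:
    """Posture attributes a host agent (CTA on the slide) would report at admission time."""
    host: str
    agent_present: bool
    av_signature_date: Optional[date]
    patch_level: int
    firewall_enabled: bool


# Constructed admission policy (the kind of rule set the ACS would hold).
POLICY = {
    "max_av_signature_age_days": 7,
    "min_patch_level": 1012,
    "require_firewall": True,
}

# Constructed enforcement profiles pushed to the access switch.
CORPORATE = {"vlan": 10, "acl": ["permit ip any any"]}
QUARANTINE = {
    "vlan": 99,
    "acl": [
        "permit udp any host 10.99.0.53 eq 53",   # DNS for the remediation portal
        "permit tcp any host 10.99.0.10 eq 443",  # patch / AV update server
        "deny ip any any",                        # nothing else until remediated
    ],
}


def evaluate(posture: Posture, today: date, policy=POLICY) -> Tuple[str, List[str]]:
    """Step 5: return ("healthy" | "quarantine", reasons). Any failed check quarantines.
    A host with no agent cannot prove anything about itself, so it is quarantined too."""
    if not posture.agent_present:
        return "quarantine", ["no trust agent: posture cannot be verified"]
    reasons = []
    if posture.av_signature_date is None:
        reasons.append("antivirus not installed")
    else:
        age = (today - posture.av_signature_date).days
        if age > policy["max_av_signature_age_days"]:
            reasons.append(f"antivirus signatures {age} days old")
    if posture.patch_level < policy["min_patch_level"]:
        reasons.append(f"patch level {posture.patch_level} below {policy['min_patch_level']}")
    if policy["require_firewall"] and not posture.firewall_enabled:
        reasons.append("host firewall disabled")
    return ("healthy" if not reasons else "quarantine"), reasons


def enforce(decision: str) -> dict:
    """Steps 2-3 / 6: map the decision to the VLAN and ACL applied on the port."""
    return CORPORATE if decision == "healthy" else QUARANTINE


def admit(posture: Posture, today: date) -> dict:
    """Whole flow for one connection attempt (steps 1/4 through 3/6)."""
    decision, reasons = evaluate(posture, today)
    return {"host": posture.host, "decision": decision, "reasons": reasons, **enforce(decision)}


# Constructed sample endpoints.
TODAY = date(2004, 7, 15)
COMPLIANT = Posture("pc-finance-07", True, date(2004, 7, 12), 1015, True)
STALE = Posture("laptop-sales-03", True, date(2004, 6, 1), 1009, False)
AGENTLESS = Posture("printer-lobby", False, None, 0, False)


if __name__ == "__main__":
    for endpoint in (COMPLIANT, STALE, AGENTLESS):
        print(admit(endpoint, TODAY))
```

Two design points worth noting: every failed check is collected rather than stopping at the first, so the remediation portal can tell the user everything to fix in one pass, and the quarantine ACL is deny-by-default with only the remediation services opened, which is what keeps a worm-carrying laptop from reaching the corporate network while it updates.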
Cisco Integrated Security Portfolio
Management and Analysis: security management; security policy, security event monitoring and analysis; threat validation and investigation; embedded device management
Advanced Security Services, Complete Coverage: protecting desktops, servers and networks
Security Services: VPN / SSL, Firewall, IDS, Identity, Behavior
Flexible Deployment: security appliances, switches, routers, security software
Secure Infrastructure: device authentication, port-level security, secure and trusted devices, secure access, transport security
Self-Defending is Good for Business
System-level security solutions provide a foundation for increasing the immunity of the IT infrastructure to new breeds of threats.
End-to-end security ensures that privacy controls are solid and that businesses maintain control of their critical assets.
Long term, security will be fundamentally integrated into the Intelligent Network and Connected Business Processes.
"Anyone can build a stop sign or even a traffic light, but it takes a different mind-set entirely to conceive of a city-wide traffic control system."
Bruce Schneier, Beyond Fear

July 2004: Cisco announced the formation of a separate Technology Group to be headed by SVP Jayshree Ullal. This results in more focus on developing and delivering the SDN.