Bernard Trudel Cisco NASSCOM Security (1)

Slide 1/18

The Self-Defending Network: Distributing Security Throughout the Network

Bernie Trudel, Principal Consultant, Security, Cisco Asia Pacific

Slide 2/18

2004 Cisco Systems, Inc. All rights reserved.

The Network as a Strategic Asset

(Diagram) Customers, Partners, Suppliers, Employees; Improved Productivity, Reduced Operational Costs, Financial Performance; Corporate Enterprises, Small/Medium Businesses, Service Providers

Slide 3/18

Security Challenges: The Cost of Threats

(Chart) Dollar Amount of Loss By Type of Attack. Source: CSI/FBI 2003 Survey; 251 respondents

Top Threats:
1. Theft
2. DoS
3. Viruses/Worms
4. Insider Abuse

CY2003 Total: $201.7M (US), or $380k per respondent on average.

Slide 4/18

Security Issues for IT in India

Availability of the IT infrastructure:
- Distributed Denial of Service
- Worm Persistence and Propagation

Keeping Rogue Users out of the Network:
- Physical Port Access
- Logical Port Access

Privacy of Information:
- Internal Theft of Information
- Social Engineering: Phishing, Ad-ware, Trojans

Slide 5/18

Evolution of Security Requirements: A Collaborative Systems Approach

PAST                    NEEDED NOW
Reactive                Automated, Proactive
Standalone              Integrated, Multiple Layers
Product Level           System-level Services

Slide 6/18

Self Defending Networks

Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats.

SYSTEM LEVEL SOLUTIONS: Dynamically identify, prevent, and respond to threats (Endpoint + Network)

ADVANCED SECURITY TECHNOLOGIES: Endpoint Security, Application Firewall, SSL VPN, Network Anomaly

INTEGRATED SECURITY: Secure Connectivity, Threat Defense, Trust & Identity

Slide 7/18

Self-Defending against Wireless Intrusion

(Diagram) WLSE Cluster, RM agents, Switch-Based WDS, Rogue AP, RM-Agg, CiscoWorks WLSE 2.5, Policy Server

1. New RF is detected by WLAN endpoints
2. RM frames sent to Policy Server
3. Policy Server locates rogue AP and disables network switch port

Slide 8/18

The Three Pillars of Security

SECURE CONNECTIVITY SYSTEM (Privacy): Secure transport of applications across numerous network environments

TRUST & IDENTITY MANAGEMENT SYSTEM (Control): Contextual identity required for entitlement and trust

THREAT DEFENSE SYSTEM (Protection): Collaboration of security and network intelligence services to minimize impact of both known and unknown threats

Central Management and Analysis

Slide 9/18

Privacy: Network Confidentiality

(Diagram labels: Extranet, Voice)

Branch Offices: Extend the corporate network to branch offices in a cost-effective manner

Mobile User: Enhance productivity by providing anywhere, anytime access with IPSec or SSL

Teleworker: Provide multi-service access to SOHO users over secure broadband connections

Extranets: Improve communications and access with partners, suppliers and customers with IPSec or SSL

Campus: Enhance security by ensuring privacy of critical information across the data center and the entire campus

Wireless: Maintain security with new access technologies that enhance productivity

Management: Centralized control of all secure connections with one platform to configure, monitor and troubleshoot

Slide 10/18

Protection: Securing the Endpoint

Day Zero attacks
  Business Challenge: Rapidly propagating attacks evade signature recognition; reactive products (PFW, etc.) fail to address the problem
  New Method: To Zero-Update Protection
  Requirement: Stops new unknown attacks with no signature updates to manage

Point product challenges
  Business Challenge: Requires multiple agents and management paradigms
  New Method: To a Single Agent
  Requirement: Aggregates multiple security functionality in one agent; behavioral day-zero protection, firewalling and OS lockdown

Reactive Patching & Patch Management
  Business Challenge: Increasing number of vulnerabilities makes the task of patching systems an update race without end
  New Method: To Scheduled Maintenance
  Requirement: Wait for roll-ups and Service Packs, which come better qualified from the vendor; testing and implementation of updates can be scheduled without undue change control interruption

Slide 11/18

Protection: DDoS Mitigation

(Diagram) Riverhead Guard, BGP announcement, Target, Non-targeted servers, Cat6k; detection by Riverhead Detector, Cisco IDS, Netflow system

1. Detect
2. Activate: Auto/Manual
3. Divert only the target's traffic

Slide 12/18

Protection: DDoS Mitigation (contd)

(Diagram) Riverhead Guard, Target, Non-targeted servers, Cat6k; traffic destined to the target; legitimate traffic to target; detection by Riverhead Detector, Cisco IDS, Netflow system

4. Identify and filter the malicious traffic
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely

Slide 13/18

Control: Rogue endpoints

(Diagram) Branch or Campus, Campus, Corporate Net, Quarantine Area, Remediation, CTA, ACS, NAC

1. Non-compliant endpoint attempts connection
2. PC is denied access to the corporate Net
3. Quarantine area and remediation

NAC: Network Admission Control
CTA: Cisco Trust Agent
ACS: Access Control Server

Slide 14/18

Control: Rogue endpoints (contd)

(Diagram) Branch or Campus, Campus, Corporate Net, ACS, CTA, NAC

4. Compliant endpoint attempts connection
5. Security posture is verified
6. Connection allowed by security policy

NAC: Network Admission Control
CTA: Cisco Trust Agent
ACS: Access Control Server
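The six-step admission flow on the two "Control: Rogue endpoints" slides, modelled as an added example (not Cisco's NAC/CTA/ACS code, nor part of the presentation). The posture attributes, policy thresholds and VLAN names are assumptions chosen for illustration.

```python
# Added example: simplified model of the NAC admission decision described on
# slides 13 and 14. Posture fields, thresholds and VLAN names are assumptions.
from dataclasses import dataclass


@dataclass
class Posture:
    """Posture report the endpoint agent (CTA in the slides) sends for one host."""
    host: str
    av_signature_age_days: int      # days since the last antivirus signature update
    missing_critical_patches: int   # count of critical patches not yet applied
    personal_firewall_on: bool


@dataclass
class Policy:
    """Admission policy the policy server (ACS in the slides) enforces."""
    max_av_age_days: int = 7
    max_missing_patches: int = 0
    require_firewall: bool = True


def check_posture(p: Posture, pol: Policy) -> list:
    """Step 5: verify posture. Returns the failed checks; empty means compliant."""
    failures = []
    if p.av_signature_age_days > pol.max_av_age_days:
        failures.append(f"antivirus signatures {p.av_signature_age_days} days old")
    if p.missing_critical_patches > pol.max_missing_patches:
        failures.append(f"{p.missing_critical_patches} critical patches missing")
    if pol.require_firewall and not p.personal_firewall_on:
        failures.append("personal firewall disabled")
    return failures


def admit(p: Posture, pol: Policy) -> dict:
    """Steps 2-3 and 6: a non-compliant endpoint is denied the corporate network
    and placed in the quarantine VLAN with a remediation list; a compliant one
    is allowed by policy."""
    failures = check_posture(p, pol)
    if failures:
        return {"host": p.host, "decision": "quarantine",
                "vlan": "QUARANTINE", "remediation": failures}
    return {"host": p.host, "decision": "allow",
            "vlan": "CORPORATE", "remediation": []}


# Constructed sample endpoints: one non-compliant (slide 13), one compliant (slide 14).
NONCOMPLIANT = Posture("pc-branch-01", av_signature_age_days=30,
                       missing_critical_patches=2, personal_firewall_on=False)
COMPLIANT = Posture("pc-campus-07", av_signature_age_days=1,
                    missing_critical_patches=0, personal_firewall_on=True)

if __name__ == "__main__":
    for endpoint in (NONCOMPLIANT, COMPLIANT):
        print(admit(endpoint, Policy()))
```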

Slide 15/18

Cisco Integrated Security Portfolio

ADVANCED SECURITY SERVICES

MANAGEMENT AND ANALYSIS: Security management; security policy, security event monitoring and analysis; threat validation and investigation; embedded device management

COMPLETE COVERAGE: Protecting desktops, servers and networks

FLEXIBLE DEPLOYMENT: Security appliances, switches, routers, security software

SECURITY SERVICES: VPN/SSL, Firewall, IDS, Identity, Behavior

SECURE INFRASTRUCTURE: Device authentication, port level security, secure and trusted devices, secure access, transport security

Slide 16/18

Self-Defending is Good for Business

System-level security solutions provide a foundation for increasing the immunity of the IT infrastructure to new breeds of threats.

End-to-end security ensures that privacy controls are solid and that businesses maintain control of their critical assets.

Long term, security will be fundamentally integrated into the Intelligent Network and Connected Business Processes.

Slide 17/18

"Anyone can build a stop sign or even a traffic light, but it takes a different mind-set entirely to conceive of a city-wide traffic control system."
Bruce Schneier, Beyond Fear

July 2004: Cisco announced the formation of a separate Technology Group to be headed by SVP Jayshree Ullal. This results in more focus on developing and delivering the SDN.
