
Cisco IP Solution Center Scalable Security Management


Page 1: Cisco IP Solution Center Scalable Security Management

© 2002, Cisco Systems, Inc. All rights reserved.

Cisco IP Solution Center: Scalable Security Management

Page 2: Cisco IP Solution Center Scalable Security Management

Challenges Managing Scalable Security Deployments

Page 3: Cisco IP Solution Center Scalable Security Management

Security Management Scope in the 90's: Network Silos & Point Protection Security Solution

[Diagram: 1990s network silos. Departments (Finance/ERP, Manufacturing/MRP, HR/HR apps) run individual applications created and used by individual departments; partners and customers are reached mostly by phone/fax; headquarters connects to remote offices over leased line, ISDN and PSTN. Point protection consists of per-host anti-virus applications, NAT protection and intrusion detection.]

Page 4: Cisco IP Solution Center Scalable Security Management

Security Management Scope Today: Connected Networks & Complex Security Technologies

[Diagram: connected networks today. Departmental applications (Finance/ERP, MRP, HR apps, Sales Automation) are available throughout the network; customers, partners and teleworkers are reached mostly by Web/Extranet; headquarters, each remote office and each teleworker connection now require their own VPN, firewall and IDS.]

Page 5: Cisco IP Solution Center Scalable Security Management

Complex Security Policy Management

• Centralized definition of network-wide security policies
• Integrated management of VPN, FW, NAT and QoS policies
• Global modification of security policies
• Real-time policy audit
• Ongoing policy monitoring and alerting

[Diagram: high-level security policies are translated into a VPN encryption policy and firewall policy rules (shown as truncated "access-list outside ..." entries on the device), with real-time security rules verification and dynamic access point policy management.]

Page 6: Cisco IP Solution Center Scalable Security Management

Scalable And Cost Efficient Deployment

• Management of hundreds of thousands of security access points
• Mass deployment of security policies
• Moves of devices, addition of new devices
• Simultaneous multiple client access

• Front End Scalability
• Back End Scalability

Page 7: Cisco IP Solution Center Scalable Security Management

Role Based Access Control

• Different service views into the same network
• Different administration roles with different access privileges
• Support of multiple partitioning, multiple groups and end users
• Physical/logical inventory, internal/external access management

[Diagram: roles sharing one network: Technical Support, Design Team, Deployment Force, Sales Force, Internal Users, Distributors, Suppliers, Partners, External Customers, Telecommuters.]

Page 8: Cisco IP Solution Center Scalable Security Management

Cisco Scalable Security Management Solution

Cisco IP Solution Center Security Management

Page 9: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Integrated IP Service Life Cycle Management

Page 10: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center (ISC) Security Management Solution

Security Policy Definition: ISC:SM provides a policy-based security service design tool that lets users efficiently design security policies for Firewall, NAT, IDS or IPsec VPN services.

Configuration & Provisioning: ISC:SM analyzes the current network configuration, dynamically generates the security device configurations and manages the large-scale security deployment.

Security Policy Audit: ISC:SM delivers high-volume security policy auditing capability to ensure policy integrity.

Security Alarm: ISC:SM provides a comprehensive security soft-alarm management feature, along with partners' security alarm management capability.

Vulnerability Assessment: ISC:SM enables customers to proactively secure their IT infrastructure through our VA partners' automated real-time security risk analysis tool.

Reporting: ISC Security Management provides a tunnel report and a VPN testing report, along with SIM partners' security event analysis report.

[Diagram: ISC: MSS at the centre, linked to the six areas above: Security Policy Definition, Configuration & Provisioning, Vulnerability Assessment, Security Policy Audit, Security Alarm, Reporting.]

Page 11: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Integrated System Design

• Centralized system resource management
• Integrated resource pool
• Inventory management
• Topology tool
• Device view
• Device group
• Internal/external customer
• Provider view
• Logical partitioning
• Workflow control
• Monitoring
• Scheduling
• Open interface

Page 12: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Role Based Access Control Model

[Diagram: Technical Support, Design Team, Distributors, External Customers, Internal Users and Sales Force each access IP Solution Center under their own role.]

Page 13: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Scalable System Architecture

[Diagram: four-tier architecture (Client Tier, Interface Tier, Control Tier, Distribution Tier). Components shown: Web browser ((X)HTML, XML, XSLT, applet) and client application; Web server (Servlet, JSP), Orbix 2000 OR, XML/SOAP, TIBCO event bus, Repository API (JDBC); Scheduler, Master Watchdog, RBAC user access control & logging, Task Manager; Device Repository, Service Model Repository, Collection Repository, Task Repository on a relational database; Collection Server (collection tasks, Telnet gateway server, data aggregator, watchdog, data storage manager, web server); Processing Server (provisioning/auditing tasks, template engine, other tasks, watchdog, task log, web server); CNS SPE policy store.]

• Scalable Front End
• Scalable Back End

Page 14: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Security Management Overview

[Diagram: a policy-based security management framework over a technology abstraction layer. Data stores: Device Inventory, Customer Inventory, Logical Network Topology, Service Data Store, Service Relationship, RBAC Data Store. Services: Site-to-Site VPN, Remote Access VPN, EZVPN, DMVPN, Firewall, NAT, IDS (IOS), Network-Based IPsec. Device drivers: IOS, VPN3k, PIX.]

• Technology abstraction allows for multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
• New device support requires only development of a new device adapter
• Cross-linked models in a single store allow for integration of technologies
• Open XML/HTTP interfaces allow for security ISV partner integration
• CNS Config Engine allows for zero-touch security management

ISC Security Management: integrated VPN, FW, IDS (IOS) and NAT management.

Page 15: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Integrated VPN Management

Site-to-Site VPN (EZVPN, DMVPN, Network-Based IPsec):
• VPN topologies: hub-and-spoke, full mesh, and partial mesh
• Automatic generation of unique pre-shared keys
• Templates for certificate enrollment
• Provisioning routing protocols over GRE tunnels: OSPF, EIGRP, RIP

Remote Access VPN

VPN Reporting and Monitoring:
• VPN connectivity test report
• VPN policy audit report
• VPN SLA report via SAA
• CNM views

Page 16: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Firewall Management

• Policy-based firewall management
• Common firewall policy for multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
• Hierarchical policies
• High-level policy rules: support for both filter rules and inspect rules; URL filtering; authentication proxy for http, https, ftp, telnet
• Inheritance in the device containment hierarchy
• CNM views for customer policy
• Can be used as an independent service or in conjunction with another service such as IPsec VPN, QoS, MPLS VPN, etc.

Page 17: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Quality of Service Control

• Policy associated with QoS service classes
• Implemented using MQC & non-MQC commands (rate limiting)
• All classes contained in the DiffServ architecture are supported (DSCP: 64 classes, IP Precedence: 8 classes)
• Default policy shall support 3 classes: VoIP, Business-Data and Best-Effort
• Link-level QoS policy

Page 18: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center Enabled Network-Based IPsec: A Solution To The N Square Limitation

[Diagram: a one- or two-box network-based IPsec solution. Branch offices, SOHO sites and remote users/telecommuters reach the provider network over cable/DSL/ISDN or local/direct-dial ISPs; IPsec sessions terminate on Cisco IOS routers at the provider edge (PE), and traffic continues over an IP, MPLS or Layer 2 based VPN across the SP shared network (MPLS/Layer 2 based network) to the corporate intranet. Customers A, B and C (head office and branch offices) each map to their own VPN A, B or C.]

Cisco IP Solution Center SM Hybrid VPN: IPsec To MPLS

[Diagram: Cisco IOS VPN routers or Cisco Client 3.x at the Customer A branch office connect over IPsec to PE routers, which carry the traffic into the MPLS VPN.]

Page 19: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: NAT Management Tool

• Support for multi-type (i.e. IOS, PIX, VPN3K) Cisco devices
• Support for static translation: network based, host based or port based
• Support for dynamic translation: standard or PAT
• Support for overlapping address space
• Can be used as an independent utility or in conjunction with another technology such as IPsec VPN

Other Integrated Security Management Tools

Cisco IP Solution Center: CERT Management Tool

• Templates for certificate enrollment on one or more routers
• Verify presence of the root cert and device cert for a given trust point's cert chain
• Verify re-enrollment of certificates according to the auto-enroll percentage parameter
• Summary report indicating cert enrollment status or expiration status on the desired VPN routers
• Routine verification or certificate update
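The CERT tool bullets above describe an audit, not an implementation; the following is an added illustration (not ISC code) of the checks it lists: chain completeness, expiry, and whether re-enrollment has happened once the auto-enroll percentage of the certificate lifetime has elapsed. The inventory records, device names and the threshold rule (re-enroll at pct% of lifetime, as on IOS trustpoints) are assumptions for the example.

```python
from datetime import datetime

# Constructed sample inventory (placeholder values, not from any real network).
# Each record holds what a CERT audit would read back from a router trustpoint:
# presence of the root (CA) cert and the device cert, the device cert's validity
# window, and the trustpoint's auto-enroll percentage.
INVENTORY = [
    {"device": "vpn-rtr-1", "trustpoint": "TP-CORP", "root_cert": True, "device_cert": True,
     "not_before": "2002-06-01", "not_after": "2003-06-01", "auto_enroll_pct": 70},
    {"device": "vpn-rtr-2", "trustpoint": "TP-CORP", "root_cert": True, "device_cert": True,
     "not_before": "2002-01-01", "not_after": "2003-01-01", "auto_enroll_pct": 70},
    {"device": "vpn-rtr-3", "trustpoint": "TP-CORP", "root_cert": True, "device_cert": True,
     "not_before": "2001-09-30", "not_after": "2002-09-30", "auto_enroll_pct": 80},
    {"device": "vpn-rtr-4", "trustpoint": "TP-CORP", "root_cert": False, "device_cert": True,
     "not_before": "2002-06-01", "not_after": "2003-06-01", "auto_enroll_pct": 70},
]


def renewal_due(not_before_iso: str, not_after_iso: str, pct: int) -> datetime:
    """Point in the lifetime at which auto-enroll should have re-enrolled the cert."""
    not_before = datetime.fromisoformat(not_before_iso)
    not_after = datetime.fromisoformat(not_after_iso)
    return not_before + (not_after - not_before) * (pct / 100)


def audit_trustpoint(tp: dict, now: datetime) -> str:
    """Classify one trustpoint: chain completeness first, then lifetime checks."""
    if not tp["root_cert"]:
        return "MISSING_ROOT_CERT"   # chain cannot be validated without the CA cert
    if not tp["device_cert"]:
        return "NOT_ENROLLED"        # trustpoint configured but no device cert yet
    if now >= datetime.fromisoformat(tp["not_after"]):
        return "EXPIRED"             # IPsec peers will reject this certificate
    if now >= renewal_due(tp["not_before"], tp["not_after"], tp["auto_enroll_pct"]):
        return "RENEWAL_OVERDUE"     # threshold passed but the old cert is still in place
    return "OK"


def summary_report(inventory: list, now_iso: str) -> dict:
    """Map (device, trustpoint) -> status: the per-router summary the tool reports."""
    now = datetime.fromisoformat(now_iso)
    return {(tp["device"], tp["trustpoint"]): audit_trustpoint(tp, now) for tp in inventory}


if __name__ == "__main__":
    for (device, trustpoint), status in summary_report(INVENTORY, "2002-10-15").items():
        print(f"{device:10s} {trustpoint:8s} {status}")
```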

Page 20: Cisco IP Solution Center Scalable Security Management

Self Managed Large Scale Security Deployment: Truck Roll Saving, Plug & Play

[Diagram: IP Solution Center + Cisco CNS at HQ, reaching Branch 1, Branch 2 ... Branch n over the Internet; each branch router runs Cisco CNS.]

1. Cisco ships the router directly to the customer end site with a bootstrap configuration.
2. Define the security policy.
3. Upon connectivity, the device sends an event to IP Solution Center via Cisco CNS.
4. IP Solution Center dynamically configures the security device.
5. Each device informs ISC of successful deployment; the complex security policy is deployed.
6. Periodic security policy audit.

Page 21: Cisco IP Solution Center Scalable Security Management

Self Managed Large Scale Security Deployment: TCO Analysis of the Cisco IP Solution Center Solution

[Chart: IP security TCO split into Equipment/Network 60% and Operations (OSS & Staff) 40%; with Cisco ISC the Operations (OPEX) share shrinks.]

IP Security TCO

• Multi-disciplined expertise required (VPN, Firewall, NAT, QoS, ...)
• Heavy applications duplicate effort and investment
• Can't hire and train enough people to manage the deployment of and changes to security policies

Cisco ISC: Reduced Operations TCO

• ISC manages the complexity of security technologies
• Efficient security policy audit to guarantee security integrity
• Self-managed zero-touch deployment environment

Page 22: Cisco IP Solution Center Scalable Security Management

Cisco IP Solution Center: Summary

• Single application for VPN, Firewall, NAT, QoS and IDS (IOS) on heterogeneous platforms
• Integrated policy-based management
• Scalable 4-tier architecture
• Industry-leading VPN feature set support
• L2, L3 and VPN topology views
• Intelligent provisioning and auditing engine
• Open interfaces

Page 23: Cisco IP Solution Center Scalable Security Management
