Security Solutions for Financial Institutions (Sigurnosna rješenja za financijske institucije)

Goran Peteh, Enterprise Systems Engineer, [email protected]

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Nexus 1000V

• Software based: industry's first 3rd-party vNetwork Distributed Switch for VMware vSphere
• Built on Cisco NX-OS
• Compatible with all switching platforms
• Policy-based VM connectivity
• Mobility of network and security properties
• Non-disruptive operational model

© 2009 Cisco Systems, Inc. All rights reserved.

VN-Link Brings VM Level Granularity

Problems:
• VMotion may move VMs across physical ports; policy must follow
• Impossible to view or apply policy to locally switched traffic
• Cannot correlate traffic on physical links from multiple VMs

VN-Link:
• Extends the network to the VM
• Consistent services
• Coordinated, coherent management

Cisco Nexus 1000V Architecture

(Figure: several vSphere hosts, each running a Nexus 1000V VEM with its VMs attached to the VEM.)

Nexus 1000V VSM and VEM

Virtual Supervisor Module (VSM):
• Virtual or physical appliance running Cisco NX-OS (supports HA)
• Performs management, monitoring, and configuration
• Tight integration with VMware vCenter

Virtual Ethernet Module (VEM):
• Enables advanced networking capability on the hypervisor
• Provides each VM with a dedicated "switch port"
• Collection of VEMs = 1 vNetwork Distributed Switch

Cisco Nexus 1000V installation:
• ESX and ESXi
• VUM and manual installation
• VEM is installed/upgraded like an ESX patch

Virtualizing the DMZ: Mapping the Roles and Responsibilities

• Separation of duties for virtualization, security, and network administrators
• Implement existing policies and procedures
• Identical tools to the physical network: minimize miscommunication

n1000v# show port-profile name WebServers
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10

Virtualize the DMZ

• Restrict production VM access to sensitive parts of the data center
• Segregate traffic to/from the web server
• Protect management traffic
• Protect servers

(Figure: an access control list on the Nexus 1000V between the VMkernel, FTP and WWW VMs.)

dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
dcvsm(config-acl)# permit ip any any

In NX-OS ACL syntax a port operator that follows the source address qualifies the source port, so the deny entry above matches TCP traffic sourced from port ftp on 10.10.10.10 rather than traffic destined to the FTP server; verify the direction of each entry and the interface it is applied to before relying on it for segregation.

Increase DMZ Visibility with ERSPAN

• ERSPAN allows VM traffic to be mirrored to a traffic analyzer
• Mirrored traffic can traverse a Layer 3 network
• Visibility through centralized L4-7 services (firewall, intrusion detection system)

PCI Compliance and Nexus 1000V

Monitor a High Density VM Deployment with the Nexus 1000V

• Select individual VM traffic to review
• Mirror traffic for further inspection using ERSPAN
• Analyze network traffic patterns and export them to a collector using NetFlow

Cisco Integrated Security Features Mitigate Network Attacks

• Rogue VM changes/adds a MAC address: Port Security
• Rogue VM changes/adds an IP address: IP Source Guard
• Rogue DHCP server: DHCP Snooping
• Rogue VM sends ARP to announce a VM location: Dynamic ARP Inspection

Loop Prevention without STP

(Figure: three Cisco VEMs hosting VM1 to VM12 with uplinks Eth4/1 and Eth4/2; the paths between uplinks that would form a loop are marked X.)

Port Profile Configuration

n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10

Supported commands include:
• Port management
• VLAN
• PVLAN
• Port-channel
• ACL
• NetFlow
• Port Security
• QoS

How Cisco NAC Works: The Goal

1. End user attempts to access the network
   • Initial access is blocked
   • Single sign-on or web login
2. NAC Server gathers and assesses user/device information
   • Username and password
   • Device configuration and vulnerabilities
3a. Noncompliant device or incorrect login
   • Access denied
   • Placed in quarantine for remediation
3b. Device is compliant
   • Placed on the "certified devices list"
   • Network access granted

(Figure: NAC Manager, NAC Server, Authentication Server, Quarantine Role, Intranet/Network.)

Device Profiling: Automate Inventory Collection

• Identify all endpoints
• Real-time monitoring and profiling

(Figure: NAC Manager, NAC Profiler, NAC Server, AAA Server / Windows AD.)

Cover All Use Cases

• Endpoint compliance: network access only for compliant devices
• Wireless compliance: secured network access only for compliant wireless devices
• Guest compliance: restricted Internet access only for guest users
• VPN user compliance: intranet access only for compliant remote access users
• Governance compliance: ensure user compliance with governance and risk acceptable use policies

(Figure: Campus Building 1, Wireless Building 2, Conference Room in Building 3, Internet/IPsec, 802.1Q.)

What is a WAF?

• WAF devices protect web applications from specific vulnerabilities that IDS/IPS/FW do not see.
• Web Application Firewalls intercept, inspect and deny/reject/allow Layer-7 traffic.
• WAF devices intercept all traffic bound for the web server.
• WAF devices are complex devices with sophisticated features: they have to be as complex as the web applications they protect.

(Figure: browser, WAF, web servers, application servers, database servers.)

Protecting the web

DDoS Protection: Cisco Anomaly Guard Module

Protected zones: Zone 1: Web; Zone 2: Name Servers; Zone 3: E-Commerce Application.

Dynamic Mitigation At Work:
1. Detect (Cisco Traffic Anomaly Detector Module, or Cisco IDS or a third-party system)
2. Activate: auto/manual
3. Divert only the target's traffic to the Cisco Anomaly Guard Module
4. Identify and filter malicious traffic
5. Forward legitimate traffic to the target
6. Non-targeted traffic flows freely

Security Operations/Reactions Today

Action steps:
1. Alert
2. Investigate
3. Mitigate

Always too late.

Security Knowledge Base

Sources: firewall, IDS/IPS, VPN, vulnerability scanners, authentication servers, router/switch, anti-virus (10K Windows hosts, 100s of UNIX hosts).

Process: collect the network diagram, read and analyze tons of data, repeat.

Security Threat Management (STM)

• Passive monitoring and active (real-time) monitoring
• Network intelligence
• Attack vector analysis
• Better performance
• Ability to mitigate or contain threats

Key Concept

• Events: raw messages sent to CS-MARS by the monitoring/reporting devices
• Sessions: events that are correlated by CS-MARS across NAT boundaries
• Incidents: identification of sessions to correlation rules

Analogy: "Mark was hired to break into buildings. He must assure security personnel are vigilant."
• 14 events (each word = 1 event)
• 2 sessions (each sentence = 1 session)
• 1 incident (the whole story)

Sessionization

(Figure: enterprise campus, enterprise edge and service provider edge topology, with CS-MARS, ACS and CSM in the management block and seven numbered observation points along the path.)

Example findings across the path: Joe Smith did lots of traffic at 9pm PST; unusual traffic based on baseline; high amount of IPsec packets; Joe Smith performed a buffer overflow.

Typical Incident

1. Host A: RECON-ICMP and port scans to target X ("Hi, they call me Joe")
2. Followed by: Host A buffer overflow attack to target X, where X is vulnerable to the attack
3. Followed by: target X executes a password attack on target Y

Dashboard Needs

2,694,083 events → 992,511 sessions → 249 incidents → 61 high severity incidents

Life of an Incident

1. Events come into the appliance from network devices
2. Events are parsed
3. Normalized
4. Sessionized / NAT correlation
5. Run against the rule engine (drop rule matched first; all rules are checked)
6. False-positive analysis
7. Vulnerability assessments against suspected hosts

Rules: Definition

Variables and operators allow context-sensitive correlation.

Rules: Matching (Incident Detail Page)

A match for the first line gives a value to the variables: $TARGET01 = 40.40.1.23, $TARGET02 = 192.168.1.10

Incident Details

• Detailed information for each session
• Reporting devices
• Raw messages for the session selected

Topology and Attack Vector

It is important to visualize the information, not just see the data: topology graph and attack diagram.

Rules: Path

Sessions can be graphically displayed with their sequence:
Step 1: 40.40.1.23 to 192.168.1.10 (1 session)
Step 2: 40.40.1.23 to 192.168.1.10 (1 session)
Step 3: 192.168.1.10 to 10.1.1.10 (3 sessions)

Rules: Attack Vector

Graphical representation of the attack vector time sequence:
1. Event: ICMP Ping Network Sweep
2. Event: Built/Teardown/Permitted IP Connection
3. Event: WWW IIS .ida Indexing Service Overflow

Rules: Mitigation

Two possible mitigation points on which we can act. Choose:
1. The mitigation device
2. The preferred command: block host, block connection, shun
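One way to implement the events → sessions → incident pipeline and the $-variable binding described in the Key Concept and Rules slides, as an added Python example that is not part of the presentation or of CS-MARS itself. The events, device names, addresses and the rule are constructed; the matcher backtracks so that a first sweep toward a host that is never exploited does not block the match.

```python
from collections import defaultdict

# Constructed raw events: (timestamp, reporting device, source, destination, event type).
# The first sweep goes to a host that is never exploited, to show why backtracking matters.
RAW_EVENTS = [
    ("2009-03-01 21:00:01", "ids-1", "40.40.1.23", "192.168.1.11", "ICMP Ping Network Sweep"),
    ("2009-03-01 21:00:02", "ids-1", "40.40.1.23", "192.168.1.10", "ICMP Ping Network Sweep"),
    ("2009-03-01 21:00:40", "fw-1", "40.40.1.23", "192.168.1.10", "Built/Teardown/Permitted IP Connection"),
    ("2009-03-01 21:00:41", "ids-1", "40.40.1.23", "192.168.1.10", "WWW IIS .ida Indexing Service Overflow"),
    ("2009-03-01 21:05:10", "ids-2", "192.168.1.10", "10.1.1.10", "Password Attack"),
]

# Constructed rule: (event type, source variable, destination variable) per step.
# Steps must occur in time order; a variable bound by an earlier step keeps its value.
RULE = [
    ("ICMP Ping Network Sweep", "$ATTACKER", "$TARGET01"),
    ("WWW IIS .ida Indexing Service Overflow", "$ATTACKER", "$TARGET01"),
    ("Password Attack", "$TARGET01", "$TARGET02"),
]

def sessionize(events):
    """Group raw events into sessions keyed by (source, destination), in time order."""
    sessions = defaultdict(list)
    for ts, device, src, dst, etype in sorted(events):
        sessions[(src, dst)].append({"time": ts, "device": device, "type": etype})
    return dict(sessions)

def match_rule(events, rule, bindings=None):
    """Backtracking matcher: bindings for a full ordered match of rule, else None."""
    bindings = bindings or {}
    if not rule:
        return bindings
    etype, src_var, dst_var = rule[0]
    for i, (_, _, src, dst, seen) in enumerate(events):
        # Event type must match, and an already bound variable must equal this host.
        if seen != etype or bindings.get(src_var, src) != src or bindings.get(dst_var, dst) != dst:
            continue
        found = match_rule(events[i + 1:], rule[1:], {**bindings, src_var: src, dst_var: dst})
        if found is not None:
            return found
    return None

def build_incident(events, rule):
    """Events -> sessions -> incident; None when the rule does not fire."""
    bindings = match_rule(sorted(events), rule)
    if bindings is None:
        return None
    hosts = set(bindings.values())  # only sessions between the bound hosts belong to the incident
    sessions = {k: v for k, v in sessionize(events).items() if set(k) <= hosts}
    return {"variables": bindings, "sessions": sessions, "events": sum(map(len, sessions.values()))}
```

The firewall's Built/Teardown event is carried into the incident as part of the attacker-to-target session even though no rule step names it, which is how the raw messages end up on the incident detail page.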

Addressing the Twelve Requirements of PCI DSS

PCI Data Security Standard requirements:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security requirements

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential C97_469267_c1

PCI Solution Mapping (✓ = applicable, n/a = not applicable)

PCI req.  ISR  ASA  CSA  MARS  WLAN  IPS  NAC  6500  IronPort  CSM  NCM  ACE XML  ACS
1         ✓    ✓    ✓    ✓     ✓     n/a  n/a  ✓     n/a       ✓    ✓    n/a      n/a
2         ✓    ✓    n/a  ✓     ✓     n/a  n/a  n/a   n/a       ✓    ✓    n/a      n/a
3         n/a  n/a  ✓    ✓     n/a   n/a  n/a  n/a   n/a       n/a  n/a  n/a      n/a
4         ✓    ✓    n/a  ✓     ✓     n/a  n/a  ✓     ✓         ✓    ✓    n/a      n/a
5         ✓    ✓    ✓    ✓     n/a   n/a  ✓    n/a   ✓         n/a  n/a  n/a      n/a
6         ✓    n/a  ✓    ✓     n/a   n/a  ✓    n/a   ✓         n/a  ✓    ✓        n/a
7         ✓    ✓    ✓    ✓     n/a   n/a  ✓    ✓     n/a       ✓    ✓    n/a      ✓
8         ✓    ✓    ✓    ✓     n/a   n/a  n/a  n/a   n/a       ✓    ✓    n/a      ✓
9         n/a  n/a  n/a  n/a   n/a   n/a  n/a  n/a   n/a       n/a  n/a  n/a      n/a
10        ✓    ✓    ✓    ✓     ✓     ✓    n/a  ✓     n/a       ✓    ✓    n/a      ✓
11        ✓    ✓    ✓    ✓     ✓     ✓    n/a  ✓     n/a       ✓    ✓    n/a      n/a
12        ✓    ✓    ✓    ✓     ✓     ✓    ✓    ✓     ✓         ✓    ✓    ✓        ✓

More Information

• Cisco Compliance information: http://www.cisco.com/go/compliance
• PCI Solution for Retail – DIG, Architectures: http://www.cisco.com/web/strategy/retail/pci.html
• PCI Security Standards Council: https://www.pcisecuritystandards.org/
• VISA Cardholder Information Security Program: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
• MasterCard Site Data Protection: https://sdp.mastercardintl.com/