Cybersecurity: TIO: Security Embedded in the Network
Cyber security Landscape
Cisco Embedded Capabilities
What can your network do?
Cisco’s Turn It On Campaign
• Developed to provide best practices to customers for Cyber Security features
• 3 part Whitepaper series (1st published December 2010)
• Focused on key security features that customers already have within IOS.
• Effective features to enhance Cyber Security posture.
Embedded IOS Security features:
A word about “Turning the feature ON”
• Deployment Methodology
• Performance considerations
• Test, Test, Test, deploy.
Netflow and Cyber security
• A distributed sensor in the network
• Anomaly, Discovery, Correlation
• Security Information and Event Management Systems (SIEMs)
• Incident "live" usage - top talkers on CLI
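An added example (not configuration from the Cisco whitepaper) of what "turning on" NetFlow looks like on a classic IOS router: flow collection on the WAN interface, v9 export to a SIEM collector, and the top-talkers cache for live use on the CLI. The collector address 192.0.2.50, port 2055 and the interface names are assumed placeholders.

```cisco
! Added example, not from the Turn It On whitepaper. Collector address,
! export port and interface names are assumed placeholders.
ip cef
!
interface GigabitEthernet0/0
 description WAN uplink (assumed)
 ip flow ingress
 ip flow egress
!
! Export v9 records to the SIEM collector so anomaly and correlation work
! happens off-box; source the export from a loopback so the exporter
! address stays stable across link flaps.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.50 2055
!
! Expire long-lived flows every minute so the collector sees them during
! an incident rather than only when the flow ends (default is 30 minutes).
ip flow-cache timeout active 1
!
! "Live" incident use on the CLI: keep the 20 busiest flows by packet count.
ip flow-top-talkers
 top 20
 sort-by packets
!
! During an incident, on the router itself:
!   show ip flow top-talkers
!   show ip cache flow
```

Expect a CPU and memory cost proportional to the number of concurrent flows, which is why the deck says to measure in the lab before deploying.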
Internet Protocol Service Level Agreement (IP-SLA) and Cyber security
• Validation of expected network performance
• Proper deployment, posturing, configuration, and placement of network related devices with respect to SLAs.
• Continuous validation of QoS policies throughout the network
• Embedded Event Manager (EEM)
Control Plane Processes (CoPP) and Cyber security
• Configured and Protected Command/Control channel for network infrastructure devices.
• Ensures access to devices to enforce security policies.
NBAR and Cybersecurity
• Classification engine that recognizes and classifies applications
• Guarantee bandwidth to critical applications
• Limit bandwidth
• P2P
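An added example (not from the whitepaper) showing the three NBAR uses listed above on an IOS router: protocol discovery to see the real traffic mix, a bandwidth guarantee for critical applications, and a class that drops P2P. Which applications count as critical, the WAN interface name and the percentage are assumptions.

```cisco
! Added example, not from the Turn It On whitepaper. The critical-app
! set, the WAN interface and the bandwidth share are assumed placeholders.
ip cef
!
! Critical applications that must keep working under load (assumed set).
class-map match-any CRITICAL-APPS
 match protocol citrix
 match protocol http
!
! P2P protocols recognised by the NBAR engine; blocked outright.
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
!
policy-map WAN-OUT
 class CRITICAL-APPS
  bandwidth percent 40
 class P2P
  drop
 class class-default
  fair-queue
!
interface Serial0/0/0
 description WAN link (assumed)
 ip nbar protocol-discovery
 service-policy output WAN-OUT
!
! Let protocol-discovery run for a while before writing the policy, so the
! class-maps reflect what really crosses the link:
!   show ip nbar protocol-discovery interface Serial0/0/0 top-n 10
```

Under a flood, the guaranteed share keeps the critical class flowing while the scheduler drops from class-default; the P2P class is dropped regardless of load.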
Next Steps:
• Testing methodology in the lab
• Cisco Services for deployment
CyberSecurity IOS Assessment & Enablement Engagement Activities
3 to 8 Days (on site) with a Cisco CyberSecurity Expert (Security Engineer level). Perform an Assessment reviewing the Cisco IOS security configurations. Recommendations and actions to enable one or more of the following:
• Trust: IP-Service Level Agreements (SLA) & Control Plane Processes (CoPP) – [QoS assurance and DDOS Prevention]
• Visibility: Prevent and Detect Incidents with Cisco Netflow features - [Anomaly and Correlation – visibility]
• Resilience: Response/Recover/Report with:
  • Network Based Application Recognition (NBAR) – [QoS assurance and DDOS Prevention]
  • Peer-To-Peer (P2P) Blocking – [blocks all P2P traffic with NBAR policy mapping]
Open discussion on other CyberSecurity customer challenges
[Figure: Cisco Router Security Portfolio, arranged by Performance and Services Density. Series shown: 800 Series, 1800 Series, 2800 Series, 3800 Series, 3200 Series. Deployment labels: Small Office and Teleworker; Small Branch; Medium Branch; Medium to Large Branch; Mobile/Rugged Branch (Rugged and Mobile Applications). Captions: Embedded Wireless, Security, and Data; High Density and Performance for Concurrent Services; Embedded, Advanced Voice, Video, Data, and Security Services; Service Integration Scaled to Fit Every Size Branch Office.]
Cisco Router Security: Industry First
Leadership in Innovation
Cisco Integrated Services Router Innovations in Security:
• Industry-leading integration of VPN, routing, and QoS: DMVPN, GET VPN, SSL VPN, and Easy VPN
• Router-embedded security services: Application firewall, IPS, and URL filtering
• Cisco® Router and Cisco Configuration Professional (CCP) with one-touch lockdown and security audit
• Router-integrated voice and security
• Router-integrated wireless with advanced security
• Router-integrated switching; Layer 2/3 security
• Secure WAN backup over DSL, cable, 3G, or satellite
[Figure: Only Cisco Router Security Delivers All This. Management and Instrumentation: CCP, NetFlow, IP SLA, Role-Based Access. Secure Network Solutions: Secure Voice, Compliance, Secure Mobility, Business Continuity. Integrated Threat Management: Network Admission Control, Intrusion Prevention, Content Filtering, 802.1x, Network Foundation Protection, Flexible Packet Matching, Advanced Firewall. Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN.]
Cisco’s Turn It On Campaign: feature summary (columns: Feature, Capability, Platform, Value to Cyber, WP = whitepaper part)

NetFlow
  Capability: Provides usage statistics of traffic flows traversing a given network device that can be used for analysis.
  Platform: Majority of IOS Routers and Switches as well as the ASA.
  Value to Cyber: Provides network telemetry that greatly increases your cybersecurity visibility.
  WP: 1

NBAR
  Capability: Cisco’s NBAR is a powerful classification engine that recognizes and classifies a wide variety of applications. NBAR ensures performance for mission-critical applications by intelligently classifying applications, providing absolute priority and a guaranteed amount of bandwidth. In addition, NBAR limits the bandwidth consumed by less critical applications.
  Platform: IOS Routing & Switching Platforms
  Value to Cyber: In a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack someone is trying to overwhelm your network capacity, which in effect prevents your mission-critical applications from functioning. By turning on NBAR, an attack is mitigated because critical applications have priority over the traffic generated by the attack. Critical applications continue to send traffic, while NBAR drops selective packets to avoid congestion. This limits the amount of traffic your network will dedicate to the attacker’s request for data. By setting up NBAR you further mitigate the ability of a DoS/DDoS attack to be successful on Day 0.
  WP: 1

CoPP
  Capability: The Control Plane Policing feature allows you to configure a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches.
  Platform: IOS Routing & Switching Platforms
  Value to Cyber: CoPP protects against reconnaissance and Denial-of-Service (DoS) attacks. By turning on this feature, you can maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
  WP: 1

IP-SLA/QoS
  Capability: IP SLA can be used as a verification toolset to ensure proper deployment, posturing, configuration, and placement of network related devices with respect to SLAs.
  Platform: Majority of IOS Routers and Switches as well as the ASA.
  Value to Cyber: IP SLA provides the capability to continually verify reachability and performance level of a mission critical application during a cyber security DDoS attack.
  WP: 1

OER: Application Aware Routing: PBR
  Capability: The OER Application-Aware Routing: PBR feature introduces the capability to optimize traffic based on portions of an IP packet other than the destination address.
  Platform: IOS Routing & Switching Platforms
  Value to Cyber: The OER Application-Aware Routing: PBR feature allows the user to route application traffic based on information other than the destination IP address. This allows the administrator to ensure that mission critical applications remain available during a network attack.
  WP: 3

IOS FW Feature Set: Router Initiated traffic
  Capability: This feature allows any traffic initiated by the router to be included in the IOS FW state table, so ACLs are no longer needed for this type of traffic.
  Platform: IOS Routing Platforms
  Value to Cyber: This allows simplification of router ACL configurations, since baseline traffic such as NTP is not inspected via the FW Feature set.
  WP: 3

Layer 2 Security
  Capability: Various features that protect the network infrastructure from Layer 2 attacks against services such as ARP, DHCP, and VLANs.
  Platform: IOS Switching Platforms
  Value to Cyber: These features protect network assets as well as protect the network from DoS and man-in-the-middle attacks.
  WP: 2
Cisco Router Security Certifications (cisco.com/go/securitycert)
Columns: FIPS 140-2, Level 2; Common Criteria IPSec (EAL4); Common Criteria Firewall (EAL4)
Platforms listed:
• Cisco® 870 ISR
• Cisco 1800 ISR
• Cisco 2800 ISR
• Cisco 3800 ISR
• Cisco 7200 VAM2+
• Cisco 7200 VSA ---
• Cisco 7301 VAM2+
• Cisco 7600 IPSec VPN SPA ---
• Catalyst 6500 IPSec VPN SPA ---
• Cisco 7600
Integrated Threat Control Overview
[Figure: Branch Office, Small Office and Telecommuter, and Corporate Office connected over the Internet and WAN; threats shown: Illegal Surfing, Hacker, Worms Choking WAN.]
• Access branch office has secure Internet access and no need for additional devices
• Solution controls worms, viruses, and spyware right at the remote site; conserves WAN bandwidth
• Solution protects the router itself from hacking and DoS attacks
Malware Prevention
• Integrated IPS for distributed defense and rapid response
• Control of wired and wireless user access and noncompliant devices
Content Security
• Advanced Layer 3–7 firewall
• P2P and IM control
• Reputation based content filtering
Router Protection
• Automated router lockdown
• Router availability during DoS
Industry-Certified Security Embedded Within the Network