Date posted: 05-Jul-2018
8/15/2019 Managed Security.pdf
http://slidepdf.com/reader/full/managed-securitypdf 1/98
© 2001, Cisco Systems, Inc. All rights reserved.
Managed Security Services from Service Providers
Georgina Schaefer
Agenda
• The Managed Security Services market
• Managed firewall services
• Managed intrusion detection services
• Managed VPN services
• Management
• Cisco initiatives
MSS Market Perception
• General interest and demand for managed services: WAN, Hosting, ASP, Voice, …
  – SPs can offer 24x7x365 monitoring
  – Economies of scale
• Main growth for MSS amongst the SME segment
  – Lack of both financial and technical resources
• Increases in the frequency, severity and complexity of security attacks
• Senior management realise the damage potential of attacks
  – Willingness to invest more in security
  – Concerned about time to market
MSS Market Restraints
• Customers
  – Enterprises are unwilling to lose control of their networks
  – Unproven reputation of MSSPs
  – Large number of SP bankruptcies
  – Lack of perceived need for extensive security
• Service Providers
  – Difficult to demonstrate quantifiable ROI
  – Difficult to provide an SLA
Where are the Enterprises today?
• If implemented, security is a preventive measure: Firewall, Authentication, Encryption, …
• Prevention is not enough - need detection and response
  – Time and resource consuming
• Lack of implementation usually due to complexity, the quantity of information to be processed and lack of education
• Enterprises are generally looking for partial or total outsourcing of security services
  – SMEs look for fully outsourced, simple and cheap services
  – Larger corporates look for partially managed high-level security services – want to keep control!
Where are the SPs today?
• Most European SPs already provide basic security offerings such as managed firewalls and user authentication
• Managed security has become a catch-all expression
  – e.g. VPN (L2, L3, MPLS, IPSec, …)
• More comprehensive security packages are becoming increasingly important for SP differentiation
  – MSS can involve installation and configuration but also upgrading and on-going reconfiguration work
  – An additional service can be day-to-day monitoring and response
• SPs are familiar with SLAs but security SLAs are only just being introduced
Who are the MSSPs?
• Not only the service providers (Telcos, ISPs, ASPs) but also
  – Systems Integrators
  – Pure MSSPs
  – Security Vendors
• Services delivered via 1-tier or 2-tier model
• Greatest market acceptance seems to be through established SPs
  – e.g. Deutsche Telekom, Cable & Wireless/Exodus, Energis,
MSS Offerings
• Access Security
  – Managed Firewall
  – Remote Access
• Data Transport Security
  – IP VPNs
  – Anti-Virus and content control
  – Intrusion Detection/Prevention
  – Public Key Infrastructure
• Service Management
  – Service Level Agreements
• Security Consultancy
  – Consulting
  – Business Continuity
Managed Firewall
• Most basic service and network security measure
• Management and monitoring services vary considerably
  – Installation and configuration (based on policy given by customer)
  – Status and performance monitoring
  – Real-time analysis
  – Incident response procedures
  – Periodic reports
Enterprise threats (diagram)
• DMZ network: no outgoing connections; provides a safe "meeting ground" for internal and external users
• Internal Network: may contain private information or critical services
• External Network: may be home to attackers
• Servers shown: DNS (private), Mail servers (private), Web content (public)
• Example addresses in the diagram: 192.168.27.1, 192.168.27.3, 192.168.27.129, 192.168.27.131
PIX Firewall: Key Applications (diagram)
• Deployment points shown: Internet, Corp HQ, Server Farm, Service Provider, Branch/Retail, Small Division, Small business/Small Satellite Office, Telecommuter/Day Extender, Regional Office
• Platforms shown: PIX 501, PIX 506, PIX 515, PIX 525, PIX 535
• Same OS regardless of platform; common features and management
PIX Firewall Product Line Overview
Model     Market      MSRP           Licensed Users  Max VPN Peers  Cleartext (Mbps)  3DES (Mbps)
501       SOHO        $595 or $1195  10 or 50        5              10                3
506E      ROBO        $1,695         Unlimited       25             20                16
515E-UR   SMB         $7,995         Unlimited       2,000*         188               63*
525-UR    Enterprise  $18,495        Unlimited       2,000*         360               70*
535-UR    Ent. + SP   $59,000        Unlimited       2,000*         1.7 Gbps          95*
GigE Enabled: 525-UR, 535-UR
* Using an integrated VPN Accelerator Card (VAC)
Cisco Web Hosting Data Center Design (diagram)
• Layers: WAN Edge Layer, Core Layer, Distribution/Aggregation Layer, Security Layer, Access Layer
• SP network connected via GSRs and a Geographic Content Switch
• Switching: Catalyst 6500 (core/distribution), Catalyst 2900, Catalyst 3500, Catalyst 4000, Catalyst 5500 (access)
• Content: content switches CSS-11800 & CSS-11150, Cat6K, Cache / Content Engine
• Security Layer: PIX Firewalls (Shared), PIX Firewalls (Dedicated), IDS Sensor
• Web Server Farm: Shared Servers, Dedicated Servers for Cust. A, Cust. B, Cust. C
• Unmanaged Customer Cages for Collocation services
Data Center Threats
• Illegal access to servers
• Illegal access to network devices
• Denial of Service (DoS) attacks on customer servers
Data Center Firewalling
• Shared firewalls
  – Enforce general policies which apply to ALL customers/servers, e.g. may prevent outgoing connections, "spurious" protocols
  – Limit access to network devices
  – Policies modified once attacks have been detected and traced
  – Work in addition to router ACLs
• Dedicated firewalls
  – Policies are specific to the customers and/or servers
  – ACLs may limit the effect of an attack on one set of servers – does not affect ALL customers
• Firewalls not typically used to detect/trace attacks
• Once attacks are known, firewalls can apply ACLs
New Hardware: Cat6500 Firewall Services Module
• PIX 6.0 base feature set + some features of 6.2
• High performance firewall, targeted OC48 or 2.5 Gbps
• 1 million concurrent connections
• 3 million pps
• 100K new connections/sec for HTTP, DNS
• 100 VLANs
• Supports 128K rule set
• LAN failover active/standby (both intra/inter chassis)
• Dynamic routing, i.e. RIP, OSPF
• Supports multiple blades in the chassis
• Supports multiple IN/OUT and DMZs
• IPSec for management only
• No IDS signatures
• Supported on Native IOS only
• Virtual firewalls (future release)
Fabric Enabled. Industry's leading firewall performance! Available now.
Virtual Firewall Application (diagram)
• Topology: Head Office and Branch Offices (A, B) connected over an MPLS-VPN, with the Internet reached through a firewall
• Head Office firewall: Head Office advertises a default route to the VPN and forces all traffic through the firewall
• Virtual Firewall: the VRF advertises the default to the VPN
Shared Services Model (diagram)
• VPN A: CE VPN-A in Paris, CE VPN-A in London
• VPN B: CE VPN-B in Bruxelles, CE VPN-B in Amsterdam
• Shared services reachable from both VPNs: ERP, H.323 Gatekeeper, Video Server, Hosted Content, Internet Gateway
Business drivers
• MPLS VPN Global Services
  – Enables a Service Provider to offer a set of 'Shared Services' to their customers across VPNs
• By enabling Shared Services, a Service Provider will
  – Differentiate SP from competition
  – Increase services portfolio
• Issue today:
  – Overlapping private addresses
Network Address Translation today
• NAT occurs
  – after routing, from inside-to-outside
  – before routing, from outside-to-inside
• NAT intercepts all traffic against the configured NAT translations
• An interface can be configured as being Inside or Outside
NAT and MPLS VPN Integration
• Maintains support for all existing applications & protocols in an MPLS VPN environment
• NAT can be configured on 1 or more PEs
  – providing NAT redundancy
  – the 'Shared service' does not need to be physically connected to the PE device performing NAT
• An interface is still either "inside" or "outside"
• An "outside" interface can be part of a VRF or a regular "generic" interface
• NAT will inspect all traffic routed VRF-to-VRF or VRF-to-Global
Intrusion Detection/Prevention
• 80% of recent attacks have been performed over port 80
• In-depth examination of traffic is required to identify attacks within legal traffic on both the network and the critical hosts
• IDS services require powerful and complex management (updates, tuning), monitoring and response procedures
• Needs 24x7 service operation - requires an automated system
Denial of Service (DoS): The Mechanisms Used
1. Cracking:
   Manually, through viruses, worms (Code Red, Nimda, …), always exploiting host vulnerabilities
2. Signalling:
   e.g. ICMP, management protocols
3. Flooding:
   TCP SYN flood, UDP, ICMP, other IP protocols, …
   Attacking a Line: big packets (bandwidth!)
   Attacking a Host/Router: small packets (pps!)
Detecting DoS Attacks
• Customer call
• SNMP: line/CPU overload, drops
• Netflow: counting flows
• Access Lists with logging
• Sniffers
• Dedicated detection devices …
Tracing DoS Attacks
• Non-spoofed: Technically trivial (IRR)
  – But: Potentially tracing 100's of sources…
• Spoofed:
  – Netflow (recommended): Trivial if mechanisms are installed; manually: router by router; no additional impact on network
  – Access lists (logging): Has performance impact on most platforms; mostly manual: router by router
Router Security Features
• Detect DoS Attacks: SNMP, Netflow, ACLs
• Trace back packet floods: Netflow, ACLs (logging),
• Shun a source: Unicast RPF, ACLs
• Shun a destination: Null-routing, ACLs
• Limit attacking traffic: CAR, Scheduler Allocate
• And update all routers via BGP
ACLs with log and log-input
ACLs with log:
  router_B(config)#access-list 101 permit ip any any log
  router_B#
  14:30:34: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 178.12.60.96(0) -> 192.168.1.1(0), 1 packet
  14:30:35: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 116.25.206.120(0) -> 192.168.1.1(0), 1 packet
  14:30:36: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 108.98.96.64(0) -> 192.168.1.1(0), 1 packet
ACLs with log-input (adds the input i/f and the MAC address of the upstream router):
  router_B(config)#access-list 101 permit ip any any log-input
  router_B#
  14:17:19: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 67.90.141.3(0) (Serial0/0 *HDLC*) -> 192.168.1.1(0), 1 packet
  14:17:21: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 105.12.73.84(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
  14:17:22: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 166.159.237.65(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
Careful! CPU impact!!
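The two preceding slides describe detecting a flood and tracing it router by router from ACL logs; the log-input lines above carry exactly the two fields that trace-back needs (ingress interface and upstream MAC). The following is an added Python example, not part of the Cisco deck: it parses %SEC-6-IPACCESSLOGP lines, aggregates packet counts per source and per ingress (interface, MAC), and picks the ingress carrying most of the traffic as the next upstream hop to check. The sample log is constructed from the slide's example lines (one extra line with a larger packet count is added), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample syslog, modelled on the %SEC-6-IPACCESSLOGP lines on the
# slide: log-input lines carry ingress interface and MAC, a plain "log" line
# does not. Addresses are the slide's example values, not real hosts.
SAMPLE_LOG = """\
14:17:19: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 67.90.141.3(0) (Serial0/0 *HDLC*) -> 192.168.1.1(0), 1 packet
14:17:21: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 105.12.73.84(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
14:17:22: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 166.159.237.65(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
14:17:22: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 105.12.73.84(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 4 packets
14:30:34: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 178.12.60.96(0) -> 192.168.1.1(0), 1 packet
"""

# The "(iface mac)" group is optional: it is only present for log-input.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>\S+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Parse one IPACCESSLOGP line into a dict; return None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarise(log_text, victim=None):
    """Aggregate packet counts per source address and per ingress (interface, MAC).

    If victim is given, only lines addressed to that destination are counted,
    which is how you isolate one attacked host on a busy router."""
    by_source, by_ingress = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (victim and rec["dst"] != victim):
            continue
        by_source[rec["src"]] += rec["count"]
        by_ingress[(rec["iface"], rec["mac"])] += rec["count"]
    return {"by_source": by_source, "by_ingress": by_ingress}


def upstream_hop(summary):
    """Return the (interface, MAC) carrying most of the flood: the next router to look at.

    Plain "log" entries have no ingress data (None, None) and cannot guide the
    trace, so they are ignored here; spoofed sources make by_source useless
    for trace-back, which is why the ingress view matters."""
    known = {k: v for k, v in summary["by_ingress"].items() if k[0] is not None}
    if not known:
        return None
    return max(known.items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG, victim="192.168.1.1")
    for src, n in s["by_source"].most_common():
        print(f"{src:<16} {n} packets")
    print("next hop to check:", upstream_hop(s))
```

Run against a real syslog export the same way (feed the file contents to summarise); the slide's warning still applies, since generating these lines costs router CPU, so enable log-input only for the duration of a trace.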
Strict uRPF Check (Unicast Reverse Path Forwarding)
• The router looks up the packet's source address S in the FIB
• FIB says S -> the same i/f the packet arrived on: forward
• FIB says S -> another i/f: drop
Configuration: router(config-if)# ip verify unicast reverse-path
Loose uRPF Check (Unicast Reverse Path Forwarding)
• The router looks up the packet's source address S in the FIB
• S reachable via any i/f: forward
• S not in FIB, or route -> null0: drop
Configuration: router(config-if)# ip verify unicast source reachable-via any
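The strict and loose checks from the two slides above, as an added Python model (this is not Cisco code; the FIB, interface names and addresses are constructed for the example). It uses a longest-prefix FIB lookup, the way a router does, so the difference between the two modes shows up on the case practitioners most often hit: a source that is legitimately routed but arrives on a different interface (asymmetric routing) passes loose mode and fails strict mode, while a source with no route, or one that has been null-routed, fails both.

```python
import ipaddress

# Constructed FIB for the model: prefix -> egress interface; None stands for a
# route to null0. Interface names follow the slide's "i/f 1..3" labels.
FIB = {
    "10.1.0.0/16": "i/f 1",
    "10.1.5.0/24": "i/f 2",
    "192.0.2.0/24": "i/f 3",
    "203.0.113.0/24": None,     # null-routed prefix (a shunned destination)
}


def fib_lookup(addr, fib=FIB):
    """Longest-prefix match: return (prefix, interface) or None when no route exists."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def urpf_strict(src, in_iface, fib=FIB):
    """Strict mode: forward only if the best route back to src leaves via the ingress interface."""
    route = fib_lookup(src, fib)
    if route is None or route[1] is None:
        return "drop"
    return "forward" if route[1] == in_iface else "drop"


def urpf_loose(src, in_iface, fib=FIB):
    """Loose mode: forward if any non-null route to src exists, whatever the interface."""
    route = fib_lookup(src, fib)
    if route is None or route[1] is None:
        return "drop"
    return "forward"


def compare(cases, fib=FIB):
    """Run both checks over (src, ingress) pairs; returns (src, iface, strict, loose) tuples."""
    return [(s, i, urpf_strict(s, i, fib), urpf_loose(s, i, fib)) for s, i in cases]


if __name__ == "__main__":
    # Constructed packets: symmetric, asymmetric, unrouted source, null-routed source.
    cases = [("10.1.5.7", "i/f 2"), ("10.1.5.7", "i/f 1"),
             ("198.51.100.9", "i/f 1"), ("203.0.113.5", "i/f 3")]
    for src, iface, strict, loose in compare(cases):
        print(f"src={src:<14} in={iface:<6} strict={strict:<8} loose={loose}")
```

The second case is why strict mode is normally applied at single-homed customer edges and loose mode at peering or multi-homed edges, where return paths are not guaranteed to be symmetric; the null0 case shows how a null route for a shunned prefix also blocks packets that claim that prefix as a source.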
Scheduler allocate
• Schedules CPU time spent on processes versus packet handling
Syntax: scheduler allocate <interrupt> <processes>
  <interrupt>: 3000-60000 microseconds handling network interrupts
  <processes>: 1000-8000 microseconds running processes
Example: router(config)#scheduler allocate 8000 8000
Very useful under heavy load!
Advanced Intrusion Protection
• Intrusion Protection provides:
  – Enhanced security over "classic" technologies, e.g. ACLs
  – Advanced technology to address the changing threat
  – Increased resiliency of e-Business systems and applications
  – Effective mitigation of malicious activity and insider threats
Solution Breadth: IDS Portfolio (diagram)
• Network Sensor: 4210, 4230, 4235, 4250
• Switch Sensor: IDSM-1, IDSM-2, IDSM-2-XL
• Router Sensor: 800, 1700, 2600, 3600, 7x00
• Firewall Sensor: 501, 506E, 515E, 525, 535
• Host Sensor: Standard Sensor, Web Sensor
• Management: Secure Command Line, Web UI Embedded Manager, Enterprise Management (VMS), …
IDS-4235 Network Sensor Appliance
• Extending Cisco's powerful intrusion protection line-up to performance-conscious enterprise and service provider customers
• Key Features
  – High speed performance (150 Mbps)
  – Integrated, web-based UI
  – 1 RU form factor
  – 10/100/1000 Base-T copper interface support
  – Advanced protection algorithms
Price: $12,500
Availability: May 2002
IDS-4250 Network Sensor Appliance
• Extending Cisco's technical and innovation leadership with the fastest gigabit appliance offering high performance intrusion protection
• Key Features
  – Gigabit performance
  – Integrated, web-based UI
  – 1 RU form factor
  – Gigabit copper and fiber interface support
  – Optional redundant power supplies
  – Performance upgradeable
  – Advanced protection algorithms
Price: Starting at $25,000
Availability: May 2002
Switch Sensor: Catalyst 6500 IDS Module
• IDSM delivers switch-integrated protection allowing customers to leverage their network investment by delivering security and switching services in a single box
• Key Features
  – Network-integrated protection
  – Interfaces directly into switch backplane
  – Advanced VLAN ACLs to shape/target traffic
  – Monitors 802.1q and ISL traffic – multi VLANs
Switch Sensor Portfolio
                    IDSM-1   IDSM-2   IDSM-2-XL
Size (RU)           1 slot   1 slot   1 slot
Performance (Mbps)  120      500      1000
Processor (MHz)     Custom   Custom   Custom
Hardware Assist     Yes      No       Yes
Availability        Today    2H02     2H02
Host Sensor
• Industry-leading Host Sensor (Entercept) provides attack prevention against operating systems, applications, and critical system resources, providing unique "day zero" protection
• Key Features
  – Sophisticated attack protection
  – OS and application attacks
  – Buffer Overflow attacks
  – Web server application attacks
  – SSL encrypted HTTP attacks
  – Prevents access to server resources before any unauthorized activity occurs
Host Sensor Portfolio
• Standard Server Agent – Platforms: Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8
• Web Server Agent – Platforms: Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8; Web Applications: IIS Web Svr, Apache Web Svr, iPlanet Web Svr, Netscape Ent Svr
• Host Console* – Platforms: Win NT 4.0, Windows 2000
DoS Defence Partners, Example: Riverhead (diagram)
• Riverhead guard
• Detection device: Cisco IDS or Riverhead detector
Once a threat is detected, only the traffic addressed to the attacked host is diverted for treatment. Traffic addressed to other hosts remains undisturbed.
DoS Attacks: Data Diversion
Data diversion:
• diverts the victim's traffic transparently to the "cleaning" device
• returns legitimate traffic back to the intended destination
IOS Security (diagram)
• Offers an integrated solution
• Tight IOS feature integration with GRE, L2TP, routing, …
• Shown: IPsec HW client, FW, WAN Router; Cisco IOS WAN Router with integrated IPsec & FW & IDS & Mobile IP & WAN etc.; IDS
Cisco IOS Firewall Benefits
• Combined with Cisco IOS software-based technologies
  – Positioned at the network's perimeter and aggregation points
• Enhances Cisco IOS security
• Strong security at lower cost of ownership
• Leverages investment in Cisco infrastructure
• Future enhancements include Websense/N2H2 filtering, SIP/H.323 support, token authentication etc.
Cisco IOS Firewall Features
• Context-Based Access Control (CBAC)
  – Stateful, per-application filtering
  – Support for advanced protocols (H.323, SQLnet, RealAudio and more)
• Integrated intrusion detection
• Denial of Service detection and prevention
• Per-user authentication and authorization
• Real-time alerts
• TCP/UDP transaction log
Cisco IOS Intrusion Detection System
• Inline monitoring of network traffic for potential misuse or policy violations
• Matches network traffic against lists of 59 signatures, which look for patterns of misuse
• Takes action upon detection
• Future IOS IDS development committed to:
  – Enhance signature support
  – Dynamic signature update functionality
• Combined with Cisco IOS Firewall for 1720, 2600, 3600, 7100 and 7200 router platforms
Newly published IDS white paper
"The Science of IDS Attack Identification"
• Details the different approaches to recognise an attack
• Freely accessible at: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/idssa_wp.htm
Managed VPNs
• Enterprises outsource VPNs to cut costs!
• Shift towards the adoption of Layer 3 VPNs (IP based)
• MPLS-VPN is a connectivity service well suited for this application and well adopted by European SPs
• Enterprises may ask for IPSec together with MPLS for the following services
  – Site-to-site confidentiality if they do not accept the level of security provided by MPLS or the service provider
  – Secure off-net access to extend beyond their MPLS network boundaries
• The key question is: is there a business case and demand for outsourced IPSec VPNs?
Site-to-Site (Full Mesh) IPsec VPN (diagram)
• Hub on the Intranet side (with NTP server and Default GW) and spokes reached across the Internet; all sites have static, known IP addresses
• Public addresses shown: 130.233.8.1, 130.233.8.2, 130.233.9.41, 130.233.9.42, 130.233.9.43, 130.233.9.44
• Spoke LANs: 30.30.30.0 255.255.255.0 (host 30.30.30.30), 40.40.40.0 255.255.255.0 (host 40.40.40.40)
• IPsec tunnels between every pair of sites
Issues with site-to-site
• Spokes (small sites) are often connected to the Internet.
  – Their external Internet address changes each time they connect.
• IPsec uses an access-list to define what user traffic is to be encrypted.
  – Each time a new (sub)network is added behind a spoke or the hub, the customer must change the ACL on the hub and spoke routers.
  – The customer must notify the SP in order to get the IPsec ACL changed so that new destination traffic will be encrypted!!
Hub-and-spoke IPsec VPN (diagram)
• Hub on the Intranet side (with NTP server and Default GW) has static, known IP addresses (130.233.8.1 shown); spokes have dynamic, unknown IP addresses
• Spoke LANs: 30.30.30.0 255.255.255.0 (host 30.30.30.30), 40.40.40.0 255.255.255.0 (host 40.40.40.40)
• IPsec tunnels from each spoke to the hub only
Issues with Hub-and-Spoke
• With large hub-and-spoke networks the size of the configuration on the hub router can become very large, to the point that it is unusable.
• It is not known beforehand which spokes will need to talk directly with each other. Trying to configure IPsec on a small spoke router to have direct connectivity with all other spoke routers in the network is usually not feasible.
Full Mesh with TED IPsec VPN (diagram)
• Hub on the Intranet side (with NTP server and Default GW) has static, known IP addresses (130.233.8.1 shown); spokes have dynamic, unknown IP addresses
• Spoke LANs: 30.30.30.0 255.255.255.0 (host 30.30.30.30), 40.40.40.0 255.255.255.0 (host 40.40.40.40)
• TED probes are exchanged between sites and IPsec tunnels are built between any pair of sites
• All LANs must have routable/public IP addresses. Otherwise TED won't work
Issues with TED
• TED probes need to be routable
• Is it really feasible to assume public addresses?
TED Example (diagram)
• No need to configure tunnel endpoints
• ACLs determine WHICH TRAFFIC to encrypt
• Ideal for MPLS VPNs - maintains "Any-to-Any" nature
• Flow shown: Alice (behind router X) sends IP traffic A to B (Bob, behind router Y). UDP traffic must be protected; no SA exists, so a probe is sent. IKE: A to B (proxy = X); IKE: B to A (proxy = Y)
Automatic IPSec Tunnel Creation
• IPSec initiates tunnels when data flows
• GRE tunnel configuration must already include the GRE tunnel peer AND the IPsec peer address must also be pre-configured
• Solution is NHRP
  – NHRP is used to dynamically determine the required destination address of the target spoke.
  – IPSec is triggered immediately for the GRE tunnel or when the GRE peer address is resolved.
  – There is no need to configure any crypto access-lists since these will be automatically derived from the GRE tunnel source and destination addresses.
Automatic IPSec Tunnel Creation cont'd
• Spoke-to-hub tunnels are up continuously.
• The hub router acts as the NHRP server and handles NHRP requests from the source spokes.
• The two spokes then dynamically create an IPsec tunnel between them and data can be directly transferred.
• The IP next-hop address on routing table entries controls whether IP data packets will trigger the creation of a direct spoke-to-spoke tunnel or the data packets will be forwarded via the hub router.
  – A timeout function will automatically tear down the tunnel after a period of inactivity.
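The two slides above describe the NHRP-based spoke-to-spoke mechanism as a sequence: spokes register with the hub over permanent tunnels, a route whose next hop is another spoke triggers an NHRP resolution, the resolved address brings up a direct IPsec tunnel whose crypto ACL is derived from the GRE endpoints, and an idle timer tears it down. The following is an added Python model of that sequence, written for this page; it is not Cisco's NHRP or DMVPN implementation, and the class names, method names, addresses and 300-second timeout are this example's own assumptions.

```python
import ipaddress


class Hub:
    """Hub router acting as NHRP server (constructed model, not Cisco code)."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip = tunnel_ip      # address inside the mGRE tunnel
        self.nbma_ip = nbma_ip          # public (NBMA) address spokes tunnel to
        self.nhrp_table = {}            # tunnel IP -> NBMA IP, filled by registrations
        self.forwarded = 0              # packets relayed spoke -> hub -> spoke

    def register(self, tunnel_ip, nbma_ip):
        self.nhrp_table[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip):
        """Answer an NHRP resolution request; None if the spoke never registered."""
        return self.nhrp_table.get(tunnel_ip)


class Spoke:
    def __init__(self, name, tunnel_ip, nbma_ip, hub, idle_timeout=300):
        self.name, self.tunnel_ip, self.nbma_ip = name, tunnel_ip, nbma_ip
        self.hub, self.idle_timeout = hub, idle_timeout
        self.routes = {}                # prefix -> next-hop tunnel IP
        self.tunnels = {hub.nbma_ip: None}   # peer NBMA -> last use; hub tunnel is permanent
        self.crypto_acls = []           # derived from GRE src/dst, never hand-written
        hub.register(tunnel_ip, nbma_ip)     # NHRP registration over the always-up hub tunnel

    def add_route(self, prefix, next_hop_tunnel_ip):
        self.routes[prefix] = next_hop_tunnel_ip

    def _next_hop(self, dst):
        """Longest-prefix match over the spoke's routing table."""
        ip = ipaddress.ip_address(dst)
        matches = [(ipaddress.ip_network(p), nh) for p, nh in self.routes.items()
                   if ip in ipaddress.ip_network(p)]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def send(self, dst, now):
        """Forward one packet; returns 'via hub', 'direct' or 'no route'."""
        nh = self._next_hop(dst)
        if nh is None:
            return "no route"
        if nh == self.hub.tunnel_ip:        # next hop is the hub: relay, no new tunnel
            self.hub.forwarded += 1
            return "via hub"
        peer_nbma = self.hub.resolve(nh)    # next hop is a spoke: NHRP resolution
        if peer_nbma is None:
            self.hub.forwarded += 1         # unknown spoke: fall back to the hub
            return "via hub"
        if peer_nbma not in self.tunnels:
            # GRE peer now known, so IPsec is triggered at once; the crypto ACL
            # is derived from the tunnel endpoints instead of being configured.
            self.crypto_acls.append((self.nbma_ip, peer_nbma))
        self.tunnels[peer_nbma] = now       # refresh the idle timer
        return "direct"

    def expire(self, now):
        """Tear down spoke-to-spoke tunnels idle beyond the timeout; the hub tunnel stays."""
        idle = [p for p, t in self.tunnels.items()
                if t is not None and now - t > self.idle_timeout]
        for p in idle:
            del self.tunnels[p]
        return idle


def run_demo():
    # Constructed addresses from documentation ranges, not the slide's.
    hub = Hub(tunnel_ip="10.0.0.1", nbma_ip="192.0.2.1")
    a = Spoke("A", "10.0.0.2", "198.51.100.2", hub)
    b = Spoke("B", "10.0.0.3", "203.0.113.3", hub)
    a.add_route("172.16.3.0/24", b.tunnel_ip)   # next hop = spoke B -> direct tunnel
    a.add_route("0.0.0.0/0", hub.tunnel_ip)     # next hop = hub -> relayed via hub
    events = [a.send("172.16.9.9", now=0),       # default route: via hub
              a.send("172.16.3.10", now=1),      # resolve B, build direct tunnel
              a.send("172.16.3.11", now=2)]      # tunnel reused
    torn = a.expire(now=400)                     # idle > 300 s: direct tunnel torn down
    events.append(a.send("172.16.3.12", now=401))   # traffic resumes: tunnel rebuilt
    return events, torn, hub.forwarded, len(a.crypto_acls), sorted(a.tunnels)


if __name__ == "__main__":
    print(run_demo())
```

The routing table is the policy lever here: whether a destination goes direct or through the hub depends only on which next hop the route carries, which is why the slide singles out the next-hop address. Teardown only ever removes spoke-to-spoke entries; the registration path to the hub is never aged out.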
8/15/2019 Managed Security.pdf
http://slidepdf.com/reader/full/managed-securitypdf 61/98
616161© 2001, Cisco Systems, Inc. All rights reserved.Presentation_ID
Easy VPNEasy VPN
DSL
T1Cisco IOSRouter WithUnityClient
VPN3002
Gateway options:• Cisco VPN 30xx• Cisco IOS 12.2(8)T• PIX 6.0
IOSRouter
=IPsec tunnel
Advantages:
• Unity is the common languagewithin Cisco VPN environment• No separate configuration for
CPEs, treated as normal Unityclients.
Home Office
Small Office
Home Office
Single User
800,uBR900,
1700
Cisco IOSRouter With
UnityClient
800,uBR900,
1700
Cisco IOSRouter
WithUnityClient
Cisco Unity VPN Clients
C a b l e
PIX501
12.2(4)YA
12.2(4)YA
12.2(4)YA
Internet HQ
Easy VPN
• The Cisco Easy VPN Remote feature allows Cisco routers, PIX firewalls, as well as hardware clients to act as remote VPN clients.
• These devices can receive predefined security policies and configuration parameters from the headquarters' VPN head-end.
Minimises the VPN configuration required at the remote location.
• Parameters such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags are all pushed to the remote device.
Easy VPN Clients & Servers
• Easy VPN Clients:
Cisco VPN Client 3.x
Cisco VPN 3002 OS 3.x
Cisco PIX OS 6.2
Cisco IOS Easy VPN Client 12.2(10)T
• Easy VPN Servers:
Cisco VPN 3000 Series OS 3.x
Cisco IOS Routers 12.2(8)T
Cisco PIX Firewalls OS 6.0
New Hardware: Cat6500 IPSec VPN Services Module
• Speeds & Feeds!
1.9 Gbps 3DES (Max)
1.65 Gbps 3DES (IMIX)
1.6 Gbps 3DES (300 byte pkt)
8,000 tunnels
60 tunnels per second
• List Price: $35,000 US
Deployments for VPN Services Module
[Figure: two campus sites (Campus1, Campus2) joined by a Campus VPN, and an Enterprise WAN Edge VPN]
Deployment / Description
Campus: Secure LAN traffic between switches, floors, buildings and specific sensitive network applications such as iSCSI
Link-Layer Encryption Replacement: Replace old ATM and other link-layer encryption with a modern IPSec layer 3 VPN solution
WAN Edge: Provide VPN termination services on the WAN aggregator router
Extranet: Enables partner networks to securely connect and transfer large amounts of data
Several Deployment Options
• Site-to-site (full mesh) IPsec VPN
• Hub-and-Spoke IPsec VPN
• Full mesh with TED IPsec VPN
• Cisco IOS Easy VPN Server (12.2(8)T)
• Dynamic Multipoint VPN (Phase 2)
VPN Services Module Roadmap
(Roadmap columns: Initial Release, Phase 2, Phase 3)
Initial Release:
• Cat6500
• MSFC2/Sup2 (Native IOS only, no CatOS support)
• FE & GE interface blades
• Site-to-site (full mesh) IPsec VPN
• Hub-and-Spoke IPsec VPN
• Full mesh with TED IPsec VPN
Phase 2 and Phase 3 (column boundary not recoverable from the extracted slide):
• VRF-aware IPSec
• Multi-chassis IPSec stateful failover
• 32,000 tunnels
• NAT transparency
• 7600 OSR: support for all WAN interface blades including OSMs
• Multiple blades per chassis after FCS (7 x)
• VPN Remote Access termination (Easy VPN Server)
• Dynamic Multipoint VPN
• Onboard GRE for faster routing/multicast VPN
• Faster tunnel setup (~200 t/s)
• VPN Solutions Center support
Remote Access to VPNs
Solution Overview
[Figure: SP shared network. Remote users/telecommuters and SOHO sites reach a local or direct-dial ISP or a cable/DSL/ISDN ISP; Customer A head office, Customer A branch office (Cisco IOS VPN routers or Cisco Client 3.x) and Customers B and C connect through PE routers into an IP, MPLS or L2/L3 based VPN (VPN A, VPN B, VPN C). IPsec sessions from the access side terminate on a one- or two-box network-based IPsec solution (Cisco IOS router) in the provider network, which hands off to the corporate intranet; provisioning through VPN Solution Center (IPsec and MPLS).]
IPsec to MPLS Service Architecture: Cisco IOS Solutions
Inside the IPsec/MPLS PE Router
[Figure: IOS router with an IPsec interface, IPsec crypto map, global routing table, VRF-1, VRF-2 and an MPLS interface towards the MPLS VPNs]
Decrypted IPsec packets get forwarded to the global routing table.
Based on the information in the global routing table the clear-text packets are forwarded to the right VRFs.
MPLS-wrapped clear-text packets are forwarded to the MPLS VPNs.
LIMITATION: No overlapping IP addresses between the VRFs
IPsec to MPLS Service Architecture: Cisco IOS Solutions
Inside the IPsec/MPLS PE Router
[Figure: IOS router with IPsec/GRE interfaces, IPsec crypto maps, GRE tunnel interfaces bound to VRFs, a global routing table that is bypassed, and an MPLS interface]
Decrypted IPsec packets enter the GRE tunnel interface.
GRE tunnel interfaces are associated directly with VRFs. Clear-text packets bypass the global routing table and are directly forwarded to the VRF.
MPLS-wrapped clear-text packets are forwarded to the MPLS VPNs.
Ability to have overlapping IP addresses.
Limitation: no IPsec Client support, because this requires GRE.
IPsec to MPLS Service Architecture: Cisco IOS Solution 12.2(6th)T
Inside the IPsec/MPLS PE Router
[Figure: IOS router with an IPsec interface, IPsec crypto map, VRF-1, VRF-2, a global routing table that is bypassed, and an MPLS interface]
Based on the IKE authentication, the IPsec tunnel is directly associated with the VRF. The AAA server that is used in the IPsec/IKE authentication informs the IOS router of the right VRF ID for this tunnel. Decrypted clear-text packets get forwarded directly to the right VRF, thus bypassing the global routing table.
MPLS-wrapped clear-text packets are forwarded to the MPLS VPNs.
No limitations!!! Works for both site-to-site and client-to-concentrator types of IPsec tunnels. Per-VRF AAA supported.
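The three PE designs on the preceding slides, as an added toy model (not Cisco code and not from the deck). It shows concretely why two customers with overlapping address space cannot share the global-routing-table design, and how binding the tunnel to a VRF (by GRE interface, or at IKE time from AAA) removes that limitation. VRF names, prefixes, tunnel interface names, IKE identities and the AAA mapping are all constructed.

```python
# Added example (not Cisco code): a toy model of the three IPsec-to-MPLS PE
# designs on the preceding slides, showing why overlapping customer address
# space breaks the global-routing-table design and not the VRF-bound ones.
# All VRF names, prefixes, identities and addresses are constructed.
import ipaddress

# Two customers that both use 10.1.0.0/16 internally (overlapping addressing).
VRF_ROUTES = {
    "VRF-1": ["10.1.0.0/16", "172.16.0.0/24"],
    "VRF-2": ["10.1.0.0/16", "192.168.5.0/24"],
}


def lookup(prefixes, dst_ip):
    """Longest-prefix match over a list of prefix strings; None if no route."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [n for n in (ipaddress.ip_network(p) for p in prefixes) if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


# --- Design 1: decrypted packets go through the global routing table ---------
def build_global_table(vrf_routes):
    """Global table: prefix -> VRF. Prefixes of different VRFs cannot overlap
    here, which is the LIMITATION stated on the first slide."""
    table = {}
    for vrf, prefixes in vrf_routes.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            for other, other_vrf in table.items():
                if net.overlaps(other) and other_vrf != vrf:
                    raise ValueError(f"{net} ({vrf}) overlaps {other} ({other_vrf})")
            table[net] = vrf
    return table


def global_design_accepts(vrf_routes):
    """True if the customer address plans can coexist in one global table."""
    try:
        build_global_table(vrf_routes)
        return True
    except ValueError:
        return False


def forward_global(global_table, dst_ip):
    """Pick the VRF from the global table alone: the PE has no idea which
    tunnel the packet arrived on, only its destination address."""
    net = lookup([str(n) for n in global_table], dst_ip)
    return global_table[net] if net else None


# --- Design 2: GRE tunnel interface bound to a VRF ---------------------------
TUNNEL_VRF = {"Tunnel1": "VRF-1", "Tunnel2": "VRF-2"}   # per-interface binding


def forward_gre_vrf(tunnel_if, dst_ip, tunnel_vrf=TUNNEL_VRF, vrf_routes=VRF_ROUTES):
    """The ingress tunnel interface selects the VRF; the global table is bypassed.
    This needs GRE, so plain IPsec clients cannot use this design."""
    vrf = tunnel_vrf[tunnel_if]
    return vrf if lookup(vrf_routes[vrf], dst_ip) else None


# --- Design 3: VRF chosen at IKE authentication time via AAA ----------------
AAA_VRF_ID = {                      # identity presented at IKE -> VRF ID from AAA
    "siteA.cust1.example": "VRF-1",
    "siteB.cust2.example": "VRF-2",
    "remote-user-7": "VRF-2",       # works for client-to-concentrator tunnels too
}


def ike_bind_vrf(identity, aaa=AAA_VRF_ID):
    """VRF the tunnel is bound to, or None if AAA rejects the identity
    (no VRF means the tunnel must not be established)."""
    return aaa.get(identity)


def forward_ike_vrf(identity, dst_ip, vrf_routes=VRF_ROUTES):
    vrf = ike_bind_vrf(identity)
    if vrf is None:
        return None
    return vrf if lookup(vrf_routes[vrf], dst_ip) else None
```

In designs 2 and 3 the isolation between customers comes from the tunnel-to-VRF binding, not from address uniqueness, so the AAA mapping (design 3) and the interface binding (design 2) are the objects that need to be protected and audited.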
Managed VPN Summary
• Cisco IOS IPsec VPN implementation offers several solutions that have been designed with different customer scenarios in mind.
• Some of the solutions target simplicity (Easy VPN), whereas others try to offer comprehensive functionality (Dynamic Multipoint VPN).
• Our intention is to continue developing follow-up releases for each of the solutions with added functionality.
Agenda
• The Managed Security Services market
• Managed firewall services
• Managed intrusion detection services
• Managed VPN services
• Management
• Cisco initiatives
Managing PIX, IDS and VPN routers: VMS Components – Enterprise solution
[Figure: managed devices (PIX, Intrusion Detection Sensor, VPN routers 7100/7200/1700/2600/3600, VPN C3000 for site-to-site and remote access, IDS Host Sensor) reached over IP-VPN/Internet from partners/customers, managed by the VMS components below]
VMS components:
• CiscoView & CiscoWorks2000 Server (CD One): graphical web-based device management and common services
• RME/CD Two: device inventory, config & software admin
• VPN Monitor: IOS & VPN C3000
• IDS Host Sensor (new): includes console and evaluation agents
• CiscoSecure Policy Manager 3.0 (CSPM) (new): PIX, IDS configuration
VMS 2.1 Developments
• Management Centers for PIX, IDS and VPN routers
Web-based application
Setup and maintain large-scale VPN connections
Hub-and-spoke topology
Spoke-to-spoke connectivity via hub
Support of second hub for resilience
Centralized configuration of IKE and IPsec tunnel policies
Translation of VPN policy into CLI commands
• Support for Cat6500 blades will follow
Auto Update Server
• Introduces new push / pull paradigm for remote management of Cisco PIX Firewalls
• Works in conjunction with PIX MC
• Flexible, secure remote management interface
Supports both configuration and software updates
Scalable push / pull model for updating
Lightweight XML over HTTPS implementation
All management traffic authenticated and encrypted
HTTPS-Based CLI Access
• HTTPS server interface on PIX requires User ID / Password authentication
Authentication database can be locally stored on PIX or on AAA (RADIUS/TACACS+) server
• Examples of HTTPS GET command
https://user:[email protected]/exec/show%20ver
Will provide “show ver” output via HTTPS response
https://user:[email protected]/exec/show%20config
Will provide “show config” output via HTTPS response
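A small client for the HTTPS exec interface shown above, as an added example (not Cisco code and not part of the deck). It keeps the /exec/<percent-encoded command> URL layout from the slide but carries the credentials in an Authorization header instead of the user:password@host form, and verifies the firewall's TLS certificate. The host name, CA bundle path and credentials are placeholders.

```python
# Added example (not Cisco code): a small client for the HTTPS "exec" interface
# shown above. The host name, CA bundle path and credentials are placeholders;
# the URL layout /exec/<percent-encoded command> is the one the slide shows.
import base64
import ssl
import urllib.parse
import urllib.request


def build_exec_url(host, command):
    """Percent-encode the CLI command into the /exec/ path (e.g. 'show ver' -> show%20ver)."""
    return f"https://{host}/exec/{urllib.parse.quote(command, safe='')}"


def basic_auth_header(user, password):
    """Send credentials in the Authorization header rather than in the
    user:password@host URL form, so they do not end up in proxy logs,
    shell history or bookmarks."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def run_command(host, command, user, password, ca_bundle, timeout=10):
    """Issue the GET and return the command output as text. TLS is verified
    against the CA that issued the firewall's certificate (ca_bundle is a
    placeholder path); verification is not disabled to make a self-signed
    certificate 'work'."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(build_exec_url(host, command))
    req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Placeholder values: the firewall's management address, an AAA-backed
    # account and the CA bundle that signed its certificate.
    print(run_command("pix.example.net", "show ver", "user", "pw", "/path/to/ca.pem"))
```

Because "show config" returns the running configuration, the account used here should be one of the AAA (RADIUS/TACACS+) accounts the slide mentions, so that access to it is logged centrally.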
Auto Update Overview
• Security overview
All management traffic encrypted using SSL (3DES/DES)
PIX authenticated using either User ID/PW or X.509 cert
Auto Update Server optionally authenticated via X.509 cert
• Envisioned as pull-based solution for scalability
PIX automatically polls Auto Update Server on regular basis
At power-up of PIX Firewall
At administrator defined interval
Upon change of outside interface IP address
Auto Update Server can send message to PIX and force a pull at any time (push)
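The pull triggers listed above (power-up, administrator-defined interval, outside-address change) and the server-initiated forced pull, as an added toy scheduler (not Cisco code and not from the deck). It models the point the slide makes about scalability: the server only signals, the device always initiates the update connection. Interval, addresses and timestamps are constructed.

```python
# Added example (not Cisco code): a toy scheduler reproducing the pull triggers
# listed above (power-up, administrator-defined interval, outside-IP change)
# plus the server-initiated "force a pull" message. Times are seconds; all
# values are constructed for the demo.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AutoUpdateState:
    poll_interval: int                      # administrator-defined interval (seconds)
    outside_ip: Optional[str] = None        # last known outside-interface address
    last_poll: Optional[float] = None       # None until the first poll after power-up
    forced: bool = False                    # set when the server sends a "pull now" message


def server_push(state):
    """Model of the push: the server only asks; the device still performs the
    pull, so the management channel stays device-initiated."""
    state.forced = True


def poll_reason(state, now, outside_ip):
    """Return why a poll is due right now, or None."""
    if state.last_poll is None:
        return "power-up"
    if state.forced:
        return "server-forced"
    if outside_ip != state.outside_ip:
        return "outside-ip-changed"
    if now - state.last_poll >= state.poll_interval:
        return "interval"
    return None


def maybe_poll(state, now, outside_ip):
    """Run the check; on a poll, reset the triggers and return the reason."""
    reason = poll_reason(state, now, outside_ip)
    if reason is not None:
        state.last_poll = now
        state.outside_ip = outside_ip
        state.forced = False
    return reason


def demo():
    st = AutoUpdateState(poll_interval=3600)
    events = [
        maybe_poll(st, 0, "198.51.100.9"),      # power-up
        maybe_poll(st, 60, "198.51.100.9"),     # nothing due
        maybe_poll(st, 120, "198.51.100.42"),   # DHCP gave a new outside address
        maybe_poll(st, 3600, "198.51.100.42"),  # only 3480 s since the last poll
        maybe_poll(st, 3720, "198.51.100.42"),  # 3600 s after the poll at 120
    ]
    server_push(st)
    events.append(maybe_poll(st, 3725, "198.51.100.42"))  # forced pull
    return events
```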
MSSP Management Product Overview
SP IP VPN OSS: Security Solution
[Figure: layered OSS view. BML: Third Party BSS Apps and SP Customer Legacy Apps. SML / NML: pre-integrated apps for an enhanced OSS. EML: Embedded Device Configuration. EL: PIX/IOS FW, VPN5K, VPN3K, IOS router, IDS, non-Cisco (FW, VPN, PKI).]
Pre-integrated apps for an enhanced OSS: Fault Mgmt (CIC), Perf Mgmt / SLA (Concord), Billing (Digiquant), Visual Networks Portal, FW Mgmt (Solsoft NP), Security Event Analysis & Reporting (NetForensics), IDS Mgt (CSPM)
Cisco VPN Solutions Center (IP VPN OSS in a box, SP starter kit): IPsec/MPLS VPN service provisioning, IPsec/MPLS VPN service auditing, VPN SLA measurement & reporting, VPN usage measurement & reporting, IOS/PIX firewall provisioning, IPsec/MPLS VPN QoS configuration; CORBA API
VPNM = IP-VPN Network Management Solution
Value Proposition
VPNM is Cisco’s out-of-the-box, pre-integrated, pre-tested, fully automated, carrier-grade Internet OSS solution that enables Service Providers to efficiently and economically manage the deployment of IP VPN services and monitor their continuous, fault-free/fault-recovered performance.
VPN Management
IP VPN OSS-in-a-box - MSSP starter kit
Carrier Class IP VPN OSS
Widely deployed (~100 SP WW)
Supports fastest growing VPN technologies: IPSec, MPLS or both!, L2oMPLS
Management support for every Cisco Security VPN platform: VPN3K, PIX, IOS + Broadband platforms
Multi-tiered non-recurring licensing model
Multi-vendor management support planned
[Figure: Cisco VPN Solution Center functions: Topology Views, Performance Monitoring & Reporting, VPN Views & Inventory, Service Auditing, Provisioning]
VPNM Version 1.2
[Figure: VPNM 1.2 architecture. VPN Solution Center (repository with VPN inventory, MPLS API, IPsec API, CORBA bridge) on the VPNSC Tibco bus; Cisco VPN Policy Manager with MPLS policy and IPsec policy; Data Source Adaptor, Event Broker, VPN views, MPLS cache and IPsec cache; CIC Info Server fed by CIC Info Mediators (RTTRAPD, MTTRAPD, Tibco rdv) with events tagged for VPN correlation; C-NOTE provides keep-alive node polling and receives SNMP traps and IOS syslog messages from the network of Cisco routers (IPsec CPE, MPLS PE, CE).]
SNMP Traps: MPLS VPN MIB, IPsec Flow Monitor MIB, MIB II, ALTIGA-Hardware-Stats MIB, SEP-Stats MIB
IOS Syslog Messages: Managed MPLS CE int and sub-int, CRYPTO
New Features in VPNM 1.2
• Integration of C-NOTE
• Provides IOS syslog / SNMP mediation
• Triggers keep alive node polling
• Service Assurance Capabilities (IPsec & MPLS VPN):
• Automated monitoring of IPsec SNMP traps for IKE and data tunnels between IPsec-compliant CE/CPE (IOS and VPN 3K) devices as defined in the IPsec Flow Monitor MIB
• Automated monitoring of CRYPTO IOS syslog messages for encryption fault detection at IPsec-compliant CE/CPE devices
• Automated monitoring of SNMP traps for link status on secured interface of IPsec-compliant CE/CPE devices as defined in the MIB II
• Automated monitoring of MPLS VPN SNMP traps for PE routers as defined in the MPLS VPN MIB
• Keep alive node polling for MPLS PE, Managed MPLS CE, and IPsec CE/CPE
• LinkStateChange fault for Managed MPLS CE and IPsec CE/CPE
• VPN-aware fault & alarm management for events at the subinterface level (e.g., Frame Relay PVC, ATM VCI/VPI)
• VPNSC Audit Failure Integration (Tibco bus processing of VPNSC published events)
• SA Agent as a VPN Site Poller and for VPN SLA Monitoring
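The syslog mediation, CRYPTO fault detection and VPN-aware LinkStateChange handling listed above, as an added minimal implementation (not VPNM or Cisco code and not part of the deck). It parses IOS-style syslog lines, classifies CRYPTO and link-state messages, and tags each fault with the customer VPN from an inventory of managed interfaces and sub-interfaces. The device names, inventory and sample syslog lines are constructed for the demonstration.

```python
# Added example (not Cisco/VPNM code): a minimal version of the syslog-to-fault
# mediation listed above. It parses IOS-style syslog lines, classifies CRYPTO
# and link-state messages, and tags each fault with the VPN from an inventory.
# The sample lines and the inventory are constructed for the demo.
import re
from dataclasses import dataclass
from typing import Optional

SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
IFACE_RE = re.compile(r"Interface (?P<iface>\S+?),")

# Which customer VPN a given device/interface (or sub-interface) belongs to.
VPN_INVENTORY = {
    ("ce1", "Serial0/0.101"): ("CustomerA", "Managed MPLS CE (FR PVC 101)"),
    ("cpe7", "FastEthernet0"): ("CustomerB", "IPsec CPE"),
}

# Constructed sample lines in IOS syslog format: (device, line)
SAMPLE_SYSLOG = [
    ("ce1", "Jan 12 10:01:02.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0.101, changed state to down"),
    ("cpe7", "Jan 12 10:01:05.001: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x1234ABCD(305441741), srcaddr=198.51.100.7"),
    ("cpe7", "Jan 12 10:02:00.000: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON"),
    ("ce1", "Jan 12 10:02:30.500: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up"),
]


@dataclass
class Fault:
    device: str
    kind: str            # "LinkStateChange", "CryptoFault" or "CryptoInfo"
    severity: str        # "critical", "major" or "info"
    vpn: Optional[str]   # VPN tag from the inventory, None if the device is unmanaged
    detail: str


def parse(line):
    """Return (facility, severity, mnemonic, text) or None for non-IOS lines."""
    m = SYSLOG_RE.search(line)
    return (m["facility"], int(m["sev"]), m["mnemonic"], m["text"]) if m else None


def mediate(device, line, inventory=VPN_INVENTORY):
    """Turn one syslog line into a VPN-tagged Fault, or None if it is not of interest."""
    parsed = parse(line)
    if parsed is None:
        return None
    facility, sev, mnemonic, text = parsed
    if facility in ("LINK", "LINEPROTO") and mnemonic == "UPDOWN":
        im = IFACE_RE.search(text)
        if im is None:
            return None
        vpn_info = inventory.get((device, im["iface"]))
        if vpn_info is None:
            return None     # interface not in the VPN inventory: not a VPN-aware fault
        state = "down" if text.rstrip().endswith("to down") else "up"
        return Fault(device, "LinkStateChange", "critical" if state == "down" else "info",
                     vpn_info[0], f"{im['iface']} {state} ({vpn_info[1]})")
    if facility == "CRYPTO":
        vpn = next((v for (d, _), (v, _) in inventory.items() if d == device), None)
        if sev <= 4:  # IOS severities 0-4 are emergencies through warnings
            return Fault(device, "CryptoFault", "major", vpn, f"{mnemonic}: {text}")
        return Fault(device, "CryptoInfo", "info", vpn, f"{mnemonic}: {text}")
    return None


def run(samples=SAMPLE_SYSLOG):
    """Mediate all sample lines and keep only the faults."""
    return [f for f in (mediate(d, l) for d, l in samples) if f is not None]
```

The inventory lookup is what makes the output VPN-aware: the same %LINEPROTO message on an unmanaged interface is dropped, while on a managed Frame Relay sub-interface it becomes a critical fault for a named customer, which is the sub-interface-level behaviour the feature list describes.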
Firewall Management
Firewall Management Center under VMS
or
SolSoft NP: Visual Security Policy Management Solution
Simplifies the deployment and policy management of switches, routers, firewalls, and VPNs
Policy import, design, audit, generation & distribution
High scalability – up to thousands of devices – release X.0 (Q4,01)
Multi-Product (Switches, routers, firewalls, VPN)
Multi-Vendor (Check Point, Cisco, Nokia, Nortel…)
Multi-Platform (AIX, HP-UX, Linux, Solaris, Windows)
If you can draw it … you can deploy it
IDS Management
VMS - IDS
GUI-based IDS Provisioning
Uniform & consistent configuration
Configuration wizards
Define, distribute, enforce & audit policy
Sensor and Cat Line Card
Update signatures
New installation configurations
Policy rollback
Security monitoring and event analysis - FW, IDS, ACL
Collects security event data
Correlation of data from multiple events and devices
Reveals more urgent threats from thousands of events
Real-time event notification
Forensic analysis
Reduces staff, expertise and cost required to staff & scale SOC
[Figure: Intrusion Detection Management: the ISP NOC performs IDS configuration and monitoring & event analysis across the ISP network and the customer network]
Event Analysis
Security Event Analysis
• Aggregate log data and alerts from firewalls, IDS, VPNs, etc.
• Process/correlate data from thousands of events
• Quickly ‘root-out’ actual, urgent threats
Faster true attack identification
Reduce false positives
• Scalability (number of customers/devices)
• Maintain quality and cost of operation
Partners / Product: NetForensics
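The aggregation and correlation step described on this slide, as an added small implementation (not NetForensics or Cisco code and not part of the deck). It groups normalised firewall, IDS and VPN events by source address, corroborates IDS alerts with independent evidence from other device classes inside a time window, and ranks the result so that an alert seen by several devices outranks a lone signature that nothing else confirms. All events, addresses and device names are constructed.

```python
# Added example (not NetForensics or Cisco code): a small cross-device
# correlation pass. It aggregates normalised firewall, IDS and VPN events,
# corroborates IDS alerts with independent evidence from other device classes
# within a time window, and ranks the result so true threats surface first.
# All events are constructed.
from collections import defaultdict

# Normalised events (ts in seconds). "kind" is the device class that produced them.
EVENTS = [
    {"ts": 100, "kind": "ids", "device": "sensor1", "sig": "SSH brute force", "src": "198.51.100.7", "dst": "203.0.113.20"},
    {"ts": 102, "kind": "fw",  "device": "pix1",    "action": "deny", "src": "198.51.100.7", "dst": "203.0.113.20", "dport": 22},
    {"ts": 105, "kind": "fw",  "device": "pix1",    "action": "deny", "src": "198.51.100.7", "dst": "203.0.113.21", "dport": 22},
    {"ts": 130, "kind": "vpn", "device": "vpn3k1",  "event": "auth failure", "src": "198.51.100.7", "user": "jsmith"},
    {"ts": 200, "kind": "ids", "device": "sensor1", "sig": "ICMP echo sweep", "src": "192.0.2.44", "dst": "203.0.113.5"},
    {"ts": 900, "kind": "fw",  "device": "pix1",    "action": "deny", "src": "192.0.2.44", "dst": "203.0.113.99", "dport": 445},
]

WINDOW = 300  # seconds within which events from one source are treated as related


def correlate(events, window=WINDOW):
    """Group events by source address, score each group, return highest score first."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        first = evs[0]["ts"]
        related = [e for e in evs if e["ts"] - first <= window]
        kinds = {e["kind"] for e in related}
        targets = {e["dst"] for e in related if "dst" in e}
        score = 0
        if "ids" in kinds:
            score += 2                       # an IDS signature fired
            score += 3 * (len(kinds) - 1)    # each independent device class corroborating it
        else:
            score += 1                       # only denies/auth failures, no signature
        score += len(targets) - 1 if targets else 0   # spread across several hosts
        verdict = "urgent" if score >= 5 else ("review" if score >= 2 else "noise")
        incidents.append({"src": src, "score": score, "verdict": verdict,
                          "devices": sorted({e["device"] for e in related}),
                          "events": len(related), "uncorrelated": len(evs) - len(related)})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

The scoring is deliberately simple; the point is the structure: an IDS alert alone lands in "review", while the same alert confirmed by firewall denies and a VPN authentication failure from the same source inside the window is escalated, which is how cross-device correlation cuts false positives without suppressing real attacks.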
SLA Management
[Figure: "The Cube", the ITU TMN model: management layers (Elements, Element Management, Network Management, Service Management, Business Management) against the FCAPS functions (Faults, Configuration, Accounting, Performance, Security) for IP-VPN, Dial/PPP and xDSL solutions]
Concord eHealth Suite
End-to-end fault, performance & availability
Pre-integration – faster time-to-market
VPNSC, CIC, WAN Mgr, NetFlow, Service Assurance Agent
Supports over 60 Cisco devices: Routers & Switches, VPN Concentrators, Gateways, Firewalls & more
Service differentiation
SLA reports by VPN, customer, or Class of Service (CoS)
Proactive SLA Violation Notification
Reduce paybacks, irate customers
Agenda
• The Managed Security Services market
• Managed firewall services
• Managed intrusion detection services
• Managed VPN services
• Management
• Cisco initiatives
MSSP Programs
AVVID Partner Program
Security and VPN Solutions
Product and Technology Partners
– Complementary, interoperable Enterprise products
Services Partners
– Best-in-class, Security-focused, tier-3 service providers
– Monitoring and Management: alarm & incident tracking and network-wide device administration
Cisco Powered Networks
Managed Security Services
– Management and monitoring services – based on Cisco’s VPN, FW, IDS
– Complements the CPN VPN Services designation; typically tier-1 & tier-2 service providers
MSSP Programs
JumpStart Program for CPNs
Assist SPs to define & launch new services
On-line information & planning toolkit (JOLT)
Consultant support
Proven methodology
Accelerate time-to-market
Joint marketing program planning & execution for revenue generation
Lead generation
Sales Training
New Managed VPN & Security Support program
Current Programs: Dedicated Internet Access, DSL, IP Fax, Remote Access, Dedicated VPN, Web Hosting, Voice Over IP, Unified Communications, Cable, Broadband Wireless Access, ASP/AIP
MSSP Programs
Cisco Programs Impact MSSP Sales
Trust & credibility via Cisco brand association
– Assurance of quality services
– Assurance of quality products
– Impact of Cisco SAFE and AVVID marketing
Introduction to Cisco Customer-base
Designed to direct Cisco customers to MSSP Partners
– Co-marketing resources
– Participation in Industry-leading marketing and seminar programs
Agenda
• The Managed Security Services market
• Managed firewall services
• Managed intrusion detection services
• Managed VPN services
• Management
• Cisco initiatives
• More Information
References (Cisco - public)
Product Security:
• Cisco’s Product Vulnerabilities; A page that every engineer MUST know!!! [http://www.cisco.com/warp/public/707/advisory.html]
• Security Reference Information: Various white papers on DoS attacks and how to defeat them [http://www.cisco.com/warp/public/707/ref.html]
ISP Essentials:
• Technical tips for ISPs every ISP should know [http://www.cisco.com/public/cons/isp/]
SAFE Blueprint:
• The SAFE Blueprint is a flexible, dynamic blueprint for security and VPN networks, including actual network designs [http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html]
Security Vulnerability Management in Cisco
• Overview: http://www.cisco.com/warp/public/707/sec_incident_response.shtml
• Reporting Security Problems: [email protected] (emergencies) or Tel +1 877 228 7302 or +1 408 525 6532
[email protected] (non-emergencies)
• Keeping Informed:
www.cisco.com/warp/public/770 : Field Notices concerning security
[email protected]: To receive announcements. (subscribe: send mail to "[email protected]" with the single line in the body "subscribe cust-security-announce")
[email protected]: To discuss security related problems with other customers. (subscribe as above)