
A Unified Threat Defense: The Need for Security Convergence

Udom Limmeechokchai, Senior System Engineer, Cisco Systems

November 2005

© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public


Agenda

• Evolving Network Security Challenges

• META Group White Paper: Unified Threat Defenses

• The Self Defending Network

• Increasing the Effectiveness of Security

• Decreasing the Cost of Securing the Network

• Summary


Evolving Network Security Challenges


Key Issues Facing Organizations

Simplification and Cost Reduction
• Scalability
• Equipment cost
• Staffing (total cost of ownership)
• Integration and systems management

Application and Service Optimization
• Enablers
• Application management
• Performance/Optimization
• Resilience

Security
• Threats
• Theft
• Loss
• Response time


The Network Has Evolved

Applications Everywhere, Everyone Interconnected

[Diagram labels: Finance, ERP, MRP, Human Resources, HR Apps, Sales, Sales Automation, Manufacturing, Customer, Partners, Teleworker, Remote Offices, Headquarters; "Departmental Applications", "Available Throughout", "Reached Mostly by Web/Extranet"]


Evolution of Security Challenges

Rapidly Escalating Threat to Businesses

First Gen
• Boot viruses

Second Gen
• Macro viruses
• Denial of Service

Third Gen
• Distributed Denial of Service
• Blended threats

Next Gen
• Flash threats
• Massive “bot” driven DDoS
• Damaging payload worms

[Chart axes: timeline 1980s, 1990s, Today, Future; time scale Weeks, Days, Minutes, Seconds; Target and Scope of Damage: Individual Computer, Individual Networks, Multiple Networks, Regional Networks, Global Infrastructure Impact]


Security Services Silos Force Trade-Offs

Complementary Defenses, Limited Deployability

IPS Services
• Broad Attack Detection
• Granular Packet Inspection
• Application Control
• Dynamic Response

Firewall Services
• Access Control Services
• Packet Inspection
• Protocol Validation
• Accurate Enforcement
• Robust Resiliency

Network AV Services
• Virus Mitigation
• Spyware, Adware, Malware Detection and Control
• Malicious Mobile Code Mitigation

IPSec/SSL VPN Services
• SSL VPN
• IPSec VPN
• User-Based Security
• Group-Based Management
• Clustering

[Diagram labels: Access Breaches, Session Abuse, Port Scans, Malformed Packets; Application Misuse, DoS/Hacking, Known Attacks; Infected Traffic; Tunneled Traffic, Limited Protections]

Multiple Discrete Services x Multiple Locations = Security Trade-Offs


What’s on the Mind of the IT Professional?

• Help! I have to respond more rapidly and proactively to changes in business conditions

• Show me how to use IT investments to go “on the offense”

• Help me with my pain:
- Operational complexity
- Virus/worm outbreaks
- Application abuse

Approaching the network in a new way can help solve these challenges


META Group White Paper: Unified Threat Defenses


Pervasive Integration


Pervasive Perimeterization


Multilayer Security


Multiservice Agents/Gateway


Unified Threat Defenses


The Self-Defending Network


What Worked in the Past Can’t Meet Today’s Threats

Past → Needed Now
• Reactive → Automated, Proactive
• Point Products → Integrated Multiple Layers
• Product Support Services → Advanced Design/Deployment Services

A Collaborative Systems Approach


Evolution of Cisco Security Strategy

Cisco Self-Defending Network

Point Products
• Multiple security appliances
• Separate management software

SDN Phase I “Integrated Security”
• Making every network element a point of defense: routers, switches, appliances, endpoints
• Secure connectivity (V3PN, DMVPN), threat defense, trust and identity
• Network foundation protection

SDN Phase II “Collaborative Security Systems”
• Security becomes a Network-Wide System: Endpoints + Network + Policies
• Multiple services and devices working in coordination to thwart attacks with active management
• NAC, IBNS, SWAN

SDN Phase III “Adaptive Threat Defense”
• Mutual awareness among and between security services and network intelligence
• Increases security effectiveness, enables proactive response
• Consolidates services, improves operations efficiency
• Application recognition and inspection for secure application delivery/optimization


Adaptive Threat Defense in Action

Services Convergence Enables More Effective Security

• IPS and NW-AV Services: Application Intelligence, Content Inspection, Virus Mitigation
• Network Intelligence: Identity, Virtualization, QoS Segmentation, Traffic Visibility
• Firewall Services: Access Control, Packet Inspection

[Diagram labels: PIX, CSA, NAC, Quarantine VLAN, Cisco Router, Cisco DDoS, Catalyst, Identity-Based Networking, Cisco IPS, VPN, VPN Access]


Five Characteristics of a Self-Defending Network

• End Point Posture Enforcement
• Network Device and End Point Protection
• Dynamic/Secure Connectivity
• Dynamic Communication Between Elements
• Automated Threat Response


Introducing Cisco Adaptive Security Appliances

Delivering Adaptive Threat Defense and VPN Solutions

The Cisco ASA 5500 Series

• Application Security: App Inspection, Use Enforcement, Web Control
• Anti-X Defenses: Malware/Content Defense, Anomaly Detection
• Containment and Control: Traffic/Admission Control, Proactive Response

[Diagram labels: PIX, CSA, NAC, Quarantine VLAN, Cisco Router, VPN, VPN Access, Cisco DDoS, Catalyst, Identity-Based Networking, Cisco IPS]


Increasing the Effectiveness of Security


Introducing Cisco Adaptive Security Appliances

Delivering Adaptive Threat Defense and VPN Solutions

The Cisco ASA 5500 Series

• Converged Adaptive Threat Defense and Flexible VPN Services: Application Security, Worm/Virus Mitigation, Malware Protection and Threat-Protected VPN
• Minimize Deployment and Operations Costs: Platform Standardization, Unified Management, Network Awareness
• Technology Extensibility to Address New Threats: Purpose-Built Adaptive Identification and Mitigation Architecture Enables Unprecedented Extensibility and Policy Control


Cisco Adaptive Security Appliances Series

Convergence of Robust, Market-Proven Technologies

Market-Proven Technologies
• Firewall Technology: Cisco PIX
• IPS Technology: Cisco IPS
• NW-AV Technology: Cisco IPS + Trend NAV
• VPN Technology: Cisco VPN 3000
• Network Intelligence: Cisco Network Services

Adaptive Threat Defense, Secure Connectivity
• Application Security: App Inspection, Use Enforcement, Web Control
• Anti-X Defenses: Malware/Content Defense, Anomaly Detection
• Network Containment and Control: Traffic/Admission Control, Proactive Response
• Secure Connectivity: IPSec and SSL VPN


VPN Services for Any Deployment Scenario

Robust IPSec and SSL VPN Services with Threat Prevention

Provides Secure Access for Any User from Any Location from a Single Device and Management Infrastructure

Access Scenarios:
• Site-to-Site Connectivity
• Managed Desktop
• Employee Desktop
• Kiosk Access
• Full or Limited Network Access
• Partner Access

Converged IPSec, WebVPN, Firewall, IPS:
• Inspect/Control VPN Sessions
• Single RA VPN Device Infrastructure
• Unified User Management
• Uniform Resiliency and Load Balancing
• QoS for Site-to-Site Traffic

[Diagram labels: Public Internet; ASA 5500; Account Manager, Mobile User; Branch Office, Site-to-Site; Employee at Home, Unmanaged Desktop; Supply Partner, Extranet]


High Performance Threat Mitigation

Services Convergence Enables Thorough Protection

Outbreak Prevention:
• Virus Detection
• Dynamic Outbreak Updates

Comprehensive Analysis:
• De-obfuscation
• Application Layer Inspection
• Protocol Anomaly Detection
• Heuristic Analysis
• Traffic Normalization

Accurate Enforcement:
• Real-Time Correlation
• Risk Rating
• Attack Drop
• Session Removal and Resets

[Diagram labels: Public Internet; ASA 5500; Worms, Viruses, Spyware, Hackers, W32.Tomorrow’s-Threat]

Leverages Depth of Anti-X Defense Features to Stop Malicious Worms, Viruses and More…and Without a Performance Loss!


Decreasing the Cost of Securing the Network


Cisco Adaptive Security Device Manager (ASDM) v5.0

Dashboard Provides At-a-Glance View of System Status

• Dashboard provides instant status of items such as:
- Software versions installed
- Interface status and throughput
- Platform uptime
- Security Contexts
- Real-time syslog viewer (last ten)
- Powerful search capabilities
- And more!


Cisco Adaptive Security Device Manager (ASDM) v5.0

Robust Firewall Management and Monitoring

• Cisco ASDM v5.0 delivers robust firewall management and monitoring of a Cisco ASA appliance

• Supports full configuration of:
- Access control lists
- Network and service object groups
- Inspection Engines
- NAT/PAT
- AAA and more

• Supports monitoring of:
- Syslog (real-time)
- Connections
- Throughput & more!

© 2004 Cisco Systems, Inc. All rights reserved. ASA 5500 Intro


Cisco Adaptive Security Device Manager v5.0

Comprehensive VPN Management and Monitoring

• Cisco ASDM v5.0 delivers comprehensive remote access and site-to-site VPN management and monitoring of a single Cisco ASA appliance

• Supports full configuration of:
- WebVPN
- IPSec RA groups
- S2S tunnels
- AAA, DHCP, & more!

• Supports monitoring of:
- Uptime, bytes xfered, by tunnel
- VPN usage trends


Cisco Adaptive Security Device Manager v5.0

Extensive IPS Management and Monitoring

• Cisco ASDM v5.0 delivers extensive IPS management and monitoring of a single Cisco ASA appliance

• Supports full configuration of:
- Engines
- Signatures
- Threat Risk Rating
- IPS Actions
- And more!

• Supports monitoring of:
- Events
- Diagnostic reports
- Sensor statistics


Summary


Benefits

• Protects from broadest range of threats with comprehensive suite of services

• Delivers excellent value through integration of multiple deployment-proven, best-of-breed security and networking services

• Decreases ops costs by standardizing on one platform—customizable for numerous deployment scenarios

• Increases security effectiveness through services consolidation

• Delivers high concurrent services performance through unique, extensible multi-processor architecture

• Part of a greater whole—self-defending networks


Take Advantage of Unified Threat Defenses and Self Defending Networks Today!

• To learn more about this exciting new product family or about Cisco Self Defending Networks:

– Visit us at www.cisco.com/go/asa or www.cisco.com/go/sdn

– Contact your Cisco account team or Cisco partner to arrange a demo

• Thank you for your time today!
