
Page 1: End-point Protection for Servers & Desktops - Cisco · Complete Endpoint Security Defends endpoints against sophisticated day zero attacks Enhances the Cisco Self Defending Network

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1

End-point Protection for Servers & Desktops

Ricky Elias

Security Architect

Advanced Technology (Security)

[email protected]

Page 2: Cisco Security Agent: Comprehensive, “Always Vigilant” Endpoint Security

• Single Integrated Client, Simplified Management
• Protection against persistent and evolving threats
  - Prevent loss of sensitive information
  - Enforce appropriate use policies
  - Enhance security through network collaboration
  - Address corporate and regulatory compliance mandates

Business Benefits:
• Empower IT to address Business risks
• Enforce policies and protect business critical assets
• Decrease IT administrative burden
• Reduce expenses

Page 3: Intercepting Actions on the Endpoint

• Application calls to the operating system are intercepted in real time
• Dynamic decisions are made to allow or deny each action
• “Zero Update” architecture: you don’t need a new signature to stop the next attack

Figure: the application’s calls pass through the File, Network, Configuration and Execution Space interceptors to the Rules Engine, which consults the Correlation Engine and the state, rules and policies to return a real-time Allow or Deny decision.

Page 4: Cisco Security Agent: Always Vigilant, Comprehensive Endpoint Security

“Zero Update” Protection Stops Malicious Mobile Code, Worms, Rootkits, Day-Zero and Targeted Attacks

Page 5: Complete Endpoint Security

Defends endpoints against sophisticated day zero attacks

Enhances the Cisco Self Defending Network

Figure: capabilities of the integrated agent: Antivirus, Antispyware, Firewall, Intrusion Prevention, Threat Visibility, Device Control, Application Control, Anti Botnet.

Page 6: Zero-Day Attack Prevention

• CSA has a proven track record of stopping brand new exploits, botnets, targeted attacks, worms, and viruses over the past 7 years:
  - 2001: Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
  - 2002: Sircam, Debploit, SQL Snake, Bugbear
  - 2003: SQL Slammer, So Big, Blaster/Welchia, Fizzer
  - 2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
  - 2005: Internet Explorer Command Execution Vulnerability, Zotob
  - 2006: USB Hacksaw, IE VML exploit, WMF, IE Textrange, RDS Dataspace
  - 2007: Rinbot, Storm Trojan, Big Yellow, Word (MS07-014), MS ANI 0Day, MS DNS 0Day
• No signatures, reconfiguration or binary updates required

Page 7: Integrated Agent with ClamAV™ Open Source Antivirus

• ClamAV virus scanning engine packaged with CSA as a single installable agent
• Protects Windows desktops & servers at no additional cost
  - Accurately identifies malware
  - Prevents malware execution
  - Quarantines or deletes malware
• CSA Management Center manages agent policies and signature updates
• Provides a true single agent, single console endpoint security solution

All other trademarks mentioned in this document are the property of their respective owners.

Page 8: Integrated Agent with Clam Antivirus

• ClamAV is widely deployed on UNIX/Linux e-mail servers
  - Scrubs e-mail traffic for malware
  - Protects millions of Windows desktops
  - Database contains over 200,000 unique signatures
• Shadowserver Foundation independent research: ClamAV™ has a high degree of malware detection accuracy (source: Shadowserver.org wild testing)

Page 9: Cisco Security Agent: Always Vigilant, Comprehensive Endpoint Security

Figure: section topics: Corporate Acceptable Use; Regulatory Compliance (PCI).

Page 10: Acceptable Usage Policies

• Some types of user behavior are not malicious but carry potential exploitation risks:
  - Music sharing via Peer-to-Peer (p2p) applications
  - Instant messaging using non-corporate IM servers
  - Access to sensitive data
  - Removable media usage: USB memory, multimedia devices
  - Use of unauthorized applications, or unauthorized versions of apps
• Prebuilt Acceptable Usage Policies offer an easy way to influence “good” user behavior

Page 11: Policy Control – Application Trust Levels

• CSA monitors & controls all applications and processes
• Trust Levels offer flexible, easy-to-manage control
  - White List: Trusted Business Apps (permissive controls)
  - Grey List: Permitted Applications (more restrictive controls)
  - Black List: Undesired Applications (block use)
• Provides robust security without sacrificing ease of management & deployment
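The following added example (not Cisco’s code and not a description of CSA internals) models in Python how the interceptor architecture from the “Intercepting Actions on the Endpoint” slide and the trust levels on this slide fit together: File, Network, Configuration and Execution Space interceptors report each call as an Action, a correlation engine keeps per-process state, and a rules engine answers Allow or Deny from the application’s trust level and its observed behaviour rather than from a signature. The trust lists are keyed by image hash so a renamed binary cannot inherit a white-list entry. All names (RulesEngine, Action, USER_PROFILE, the sample paths and placeholder image bytes) and the specific rules are assumptions made for illustration.

```python
"""Toy host-based rules engine: interceptors feeding a stateful policy decision.

Added example, not Cisco's code. It models the ideas on the "Intercepting
Actions on the Endpoint" and "Application Trust Levels" slides with invented
names, rules and sample data; real CSA policies are not reproduced here.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum

USER_PROFILE = "c:\\users\\"   # assumed: the only tree grey-list apps may write to


class Trust(Enum):
    WHITE = "white"   # trusted business apps: permissive controls
    GREY = "grey"     # permitted applications: more restrictive controls
    BLACK = "black"   # undesired applications: block use


@dataclass
class Action:
    """One intercepted call: which interceptor saw it, who made it, on what."""
    interceptor: str   # "file", "network", "config" or "exec"
    process: str       # image path of the calling process
    target: str        # file path, peer address, config key or child image
    op: str            # "read", "write", "accept", "connect" or "spawn"


@dataclass
class ProcessState:
    """State the correlation engine keeps per process."""
    trust: Trust
    network_tainted: bool = False   # has consumed data from the network


class RulesEngine:
    def __init__(self, white_hashes, black_hashes):
        # Trust is keyed by SHA-256 of the image, not its name, so a renamed
        # or replaced binary does not inherit a white-list entry.
        self.white = set(white_hashes)
        self.black = set(black_hashes)
        self.state = {}

    def classify(self, process, image_bytes):
        digest = hashlib.sha256(image_bytes).hexdigest()
        if digest in self.black:
            trust = Trust.BLACK
        elif digest in self.white:
            trust = Trust.WHITE
        else:
            trust = Trust.GREY        # unknown software is permitted but restricted
        self.state[process] = ProcessState(trust)
        return trust

    def decide(self, a):
        """Return ("ALLOW"|"DENY", reason) for one intercepted action."""
        st = self.state.get(a.process)
        if st is None:
            return "DENY", "unclassified process"
        if st.trust is Trust.BLACK:
            return "DENY", "black-list application"
        # Correlation engine: remember that this process took input from the network.
        if a.interceptor == "network" and a.op in ("read", "accept"):
            st.network_tainted = True
            return "ALLOW", "network input recorded"
        # Behavioural rule needing no signature: a process that has consumed
        # network data may neither launch programs nor write executable code.
        writes_code = (a.interceptor == "file" and a.op == "write"
                       and a.target.lower().endswith((".exe", ".dll")))
        if st.network_tainted and (a.op == "spawn" or writes_code):
            return "DENY", "network-tainted process tried to run or write code"
        # Trust-level controls.
        if st.trust is Trust.GREY:
            if a.interceptor == "config" and a.op == "write":
                return "DENY", "grey-list app may not change system configuration"
            if (a.interceptor == "file" and a.op == "write"
                    and not a.target.lower().startswith(USER_PROFILE)):
                return "DENY", "grey-list app may only write inside the user profile"
        return "ALLOW", f"{st.trust.value}-list policy permits {a.op}"


def demo():
    """Constructed walk-through; returns the list of decisions in order."""
    word = "c:\\program files\\office\\winword.exe"
    p2p = "c:\\users\\alice\\downloads\\p2pclient.exe"
    bad = "c:\\temp\\bad.exe"
    # Placeholder bytes standing in for the real image contents.
    images = {word: b"winword-placeholder", p2p: b"p2p-placeholder", bad: b"bad-placeholder"}
    sha = lambda b: hashlib.sha256(b).hexdigest()
    engine = RulesEngine(white_hashes=[sha(images[word])], black_hashes=[sha(images[bad])])
    for path, data in images.items():
        engine.classify(path, data)
    actions = [
        Action("file", word, "c:\\users\\alice\\docs\\report.doc", "write"),
        Action("config", p2p, "hklm\\software\\microsoft\\windows\\currentversion\\run", "write"),
        Action("file", p2p, "c:\\users\\alice\\music\\track.mp3", "write"),
        Action("network", word, "203.0.113.7", "read"),
        Action("exec", word, "c:\\windows\\system32\\cmd.exe", "spawn"),
        Action("exec", bad, "c:\\windows\\system32\\cmd.exe", "spawn"),
    ]
    return [engine.decide(a)[0] for a in actions]


if __name__ == "__main__":
    print(demo())
```

The walk-through shows the white-listed editor being allowed an ordinary document write but denied a process launch once it has read from the network, the grey-listed unknown download being confined to the user profile and kept away from the autorun key, and the black-listed image denied outright. None of the decisions needed a signature for the specific binary.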

Page 12: Regulatory Compliance: Benefits for PCI Compliance

• Provides a compliance solution for 9 out of 12 PCI requirements
• Predefined PCI Policies offer ease of management & audit
  - 26 Rule Modules, 150 rules
• Validated by Cybertrust (official PCI auditor)
• Runs on servers, Point-Of-Sale terminals, desktops and laptops
• CSA can be customized for other compliance mandates

http://www.cisco.com/go/retail

Page 13: PCI Compliance & CSA Benefits

PCI Data Security Standard Requirements                                                    Percentage of Assessment Failures*

Build and Maintain a Secure Network
  1. Install & maintain a firewall configuration to protect data                                         66%
  2. Do not use vendor-supplied defaults for system passwords and other security parameters              62%
Protect Cardholder Data
  3. Protect stored data                                                                                  79%
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications                                                56%
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data                              71%
  11. Regularly test security systems and processes                                                      74%
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security                                              60%

*Source: VeriSign (the slide gives no failure percentage for requirements 4, 5, 7, 8 and 9)

Page 14: Predefined CSA PCI Policies

Page 15: Cisco Security Agent: Always Vigilant, Comprehensive Endpoint Security

Identify and Control Sensitive Information

Page 16: Data Loss Prevention Management Process: Visibility and Control for Sensitive Information

• Classification
  - Credit card, Social Security #s
  - Intellectual property definitions
• Reporting
  - Track the location and usage of sensitive data
• Enhanced user education
  - Query user and audit
• Updated enforcement controls
  - Block printing
  - Flexible clipboard control
  - NAC quarantine

Figure: process cycle of Discover, Educate, Enforce, Monitor.

Page 17: Identify Sensitive Data – Content or Context

File Content – certain data patterns are recognized

File Context – data written by certain applications is known to be sensitive
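As an added example (not Cisco’s code), the Python below puts the two approaches side by side: a content check that recognises payment card numbers (a run of 13 to 19 digits that passes the Luhn checksum, so an order number of the same length is not flagged) and US SSN patterns, and a context check that treats anything written by an assumed set of sensitive applications as sensitive regardless of what it contains. The regular expressions, the SENSITIVE_WRITERS set and the sample files are assumptions.

```python
"""Added example, not Cisco's code: classify a file as sensitive by content
(recognised data patterns) or by context (written by an application known to
handle sensitive data). Patterns, the writer list and the samples are assumed."""
import re

# Context rule: output of these (assumed) applications is sensitive regardless of content.
SENSITIVE_WRITERS = {"payroll.exe", "cardvault.exe"}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum, which every payment card number satisfies; it filters
    out order numbers and other digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs that both look like a card number and pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text, writer):
    """Return (sensitive, reasons): content reasons first, then the context reason."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"content: {len(cards)} card number(s) pass Luhn")
    if SSN_RE.search(text):
        reasons.append("content: SSN pattern")
    if writer.lower() in SENSITIVE_WRITERS:
        reasons.append(f"context: written by {writer}")
    return bool(reasons), reasons


# Constructed sample files: (path, contents, writing application).
SAMPLES = [
    ("c:\\users\\alice\\invoice.txt",
     "Order 1234 5678 9012 3456 paid with card 4111 1111 1111 1111", "notepad.exe"),
    ("c:\\users\\alice\\hr.csv", "Smith,123-45-6789,Engineer", "excel.exe"),
    ("c:\\payroll\\export.dat", "opaque export with no recognisable pattern", "payroll.exe"),
    ("c:\\users\\alice\\notes.txt", "call 555-0100 about order 1234 5678 9012 3456", "notepad.exe"),
]


def scan_samples():
    return {path: classify(text, writer) for path, text, writer in SAMPLES}


if __name__ == "__main__":
    for path, result in scan_samples().items():
        print(path, result)
```

The payroll export is caught only by context, which is the point of the second approach: a file format the content scanner cannot read is still controlled because of which application produced it. The notes file shows the other direction, a 16-digit order number that fails Luhn and is left alone.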

Page 18: Removable Media Controls

• Controls for USB drives, CD, iPod
• Monitor usage
• Confidential file controls
• Authorized user controls
• Location-based controls

Figure callouts: consolidated event reporting; end-user business justification for audits.

Page 19: Cisco Security Agent: Always Vigilant, Comprehensive Endpoint Security

Figure: network collaboration topics: NAC, NIPS, Wireless, Traffic Marking, Event Correlation, Data Loss Prevention.

Page 20: Leveraging the Value of the Existing Network: Increases Network Device Security Effectiveness

Figure: four network collaborations around the central theme “Enhance Network Value”:
• PER-APPLICATION QoS: optimize network performance
• WIRELESS POLICY CONTROLS: increases security & network bandwidth utilization efficiency
• NAC POLICY VERIFICATION: ensure host security and health; NAC policy for DLP hosts
• INFORM NIPS OF HOSTILE HOSTS: stop attacks in the network before they reach other hosts

Page 21: Inform NIPS of Hostile Hosts

1. Hacker scans internal servers for vulnerabilities
2. Global Correlation is invoked and the CSA MC updates all the CSA agents with threat information
3. All connection attempts by the hacker to CSA protected devices are dynamically blocked
4. CSA collaborating with Cisco IPS is able to dynamically elevate the Risk Rating threshold for attacks coming from the hacker

Figure: CSA MC, servers and desktops.
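An added model of that four-step sequence (example code, not Cisco’s CSA, CSA MC or IPS implementation): agents report probes to a management centre, and once one source has touched enough distinct protected hosts the centre pushes the source to every agent’s block list and tells the IPS to raise the risk rating of events from that source, so hosts that never saw the scanner block it and the IPS can drop what it previously only alerted on. The class names, the threshold, the rating bonus and deny threshold, and the addresses are assumptions.

```python
"""Added example, not Cisco's code: agents, a management centre and an IPS
cooperating to block a scanning source. Thresholds, rating arithmetic, names
and addresses are assumptions for illustration."""
from collections import defaultdict

RR_DENY_THRESHOLD = 90   # assumed: IPS drops traffic for events rated at or above this
HOSTILE_RR_BONUS = 35    # assumed: added to events from a source the agents flagged


class IPS:
    def __init__(self):
        self.hostile = set()

    def elevate(self, source):
        self.hostile.add(source)

    def risk_rating(self, source, base):
        return base + HOSTILE_RR_BONUS if source in self.hostile else base

    def action(self, source, base):
        return "deny" if self.risk_rating(source, base) >= RR_DENY_THRESHOLD else "alert"


class Agent:
    def __init__(self, host):
        self.host = host
        self.blocked = set()

    def update_threat_info(self, source):      # step 2: pushed by the management centre
        self.blocked.add(source)

    def inbound(self, source, port):
        """Network interceptor decision for one inbound connection attempt."""
        return "DENY" if source in self.blocked else "ALLOW"


class ManagementCenter:
    SCAN_THRESHOLD = 3   # assumed: distinct protected hosts probed by one source

    def __init__(self, agents, ips):
        self.agents = agents
        self.ips = ips
        self.probed = defaultdict(set)   # source -> hosts that reported it

    def report(self, host, source, port):
        """An agent reports a probe (e.g. a connection to a port with no listener)."""
        self.probed[source].add(host)
        if len(self.probed[source]) >= self.SCAN_THRESHOLD and source not in self.ips.hostile:
            self.correlate(source)

    def correlate(self, source):
        for agent in self.agents:              # step 3: every agent now blocks the source
            agent.update_threat_info(source)
        self.ips.elevate(source)               # step 4: IPS rating for the source goes up


def simulate():
    """Constructed scenario; returns (per-host decisions, IPS action on a later event)."""
    ips = IPS()
    agents = [Agent(h) for h in ("srv-web", "srv-db", "wks-01", "wks-02")]
    mc = ManagementCenter(agents, ips)
    source = "198.51.100.23"   # constructed scanner address
    decisions = []
    # Step 1: the source probes three hosts in turn; each one only has local knowledge.
    for agent, port in zip(agents[:3], (22, 445, 3389)):
        decisions.append((agent.host, agent.inbound(source, port)))
        mc.report(agent.host, source, port)
    # After the third report the centre has correlated: a host that never saw the
    # scanner blocks it, and the first host blocks a repeat attempt.
    decisions.append((agents[3].host, agents[3].inbound(source, 80)))
    decisions.append((agents[0].host, agents[0].inbound(source, 80)))
    return decisions, ips.action(source, base=60)


if __name__ == "__main__":
    print(simulate())
```

The threshold is the tuning knob worth attention in a real deployment: too low and a misconfigured monitoring host gets blocked everywhere, too high and the scan finishes before the block propagates.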

Page 22: Per-Application QoS (Example: CSA and QoS)

Desktop application        DSCP marking by application or OS    DSCP marking by CSA
Internet Explorer          Default                              AF11
BitTorrent                 AF11                                 Default
Cisco IP Communicator      EF                                   EF
FTP Client                 Default                              AF11

Network queuing: Class-Based Weighted Fair Queuing (CB-WFQ) and Low-Latency Queuing (LLQ)
Bandwidth allocation: AF11: 50% (CB-WFQ); EF: 15% (LLQ); Default: 10% (CB-WFQ)

• “Bad” software can mark packets to:
  - Get a better service from the network
  - Perform an attack (e.g. flooding with EF-marked packets can cause DoS for IP telephony)
• Use CSA to remark packets according to QoS design
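The following added example (not Cisco’s code) applies the slide’s per-application DSCP policy at the endpoint in Python: whatever marking the application or the OS put on a packet is replaced with the value the QoS design assigns to that application, and every change is recorded so a process that claimed EF for itself shows up in an audit log rather than in the voice queue. The process names, the packet records, the rule that unknown applications fall to Default, and the audit wording are assumptions; the DSCP code points are the standard ones.

```python
"""Added example, not Cisco's code: endpoint-side DSCP remarking according to a
per-application policy, with an audit trail of what was changed."""

# Standard DSCP code points (RFC 2474 default, RFC 2597 AF11, RFC 3246 EF).
DSCP_VALUE = {"Default": 0, "AF11": 10, "EF": 46}

# Policy from the slide's table, keyed by (assumed) process name; anything else gets Default.
APP_POLICY = {
    "iexplore.exe": "AF11",
    "bittorrent.exe": "Default",
    "ipcommunicator.exe": "EF",
    "ftp.exe": "AF11",
}


def tos_byte(dscp_name):
    """IPv4 ToS / IPv6 Traffic Class byte for this DSCP (DSCP occupies the top six bits)."""
    return DSCP_VALUE[dscp_name] << 2


def remark(app, dscp_set):
    """Return (dscp_out, audit) for one outgoing packet; audit is None if nothing changed."""
    wanted = APP_POLICY.get(app.lower(), "Default")
    if dscp_set == wanted:
        return wanted, None
    note = f"{app}: marked {dscp_set}, remarked to {wanted}"
    if dscp_set == "EF":
        note += " (EF claimed by a non-voice application; would compete with IP telephony in the LLQ)"
    return wanted, note


def process(packets):
    """Apply the policy to (app, dscp_set) records.

    Returns per-class packet counts before and after remarking and the audit log."""
    before = {k: 0 for k in DSCP_VALUE}
    after = {k: 0 for k in DSCP_VALUE}
    audit = []
    for app, dscp_set in packets:
        before[dscp_set] += 1
        out, note = remark(app, dscp_set)
        after[out] += 1
        if note:
            audit.append(note)
    return before, after, audit


# Constructed packet records: (sending process, DSCP the application or OS set).
PACKETS = [
    ("iexplore.exe", "Default"),
    ("bittorrent.exe", "AF11"),
    ("bittorrent.exe", "EF"),
    ("ipcommunicator.exe", "EF"),
    ("ftp.exe", "Default"),
    ("unknownapp.exe", "EF"),
]


if __name__ == "__main__":
    before, after, audit = process(PACKETS)
    print("before:", before, "after:", after)
    for line in audit:
        print(line)
```

Of the three EF packets the endpoint would otherwise have sent, only the IP Communicator one keeps its marking after the policy runs; the two others are the audit entries a network team would want to see, since the 15% LLQ on the slide is sized for voice alone.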

Page 23: Wireless Policy Control

• Disable communication over the wireless NIC when wired is active
• Prevent wireless-to-wireless (ad-hoc) connections & non-corporate SSID association
• Require a VPN connection when out of the office, so corporate network protections are not bypassed
• Per-application QoS prioritization to optimize network bandwidth

Page 24: Cisco Security Agent: Always Vigilant, Comprehensive Endpoint Security

Figure: use cases: Corporate Acceptable Use; Regulatory Compliance (PCI); POS Protection; Laptop and Desktop Protection; Server Protection.

Page 25: Up Next: WLAN Update