© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential SDN Overview Security Fundamentals Barbara Fraser Corporate Consulting Engineering


Post on 18-Sep-2019


TRANSCRIPT

Page 1:

Security Fundamentals

Barbara Fraser, Corporate Consulting Engineering

Page 2:

Agenda

The Challenge

The Self-Defending Network

Why Cisco Security?

Page 3:

The Challenge

Page 4:

Adoption of Technologies for Collaboration and Communication Driving Security Evolution

The Human Network at Work

Reputation

Regulatory Compliance

Efficient Business Operations

Limiting Liability

Page 5:

Managing Risk and Compliance: The Potential Business Impact

Down time/service disruption

Data loss/disclosure

Damaged trust

Compliance recovery

Page 6:

The Evolution of Intent: A Shift to Financial Gain

Threats are becoming increasingly difficult to detect and mitigate

[Figure: Threat Severity over time (axis marks 1990, 1995, 2000, 2005, 2007, 2010), with three labelled phases: FINANCIAL: Theft & Damage; FAME: Viruses and Malware; NOTORIETY: Basic Intrusions and Viruses]

Page 7:

A More Sophisticated Threat Environment With a Structured Network for Financial Gain

Columns: Writers; First Stage Abusers; Middle Men; Second Stage Abusers; End Value

Spyware

Viruses

Trojans

Worms

Malware Writers

Internal Theft Abuse of Privilege

Information Harvesting

Machine Harvesting

Extortionist DDoS for Hire

Spammer

Phisher

Pharmer/DNS Poisoning

Identity Theft

Compromised Host and Application

Botnet Creation

Botnet Management

Personal Information

Information Brokerage

Electronic IP Leakage

Theft

Espionage

Extortion

Commercial Sales

Fraudulent Sales

Click Fraud

Financial Fraud

Tool Writers

Hacker/Direct Attack

Fame

Page 8:

The Evolving Security Challenge: Emergence of New Attack Types

Source: 2007 CSI Survey

Page 9:

IT Security – Strategic Business Enabler

Enforce policy tied to business requirements

Foster innovation initiatives

Enable offensive business moves

Reduce complexity of the overall environment

Build a competitive advantage

Pursue new revenue opportunities

Page 10:

But, How Do We Get There?


Page 11:

http://ca.youtube.com/watch?v=16iNk1hLJt4

Page 12:

The Self-Defending Network

Page 13:

The Challenges of Approaching Security Without an End-to-End, Systems Approach

NAC

Firewall

NW IPS

IPSEC VPN

SPAM Gateway

Host IPS

AV Gateway

Web App Firewall

URL Filter

SSL VPN

Security Mgmt.

XML Firewall

Training and Staffing

Policy Implementation

Threat Intelligence

Event Sharing and Collaboration

Configuration and Management

Page 14:

The Advantages of a Systems Approach: Lower Cost, Higher Efficiency, Greater Impact

Policy Implementation

Configuration and Management

Training and Staffing

Threat Intelligence

Event Sharing and Collaboration

Integration Into the Network Infrastructure

NAC

Firewall

NW IPS

IPSEC VPN

SPAM Gateway

Host IPS

AV Gateway

Web App Firewall

URL Filter

SSL VPN

Security Mgmt.

XML Firewall

Page 15:

The Need For a Systems Approach

Less complexity, improved usability

Collaborative operation, increased effectiveness

Fewer devices, reduced initial and ongoing cost

Page 16:

The Alternative…

Page 17:

Cisco Self-Defending Network: A Systems Approach to IT Security

Integrated: Enabling every element to be a point of defense and policy enforcement

Adaptive: Proactive security technologies that automatically prevent threats

Collaborative: Collaboration among the services and devices throughout the network to thwart attacks

Page 18:

Self Defending Networks: To Date

Policy and Control Systems: Dynamic control systems providing real-time and out-of-band analytics, focused on specific needs and drivers

Network Security:

Threat Control: Controlling access to systems, and protecting users and systems from attack or compromise using deep packet inspection

Confidential Communications: Securely extending network services to the mobile workforce

Trusted Client: Client Stubs for HIPS, Secure Desktop, SSL/IPSEC VPN

Secure Network Platform: Security integrated into the Network Platform

Policy and Control Systems

Network Security

Trusted Client

Secure Network Platform

Page 19:

Expansion of the Self Defending Network: Version 3.0

Policy and Control Systems

Content Security: Generally deployed at the Perimeter

Protecting Client Applications from Anti-X activities

Malware, URL Filtering, Spam, Phishing, Botnet discovery, etc.

Application Security: Generally deployed in the Data Center

Protecting Server Applications from Layer 4-7 Attacks

SQL Injection, XML FW, HTTP spoofing, etc.

Content Security

Application Security

Network Security

Trusted Client

Secure Network Platform

Page 20:

Cisco Self-Defending Network 3.0: The Future of IT Security

Better Together: Integrates advanced network, endpoint, content and application security for evolving threats

Wide Traffic Inspection: Protects against latest threats using information gathered from across the global network

End-to-End Solution: Provides end-to-end IT Security solution with unmatched breadth of protection

Page 21:

Threat Evolution Driving Need for Content and Network Security

Locked the network doors, but email and web stayed open

Network Security

Content Security: Port 25, Port 80

Page 22:

Network and Content Security: “Better Together”

Cisco offers a broad suite of highly integrated security solutions across all points in the network

Firewall, VPN, IDS/IPS, NAC, Security Management

IronPort expands end-to-end solution with messaging and web content security services

Endpoint: Cisco Security Agent, Network Admission Control

Network & Perimeter: Firewall, IPS, SSL VPN

Branch Office: FW, IPS, VPN

Wireless Security: Rogue AP, IPS

IPC Security: Infrastructure, Call Management, Applications, Endpoints

Data Center

Content Security

EMAIL Security Appliance

WEB Security Appliance

SenderBase

Internet

Page 23:

75% of New Application Attacks Focused on Custom Apps

Custom Web Applications

Customized Packaged Apps

Internal and 3rd Party Code

Business Logic & Code

Network

Operating Systems

Database Servers

Operating Systems

Application Servers

Operating Systems

Web Servers

Network Firewall

IDS/IPS

Application Layer Becoming a Target Requiring Protection

“50% of enterprises and government agencies are using XML, Web services or SOA.” Source: Gartner

“XML accounted for 15% of internet traffic in 2005. By 2008, it is expected to account for 50%.” Source: 451 Group


Page 24:

Changing the Game: End-to-End IT Security Solution

ACE App Firewall: Web application security services for application front-ends

ACE XML Firewall: SOA and XML inspection and policy enforcement

IPS: Integrated network threat monitoring and analysis

VPN: Secure, encrypted, customizable remote access

ASA: Network security, firewall, modular VPN, IPS

CSA: End point protection for servers, desktops and mobile workforce

NAC: Posture and identity assessment for network access

IronPort C-Series: Web content security, URL filtering

IronPort S-Series: Email SPAM and virus filtering

ASA Content Security & Control: Email SPAM, virus, URL filtering

MARS: Centralized reporting, policy and management, risk mitigation

SenderBase: Global threat database, reputation services

CSM: Security management and policy configuration

Page 25:

The SDN Secured Data Center

ASA

ACS

MARS

WAAS

Web Servers

ACE

CSA

CSA

CSA

Application Servers

Database Servers

AXG (Web Apps)

CSA

CSA

MDS w/SME

Tier 1/2/3 Storage

Tape/Off-site Backup

AXG (B2B)

CSM, CSA-MC, CW-LMN

Data Center Edge
• Firewall & IPS
• DOS Protection
• App Protocol Inspection
• Web Services Security
• VPN termination
• Email & Web Access control

Cat6K FWSM

Web Access
• Web Security
• Application Security
• Application Isolation
• Content Inspection
• SSL Encryption/Offload
• Server Hardening

Apps and Database
• XML, SOAP, AJAX Security
• XDoS Prevention
• App to App Security
• Server Hardening

Storage
• Data Encryption
  • In Motion
  • At Rest
• Stored Data Access Control
• Segmentation

Mgmt
• Tiered Access
• Monitoring & Analysis
• Role-Based Access
• AAA Access Control

IronPort E-Mail Security

AXG (DHTML to XML)

IronPort Web Security

IronPort Web Security

Page 26:

Complete Lifecycle Services Portfolio

• Security Design
• Incident Readiness Assessment & Design

• Security Implementation
• CSA, NAC, IPS, ICS, Guard/Detector and MARS Deployment

• Security Optimization

• Security Posture Assessment (SPA)
• Security Architecture Review
• Unified Communications Security Review
• Security Technology Planning
• Enterprise Architecture Consulting

Plan

Design

Implement

Operate

Optimize

Technology supports business objectives, sound financial decisions

Alignment of investments to requirements

Maintain network health; keep threat management current, proactive

Network stays ahead of changing user demands and corporate policies

High availability of network resources

• Security Center
• Intelligent Information Services
• Security Remote Management Services
• Incident Response
• Cisco Services for IPS

Page 27:

New Cisco Security Center

Vendor-neutral security threat intelligence with Cisco IPS signatures and expert mitigation techniques

IntelliShield Cyber Risk Report Podcast, analysis of current security trends

Real-time threat activity mapping, opportunities to improve network security, increase knowledge, and join the community

Latest information on Cisco security products and services

www.cisco.com/security

Page 28:

IntelliShield Advisory Service

Risk Ratings: Each Alert graded by urgency, credibility, severity, and CVSS industry standard

Version Summary: Brief summary of the most recent Alert version

Impact: The possible effect of an attack

Description: High level overview of Alert and strategic implications

Technical Information: Tactical explanations and guidance aimed at administrators

Page 29:

Market Leader with Commitment to Security

Product and Technology Innovation

1500+ security-focused engineers

Nine acquisitions added to our solution portfolio in last two years

100+ NAC partners worked collaboratively with us to deliver an unprecedented security vision

Industry Leadership

Responsible disclosure

Cisco Security Center web destination

IntelliShield — security intelligence and best practice sharing

Active participation in security standards bodies

“Because the network is a strategic customer asset, the protection of its business-critical applications and resources is a top priority.”

John Chambers, Chairman & CEO, Cisco


Page 30:

Summary

Threat evolution requires new thinking, new approach

Network and content security – Works “better together”

Cisco SDN – Defining the future of IT security
