security fundamentals - cisco.com · sdn overview © 2007 cisco systems, inc. all rights reserved....
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. SDN Overview
Security Fundamentals
Barbara Fraser, Corporate Consulting Engineering
Agenda
The Challenge
The Self-Defending Network
Why Cisco Security?
The Challenge
Adoption of Technologies for Collaboration and Communication Driving Security Evolution
The Human Network at Work
Reputation
Regulatory Compliance
Efficient Business Operations
Limiting Liability
Managing Risk and Compliance: The Potential Business Impact
Down time/service disruption
Data loss/disclosure
Damaged trust
Compliance recovery
The Evolution of Intent: A Shift to Financial Gain
Threats are becoming increasingly difficult to detect and mitigate
[Chart: Threat Severity over time, with the time axis marked 1990, 1995, 2000, 2005, 2007, 2010]
FINANCIAL: Theft & Damage
FAME: Viruses and Malware
NOTORIETY: Basic Intrusions and Viruses
A More Sophisticated Threat Environment With a Structured Network for Financial Gain
[Diagram columns: Writers, First Stage Abusers, Middle Men, Second Stage Abusers, End Value]
Spyware
Viruses
Trojans
Worms
Malware Writers
Internal Theft Abuse of Privilege
Information Harvesting
Machine Harvesting
Extortionist DDoS for Hire
Spammer
Phisher
Pharmer/DNS Poisoning
Identity Theft
Compromised Host and Application
Botnet Creation
Botnet Management
Personal Information
Information Brokerage
Electronic IP Leakage
Theft
Espionage
Extortion
Commercial Sales
Fraudulent Sales
Click Fraud
Financial Fraud
Tool Writers Hacker/Direct Attack
Fame
The Evolving Security Challenge: Emergence of New Attack Types
Source: 2007 CSI Survey
IT Security – Strategic Business Enabler
Enforce policy tied to business requirements
Foster innovation initiatives
Enable offensive business moves
Reduce complexity of the overall environment
Build a competitive advantage
Pursue new revenue opportunities
But, How Do We Get There?
http://ca.youtube.com/watch?v=16iNk1hLJt4
The Self-Defending Network
The Challenges of Approaching Security Without an End-to-End, Systems Approach
[Diagram: separate point products]
NAC
Firewall
NW IPS
IPSEC VPN
SPAM Gateway
Host IPS
AV Gateway
Web App Firewall
URL Filter
SSL VPN
Security Mgmt.
XML Firewall
Training and Staffing
Policy Implementation
Threat Intelligence
Event Sharing and Collaboration
Configuration and Management
The Advantages of a Systems Approach: Lower Cost, Higher Efficiency, Greater Impact
Policy Implementation
Configuration and Management
Training and Staffing
Threat Intelligence
Event Sharing and Collaboration
Integration Into the Network Infrastructure
[Diagram: the same products, integrated]
NAC
Firewall
NW IPS
IPSEC VPN
SPAM Gateway
Host IPS
AV Gateway
Web App Firewall
URL Filter
SSL VPN
Security Mgmt.
XML Firewall
The Need For a Systems Approach
Less complexity, improved usability
Collaborative operation, increased effectiveness
Fewer devices, reduced initial and ongoing cost
The Alternative…
Cisco Self-Defending Network: A Systems Approach to IT Security
Integrated: Enabling every element to be a point of defense and policy enforcement
Adaptive: Proactive security technologies that automatically prevent threats
Collaborative: Collaboration among the services and devices throughout the network to thwart attacks
Self Defending Networks: To Date
Policy and Control Systems: Dynamic control systems providing real-time and out-of-band analytics, focused on specific needs and drivers
Network Security:
Threat Control: Controlling access to systems, and protecting users and systems from attack or compromise using deep packet inspection
Confidential Communications: Securely extending network services to the mobile workforce
Trusted Client: Client Stubs for HIPS, Secure Desktop, SSL/IPSEC VPN
Secure Network Platform: Security integrated into the Network Platform
Policy and Control Systems
Network Security
Trusted Client
Secure Network Platform
Expansion of the Self Defending Network: Version 3.0
Policy and Control Systems
Content Security: Generally deployed at the Perimeter
Protecting Client Applications from Anti-X activities
Malware, URL Filtering, Spam, Phishing, Botnet discovery, etc.
Application Security: Generally deployed in the Data Center
Protecting Server Applications from Layer 4-7 Attacks
SQL Injection, XML FW, HTTP spoofing, etc.
Content Security
Application Security
Network Security
Trusted Client
Secure Network Platform
Cisco Self-Defending Network 3.0: The Future of IT Security
Better Together: Integrates advanced network, endpoint, content and application security for evolving threats
Wide Traffic Inspection: Protects against latest threats using information gathered from across the global network
End-to-End Solution: Provides end-to-end IT Security solution with unmatched breadth of protection
Threat Evolution Driving Need for Content and Network Security
Locked the network doors, but email and web stayed open
Network Security
Content Security: Port 25, Port 80
Network and Content Security: “Better Together”
Cisco offers a broad suite of highly integrated security solutions across all points in the network
Firewall, VPN, IDS/IPS, NAC, Security Management
IronPort expands end-to-end solution with messaging and web content security services
Endpoint: Cisco Security Agent, Network Admission Control
Network & Perimeter: Firewall, IPS, SSL VPN
Branch Office: FW, IPS, VPN
Wireless Security: Rogue AP, IPS
IPC Security: Infrastructure, Call Management, Applications, Endpoints
Data Center
Content Security
EMAIL Security Appliance
WEB Security Appliance
SenderBase
Internet
Application Layer Becoming a Target Requiring Protection
75% of New Application Attacks Focused on Custom Apps
Custom Web Applications
Customized Packaged Apps
Internal and 3rd Party Code
Business Logic & Code
[Diagram layers: Web Servers, Application Servers and Database Servers, each on Operating Systems, above the Network]
Network Firewall
IDS/IPS
“50% of enterprises and government agencies are using XML, Web services or SOA.” Source: Gartner
“XML accounted for 15% of internet traffic in 2005. By 2008, it is expected to account for 50%.” Source: 451 Group
Changing the Game: End-to-End IT Security Solution
ACE App Firewall: Web application security services for application front-ends
ACE XML Firewall: SOA and XML inspection and policy enforcement
IPS: Integrated network threat monitoring and analysis
VPN: Secure, encrypted, customizable remote access
ASA: Network security, firewall, modular VPN, IPS
CSA: End point protection for servers, desktops and mobile workforce
NAC: Posture and identity assessment for network access
IronPort C-Series: Web content security, URL filtering
IronPort S-Series: Email SPAM and virus filtering
ASA Content Security & Control: Email SPAM, virus, URL filtering
MARS: Centralized reporting, policy and management, risk mitigation
SenderBase: Global threat database, reputation services
CSM: Security management and policy configuration
The SDN Secured Data Center
[Diagram components: ASA, ACS, MARS, WAAS, ACE, Cat6K FWSM, CSM, CSA-MC, CW-LMN, CSA (on servers), Web Servers, Application Servers, Database Servers, AXG (Web Apps), AXG (B2B), AXG (DHTML to XML), MDS w/SME, Tier 1/2/3 Storage, Tape/Off-site Backup, IronPort E-Mail Security, IronPort Web Security]
Data Center Edge
• Firewall & IPS
• DOS Protection
• App Protocol Inspection
• Web Services Security
• VPN termination
• Email & Web Access control
Web Access
• Web Security
• Application Security
• Application Isolation
• Content Inspection
• SSL Encryption/Offload
• Server Hardening
Apps and Database
• XML, SOAP, AJAX Security
• XDoS Prevention
• App to App Security
• Server Hardening
Storage
• Data Encryption (In Motion, At Rest)
• Stored Data Access Control
• Segmentation
Mgmt
• Tiered Access
• Monitoring & Analysis
• Role-Based Access
• AAA Access Control
Complete Lifecycle Services Portfolio
• Security Design
• Incident Readiness Assessment & Design
• Security Implementation
• CSA, NAC, IPS, ICS, Guard/Detector and MARS Deployment
• Security Optimization
• Security Posture Assessment (SPA)
• Security Architecture Review
• Unified Communications Security Review
• Security Technology Planning
• Enterprise Architecture Consulting
Plan
Design
Implement
Operate
Optimize
Technology supports business objectives, sound financial decisions
Alignment of investments to requirements
Maintain network health; keep threat management current, proactive
Network stays ahead of changing user demands and corporate policies
High availability of network resources
• Security Center
• Intelligent Information Services
• Security Remote Management Services
• Incident Response
• Cisco Services for IPS
New Cisco Security Center
Vendor-neutral security threat intelligence with Cisco IPS signatures and expert mitigation techniques
IntelliShield Cyber Risk Report Podcast, analysis of current security trends
Real-time threat activity mapping, opportunities to improve network security, increase knowledge, and join the community
Latest information on Cisco security products and services
www.cisco.com/security
IntelliShield Advisory Service
Risk Ratings: Each Alert graded by urgency, credibility, severity, and CVSS industry standard
Version Summary: Brief summary of the most recent Alert version
Impact: The possible effect of an attack
Description: High level overview of Alert and strategic implications
Technical Information: Tactical explanations and guidance aimed at administrators
Market Leader with Commitment to Security
Product and Technology Innovation
1500+ security-focused engineers
Nine acquisitions added to our solution portfolio in last two years
100+ NAC partners worked collaboratively with us to deliver an unprecedented security vision
Industry Leadership
Responsible disclosure
Cisco Security Center web destination
Intellishield — security intelligence and best practice sharing
Active participation in security standards bodies
“Because the network is a strategic customer asset, the protection of its business-critical applications and resources is a top priority.”
John Chambers, Chairman & CEO, Cisco
Summary
Threat evolution requires new thinking, new approach
Network and content security – Works “better together”
Cisco SDN – Defining the future of IT security