Presentation_ID
Cisco Confidential
[Slide figure: integration analogy: iPod, Mobile Phone, Web Service]
[Slide figure: integrated service modules: Firewall Service Module, Guard/Detector Module]
Guard/Detector Module
[Diagram: data-center topology: Internet, Internet Router, Firewall, WAN, BB Switch, Backbone, Access, Server Farm]
Presentation_ID 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
[Diagram: data-center topology (Internet Router, WAN, BB Switch, Backbone, Access, Server Farm) with FWSM and NAM modules]
DDoS
[Diagram: Guard and Detector deployment: Detector at the Server Network, Guard at the Core Router (MVP), with numbered traffic steps 1 to 6]
Guard / Detector: Out Of Path; TCP/UDP/ICMP/DNS/SIP
Attack types covered:
- Flood Attacks: TCP, UDP, ICMP; SYN Flood
- HTTP Attacks: Connection Flood (client attack); HTTP errors (404 etc.); HTTP half connections; HTTP cache control attack
- UDP Flood
- FIN, SYN-ACK Flood; Ping Flood
- Smurf Flood
- Combined UDP/TCP/ICMP
- SIP Attack
Cisco Guard/Detector
ADM (Anomaly Detector Module)
[Table: Service Module Type, Physical Port; platform Cisco 7600 / Catalyst 6500; diversion Static, BGP, GRE, MPLS; Performance 3Gbps, Clustering 16G / 10G, 512G; 500 Zone / 50 Zone / 10; Zone Zombie; 1msec]
Learning Based
[Table: 150K Dynamic Filter; 500 Zone / 50 Zone; 7GB DDRAM, 1GB Compact Flash]
Detected attack classes:
- Spoofed, Non-Spoofed Packet
- TCP Attack: Flag Based (SYNs, SYN-ACKs, ACKs, FINs, fragments)
- UDP Attack: Random port Flood, Fragment
- ICMP Attack: Unreachable, echo, Fragment
- DNS Attack
- HTTP Attack
- SIP Attack
- BGP Attack
IT IPv6
High Performance
- 2.8Mpps / 1M / 100K CPS; 1000 Vlan; 1 Routed Mode; 256 Vlan ACL 100K / NAT 256K; 250 (3)
- L2/L3 (Transparent, Routed Mode)
- Dynamic / Multicast Routing: OSPF, RIPv1/2, PIM Sparse Mode v2, IGMPv2, EIGRP, BGP
- Deep Inspection: Core Internet Protocol, DB/OS Service, Multimedia/VoIP
- Active/Standby, Active/Active
- DDoS Attack: SYN Cookie, Src Rate limit
- CC EAL 4+
Cisco FWSM
Cisco FWSM
[Diagram: Network Service and Network Protocol support: BGP, OSPF, Static routing, QoS]
Cisco FWSM
[Diagram: 1 Link, 150msec; 2 FWSM, 1Sec, Session Loss; 3, 1Sec; 4 Uplink, 1Sec]
Cisco FWSM
Enterprise I /Campus
[Diagram: FWSM Network Campus Network Design vs Appliance: Internet, DMZ zones; One Click, Mgmt Overhead]
Enterprise II /Campus
[Diagram: FWSM on Backbone/Dist Switch with Internet uplink; Network Segments; Group A, Group B, Group C]
Catalyst 6500, IPv6
IBM4GS3
Contents
Application Vendor, Point Product
Cisco ACE
Virtualization Role-Based
Content Switching
- Performance: 6.5Mpps / 4M / 348K CPS; 4000 Vlan/Probe; ACL 256K / NAT 1M; Virtual Context 250 (5)
- SLB: Adaptive response, Least loaded, Least bandwidth, Least connections, Round-robin, Hash address, Hash cookie, Hash header, Hash URL
- Role Based Access Control / Checkpoint, Reflexive ACL, TCP/IP normalization, DDoS
[Chart: 50%, 20%, 20%, 10%; A; ACE]
[Diagram: Context Admin, Mgmt Console, ANM]
Cisco ACE
Application
Role-Based Access Control; Config via GUI/CLI; Programmatic configuration via XML Programming API
Server
[Diagram: ACE virtual contexts #1 to #5 on the Front network serving N-Tier (Web / App / DB) applications; notes: Mgmt Overhead, Resource Limitation]
- 16 Gbps / 6.5Mpps / 4M
- 348K CPS
- SSL 4Gbps / 10K TPS
- L2/L3
- TCP
VPN
[Diagram: Data Center to Branch VPN]
High Performance, Scalability, Security
- Advanced IPSec: DES, 3DES, AES (128, 192, 256 bit Key)
- Pre-Encryption QoS: Aggregate Shaper, LLQ
- sVTI
- IPv6
- Encryption Engine Sharing
- VRF Aware IPSec
- WS-SSC-600 SCC multicast egress buffer
10 VSPA
- App
- Interface, Device
NAM Module
Cisco NAM
Network NAM Module, 2GB RAM
Easy Deploy & Use
- Real Time / Historical Application Monitoring
- Response Time Monitoring
- Packet Capture/Decoding
- Video, VoIP, QoS Monitoring: SCCP, RTP/RTCP, MGCP, SIP
- Host, Application, Conversation; Vlan Traffic; URL, Application
- Threshold, Alarm
Cisco NAM: Traffic Overview (Port, Application, Traffic)
Cisco NAM: Traffic Overview - Voice
- Voice Monitoring: Packet loss report, Jitter report, Active Call, Call report
- Phone
- Protocols: SCCP, H.323, MGCP, SIP, RTP streams
- Monitoring: RMON1 and 2, Application Response-Time (ART), Call Manager
Cisco NAM
[Diagram: NAM Latency, Server Latency; Network Flight Time = Total Time - Server Latency]
Cisco NAM: Traffic Overview - Packet
Cisco NAM
[Diagram: NAM monitoring VPN-A VRF and VPN-B VRF traffic between sites A and B; per-VRF statistics: VC Label, VC, VRF In/Out Pkt, bps]
Cisco NAM
Catalyst 6500
VACL