Secure Enterprise Design: BRKSEC-2000

Secure Enterprise Design
BRKSEC-2000
BRKSEC-2000
14339_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
© 2008, Cisco Systems, Inc. All rights reserved. 1

14339_04_2008_c1.scr
Agenda
Basic Security Principles

Network Security Is a System
Everything Is a Potential Target and Weapon
Strive for Operational Simplicity
Security Through Obscurity Is Not Secure
Confidentiality Is Not the Same as Security
Enterprise Security Policy Design

Design Principles
Case Study/Example
Conclusion
BRKSEC-2000
Network Security Is a System
Firewall + AV ≠ Network Security

Network security is not something you can just buy
Technology will assist
Policy, Operations, and Design are more important
Network security system:

A collection of network-connected devices, technologies,
and best practices that work in complementary ways to
provide security to information assets
BRKSEC-2000

14339_04_2008_c1.scr
Cisco Self-Defending Network
Integrated Collaborative Adaptive

Enabling every Collaboration among Proactive security
element to be a point the services and technologies that
of defense and policy devices throughout automatically prevent
enforcement the network to thwart threats
attacks
BRKSEC-2000
Evolution of Security Challenges

Target and Damage
GLOBAL Seconds
Infrastructure
Impact Next Gen
REGIONAL
Networks Minutes
3rd Gen
MULTIPLE Days
Networks
Weeks 2nd Gen

INDIVIDUAL
Networks 1st Gen
INDIVIDUAL
Computer
1980s 1990s Today Future
BRKSEC-2000

14339_04_2008_c1.scr
Evolution of Security Challenges
Broad Outbreaks Targeted Attacks

Broad Scope Narrow scope
IT Burden Business Loss
User Challenges User Transparent
But… But…
Require Automated Processes Nearly invisible
User Self-reliance Little user knowledge
Productivity Impact Potential Damage

Intrusion Prevention
Anti-Virus
Behavioral Analysis
L3/L4 Firewall
App Gateway
BRKSEC-2000
Simple Real-World Example: Virus/Worm

What Devices Assist in Stopping Attacks?
IPS (host/network, anomaly/signature-based)
Antivirus (host/network)
Traditional stateful firewalls do little to stem the tide
WWW SMTP
AV
HIPS
Internal
Host AV
Internet
WAN
Stateful
Router
Firewall
Internet Campus
Network
ISP Anomaly NIPS
Router Detection
BRKSEC-2000

14339_04_2008_c1.scr
Anything Is a Potential Target or Weapon
Hosts are preferred target for worms and viruses

Large number of attacks target user hosts
Compromised hosts become launch points (botnets)
But there are other high-value alternative targets:

Infrastructure devices: routers, switches
Support services: DHCP servers, DNS servers
Endpoints: management stations, IP phones
Infrastructure: network capacity
Security devices: IDS/IPS
BRKSEC-2000
For Example
How Can a Router Be a Weapon?
Disable interfaces = DoS
Change ACLs = change access policy and DoS
Alter routing tables = change access policy and DoS
Packet generator = DoS
Serve false addresses = DoS and
Man-in-the-Middle (MitM)
Internet LAN
BRKSEC-2000

14339_04_2008_c1.scr
For Example
How Can an IDS/IPS Be a Weapon?
If shunning is implemented (not recommended):
You can spoof attack signature from root nameservers
This will cause the IDS/IPS to shun rootservers
Target will slowly lose reachability to the internet
over time
Internet LAN
BRKSEC-2000
Strive for Operational Simplicity
Network ops is critical to security system design

How will your system hold up under attack?
Do you have the tools you need to respond effectively?
Good management tools

Ensure manageability when under attack
Excellent visibility of threats
Good operational processes

Ensure late night changes won’t cripple security
Monitor tools, respond to threats
Operational simplicity helps reduce down time
BRKSEC-2000

14339_04_2008_c1.scr
Aggregation vs. Segmentation
NIPS
VPN GW
Extranet
Server
SSL FW Router Extranet
Offload Client
Which meets your

business needs?
Extranet Extranet
Server Client
Security-Enabled Switch
BRKSEC-2000
Security Through Obscurity “Isn’t”
Too many secrets is bad for security

Good crypto algorithms are secure because they are public
The only “secret” is the key itself
Security design should follow the same principles

Avoid security relying on secrets
(i.e., running insecure web servers on obscure TCP ports,
hiding your FW manufacturer, etc.)
However, don’t advertise details of your security

(if obscurity is low cost…use it)
Security shouldn’t be affected by publication of your security
architecture, but don’t post Visio drawings on your website
BRKSEC-2000

14339_04_2008_c1.scr
Confidentiality Is Not the Same
as Security
What is confidentiality?
Protecting information to ensure it is only disclosed to authorized audiences
What is security?
Protecting systems, resources, information from unintended and unauthorized
access or misuse
Example: encrypted e-commerce with partners and customers
E-commerce data is “protected” by SSL Encryption
Compromised endpoint attacks server through SSL connection
NIPS and Firewalls can not see attack
HIPS, PVLANs, and host security required to protect servers
SSL
Customer
Internet
E-Comm
Svr
Mail Svr
BRKSEC-2000
Agenda

Policy Design Process
Overall Lifecycle
Business Goals and Risk Analysis
Open vs. Closed Policies
Security Is Not an Add-On
Design Principles
Best Practice Designs
Case Studies
Conclusion
BRKSEC-2000

14339_04_2008_c1.scr
Overall Security Lifecycle
A Security System Is One Part of a System Lifecycle
Business needs
What does your organization
want to do with the network? Business Risk
Needs Analysis
Risk analysis
What is the risk and cost balance?
Security policy Security Policy
Define policies, standards,
guidelines to address business Policies, Guidelines, Standards
needs and risk?
Industry best practices
Industry
Use reliable, well-understood, Security
and recommended security Best
System
best practices? Practices
Security operations
Incident response, monitoring, Security Operations
maintaining, and compliance Incident Res, Monandmaint,
auditing Comply Audit
BRKSEC-2000
Formulating a Security Policy
Business Risk
Requirements Analysis
Regulatory Cost
Requirements Analysis
Security Policy
BRKSEC-2000

14339_04_2008_c1.scr
Business Goals and Risk Analysis
Effective security policies require clear understanding

of business goals and good risk analysis
Business needs often come first
Your business shouldn’t halt due to security concerns
Security should protect assets, and accommodate
business goals
Security often conflicts with ease of use and flexibility.
Risk analysis is understanding two key elements:

The cost/benefit of your security system
How attack techniques play out in your environment
BRKSEC-2000
Open vs. Closed Policies
Open policy
“Yes you can, unless explicitly denied”
Popular in communal and academic environments
Generally used by service and transport providers
Closed policy
“No you can’t, unless explicitly permitted”
Popular in enterprise and business environments
BRKSEC-2000

14339_04_2008_c1.scr
Agenda

Design Principles
General Design Principles
Mapping Technology to Security Requirements
Case Study/Example
Conclusion
BRKSEC-2000
Domains of Trust (Zones)
1stcase.com 2ndcase.com
Internal External
Internal WAN WAN Servers
Internet
External Internet
Servers
Labs
Employees VPN
VPN
Remote Remote
Access Access
Labs Employees
Domains of Trust segment communities by policy
BRKSEC-2000

14339_04_2008_c1.scr
Purpose of Domains of Trust
Risk defines policy
Importance to the business
Likelihood of being attacked
Security Domains based on like “policy”
Network segments have different trust levels
Consistent security controls within a segment
Define trust relationships between segments
Gradient of trust differentiate domains
Trust gradient may be minor or extreme
Gradient determines security measures
Choke points control trust between segments
Commonly a network firewall or access control
Domains of trust are key to good network security design
BRKSEC-2000
Sample Domains of Trust

Private Public
Production Lab
HQ Public Branch
Steep gradient =
high risk
Considerable
safeguards Lesser gradient =
Advanced Firewalling low risk
Considerable safeguards
Flow-based inspection Basic safeguards
between corporate and public
Misuse detection (IPS) Basic access control
Constant monitoring Casual monitoring
Protect data transiting
steep gradients
Communication security
Auth, confidentiality, integrity
BRKSEC-2000

14339_04_2008_c1.scr
Enterprise Security Zones—Logical
Mail DNS Finance
Internet Corporate
ISP DMZ Dev
Access Core
Web Ops
Apps
BRKSEC-2000
Enterprise Security Zones—Physical
DNS Email Finance
VLAN20 VLAN21 VLAN10
Internet Trunk Trunk Dev

VLAN11
VLAN22 VLAN12
Web Ops
Apps
BRKSEC-2000

14339_04_2008_c1.scr
Agenda

Design Principles
General Design Principles
Mapping Technology to Security Requirements
Case Study/Example
Conclusion
BRKSEC-2000
Classic Perimeter Model
Firewall/VPN
Antivirus/Antispyware
BRKSEC-2000

14339_04_2008_c1.scr
Cisco ASA 5500 Series Adaptive
Security Appliances
New
• Integrated firewall, SSL/IPsec, IPS, Content Security
• Multi-processor architecture for high services
performance and investment protection New
• Flexible management options ASA 5580-40
• Simple Web-based user interface
Cisco ASA 5500 Platforms
• Numerous certifications and awards ASA 5580-20

• And much more…
ASA 5550
ASA 5540
ASA 5520
ASA 5510
ASA 5505
Branch Internet Campus Data

Teleworker
Office Edge Segmentation Center
BRKSEC-2000
Versatile Remote Application Access
SSL/VPN
AnyConnect Remote Access
Web VPN Portal Supply Partner
IPSec Branch Office
Remote Access
Site to Site
Public
Hourly Employee Internet
IPSec VPN
SSL VPN
Employee at Home
BRKSEC-2000

14339_04_2008_c1.scr
So Aren’t I Safe Already?
Firewall/VPN
BRKSEC-2000
6 Pillars to Shore Up Security
Firewall/VPN
BRKSEC-2000

14339_04_2008_c1.scr
Pillar 1
Infrastructure Security
Infrastructure Firewall/VPN
BRKSEC-2000
Common Security Threats in the LAN

Stolen Passwords username: dan
password: grades
Network
Administrator
username: dan
password: grades Unauthorized User
Unauthorized Copying Bringing Down the Network
Confidential
Plan
Unauthorized User
BRKSEC-2000

14339_04_2008_c1.scr
Infrastructure Protection Technologies
Control Plane STP root guard

Policing (CoPP)
CLI AAA
Infrastructure ACLs
SSH
Anti-spoofing
SNMPv3
RFC2827
Rate-limiters
uRPF
Dynamic ARP inspection Resource schedulers
DHCP snooping MD5 authentication
BPDU guard
BRKSEC-2000
Controlling Unauthorized
Network Expansion
Problem:
Individuals can add
unauthorized devices
to network
Solution:
Port security limits
MAC addresses
allowed on network
ports to only one
device at a time
BRKSEC-2000

14339_04_2008_c1.scr
Control Plane Policing (CoPP)
Secure routers against DoS attacks

Apply QoS to processor switched packets
Divide required protocols into priority groups
Management Routing Management
ICMP IPv6 …..
SNMP, Telnet Updates SSH, SSL
Input Output
Control Plane
to the Control from the Control
Plane Plane
Control Plane Silent Mode
Policing (Prevent Recon)
(Alleviating DoS) Processor
Switched
Packets
Output Packet
Packet Buffer
Buffer
Incoming Locally
Packets Switched Packets
CEF/FIB Lookup
BRKSEC-2000
Routing Protocol Security
Routers are prone to multiple attacks

Traffic redirection, black holes, DoS, unauthorized
prefix origination
Routers compromises can be disastrous

Hardening is critical
Prefix filtering prevents bogus advertisements

Define what routing prefixes are allowed from specific locations
Message authentication via MD5 should be done

Supported in RIPv2, OSPF, BGP, EIGRP, IS-IS
Prevents malicious and accidental attacks
BRKSEC-2000

14339_04_2008_c1.scr
Management Channel Security
OOB Mgmt Net
Servers Inband, Clear

Management
Segment Inband, Secure
OOB, Secure
Management
Users
In-band in the clear Out-of-band management
Telnet, HTTP, FTP Strongest security
TFTP, SNMPv2c Beware topology aware mngt systems
In-band secured Hybrid

SSH, SSL, IPSec, Combination of methods listed above
SNMPv3, SFTP, SCP Based on proximity, scale, device type
Always Use AAA When Possible

Protect Command and Control from Resource Starvation Attacks
BRKSEC-2000
Pillar 2
Network Identity
Firewall/VPN
Infrastructure
Identity
BRKSEC-2000

14339_04_2008_c1.scr
Identity-Based Network Services
802.1x
Answering the Questions:
Who are you?
Where are you?
How are you
connected?
What can you do?
BRKSEC-2000
Preventing Unwanted Access

Confidential
Plan
Problem:
Unauthorized users
connect to network and
Unauthorized
download confidential
User documents
Solution:
Confidential
802.1x Security Plan 802.1x with Cisco Access
Control Server (ACS)
authenticates user
Unauthorized Cisco ACS

User Server
BRKSEC-2000

14339_04_2008_c1.scr
802.1x Protocol
802.1x
EAPoL RADIUS
Host Attempt Access RADIUS/

AAA Server
RADIUS
LAN Credential
Connectivity Assessment
Established Performed
Apply Policy to Port

Request Credentials
Send Credentials Forward Credentials to ACS Server
Accept/Reject Authentication Result
Policy Instructions
(Dynamic VLAN)
Authenticate Client to Auth Server via Extensible Authentication Protocol (EAP)

Switch is Intermediary, but aware of conversation
BRKSEC-2000
Pillar 3
Posture Assessment
Firewall/VPN
Infrastructure
Posture
Identity
BRKSEC-2000

14339_04_2008_c1.scr
Posture Assessment
Before Allowing Access, NAC
Recognize
Recognize
User, device, role
Enforce
Evaluate
Identify vulnerabilities
Enforce
Evaluate
Quarantine and Remediate
before network access
BRKSEC-2000
Posture Assessment Use Cases
Managed LAN Unmanaged/

Users Guest LAN Users
Customer
Business
Issues
Wireless LAN VPN/Remote/

Users WAN Users
BRKSEC-2000

14339_04_2008_c1.scr
Posture Assessment Design
Client Traffic inline before

posture assessment
Traffic Inline or
Out-of-band after
Potential traffic controls:
Filters
Bandwidth
VLAD retag per role
User time-outs
Hubs, Access Points,

Unsupported Switches
BRKSEC-2000
NAC Deployment Flexibility

Border
Router Intranet
Firewall
NAC Appliance
NAC Appliance Routed or
Bridged Central Bridged Central
Deployment Switch Deployment
Switch
Core
NAC Appliance
Edge Deployment
Authentication
NAC Appliance Server
BRKSEC-2000
14339_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Manager 48

14339_04_2008_c1.scr
Pillar 4
Management
Management
Posture
Identity
BRKSEC-2000
Cisco Security Management Suite
Configuration Monitoring
Identity Analysis
Auditing Mitigation
BRKSEC-2000

14339_04_2008_c1.scr
Identity Analysis
Auditing Mitigation
BRKSEC-2000
Cisco Security Manager

Manage Cisco security device configurations
Routers, ASA, FWSM, PIX, IPS
Multiple views into devices and policies
Device, Policy, Topology
Delivers policy scalability with security service management
FW, VPN, IPS management with comprehensive security
platform controls
Power tools
FlexConfig, Config diff viewer, Rule analysis, ACL hit counts
Flexible architecture for unique provisioning capabilities
Designed to support new and evolving security technologies
Integration with other value-add components
Syslog correlation with CS-MARS
BRKSEC-2000
Role-based access control (RBAC) with Cisco \ACS

14339_04_2008_c1.scr
CSM: Device/Policy/Topology Views
BRKSEC-2000
Identity Analysis
Auditing Mitigation
BRKSEC-2000

14339_04_2008_c1.scr
CS-MARS
Capture multiple sources of data…
BRKSEC-2000
CS-MARS
Feed into Correlation Engine…
BRKSEC-2000

14339_04_2008_c1.scr
Critical Data Reduction
2,694,083 Events
992,511 Sessions
249 Incidents
61 High Severity
Incidents
Tremendous Data Reduction
BRKSEC-2000
NetFlow Telemetry
Cisco Cisco and Partners Partners
Network Planning
Accounting/Billing
Router: Collector:
• Cache creation • Collection
• Data export • Filtering
• Aggregation • Aggregation
Applications:
• Storage
• File system management Data Presentation
BRKSEC-2000

14339_04_2008_c1.scr
Identity Analysis
Auditing Mitigation
BRKSEC-2000
Access Control System (ACS)
Key Scenarios
Device Administration
Remote Access
Wireless and 802.1x CiscoWorks
Compliance Features
ACS AD/LDAP
Authentication policy
(e.g. require complex
password)
Authorization enforcement Posture/Audit
(e.g. network access, device

command authorization)
Audit logging
BRKSEC-2000

14339_04_2008_c1.scr
Pillar 5
Intrusion Detection/Protection
Management
Posture
Identity
IPS
BRKSEC-2000
Network IPS
BRKSEC-2000

14339_04_2008_c1.scr
Network-Based IDS: The Sensor
Network Link to the

Management Console
IP Address
Passive Interface
No IP Address
Monitoring the Network
Data Capture
Data Flow
BRKSEC-2000
Network-Based IPS: The Sensor
Network Link to the

Management Console
Management Interface
IP Address
Data Flow
Transparent Interfaces
No IP Address
BRKSEC-2000

14339_04_2008_c1.scr
Distributed IPS Solutions
Signature Updates
Central Signature
File Management Cisco IPS
Appliance
Corporate
Office
WAN
Regional Office
Branch Office
Telecommuter Small Satellite Office
BRKSEC-2000
Accurate Prevention Technologies

Risk Rating Provides Threat Context
Event How urgent is Decision support

Severity the threat? balances attack urgency
+ with business risk
Signature How prone to
Fidelity false positive?
Attack
+
Is attack relevant to
Relevancy host being attacked?
+
Asset Value How critical is this
of Target destination host?
RISK Drives
Mitigation
RATING Policy
BRKSEC-2000

14339_04_2008_c1.scr
Accurate Prevention Technologies
Meta Event Generator Delivers Advanced Correlation
On-box correlation allows adaptation to new threats in
real-time without user intervention
Risk Rating Links lower risk

A + B + C + D = WORM! DROP events into a high risk
Event D-
Worm meta-event, triggering
High
Stopped! prevention actions
Models attack
Event A
Event B
Event D Behavior by
Medium
Correlating:
Event type
Event C
Low Time span
Time: 0 2 4 6 8 10
BRKSEC-2000
Host Based IPS
BRKSEC-2000

14339_04_2008_c1.scr
Behavioral Host Intrusion Prevention
Intercept OS calls
Invokes allow/deny
response
Monitor system calls:
File system
Network
Registry
Execution
“Zero Update” architecture
BRKSEC-2000
Malicious Behavior
• Ping addresses 0Rapidly mutating
• Scan ports 0Continual
• Guess passwords signature
• Guess mail users updates
• Mail attachments 0Inaccurate
• Buffer overflows
Probe • ActiveX controls
1 • Network installs
• Compressed messages
2 Penetrate • Backdoors
Target 3 Persist • Create new files
• Modify existing files
4 Propagate • Weaken registry
5 • Mail copy of attack security settings
Paralyze • Install new services
• Web connection
• IRC • Register trap doors
• Delete files • FTP
• Modify files • Infect file shares
• Drill security hole 0Most damaging
• Crash computer
• Denial of service
9 Changes very slowly
• Steal secrets 9 Inspiration for the
CSA solution
BRKSEC-2000

14339_04_2008_c1.scr
CSA in Action: Protection Against Zotob
and Variants (B through G)
TCP/445 via
Null session
Buffer Overflow
against uPNP service
Executable in System folder

Modifies registry and HOSTS
Downloads files via TFTP
Connects to IRC
Starts Command shell for FTP, TFTP 1171

300 threads scan for other systems to infect
Deletes registry keys and files

Terminates processes
BRKSEC-2000
Pillar 6
Application Security
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
BRKSEC-2000

14339_04_2008_c1.scr
IronPort Perimeter Security Appliances
Internet
IronPort
SenderBase
EMAIL WEB
Security Security
Appliance Appliance
Security
MANAGEMENT
Appliance
BRKSEC-2000
IronPort SenderBase®
Data Makes the Difference
150 Parameters
Threat Prevention in Realtime
• Complaint Reports
• Spam Traps
• Message
Composition Data
• Global Volume Data
• URL Lists SenderBase Data Analysis/ SenderBase
Data Security Modeling Reputation Scores
• Compromised
Host Lists -10 to +10
• Web Crawlers
• IP Blacklists
& Whitelists
• Additional Data
BRKSEC-2000

14339_04_2008_c1.scr
IronPort Reputation Filters Stop
80% of Hostile Mail at the Door…
Known good
is delivered
Reputation Anti-Spam Suspicious is

Filtering Engine throttled &
spam filtered
Incoming Mail
Good, Bad, and “Grey” Known bad is
or Unknown Email deleted/tagged
IronPort uses identity and reputation to apply policy

Sophisticated response to sophisticated threats
BRKSEC-2000
Web Traffic: Clear and Present Risks

The Circle of Risk
Malware & 35-40% of Web usage is

AUP violations non-business related
(Source: IDC Research)
Web
Traffic
75%+ of enterprises infected

with spyware & malware
(Source: IDC Research)
BRKSEC-2000

14339_04_2008_c1.scr
Web Traffic
The Long Tail Gets Longer
“Big Head + Long Tail”

• ~110 Million sites
• ~10–12 Billion Web Pages
50%
Predictable traffic, • Growing at 35–40% annually
well known domains
Traffic Volume
50%
Growing fast,
Big harbors spyware
Head
& malware
Long Tail
# of Sites
BRKSEC-2000
IronPort S-Series
Addressing the Entire Spectrum of Web Traffic
Solution:
AUP URL Filtering
Traffic Volume
Solution:
IronPort Web Reputation Filters
Big Signature-based Anti-Malware
Head Protection
Long Tail
# of Sites
BRKSEC-2000

14339_04_2008_c1.scr
Closing the Application-Network Gap
Deploy
Service Virtualization
Mainframe Connectivity
Application Infrastructure
Secure
XML Firewall and DoS
Access Control Integration
Problem Diagnosis/SLA
Management
Rich Enterprise Policy Mgt
Scale
Application Aware Load Balancing
Bandwidth Compression
XML Processing Offload
Network Infrastructure
Simplify, Secure and Scale Web Services Deployment

BRKSEC-2000
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
BRKSEC-2000

14339_04_2008_c1.scr
Agenda

Design Principles
Internet Edge
Campus
Data Center
Case Study/Example
Conclusion
BRKSEC-2000
Enterprise Network
End Points
Si Si Si Si Si Si
Si Si
Si Si
Si Si
Si Si
WAN Data Center Internet
BRKSEC-2000

14339_04_2008_c1.scr
What Needs to Be Applied?
Access control and identity:

At trust domain perimeters
In front of endpoints or resources
Threat detection and mitigation:
Throughout the network and in front of key high-value assets
Infrastructure protection:
On all infrastructure devices
Application security:
In front of key high-value application resources
Security management:
Throughout the network, to all devices
BRKSEC-2000
Agenda

Design Principles
Internet Edge
Campus
Data Center
Case Study/Example
Conclusion
BRKSEC-2000

14339_04_2008_c1.scr
Enterprise Internet Edge
VPN
ASA5500
Dist
Firewall
Firewall Services Module
ASA5500
DMZ IOS Firewall
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
Internet
BRKSEC-2000 Antivirus/Antispyware

Infrastructure
SNMP v3 – All
Dist
AAA – All
CoPP – All
SSH – All
DMZ RFC2827 – All
IGP/EGP MD5 – All
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
Internet

14339_04_2008_c1.scr
Posture
NAC appliance
Dist
Identity
AAA
VPN
Proxy Authentication
DMZ
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
Internet

Management
SDEE
Dist
NetFlow
Syslog – All
SNMPv3 – All
DMZ SSH – All
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
Internet

14339_04_2008_c1.scr
IPS
IPS 4200
Dist
Integrated IPS
CSA
DMZ
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
Internet

Application
Ironport C Series
Dist
Ironport S Series
Ace XML Gateway
DMZ
Firewall/VPN
Infrastructure
Management
Application
Posture
Identity
IPS
Internet

14339_04_2008_c1.scr
Agenda

Design Principles
Internet Edge
Campus
Data Center
Case Study/Example
Conclusion
BRKSEC-2000
Enterprise Campus Network

Firewall
Access
ACLs
Firewall Services Module
Si Si
Dist
Core Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS
Mngt

14339_04_2008_c1.scr
Infrastructure
L2 security features
Access
AAA – All
SSH – All
SNMP v3 – All
Dist
Si Si
CoPP
uRPF
IGP/EGP MD5
Core Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS
Mngt

Identity
Access
802.1x
NAC Appliance
Posture
Si Si
NAC Appliance
Dist
Core Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS
Mngt

14339_04_2008_c1.scr
Management
Access
Syslog – All
Netflow – All
SNMPv3 – All
Si Si
MARS
Dist
CSM
NAC Manager
Core Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS
Mngt

IPS
Access
CSA
IPS 4200
Si Si
Dist
Core Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS
Mngt

14339_04_2008_c1.scr
Agenda

Design Principles
Internet Edge
Campus
Data Center
Case Study/Example
Conclusion
BRKSEC-2000
Enterprise Datacenter Network

Firewall
Si Si Firewall Services Module
Core
ACLs
WAAS
ACE
Agg
Firewall/VPN
Core
Infrastructure
Access
Management
Application
Posture
Identity
IPS

14339_04_2008_c1.scr
Infrastructure
Si Si CoPP
Core uRPF
IGP/EGP MD5
AAA – All
SNMP v3 – All
Agg SSH – All
L2 security features
Firewall/VPN
Core
Infrastructure
Access
Management
Application
Posture
Identity
IPS

Management
Si Si NetFlow
Core
Syslog – All
SNMPv3 – All
MARS
Agg
Firewall/VPN
Core
Infrastructure
Access
Management
Application
Posture
Identity
IPS

14339_04_2008_c1.scr
IPS
Si Si IPS 4200
Core
CSA
Agg
Firewall/VPN
Core
Infrastructure
Access
Management
Application
Posture
Identity
IPS

Application
Si Si Ace XML Gateway
Core
Agg
Firewall/VPN
Core
Infrastructure
Access
Management
Application
Posture
Identity
IPS

14339_04_2008_c1.scr
Agenda

Design Principles
Case Studies/Examples
Educational Environment Campus
Financial Environment Campus
Manufacturing Environment Campus
Conclusion
BRKSEC-2000
Campus Case Study: Educational

NAC Role
Assignment
Little control of endpoint posture
Must provide access to various
L2 platforms
Core
Access Security Must control rogue network devices
ACLs Firewall/VPN
FWSM
Infrastructure
Dist IPSM Identity
MD5
NetFlow, Posture
Syslog, Management
SNMPv3
IPS
Core Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS

14339_04_2008_c1.scr
Campus Case Study: Financial
NAC Role/
CSA
Posture
Full control of endpoint posture
L2 Mixed endpoint platforms
Security
Core
Access Regulatory concerns
ACLs
Firewall/VPN
FWSM
Infrastructure
Dist IPSM
MD5 Identity
NetFlow,
Syslog, Posture
SNMPv3 Management
Core IPS Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS
Campus Case Study: Manufacturing

NAC Role/
Profiler
Full control of endpoint posture
L2 Support “dumb” endpoints (e.g..
Security manufacturing equipment/robots)
Core
Access
Mixed endpoint platforms
NAC
Appliance ACLs
FWSM Firewall/VPN
Infrastructure
Dist IPSM
MD5 Identity
NetFlow,
Syslog, Posture
SNMPv3
Management
Core IPS Firewall/VPN
Si Si
Infrastructure
Management
Application
Posture
Identity
IPS

14339_04_2008_c1.scr
Conclusion
Summary
Network security is a system
Must incorporate business needs, security policy, best
practices, risk analysis
Food for thought

Sample designs are a useful start, but every network is unique
New technologies may enhance security, but best practices
take time to develop
Thoroughly understand the problems
Fully understand how available tools work
Apply the tools as necessary
BRKSEC-2000
Related Sessions
Identity and Access Control
SEC-2005 Deploying 802.1X
SEC-2007 Deploying Cisco IOS Security
SEC-2020 Firewall Design and Deployment
SEC-2041 Deploying Cisco Network Admission Control Appliance
Infrastructure Protection
SEC-2002 Understanding and Preventing Layer 2 Attacks
SEC-2101 Service Provider and Large Network Core Infrastructure Best Practices
SEC-2105 Router Security Strategies: Securing IP Network Traffic Planes
Threat Detection and Mitigation
SEC-2030 Deploying Network-Based Intrusion Prevention Systems
SEC-2031 Understanding Host-Based Threat Mitigation Techniques
Security Management
SEC-2006 Inside the Perimeter: 6 Steps to Improving your Security Monitoring
SEC-2009 Cisco Security Manager (CSM) and CS-MARS Integration and Deployment
SEC-3009 Operational firewall and IPS management using CSM and MARS
BRKSEC-2000

14339_04_2008_c1.scr
Q and A
BRKSEC-2000
Recommended Reading
Continue your Cisco Live

learning experience with further
reading from Cisco Press
Check the Recommended
Reading flyer for suggested
books
Available Onsite at the Cisco Company Store

BRKSEC-2000

14339_04_2008_c1.scr
Complete Your Online
Session Evaluation
Give us your feedback and you could win Don’t forget to activate
fabulous prizes. Winners announced daily. your Cisco Live virtual
account for access to
Receive 20 Passport points for each session all session material
evaluation you complete. on-demand and return
for our live virtual event
Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center. Solutions or visit
www.cisco-live.com.
BRKSEC-2000
BRKSEC-2000

14339_04_2008_c1.scr

Secure Enterprise Design: BRKSEC-2000

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Secure Enterprise Design: BRKSEC-2000

Încărcat de

Drepturi de autor:

Formate disponibile

Secure Enterprise Design

© 2008, Cisco Systems, Inc. All rights reserved. 1

 Basic Security Principles

 Enterprise Security Policy Design

Network Security Is a System

 Firewall + AV ≠ Network Security

 Network security system:

© 2008, Cisco Systems, Inc. All rights reserved. 2

Integrated Collaborative Adaptive

Evolution of Security Challenges

Weeks 2nd Gen

© 2008, Cisco Systems, Inc. All rights reserved. 3

Broad Outbreaks Targeted Attacks

Productivity Impact Potential Damage

Simple Real-World Example: Virus/Worm

Traditional stateful firewalls do little to stem the tide

© 2008, Cisco Systems, Inc. All rights reserved. 4

 Hosts are preferred target for worms and viruses

 But there are other high-value alternative targets:

© 2008, Cisco Systems, Inc. All rights reserved. 5

Strive for Operational Simplicity

 Network ops is critical to security system design

 Good management tools

 Good operational processes

 Operational simplicity helps reduce down time

© 2008, Cisco Systems, Inc. All rights reserved. 6

Which meets your

Security Through Obscurity “Isn’t”

 Too many secrets is bad for security

 Security design should follow the same principles

 However, don’t advertise details of your security

© 2008, Cisco Systems, Inc. All rights reserved. 7

 Basic Security Principles

© 2008, Cisco Systems, Inc. All rights reserved. 8

Formulating a Security Policy

© 2008, Cisco Systems, Inc. All rights reserved. 9

 Effective security policies require clear understanding

 Risk analysis is understanding two key elements:

Open vs. Closed Policies

© 2008, Cisco Systems, Inc. All rights reserved. 10

 Basic Security Principles

Domains of Trust (Zones)

Domains of Trust segment communities by policy

© 2008, Cisco Systems, Inc. All rights reserved. 11

Sample Domains of Trust

© 2008, Cisco Systems, Inc. All rights reserved. 12

Mail DNS Finance

Enterprise Security Zones—Physical

DNS Email Finance

VLAN20 VLAN21 VLAN10

Internet Trunk Trunk Dev

© 2008, Cisco Systems, Inc. All rights reserved. 13

 Basic Security Principles

Classic Perimeter Model

© 2008, Cisco Systems, Inc. All rights reserved. 14

• Numerous certifications and awards ASA 5580-20

Branch Internet Campus Data

Versatile Remote Application Access

 IPSec Branch Office

© 2008, Cisco Systems, Inc. All rights reserved. 15

6 Pillars to Shore Up Security

© 2008, Cisco Systems, Inc. All rights reserved. 16

Basic Security Principles

Enterprise Security Policy Design

Firewall + AV ≠ Network Security

Network security system:

Hosts are preferred target for worms and viruses

But there are other high-value alternative targets:

Network ops is critical to security system design

Good management tools

Good operational processes

Operational simplicity helps reduce down time

Too many secrets is bad for security

Security design should follow the same principles

However, don’t advertise details of your security

Basic Security Principles

Effective security policies require clear understanding

Risk analysis is understanding two key elements:

Basic Security Principles

Basic Security Principles

IPSec Branch Office

Control Plane STP root guard

Secure routers against DoS attacks

Routers are prone to multiple attacks

Routers compromises can be disastrous

Prefix filtering prevents bogus advertisements

Message authentication via MD5 should be done

In-band secured Hybrid

Client Traffic inline before

Hubs, Access Points,

Capture multiple sources of data…

Feed into Correlation Engine…

Risk Rating Links lower risk

“Zero Update” architecture

Reputation Anti-Spam Suspicious is

IronPort uses identity and reputation to apply policy