Security Architecture - Cisco

Transcription

Security Architecture
Haider Pasha, CISSP
SSEM, Emerging Central
Architectural Plays
hpasha@cisco.com
Presentation ID 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Traditional Corporate Border
Diagram labels: Policy; Corporate Border; Applications and Data; Corporate Office; Branch Office; Attackers; Partners; Customers

Mobility and Collaboration Is Dissolving the Internet Border
Diagram labels: Policy; Corporate Border; Applications and Data; Corporate Office; Branch Office; Home Office; Coffee Shop

Cloud Computing Is Dissolving the Data Center Border
Diagram labels: Policy; Corporate Border; Applications and Data; Platform as a Service; Infrastructure as a Service; Software as a Service; X as a Service; Corporate Office; Branch Office; Home Office; Coffee Shop

Customers Want Business Without Borders
Diagram labels: Policy; Corporate Border; Applications and Data; Platform as a Service; Infrastructure as a Service; Software as a Service; X as a Service; Corporate Office; Branch Office; Home Office; Coffee Shop

Cisco's Network Security Architecture
Diagram labels (numbered 1 to 4 on the slide): Policy; Corporate Border; Borderless End Zones; Borderless Internet; Borderless Data Center; Access Control, Acceptable Use, Malware, Data Security; Applications and Data; Platform as a Service; Infrastructure as a Service; Software as a Service; X as a Service; Corporate Office; Branch Office; Airport; Home Office; Coffee Shop

Cisco Security Architecture for Enterprise (SAFE)
Security Reference Architecture
Free Technical Design and Implementation Guide
- Collaboration between security and network devices
- Uses network intelligence
- Fully tested and validated
- Speeds implementation
- Modular design
- Unifies security policy

SAFE Strategy
Security devices: VPNs, Firewall, Admission Control, Monitoring, Email Filtering, Intrusion Prevention, Routers, Switches, DLP
Security solutions: PCI, Secured Mobility, Unified Communications, Network Virtualization
Security actions: Identify, Monitor, Correlate, Harden, Isolate, Policy and Device Management
Places in the network: LAN/Campus, WAN Edge, Data Center, Servers, User, Partner Sites, Management
Foundation: Network Foundation Protection

SAFE Security Architecture Modules
Diagram labels: Management; WAN Edge; Internet Edge; Teleworker; Data Center

Securing the LAN

Catalyst Integrated Security Features
Campus/LAN layers: Access, Distribution, Core
- Network Access Control
- Threat Detection and Mitigation
- Network Foundation Protection
- Enhanced Availability and Resiliency
- Secure Unified Communications
- Secure Unified Wireless Network
- Endpoint Security
- Edge Protection

SAFE Threat Response
Threats addressed: Service Disruption; Unauthorized Access; Data Leakage; Data Disclosure and Modification; Network Abuse; Identity Theft and Fraud

Increasing Visibility for the LAN
- Identify: LAN/port Authentication; User Authentication; Firewall Deep Packet Inspection; Traffic Classification; Intrusion Detection
- Monitor: Network Management; Event Monitoring; Network Telemetry; Syslog
- Correlate: Event Analysis and Correlation

Increasing Control for the LAN
- Harden: Network Foundation Protection; OS Hardening; CISF; Endpoint Security; Link and System Redundancy
- Isolate: VLANs; Network Access Control; IPS; Firewall Access Control
- Enforce: Stateful Firewall Access Control; ACLs, uRPF, Antispoofing; DHCP Snooping; Port Security; Intrusion Prevention; QoS Enforcement; Network Access Control

Protecting the Network Devices: Secure Device Access - Protecting Device Access
Diagram labels: OOB Mgmt Net; Servers; Management Segment; Management Users; In-band, Clear; In-band, Secure; OOB, Secure

In-band, in the clear (not recommended):
- Telnet, HTTP, FTP
- TFTP, SNMPv2c

In-band, secure (recommended):
- SSH, SSL, IPSec
- SNMPv3, SFTP

Out-of-band management (most secure):
- Dedicated interfaces and network
- Logically separate (VLAN, VRF)
- Strongest security

Protecting the Network Devices: Device Resiliency and Survivability
Disable Unnecessary Services
- Identify open ports
- Disable unneeded open ports
- Disable CDP on interfaces where it may pose a risk (e.g. data-only user ports in the campus)
- Ensure directed broadcasts are disabled on all interfaces
- Disable MOP, IP redirects, and proxy ARP on access lines
Implement Redundancy
- Backup and redundant interfaces
- Redundant processors and modules
- Active-standby, active-active failover
- Topological redundancy

Protecting the Links: QoS Trust Boundary
Diagram labels: Trust Boundary; Agg. (aggregation layer); candidate trust boundary positions 1, 2 and 3
1. A device can be trusted if it correctly classifies packets
2. For scalability, classification should be done as close to the edge as possible
3. The outermost trusted devices represent the Trust Boundary
4. 1 and 2 are optimal, 3 is acceptable (if the access switch cannot perform classification)

Protecting the Control Plane: Control Plane Policing - Incoming Traffic
Diagram labels: Linecard; Forwarding ASICs; Data traffic is switched by Forwarding ASICs; Control pkts, and the pkts destined to CPU; Ingress Control Plane; Pre-configured System Traffic Types; User Configurable Traffic Types; Applying Policy; Pkts conform to control plane service policy; Switch CPU
1. Hardware-based mechanisms
2. Rate limit CPU bound traffic
3. Protect from DoS attacks
4. Control Plane Policing ensures routing stability, reachability, and packet delivery
5. Filters and rate limits traffic headed to the Control Plane
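The slide describes Control Plane Policing as an ordered set of traffic classes, each filtered and rate-limited before it reaches the switch CPU. The following is an added example, not Cisco's code and not a configuration from the presentation: it models a CoPP service policy in Python with first-match classes and a token-bucket policer per class, then replays a constructed traffic mix in which OSPF hellos and management SSH keep reaching the CPU while an ICMP flood is held to its policed rate. The class names, rates, management prefix (MGMT_NET) and packets are all assumptions chosen for the demonstration.

```python
"""Control Plane Policing (CoPP) modelled in software.

Added example, not Cisco's code: packets bound for the switch CPU are
classified into ordered traffic classes and each class is rate-limited
by its own token bucket, which is what a CoPP service policy does in
hardware. Class names, rates and the traffic mix are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed management prefix: only these hosts may reach SSH/SNMP/NTP on the box.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "ospf", "bgp", "ssh", "snmp", "icmp", "telnet", ...
    dport: int = 0
    ts_us: int = 0   # arrival time in microseconds (explicit, so runs are deterministic)


class TokenBucket:
    """Single-rate policer: tokens refill at rate_pps, up to burst packets."""

    SCALE = 1_000_000  # tokens are stored x1e6 so refill stays in integer arithmetic

    def __init__(self, rate_pps: int, burst: int):
        self.rate_pps = rate_pps
        self.capacity = burst * self.SCALE
        self.tokens = self.capacity
        self.last_us = 0

    def conform(self, now_us: int) -> bool:
        refill = (now_us - self.last_us) * self.rate_pps  # elapsed us * pps = tokens x1e6
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_us = now_us
        if self.tokens >= self.SCALE:
            self.tokens -= self.SCALE
            return True
        return False


class ControlPlanePolicer:
    """Ordered classes, first match wins (like class-maps in a policy-map);
    conform-action transmit, exceed-action drop."""

    def __init__(self):
        self.classes = [
            # routing protocols get a generous policer so adjacencies survive a flood
            ("routing", lambda p: p.proto in {"ospf", "bgp", "eigrp"}, TokenBucket(10_000, 1_000)),
            # management protocols only from the management prefix
            ("management", lambda p: p.proto in {"ssh", "snmp", "ntp"}
                                     and ipaddress.ip_address(p.src) in MGMT_NET,
             TokenBucket(500, 100)),
            ("icmp", lambda p: p.proto == "icmp", TokenBucket(50, 10)),
            # undesirable traffic is policed to zero: always dropped, never reaches the CPU
            ("undesirable", lambda p: p.proto == "telnet" or p.dport == 23, TokenBucket(0, 0)),
        ]
        self.default = TokenBucket(100, 20)
        self.stats = {}  # class name -> {"transmit": n, "drop": n}

    def classify(self, pkt):
        for name, match, bucket in self.classes:
            if match(pkt):
                return name, bucket
        return "class-default", self.default

    def police(self, pkt):
        name, bucket = self.classify(pkt)
        action = "transmit" if bucket.conform(pkt.ts_us) else "drop"
        self.stats.setdefault(name, {"transmit": 0, "drop": 0})[action] += 1
        return name, action


def run_demo():
    """Constructed mix: OSPF hellos and SSH from management continue while a
    200-packet ICMP flood (arriving within 0.1 s) is rate-limited to the CPU."""
    copp = ControlPlanePolicer()
    pkts = [Packet("10.1.1.2", "224.0.0.5", "ospf", ts_us=i * 10_000) for i in range(20)]
    pkts += [Packet("10.10.0.5", "10.1.1.1", "ssh", 22, ts_us=i * 20_000) for i in range(5)]
    pkts += [Packet("192.0.2.7", "10.1.1.1", "icmp", ts_us=50_000 + i * 500) for i in range(200)]
    pkts += [Packet("192.0.2.7", "10.1.1.1", "telnet", 23, ts_us=200_000)]
    pkts += [Packet("192.0.2.9", "10.1.1.1", "snmp", 161, ts_us=200_000)]  # SNMP from outside MGMT_NET
    for p in sorted(pkts, key=lambda p: p.ts_us):  # deliver in arrival order
        copp.police(p)
    return copp.stats


if __name__ == "__main__":
    for cls, counts in run_demo().items():
        print(f"{cls:14s} transmit={counts['transmit']:4d} drop={counts['drop']:4d}")
```

The ICMP class admits its 10-packet burst and then only what 50 packets per second allows, so the flood costs the CPU 14 packets instead of 200, while the routing and management classes are untouched because each class has its own bucket. The SNMP packet from outside MGMT_NET falls through to class-default rather than the management class, which is the behaviour a practitioner should verify when ordering CoPP classes.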

Monitoring and Telemetry: NetFlow
1. NetFlow's 7 Key Fields
2. Flow creation and export:
   - Inspect a packet's 7 key fields and identify the values.
   - If the set of key field values is unique, create a flow record or cache entry.
   - When the flow terminates, export the flow to the collector.
3. NetFlow Benefits:
   - Reporting
   - Distributed traffic monitoring
   - Track each data flow that appears in the network (establish baseline)
   - Detect anomalies by analyzing traffic characteristics and deviations from baseline
Diagram labels: NetFlow Export Packets
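The three steps on this slide (inspect the key fields, create a cache entry for a unique key, export when the flow ends) are what a router's flow cache does. The following is an added example, not Cisco's code: a Python flow cache keyed on the seven classic NetFlow key fields (source and destination IP, source and destination port, Layer 3 protocol, ToS byte and input interface), which ages entries out on the inactive/active timeouts or on TCP FIN/RST and exports them to an in-memory collector, followed by a small baseline check over the exported records. The packets, timeouts and the distinct-destination-port threshold are constructed for the demonstration.

```python
"""NetFlow flow cache modelled in software.

Added example, not Cisco's code: flow records are keyed on the seven
NetFlow key fields, aged out of the cache on inactive/active timeouts or
TCP FIN/RST, and "exported" to an in-memory collector; the exported
records are then checked against a simple baseline. The packets, timeouts
and threshold are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven key fields: packets sharing all seven values belong to the same flow.
FlowKey = Tuple[str, str, int, int, int, int, int]  # src IP, dst IP, sport, dport, L3 proto, ToS, input ifindex

TCP, UDP = 6, 17
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int = 64
    tcp_flags: int = 0
    tos: int = 0
    ifindex: int = 1


@dataclass
class FlowRecord:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0  # OR of all flags seen, as a NetFlow record carries


class FlowCache:
    def __init__(self, active_timeout: float = 1800.0, inactive_timeout: float = 15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []  # stands in for the collector

    @staticmethod
    def key_of(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.ifindex)

    def process(self, p: Packet) -> None:
        self.age(p.ts)
        k = self.key_of(p)
        rec = self.cache.get(k)
        if rec is None:  # unique set of key-field values: create a cache entry
            rec = self.cache[k] = FlowRecord(k, p.ts, p.ts)
        rec.last = p.ts
        rec.packets += 1
        rec.bytes += p.length
        rec.tcp_flags |= p.tcp_flags
        if p.proto == TCP and p.tcp_flags & (FIN | RST):  # flow terminated: export at once
            self.export(k)

    def age(self, now: float) -> None:
        """Expire idle flows and long-lived flows, as the router's cache does."""
        for k, rec in list(self.cache.items()):
            if now - rec.last >= self.inactive_timeout or now - rec.first >= self.active_timeout:
                self.export(k)

    def export(self, k: FlowKey) -> None:
        self.exported.append(self.cache.pop(k))

    def flush(self) -> None:
        for k in list(self.cache):
            self.export(k)


def distinct_dports_per_source(records: List[FlowRecord]) -> Dict[str, int]:
    seen: Dict[str, set] = {}
    for r in records:
        seen.setdefault(r.key[0], set()).add(r.key[3])
    return {src: len(ports) for src, ports in seen.items()}


def anomalous_sources(records: List[FlowRecord], baseline_max_dports: int = 5) -> List[str]:
    """Sources whose distinct-destination-port count deviates from the baseline."""
    return sorted(s for s, n in distinct_dports_per_source(records).items() if n > baseline_max_dports)


def build_sample_packets() -> List[Packet]:
    """Constructed traffic: one web session (both directions), a DNS query,
    and one host touching eight different ports on a server."""
    c, s = "10.1.1.10", "10.1.2.20"
    pkts = [
        Packet(0.0, c, s, 40000, 80, TCP, 60, SYN),
        Packet(0.1, s, c, 80, 40000, TCP, 60, SYN | ACK, ifindex=2),  # return path enters on another interface
        Packet(0.2, c, s, 40000, 80, TCP, 52, ACK),
        Packet(0.5, "10.1.1.11", "10.1.2.30", 5353, 53, UDP, 80),
        Packet(0.6, "10.1.1.11", "10.1.2.30", 5353, 53, UDP, 80),
        Packet(1.0, c, s, 40000, 80, TCP, 500, PSH | ACK),
        Packet(1.5, s, c, 80, 40000, TCP, 1200, PSH | ACK, ifindex=2),
        Packet(2.0, c, s, 40000, 80, TCP, 52, FIN | ACK),
        Packet(2.1, s, c, 80, 40000, TCP, 52, FIN | ACK, ifindex=2),
    ]
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):
        pkts.append(Packet(20.0 + i, "10.1.1.99", s, 50000 + i, port, TCP, 60, SYN))
    return pkts


def run_demo() -> FlowCache:
    fc = FlowCache()
    for p in build_sample_packets():
        fc.process(p)
    fc.flush()  # the demo ends; push whatever is still cached to the collector
    return fc
```

Two things the slide's wording hides become visible here: the two directions of one TCP session are two flows, because their key fields differ, and a flow with no FIN is only exported when a timeout fires, so the collector's view of short probes lags until the inactive timer expires. The baseline check then works purely on exported records, which is where the "deviations from baseline" benefit on the slide is realised.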

Internal Perimeter Access Control and Security – NAC
NAC Appliance Components:
1. NAS
2. NAM
3. CCA
NAC Benefits:
1. Recognizes users, their devices, and their roles in the network
2. Evaluates whether machines are compliant with security policies
3. Enforces security policies by blocking and isolating noncompliant machines

Internal Perimeter Access Control and Security – CISF
Diagram labels: Switch acts like a hub; 132,000 Bogus MACs; Port b: 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc.; MAC A; Email Gateway 10.1.1.1; Server X; DHCP DoS; "DHCP Request"; "Use this IP Address!"; "Hey, I'm 10.1.1.50!"; "Your email passwd is 'joecisco'!"; Attacker 10.1.1.25; Victim 10.1.1.50
1. Port Security prevents MAC flooding, port access, rogue network extension, and DHCP starvation attacks.
2. DHCP Snooping prevents Rogue DHCP Server attacks and DHCP starvation attacks.
3. Dynamic ARP Inspection is used with DHCP Snooping to prevent ARP Spoofing attacks and MiTM attacks.
4. IP Source Guard uses the DHCP Snooping table to mitigate IP Spoofing, impersonation attacks, and unauthorized access.
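The four features on this slide are linked by one data structure: the DHCP Snooping binding table, which Dynamic ARP Inspection and IP Source Guard consult. The following is an added example, not Cisco's code: a toy access switch in Python that applies Port Security, DHCP Snooping, DAI and IP Source Guard in that order to a constructed replay of the slide's scenario (victim 10.1.1.50 on one access port, attacker 10.1.1.25 on another, the DHCP server behind a trusted uplink) and returns the per-frame decision. The port names, MAC addresses, the frame model and the trusted/untrusted split are assumptions made for the demonstration.

```python
"""Catalyst Integrated Security Features (CISF) modelled in software.

Added example, not Cisco's code: a toy access switch applies Port Security,
DHCP Snooping, Dynamic ARP Inspection and IP Source Guard to a sequence of
constructed frames, showing how the DHCP snooping binding table ties the
last two features to the first two. Port names, MACs and addresses are
constructed; "trusted" ports stand for the uplink toward the DHCP server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    port: str
    src_mac: str
    kind: str                         # dhcp-discover | dhcp-offer | dhcp-ack | arp | ip
    src_ip: Optional[str] = None      # sender IP for arp/ip; assigned address (yiaddr) for dhcp-ack
    client_mac: Optional[str] = None  # chaddr carried in a dhcp-ack


DHCP_SERVER_MSGS = {"dhcp-offer", "dhcp-ack"}


class AccessSwitch:
    def __init__(self, trusted_ports: Set[str], max_secure_macs: int = 1):
        self.trusted = set(trusted_ports)
        self.max_macs = max_secure_macs
        self.secure_macs: Dict[str, Set[str]] = {}      # port -> MACs learned by Port Security
        self.err_disabled: Set[str] = set()
        self.pending: Dict[str, str] = {}               # client MAC -> port, from DHCP requests
        self.bindings: Dict[str, Tuple[str, str]] = {}  # client MAC -> (IP, port): snooping table
        self.log: List[str] = []

    def _binding_matches(self, f: Frame) -> bool:
        return self.bindings.get(f.src_mac) == (f.src_ip, f.port)

    def ingress(self, f: Frame) -> str:
        if f.port in self.err_disabled:
            return "drop: port err-disabled"
        untrusted = f.port not in self.trusted
        # 1. Port Security: cap source MACs per access port; a violation shuts the port
        if untrusted:
            macs = self.secure_macs.setdefault(f.port, set())
            if f.src_mac not in macs:
                if len(macs) >= self.max_macs:
                    self.err_disabled.add(f.port)
                    self.log.append(f"port-security: violation on {f.port} from {f.src_mac}")
                    return "drop: port-security violation, port shut down"
                macs.add(f.src_mac)
        # 2. DHCP Snooping: server replies only from trusted ports; learn bindings from ACKs
        if f.kind == "dhcp-discover" and untrusted:
            self.pending[f.src_mac] = f.port
        if f.kind in DHCP_SERVER_MSGS:
            if untrusted:
                self.log.append(f"dhcp-snooping: rogue {f.kind} on {f.port}")
                return "drop: dhcp server message on untrusted port"
            if f.kind == "dhcp-ack" and f.client_mac in self.pending:
                self.bindings[f.client_mac] = (f.src_ip, self.pending.pop(f.client_mac))
        # 3. Dynamic ARP Inspection: ARP sender IP/MAC on an untrusted port must match a binding
        if f.kind == "arp" and untrusted and not self._binding_matches(f):
            self.log.append(f"dai: invalid ARP {f.src_ip}/{f.src_mac} on {f.port}")
            return "drop: arp inspection failed"
        # 4. IP Source Guard: the same binding check for the source IP of data packets
        if f.kind == "ip" and untrusted and not self._binding_matches(f):
            self.log.append(f"ip-source-guard: {f.src_ip} from {f.src_mac} on {f.port}")
            return "drop: ip source guard"
        return "forward"


VICTIM, ATTACKER, SERVER = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:dd:dd:01"


def run_demo() -> List[str]:
    """Replays the slide's scenario: victim 10.1.1.50 on Gi1/0/1, attacker 10.1.1.25
    on Gi1/0/2, DHCP server behind the trusted uplink Gi1/0/24. One decision per frame."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/24"})
    frames = [
        Frame("Gi1/0/1", VICTIM, "dhcp-discover"),
        Frame("Gi1/0/24", SERVER, "dhcp-ack", src_ip="10.1.1.50", client_mac=VICTIM),
        Frame("Gi1/0/2", ATTACKER, "dhcp-discover"),
        Frame("Gi1/0/24", SERVER, "dhcp-ack", src_ip="10.1.1.25", client_mac=ATTACKER),
        Frame("Gi1/0/1", VICTIM, "arp", src_ip="10.1.1.50"),               # legitimate ARP
        Frame("Gi1/0/2", ATTACKER, "dhcp-offer", src_ip="10.1.1.60"),      # rogue DHCP server
        Frame("Gi1/0/2", ATTACKER, "arp", src_ip="10.1.1.50"),             # "Hey, I'm 10.1.1.50!"
        Frame("Gi1/0/2", ATTACKER, "ip", src_ip="10.1.1.25"),              # its own address: fine
        Frame("Gi1/0/2", ATTACKER, "ip", src_ip="10.1.1.1"),               # spoofing the gateway
        Frame("Gi1/0/2", "00:0e:00:bb:bb:cc", "ip", src_ip="10.1.1.25"),   # second MAC: flooding
        Frame("Gi1/0/2", ATTACKER, "ip", src_ip="10.1.1.25"),              # port is now err-disabled
    ]
    return [sw.ingress(f) for f in frames]
```

The order matters: a binding only exists because DHCP Snooping saw the server's ACK on a trusted port for a client whose request came in on an untrusted port, and DAI and IP Source Guard reject anything on that port that does not match the (IP, port) pair recorded there. The `log` list is what a practitioner would forward to syslog, which is the "Monitor" half of the slide's Threat Response model.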

Distributed Security: Infrastructure Protection and Monitoring
Diagram layers: Access; Dist; Core; Mngt
1. QoS Trust Boundary
2. Scavenger Class
3. Secure Management
4. NBAR
5. NetFlow
6. Control Plane Policing
7. Network Time Protocol
8. ACS
9. Cisco MARS
10. Syslog

Securing the Internet Edge

Enterprise Internet Edge Service Breakdown
DMZ - Network Services / Application Segment
- Public facing services: FTP, DNS, NTP etc.
Corporate Internet Access
- Internet access for campus and branch users
- Web browsing, email and other common internet services, web and email security
Firewall Based Teleworker
- Teleworker access to corporate resources
- Internet access via headquarters firewall
- Basic IP telephony service
Branch Office WAN Backup
- Internet backup for branches
- Access to corporate resources
- Web browsing, email and other common internet services

Internet Edge
Diagram labels: Corporate Access/DMZ; HTTP Services; E-mail; DNS; Branches w/ Voice; Gateway; Internet Backup; Remote Access VPN; Edge; Core; ISP A; ISP B; Internet; CVO termination; Remote Client

Firewall Design Considerations
Diagram labels: Internet; SP1; SP2; Firewalls; DMZ; Data Center; Corporate Network
Firewall Security Design Considerations
- Firewall rules to implement network security
- Integrating Email and Web Security Appliance with firewall
- Configuring and implementing Infrastructure Security
- Implementing and designing a secure public facing DMZ
- Enabling features for optimum monitoring and management

Firewall Design
Diagram labels: Public Internet; Web Traffic; Email Traffic; Email Security Appliance; Corporate Network; Remote User

IPS at the Internet Edge
Diagram labels: Core
1. FW in active/standby (stateful)
2. IPS selection based on STP
3. Requires STP tuning
4. Required bandwidth satisfied with single IPS and FW

Remote Access
Diagram labels: Public Internet; ASA 5500; Clientless SSL VPN; Client-based SSL or IPSec VPN
Partners / Consultants
- Controlled access to specific resources and applications
Mobile Workers
- Easy access to corporate network resources
Roamers
- Seamless access to applications from unmanaged endpoints
Day Extenders / Home Office
- Day extenders and mobile employees require consistent LAN-like, full-network access to corporate resources and applications

Web Appliance (IronPort example): Consolidated Web Gateway
Diagram labels: Internet; Firewall; Users; IronPort Web Security Appliance; Web Proxy and Caching; Anti-Spyware; L4 Traffic; Policy Filters; URL Filtering; Policy Management
Benefits: Lower TCO; Higher Accuracy

Securing the Data Center

Data Center Today: End-to-End Architecture
Enterprise and DC Edge
- Operations
- SaaS Gateway in WSA: Access Control for Software as a Service Apps
- Firewall (ASA 5500): Coarse Inbound Filtering
- CSM
Security Services Layer
- Firewall (ASA 5500 or FWSM): Enforce per-zone segmentation of servers; Virtual Contexts enable scale
- IPS: Threat mitigation and Hypervisor protections
Secure Server Access Layer
- Zone 1, Zone 2, Zone 3
- Network Segmentation: Per zone, enforced in Services Layer
- Virtual Access Layer (Nexus 1000v): Visibility - Flow visibility in the vSwitch; Layer 2 Security - Consistent protections in virtual and physical switch

Secure Borderless Data Center: Tomorrow's Architecture
Cloud Services Security Layer (Enterprise- or Cloud-Provided)
- ASA Virtual Context / Virtual FW: Security for applications in the Cloud
- Cloud Edge (ASA 5500 with IPS): Protecting the Cloud Provider Network
Enterprise and Data Center Edge
- Operations
- SaaS Gateway in WSA
- Firewall: Coarse Filtering
- CSM: AAA and Policy
Security Services Layer
- Firewall and IPS (ASA 5500 with IPS): Identity-based policies; Service chaining connects physical to virtual
Secure Virtual Access Layer
- Nexus 1000v
- Trust Zones via TrustSec
- ASA Switch Modules: Catalyst and Nexus
- Virtual FW
- Virtual Layer 2 through 7 Security: Nexus 1000v and virtual firewall platform

Real World Customer Example: Data Center Module Features
Diagram labels: Fiber Channel Storage Array; FC, FICON; Fabric A; Fabric B; MAN/WAN; FCIP; Cisco Nexus; iSCSI; DMZ-2; Front-End Web Servers; Application Servers; Database Servers; Catalyst 6513; VFW1; FWSM; Global Site Selector GSS 4492
Management Servers:
1. NAC Manager
2. Security Manager
3. Security MARS
4. Call Manager/Cisco Unity
5. Cisco ACS
- Layer 3 Switches in High Availability Mode
- Firewall Services Module (FWSM) to protect against Layer 2 to Layer 7 attacks
- FWSM set in Virtual Firewall Mode: VFW1 to protect Management Servers and VFW2 to protect Data Center Servers
- Network Intrusion Detection/Prevention for Monitoring
- Application Control Engine (ACE) used for Load Balancing, SSL Offloading, and Layer 7 Deep Inspection
- ACE Module to be used for all Front-End Web and Application server SSL Offloading and Load Balancing (after Layer 7 Firewall)
- Traffic flow moves from Yellow, to Blue, to Orange VLANs
- Private VLAN design to be implemented within each Server farm to segment against DOS/DDOS and Network attacks
- Cisco Security Agent to be used on each server to protect against Day Zero attacks like Worms/viruses and DOS/DDOS attacks
- NAC Appliance Manager for network wide policy enforcement
- Cisco Security Manager to manage security devices
- Cisco Security MARS for event correlation, Dynamic Threat Mitigation, and Incident Logging
- Cisco Call Manager/Unity for Voice Services
- Cisco Access Control Server for AAA and TACACS services
- FCIP Server backup with Disaster Recovery and Backup Site
- DHCP Snooping, IP Source Guard, Dynamic ARP Inspection, Port Security and Advanced Security via ACL
- Catalyst Rate Limiting for Blasting Worm Protection/Remediation
- Optimized Routing Protocols
- Multicast Subsecond Convergence
- First Hop Redundancy Protocols
- Spanning Tree, EtherChannel/GigEChannel with Core switches in Campus Module
- Supervisor/Power Supply Redundancy etc.
- HSRP for redundant gateway service
- Path Diversity Documentation
- Layer 3 Switching utilizing IGP
- Load balancing and Fast convergence
- Provide first-hop redundancy
- Protects the Core from High Density Peering
- Aggregates the Access Layer elements
- Policy Enforcement: QoS, ToS, IP Precedence
- Efficient handling of multicasts
- Network Trust or Policy Boundary
- Dual active links to Core switches in Campus Module
- Wire-Rate Application-Aware using ACE and FWSM
- IOS-Based Intelligent Network Services in Supervisor
- Traffic Detection/Classification using NetFlow
- IP Multicast Support
- Admission control and Traffic Policing
- Advanced Security via Access Control Lists
- Load Balancing and Fast convergence
- Scalable High-Speed services
- No unnecessary features
- 10 Gigabit Scalability
- Normal Operations: 20 °C (68 °F)

SAFE Resources
- Cisco SAFE and Design: .com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
- Cisco Design Zone: http://www.cisco.com/go/cvd
- Cisco Security Lifecycle
- Cisco's Security

