Presentation transcript: "Securing the Intelligent Information Network" (Mark Swantek, Cisco Systems)

Slide 1: © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. Securing the Intelligent Information Network. Mark Swantek, Consulting Systems Engineer, National Programs

Slide 2: Agenda
- Introduction
- Network Admission Control
- Network Compliance Management
- Q&A

Slide 3: Secure Network Infrastructure: Security Services Integrated into the Network
(Figure: layered view of the IP network, the security point products on top of it, and the advanced technologies and services layered above those.)
- IP network
- Security point products: firewall, network anti-virus, access control, IPsec and SSL VPN, IPS
- Advanced technologies and services (virtualized security services): endpoint posture control, dynamic DDoS mitigation, application-layer inspection, behavioral-based protection, automated threat response
- Principles: leverage existing investment; integrate advanced security services where needed; integrated, collaborative, adaptive security

Slide 4: Intelligent Security Services: Network Admission Control

Slide 5: NAC Overview (NAC At-A-Glance)
- An initiative that leverages the network infrastructure to enforce security policy compliance on endpoint devices, thereby limiting their ability to spread infections such as viruses, worms, and spyware.
- Ensuring policy compliance for all endpoint devices seeking network access is critical to information security.
- Part of a Self-Defending Network, designed to dramatically improve the network's ability to identify, prevent, and adapt to threats.

Slide 6: The Problem NAC Addresses
Threat vectors have changed:
- Trusted users can be the weakest link in your network's security.
- While most users are authenticated, their computers (laptops, PCs, PDAs, etc.) are not checked for security policy compliance.
- Non-compliant servers and desktops are common and difficult to detect and contain.
This is complicated by:
- User types: employees, contractors, mission partners
- Device types: laptops, PDAs, desktops; managed and unmanaged
- Access types: remote/VPN, wireless LAN, branch offices

Slide 7: NAC Helps Secure Network Ingress Points
(Figure: ingress points of the network, each with the security goal NAC supports there.)
- Campus: enhance security by ensuring privacy of critical information across the data center and the entire campus.
- IP communication: secure all types of traffic, including data, voice and video.
- Wireless: maintain security with new access technologies that extend connectivity.
- Field offices: extend the network to field offices in a reliable and secure manner.
- Deployed user: provide anywhere, anytime access with IPsec and SSL VPN technologies.
- Physical security: secure physical assets using IP-based access control and surveillance technologies.
- Extranets: improve communications and access with mission partners and factories using IPsec or SSL.
- Management: centralized control of all security aspects with one solution to configure, audit and troubleshoot.

Slide 8: Why Use the Network for Admission Control?
- Every bit of data you are concerned about touches the network.
- Every device you are concerned about is attached to the network.
- The broadest possible security solution, covering the largest number of networked devices, can be deployed.
- Device posture security decisions are made in the network, not on the endpoint device: this prevents a device from spoofing a "compliant" posture and gives rock-solid policy enforcement.
- Provides a consistent security policy to all parts of the network with the smallest footprint possible.

Slide 9: A New Solution Is Needed
(Figure: three separate domains: identity (guest access, AAA, employee), device security (anti-spyware, personal firewalls, HIPS, anti-virus) and network security (IDS/IPS, VPNs, perimeter firewalls).)
Endpoint security alone fails:
- Most assets have AV, but infections persist!
- Host-based apps are easily manipulated (even unintentionally).
- There is lag time between new viruses and the anti-virus patch upgrade cycle.
- Non-controlled assets often do not meet security requirements.
Identity alone fails:
- Identifies the user, but not the device.
- Network-level access is typically controlled at the network perimeter, but not on the internal network.
Network security alone fails:
- Firewalls cannot block legitimate ports.
- VPNs cannot block legitimate users.
- Detection often occurs after the fact.
- Access control is difficult to implement if users are on the internal network.

Slide 10: A Complementary Solution
(Figure: identity, device security and network security converge in NAC; a login prompt reads "Please enter username:".)
Network Admission Control (NAC) is a solution that uses the network infrastructure to ensure that all devices seeking network access comply with an organization's security policy.

Slide 11: NAC High-Level User Flow Overview: "The Network is the Control Point"
(Figure: end user, NAC policy server, authentication server and the intranet/network.)
1. End user connects and authenticates to the network: network access is blocked until the wired or wireless end user provides login information.
2. Authentication is passed to the NAC policy server, which validates the username and password against the authentication server and also performs device and network scans to assess vulnerabilities on the device.
3a. Quarantine role: the device is noncompliant or the login is incorrect, so the user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": the machine is granted access to the network in the appropriate role, based on who/what/where criteria.

Slide 12: NAC Means Better Criteria for Security
- Who owns it? Agency employee, contractor, guest, unknown
- What system is it? Windows, Mac or Linux; laptop, desktop or PDA; printer or other agency asset
- Where is it coming from? LAN, VPN, WLAN, WAN
- What's on it? Is it running? Anti-virus, anti-spyware, personal firewall, patching tools
- What's the preferred way to check/fix it? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software
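The flow on slides 11 and 12 (authenticate, assess posture, then quarantine or assign a role from who/what/where criteria) as a small policy engine. This is an added example, not Cisco's NAC code; the posture checks, owner-to-role mapping and the restricted role for non-employees off the wired LAN are assumptions chosen to illustrate the decision.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    user: str
    user_type: str               # who owns it: employee, contractor, guest, unknown
    system: str                  # what system: windows, mac, linux, pda, printer
    access: str                  # where from: lan, vpn, wlan, wan
    credentials_ok: bool = True
    av_running: bool = False
    av_signature_age_days: int = 999
    firewall_running: bool = False
    missing_critical_patches: int = 99

@dataclass
class Decision:
    role: str
    reasons: list                # remediation items when the role is "quarantine"

# Posture checks applied to agent-capable systems (constructed policy, not Cisco's).
POSTURE_CHECKS = [
    ("anti-virus running", lambda e: e.av_running),
    ("anti-virus signatures at most 7 days old", lambda e: e.av_signature_age_days <= 7),
    ("personal firewall running", lambda e: e.firewall_running),
    ("no missing critical patches", lambda e: e.missing_critical_patches == 0),
]

# Role that a known owner type maps to once the device is clean (hypothetical).
ROLE_BY_OWNER = {"employee": "employee", "contractor": "contractor", "guest": "guest"}

def admission_decision(e: Endpoint) -> Decision:
    # Steps 1 and 2: a failed login is handled like a non-compliant device.
    if not e.credentials_ok:
        return Decision("quarantine", ["authentication failed"])
    if e.user_type not in ROLE_BY_OWNER:
        return Decision("quarantine", ["unknown device owner"])
    # Printers cannot run posture checks; they get a dedicated restricted
    # role instead of a user role (hypothetical policy for agentless assets).
    if e.system == "printer":
        return Decision("printer", [])
    # Step 2: posture assessment; every failed check becomes a remediation item.
    failures = [name for name, check in POSTURE_CHECKS if not check(e)]
    if failures:
        return Decision("quarantine", failures)           # step 3a
    # Step 3b: role from the "who" and "where" criteria.
    role = ROLE_BY_OWNER[e.user_type]
    if e.access in ("vpn", "wlan", "wan") and role != "employee":
        role = f"{role}-restricted"                        # non-employee off the wired LAN
    return Decision(role, [])

if __name__ == "__main__":
    # Constructed sample endpoint: employee on WLAN with AV off and 3 missing patches.
    d = admission_decision(Endpoint("carol", "employee", "linux", "wlan", True, False, 2, True, 3))
    print(d.role, d.reasons)
```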

Slide 13: Four Key Capabilities of NAC
A robust NAC solution must have all four capabilities.
- Securely identify device and user
  - What it means: uniquely identifies users and devices, and creates associations between the two.
  - Why it is important: associating users with devices enables granular enforcement of policies by role or group.
- Configure and manage
  - What it means: easily creates comprehensive, granular policies that map quickly to user groups and roles.
  - Why it is important: policies that are easy to create and maintain lead to better system operations and adherence.
- Quarantine and remediate
  - What it means: acts on posture assessment results, isolates the device, and brings it into compliance.
  - Why it is important: quarantine is critical to halt damage due to non-compliance; remediation addresses root-cause problems.
- Enforce consistent policy
  - What it means: assesses and enforces a policy across the entire network via scanning and evaluation.
  - Why it is important: enforcement at the network level provides a solid foundation for holistic security.

Slide 14: NAC Summary
Dramatically improves security:
- Ensures both managed and unmanaged assets conform to a consistent security policy
- Proactively protects against worms, viruses, spyware, and malware
- Focuses operations on prevention, not reaction
Ensures policy compliance:
- Security policy compliance enforcement at the network level
- Addresses the issue of unauthorized access
- Assists in achieving organizational compliance
Extends existing investments:
- Enhances investment in network infrastructure and vendor software
Increases enterprise resilience:
- Comprehensive admission control across all access methods (LAN, WAN, VPN, wireless, etc.)
- Prevents noncompliant and rogue endpoints from impacting network availability
- Reduces the time spent identifying and repairing non-compliant, rogue, and infected systems

Slide 15: Intelligent Security Services: Network Compliance Management, "Accelerating Operational Success"

Slide 16: Our community faces multi-faceted network deployment and operations challenges
- Compliance: intense pressure to meet a variety of compliance mandates (regulatory standards, agency policies, technology rules)
- Growth: increased demand for new services and applications (network expansion, VoIP, data center and critical mission applications)
- Complexity: feature-rich network infrastructure (intelligent information network, QoS, HA, service-oriented network applications, web services)
- Expertise: shortage of specialized skills (productivity increase requirements, scarce network expertise in the NOC)

Slide 17: Manual, ad-hoc network configuration (the starting point)
(Figure: auditor, manager, director, tools manager, network architect, network manager, security engineers, network engineers, NOC operators and IT staff all connect directly to network devices.)
- Clients connect directly to network devices: lack of control over the network.
- Data is manually collected and reported: costly, tedious and incomplete.
- Devices are configured manually, one by one: costly and error-prone manual changes.
- Configuration, scripts and OS images are stored on various IT workstations: lack of security and standardization.
This facilitates a change from manual, ad-hoc network configuration...

Slide 18: ...to fully automated network configuration and change management
(Figure: the same roles now reach the network only through the network management tools, with the auditor, manager and director observing.)
- Automate complex network management tasks through a multi-threaded, event-driven automation engine.
- Control and standardize across the infrastructure in a central, secure location.
- Track all activity down to the very operator keystrokes.
- Prevent errors and enforce process through a centralized point of control.

Slide 19: Compliance and Mission Continuity
- Network security management is essential, providing policy enforcement and provisioning capabilities.
- It is not a "nice-to-have" but has become a "must-have".
- Reports violations and provides a detailed plan towards compliance.
- Makes maintaining continuous compliance possible.
- Improves the availability of services by controlling change to the underlying infrastructure.
- Security is higher because access to the network and change are controlled, tracked and audited.

Slide 20: Objectives of Network Compliance Management
- Track: comprehensive configuration management
  - Complete audit trail (keystroke level)
  - Coverage for every device type and vendor
- Control: establish and enforce best practices
  - Eliminate cowboy changes
  - Adopt an operational methodology
- Automate: automate network management
  - Configuration changes
  - Software updates
  - Topology mapping
  - Compliance reporting
- Prevent: prevent problems before they occur
  - Security breaches
  - Compliance violations
  - Downtime

Slide 21: Implications of managing networks manually
- 5x more costly to meet compliance requirements when done manually: complex, costly compliance management
- 45% of network engineers' time spent on manual network changes: labor-intensive change management
- 80% of network budget allocated reactively to avoid network downtime: lower network availability
- 80% of outages and security incidents due to manual misconfigurations: higher outage rates
Source: 2005 EMA survey and customer feedback

Slide 22: A Solution: Network Compliance Manager
A highly scalable offering for centralized network compliance management.
- Best-in-breed Network Configuration and Change Management (NCCM): real-time change detection; pre-deployment validation; policy enforcement
- Sophisticated audit and compliance analysis: set policy to track compliance; automated generation of compliance reports
- Advanced workflows: model complex projects; define custom approval policies
- Extensive reporting: network status; compliance

Slide 23: NCM streamlines deployment and operations of large, complex network infrastructure
- Greatly reduces network deployment and ongoing management costs.
- Allows strict enforcement of NOC processes and best-practice standards:
  - Government standard policies, e.g., FISMA
  - Mission/IT policies, e.g., DCID
  - Networking/technology policies, e.g., ACLs, VLANs
- Provides unmatched visibility and operational insight into configuration change activity.
- Controls network security: security best practices; threat patching; vulnerability management.

Slide 24: Security Management
- Maintain a comprehensive config change history archive for security audits.
- Monitor and enforce compliance with security standards.
- Create security compliance policies (regex pattern match on firewall configs) and check whether firewall configs comply with the applied security policies.
- Provide role-based access control and lockdown of devices and their configurations.
- Provision configuration changes on firewall devices.
- Maintain an audit trail, down to the keystroke level, of changes made on firewall devices.
- Maintain a history of changes made to ACLs.
- Easily deploy ACL changes.
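The third bullet describes compliance policies as regex pattern matches over firewall configs. The checker below is an added example of that idea, not NCM's own code: each rule is a pattern that the config must (or must not) contain, and the audit returns the rules a config violates. The policy rules and the IOS-style sample config are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str        # regex evaluated against the whole config with re.MULTILINE
    must_match: bool    # True: config must contain a match; False: it must not

# Hypothetical security compliance policy for an IOS-style firewall config.
FIREWALL_POLICY = [
    Rule("passwords stored encrypted", r"^service password-encryption$", True),
    Rule("no plaintext HTTP management", r"^ip http server$", False),
    Rule("HTTPS management enabled", r"^ip http secure-server$", True),
    Rule("no default SNMP community", r"^snmp-server community (public|private)\b", False),
    # vty block must carry an access-class; indented lines belong to the block
    Rule("vty lines restricted by ACL",
         r"^line vty 0 \d+\n(?: [^\n]*\n)*? access-class \S+ in$", True),
    Rule("no telnet on vty lines", r"^ transport input .*\btelnet\b", False),
]

def audit_config(config: str, policy=FIREWALL_POLICY) -> list[str]:
    """Return the names of the policy rules that the config violates."""
    violations = []
    for rule in policy:
        found = re.search(rule.pattern, config, re.MULTILINE) is not None
        if found != rule.must_match:
            violations.append(rule.name)
    return violations

# Constructed sample config (not a real device) with several deliberate gaps.
SAMPLE_CONFIG = """\
hostname edge-fw-1
service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 access-class MGMT-ONLY in
 transport input telnet ssh
"""

# The same config after the violations are corrected.
FIXED_CONFIG = SAMPLE_CONFIG.replace("ip http server", "ip http secure-server") \
    .replace("snmp-server community public RO", "snmp-server community Sv7-RO RO") \
    .replace("transport input telnet ssh", "transport input ssh")

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, audit_config(cfg))
```

Running a policy like this on every archived config revision gives the change-triggered audit that the later slides describe.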

Slide 25: Another Tool in the Solution: Configuration Assurance Solution
Automated network and security compliance audit and analysis.
- Uniquely features a full topological view of the production security, network and routing infrastructure:
  - Including Cisco PIX, FWSM, ASA, and ISR devices
  - Support for config file and binary import
- Network and security auditing; pinpoints violations and vulnerabilities:
  - Validates configurations, protocols and connectivity against 500+ network and security rules
  - Assesses security compliance and network resiliency under normal, threat, and failure conditions
  - Analyzes access requirements and restrictions; simulates unauthorized flows; pinpoints misconfigured nodes that block valid connectivity, including routing and switching protocols; identifies IP addressing problems; validates route maps and ACLs
  - Reports and trends compliance against internal IT policies, regulatory mandates, and industry best practices such as NSA, NIST 800-53, PCI, and others
  - Compares the results of successive network audits to identify recurring network problems

Slide 26: Security Compliance Audit... Daily or Change-Triggered
(Figure: network and security devices feed CAS, which builds a network model and produces reports.)
1. Automated data import into CAS: the network is modeled, representing the production infrastructure.
2. Automated configuration audit: analyze and validate network-level consistency by executing rules that audit the network as a system, checking security vulnerabilities, IP addressing, route maps and attributes (e.g., QoS), regulatory compliance, and a wide variety of switching and routing protocols. Notifications of critical results are sent to the administrator.
3. Automated reporting:
  - Compliance reports: FISMA, NSA, NIST 800-53, Cisco SAFE
  - Network analysis reports: security vulnerability, network resiliency, configuration trends, routing analytics, and much more
  - Used for compliance, remediation, trending and network design
Conduct audits with the same frequency as changes are made. Watch for configuration changes that are inconsistent with security policies to ensure regulatory compliance and network-wide security and resiliency.

Slide 27: Summary
- Cisco PACE delivers a safer change management environment:
  - Baselines network topology and configuration
  - Identifies network security and configuration issues
  - Recommends actions for resolution
- Reinforces network security, complementing Cisco's security management suite.
- Enables users to accelerate deployment, maintain resiliency, and reduce risk.

Slide 28: Q and A
- Mark Swantek
- mswantek@cisco.com
- 720-875-1250

