Published by Erika Ritchie
Campus Secure Integrated Security for Higher Education
© 2003 Cisco Systems, Inc. All rights reserved.
Slide 2 – Education Vulnerability Curve Accelerates
Time from knowledge of a vulnerability to release of an exploit is shrinking:
1st Gen (1980s): boot viruses. Time to exploit: weeks.
2nd Gen (1990s): macro viruses, e-mail, DoS, limited hacking. Time to exploit: days.
3rd Gen (today): network DoS, blended threats (worm + virus + trojan), turbo worms, widespread system hacking. Time to exploit: minutes.
Next Gen (future): infrastructure hacking, flash threats, massive worm-driven DDoS, damaging-payload viruses and worms. Time to exploit: seconds.
Target and scope of damage grows along the same curve: individual computer, individual networks, multiple networks, regional networks, global infrastructure.
Slide 3 – The Education Paradigm Change: A Network-Based Approach
An automated security system is required to address unknown ("day zero") threats.
Security must be applied at multiple layers of the system to address sophisticated blended threats and defend against multiple avenues of attack.
All elements of the security system must be integrated to initiate a coordinated response.
Campus Secure addresses the top-of-mind security issues in Education.
Slide 4 – Higher Ed Security Strategy Evolution
1990s, Basic Security: basic router security, command line interface.
2000, Point Products: security appliances, enhanced router security, separate management software.
2002, Defense-In-Depth: multiple technologies, multiple locations, multiple appliances, little/no integration.
2003, Integrated Security: integrated security in routers, switches, appliances and endpoints (FW + VPN + IDS ...), integrated management software, evolving advanced services.
2004 and beyond, Self-Defending Networks: endpoint posture enforcement, network device protection, dynamic/secure connectivity, dynamic communication between elements, automated threat response.
Slide 5 – Higher Ed Security Strategy
Cisco strategy for Education to improve the network's ability to identify, prevent, and adapt to threats, built up in three layers:
Security technology innovation: CS-MARS, ASA 5500s, SSL VPN, network anomaly detection.
Integrated security: secure connectivity, CCA, NAC, trust and identity.
System-level solutions: Campus Secure.
Supporting elements: bandwidth management, services, partnerships.
Slide 6 – Higher Ed Security Paper: the starting point
Security Blueprint for Implementing Education Network Security, posted at http://wwwin-tools.cisco.com/sales/go/education/higher
HE-specific follow-up modules:
1. ID Mgt – NAC (Perfigo), Q4
2. Adaptive Threat Defense (Protego/ASA), Q1 '06
3. Bandwidth Mgt, Q2 '06
Slide 7 – Self-Defending Network for Education: Controlling the Who, What, Where, When, Why and How
Who: allows access to data only by authorized personnel.
What: prevents data from ever being stored, copied, or printed outside the secure environment.
Where: provides layers of protection and auditing to ensure that data is only stored in a controlled location.
When: users process data normally, but the data never "sleeps" outside of the secure area.
Why: only authorized personnel are allowed to process data.
How: data access is restricted, authenticated, and audited by the Cisco Self-Defending Network.
Slide 8 – Cisco Network Admission Control (NAC)
Cisco Network Admission Control (NAC) is a Cisco-led industry program focused on limiting damage from emerging security threats such as viruses and worms.
With NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices.
Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro.
NAC is the first phase of the Cisco Self-Defending Network Initiative. These efforts are designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats.
Slide 9 – Campus Secure Module 1: Materials Posted
Collateral posted on the Higher Ed website: http://wwwin-tools.cisco.com/sales/go/eso/fm/education/higher_ed/solutions
Anchored by CCA and NAC solutions to address Higher Ed's need to secure the network edge.
Customized collateral for Education.
Slide 10 – Cisco Network Admission Control Program: How It Works
Endpoint security software: anti-virus client + Cisco Security Agent + Cisco Trust Agent. The Trust Agent collects the endpoint's security credentials and presents them when the device connects.
Cisco network access device: security policy enforcement at the point where the endpoint joins the network.
Cisco policy server: security policy creation; evaluates the credentials forwarded by the access device.
Anti-virus vendor policy server: security credential checking and anti-virus policy evaluation on behalf of the Cisco policy server.
Outcome returned to the access device and enforced for the endpoint: permit, deny, quarantine, or remediate.
Slide 11 – Perfigo Addition to NAC Portfolio
Many high-profile references in Higher Ed: 1,000,000+ Perfigo-powered users, 140+ customers.
Perfigo's Security and Control solution protects networks by enforcing security policies wherever users and their devices touch the network. These solutions promote network health and host integrity.
Slide 12 – CleanMachines Solution
Perfigo SmartManager: centralizes management for administrators, support personnel, and operators.
Perfigo SmartServer: serves as an in-line device for network access control.
Perfigo SmartEnforcer: optional client for device-based scanning and remediation in managed and unmanaged environments.
Recognizes: users, device, and role (guest, employee, contractor).
Evaluates: identifies security posture and vulnerabilities.
Enforces: enforces security policies and eliminates vulnerabilities.
Built according to the requirements of Higher Ed customers; proven in production.
Slide 13 – CleanMachines System Operation
Components in the diagram: Perfigo SmartServer (in-line), Perfigo SmartManager, Perfigo SmartEnforcer (optional client), authentication server, quarantine role, and the goal: the intranet/network.
1. End user attempts to access a web page or uses the optional client. Network access is blocked until the end user provides login information.
2. User is redirected to a login page. CleanMachines validates the username and password against the authentication server, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is non-compliant or the login is incorrect: the user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": the machine is put on the "clean list" and granted access to the network.
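The admission pipeline of slides 10 and 13 (posture credentials in; permit, quarantine or deny out; a clean list; a quarantine role that can only reach remediation resources) can be made concrete in code. The following is an added example written for this page, not Cisco or Perfigo code: the credential store, the posture thresholds, the remediation server addresses and the MAC/user data are all constructed. One design choice departs from slide 13: a failed login is denied outright rather than placed in the quarantine role, so the quarantine role is reserved for authenticated but non-compliant devices. Hosts that cannot answer a posture query (the case the Non-Responsive Host API on slide 15 exists for) are handled by an explicit policy parameter.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed policy values: hypothetical thresholds, not Cisco or Perfigo defaults.
MAX_SIGNATURE_AGE = timedelta(days=7)        # AV signatures older than this fail posture
REQUIRED_PATCH_LEVEL = 3                     # hypothetical OS patch baseline
REMEDIATION_HOSTS = frozenset({"10.0.99.10", "10.0.99.11"})   # constructed remediation servers
CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}  # constructed test accounts


@dataclass
class Posture:
    """What the endpoint reported (or failed to report) during the admission check."""
    agent_present: bool                      # Trust Agent / optional client answered the query
    av_signature_date: Optional[date] = None
    patch_level: Optional[int] = None


@dataclass
class Decision:
    verdict: str                             # "permit", "quarantine" or "deny"
    role: str                                # network role the enforcement point applies
    reasons: list = field(default_factory=list)
    allowed_destinations: Optional[frozenset] = None   # None means unrestricted


def posture_failures(posture: Posture, today: date) -> list:
    """Return the policy checks the endpoint fails; an empty list means 'clean'."""
    failures = []
    if posture.av_signature_date is None:
        failures.append("no antivirus signature date reported")
    elif today - posture.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures out of date")
    if posture.patch_level is None or posture.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("OS patch level below baseline")
    return failures


def admit(username: str, password: str, posture: Posture, today: date,
          clean_list: dict, mac: str, unresponsive_policy: str = "quarantine") -> Decision:
    """Decide what access one endpoint gets and keep the clean list in step with it."""
    # Step 1: authentication. An unauthenticated device gets nothing, not even remediation.
    if CREDENTIALS.get(username) != password:
        clean_list.pop(mac, None)
        return Decision("deny", "unauthenticated", ["invalid credentials"], frozenset())
    # Step 2: non-responsive host. With no agent there is no posture to evaluate, so the
    # outcome is a policy choice: quarantine it (default) or permit it (e.g. for printers).
    if not posture.agent_present:
        if unresponsive_policy == "permit":
            clean_list[mac] = username
            return Decision("permit", "user", ["no agent; policy permits non-responsive hosts"])
        return Decision("quarantine", "quarantine",
                        ["no agent; posture unknown"], REMEDIATION_HOSTS)
    # Step 3: posture evaluation. Any failure lands the device in the quarantine role,
    # which can only reach the remediation servers.
    failures = posture_failures(posture, today)
    if failures:
        clean_list.pop(mac, None)
        return Decision("quarantine", "quarantine", failures, REMEDIATION_HOSTS)
    clean_list[mac] = username                # "clean list": this device is now known-good
    return Decision("permit", "user", ["posture clean"])


def is_allowed(decision: Decision, dst_ip: str) -> bool:
    """Per-flow check the in-line enforcement device applies for this endpoint's role."""
    return decision.allowed_destinations is None or dst_ip in decision.allowed_destinations


if __name__ == "__main__":
    today = date(2006, 3, 1)                  # constructed "now" for the demo
    clean = {}
    for user, pw, posture, mac in [
        ("alice", "correct-horse", Posture(True, date(2006, 2, 27), 3), "00:11:22:33:44:55"),
        ("bob", "battery-staple", Posture(True, date(2006, 1, 1), 3), "aa:bb:cc:dd:ee:ff"),
        ("bob", "wrong", Posture(True, today, 3), "aa:bb:cc:dd:ee:01"),
        ("alice", "correct-horse", Posture(False), "aa:bb:cc:dd:ee:02"),
    ]:
        d = admit(user, pw, posture, today, clean, mac)
        print(f"{user:6} {mac}  {d.verdict:10} role={d.role:15} {'; '.join(d.reasons)}")
    print("clean list:", clean)
```

The quarantine decision carries its own destination set, so the enforcement check is the same function for every role; a device that fails a later re-scan is dropped from the clean list at the same moment its role changes, which is what keeps the list authoritative.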
Slide 14 – Perfigo Extends Cisco's NAC Family
Perfigo CleanMachines: solution shipping; all-in-one, bundled solution that overlays existing environments; solution of choice for higher education; expanding to select verticals: healthcare, retail, utilities.
NAC: announced November '03; phase 1 shipping in June '04, router-based solution; phase 2 in progress, LAN/switch and remote access; system-architected solution with a rich partner ecosystem and flexible APIs for 3rd-party application integration; suited for organizations requiring integration into their existing network, endpoint software, and associated operations.
Slide 15 – Perfigo/NAC Solution Positioning
"CleanMachines" bundled NAC solution: network scanner, client scanner, policy server/updates, built-in remediation. Shrink-wrapped solution, turnkey deployment, limited option set, specific part numbers/pricing.
NAC "system architecture" solution: scanners, clients, policy servers and remediation systems from a rich ecosystem of multiple partners; multiple options with 3rd-party integration; flexible APIs (Non-Responsive Host API, HCAP API, CTA API); infrastructure upgrade path.
Slide 16 – Campus Secure Module 2: Materials to be posted Q1 '06
Anchored by CS-MARS and ASA 5500 solutions.
Addresses the top-of-mind issue in education of performance/features of security platforms and the need to correlate and act quickly on security event data generated by security devices. Creates the ability to analyze security event data from non-Cisco devices.
Customized collateral for Education.
Slide 17 – CS-MARS (Cisco Security Monitoring, Analysis and Response System)
CS-MARS transforms raw network and security data into actionable intelligence used to counter real security incidents and to maintain education network compliance.
Network-intelligent correlation; incident validation; attack visualization; automated investigation; leveraged mitigation; compliance management; high performance; low TCO.
Slide 18 – In-Depth Defense Complexity (diagram of log/alert sources; no further text is recoverable from the slide)
Slide 19 – Security Operations Response
Reactive steps: 1. Escalated alert. 2. Investigate. 3. Coordinate. 4. Mitigate.
Sources across network operations and security operations: firewall, IDS/IPS, VPN, vulnerability scanners, authentication servers, router/switch, anti-virus, 10K Windows hosts, hundreds of UNIX hosts.
Workflow: collect the network diagram, read and analyze TONS of data, repeat. Always too late.
Slide 20 – CS-MARS "Leveraged Mitigation"
Use the control capabilities already within your infrastructure (firewall, router, switch):
Layer 2/3 attack path is clearly visible.
Mitigation enforcement devices are identified.
Exact mitigation command is provided.
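Slide 20's three bullets amount to a small algorithm: locate the attacker on the Layer 2/3 path, pick the enforcement device closest to it, and emit the exact command for that device. Here it is as an added example written for this page (not CS-MARS code) over a constructed topology: the ARP and CAM tables, interface names, device names, ACL names and addresses are all made up, and the ACL is assumed to already exist with its permit entries. The command syntax is standard IOS and PIX 7/ASA syntax for shutting a switch port and inserting a deny line at the top of an inbound ACL. Uplink and trunk ports are deliberately never shut down: the attacker's MAC is also learned on the distribution switch's trunk, and shutting that port would isolate every host behind it.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Switch:
    name: str
    cam: dict                                   # MAC -> interface it was learned on
    uplinks: set = field(default_factory=set)   # trunks/uplinks: never a mitigation target


@dataclass
class Layer3Device:
    name: str
    kind: str                                   # "router" or "firewall"
    arp: dict                                   # IP -> MAC for directly connected subnets
    ingress_interface: str                      # interface facing the untrusted side
    ingress_acl: str = "OUTSIDE_IN"             # ACL assumed to exist and be applied inbound


@dataclass
class Mitigation:
    device: str
    commands: list
    rationale: str


# Constructed sample topology (hypothetical names, MACs and addresses).
SAMPLE_SWITCHES = [
    Switch("dist-sw1", {"0011.2233.4455": "GigabitEthernet1/1"}, {"GigabitEthernet1/1"}),
    Switch("access-sw3", {"0011.2233.4455": "FastEthernet0/12",
                          "00aa.bbcc.dd01": "GigabitEthernet0/1"}, {"GigabitEthernet0/1"}),
]
SAMPLE_L3 = [
    Layer3Device("core-rtr", "router", {"10.20.30.40": "0011.2233.4455"},
                 "GigabitEthernet0/0", "INSIDE_IN"),
    Layer3Device("edge-fw", "firewall", {}, "outside", "OUTSIDE_IN"),
]


def locate_mac(ip: str, l3_devices: list) -> Optional[str]:
    """Resolve an inside IP to its MAC from whichever Layer 3 device holds the ARP entry."""
    for dev in l3_devices:
        if ip in dev.arp:
            return dev.arp[ip]
    return None


def find_access_port(mac: str, switches: list):
    """Find the switch/port where the MAC sits on an access port, skipping trunks/uplinks."""
    for sw in switches:
        port = sw.cam.get(mac)
        if port is not None and port not in sw.uplinks:
            return sw, port
    return None


def recommend(attacker_ip: str, switches: list, l3_devices: list) -> Mitigation:
    """Pick the enforcement point closest to the attacker and render its exact command."""
    mac = locate_mac(attacker_ip, l3_devices)
    if mac is not None:
        hit = find_access_port(mac, switches)
        if hit is not None:
            sw, port = hit
            return Mitigation(sw.name, [f"interface {port}", "shutdown"],
                              f"{attacker_ip} ({mac}) is learned on access port {port} of "
                              f"{sw.name}; shutting the port contains the host at Layer 2")
    # Attacker is not on an inside access port (external source, or only seen via trunks):
    # block at Layer 3, preferring a firewall over a router.
    enforcers = sorted(l3_devices, key=lambda d: 0 if d.kind == "firewall" else 1)
    if not enforcers:
        raise ValueError("no enforcement device available")
    dev = enforcers[0]
    if dev.kind == "firewall":                   # PIX 7 / ASA: insert at line 1 of the inbound ACL
        cmds = [f"access-list {dev.ingress_acl} line 1 extended deny ip host {attacker_ip} any"]
    else:                                        # IOS: sequence 1 in the named extended ACL
        cmds = [f"ip access-list extended {dev.ingress_acl}",
                f"1 deny ip host {attacker_ip} any",
                f"interface {dev.ingress_interface}",
                f"ip access-group {dev.ingress_acl} in"]
    return Mitigation(dev.name, cmds,
                      f"{attacker_ip} has no access-port location; deny it inbound on "
                      f"{dev.ingress_interface} of {dev.name} at Layer 3")


if __name__ == "__main__":
    for ip in ("10.20.30.40", "198.51.100.7"):
        m = recommend(ip, SAMPLE_SWITCHES, SAMPLE_L3)
        print(f"{ip}: {m.rationale}")
        for c in m.commands:
            print("   ", c)
```

The Layer 2 recommendation is preferred because it is the most surgical control available; the Layer 3 fallback is what an operator would push to the edge firewall for a source outside the campus. Either way the operator still reviews the command before it is applied, which is the "leveraged" part: the tool uses the devices already in place rather than adding an enforcement box.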
Slide 21 – CS-MARS "Compliance Reports"
Popular reports with customization and distribution options.
Queries saved as rules or reports in an intuitive framework (no SQL).
Slide 22 – Protego CS-MARS Advantage for Education: Superior Functionality, Lowest TCO
Immediate results: quick install, out-of-box use, web-based HTML console; agentless capture, embedded Oracle, no DBA necessary.
Supports popular network and security devices: Cisco, NetScreen, McAfee, Nokia, Extreme, Check Point, ISS, Enterasys, Foundstone, Snort, eEye, Windows, Solaris, Linux, Oracle, web servers, CacheFlow, Cisco NetFlow, and more.
Optimized performance and scalability: rapid in-line processing, over 10,000 EPS with all features active; high-capacity RAID storage, continuous NFS archive; Global Controller supports distributed CS-MARS management.
Slide 23 – Protego CS-MARS Advantage: Superior Functionality, Lowest TCO
Appliance convenience: complete integrated system; no additional hardware, platform, database, or agent software to purchase, install, and maintain. No need to determine nodes, admins, agents or other licensing. Hardened OS, role-based administration and secure communications.
Model            Events/sec    Flows/sec    RAID storage
CS-MARS 20          500          10,000     120 GB+
CS-MARS 50        1,000          25,000     240 GB
CS-MARS 100e      3,000          75,000     750 GB
CS-MARS 100       5,000         150,000     750 GB
CS-MARS 200      10,000         300,000     1 TB+
CS-MARS GC          n/a             n/a     not RAID
Slide 24 – Protego Value Proposition for Education
Alternative SIM approaches versus Protego Enterprise Threat Mitigation:
Centrally aggregate logs with limited event reduction and correlation, versus integrated network intelligence for superior event aggregation, reduction, and correlation.
No network intelligence and isolated device events, versus visual depiction of topology and valid incidents, with attack path details and layer 2/3 leveraged mitigation.
Basic alerts, workflow, and reports that lack the details needed for a timely response, versus events that are dynamically NAT-resolved, correlated, grouped, and validated.
Costly to buy, deploy and maintain, versus lowest TCO: immediate results, easy to use and cost-effective deployment.
Poor performance, achieved only with costly platforms and/or clustering, versus full correlation in excess of 10,000 EPS and 300,000 flows/sec.
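The middle row of slide 24 (events dynamically NAT-resolved, correlated, grouped and validated) and slide 17's "incident validation" describe one pipeline, shown here as an added example written for this page rather than CS-MARS code. The firewall lines follow the real PIX/ASA %PIX-6-302013 "Built ... connection" format, but every address and connection id in them is constructed; the IDS alert format, the signature name IIS-CMD-EXEC, its target-platform metadata and the host inventory are all hypothetical. The point it makes: an IDS sensor outside the firewall reports the mapped (public) address, so the alert cannot locate the victim until the translation is resolved, and once resolved, a Windows/IIS signature fired against a Linux/Apache host is not a valid incident.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed firewall syslog lines in PIX/ASA 302013 format (constructed addresses and ids).
FIREWALL_LOG = """\
%PIX-6-302013: Built inbound TCP connection 48213 for outside:198.51.100.7/4040 (198.51.100.7/4040) to dmz:192.0.2.15/80 (203.0.113.5/80)
%PIX-6-302013: Built inbound TCP connection 48214 for outside:198.51.100.7/4041 (198.51.100.7/4041) to dmz:192.0.2.20/80 (203.0.113.6/80)
"""
# Constructed IDS alerts from a sensor outside the firewall (it sees mapped addresses only).
IDS_ALERTS = """\
sensor=ids-outside sig=IIS-CMD-EXEC src=198.51.100.7:4040 dst=203.0.113.5:80
sensor=ids-outside sig=IIS-CMD-EXEC src=198.51.100.7:4041 dst=203.0.113.6:80
sensor=ids-outside sig=IIS-CMD-EXEC src=198.51.100.7:4041 dst=203.0.113.6:80
sensor=ids-outside sig=IIS-CMD-EXEC src=198.51.100.9:2222 dst=203.0.113.9:80
"""
# Constructed host inventory (as a vulnerability scanner would supply) and signature metadata.
HOSTS = {"192.0.2.15": "linux/apache", "192.0.2.20": "windows/iis"}
SIGNATURE_TARGETS = {"IIS-CMD-EXEC": "windows/iis"}    # hypothetical: platform the sig applies to

XLATE_RE = re.compile(
    r"Built \w+ TCP connection \d+ for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\)"
    r" to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)")
ALERT_RE = re.compile(
    r"sig=(?P<sig>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


@dataclass
class Incident:
    source: str
    target: str          # real (inside) address after NAT resolution
    signature: str
    count: int           # raw alerts grouped into this incident
    validated: bool      # True only when the target is actually exposed to this signature
    note: str


def build_nat_table(log: str) -> dict:
    """Map (mapped_ip, mapped_port) -> (real_ip, real_port) from 'Built connection' lines."""
    table = {}
    for line in log.splitlines():
        m = XLATE_RE.search(line)
        if m:
            table[(m["mdst"], m["mdport"])] = (m["dst"], m["dport"])
    return table


def resolve_target(dst: str, dport: str, nat: dict):
    """Translate a mapped destination to the real host; unresolved ones are kept and flagged."""
    real = nat.get((dst, dport))
    return (real[0], True) if real else (dst, False)


def correlate(alerts: str, fw_log: str, hosts: dict, sig_targets: dict) -> list:
    """NAT-resolve each alert, group by (source, real target, signature), validate each group."""
    nat = build_nat_table(fw_log)
    groups = defaultdict(lambda: {"count": 0, "resolved": False})
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        target, resolved = resolve_target(m["dst"], m["dport"], nat)
        key = (m["src"], target, m["sig"])
        groups[key]["count"] += 1
        groups[key]["resolved"] |= resolved
    incidents = []
    for (src, target, sig), g in groups.items():
        platform = hosts.get(target)
        wanted = sig_targets.get(sig)
        if not g["resolved"]:
            validated, note = False, "no NAT translation seen; target not located"
        elif platform is None:
            validated, note = False, "target unknown to host inventory"
        elif wanted is not None and platform != wanted:
            validated, note = False, f"signature targets {wanted}, host runs {platform}"
        else:
            validated, note = True, f"host runs {platform}; exposed to {sig}"
        incidents.append(Incident(src, target, sig, g["count"], validated, note))
    return incidents


if __name__ == "__main__":
    for inc in correlate(IDS_ALERTS, FIREWALL_LOG, HOSTS, SIGNATURE_TARGETS):
        flag = "VALID" if inc.validated else "suppressed"
        print(f"{flag:10} {inc.source} -> {inc.target} {inc.signature} x{inc.count}: {inc.note}")
```

Of the four raw alerts, one incident survives validation (two alerts against the IIS host), one is suppressed because the resolved target runs Apache, and one is held back because no translation was ever seen for its destination. Suppressing on platform mismatch is only as good as the inventory feeding it, which is why the scanner data on slide 19 is a correlation input and not an afterthought.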
Slide 25 – Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies (Cisco Confidential – NDA Use Only)
Market-proven technologies: firewall technology from Cisco PIX; IPS technology from Cisco IPS; VPN technology from Cisco VPN 3000; network anti-virus technology from Cisco IPS and Trend AV; network services from Cisco networking.
Adaptive Threat Defense and "Clean VPN":
Application security: application inspection, use enforcement, web control.
Anti-X defenses: malware/content defense, anomaly detection.
Containment and control: traffic/admission control, proactive response.
Secure, "clean VPN" connectivity.
Slide 26 – Competing with Cisco ASA 5520: Product Comparison, Compete with NetScreen in Higher Ed (Cisco Confidential – Internal Use Only)
List price: ASA 5520 $7,995; ASA 5520 + AIP-SSM-10 $12,495; NetScreen 204 $10,000; NetScreen 208 $14,000.
Max firewall throughput: ASA 5520 450 Mbps; NetScreen 204 400 Mbps; NetScreen 208 550 Mbps.
Max concurrent threat mitigation throughput (firewall + Anti-X): ASA 5520 225+ Mbps once the AIP-SSM-10 is added; NetScreen 180 Mbps.
Max IPsec VPN throughput: ASA 5520 225 Mbps; NetScreen 200 Mbps.
Maximum connections: ASA 5520 130,000; NetScreen 128,000.
S2S and IPsec RA VPN peers: ASA 5520 300, upgradable to 750; NetScreen 1,000 (basic RA VPN).
WebVPN connections: ASA 5520 300, upgradable to 750; NetScreen none.
VPN clustering / load balancing: ASA 5520 yes; NetScreen no.
High availability: ASA 5520 active/active and active/standby.
Interfaces: ASA 5520 4 x 10/100/1000 + 1 x 10/100; NetScreen 204 4 x 10/100; NetScreen 208 8 x 10/100.
Security contexts: ASA 5520 up to 10; NetScreen none.
VLANs supported: ASA 5520 25; NetScreen 32.
Cisco advantages claimed: 1.3x to 2x performance, full IPS, better price/performance, IPsec + WebVPN, GE in the base system, context support.
Slide 27 – Competing with Cisco ASA 5540: Medium to Large School Product Comparison against NetScreen 500
List price: ASA 5540 $16,995; ASA 5540 + AIP-SSM-20 $24,995; NetScreen 500 $28,500; NetScreen 500 with 4GE $43,500.
Max firewall throughput: ASA 5540 650 Mbps; NetScreen 500 700 Mbps.
Max concurrent threat mitigation throughput (firewall + Anti-X): ASA 5540 450 Mbps once the AIP-SSM-20 is added; NetScreen 500 200 Mbps.
Max IPsec VPN throughput: ASA 5540 325 Mbps; NetScreen 500 225 Mbps.
Maximum connections: ASA 5540 280,000; NetScreen 500 250,000.
S2S and IPsec RA VPN peers: ASA 5540 500, upgradable to 2,000 and 5,000; NetScreen 500 10,000 (basic RA VPN).
WebVPN connections: ASA 5540 500, upgradable to 1,250 and 2,500; NetScreen 500 none.
VPN clustering / load balancing: ASA 5540 yes; NetScreen 500 no.
High availability: ASA 5540 active/active and active/standby.
Interfaces: ASA 5540 4 x 10/100/1000 + 1 x 10/100; NetScreen 500 4 x 10/100; NetScreen 500 with 4GE 4 x 10/100/1000 + 2 x 10/100.
Security contexts: ASA 5540 up to 50; NetScreen 500 up to 25.
VLANs supported: ASA 5540 100.
Cisco advantages claimed: 2.3x performance, full IPS, "no contest", IPsec + WebVPN, GE in the base system, 2x contexts.
Slide 28 – Cisco Adaptive Security Device Manager (ASDM) v5.0: Robust Firewall Management and Monitoring
Cisco ASDM v5.0 delivers robust firewall management and monitoring of a Cisco ASA appliance.
Supports full configuration of: access control lists; network and service object groups; inspection engines; NAT/PAT; AAA and more.
Supports monitoring of: syslog (real-time); connections; throughput and more.
Slide 29 – Cisco Adaptive Security Device Manager v5.0: Comprehensive VPN Management and Monitoring
Cisco ASDM v5.0 delivers comprehensive remote access and site-to-site VPN management and monitoring of a single Cisco ASA appliance.
Supports full configuration of: WebVPN; IPsec RA groups; S2S tunnels; AAA, DHCP and more.
Supports monitoring of: uptime and bytes transferred, by tunnel; VPN usage trends.
Slide 30 – Consolidation of All Security Event Data
Diagram: the Secure Campus / Self-Defending Campus places CS-MARS and ASA 5500 at the campus core (security modules: VPN, firewall, SSL, IDS), with further ASA 5500 units for large departments, the remote campus and the research network; consolidated security data from IDS/IPS, VPN, AAA servers, routers/switches and Windows/Unix logs feeds CS-MARS.
Slide 31 – Why Cisco for Security?
Cisco is uniquely positioned to execute, design and deliver the Self-Defending Network.
Most complete suite of offerings that can enable a truly institution-wide security strategy.
Unique endpoint protection for desktops and critical servers with CSA, and intelligent management of the endpoints with NAC.
Automated prevention and remediation mechanisms throughout the network.
Slide 32 – In closing
"Anyone can build a stop sign – or even a traffic light – but it takes a different mind-set entirely to conceive of a city-wide traffic control system." Bruce Schneier, Founder and CTO of Counterpane