Campus Secure Integrated Security for Higher Education.


1 Campus Secure Integrated Security for Higher Education

2 Education Vulnerability Curve Accelerates
© 2003 Cisco Systems, Inc. All rights reserved.
Time from knowledge of vulnerability to release of exploit is shrinking.
Chart axes: target and scope of damage (individual computer, individual networks, multiple networks, regional networks, global infrastructure impact) against time (1980s, 1990s, today, future).
- 1st Gen (1980s): boot viruses. Exploit window: weeks.
- 2nd Gen (1990s): macro viruses, e-mail, DoS, limited hacking. Exploit window: days.
- 3rd Gen (today): network DoS, blended threats (worm + virus + trojan), turbo worms, widespread system hacking. Exploit window: minutes.
- Next Gen (future): infrastructure hacking, flash threats, massive worm-driven DDoS, damaging-payload viruses and worms. Exploit window: seconds.

3 The Education Paradigm Change: A Network-Based Approach
- An automated security system is required to address unknown (or "day zero") threats.
- Security must be applied at multiple layers of the system to address sophisticated blended threats and defend against multiple avenues of attack.
- All elements of the security system must be integrated to initiate a coordinated response.
Campus Secure addresses the top-of-mind security issues in Education.

4 Higher Ed Security Strategy Evolution
- 1990s, Basic Security: basic router security, command line interface.
- 2000, Point Products: security appliances, enhanced router security, separate management software.
- 2002, Defense-In-Depth: multiple technologies, multiple locations, multiple appliances, little/no integration.
- 2003, Integrated Security: integrated security in routers, switches, appliances and endpoints (FW + VPN + IDS…), integrated management software, evolving advanced services.
- 2004…, Self-Defending Networks: end-point posture enforcement, network device protection, dynamic/secure connectivity, dynamic communication between elements, automated threat response.

5 Higher Ed Security Strategy
Cisco Strategy for Education to Improve the Network's Ability to Identify, Prevent, and Adapt to Threats
- SECURITY TECHNOLOGY INNOVATION: CS-MARS, ASA 5500s, SSL VPN, Network Anomaly Detection
- INTEGRATED SECURITY: Secure Connectivity, CCA, NAC, Trust and Identity
- SYSTEM-LEVEL SOLUTIONS: Campus Secure
Supporting pillars: Bandwidth Mgt, Services, Partnerships

6 Higher Ed Security Paper – the starting point
Security Blueprint for Implementing Education Network Security
HE-specific follow-up modules:
1. ID Mgt – NAC (Perfigo), Q4
2. Adaptive Threat Defense (Protego/ASA), Q1 '06
3. Bandwidth Mgt, Q2 '06
Posted at http://wwwin-tools.cisco.com/sales/go/education/higher

7 Self-Defending Network for Education: Controlling the Who, What, Where, When, Why and How
- Who: allows access to data only by authorized personnel
- What: prevents data from ever being stored, copied, or printed outside the secure environment
- Where: provides layers of protection and auditing to ensure that data is only stored in a controlled location
- When: users process data normally, but the data never "sleeps" outside of the secure area
- Why: only authorized personnel are allowed to process data
- How: data access is restricted, authenticated, and audited by the Cisco Self-Defending Network

8 Cisco Network Admission Control (NAC)
- Cisco Network Admission Control (NAC) is a Cisco-led industry program focused on limiting damage from emerging security threats such as viruses and worms.
- With NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices.
- Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro.
- NAC is the first phase of the Cisco Self-Defending Network Initiative.
- These efforts are designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats.

9 Campus Secure Module 1 – Materials Posted
- Collateral posted on the Higher Ed website: http://wwwin-tools.cisco.com/sales/go/eso/fm/education/higher_ed/solutions
- Anchored by CCA and NAC solutions to address Higher Ed's need to secure the network edge
- Customized collateral for Education

10 Cisco Network Admission Control Program: How It Works
Components in the diagram:
- Endpoint security software: Anti-Virus Client + Cisco Security Agent + Cisco Trust Agent
- Cisco Network Access Device: security policy enforcement
- Cisco Policy Server: security policy creation
- Anti-Virus Vendor Policy Server: security credential checking, anti-virus policy evaluation
Possible outcomes for the endpoint: Permit, Deny, Quarantine, Remediate

11 Perfigo Addition to NAC Portfolio
- Many high-profile references in Higher Ed
- 1,000,000+ Perfigo-powered users
- 140+ customers
Perfigo's Security and Control solution protects networks by enforcing security policies wherever users and their devices touch the network. These solutions promote network health and host integrity.

12 CleanMachines Solution
- Perfigo SmartServer: serves as an in-line device for network access control
- Perfigo SmartManager: centralizes management for administrators, support personnel, and operators
- Perfigo SmartEnforcer: optional client for device-based scanning and remediation in managed and unmanaged environments
Recognizes: users, device, and role (guest, employee, contractor)
Evaluates: identifies security posture and vulnerabilities
Enforces: enforces security policies and eliminates vulnerabilities
Built according to the requirements of Higher Ed customers. Proven in production.

13 CleanMachines System Operation
Components in the diagram: Perfigo SmartServer, Perfigo SmartManager, Authentication Server, Perfigo SmartEnforcer (optional), Quarantine Role, and the Intranet/Network (THE GOAL).
1. End user attempts to access a web page or uses the optional client. Network access is blocked until the end user provides login information.
2. User is redirected to a login page. CleanMachines validates username and password against the authentication server and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is non-compliant or login is incorrect: user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": machine gets on the "clean list" and is granted access to the network.
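The admission decision that slides 10 and 13 describe (authenticate the user, evaluate the device posture against the policy for that user's role, then permit, quarantine or deny), worked through as an added example. This is not Cisco, Perfigo or CleanMachines code: the user store, the posture fields, the role policies, the thresholds and the "clean list" handling are all constructed assumptions chosen to show the decision logic, and the credential store is plaintext only because it is a demonstration.

```python
"""Endpoint admission flow in the style of slides 10 and 13 (added example;
not Cisco/Perfigo code).  User store, posture fields, role policies and
thresholds are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Decision(Enum):
    PERMIT = "permit"          # clean device, full access for its role
    QUARANTINE = "quarantine"  # non-compliant device, remediation resources only
    DENY = "deny"              # bad login, no access at all


@dataclass(frozen=True)
class Posture:
    """What a posture agent (Cisco Trust Agent on slide 10) or a network scan reports.
    Field names are assumptions for this example."""
    av_vendor: Optional[str]
    av_signature_version: int        # 0 when no AV is present
    av_realtime_enabled: bool
    missing_critical_patches: int
    listening_ports: Tuple[int, ...] = ()


@dataclass(frozen=True)
class Policy:
    """Minimum acceptable posture for one role.  Values are assumptions."""
    require_av: bool
    min_av_signature_version: int
    max_missing_critical_patches: int
    forbidden_ports: FrozenSet[int] = frozenset({135, 139, 445})  # assumed: no exposed RPC/SMB


# Constructed user store: plaintext for the example only, never in production.
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("s3cret", "employee"),
    "bob": ("hunter2", "contractor"),
    "visitor": ("", "guest"),
}

ROLE_POLICY: Dict[str, Policy] = {
    "employee": Policy(require_av=True, min_av_signature_version=4100, max_missing_critical_patches=0),
    "contractor": Policy(require_av=True, min_av_signature_version=4100, max_missing_critical_patches=1),
    "guest": Policy(require_av=False, min_av_signature_version=0, max_missing_critical_patches=99,
                    forbidden_ports=frozenset()),
}

# Slide 13's "clean list": MAC -> role.  No expiry here; a real system re-checks periodically.
CLEAN_LIST: Dict[str, str] = {}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user's role for a correct login, None otherwise."""
    record = USERS.get(username)
    if record is None or record[0] != password:
        return None
    return record[1]


def evaluate_posture(posture: Posture, policy: Policy) -> List[str]:
    """Return every policy violation found; an empty list means the device is clean."""
    violations: List[str] = []
    if policy.require_av:
        if posture.av_vendor is None or not posture.av_realtime_enabled:
            violations.append("anti-virus missing or real-time protection disabled")
        elif posture.av_signature_version < policy.min_av_signature_version:
            violations.append(f"anti-virus signatures {posture.av_signature_version} "
                              f"older than required {policy.min_av_signature_version}")
    if posture.missing_critical_patches > policy.max_missing_critical_patches:
        violations.append(f"{posture.missing_critical_patches} critical patches missing")
    exposed = sorted(set(posture.listening_ports) & policy.forbidden_ports)
    if exposed:
        violations.append(f"forbidden services listening on ports {exposed}")
    return violations


def admit(username: str, password: str, mac: str, posture: Posture) -> dict:
    """Run the whole flow for one endpoint.  Returns the decision, the role the
    access device should apply, and the violations for the remediation page."""
    role = authenticate(username, password)
    if role is None:
        # Step 3a (bad login): denied outright, nothing to remediate.
        return {"decision": Decision.DENY, "role": None, "violations": ["authentication failed"]}
    violations = evaluate_posture(posture, ROLE_POLICY[role])
    if violations:
        # Step 3a (non-compliant): quarantine role; drop any stale clean-list entry.
        CLEAN_LIST.pop(mac, None)
        return {"decision": Decision.QUARANTINE, "role": "quarantine", "violations": violations}
    CLEAN_LIST[mac] = role  # Step 3b: clean, remember the device
    return {"decision": Decision.PERMIT, "role": role, "violations": []}


def is_on_clean_list(mac: str) -> bool:
    return mac in CLEAN_LIST


if __name__ == "__main__":
    print(admit("alice", "s3cret", "00:11:22:33:44:55", Posture("Symantec", 4200, True, 0, (80,))))
    print(admit("alice", "s3cret", "00:11:22:33:44:56", Posture("Symantec", 3900, True, 0, (445,))))
```

The point the slides leave implicit is the split between authentication failure and posture failure: a wrong password gets no network at all, while a known user on a dirty machine gets a quarantine role that can still reach the remediation server, since a device that cannot download patches or signatures can never get off the quarantine list.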

14 Perfigo Extends Cisco's NAC Family
Perfigo CleanMachines:
- Solution shipping
- All-in-one, bundled solution that overlays existing environments
- Solution of choice for higher education
- Expanding to select verticals: healthcare, retail, utilities
NAC:
- Announced November '03
- Phase 1 shipping in June '04, router-based solution
- Phase 2 in progress: LAN/switch & remote access
- System-architected solution, rich partner ecosystem and flexible APIs for 3rd-party application integration
- Suited for organizations requiring integration into their existing network, endpoint software, and associated operations

15 Perfigo/NAC Solution Positioning
"CleanMachines" Bundled NAC Solution (network scanner, client scanner, policy server/updates, built-in remediation):
- Shrink-wrapped solution
- Turnkey deployment
- Limited option set
- Specific part numbers/pricing
NAC "System Architecture" Solution (scanners, clients, policy servers, remediation systems; integration points: Non-Responsive Host API, HCAP API, CTA API):
- Rich ecosystem: multiple partners
- Multiple options, 3rd-party integration
- Flexible APIs
- Infrastructure upgrade path

16 Campus Secure Module 2 – Materials to be posted Q1 '06
- Anchored by CS-MARS and ASA 5500 solutions
- Addresses the top-of-mind issue in education of performance/features of security platforms and the need to correlate and act quickly on security event data generated by security devices
- Creates the ability to analyze security event data from non-Cisco devices
- Customized collateral for Education

17 CS-MARS (Mitigation and Response System)
CS-MARS transforms raw network and security data into actionable intelligence used to stop real security incidents, as well as to maintain education network compliance.
- Network-intelligent correlation
- Incident validation
- Attack visualization
- Automated investigation
- Leveraged mitigation
- Compliance management
- High performance
- Low TCO

18 In-Depth Defense Complexity (diagram of defense-in-depth devices; label: Log/Alert)

19 Security Operations Response
Reactive steps: 1. Escalated alert 2. Investigate 3. Coordinate 4. Mitigate
Event sources spanning Network Operations and Security Operations: firewall, IDS/IPS, VPN, vulnerability scanners, authentication servers, router/switch, anti-virus, 10K Windows and 100s of UNIX hosts.
Today's workflow: collect the network diagram, read and analyze TONS of data… repeat. Always too late.

20 CS-MARS "Leveraged Mitigation"
- Use control capabilities within your infrastructure (firewall, router, switch)
- Layer 2/3 attack path is clearly visible
- Mitigation enforcement devices are identified
- Exact mitigation command is provided
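Slides 17, 19 and 20 describe the pipeline (correlate raw device events, validate the incident, resolve NAT, identify the enforcement device and the exact command) without showing it. The following is an added example written for this page, not CS-MARS code. The log lines are constructed: the %ASA messages use real ASA syslog formats with invented addresses, the "IDS ..." line is an invented sensor format, and the Layer 2 table that maps an inside host to a switch port is an assumption standing in for what a real system would learn from CAM and ARP tables.

```python
"""Correlate firewall NAT, connection and IDS events into validated incidents
with a concrete mitigation (added example; not CS-MARS code).  Sample logs
and the Layer 2 table are constructed."""
import re
from collections import defaultdict

LOGS = [
    # Firewall built NAT translations: inside 10.1.2.3 appears outside as 203.0.113.10
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.1.2.3/51000 to outside:203.0.113.10/20000",
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.1.2.3/51002 to outside:203.0.113.10/20002",
    # Firewall permitted these two connections, so the traffic reached its target
    "%ASA-6-302013: Built outbound TCP connection 9001 for outside:198.51.100.5/445 (198.51.100.5/445) to inside:10.1.2.3/51000 (203.0.113.10/20000)",
    "%ASA-6-302013: Built outbound TCP connection 9002 for outside:198.51.100.5/139 (198.51.100.5/139) to inside:10.1.2.3/51002 (203.0.113.10/20002)",
    # Firewall blocked a third attempt by the same host
    '%ASA-4-106023: Deny tcp src inside:10.1.2.3/51001 dst outside:198.51.100.6/445 by access-group "inside_out"',
    # IDS sensor on the outside segment sees only the translated address (constructed format)
    'IDS sensor=outside-1 sig=2466 msg="SMB IPC$ share access" src=203.0.113.10:20000 dst=198.51.100.5:445',
    'IDS sensor=outside-1 sig=1000 msg="NetBIOS probe" src=203.0.113.10:20002 dst=198.51.100.5:139',
    # Same signature from an address the firewall never saw: cannot be validated
    'IDS sensor=outside-1 sig=2466 msg="SMB IPC$ share access" src=192.0.2.77:40000 dst=198.51.100.5:445',
]

# Assumed Layer 2 knowledge: which access switch and port an inside host sits on.
L2_TABLE = {"10.1.2.3": ("bldg2-sw1", "FastEthernet0/12")}

XLATE = re.compile(r"%ASA-6-305011: Built dynamic \w+ translation from \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+)")
BUILT = re.compile(r"%ASA-6-302013: Built \w+ \w+ connection \d+ for \w+:[\d.]+/\d+ \(([\d.]+)/(\d+)\)"
                   r" to \w+:[\d.]+/\d+ \(([\d.]+)/(\d+)\)")
DENY = re.compile(r"%ASA-4-106023: Deny \w+ src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)")
IDS = re.compile(r'IDS sensor=(\S+) sig=(\d+) msg="([^"]*)" src=([\d.]+):(\d+) dst=([\d.]+):(\d+)')


def correlate(logs, l2_table):
    """Return {real_attacker_ip: incident}.  An alert is 'validated' when the
    firewall also logged the same flow as built (the traffic demonstrably
    reached the target); otherwise it stays 'unvalidated'."""
    nat = {}           # (mapped ip, mapped port) -> real inside ip
    permitted = set()  # flows the firewall built, stored in both directions (mapped addresses)
    denied = []        # (src ip, src port, dst ip, dst port) the firewall dropped
    alerts = []        # (src, sport, dst, dport, sig, msg) as seen by the sensor
    for line in logs:
        if m := XLATE.match(line):
            nat[(m[3], int(m[4]))] = m[1]
        elif m := BUILT.match(line):
            a, b = (m[1], int(m[2])), (m[3], int(m[4]))
            permitted.update({a + b, b + a})
        elif m := DENY.match(line):
            denied.append((m[1], int(m[2]), m[3], int(m[4])))
        elif m := IDS.match(line):
            alerts.append((m[4], int(m[5]), m[6], int(m[7]), int(m[2]), m[3]))

    incidents = defaultdict(lambda: {"validated": [], "unvalidated": [], "blocked": [], "mitigation": None})
    for src, sport, dst, dport, sig, msg in alerts:
        real_src = nat.get((src, sport), src)  # NAT resolution; fall back to the address the sensor saw
        bucket = "validated" if (src, sport, dst, dport) in permitted else "unvalidated"
        incidents[real_src][bucket].append(f"sig {sig} {msg} -> {dst}:{dport}")
    for src, sport, dst, dport in denied:
        if src in incidents:  # group the blocked attempt with the same attacker's incident
            incidents[src]["blocked"].append(f"{dst}:{dport}")
    for ip, inc in incidents.items():
        inc["mitigation"] = mitigation_for(ip, inc, l2_table)
    return dict(incidents)


def mitigation_for(ip, incident, l2_table):
    """Name the enforcement device and the exact command, but only for an
    attacker with at least one validated alert: acting on an unvalidated alert
    turns a spoofed packet into a self-inflicted denial of service."""
    if not incident["validated"]:
        return None
    if ip in l2_table:
        switch, port = l2_table[ip]  # closest enforcement point: the attacker's own access port
        return {"device": switch, "commands": [f"interface {port}", " shutdown"]}
    # Assumed fallback for a host not on a managed switch: block it at the border router
    # (Cisco IOS extended ACL syntax; the ACL number 101 is an assumption).
    return {"device": "border-router", "commands": [f"access-list 101 deny ip host {ip} any"]}


if __name__ == "__main__":
    for attacker, inc in correlate(LOGS, L2_TABLE).items():
        print(attacker, inc)
```

Two design choices matter here. NAT resolution has to happen before grouping, or the same inside host shows up as several outside addresses and the incident fragments. And the mitigation is gated on validation: the alert from 192.0.2.77 has no matching firewall record, so it is kept in the incident list for an analyst but produces no command.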

21 CS-MARS "Compliance Reports"
- Popular reports with customization and distribution options
- Queries saved as rules or reports: intuitive framework (no SQL)

22 Protego CS-MARS Advantage for Education: Superior Functionality, Lowest TCO
Immediate results
- Quick install, out-of-box use, web-based HTML console
- Agentless capture, embedded Oracle®, no DBA necessary
- Supports popular network and security devices: Cisco, NetScreen, McAfee, Nokia, Extreme, Checkpoint, ISS, Enterasys, Foundstone, Snort, eEye, Windows, Solaris, Linux, Oracle, Web, CacheFlow, Cisco NetFlow…
Optimized performance and scalability
- Rapid in-line processing: over 10,000 EPS with all features active
- High-capacity RAID storage, continuous NFS archive
- Global Controller supports distributed CS-MARS management

23 Protego CS-MARS Advantage: Superior Functionality, Lowest TCO
Appliance convenience
- Complete integrated system; no additional hardware, platform, database, or agent software to purchase, install, and maintain
- No need to determine nodes, admins, agents or other licensing
- Hardened OS, role-based administration, and secure communications

Model          CS-MARS 20   CS-MARS 50   CS-MARS 100e   CS-MARS 100   CS-MARS 200   CS-MARS GC
Events / sec   500          1,000        3,000          5,000         10,000        n/a
Flows / sec    10,000       25,000       75,000         150,000       300,000       n/a
RAID storage   120GB +, 240GB, 750GB, 1TB +, not RAID (per-model column alignment not recoverable from the slide text)

24 Protego Value Proposition for Education
Alternative SIM approaches vs. Protego Enterprise Threat Mitigation:
- Centrally aggregate logs… limited event reduction and correlation | Integrated network intelligence for superior event aggregation, reduction, and correlation
- No network intelligence… isolated device events | Visually depicts topology and valid incidents; attack path details with layer 2/3 leveraged mitigation
- Basic alerts, workflow, and reports… lacks details for timely response | Events are dynamically NAT resolved, correlated, grouped, and validated
- Costly to buy, deploy, maintain | Lowest TCO; immediate results, easy to use and cost-effective deployment
- Poor performance; achieved with costly platforms and/or clustering | Full correlation in excess of 10,000 EPS and 300,000 flows/sec

25 Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies
Cisco Confidential – NDA Use Only
Market-proven technologies:
- Firewall technology: Cisco PIX
- IPS technology: Cisco IPS
- VPN technology: Cisco VPN 3000
- Network AV technology: Cisco IPS, Trend AV
- Network services: Cisco Networking
Adaptive Threat Defense and "Clean VPN":
- Application Security: app inspection, use enforcement, web control
- Anti-X Defenses: malware/content defense, anomaly detection
- Containment & Control: traffic/admission control, proactive response
- Secure, "Clean VPN" connectivity

26 Competing with Cisco ASA 5520 – Product Comparison: Compete with NetScreen in Higher Ed
Cisco Confidential – Internal Use Only

Feature                                          ASA 5520                      ASA 5520 + AIP-SSM-10         NetScreen 204          NetScreen 208
List price                                       $7,995                        $12,495                       $10,000                $14,000
Max firewall throughput                          450 Mbps                      450 Mbps                      400 Mbps               550 Mbps
Max concurrent threat mitigation (FW + Anti-X)   225+ Mbps once AIP-SSM-10 added   225+ Mbps                 180 Mbps               180 Mbps
Max IPSec VPN throughput                         225 Mbps                      225 Mbps                      200 Mbps               200 Mbps
Maximum connections                              130,000                       130,000                       128,000                128,000
S2S and IPSec RA VPN peers                       300 ► 750                     300 ► 750                     1,000 (basic RA VPN)   1,000 (basic RA VPN)
WebVPN connections                               300 ► 750                     300 ► 750                     none                   none
VPN clustering / load balancing                  yes                           yes                           no                     no
High availability                                A/A and A/S                   A/A and A/S                   (not listed)           (not listed)
Interfaces                                       4 x 10/100/1000, 1 x 10/100   4 x 10/100/1000, 1 x 10/100   4 x 10/100             8 x 10/100
Security contexts                                up to 10                      up to 10                      none                   none
VLANs supported                                  25                            25                            32                     32

Cisco advantages called out on the slide: 1.3x–2x performance, full IPS, better price/performance, IPSec + WebVPN, GE in base system, context support.

27 Competing with Cisco ASA 5540 – Medium to Large School Product Comparison: NetScreen 500

Feature                                          ASA 5540                      ASA 5540 + AIP-SSM-20         NetScreen 500          NetScreen 500 with 4GE
List price                                       $16,995                       $24,995                       $28,500                $43,500
Max firewall throughput                          650 Mbps                      650 Mbps                      700 Mbps               700 Mbps
Max concurrent threat mitigation (FW + Anti-X)   450 Mbps once AIP-SSM-20 added   450 Mbps                   200 Mbps               200 Mbps
Max IPSec VPN throughput                         325 Mbps                      325 Mbps                      225 Mbps               225 Mbps
Maximum connections                              280,000                       280,000                       250,000                250,000
S2S and IPSec RA VPN peers                       500 ► 2,000 ► 5,000           500 ► 2,000 ► 5,000           10,000 (basic RA VPN)  10,000 (basic RA VPN)
WebVPN connections                               500 ► 1,250 ► 2,500           500 ► 1,250 ► 2,500           none                   none
VPN clustering / load balancing                  yes                           yes                           no                     no
High availability                                A/A and A/S                   A/A and A/S                   (not listed)           (not listed)
Interfaces                                       4 x 10/100/1000, 1 x 10/100   4 x 10/100/1000, 1 x 10/100   4 x 10/100             4 x 10/100/1000, 2 x 10/100
Security contexts                                up to 50                      up to 50                      up to 25               up to 25
VLANs supported                                  100                           100                           (not listed)           (not listed)

Cisco advantages called out on the slide: 2.3x performance, full IPS, "no contest" on price, IPSec + WebVPN, GE in base system, 2x contexts.

28 Cisco Adaptive Security Device Manager (ASDM) v5.0: Robust Firewall Management and Monitoring
Cisco ASDM v5.0 delivers robust firewall management and monitoring of a Cisco ASA appliance.
Supports full configuration of: access control lists; network and service object groups; inspection engines; NAT/PAT; AAA; and more.
Supports monitoring of: syslog (real-time); connections; throughput; and more.
© 2004 Cisco Systems, Inc. All rights reserved. ASA 5500 Intro

29 Cisco Adaptive Security Device Manager v5.0: Comprehensive VPN Management and Monitoring
Cisco ASDM v5.0 delivers comprehensive remote-access and site-to-site VPN management and monitoring of a single Cisco ASA appliance.
Supports full configuration of: WebVPN; IPSec RA groups; S2S tunnels; AAA, DHCP, and more.
Supports monitoring of: uptime and bytes transferred, by tunnel; VPN usage trends.

30 Consolidation of All Security Event Data
Secure Campus / Self-Defending Campus built on CS-MARS and ASA 5500; consolidated security data from VPN, firewall, SSL and IDS.
Campus Core security modules, with ASA 5500 deployed at large departments, the remote campus, and the research network.
Event sources consolidated: IDS/IPS, VPN, AAA servers, router/switch, Windows and Unix logs.

31 Why Cisco for Security?
- Cisco is uniquely positioned to execute, design and deliver the Self-Defending Network
- Most complete suite of offerings that can enable a truly INSTITUTION-WIDE security strategy
- Unique endpoint protection for desktops and critical servers with CSA, and intelligent management of the endpoints with NAC
- Automated prevention and remediation mechanisms throughout the network

32 In closing…
"ANYONE CAN BUILD A STOP SIGN – OR EVEN A TRAFFIC LIGHT – BUT IT TAKES A DIFFERENT MIND-SET ENTIRELY TO CONCEIVE OF A CITY-WIDE TRAFFIC CONTROL SYSTEM."
Bruce Schneier, Founder and CTO of Counterpane
