
Slide 1: Cisco Security Routers: Protecting your business while reducing costs
© 2005 Cisco Systems, Inc. All rights reserved. Draft 1 v1

Slide 2: Security Trends: Attacks on the Rise, Cause Substantial Damage
- 95% of respondents detected at least 10 web site security incidents in 2005*
- Losses due to theft of proprietary information doubled in the past 12 months, to $355K per incident*
- Security is the highest spending priority for CIOs
- 58% of CIOs expect spending increases in security over the next 12 months†
* CSI/FBI Security Study, 2005
† Deutsche Bank February CIO Poll, March 2005

Slide 3: IP Network: Defending Business Operations
Diagram: business applications carried over the IP network (e-mail, calendar, wireless, web applications, audio conferencing, voice messaging, IP telephony, instant messaging) and the threats directed at them (theft of customer data, fraud, extortion, information harvesting, corporate espionage, mandatory disclosure, scams, organized crime, blackmail).

Slide 4: Business Services Need Continuous Connectivity, Requiring the Network to be Secure and Available
Typical network requirements, grouped into the four solution areas (A to D) used through the rest of the deck:
- A. Secure Connectivity: encrypted VPN between sites or partners; encrypted POS; secure remote access
- B. Data & Identity Protection: perimeter defense; outbreak prevention; admission control
- C. Secure Voice & Wireless: convergence of voice and data services; integration of wired and wireless
- D. Business Continuity: WAN backup; network foundation protection

Slide 5: Security Integrated Into the Network
"The top emerging technology trend, regardless of site type or time frame, is the integration of security features like firewall, VPN, IDS, etc into routers." (Infonetics, 2005)
Cisco Security Routers, all-in-one security for the WAN: VPN, WAN backup, Network Admission Control, application firewall, intrusion prevention, network foundation protection, wireless, IP telephony, URL filtering.

Slide 6: Cisco Security Routers: Driving Industry Growth Through Value
- Security integrated into the network infrastructure: extends the value of the network
- Industry-leading, high-performance VPN connectivity: enables new applications
- Continual integration of advanced technologies (e.g. voice, wireless, SSL VPN, NAC, outbreak prevention): future-proof investment
- High market acceptance (millions of units deployed; the fastest-growing and largest network security segment): low technology adoption risk
- Single device to configure and manage: reduces complexity and OpEx
"Worldwide VPN and Firewall growth was again driven by Cisco's strength in hardware secure routers (up 25% this quarter)" (Infonetics Research, 2005)

Slide 7: Cisco Security Router Portfolio
Diagram: platforms arranged by site type along an axis of performance and services density:
- 800 Series: small office and teleworker
- 1800 Series: small branch / SMB
- 2800 Series: branch office
- 3800 Series: head office
- 7200 Series and 7600 Series: WAN aggregation
The 800 to 3800 are Integrated Services Routers. Captions on the diagram: embedded wireless, security and data; embedded, advanced voice, video, data and security services; high density and performance for concurrent services; feature breadth and scale at highest performance.

Slide 8: Cisco 7200 and 7301 Routers: Enterprise Head-End and SP-Edge with Security Services
- Cisco 7200 Series: up to OC3 performance with integrated services
- Cisco 7301: 1RU platform with onboard GE
- Target: enterprise core and service provider edge
- Diverse deployment applications: WAN aggregation, managed security, IBM data center, SAA management, broadband aggregation, MPLS PE, and route reflector
- Modular engine options for improved performance
- Onboard GE; high-density port adapters (supported across the Cisco 7000 portfolio)
- Hot-swappable interfaces, redundant power
- Cisco IOS T, S and Mainline release support: release options for cutting-edge enterprise features or for stability as the key requirement
- New: SA-VAM2+ hardware acceleration for AES wide keys (192 and 256 bit); provides >260 Mbps 3DES; up to 5000 IPsec tunnels; hardware-accelerated IPPCP compression

Slide 9: Cisco Integrated Security Architecture
Integrated hardware security services on a common hardware architecture: modular design, investment protection. Module and port types shown: AIM, VPN, Power (802.3af), USB, NME, EVM, HWIC, GE.
- Built-in VPN acceleration: high-performance crypto offload; 3DES/AES encryption; 4x faster than previous platforms
- Secure voice: PVDM modules; support for SRTP
- High-performance AIM: optional AIM-VPN PLUS; 3DES, AES, and compression; 10x faster than previous platforms
- USB port: removable; secure credentials

Slide 10: Cisco ISR: Integrated Wireless Access, Optimized for Secure Mobility
- Cisco 850 Series: stateful firewall and VPN; 4-port 10/100 switch; 802.11b/g option, single fixed antenna
- Cisco 870 Series: higher performance; stateful firewall, VPN, IPS, antivirus, NAC; 802.11b/g option, multiple antennas; advanced QoS features; 4-port 10/100 managed switch, up to 3 VLANs
- Cisco 1800 Series (fixed configuration): wire-speed performance; stateful firewall, VPN, IPS, antivirus, NAC; integrated backup port for redundant WAN links and load balancing; 802.11a and 802.11b/g option, multiple antennas; 8-port 10/100 managed switch, internal power supply, optional internal PoE; up to 8 VLANs
- Integrated wireless access is also available for the 1841, 2800 and 3800

Slide 11: Deploy Security On Your Routers Up Front: Reduce Costs, Worries
Choose Cisco Security Router bundles:
- A proactive measure to protect your network
- Sets up a secure foundation for voice and wireless deployment
- Bundle discounts provide a compelling ROI for buying security now versus adding it later
- Migration programs offer credit towards Cisco and competitive equipment

Slide 12: Cisco Security Router: Solutions

Slide 13: Secure Connectivity (A)
Business requirements: encrypted VPN connectivity between sites or partners; secure remote access; encrypted point-of-sale transactions.
Diagram: corporate office, branch office, small branch and small office/telecommuter sites joined by secure tunnels over the Internet.
- Site-to-Site VPN: interconnects branch offices over IP. Network intelligence (routing, QoS, multicast) enables voice, video and data; centralized cookie-cutter configuration (Easy VPN); scalable full/partial mesh (DMVPN); simplified PKI deployment (CA server, USB eTokens)
- Remote Access VPN: hardware VPN for small offices and telecommuters, software VPN for mobile users. Full-service network access with centralized policy-based management (Easy VPN); clientless secure access (SSL VPN)
- High-Performance VPN: for larger sites, including head-office aggregation. High performance and resiliency; strongest encryption (hardware-accelerated AES)

Slide 14: Business Requirements Analysis (A)
Qualifying questions, with the follow-up for a "yes" answer:
- Have you reviewed the ongoing costs of leased-line or Frame Relay links? Are you considering migrating to VPN? Many businesses are migrating for cost savings and/or broadband performance; show the case study and ROI analysis.
- Is your business regulated by HIPAA, SOX or EU Directive 95/46? Businesses need encryption to ensure compliance with legislation, both with external entities and internally between buildings or groups.
- Are you planning to offer secure remote access to employees or partners? Schedule a demo of the appropriate VPN solutions: Easy VPN, DMVPN, SSL VPN.
Next step: select a Secure WAN bundle based on performance and services; it is less expensive to purchase the Cisco Secure WAN solution now than to upgrade later.

Slide 15: Compelling ROI for VPN Migration (A)
Item                              Before: Frame Relay               After: IP VPN
Port speed                        1.5M (512k CIR)                   1.5M
Sites                             30 (10% mesh, ~2 PVCs per site)   30
Access charge per site            $4,354                            $1,420
Management per site               $635                              $550
Total branch access per site      $4,989                            $1,970
Head-end access                   $10,800                           $10,800
Total cost per month              $124,384 (at 80%)                 $67,930
Nonrecurring cost                 none                              2811 x 29 sites $78,800; 3845 head-end $12,700; total $91,500
How the totals are derived (the site count includes the head end, so there are 29 branches): Frame Relay is 29 x $4,989 + $10,800 = $155,481, to which the slide applies an 80% factor to get $124,384; IP VPN is 29 x $1,970 + $10,800 = $67,930. The difference is about $56K per month, so the $91,500 of equipment is paid off in under 2 months.

Slide 16: High Performance Security Bundles TCO (A): Cheaper to Buy Now vs. Later
- CapEx savings alone: $2,000 to $10,000
- Additional OpEx savings (typically 10-50% of the platform price) are not included above

Slide 17: Secure Connectivity Case Study: Data Encryption for Frame Relay or Leased Lines (A)
Business problem: reduce the risk of exposing customer data (e.g. credit card numbers) and avoid painful disclosure and negative publicity.
Real-life example: an online retailer with WAN connectivity over Frame Relay. Their service provider mis-provisioned a DLCI change, and another company's network overlapped into theirs. Breach-notification rules (the deck cites the Notification of Risk to Personal Data Act, NORPDA) require that all affected customers be notified.
Solution: the customer now encrypts all traffic over the WAN, and unencrypted traffic is denied entry to the Frame Relay network, so customer data stays confidential even when the carrier's provisioning is wrong. The general point applies to any "private" WAN (Frame Relay, leased line, MPLS): provisioning is outside your control, so confidentiality has to come from encryption on your own CPE.

Slide 18: Why AES?
                     AES                                          3DES
Type of algorithm    Symmetric, substitution-permutation block cipher   Symmetric, Feistel block cipher
Key size (bits)      128, 192, 256                                112 or 168
Time to crack*       149 trillion years                           4.6 billion years
* Assumes a machine that could try 2^55 keys per second, i.e. one that recovers a single-DES key in about a second (NIST). The 3DES figure is a full search of a 112-bit key (2^112 / 2^55 = 2^57 seconds); the AES figure is the average half-search of a 128-bit key (2^72 seconds). A full 128-bit search at the same rate is roughly 300 trillion years.
- The Secretary of Commerce approved the adoption of AES as an official Government standard, effective May 26, 2002
- The US Federal Government and other large enterprise and service provider customers are migrating their 3DES IPsec to AES
- AES is designed to replace DES / 3DES

Slide 19: Dynamic Multipoint VPN and VoIP
- Auto-meshing with dynamic routing
- Reduced latency and jitter; increased scalability; improved performance
- Easy to deploy and maintain
Diagram: a hub with a static public IP address and spokes (Site 1, Site 2, ... Site n) with dynamic or static public IP addresses. Each spoke keeps a dynamic but permanent tunnel to the hub. When Site 1 places a call to Site 2: (1) the call rings; (2) Site 1 asks the hub "where is 2?" (an NHRP resolution request); (3) the hub sends Site 2's public IP address; (4) Site 1 builds an on-demand spoke-to-spoke tunnel, so the voice stream no longer hairpins through the hub.

Slide 20: DMVPN Hub to Spoke Benefits
+ Simplified and smaller configs for hub and spoke
+ Zero-touch provisioning for adding spokes to the VPN
+ Easily supports dynamically addressed CPEs
IPsec+GRE vs. DMVPN, hub to spoke:
Feature                                           IPsec+GRE   DMVPN
All traffic must go via the hub                   yes         yes
Easy to deploy                                    yes         yes
Small hub configuration files                     no          yes
No hub provisioning for new spokes                no          yes
Easy configuration of dynamically addressed CPE   no          yes

Slide 21: DMVPN Spoke to Spoke Benefits
+ On-demand spoke-to-spoke tunnels avoid the double encrypt/decrypt at the hub
+ Smaller spoke CPE can participate in the virtual full mesh
IPsec+GRE vs. DMVPN, spoke to spoke (static full mesh vs. virtual full mesh):
Feature                                              IPsec+GRE   DMVPN
Direct spoke-to-spoke tunnels                        yes         yes
Connections to all nodes with smaller spoke CPE      no          yes
Provisioning for adding a new node                   no          yes
Scaling and support of a full mesh                   no          yes

Slide 22: Dynamic Multipoint VPN: Benefits
- Simplified configuration: spokes use a proven registration protocol (NHRP) to connect to the hubs, then dynamic routing builds the network topology automatically
- Configuration files are much smaller and easier to manage
- No new hub provisioning for each spoke added: zero touch, for lower admin costs and higher uptime
- Complete application (multicast/QoS) and authentication support
- Coming soon: dynamic VPN creation between spoke routers based on user traffic

Slide 23: Easy VPN: Overview
Diagram: branch office and home office routers, plus the Cisco VPN software client on PC/Mac/Unix, connecting over the Internet to a central-site router or concentrator.
The remote device contacts the central-site router/concentrator and provides authentication credentials. If the credentials are valid, the central site "pushes" configuration data securely to the remote device and the VPN is established.

Slide 24: Easy VPN: Benefits
- Simplicity: minimal configuration on branch nodes; no head-end changes when adding extra devices; leverages the AAA/RADIUS database for authentication of the branch device itself as well as of PCs
- Scalability: minimal resources used at the central site, so large numbers of branch nodes can be supported at low cost
- Flexibility: supported by Cisco IOS routers, ASA, PIX and VPN 3000 concentrators

Slide 25: IPsec Virtual Tunnel Interface (VTI)
- Simplifies VPN configuration by eliminating crypto maps, crypto ACLs and GRE
- Simplifies VPN design: a 1:1 relationship between tunnels and sites, with a dedicated logical interface per tunnel
- A more scalable alternative to GRE (Generic Routing Encapsulation) for VPN tunnel creation
- VTI supports QoS, multicast and other routing functions that previously required GRE
- Improves VPN interoperability with other vendors
Diagram: LAN 192.168.1.0/24 (router at .1) and LAN 192.168.2.0/24 (router at .1) joined by Tunnel0, addressed from 192.168.100.0/30 (.1 and .2).

Slide 26: Easy VPN IPsec Remote Access: Dynamic Policy Push for Scalable Services
Diagram: mobile workers and teleworker/small-branch-office routers connecting to a Cisco Easy VPN server on a central-site Catalyst 6500 or 7600 with a VPNSM.
Benefits:
- Supports dynamic connections with VPN
- Enables small or large deployments without user intervention
- Enforces a consistent VPN policy on all remote devices
- Interoperability across Cisco access and security devices
- No head-end changes when adding extra devices
- Cisco VPN Client is the only FIPS-certified client in the industry
VPN functions are assigned as IKE Mode Config attributes, several parameters at once.
Policy attributes pushed today: dynamic VPN IP address (via pool); internal netmask; internal DNS and WINS servers; split-tunnel mode.
New attributes pushed starting in IOS 12.2(18)SXD: static VPN IP address via RADIUS; idle timeouts; split DNS; max tunnels per VPN group; VPN group lock; personal firewall ("Are You There") check; include local LAN; save password control; backup head-end gateway list; per-user AAA attributes.
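An Easy VPN server on an IOS router that pushes a representative set of the attributes listed above (slides 23 to 26). This is an added example, not from the deck, and it uses the IOS router syntax rather than the 6500/7600 VPNSM shown in the diagram; the group name, addresses, pool, ACL, username and placeholder keys are assumed.

```cisco
aaa new-model
! Xauth (per-user) authentication and the group (policy) authorization lists
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUPS local
username alice secret ALICE-PASSWORD-PLACEHOLDER
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! dead peer detection so stale client SAs are torn down
crypto isakmp keepalive 20 5
!
! The group policy: everything below is pushed to the client by Mode Config
crypto isakmp client configuration group TELEWORKERS
 key GROUP-PSK-PLACEHOLDER
 dns 10.1.1.10
 domain example.com
 pool VPN-POOL
! split tunnel: only 10.1.0.0/16 goes through the tunnel, the rest goes direct
 acl SPLIT-TUNNEL
 split-dns example.com
 max-users 50
! a user authorized for this group may not log in through another group
 group-lock
! require the client's personal firewall to answer the "Are You There" poll
 firewall are-u-there
 backup-gateway 203.0.113.2
!
ip local pool VPN-POOL 10.200.0.1 10.200.0.254
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.0.0 0.0.255.255 any
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set AES256-SHA
! inject a host route for each connected client so return traffic finds it
 reverse-route
!
crypto map EZVPN client authentication list VPN-XAUTH
crypto map EZVPN isakmp authorization list VPN-GROUPS
crypto map EZVPN client configuration address respond
crypto map EZVPN 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN
```

Two things to weigh before copying this. Split tunneling (the acl line) leaves the client simultaneously on the corporate network and the open Internet, which is why the "Are You There" firewall check exists; dropping the acl line forces all traffic through the head end. And the group pre-shared key is shared by every client, so it leaks easily, and IKE aggressive mode exposes a hash of it that can be attacked offline; use a long random key at minimum, or move clients to certificates issued by the IOS CA of slide 27.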

Slide 27: Cisco IOS PKI Certificate Server
Diagram: a corporate headquarters router acting as CA server for branch offices A, B and C over the Internet.
- The router can now be a Certificate Authority (CA) server, eliminating the complexity of installing a separate PKI/CA server
- Key rollover for certificate renewal: the renewal request is made before the certificate expires
- Easy VPN now works with PKI certificates and can use the Cisco IOS CA server for enrollment
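The head-end CA and one branch trustpoint, including the pre-expiry renewal this slide calls key rollover. This is an added example, not from the deck; the CA name, domain, address 203.0.113.1, key labels and lifetimes are assumed.

```cisco
! ===== Headquarters router acting as CA =====
ip domain-name example.com
! key pair label must match the server name; exportable so the CA key can be
! backed up (the export passphrase then protects the whole PKI)
crypto key generate rsa general-keys label BRANCH-CA modulus 2048 exportable
! SCEP enrollment runs over HTTP
ip http server
!
crypto pki server BRANCH-CA
 database level complete
 database url flash:
 issuer-name CN=branch-ca.example.com,O=Example Corp
 lifetime certificate 365
 lifetime ca-certificate 1825
 lifetime crl 24
 cdp-url http://203.0.113.1/BRANCH-CA.crl
! Do NOT add "grant auto" on an Internet-reachable CA: it would sign any request
! that reaches it. Leave requests pending and approve them by hand:
!   show crypto pki server BRANCH-CA requests
!   crypto pki server BRANCH-CA grant <request-id>
 no shutdown
!
! ===== Branch router =====
ip domain-name example.com
crypto pki trustpoint BRANCH-CA
 enrollment url http://203.0.113.1:80
 subject-name CN=branch-a.example.com,OU=Branches,O=Example Corp
 revocation-check crl
 rsakeypair BRANCH-A 2048
! renew at 70% of the certificate lifetime and generate a new key pair for it,
! so the router never runs past expiry and the old key is retired
 auto-enroll 70 regenerate
!
! Exec-mode steps (not saved in the config):
!   crypto pki authenticate BRANCH-CA   <- compare the CA fingerprint out of band
!   crypto pki enroll BRANCH-CA         <- sends the SCEP request; admin grants it
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 2
```

With authentication rsa-sig, a peer is accepted because its certificate chains to BRANCH-CA, so the CA's enrollment policy is now the access-control list for the VPN: that is the reason to grant requests manually and to keep the CRL reachable (revocation-check crl fails closed if the CDP is unreachable, which is the safer default for a security device).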

Slide 28: USB Secure Token & Flash Storage
Integrated USB ports on the Integrated Services Routers support secure tokens and flash memory: 2 USB ports on the 3800, 2851, 2821, 2811, 1811, 1812 and 871; 1 USB port on the 2801 and 1841.
1. Simplified provisioning: zero-touch deployment
2. Distribution and storage of VPN credentials: easy to provision and distribute encryption keys; keys are securely stored on a removable token
3. Bulk flash for image distribution/storage: an alternative to Compact Flash deployment
Tokens are available from Aladdin.

Slide 29: Data & Identity Protection (B)
Business requirements: defend against worms, viruses, trojans and hacks; enforce policy-based control over network assets.
Diagram: corporate office, branch office, small branch and small office/telecommuter sites behind the Internet, each with perimeter defense, outbreak prevention and controlled access.
- Perimeter defense: Policy Firewall (L3), Transparent Firewall (L2), Application Firewall (L4-7). Segregates network assets into trusted and untrusted zones; application-aware inspection and defense against port 80, IM and P2P misuse
- Outbreak prevention: Intrusion Prevention, Distributed Threat Mitigation, Incident Control. Network-based protection against viruses, worms, trojans and other threats; distributed protection across the entire network at minimum cost; rapid response to emerging threats
- Identity & controlled access: Network Admission Control, URL Filtering, port-level security (802.1x). Controls who and what gets access to the network and what they can do; detects and isolates non-compliant devices

Slide 30: Business Requirements Analysis (B)
Qualifying questions, with the follow-up for a "yes" answer:
- Need perimeter protection against worms, viruses and trojans? Mitigating infections at the perimeter conserves WAN bandwidth and allows a faster response.
- Concerned with unauthorized access, or with the security posture of laptops and PCs? Companies need to protect their customer records and privacy to pass security audits.
- Need to comply with information privacy laws, e.g. SOX, HIPAA, EU Directive 95/46? Check the case study and ROI analysis.
- Required to enforce Internet surfing policies and prevent illegal downloads? URL filtering monitors and enforces surfing policies and reduces legal risk.
Next step: select the right Secure WAN bundle (less expensive to purchase now than to upgrade later) and schedule a demo of the appropriate Data & Identity Protection solutions: application firewall, IPS, DTM, NAC, URL filtering.

Slide 31: Data & Identity Protection Drivers: Loss of Data, Time (B)
The total cost of a major security incident (source: UK study, 2004):
Type of cost                     Cost                  Time
Disruption to business           $93,850 - $281,550    1 - 3 days
Time spent responding            $5,631 - $11,262      10 - 20 man-days
Direct cash spent responding     $9,385 - $18,770
Direct financial loss            $3,754 - $7,508
Damage to reputation             $9,385 - $37,540
Total cost                       $122,000 - $356,630
Annual loss from unauthorized access to information (source: CSI/FBI Computer Crime and Security Surveys, Morgan Stanley Research):
Survey year   Loss per respondent
2005          $303,234
2004          $51,545
2003          $12,592

Slide 32: Data & Identity Protection Drivers: Legislation (B)
- Sarbanes-Oxley, Section 404: severe CEO / corporate penalties for non-compliance
- Health Insurance Portability & Accountability Act (HIPAA): affects health care; up to $250,000 in fines and 5 years in jail, per violation
- Gramm-Leach-Bliley Act (GLBA): affects financial services; CIO-level staff can be held personally liable, plus penalties and class-action suits
- Notification of Risk to Personal Data Act (NORPDA, a federal bill that was not enacted): all customers must be notified of a breach
- SB 1386 (California): all customers must be notified of a breach

Slide 33: Data & Identity Protection Case Study (B)
Business problem: compliance with government regulations.
Real-life example: Infineon, a large global semiconductor enterprise, required maximum security for its intellectual property.
Solution: network security integration with low OpEx
- Single-chassis Catalyst 6500 for VPN, security, routing and switching
- IPsec VPN over the LAN and encrypted multicast, using the IPsec VPN Shared Port Adapter
- AES encryption in line with federal and government agency standards
- High-performance data security and wireless: service modules for firewall, intrusion detection, network analysis and WLAN

Slide 34: Cisco IOS IPS: New Features and Engines, All Inline
- Router-based IPS enables broadly deployed worm and threat mitigation services, even at remote branch offices
- String engines (TCP String, UDP String, ICMP String) enable custom matching of any string in the packet: customize signatures for a quick reaction to new threats
- Supports Trend Micro signatures: 400 worm and attack signatures added, an ever-increasing number of signatures from which to dynamically select

Slide 35: Transparent Cisco IOS IPS (new in 12.4(1)T)
Diagram: remote site and corporate headquarters; a transparent IPS sits in the Layer 2 path in front of a wireless database server, addressing the question "how do you allow select devices in?" across a large wireless range.
- Layer 2 connectivity with Layer 3 IPS support
- Easily adds IPS to existing networks: no IP subnet renumbering required
- Support for sub-interfaces and VLAN trunks
- Spanning Tree Protocol support: handles BPDU packets correctly per 802.1D, not just pass/drop
- Support for mixing L2 and L3 IPS on the same router
- No need for IP addresses on the interfaces
- All standard management tools supported
- DHCP pass-through to assign DHCP addresses on opposite interfaces (bidirectional)

Slide 36: Companies Are Opening Port 80; Attacks Enter Through Web-enabled Applications
Chart: internal users reaching the Internet over port 80 (HTTP) with web services, web-enabled apps, IM traffic and rich media; the bars read 43%, 55%, 43% and 98%. 64% of enterprises have opened port 80 on their firewalls for their growing web application traffic (source: Aug 2002 InfoWorld/Network Computing survey of IT professionals).
"...75% of successful attacks against Web servers are entering through applications and not at the network level." John Pescatore, VP and Research Director, Gartner, June 2002.

Slide 37: Cisco IOS Firewall: Advanced Application Inspection and Control
Diagram: traffic toward a corporate office server farm claiming "I am http web traffic... honest!" (a payload on port 80) and "I am email traffic... honest!" (a payload on port 25).
- HTTP inspection engine: delivers application-level control through inspection of traffic tunneled over port 80; a convergence of Cisco IOS Firewall and inline IPS technologies. Controls port-80 misuse by rogue applications that hide their traffic inside HTTP to avoid scrutiny, for example instant messaging and peer-to-peer applications such as Kazaa
- Email inspection engine: controls misuse of email protocols; SMTP, ESMTP, IMAP and POP inspection engines
- The inspection engines provide protocol anomaly detection services

Slide 38: Integrated Content Security: URL Filtering and Content Engine Network Module
Diagram: a branch office with an NM-CE and Cisco IOS Firewall, an IPsec tunnel to corporate headquarters, and a request to www.hackershomepage.com checked against the URL database and blocked.
Content Engine Network Module (NM-CE):
- Internet proxy cache
- URL filtering application server with pre-loaded OEM Websense and SmartFilter filtering applications
- Enforces the application-use policy; traffic logging and reporting
- Anti-virus gateway (ICAP) to scan, clean and cache web content
Cisco IOS URL Filtering:
- Integrated with Cisco IOS Firewall
- Supports Websense and N2H2 web filtering clients and works with external Websense and N2H2 servers
- Static "good" list / "bad" list URL filtering in IOS
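The IOS Firewall HTTP inspection of slide 37 and the IOS URL filtering of slide 38 in one branch configuration, since both hang off the same ip inspect rule. This is an added example, not from the deck, written in the IOS 12.3(14)T application firewall syntax; the policy and rule names, the filtering server 10.1.1.20, the interface names and the blocked domain (taken from the diagram) are assumptions.

```cisco
! ----- Application firewall policy for HTTP (port 80) -----
appfw policy-name BRANCH-APPFW
 application http
! drop sessions that are not RFC-conformant HTTP, e.g. a tunneled protocol
  strict-http action reset alarm
! reset connections that carry IM, P2P or tunneling inside HTTP
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm
  audit-trail on
!
! ----- URL filtering: external Websense server plus a local static list -----
ip urlfilter server vendor websense 10.1.1.20
! local "good" and "bad" lists, consulted before the server
ip urlfilter exclusive-domain permit .example.com
ip urlfilter exclusive-domain deny www.hackershomepage.com
! allow-mode off = fail closed: if the server is unreachable, new HTTP is dropped
ip urlfilter allow-mode off
ip urlfilter alert
ip urlfilter audit-trail
!
! ----- Stateful inspection rule tying it together -----
ip inspect name BRANCH-FW appfw BRANCH-APPFW
ip inspect name BRANCH-FW http urlfilter
ip inspect name BRANCH-FW smtp
ip inspect name BRANCH-FW tcp
ip inspect name BRANCH-FW udp
!
! Nothing is allowed inbound from the Internet by itself; CBAC opens return
! holes for sessions initiated from the inside and closes them when they end.
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 deny ip any any log
!
interface FastEthernet0/0
 description inside LAN
 ip inspect BRANCH-FW in
!
interface Serial0/0/0
 description Internet
 ip access-group OUTSIDE-IN in
```

The strict-http and port-misuse lines are what turn "port 80 is open" into "well-formed HTTP is open": a Kazaa or IM client that tunnels over port 80 gets its session reset rather than passing as web traffic. The fail-closed choice for URL filtering is deliberate; the alternative (allow-mode on) silently stops enforcing the surfing policy whenever the filtering server is down.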

Slide 39: Cisco IOS Virtualized Services: VRF-Aware "Virtual" Firewall and IPsec "Virtual" Interface
Diagram: a branch router with Engineering and Accounting contexts on the corporate LAN, each behind a VRF-aware Cisco IOS Firewall, with IPsec virtual interfaces (Tunnel0, .1/.2) toward the Internet.
- VRF supports multiple independent contexts (addressing, routing and interfaces) at the branch location, for separation of departments, subsidiaries or customers
- The VRF-aware firewall lets customers add the firewall to the list of services available at the individual context level
- Simplified IPsec VPN configuration and design (network-aware IPsec); easier and more scalable management and faster deployment of IPsec technology
- Enhanced support for V3PN applications through multicast, QoS and routing support

Slide 40: Support for 802.1x Authentication
Diagram: branch routers with 802.1x identity enforcement (a branch router with a 4-port EtherSwitch, and a survivable remote-user authentication path to the AAA server at corporate headquarters).
- The new 4- and 9-port EtherSwitch HWIC (HWIC-ESW) and the current 16- and 36-port NM-ESW all support 802.1x and Power over Ethernet (PoE)
- All new router Ethernet ports also support 802.1x
- Survivable remote user authentication
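Enabling 802.1x on the EtherSwitch ports this slide announces, as an added example that is not from the deck. The RADIUS server address, VLAN numbers, interface names (HWIC-ESW ports appear as FastEthernet0/1/x on an ISR) and the placeholder shared secret are assumed.

```cisco
aaa new-model
! supplicant credentials are checked against RADIUS (EAP is relayed inside RADIUS)
aaa authentication dot1x default group radius
radius-server host 10.1.1.30 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! global switch: without this line the per-port commands below do nothing
dot1x system-auth-control
!
interface FastEthernet0/1/0
 description HWIC-ESW user port
 switchport mode access
 switchport access vlan 10
! the port passes only EAPOL until the supplicant is authenticated
 dot1x port-control auto
! re-authenticate every hour so a revoked account is cut off within the period
 dot1x reauthentication
 dot1x timeout reauth-period 3600
 spanning-tree portfast
!
interface FastEthernet0/1/1
 description printer without an 802.1x supplicant
 switchport mode access
 switchport access vlan 20
! force-authorized bypasses 802.1x entirely: keep such ports in their own VLAN
! and filter that VLAN, because anyone who unplugs the printer inherits the port
 dot1x port-control force-authorized
```

Verify with show dot1x interface FastEthernet0/1/0, which reports the port state (AUTHORIZED/UNAUTHORIZED) and the last supplicant identity. The force-authorized port is the usual gap in branch deployments: a device that cannot speak 802.1x still needs a port, and that port is then protected only by whatever the router filters on its VLAN.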

Slide 41: Network Admission Control (NAC): Delivering Collaborative Security Systems (www.cisco.com/go/nac)
- The 3800, 2800 and 1800 Security Bundles ship with NAC capability
- Supports multiple AV vendors and Cisco Security Agent
- Restricts network access by non-compliant devices
NAC solution: leverages the network to intelligently enforce access privileges based on endpoint security posture; limits network access to compliant, trusted endpoints; focused on limiting damage from viruses and worms.
Diagram: hosts attempting network access run the Cisco Trust Agent and present credentials to the router (3800, 2800, 1800 or 800), which relays them over RADIUS to the policy (AAA) server. The policy server, with the vendor server, decides whether the host complies and returns access rights; the router enforces them and notifies the host. A coalition of market-leading vendors supplies the posture plug-ins.

Slide 42: Secure Voice and Wireless (C)
Business requirements: security and convergence of voice and data services; security and integration of wired and wireless.
Diagram: IP phones, IP video, POS registers, employee mobility and guest access at a site with an integrated IP-PBX and PSTN gateway, dual-band wireless (802.11a, b/g) and a public wireless hotspot, carrying voice, video and data over VPN to the Internet and the PSTN.
- Secure voice: business-ready voice with local call processing and audio conferencing (CCME); high-performance encrypted voice and video (V3PN); security for voice and data applications (Policy Firewall); reduced TCO (toll bypass, network/equipment consolidation)
- Secure wireless: extensive wireless security (802.1x, WPA, EAP-TLS, TKIP); integrated wired/wireless (VLANs, QoS); reduced infrastructure cost (inline-power EtherSwitch)

Slide 43: Increased ROI with Secure Voice: Example (C)
The same requirements, before (17xx and 26xx) and after (2800 ISR):
Requirement                         Site 1    Site 2
No. of IP telephony users           24        32
Trunks: FXS                         6         8
Trunks: FXO                         10        12
CCME/SRST license                   36        48
CUE (voice mail / auto attendant)   18        24
Conferencing/transcoding            4/4       6/6
Before (17xx and 26xx):
Typical router for data             1760      2611
Platform needed with IPT            3725      3745
Price of base chassis               $8,500    $12,000
Price per seat (for chassis)        $354      $372
After (2800 ISR):
Integrated Services Router          2811      2821
Price of V3PN bundle                $2,495    $3,895
Price per seat (for chassis)        $103      $121
CapEx reduced 3x; OpEx reduced due to the single-box solution.

Slide 44: Secure Voice (V3PN) Bundles TCO (C): Cheaper to Buy Now vs. Later
V3PN bundles include: router, AIM-VPN II PLUS, DSPs; Cisco IOS Advanced IP Services feature set; Cisco CallManager Express; voice mail (optional).

Slide 45: The ROI of Wireless (C)
The business benefits: the 2003 NOP study shows a rise in productivity over the 2001 study.
                                           2001                    2003
End-user average network connection time   1¾ hours more per day   3½ hours per day
Average daily time savings                 70 minutes              90 minutes
End-user productivity                      +23%                    +27%
Value of time saved per employee           $7K                     $14K
Source: NOP World Technology, Sep 2001 and 2003

Slide 46: Business Requirements Analysis (C)
Qualifying questions, with the follow-up for a "yes" answer:
- Are you considering IP Communication applications at your campus or branch office? Many businesses are implementing IP telephony and wireless services for cost savings and improved productivity; check the case study and ROI analysis.
- Do you need wireless access for employees, guests or customers? Existing investment in voice and WLAN equipment could be further leveraged by consolidating the separate networks onto ISRs.
- Do you plan to reduce telecom costs by consolidating voice and WAN links? For voice, consider V3PN bundles for high application performance and resiliency.
Next step: it is less expensive to purchase a Secure WAN bundle now than to upgrade later; schedule a demo of Secure Voice & Wireless solutions.

Slide 47: Secure Voice Case Study (C)
Business problem: secure voice and data for remote sites.
Real-life example: ePlus (financial solutions and enterprise software) needed to unify a dispersed nationwide workforce.
Solution:
- Voice functions integrated into Cisco ISRs; replaced 35 disparate phone systems
- Employees now reach co-workers anywhere with a four-digit extension
- Connectivity costs cut by $840K per year by migrating from Frame Relay to DMVPN
- Future: video conferencing, content caching, intrusion prevention and NAC services
- Quick business expansion: cookie-cutter deployment, with phones for new sites up in 2 hours
"The Cisco ISRs allow us to centralize everything into a router. By the time we have completed our deployment, we will have doubled ...our organization, while reducing maintenance and circuit costs." Chris Fairbanks, Principal Network Architect, ePlus Inc.

Slide 48: V3PN: Secured Site-to-Site Multi-Service VPN Based on GRE/IPsec
Delivering voice and video over an IPsec VPN requires more than just encrypting RTP packets. Cisco IOS VPN routers provide:
- Reliable voice quality under network congestion: voice-centric QoS with IPsec; basic queuing alone does not ensure voice and video quality
- Support for multicast voice and video applications: IPsec on its own can break multicast IP telephony and video applications, because IPsec carries only unicast; wrapping the traffic in GRE first is what makes multicast work over the VPN
- Resiliency at all points in the network: telephony and VPN resiliency at all sites
The Cisco Powered Network "IP VPN-Multiservice" designation for V3PN ensures quality for enterprises.

Slide 49: Business Continuity (D)
Business requirements: uninterrupted operation of business-critical applications; the network must stay up in the face of attacks and disasters.
Diagram: corporate office, branch office, small branch and small office/telecommuter sites, with WAN backup over the Internet and network foundation protection at every site.
- WAN backup: backup VPN over broadband (DSL, cable) or dial (PSTN, ISDN); head-end redundancy; survivable remote telephony. Seamless recovery from link failures; stateful head-end failover minimizes application interruption; independent remote-site telephony operation during disasters (SRST)
- Network foundation protection: DDoS protection, secure remote management, forensics. Device availability: Control Plane Protection, AutoSecure, rate limiting. Secure management access: SSHv2 for the CLI, SSL for web-based SDM. Security incident analysis: syslog, NetFlow, IP Source Tracker

Slide 50: Business Requirements Analysis (solution area D)

Questions:
- Do you have a disaster recovery plan that includes your business-critical network services?
- Are you considering using IP VPN as a backup for Frame Relay / leased lines?
- Do you have a plan to protect your network infrastructure from DDoS attacks or targeted attacks?

Notes:
- Network downtime due to natural or man-made disasters impacts uninterrupted access to mission-critical applications
- Many businesses use IP VPN as a backup; it is flexible and cost-effective
- If you are migrating to Broadband (xDSL), leverage existing Dial/ISDN links for dial backup
- Check the case study and ROI analysis

NO / YES decision:
- Select the right Secure WAN bundle based on performance and services
- Less expensive to purchase the Cisco Secure WAN solution now than to upgrade later
- Schedule a demo of the appropriate Business Continuity solutions: dial backup, stateful failover, SRST, CPP, AutoSecure, SDM

Slide 51: Business Continuity Drivers: Industry Averages for Costs of Downtime (solution area D)

Cost of downtime: $205 per employee-hour. More than just revenue is impacted: impaired performance, damaged reputation, employee frustration.

Industry sector          Revenue/hour   Revenue/employee-hour
Energy                   $2,817,846     $569
Telecommunications       $2,066,245     $186
Manufacturing            $1,610,654     $134
Financial institution    $1,495,134     $1,079
Insurance                $1,202,444     $370
Retail                   $1,107,274     $244
Transportation           $668,586       $107
Average                  $1,010,536     $205

Source: META Group, April 2004

Slide 52: Business Continuity Case Study: Backup for Frame Relay Using VPN (solution area D)

Business problem: business continuity through VPN backup for the WAN.

Real-life example: Network Appliance, unified storage solutions. Rapid growth: adding new offices, moving several large locations. Needed the flexibility and security to use the connectivity options available at each site.

Solution:
- Field offices have direct WAN and ISP connections
- If the WAN link goes down, traffic is re-routed to hub sites over the ISP link
- ISRs provide a single solution for T1/E1, DSL, Cable and DS3
- Scales incrementally: multiple DS-3 links can be deployed to each router without replacing the router itself
- Built-in security and QoS

Slide 53: Network Foundation Protection (NFP): Secure Business Must be Built on a Secure Fabric

Cisco Network Foundation Protection covers infrastructure control, performance protection and network lockdown.

- System-wide protection: protect traffic through the device; proactively mitigate network attacks
- Device protection: lock down the network device and protect services; the device remains operational even under attack

Hardened devices connected to deliver system-wide security. www.cisco.com/go/nfp

Slide 54: NFP: Maintaining Network Availability During DDoS Attacks

Diagram: Corporate Headquarters, Internet, Router, Branch VPN Router, NetFlow Collector or NAM.

- Control Plane Policing: protects access to the control plane, even during DDoS attacks
- NetFlow monitoring: monitors packets and increases infrastructure reliability and availability; provides early warning, while visibility into traffic flows helps you optimize network availability
- Network-Based Application Recognition (NBAR): helps identify worms and other attacks by tracking Layer 4-7 applications and protocols
- Out-of-band management: ensures access despite DoS attacks or congestion
- Role-based CLI access: provides partitioned, non-hierarchical access to CLI commands for secure, logical separation of router users (e.g. NetOps and SecOps)

Slide 55: Summary

Slide 56: Cisco Security Routers: Solving Enterprise Network Security Needs

- A. Secure Connectivity: encrypted VPN connectivity between sites or partners; secure remote access for telecommuters
- B. Data & Identity Protection: perimeter defense; outbreak prevention; admission control
- C. Secure Voice & Wireless: convergence of voice and data services; integration of wired and wireless
- D. Business Continuity: WAN backup; network foundation protection

Cisco Security Router services: VPN, WAN Backup, Network Admission Control, Application Firewall, Intrusion Prevention, Network Foundation Protection, Wireless, IP Telephony, URL Filtering.

Slide 57: Summary

- Cisco Security Routers give you defense-in-depth network protection
- Invest in Security Bundles now
- Gain migration credit for existing equipment

www.cisco.com/go/routersecurity


Slide 59: Secure WAN Bundles Summary: Cisco 800 - 3800 Routers

Solution sets: Baseline Security Bundles (-SEC), High Performance Bundles (-HSEC), Secure Voice Bundles (-V3PN), Secure Wireless Bundles (W-AG).

- A. Secure Connectivity: Site-to-Site VPN, Remote Access VPN, High-Performance VPN
- B. Data and Identity Protection: Perimeter Defense, Outbreak Prevention, Network Admission Control
- C. Secure Voice and Wireless: Voice Gateway, Call Manager Express, Wireless
- D. Business Continuity: WAN Backup, Network Foundation Protection

Slide 60: Secure WAN Bundles Summary: Cisco 7xxx Routers

Solution sets: 7200 High Performance VPN Bundles, 7301 High Performance VPN Bundles, 7600 High Performance VPN Bundles.

- A. Secure Connectivity: Site-to-Site VPN, Remote Access VPN, WebVPNSM (optional), High-Performance VPN
- B. Data & Identity Protection: Perimeter Defense, FWSM (optional), Outbreak Prevention, IDSM2 (optional), Network Admission Control
- C. Secure Voice & Wireless: Voice Gateway, Call Manager Express (optional upgrade?)
- D. Business Continuity: WAN Backup, Network Foundation Protection

Slide 61: Award-Winning ISRs: Product of the Year!

Network Computing 2005 Well Connected Awards, Product of the Year: Cisco Systems 2800 and 3800 Series. "…Cisco's new 3800 Series ISRs are products to 'DIE' for this year… designed with security and voice over IP, firewall, QoS, intrusion detection and call processing all without compromising performance."

Network Magazine 2005 Innovations Awards, Network Hardware Product Breakthrough: Cisco Systems Integrated Services Routers. "The combination of routing, switching, firewalling, NAT, intrusion prevention, (NAC), and encryption capabilities, coupled with its ability to provide a host of telephony services and voice mail, makes the ISR our choice …"

CRN 2005 Channel Champions Award in Routing and Switching: "For partners, the introduction of Cisco's Integrated Services Router platform … has been significant." "…very few vendors …are offering solutions that fundamentally change the way companies do business," (Ron Temske of Localis) said. "But Cisco does."

Interop Tokyo 2005 Best of Show: Cisco Systems 1812JW. "1812 JW integrates various security features -- such as firewall, VPN, IPS -- into one box, with excellent cost performance. Designed to have the required features and price to meet Japanese users' needs, we see Cisco Japan's efforts and commitment to capture Japan market."

Slide 62: Cisco Security Management Suite

Solution for configuring routers, appliances, switches and endpoints.

- Integrated Device Manager (SDM): quickest way to set up a device; configures all device parameters; wizards to configure FW, IPS, VPN, QoS and Wireless; ships with the device
- Cisco Security MARS: solution for monitoring and mitigation; uses control capabilities within the infrastructure to eliminate attacks; visualizes attack paths
- Cisco Security Auditor: today auditing is highly manual and costly; automated solution to audit against predefined best-practice policies; identifies violations and provides recommendations
- Cisco Security Manager: new solution for configuring routers, appliances and switches; new user-centered design; new levels of scalability

