
Next Generation Network Security Tech.



Presentation on theme: "Next Generation Network Security Tech."— Presentation transcript:

1 Next Generation Network Security Tech.
Tony Hsieh

2 Agenda: Changing nature of network security; Cisco’s SAFE Security blueprint; Cisco Security and VPN Solutions; Security Systems Integration; Conclusion

3 Changing Nature of Network Security

4 Most security devices were designed to secure networks like this
Networks of the 90s: PSTN, Frame Relay, X.25, Leased Line; Mobile User, Branch Office, Closed Network, Telecommuter.
Characteristics: isolated and trusted environments; secure the few public WAN connections; secure hosts with anti-virus.
Speaker notes: Simple closed networks. Network security is mainly done at a few demarcation points connecting these networks to the Internet (or partners). This edge security approach drives classic security technologies and solutions (overlay standalone firewalls, NIDS, content servers, and classic AAA services). At the other end is AV software on PCs to prevent mail and attachment attacks; this is an end-point approach to security. But business requirements are changing the paradigm, and the edge and end-point approach is having problems keeping up.

5 But networks of 2000 are changing and security demands are different
Networks of the 00s. Characteristics: distributed Internet connections to secure; need to open up data centers for more ubiquitous access; dramatic increase in employee mobility; increased use of new campus technologies like WLAN and IPT that provide more network access methods; growing damage due to viruses and worms.
Speaker notes: Today's world of networking and the Internet has formed a global IP network infrastructure, which is really a very large “network of networks”. All individual networks are now networked together and speak the same IP language, from the largest service provider network to enterprise and government networks, to smaller commercial and home networks. The world is now connected together with IP network technology, providing almost limitless opportunities for the future. Cisco is proud of its key role in creating this global IP network of networks. Most of the IP routers that form the backbone of this global network infrastructure are from Cisco and run Cisco IOS software, the operating system that runs this network of networks. Cisco’s main technology goal is to make the key products necessary to operate this network of networks. Cisco provides end-to-end network solutions for all parts of the network, from the core of the Internet to the Metro network to the local area network and broadband access devices. (Point to portions of the network.) This seamless, integrated network system has been designed largely due to requests from our major enterprise and service provider customers. They feel that the all-Cisco network is far easier to manage, is more reliable, has better performance, and can provide more advanced features than a network that is cobbled together with products from many different vendors. Since many Cisco products all run the same IOS network operating software, the all-Cisco network allows the latest networking features to be enabled throughout the network: security, quality of service, network management, and other advanced capabilities.
These advanced network features can bring enormous value and make your network infrastructure a true competitive advantage for your organization. And as we continue to migrate the voice and video networks to this global IP network, compatible equipment throughout the network becomes even more important, since the data now has strict time constraints in arriving across the complete worldwide network. A voice packet can't experience any more than a 50 millisecond delay or else the voice quality will suffer. One of Cisco's highest priorities is to continually improve this quality of service (QoS) capability inside Cisco IOS software. (Again, point to the network and show a voice path across the network, from enterprise to small business for instance.)

6 Threats Are Everywhere
Chart: sophistication of hacker tools (rising, low to high) against technical knowledge required (falling), 1980 to 2000. Labelled threats: Password Guessing, Password Cracking, Self Replicating Code, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sweepers, Sniffers, Packet Forging/Spoofing, Stealth Diagnostics, DDOS, Internet Worms.
Speaker notes: Hackers love making the news, and often do, but threats to corporate resources are everywhere. In fact, a Cisco study found that users inside the network also do significant damage, either intentionally or by accident. Here we’ve listed just a few of the many known “hacks” or threats that have emerged throughout the history of networks. As networks become more sophisticated, so do the hacker tools. In fact, today’s hackers don’t need extensive technical knowledge because these tools are readily available online along with instructions for using them. This obviously means that instead of a few brilliant hackers threatening networks, there are many more people of average intelligence and education who can, and do, cause trouble. It’s more important than ever to make sure that networks are secure.

7 Typical E-business Security Challenges
Firewalls = Access Control
Attack scenario. Step 1: Penetrate perimeter: exploit “permitted” conduits to pass attacks. Step 2: Decommission or compromise device: launch buffer overflow attack to plant Trojan horse. Step 3: Escalate privileges: use compromised system to access internal network.
Diagram: Internet, DMZ, E-commerce servers; policy: permit HTTP, permit FTP, permit SMTP.
Provides perimeter security that: blocks specific unwanted protocols; blocks communication over specific ports.
Cannot provide security for: malicious attacks contained within “permitted” traffic; threats including cgi-bin attacks, buffer overflows, fragmented, or Unicode attacks.

8 Typical E-Business Security Challenges
VPN = Privacy
Attack scenario. Step 1: Compromise extranet: attack the “weak link” in the extranet chain to gain back-door access to the corporate network. Step 2: Compromise remote access: exploit a weakness in remote access or dial-up devices to gain “trusted” access.
Provides data privacy by: encrypting contents of traffic; ensuring basic authentication of user.
Cannot provide security for: insider threat (80% of attacks come from “trusted” sources); malicious content embedded in encrypted traffic; site-to-site VPNs do not authenticate users or traffic.

9 Legal and Governmental Policy Issues
Organizations which operate vulnerable networks will face increasing and substantial liability. Federal legislation mandating security: Gramm-Leach-Bliley (GLB) financial services legislation; Government Information Security Reform Act; HIPAA (Health Insurance Portability and Accountability Act).
Speaker notes: For many businesses today, one of the biggest considerations for setting security policy is compliance with the law. We don’t have to tell you that we live in a litigious society. If I’m an Internet service provider and hundreds of e-Businesses rely on me to run their Web sites with 100 percent uptime, I’m potentially liable should a hacker or a virus take down my operation. The last thing I want an attorney to discover is that I didn’t take enough precautions, or I wasn’t current, in securing my network against internal or external threat! Similarly, if I’m running a publicly held e-Business, and a catastrophic attack seriously impairs my business, it’s entirely possible that I’ll hear from shareholders via proxy vote or lawsuit. We’re not aware of such lawsuits yet, but experts say it’s only a matter of time. Legal liability in such cases is likely to depend on what prevention technologies and practices are available and on whether these technologies and practices are reasonably cost-effective to implement. As a result, showing due diligence will mean everything from implementing technologies such as firewalls, intrusion-detection tools, content filters, traffic analyzers and virtual private networks to having best practices for continuous risk assessment and vulnerability testing.
Of course, litigation isn’t the only legal consideration that e-Businesses are facing today. Lawmaker concern over the lack of Internet security, particularly where it hampers rights to privacy, is growing. It’s a legitimate concern. Imagine doctors sharing the results of a public figure’s pregnancy or AIDS test on-line and having it intercepted midstream by a hacker who posts it to a public Web site. Or imagine your personal financial data becoming public record because a bank or the IRS has lax network security policies. Now, I deliberately threw out financial services, government and healthcare examples because all of those are currently scrambling to meet federally mandated guidelines for network security and privacy.
In financial services, there is the Gramm-Leach-Bliley bill, which was passed in 1999. The GLB Act erased long-standing antitrust laws that prohibited banks, insurance companies and securities firms from merging and sharing information with one another. The idea was that smaller firms would then be able to pursue acquisitions and/or alliances that would help drive competition against many of the larger financial institutions. Included in that law were several consumer privacy protections. Namely, companies must tell their customers what sorts of data they plan to share and with whom, and then give customers a chance to opt out of that data sharing. The law requires banks to send those notices to customers by July 1, 2001.
Government is contending with the Government Information Security Reform Act, which was passed last October, and directs federal agencies to beef up security plans for their computer systems. Representatives from the General Accounting Office (GAO) and other organizations recently told Congress that, despite this legislation, federal agencies are still falling short of dealing with key security issues. The FBI’s National Infrastructure Protection Center (NIPC) said there is a pending caseload of 1,219 government computer intrusions, including those into federal, state, local and military systems. A single case can consist of hundreds of compromised systems. So you can see there is still a long way to go to bring government up to speed. And, by the way, there is a multi-million, or billion, dollar opportunity for Cisco here as well. (Part of the law, for example, requires that federal agencies do some kind of vulnerability testing for their sub-agencies, but few agencies have conducted true penetration tests. A clear opportunity for Cisco Secure Consulting Services.)
On the healthcare side, HIPAA requires the Department of Health and Human Services to develop a set of national standards for healthcare transactions and provide assurance that the electronic transfer of confidential patient information will be as safe or safer than paper-based patient records. Compliance with HIPAA is estimated to cost the healthcare industry $4 billion, with 56% spent on infrastructure. By the way, we estimate this represents a $1.12 billion market opportunity for Cisco, and we are moving rapidly to help healthcare customers and resellers meet the challenge of HIPAA with new programs and services. I don’t know of any other security company that’s taking the lead in this area.

10 Changing Role of Security
Required for e-business: communicating and doing business safely in potentially unsafe environments; establishing a consistent, corporate-wide policy; centralized management and control; a continuous process that requires defense in depth.
Speaker notes: Information security is very often described as a very complicated, very technology-driven environment. I hope you agree that, even though (new) technologies are an important part, security is much more: it’s about people, policy, and management and control, just as in any of our businesses. Technology solutions are enablers that facilitate the task and should leave you time and money to spend on the non-technology-related issues. The biggest error IS managers made in the past is buying a firewall and feeling secure; a single point product cannot secure such an important and multifaceted environment as your business!

11 Solving the Problem – Security Policy and Process

12 Security Philosophy: The Security Wheel
A continual, multistage process focused on incremental improvement. Phases of the wheel: SECURE; MONITOR and RESPOND; TEST; MANAGE and IMPROVE.
Speaker notes: Instead, Cisco advocates what we refer to as “The Security Wheel.” Instead of looking at security as a one-time implementation, this New World “Security Wheel” approach views security as a business function, in that it is a continual, multi-stage process focused on incremental improvement. Just as with the Old World approach, clients develop a security policy (i.e. an idea of what they want and don’t want to occur on their network) and secure the network accordingly. In the Secure phase, clients install firewalls, encryption, authentication, etc.; in the physical security world, these static devices represent the locks on doors, fences, and badge readers. Then, just as in the physical world where clients use video cameras and motion sensors inside their facility, clients need to use intrusion detection to monitor the activity that is occurring on the network. These dynamic devices often have the ability to stop unauthorized activity as it is occurring and send details of the violation to a central console. The Test phase of the wheel consists of vulnerability scanning and consulting which is targeted at finding ways around the network’s security devices to penetrate the network and gain unauthorized privileges. In the physical world, this is analogous to a guard patrolling the halls and grounds of a building to make sure the doors and windows are locked, the fence is not cut, etc. Once a client has secured their network and knows what the configuration of the security devices should be; monitors the network and therefore knows what kind of attacks are confronting the network; and tests the network to find its vulnerabilities, then the client is in a position to make an educated business decision about what to do next.
Most likely, that decision will be to change the configuration of a security device, thereby starting the security wheel cycle again. By looking at security as a continual process focused on incremental improvement, users can help ensure that the security on their dynamic network is appropriate for its ever-increasing demands in the face of its ever-increasing threats.

13 The SAFE Security & VPN Blueprint
To address the security requirements in this dynamic, changing environment, Cisco is introducing its SAFE initiative... Presentation_ID © 1999, Cisco Systems, Inc. 13

14 Cisco AVVID Architecture
Architecture for Voice, Video and Integrated Data. Diagram labels: IP Telephony; Enterprise Mobility; Security/VPN; Campus LAN; International Sales Offices; Multiservice WAN (SONET, IP, ATM, Frame Relay); Suppliers; Campus/WAN Backbone; Mainframe; Video Conferencing; Multi-Gigabit Ethernet; ISDN; Telecommuters; PSTN; Mobile Users; Content Networking; Storage.

15 Cisco’s Vision for Integrated Network Security
Network Integration; Embedded Transparent Network Security; Security Services Integration; Intelligent Self-Defending Networks; Network Application/Security Convergence; Business Resiliency; Endpoint Integration; Context-based Security and Networking; Integrated Network and Security Management; Scalable Systems.

16 Network Security Components
Components: Secure Connectivity (VPN); Perimeter Security (Firewalls); Security Monitoring (Intrusion Detection, Scanning); Identity (Authentication); Security Management (Policy). Diagram label: Internet.
Speaker notes: So what are the critical network security elements that are part of the SAFE blueprint? VPN solutions for Secure Connectivity, enabling private, secure communication over the Internet using dedicated VPN concentrators and gateways or VPN-enabled routers. Solutions for Perimeter Security: robust mechanisms to restrict network access like firewalls and access control features in routers. Solutions for Security Monitoring: real-time intrusion detection systems to protect against network attacks and misuse, and vulnerability scanning tools to proactively find security holes before hackers do. Identity solutions help identify and authenticate users and what they are permitted to do on the network. And finally Security Management solutions: comprehensive management tools that provide the glue for all of these critical security elements and enable enforcement and monitoring of your security policy. Let’s take a closer look and see how some of these solutions address e-business challenges.

17 Cisco SAFE: Architectural Framework for Integrated Network Security
NEW. Chart: risk mitigation (low to high) against application and services integration. Layers: Network Infrastructure; Identity Services; Perimeter Security; Extended Secure Connectivity; Intrusion Detection and Protection; Security Management and Monitoring.
SAFE provides a defense-in-depth approach to security services. SAFE enables integration of security services into the network infrastructure. SAFE integrates security with intelligent “network” services. SAFE is delivered through appliances and integrated security within routers and switches. SAFE expanded to include Catalyst 6500 Series.

18 Management Building Distribution Core Edge Server E-Commerce
Diagram labels: Corporate Internet; VPN/Remote Access; WAN; ISP; PSTN; FR/ATM.
Speaker notes: That’s why we created the SAFE blueprint for secure e-business: to show you how to build security into Cisco AVVID networks. The foundation of the SAFE blueprint is understanding the security threats and responses appropriate for each functional area in the network, and figuring out how to meet these requirements with performance, scalability, and resiliency. The unique aspect of this blueprint is that it is lab tested and fully documented, with specific design and configuration guidelines for each element, including both Cisco products and those of our security partners in our AVVID ecosystem.

19 SAFE Example Corporate Internet Module
Diagram labels: Cisco IOS Router (spoof mitigation; DDoS rate-limiting; basic filtering); Cisco Secure IDS Appliance (focused Layer 4–7 analysis on the DMZ, broad Layer 4–7 analysis on the inside); Public Web Servers (host IDS for local attack mitigation); Cisco Secure PIX Firewall (stateful packet filtering; basic Layer 7 filtering; host DoS mitigation); Content Inspection Servers (SMTP content inspection; inspect outbound traffic for unauthorized URLs); connections to ISP Module, Edge Distribution Module, and VPN/Remote Access Module.
Speaker notes: One of the modules that ACME.com should include is the “Corporate Internet” module. This module provides two main functions: 1) it enables internal users to access the Internet, and 2) it allows Internet users access to information on the public Web servers (in the “DMZ”). The design of this Cisco SAFE module incorporates many critical security elements. First, there is a pair of Cisco Secure PIX Firewalls in the center of the diagram. These firewalls are deployed in a stateful failover mode, and they protect the public web servers, inspect traffic, restrict traffic from the DMZ to the internal network, and provide NAT services for users on the internal network, among other duties. On the right-hand side, two Cisco IOS Routers provide basic filtering with ACLs, and they are backed up by two Cisco Secure IDS appliances to protect against network-based attacks. Cisco also suggests that ACME work with its ISPs to ensure they are providing rate limiting to mitigate Distributed Denial of Service (DDoS) attacks that would choke the bandwidth of the ISP connection. A Cisco Secure IDS appliance is deployed in the DMZ to detect any attacks that could have possibly gotten through the firewall (typically application-level attacks against a specific service or a password attack). On each of the Web servers in the DMZ, ACME should employ host-based intrusion detection to monitor for any rogue activity on the servers. An IDS appliance is also deployed on the inside interface of the firewall for defense in depth (possible firewall change/misconfiguration, highly sophisticated attack, etc.). In the content inspection area at the bottom of the diagram, ACME should deploy URL filtering to inspect outbound traffic for unauthorized Web requests.

20 SAFE Example Attack Mitigation Roles for Remote Sites
Diagram: ISP; Broadband Access Device; Internet.
Software Access Option: VPN software client with personal firewall; personal firewall and virus scanning for local attack mitigation; authenticate remote site; terminate IPSec.
Remote Site Firewall Option: home office firewall with VPN; stateful packet filtering, basic Layer 7 filtering, host DoS mitigation; authenticate remote site; terminate IPSec; virus scanning for local attack mitigation.
Hardware VPN Client Option: hardware VPN client; authenticate remote site; terminate IPSec; personal firewall and virus scanning for local attack mitigation.
Remote Site Router Option: router with firewall and VPN; stateful packet filtering, basic Layer 7 filtering, host DoS mitigation; authenticate remote site; terminate IPSec; virus scanning for local attack mitigation.

21 Attack Mitigation Roles for Standard LEAP WLAN Design
Wireless computer with LEAP: virus scanning; LEAP authentication; WEP enhancements. Access point with LEAP: LEAP authentication; WEP enhancements. DHCP/RADIUS servers: LEAP authentication; dynamic WEP key generation. Also shown: inter-subnet filtering; RFC 2827 filtering.

22 Attack Mitigation Roles for Standard VPN WLAN Design
Wireless computer with VPN client: authenticate remote VPN gateway; terminate IPSec; personal firewall for local attack mitigation. Access point. VPN concentrator: authenticate remote users; terminate IPSec. DHCP/RADIUS/OTP servers: two-factor authentication. Also shown: RFC 2827 filtering; inter-subnet filtering; packet filtering.

23 Large Enterprise LEAP WLAN Design
Diagram labels: Wireless Computer with Cisco LEAP (two shown); Building Module; Building Distribution Module; Core Module; Edge Distribution Module; Server Module (RADIUS Server, DHCP Server); connections to eCommerce Module, Corporate Internet Module, VPN/Remote Access Module, and WAN Module. Design notes on the diagram: ingress filtering limited to IKE and ESP protocols; tunnels terminated in front of FW; dedicated link for clear text traffic between IPSec device and FW.

24 Large Enterprise VPN WLAN Design
Diagram labels: Wireless Computer with VPN Client (two shown); VPN Concentrator Cluster; Building Module; Building Distribution Module; Core Module; Edge Distribution Module; Server Module (RADIUS Server, DHCP Server); connections to E-Commerce Module, Corporate Internet Module, VPN/Remote-Access Module, and WAN Module. Design notes on the diagram: ingress filtering limited to IKE and ESP protocols; tunnels terminated in front of FW; dedicated link for clear text traffic between IPSec device and FW.
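The filtering roles that the SAFE diagrams assign to the Cisco IOS edge router (spoof mitigation and RFC 2827 filtering in the Corporate Internet module on slide 19, the "ingress filtering limited to IKE and ESP" in front of the VPN device on slides 23 and 24, basic filtering toward the DMZ, and DDoS rate limiting) can be expressed as one IOS configuration. The following is an added example written for this page; it is not taken from the presentation or from Cisco's SAFE documents. The addresses (RFC 5737 documentation ranges), interface names, ACL names and rate values are constructed for illustration.

```cisco
! Added example: SAFE edge-router filtering roles in Cisco IOS.
! All addresses are constructed (RFC 5737 documentation space):
!   192.0.2.0/24   enterprise public block     192.0.2.10  VPN concentrator (outside)
!   192.0.2.20     public web server (DMZ)     192.0.2.25  SMTP relay (DMZ)
!   203.0.113.0/30 point-to-point link to the ISP module
ip cef
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! RFC 2827 (BCP 38) ingress filtering plus basic filtering, applied inbound on the
! ISP-facing interface. The router is only the first, coarse layer: the stateful
! firewall behind it applies the per-service policy.
ip access-list extended INTERNET-IN
 remark Spoof mitigation: the Internet never legitimately sources packets from our own block
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark RFC 1918 and loopback sources cannot legitimately arrive from the ISP
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Ingress to the VPN device is limited to IKE (UDP/500) and ESP (IP protocol 50);
 remark tunnels terminate on it in front of the firewall
 permit udp any host 192.0.2.10 eq isakmp
 permit esp any host 192.0.2.10
 deny   ip  any host 192.0.2.10 log
 remark Basic filtering: only published DMZ services are reachable from outside
 permit tcp any host 192.0.2.20 eq www
 permit tcp any host 192.0.2.25 eq smtp
 remark Everything else addressed to our block goes on to the stateful firewall
 permit ip  any 192.0.2.0 0.0.0.255
 deny   ip  any any log
!
! RFC 2827 egress filtering: nothing leaves with a source address that is not ours,
! so a compromised internal host cannot take part in a spoofed-source flood
ip access-list extended INTERNET-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Classifiers for committed access rate (CAR) limits on flood-prone traffic
access-list 150 permit icmp any any
access-list 151 permit udp any any
!
interface Serial0/0
 description Link to ISP module
 ip address 203.0.113.2 255.255.255.252
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
! DDoS rate limiting: ICMP capped at 256 kbit/s, UDP at 1 Mbit/s (constructed values)
 rate-limit input access-group 150 256000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 151 1000000 16000 16000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description Link to edge distribution / firewall outside
 ip address 192.0.2.1 255.255.255.0
! Strict unicast RPF on the inside interface: a packet whose source address is not
! routed back through this interface is dropped, which catches spoofing from inside
 ip verify unicast source reachable-via rx
```

Order matters in INTERNET-IN: the spoof and bogon denies come first, and the concentrator-specific rule precedes the general permit so that anything other than IKE or ESP aimed at 192.0.2.10 is dropped and logged before the broader rule is reached. Unicast RPF requires CEF, which is why `ip cef` is enabled. The `log` keywords on the deny lines are what feed the monitoring side of the security wheel: counts of logged drops on the spoof rules are an early indicator that an internal host is sourcing spoofed traffic.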

25 Cisco Security and VPN Solutions
In addition to introducing the Cisco SAFE framework, Cisco is also announcing several new products and security ecosystem enhancements. Presentation_ID © 1999, Cisco Systems, Inc. 25

26 Cisco Security Solutions
Components: Secure Connectivity (VPN); Perimeter Security (Firewalls); Intrusion Protection (Intrusion Detection, Scanning); Identity (Authentication); Security Management (Policy). Delivery: Management Applications; Server-Based Services; Software; Appliance Overlay Solutions; Router Integrated Solutions.
Speaker notes: Cisco is addressing each of these key security components with specific products and technologies. Whereas other companies provide pieces of the puzzle, Cisco is the only leading security company offering a complete solution as opposed to point products. This is a key differentiator for us. To be honest, not everyone has bought off on the concept that you want a one-stop shop for all of your network security needs. But it seems to be working for us, as I’ll discuss shortly. At this point, it’s important to note that there are specific products or technologies that address each of these key network security components: VPN products for secure connectivity, firewall technology for perimeter security, intrusion detection scanning software and appliances for security monitoring, and so on. Won’t go into detail, but want to note a few things: VPN solutions include firewalls, concentrators and routers (the industry’s most comprehensive portfolio). We also have a comprehensive firewall offering with PIX and Cisco IOS Firewall. Based on our numbers, we believe we’ve held market leadership in firewalls for about a year now, and we’re just starting to see analyst reports coming out to validate that fact. I’ll come back to this point shortly.
So what are the key security components of a Cisco SAFE network? Cisco provides many of the critical elements, including solutions for: Secure Connectivity: these solutions enable private, secure connectivity in public environments, and include dedicated VPN gateways and concentrators and the tunneling and encryption mechanisms in routers and firewalls. Perimeter Security: these solutions restrict access to network resources, and include Access Control Lists (ACLs) and firewalls. Security Monitoring: these solutions provide additional security capabilities, including real-time intrusion detection systems to protect against network attacks and misuse, and vulnerability scanning tools to proactively find security holes before hackers do. Identity: these solutions help identify users and what they are permitted to do on the network; solutions in this area include authentication systems, AAA servers, PKI solutions, smart cards, etc. Security Management: a robust management infrastructure provides the glue for the elements above, and includes the requisite device and policy management mechanisms for the key security elements in the network.

27 Cisco Security Solutions
Secure Connectivity (VPN): Cisco VPN Concentrators, Cisco PIX Firewalls; router-integrated: Cisco IOS VPN.
Perimeter Security (Firewalls): Cisco PIX Firewalls; router-integrated: Cisco IOS Firewall.
Intrusion Protection (Intrusion Detection, Scanning): Cisco IDS Appliances; router-integrated: Cisco IOS IDS.
Identity (Authentication): Cisco Access Control Server.
Security Management (Policy): CiscoWorks VPN Management Solution, Cisco Secure Policy Manager, Web Device Managers.

28 Catalyst 6500 Series Delivering Integrated Network Security
NEW. Catalyst 6500 Series Delivering Integrated Network Security (chart axis: risk mitigation, low to high).
Identity Services: secure AAA with TACACS and RADIUS; 802.1x authentication; DHCP Interface Tracker; dynamic VLANs.
Perimeter Security: wire-rate L2/3/4 ACLs, protocol filtering; port security; Unicast RPF check; multi-gigabit firewall.
Secure Connectivity: Secure Shell, port security, PVLAN; multi-gigabit IPsec VPN; gigabit SSL acceleration.
Intrusion Detection and Protection: integrated Intrusion Detection System (IDS); 2nd generation gigabit IDS (Q4CY02).
Security Management and Monitoring: gigabit network analysis and monitoring; Catalyst Device Manager (Firewall, VPN, SSL, NAM) (Q1FY03); Cisco Management Center for global security policy management (Q2FY03).

29 Secure Connectivity: Virtual Private Network Solutions

30 Benefits of VPNs Flexibility Network Cost Scalability Security
Flexibility: extend network to remote users; enable extranet connectivity to business partners; ability to set up and restructure networks quickly.
Network Cost: dedicated bandwidth and dial-up cost savings; delivers cost-effective remote site bandwidth for new applications; reduced WAN and dial infrastructure expenditures.
Scalability: leverages and extends classic WAN to more remote and external users; improved geographic coverage; simplified WAN operations.
Security: encryption/confidentiality, authentication, integrity.

31 VPN Types and Applications
VPN type | Application | Alternative to | Benefits | Timing
Remote Access VPN | Remote dial connectivity | Direct dial, ISDN | Ubiquitous access, lower cost | Evolution away from dial
Site-to-Site VPN | Branch office connectivity | Leased line, Frame Relay, ATM | Extend connectivity, increased bandwidth | Next generation of WAN infrastructure
Extranet VPN | Biz-to-biz connectivity | Fax, EDI, mail | | Enables e-commerce efficiencies

32 Secure Connectivity: Remote Access VPNs

33 Work Happens Everywhere Increasing Need for Transparent Corporate Connectivity
On the Road (hotels, airports, convention centers): 280 million business trips a year; productivity decline away from office >60–65%. At Home (teleworking): 137 million telecommuters by 2003; 40% of U.S. telecommuters from large or mid-size firms. At Work (branch offices, business partners): e-business requires agile networks; branch offices should go where the talent is.
Speaker notes: Remote working, in home offices, on the road, at remote offices, is one of the ways enterprises are looking to reduce costs and increase productivity. The statistics bear this out. Whether it’s people working on the road or working from home, getting remote access to the network is often a necessity. Look at the productivity decline when workers are on the road away from the office: over 60 percent! And no wonder: logon speeds are painfully slow, and connections are often difficult to configure. Even at the office, people are often moving around campus, some moving from building to building; some people spend long hours in conference rooms. Others may be on the factory floor or in a distribution center. In all of these locations, being able to access the corporate network in a timely fashion can often dramatically increase productivity. Transition: Given these facts, the urgency to increase productivity, drive down costs, and stay competitive, an interesting paradox has developed that begs a question every corporation should be asking...
Sources: On the Road (TIA Travel Poll, 11/99); At Home (Gartner 2001, Cahners In-Stat 5/01); At Work (Wharton Center for Applied Research)

34 Mobility on the Road
Diagram labels: Coffee Shop; Airport; Hotel; Enterprise Network; 3rd Party Broadband Roaming/Settlement/Billing Service; Internet; Cisco PIX Firewall; Cisco Router (T1/T3); Cisco 3000 VPN Concentrator (T1); Cisco ACS RADIUS Server; Aironet 350 Access Point; Catalyst 3524-PWR XL; Catalyst 3550 XL; Catalyst 2900 LRE-XL; Building Broadband Services Manager (BBSM); Cisco 2600/1700 Router; Cisco BBSM; PBX; Concourse Fiber Run; Meeting Rooms; POTS Splitter; Hotel Rooms; Cisco 575 LRE CPE; Aironet Series 350 NIC and VPN 3000 Client software on laptops and PDAs.
Speaker notes: Cisco essentially glues together its switching, routing and access products with its wired and wireless technologies to provide an end-to-end mobility infrastructure that’s secure, highly available and that supports QoS in all its key components. For on-the-road business professionals in public access hotspots, use of a VPN client combined with multi-tiered wireless security and RADIUS authentication ensures secure access to corporate and Internet accounts via a variety of smart devices including laptops and PDAs. Layer 3 routers and switches, deployed in redundant designs, ensure the hot spot’s backhaul network is always up and running at high speed for the SPs and Cisco venue partners who deliver public access services using Cisco solutions. Back at the enterprise, VPN tunnel termination concentrators, RADIUS server and PIX firewalls assure security of the enterprise’s perimeter. Ecosystem partners add to the richness of the solution by offering additional services to enterprise customers, such as broadband roaming and integrated billing (and to SPs they provide settlement services that extend SPs’ footprints, then revenue sharing across hot spots).

35 VPN Client Connectivity
PIX 6.0 Cisco’s VPN Client can terminate on all of our VPN platforms! PIX VPN 3.0 VPN 3000 IOS 12.2(8)T IOS Benefits: Little client side configuration Server side pushes policy to any authenticated clients

36 Mobile Users VPN Client v3.5 PDA Client v1.1
Platforms: Windows 95 OSR2, 98, ME, NT4, 2000, XP New Platforms: Linux (August), Solaris (December – v3.5), MacOS X (December – v3.5) New Features (v3.1): Entrust Entelligence support, Personal firewall enforcement (Zone Alarm & BlackICE) New Features (v3.5): IPSec/TCP, NT password expiration, Integrated stateful firewall, smart-card support Supported on: VPN 3000 Concentrators, PIX Firewalls, IOS Routers (2002Q1) PDA Client v1.1 Platforms: PalmOS v3.5 and WinCE v3.0 Devices: Palm III, V & Vx, Casio Cassiopeia, Compaq iPAQ & Aero, Handspring Prism & Platinum, HP Jornada, NEC MobilePro and Vadem Clio Download:

37 Push VPN Policy with Cisco Easy VPN
VPN functions are assigned IKE Mode Config Attributes; several parameters may be pushed at once Central Site Teleworker / Small Branch Office HQ SBO Internet Cisco 1700 Cisco Easy VPN Server on Central Site Gateways with security policy repository (Cisco CVPN 3000, Cisco IOS Router, Cisco PIX Firewall) Mobile Workers Attributes Internal IP Address Internal NetMask Internal DNS Server Internal WINS Server Split tunnel allowed when VPN tunnel is up (remote site traffic goes in the clear)

38 Easy VPN: Remotes act like VPN HW client
Servers Easy VPN allows any Cisco ‘hub’ VPN device to manage any Cisco ‘spoke’ VPN device Easy VPN – Dynamic Policy Management PIX 501 PIX 515 VPN 3005 PIX 506 IPSec VPN VPN 3015 VPN 3002 806 7400 1700 7200 SOHO 71 2600 / 3600 Pass thru VPN only VPN client

39 Secure Connectivity: Site to Site VPNs
In addition to introducing the Cisco SAFE framework, Cisco is also announcing several new products and security ecosystem enhancements. Presentation_ID © 1999, Cisco Systems, Inc. 39

40 Security and VPN Message
Deliver comprehensive network security services and connectivity Full integration into the network infrastructure Flexible, adaptive deployments Seamless converged networks

41 Cisco VPN Enabled Routers
Replaces and augments private networks that use leased lines, Frame Relay or ATM. Connects remote, branch office and central sites. Enables customers to avoid exorbitant 800-number costs as well as modem technology. Implement at the WAN edge.

42 Cisco Site-to-Site VPN Solutions Scalability for Every Site
Cisco 7100 & 7200 Series 7100 for dedicated VPN head-end 7200 for hybrid private WAN + VPN connectivity Cisco 1700 Series VPN-optimized router connecting remote offices at T1/E1 speeds Remote Office Main Office Regional Office Internet Cisco 2600 & 3600 Series VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds Cisco 800 & 900 Series VPN-optimized routers for ISDN, DSL, and cable connectivity Small Office/ Home Office

43 Site-to-Site VPN Scalability and Features Summary
Up to 140 Mbps 3DES throughput and 3000 tunnels Network Resiliency Dynamic Route Recovery - using routing protocols through IPsec secured GRE tunnels Dynamic Tunnel Recovery - using IPSec (IKE) Keep-Alives Perimeter Security Cisco IOS Firewall – excellent for remote office single device solutions Bandwidth Optimization and QoS Application aware bandwidth allocation, queuing, policing, traffic shaping Ensures quality of latency sensitive traffic Deployment Flexibility Interface flexibility for combined WAN+VPN or behind-edge VPN Use as standalone VPN device or integrated multi-function device Summary of points made throughout the presentation.

44 Cisco 7400 Series VPN Router Standard Components
VPN Acceleration Module (VAM) for 140 Mbps 3DES encryption performance. Embedded route processor and 128 MB memory (upgradeable to 512 MB). Saving of $6,500; Price: $18,500; Availability: May 2002. 1 RU, single AC power. Base configuration includes IOS IPSec 3DES software and VPN Device Manager web-based management. Use embedded dual RJ-45 10/100 Fast Ethernet -or- dual Gigabit Ethernet for behind WAN-edge VPN connectivity.

45 Voice and Video Enabled VPN – V3PN
VPN Tunnels Remote Workers Main Office LAN Remote Office LAN VPN WAN VPN IP IP PSTN PSTN Connect offices using site-to-site VPNs, use the VPN to transport IP Telephony traffic Provide remote access VPN connectivity to telecommuters and remote workers, extend the PBX to them using the VPN

46 Phase I: Secured Site-to-Site Multi-Service VPN
Delivering voice and video over an IPSec VPN requires more than just encrypting RTP packets Cisco IOS VPN Routers provide: Reliable voice quality in network congestion QoS that interoperates with IPSec Voice-centric QoS – basic queuing alone does not ensure voice and video quality Scalable support for low latency network topologies Latency requirements drive hierarchical and meshed networks

47 Phase I: Secured Site-to-Site Multi-Service VPN, cont’d
Building a voice and video enabled IPSec VPN requires more than just connecting boxes End-to-End V3PN deployment model ensures: Interoperable network infrastructure and architecture from end-to-end Overarching deployment model for VPN and converged IP network design Ensuring all equipment in the network interoperates to support secure delivery of toll-quality voice/video Resiliency at all points in the network Telephony and VPN resiliency at all sites New “Cisco Powered Network” designation for V3PN Ensures quality for enterprises, High value service for service providers

48 Secured Site-to-Site Multi-Service VPN Platform Components
VPN Device – Cisco IOS VPN Routers Performs encryption, tunneling, QoS for encrypted traffic, routing for resiliency IP Phone – Cisco IP Phone 7900 IP phone handset, Ethernet powered, QoS marking at the phone Main Office LAN VPN IP VPN PIX Voice Gatekeeper – Cisco CallManager Performs call setup, teardown, and manages reachability for IP Phones. Host IDS protects against attacks. Firewall – PIX Firewall Statefully inspects Cisco IP Telephony and Video streams Remote Office IP Remote Office Gateway – Cisco IOS Routers Single box solution for VPN, voice/video, WAN, firewall, and IP Phone connectivity. Provides SRST voice resiliency.

49 Case Study Electronic Trading Group - NY
Before: Private Frame Relay (NY, Frame Relay Service Provider, Branch Offices): 23 sites – $38k per month, 1 month site installation time. After: V3PN (NY, Branch Offices): 23 sites – $24k per month, 2 week site installation time. Speaks for itself.

50 Cisco Internal V3PN Deployment
QoS Enabled SP San Jose VPN Tunnel CM CM VM VM Field Offices SJ SP’s Cisco Private IP WAN Cisco is using V3PN for its own remote and home office connectivity. CM QoS enabled SP’s VM SJ Teleworker’s RTP SP’s RTP RTP Teleworker’s

51 Perimeter Security: Firewall Solutions

52 Cisco Firewall Family Investment Protection Reliability Performance
Software Based Appliance Based Module Based PIX 501 800, 900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, 7500, 7600 Routers PIX 506E PIX 515E PIX 525 Catalyst 5000 RSM Catalyst 6500 MSFC2 Cisco’s family of PIX Firewalls delivers excellent price-performance in stackable and rackable form factors for the wiring closet. Included in the family are inexpensive standalone firewalls and modular, flexible chassis systems that offer extensive scalability, reliability, and value-added features that address multiple aspects of network security. PIX 535 Catalyst 6500 & Cisco 7600 Investment Protection Reliability Performance

53 Cisco Secure Firewall Solutions - PIX and Cisco IOS
All traffic from inside to outside and vice-versa must pass through the firewall Only authorized traffic is allowed Cisco IOS firewall Embedded software solution Provides Firewalling and IDS Cisco Secure PIX firewall Dedicated firewall appliance High-performance Scalable Fault-tolerant

54 PDM 2.0 Main Menu

55 Simply More Secure: Industry’s Toughest EAL-4 Certification
PIX is the only widely adopted firewall with EAL-4 certification, based on the NSA “Orange Book” TCSEC and European/Australian ITSEC standards. Recognized in 14 countries today. Nokia has no EAL certification and Check Point has EAL-2 certification. FIPS-140 Certification: PIX has FIPS-140 certification, an extremely important certification for Federal government. Netscreen does not have FIPS-140 certification. Integrated IDS Signatures: PIX has over 50 inline integrated IDS signatures. Nokia has fewer than five. Specialized Secure Operating System: PIX runs on a security-specialized, closed operating system. Nokia runs on a hardened BSDI UNIX operating system, but make no mistake, this appliance is still running an OS, still has a hard drive, and is still prone to security integrity issues from the UNIX OS.

56 Intrusion Protection Primer
The purpose of today’s discussion is to cover the Security Monitoring technology set.

57 Defense-In-Depth: A Layered Solution
Host- Focused Technology Application level encryption protection Policy enforcement (resource control) Web application protection Buffer overflow Distributed Denial-of-service detection Network attack & reconnaissance detection Instrumentation Misuse of resources (host-only) Efficiency based on placement Network- Focused Technology 1 + 1 = 3

58 Anomaly vs. Signature Detection
Anomaly detection: Define normal, authorized activity, and consider everything else to be potentially malicious. Misuse/signature detection: Explicitly define what activity should be considered malicious. Cisco has identified the pros & cons and uses both technologies in our IPS offerings.
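As an added example (not from the presentation or from Cisco's sensors), the two approaches side by side in Python: a signature engine that matches explicitly defined patterns, and an anomaly detector that learns each host's normal destination ports from a training set and flags anything else. The hosts, ports, payloads and the two signatures are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample connection records (not from the original slide):
# (source host, destination port, payload snippet).
TRAINING = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.0"),
    ("10.0.0.5", 443, ""),
    ("10.0.0.5", 80, "GET /about.html HTTP/1.0"),
    ("10.0.0.6", 25, "EHLO mail.example.test"),
    ("10.0.0.6", 25, "MAIL FROM:<a@example.test>"),
]

TEST = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.0"),          # normal, no signature
    ("10.0.0.5", 23, "login: "),                           # never-seen port, no signature
    ("10.0.0.6", 25, "RCPT TO:</etc/passwd>"),             # normal port, known pattern
    ("10.0.0.7", 80, "GET /../../../etc/passwd HTTP/1.0"), # unknown host and known pattern
]

# Misuse/signature detection: explicit patterns that are considered malicious.
SIGNATURES = {
    "unix-passwd-access": re.compile(r"/etc/passwd"),
    "dir-traversal": re.compile(r"\.\./"),
}


def signature_matches(payload):
    """Return the names of all signatures whose pattern appears in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


class AnomalyDetector:
    """Learn each host's 'normal' destination ports; anything else is suspicious."""

    def __init__(self):
        self.baseline = defaultdict(set)

    def learn(self, records):
        for host, port, _ in records:
            self.baseline[host].add(port)

    def is_anomalous(self, host, port):
        # A host with no baseline at all gets every connection flagged.
        return port not in self.baseline.get(host, set())


def classify(training, records):
    """Run both techniques; return (host, port, anomalous?, signature hits) per record."""
    detector = AnomalyDetector()
    detector.learn(training)
    return [
        (host, port, detector.is_anomalous(host, port), signature_matches(payload))
        for host, port, payload in records
    ]


if __name__ == "__main__":
    for row in classify(TRAINING, TEST):
        print(row)
```

The last two records show why the slide says both are needed: the signature engine catches a known pattern on a port the host normally uses, and the anomaly detector flags a never-seen host before any signature exists. The cost is the false positives a pure anomaly engine raises whenever legitimate behaviour changes, which is why the baseline should be re-learned deliberately rather than continuously.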

59 Pervasive Protection IDS Everywhere
Solution Breadth Network Sensor 4210 4220 4230 4235 4250 Switch Sensor IDSM-1 Host Sensor Standard Sensor Web Sensor Router Sensor 1700 2600 3xxx 7xxx Firewall Sensor 501 506E 515E 525 535 Secure Command Line Web UI Embedded Mgr Enterprise Mgmt VMS Mgmt

60 Host Sensor Comprehensive protection for the server OS and server applications utilizing call interception techniques Sophisticated attack protection OS and application attacks Buffer Overflow attacks Web server application attacks SSL encrypted HTTP attacks Prevents access to server resources before any unauthorized activity occurs Low Hi Risk Mitigation

61 How it Works: Graphical Representation
Shielding technology is used to provide a protective envelope around the Web server, ensuring the integrity of the Web server, its applications and files, including customers' valuable data. This shielding technology enables IDS Host to protect Web servers from both known and unknown attacks. Host based IDS installs close to the Operating System and intercepts System and API Calls. By comparing them with known exploit behavior, it can reject them before the OS processes them in case of malicious intent. IDS Host is a kernel-level security technology; however, it is important to understand that it does not modify the OS kernel in any way. It intercepts System and API calls, understands their parameters and context, evaluates them in real-time against malicious behavior, and then lets them proceed to be processed by the OS, or rejects them. All exploits need to use OS resources in order to achieve anything. Therefore, the System Call/API Call interface is the logical place to reside in order to have a complete view and understanding of a machine’s processing environment. Also, in order to be proactive vs. reactive, a protection system needs to reside at that level if it wants to have the capability to prevent hacks in real-time. “OS protection” refers to specific (point) signatures that deal with specific exploits and hacking tools, generic signatures that deal with whole classes of intrusions (such as buffer overflow exploits), and resource protection signatures that deal with locking down (hardening) security-related resources of the Operating System (such as registry keys, files, etc). On the application level, IDS Host implements two specific layers of protection for the IIS and Apache Web servers. First of all, the engine offering HTTP protection looks at the incoming HTTP stream and determines whether requests try to exploit known vulnerabilities of the Web server (such as directory traversal, illegal code execution, etc). 
If a malicious request is encountered, it is discarded before it ever reaches the Web server for processing. This is analogous to the behavior at the OS level: if a malicious System Call or API call is encountered, it is discarded before it reaches the OS kernel for processing. It is important to understand that this HTTP protection also works if the stream is encrypted with SSL – both firewalls and network-based IDS are ‘blind’ in that case. Then, second, Shielding prevents malicious users from tampering with any resources of the Web Server (modifying config files, stopping the service or daemon, etc.), or from misusing the Web server process for any non-sanctioned action.

62 Router Sensor IOS-IDS Router and switch-integrated intrusion detection technology targeted at lower risk environments Software: IOS 12.0(5)T+ Platforms: 1700, 2600, 3xxx, 7xxx routers, RSM, MSFC Signatures: 59 Response: drop and reset Low Hi Risk Mitigation

63 Firewall Sensor Pix Firewall IDS
Firewall integrated intrusion detection technology targeted at lower risk environments Software: PIX v5.2+ Platforms: 501, 506, 506E, 515, 515E, 520, 525, 535 Signatures: 57 (since 6.0) Syslog alarming Response: drop and reset Low Hi Risk Mitigation

64 IDS Device Manager Integrated, Web-Based Management
New IDS Device Manager Integrated, Web-Based Management Leveraging Cisco’s three-tiered Internet Management strategy. Delivering easy, web-based IDS management providing enhanced tuning and signature support. Key Features Device embedded Secure management via SSL Custom, secure web server Wizard-based UI Common UI framework with CiscoWorks What it does for the customer Turn-key Upgradeability Price/performance Solving specific problems Huge issue they are struggling with Price: $0 (Incl. with sensor software) Availability: April 2002

65 IDS Event Manager Advanced Threat Management
New IDS Event Manager Advanced Threat Management Enabling customers to collect and correlate network event data, providing rapid, advanced threat mitigation capabilities Key Features Graphical and tabular event analysis Customizable views and filters Time-based trending Underlying MySQL database Support for up to three devices What it does for the customer Turn-key Upgradeability Price/performance Solving specific problems Huge issue they are struggling with Price: $0 (Incl. with sensor software) Availability: April 2002

66 Cisco Network IPS Sensor Key Benefits
Features a Network Security Database of every alarm including severity, description, and CVE index Bi-weekly updates of alarm signatures Signature & anomaly based intrusion detection using a significant number of micro engines Protocol decode of application layer based packets De-obfuscation to protect against Unicode attacks such as whisker v1.4 Fragmentation re-assembly TCP stream re-assembly – closely maintains session states Deploy anywhere: no licensing based on IP address
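Two slides make the same point from different ends: the host sensor inspects the HTTP stream for known exploit patterns such as directory traversal before the Web server sees the request, and the network sensor de-obfuscates requests before signature matching so that percent-encoding, double encoding and overlong UTF-8 cannot hide them. As an added example that is not Cisco's code, here is a minimal normalizer plus signature match in Python. The request lines and the two signatures are constructed, and the normalization steps are the generic ones, not a reproduction of either sensor's engine.

```python
import re

# Signatures are applied to the normalized path, never to the raw request.
HTTP_SIGNATURES = {
    "dir-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "cmd-exe-request": re.compile(r"/cmd\.exe$", re.IGNORECASE),
}


def percent_decode_bytes(s):
    """Turn %XX escapes into raw bytes; malformed escapes are left as literal text."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "%" and i + 3 <= len(s) and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return bytes(out)


def fold_overlong_utf8(b):
    """Map overlong two-byte sequences (lead byte C0/C1) back to the ASCII byte they
    encode, e.g. C0 AF -> '/', C0 AE -> '.'; every other byte passes through."""
    out, i = bytearray(), 0
    while i < len(b):
        if b[i] in (0xC0, 0xC1) and i + 1 < len(b) and 0x80 <= b[i + 1] <= 0xBF:
            out.append(((b[i] & 0x1F) << 6) | (b[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b[i])
            i += 1
    return bytes(out)


def normalize_path(raw_path, max_rounds=3):
    """Undo the common obfuscations before matching.

    1. Percent-decode repeatedly (bounded) so double encoding such as %252e is caught.
    2. Fold overlong UTF-8 so %c0%af is seen as '/'.
    3. Treat backslash as a path separator.
    4. Drop empty and '.' segments but keep '..' visible for the traversal signature.
    """
    path = raw_path
    for _ in range(max_rounds):
        decoded = fold_overlong_utf8(percent_decode_bytes(path)).decode("utf-8", "replace")
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    return "/" + "/".join(segments)


def inspect_request(request_line):
    """Parse 'METHOD path HTTP/x.y'; return (normalized path, signature hits)."""
    parts = request_line.split()
    if len(parts) < 2:
        return None, ["malformed-request-line"]
    norm = normalize_path(parts[1])
    return norm, [name for name, pat in HTTP_SIGNATURES.items() if pat.search(norm)]


if __name__ == "__main__":
    # Constructed request lines, not captured traffic.
    for line in ("GET /index.html HTTP/1.0",
                 "GET /docs/..%c0%af..%c0%afsecret.txt HTTP/1.0",
                 "GET /a/%252e%252e/b HTTP/1.0"):
        print(line, "->", inspect_request(line))
```

Normalize first, then match: a signature applied to the raw string misses `%252e%252e/`, and matching on the decoded path before folding `\` and `.` misses the other variants. The decode loop is bounded so a request built from many nested encodings cannot keep the inspector busy indefinitely.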

67 Pervasive Protection Breadth of Offering Breadth of Protection
Network appliance sensor Switch sensor Host sensor Firewall sensor Router sensor Breadth of Scale Remote Office to Enterprise to Service Provider Up to Gigabit speeds Breadth of Protection Signature and anomaly algorithms Known and unknown attack protection OS, Service, and application protection Breadth of Management Enterprise scale management and monitoring Web-based, embedded device management Secure command line

68 Typical IDS Architecture
Management console Real-time event display Event database Sensor configuration Sensor Packet signature analysis Generate alarms Response/ countermeasures Management Console Component Communications Cisco Secure IDS has two primary components -- the IDS Sensor and the IDS Director. The Sensor is the packet analysis engine, or the brains of the system. It monitors all packets moving across the network. When it sees signatures of known attack profiles, it generates an alarm that is transmitted to the Director console noting that there’s an attack under way or that there’s been an event that’s worthy of further review. At the same moment, the Sensor takes action to respond to the attack, either terminating the session or adding an access control list to lock out the intruder. The Director is the prime alarm display. It’s responsible for displaying alarm events in real time, configuring remotely distributed sensors and distributing attack signatures to these sensors. So, from one centralized location, you can monitor and configure sensors all over the world and funnel all the information in to a central location for complete network visibility. Also noted in this slide is the interoperability with a number of different devices -- the ability to receive syslog input from a Cisco router and send that information up to the IDS Director. This happens, typically, when there’s been a policy violation on the network, and using the Director capabilities, the event can be examined and analyzed. In addition, CS Integrated Software, which includes IDS functionality, has the ability to send intrusion detection events and alarms up to the Director console as well. NIDS Sensor Production Network Segment HIDS Sensor

69 Typical Response Actions
TCP resets IP session logging “Shunning/blocking” Configurable on a per signature basis

70 Blocking/Shunning with a Router
Attacker Deny Internet Inside Write the ACL Detect the attack Detect attack on sniffing interface Configure ACL on management interface
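The "write the ACL" step above is where most operational accidents with shunning happen: a sensor that blocks any source address it sees can be driven into blocking a DNS server or the management station by spoofed packets, and a block that never expires turns a transient alarm into a permanent outage. As an added example (not Cisco's IDS code), this Python class keeps the shun list a sensor would push to the router: it refuses protected addresses, expires entries after a TTL, and renders the current list in the IOS extended-ACL form. The ACL name, address ranges and timestamps are constructed.

```python
import ipaddress


class ShunManager:
    """Time-limited blocking list that a sensor could push to a router as ACL entries.

    Constructed example: addresses that must never be blocked (DNS, management
    station, upstream gateways) are protected, and every shun expires so a spoofed
    attack cannot lock out a legitimate address indefinitely.
    """

    def __init__(self, never_block, default_ttl=600):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.default_ttl = default_ttl
        self.active = {}  # ip string -> expiry timestamp (seconds)

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def shun(self, ip, now, ttl=None):
        """Add or extend a shun. Returns False (and does nothing) for protected addresses."""
        if self._protected(ip):
            return False
        expiry = now + (ttl or self.default_ttl)
        # Re-detection extends, never shortens, an existing shun.
        self.active[ip] = max(self.active.get(ip, 0), expiry)
        return True

    def expire(self, now):
        """Drop entries whose TTL has passed; return the addresses removed."""
        gone = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in gone:
            del self.active[ip]
        return gone

    def acl_lines(self, name="IDS_SHUN"):
        """Render the list as a named extended ACL in Cisco IOS syntax.

        The entry syntax is standard IOS; the ACL name is a constructed placeholder
        and how a given sensor applies it to the interface is not modelled here.
        """
        lines = [f"ip access-list extended {name}"]
        for ip in sorted(self.active, key=ipaddress.ip_address):
            lines.append(f" deny ip host {ip} any")
        lines.append(" permit ip any any")
        return lines


if __name__ == "__main__":
    m = ShunManager(["10.0.0.0/24"], default_ttl=60)
    m.shun("198.51.100.7", now=1000)
    print("\n".join(m.acl_lines()))
```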

71 Deployment Best Practices
Business Partner Internet Protection (NIDS) Augments FW and VPN by Monitoring Traffic for Malicious Activity Extranet Protection (NIDS) Monitors Partner Traffic Where “Trust” is Implied But Not Assured Users Corporate Office Data Center Internet Tell your customers that they should deploy IPS wherever they feel the most risk. Suggest places such as internet gateways, business partner connections, and data centers. NAS Intranet/Internal Protection (NIDS/HIDS) Protects Data Centers and Critical Systems from Internal Threats Remote Access Protection (NIDS) Hardens Perimeter Control by Monitoring Remote Users Server Farm Protection (NIDS/HIDS) Protects e-Business Servers from Attack and Compromise e-Business Servers

72 Sensors on Outside or Inside?
DMZ Inside Attacker Internet Sensor on Outside Sees everything including traffic blocked by firewall Can’t tell what is denied or permitted by firewall Tools like Stick can generate lots of “noise” Monitors both DMZ and inside traffic Sensors on Inside Sees only traffic permitted by the firewall You know you need to respond Need sensor on each internal leg off firewall Allows traffic entering a compromised machine on a particular port (e.g. TCP/25, SMTP) to be redirected to a different machine on a different port (e.g. TCP/23, Telnet). Allows an attacker to exploit trust relationships to circumvent the firewall for all hosts once he controls one host. Rootkit-based install allows the redirection process, files, and connections to be hidden. 1. Need a compromised system from which I can gain access to another system 2. Host A is compromised and is attacking host B. C Can be fixed by a proper trust model implemented by the firewall. Tool is Netcap.com

73 Identity: Access Control Solutions

74 Identity—Authentication, Authorization, and Accounting (AAA)
Tool for controlling network and system access Authentication Verifies identity— who are you? Authorization Configures integrity— what are you permitted to do? Accounting Assists with audit— what did you do? Cisco believes that AAA is an effective tool for deploying and maintaining a valid security policy. At Cisco, we define Identity as the accurate and positive verification of our users and devices within the network. We think about identity as not just who you are when you log in, but also in terms of the traditional AAA services: authentication, authorization on the network and auditing to keep track of where you go in the network. At a high level, the goal is unified user control in the network: being able to recognize users and the time and location from which they’re coming to the network. In addition, we want to be able to verify identities using digital mechanisms. We want to be able to maintain authorization through policy on a per-user basis, enterprise wide. Lastly, we want to keep a record of the behaviors and actions of users -- what they’re doing in the network, where they’re going in the network, what configurations and changes they’re making. In summary: Authentication is to provide exact end user verification. I need to know exactly who this person is, and how they prove it to me. Authorization is the second step. Now that I know who you are, what can you do? I need to assign IP addresses, provide routes, block access to certain resources. All the things I can do to a local user, I should be able to control with a remote user. Accounting is the last step. I need to create an accurate record of the transactions of this user. How long were they connected? How much data did they FTP? What was the cause of their disconnection? This allows me to not only bill my customers accurately, but understand my user base.

75 Identity/Authentication
Unified control of user identity for the Enterprise 3000 VPN Concentrators, Cisco IOS Routers, PIX Firewalls Cisco Secure ACS OTP Server Hard & Soft Tokens Internet VPN Clients Firewall Router Remote Offices Certificate Authority The most scalable method of authenticating IPsec is to use certificates. The Simple Certificate Enrollment Protocol (SCEP) enrolls public keys with a Certificate Authority (CA). The CA creates a certificate using the X.509 standard that verifies the identity of participants in encryption. The CA then signs the digital certificate containing the device’s public key. A certificate is equivalent to an ID card, and peers use certificates for authentication. Using certificates involves RSA digital signatures; Rivest, Shamir and Adleman (RSA) signatures are a public-key cryptographic system used for authentication. IKE on the Cisco router or PIX Firewall uses a Diffie-Hellman (DH) exchange to determine the secret keys on each IPsec peer used by the encryption algorithms. The DH exchange can be authenticated with RSA signatures or pre-shared keys. RSA can also be used for public key encryption within the IKE protocol, but the way that IKE actually establishes a shared secret between two distinct parties is by using a DH public key exchange. DH is a public-key cryptography protocol. It allows two parties to establish a shared secret key used by encryption algorithms (DES, MD5 for example) over an insecure communications channel. DH is used within IKE to establish session keys. 768-bit and 1024-bit DH groups are supported in the Cisco routers and PIX Firewall. The 1024-bit group is more secure. Many protocols require authentication verification before providing authorization and access rights to the user or device. TACACS+ and RADIUS are examples of such protocols often used in dial-in environments. SCEP was once known as the Cisco Enrollment Protocol.
Authentication Methods: Passwords One Time Passwords RADIUS TACACS Identity/Authentication Public Key Infrastructure Digital Certificates (x.509) Certificate Authorities SCEP Public Key Exchange RSA DH
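To make the sentence about authenticating the Diffie-Hellman exchange concrete, here is an added Python example (not from the presentation and not Cisco IOS code) that runs DH over the 1024-bit group the slide refers to (RFC 2409 Oakley group 2, generator 2) and then authenticates the exchange with a pre-shared key by HMAC over both public values. The `Peer` class, the HMAC construction and the `run_exchange` helper are constructed for this illustration and are far simpler than IKE; the group prime is sanity-checked at run time with a Miller-Rabin test.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2: 1024-bit MODP prime, generator 2 (the slide's
# "1024-bit DH group").  Checked with is_probable_prime() below.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
KEY_BYTES = 128  # 1024 bits


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; used only to sanity-check the group prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Peer:
    """One peer: unauthenticated DH, then proof of the pre-shared key over what it saw.
    Constructed model; IKE's real payloads and hashing are not reproduced."""

    def __init__(self, psk):
        self.psk = psk
        self.priv = secrets.randbelow(GROUP2_P - 2) + 1           # 1 .. p-2
        self.pub = pow(GROUP2_G, self.priv, GROUP2_P)
        self.peer_pub = None

    def receive(self, peer_pub):
        self.peer_pub = peer_pub
        shared = pow(peer_pub, self.priv, GROUP2_P)
        self.session_key = hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()

    def authenticator(self):
        # HMAC(PSK, my_pub || peer_pub): a relay that substituted either value cannot
        # produce this without the key, and the peer's check below would reject it.
        data = self.pub.to_bytes(KEY_BYTES, "big") + self.peer_pub.to_bytes(KEY_BYTES, "big")
        return hmac.new(self.psk, data, hashlib.sha256).digest()

    def verify(self, peer_auth):
        data = self.peer_pub.to_bytes(KEY_BYTES, "big") + self.pub.to_bytes(KEY_BYTES, "big")
        expected = hmac.new(self.psk, data, hashlib.sha256).digest()
        return hmac.compare_digest(peer_auth, expected)


def run_exchange(psk_a, psk_b, substitute=None):
    """DH + PSK authentication between peers A and B.

    `substitute`, if given, replaces the public value B receives from A (a relayed
    or forged value) so the failure mode is visible.
    Returns (session keys match, A verified B, B verified A).
    """
    a, b = Peer(psk_a), Peer(psk_b)
    b.receive(substitute if substitute is not None else a.pub)
    a.receive(b.pub)
    return (a.session_key == b.session_key, a.verify(b.authenticator()), b.verify(a.authenticator()))


if __name__ == "__main__":
    print(run_exchange(b"constructed-psk", b"constructed-psk"))
```

With equal keys the peers agree on a session key and both verifications succeed. With mismatched keys they still agree on a session key, which is exactly why DH alone is not authentication: nothing in the exchange tells either side who it shared the key with. Substituting the value B receives (the man-in-the-middle case the slide's RSA-signature or pre-shared-key authentication exists to stop) breaks both the key agreement and the authenticators.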

76 ACS + Aironet Wireless: EAP-based Login
0. Laptop Power-On; client uses to associate with nearest AP 1. Wireless client initiates 802.1x user login to AP with EAPOL-Start packet Win32, ODBC, LDAP(v3.0) External Datastore Windows Domain 3. AP initiates RADIUS-Access- Request with RADIUS Server Cisco Secure ACS 4. RADIUS server sends login challenge Wireless AP 5. Client logs in with username/pwd; AP sends challenge response, server challenge to RADIUS RADIUS 6.a RADIUS server looks up user record either kept locally or via NT/AD domains, ODBC datastores 6.b RADIUS server uses credentials to generate dynamic, unique session key; Sends response to client via AP, including session key Corp Network Wireless Desktops 7. LEAP client authenticates server by comparing session key derived locally with keys returned from AP; Only valid RADIUS server with access to same user credentials will match x access allowed. Secure connectivity with mutual, client & server authentication, dynamic session key distribution, & protections against man-in-the-middle attacks

77 Management: Security and VPN Management Solutions

78 What is VPN/Security Mgmt Solution(VMS)?
Integral part of SAFE blueprint Flagship solution for VPN & Security Management One stop for configuring, monitoring, and troubleshooting: VPN Firewall Network-based IDS Host-based IDS For Detailed Information:

79 New in CW VMS 2.1 VPN/Security Management Solution Management Center
PIX Firewalls VPN Routers VPN 3000 Concentrators IDS Sensors Monitoring Center Security Monitor This shows how the MCs look within the CiscoWorks dashboard. The MCs can be run standalone or on an integrated basis.

80 Management Center for PIX Firewalls
Supports all PIX platforms Scalable Auto Update technology Group based settings Device hierarchy and grouping Advanced mandatory and defaults feature Superior inheritance model Work-Flow for sec ops and net ops PIX MC supports the look and feel of the Cisco PDM. PIX MC is designed to support the scalability of thousands of firewalls. Device groups are integral to the PIX MC. Device groups allow admin privileges per group of firewalls. Device groups also allow common rules or rule inheritance. Rule inheritance greatly simplifies the configuration of large security networks. Auto Update technology is a new market-leading feature that is introduced in PIX v6.2. Auto Update allows remote firewalls to dynamically register an IP address and periodically poll the management station for config and OS updates. PIX MC features a web GUI and can share a common server and desktop launch point with other Cisco security applications.

81 Monitoring Center for Security Security Monitor
Unified viewing of events for: Cisco IDS PIX syslog, IOS syslog IDS Host Sensor User defined rules for event correlation Flexible notification options On-demand and scheduled reports Flexible reporting by top incidents, by IP address, by time, by signature, by event, etc. This is the second application included in the product. Most organizations are suffering from information overload, resulting from: · Too many security consoles · Too many security events to read · Difficult to see the big picture The function of the Monitoring Center is to address some of these issues and to provide a unified application to capture, store, view, correlate and report on events from: 1. Cisco IDS appliances 2. Cisco IDS blades 3. IDS Host Sensor 4. PIX syslog 5. IOS IDS syslog Main features of the product are: 1. Based on the award-winning viewer from CSPM but with a web interface. Easily slice and dice data by moving columns. Comments from the press include: “The CSPM event viewer is simple by design, powerful...able to sort and sift through thousands of events in seconds...also able to do some interesting visual coordination...we could easily pinpoint attackers that were hitting both networks” Network Computing Annual IDS Review - August 2001 “CSPM supports the best event management along with a highly intuitive, logically designed interface that was a breeze to use.” Network World Fusion, October 2001 2. Perform event correlation Create user-defined rules for establishing relationships between events (correlate by type of event, by time, across sensors, across source addresses, etc). This helps to identify attacks which may not be apparent from a single event. The user can define thresholds and time periods when a rule should be triggered. If a rule is triggered, the user has flexible notification options to send an e-mail or automatically execute a script. 3. 
Reporting · Web based wizard for creating flexible reports · On-demand and scheduled reports · Reports by top incidents, by IP address, by time, by signature, by event, etc. · Send reports by e-mail

82 Security Systems Integration

83 Enabling Flexible and Adaptive Deployments

84 Port Security (MAC Lock Down)
MAC “A” Facility to lock down a specific device by its MAC address Should a device with the wrong MAC connect to the switch, the port will be disabled MAC “B”

85 Port Security Options Port Security Actions on a 2950G Port f0/4
Port Security Actions on a 2950G, port f0/4: (1) port shuts down immediately; (2) security violation trap is sent but port stays active; (3) after the port reaches its MAC limit, unknown packets are dropped. Port Security Actions on a 4000/6500 (CatOS), port 5/1: (1) port shuts down permanently (default); (2) drops packets from the insecure host; (3) port shuts down for a defined period of time.
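As an added example that is not switch firmware, this Python model implements the three violation actions listed above for one port: MACs are learned up to the configured limit, and a frame from any other MAC either shuts the port (permanently or for a configured time), is dropped with a trap raised, or is dropped silently. Port names, MAC addresses and the timing values are constructed.

```python
from enum import Enum


class Violation(Enum):
    SHUTDOWN = "shutdown"   # disable the port (2950: immediately; CatOS default: permanently)
    RESTRICT = "restrict"   # drop the frame and send a trap; port stays active
    PROTECT = "protect"     # silently drop unknown MACs once the limit is reached


class SecurePort:
    """Per-port MAC lock-down with the three violation actions from the slide.
    Constructed model, not switch code."""

    def __init__(self, name, max_macs=1, mode=Violation.SHUTDOWN,
                 allowed=None, shutdown_seconds=None):
        self.name = name
        self.max_macs = max_macs
        self.mode = mode
        self.allowed = {m.lower() for m in (allowed or [])}  # statically configured MACs
        self.learned = set()                                 # dynamically learned MACs
        self.enabled = True
        self.shutdown_seconds = shutdown_seconds             # None = stay down until re-enabled
        self.disabled_until = None
        self.traps = []                                      # (port, offending MAC) records

    def _secure_macs(self):
        return self.allowed | self.learned

    def ingress(self, src_mac, now=0):
        """Process one frame; return True if forwarded, False if dropped."""
        mac = src_mac.lower()
        if not self.enabled:
            if self.disabled_until is not None and now >= self.disabled_until:
                self.enabled = True          # timed shutdown has elapsed (CatOS option 3)
                self.disabled_until = None
            else:
                return False                 # port is down for every MAC, good or bad
        if mac in self._secure_macs():
            return True
        if len(self._secure_macs()) < self.max_macs:
            self.learned.add(mac)            # learn until the limit is reached
            return True
        return self._violate(mac, now)

    def _violate(self, mac, now):
        if self.mode is Violation.PROTECT:
            return False                     # drop quietly, no notification
        self.traps.append((self.name, mac))  # SNMP trap / syslog on a real switch
        if self.mode is Violation.SHUTDOWN:
            self.enabled = False
            if self.shutdown_seconds is not None:
                self.disabled_until = now + self.shutdown_seconds
        return False


if __name__ == "__main__":
    p = SecurePort("f0/4")
    print(p.ingress("00:11:22:33:44:55"), p.ingress("aa:bb:cc:dd:ee:ff"), p.enabled)
```

Note the trade-off in `shutdown` mode: once violated, the port stays down for the legitimate MAC as well, so a single spoofed frame can take a workstation offline. That is the reason the CatOS list includes a timed shutdown, and why an operator should watch the trap stream rather than rely on users to report dead ports.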

86 IP Permit Lists Prevents Unauthorized Telnet and SNMP access to switch
Does not AFFECT outbound Telnet, Ping, Traceroute or FTP, Telnet IP address “A” Permit IP ADDR “A” Deny IP ADDR “B” Telnet IP address “B”

87 Private VLANs X Community VLAN A Community VLAN B Isolated VLAN C Promiscuous Port …Private VLANs allow the creation of “sub-VLANs” within a primary VLAN. These “sub-VLANs”, known as community VLANs and isolated VLANs, restrict the movement of traffic while allowing the use of the same subnet address space. Communication outside of the “sub-VLAN” can only take place via the promiscuous port…
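The forwarding rule the slide states in words, as an added Python model (constructed, not switch code): promiscuous ports reach every port in the primary VLAN, community ports reach their own community plus the promiscuous ports, and isolated ports reach only the promiscuous ports. Port names and community labels are constructed.

```python
from enum import Enum


class PortType(Enum):
    PROMISCUOUS = "promiscuous"   # gateway/firewall port: talks to everyone
    COMMUNITY = "community"       # talks within its community and to promiscuous ports
    ISOLATED = "isolated"         # talks only to promiscuous ports


class PrivateVlan:
    """Layer 2 forwarding decision inside one primary VLAN, per the slide's rules.
    Constructed model, not switch code."""

    def __init__(self):
        self.ports = {}  # port name -> (PortType, community label or None)

    def add_port(self, name, ptype, community=None):
        if ptype is PortType.COMMUNITY and community is None:
            raise ValueError("community ports need a community label")
        self.ports[name] = (ptype, community if ptype is PortType.COMMUNITY else None)

    def can_forward(self, src, dst):
        """True if a frame entering on `src` may be delivered out of `dst`."""
        if src == dst:
            return False
        s_type, s_comm = self.ports[src]
        d_type, d_comm = self.ports[dst]
        # A promiscuous port on either end always forwards.
        if PortType.PROMISCUOUS in (s_type, d_type):
            return True
        # Two community ports talk only inside the same community.
        if s_type is PortType.COMMUNITY and d_type is PortType.COMMUNITY:
            return s_comm == d_comm
        # Everything else involves an isolated port on a non-promiscuous path: blocked.
        return False

    def reachable_from(self, src):
        """All ports a frame from `src` can reach, even though all share one subnet."""
        return sorted(d for d in self.ports if self.can_forward(src, d))


if __name__ == "__main__":
    pv = PrivateVlan()
    pv.add_port("uplink", PortType.PROMISCUOUS)
    pv.add_port("a1", PortType.COMMUNITY, "A")
    pv.add_port("i1", PortType.ISOLATED)
    print(pv.reachable_from("a1"), pv.reachable_from("i1"))
```

The security value is in the last rule: two hosts on the same subnet that have no business talking to each other (two isolated ports, or two different communities) cannot, even though ARP would otherwise let them, so a compromised host cannot use the shared subnet to reach its neighbours directly and must go through the firewall on the promiscuous port.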

88 DHCP Interface Tracker (Option 82)
Tracks where a user is physically connected on a network by providing both switch and port ID to a DHCP Server.
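As an added example (constructed, not from the presentation), a Python parser for the DHCP relay agent information option (option 82) that pulls out the circuit-id and remote-id sub-options and decodes them into switch MAC, VLAN, module and port, which is what lets the DHCP server record where a client is physically plugged in. The sample option bytes are constructed. The layout assumed for the Cisco circuit-id (`00 04 <vlan:2> <module:1> <port:1>`) and remote-id (`00 06 <switch MAC:6>`) is the default encoding as I understand it and is an assumption to check against your switch's documentation; anything that does not match that shape is returned raw.

```python
import struct

OPTION_RELAY_AGENT_INFO = 82   # RFC 3046
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPTION_END, OPTION_PAD = 255, 0


def parse_options(options):
    """Walk the DHCP options area (bytes after the magic cookie) into {code: value}.
    Stops at END (255); skips PAD (0); a truncated option is cut off, not extended."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def parse_suboptions(data):
    """Option 82 carries its own (code, length, value) list of sub-options."""
    out, i = {}, 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def decode_cisco_circuit_id(cid):
    """Assumed default Cisco form: 00 04 vlan(2) module(1) port(1)."""
    if len(cid) == 6 and cid[0] == 0 and cid[1] == 4:
        vlan, module, port = struct.unpack("!HBB", cid[2:])
        return {"vlan": vlan, "module": module, "port": port}
    return {"raw_circuit_id": cid.hex()}


def decode_cisco_remote_id(rid):
    """Assumed default Cisco form: 00 06 <switch base MAC>."""
    if len(rid) == 8 and rid[0] == 0 and rid[1] == 6:
        return ":".join(f"{b:02x}" for b in rid[2:])
    return rid.hex()


def locate_client(options):
    """Return the switch/VLAN/module/port a relay stamped on the request, or None."""
    opts = parse_options(options)
    if OPTION_RELAY_AGENT_INFO not in opts:
        return None
    subs = parse_suboptions(opts[OPTION_RELAY_AGENT_INFO])
    circuit = decode_cisco_circuit_id(subs.get(SUBOPT_CIRCUIT_ID, b""))
    remote = decode_cisco_remote_id(subs.get(SUBOPT_REMOTE_ID, b""))
    return {"switch": remote, **circuit}


# Constructed sample options blob (not captured traffic): message type DISCOVER (53),
# then option 82 with circuit-id VLAN 10 / module 0 / port 4 and remote-id
# switch MAC 00:0a:0b:0c:0d:0e.
SAMPLE_OPTIONS = bytes([
    53, 1, 1,
    82, 18,
    1, 6, 0x00, 0x04, 0x00, 0x0A, 0x00, 0x04,
    2, 8, 0x00, 0x06, 0x00, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
    255,
])

if __name__ == "__main__":
    print(locate_client(SAMPLE_OPTIONS))
```

The caveat a practitioner wants: option 82 locates a client only if the switch inserts it and untrusted ports discard any option 82 a client sends itself; otherwise a host can claim any port it likes. That trust boundary is enforced on the switch (DHCP snooping and trusted ports), not in the parser.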

89 IEEE 802.1x (Network Authentication)
… Means to authenticate every network user accessing the switch. Authentication must be performed prior to allowing any flow of traffic from the host to be forwarded by the switch …

90 IEEE 802.1x Supported Clients …
OFFICIALLY (By Microsoft) UN-OFFICIALLY (MeetingHouse Inc.) … There are a number of 802.1x supplicant clients that are available for a number of platforms other than Microsoft Windows XP … Meeting House Data Communications

91 VLAN Access Control Lists (VACL)
… Similar in operation to a RACL but controls movement of traffic within a VLAN. This adds the capability of permitting or denying traffic sourced and destined within the SAME subnet …

92 Hardware Security Services Modules

93 Advancing Integrated Network Security Services with the Catalyst 6500
NEW Advancing Integrated Network Security Services with the Catalyst 6500 PIX Firewall VPN3000 & IOS VPN Integrating security into the network infrastructure Enabling high performance, scalable, highly available network security services and connectivity Supporting flexible and adaptive network security deployments Delivering secure AVVID & Integrated Datacenter services Leveraging Best-of-Breed Security with Industry Leading Switching/Routing Technologies Cisco IDS

94 Announcing New Security Service Modules for the Catalyst 6500 Series
Convergence (AVVID) Voice, Video & Data over IP Intrusion Detection PSTN 10 GbE Switching Network Analysis Integrated Multi-Gbps VPN Integrated 5Gbps Firewall WAN / MAN Secure Converged Services Platform T1 to Oc48c SONET Channelized & CWDM Integrated Gbps Network Analysis & Monitoring Fast / Gigabit Ethernet Uplinks Integrated Secure Content (SSL) Acceleration WAN / MAN L4-7 Multi-Gigabit Content Switching WDM / IP + Optical / IP/FC

95 Integrated Security Benefits
Integration with the Switch/Router and its features: no need to build another layer on top of your infrastructure for security; network security is part of the infrastructure.
Integration among all services blades to enable new network security applications:
Secured Campus (VPN + FW + IDS)
Secured Edge (VPN + FW + IDS)
Secured Content (SSL + CSM)
SP Edge Customer Services (VPN + FW)
Data Center Security (FW + VPN)
Web Hosting & eCommerce (SSL)
Network Monitoring (NAM)

96 Introducing Multi-Gigabit Firewall Module for Catalyst 6500 Series
NEW. High Performance, Network Processor Based Firewall Module for Increased Perimeter, Extranet, Campus & Datacenter Security. Scales beyond the Cisco PIX Family of Security Appliances.
3 Mpps Packet Processing Performance (PPS) per Module
100,000 New Connections per Second (CPS) per Module
1,000,000 Concurrent Sessions per Second (CSPS) per Module
5 Gbps Throughput per Module
Per-VLAN Security Policy
Active / Standby Failover for Mission-Critical Environments
Integrated Layer 3 Routing
Up to 4 Modules supported per Catalyst 6500 System at FCS: 12 Mpps, 400K CPS, 4M CSPS, 20 Gbps Throughput
Deployed Standalone as a Catalyst 6500 Scalable Security System
Orderable September, 2002

97 Hardware Architecture
Diagram: firewall module architecture. Labelled blocks: Fixups (SIP, Skinny, SQL*Net, RTSP, NetBIOS, RPC); Session Management (ACL Table, AAA Table, Routing Table, NAT Table); Session Lookup; NAT and TCP Fixup; Crossbar Fabric; Catalyst Bus.

98 Introducing Gigabit IPsec VPN Module for Catalyst 6500 Series
Shipping. High-Speed, Infrastructure Integrated VPN Service secures connectivity within Campus, Site-to-Site and Datacenter environments.
1.9 Gbps 3DES Throughput per Module
Up to 8000 Concurrent Tunnels per Module
60 Tunnels per Second per Module
Failover Capability
Support for Converged Services Across VPN (Voice, Video, Data)
Benefits include scalability of VPN services with the network, adaptability to different security requirements, improved utilization of network infrastructure, and leverage of public IP infrastructure for reduced operational costs and TCO.
Orderable Now!

99 Catalyst 6500 IPsec VPN Applications
Diagram labels: Campus VPN; WAN Edge VPN; Campus 1; Campus 2.
Enterprise deployment and description:
Campus: Secure LAN traffic between switches, floors, buildings and specific sensitive network applications such as iSCSI
WAN Edge: Provide VPN termination services on the WAN aggregator router
Link-Layer Encryption Replacement: Replace old ATM and other link-layer encryption with a modern IPsec Layer 3 VPN solution
Extranet: Enables partner networks to securely connect and transfer large amounts of data

100 Introducing High Performance SSL Service Module for Catalyst 6500 Series
NEW. High Performance SSL Acceleration for Efficient Content Distribution & Switching of Secure Web Traffic.
4000 New Connections Per Second per Module
60,000 Concurrent Connections per Second per Module
400 Mbps Bulk Encryption Capability per Module
Centralized Key & Certificate Storage & Management
Multi-Module Support
Active / Standby Failover for Mission-Critical Environments
Deploy in the Internet & Corporate Datacenter environments
Increases Data Center Resource Utilization
Improves Efficiency of Content Delivery to Web & Application Servers
Improves Utilization of Web & Application Servers to Realize Higher Performance
Reduces Capital Expenditure
Increases Customer Satisfaction & Revenue Dollars
Orderable September, 2002

101 Network Topology with SSL blade
Diagram: clients send encrypted traffic to a virtual server on the SSL Services Module and SLB engine in the Catalyst 6500, which forwards cleartext traffic to the real servers.

102 Introducing Gigabit Network Analysis Module for Catalyst 6500 Series
NEW. 2nd Generation Gigabit Network Analysis Module for full traffic monitoring & troubleshooting of Networks.
Standards Based Monitoring (RMON2 & Extensions)
Embedded Web Based Traffic Analysis
Integration with CiscoWorks
Visibility into Traffic Anomalies for Proactive Network Security:
Identifying and tracking Anomalous Protocol Usage & Traffic Flows
Detecting Misbehaving Hosts, Devices & Applications
Examining Application traffic in real time to track deviations from security policies
Application-Level visibility integrated into the network enables troubleshooting of Network Based Services such as VoIP and QoS
NAM-2 Available in September, 2002

103 Introducing Gigabit IDS Module for Catalyst 6500 Series
Q4 CY02. Fabric Enabled.
Switch-integrated, 1 Gbps performance intrusion protection module delivering a high-value security service in the core and distribution network fabric device
Designed specifically to address switched environments by integrating the IDS functionality directly into the switch and taking traffic directly from the switch backplane
No impact on switch performance
Full-featured network attack protection, extensive signature coverage, supports 1000 new flows per second, simultaneous monitoring of multiple VLANs
Availability: Late Q4 CY2002

104 Data Capture
Targets traffic on the back-plane using VACL capture
Handles 802.1q and “trunk” traffic
Monitors multiple VLANs
Filters traffic based on extended ACL syntax with the “capture” bit
Supports multiple blades per chassis
Does not require SPAN sessions
Switch Module Scenario: module(s) receive a copy of the packet from the switch back-plane
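One VLAN access map that serves both slide 91 (permitting or denying traffic within the same subnet) and this slide (the “capture” bit that hands a copy to the IDS module without a SPAN session). This is an added Cisco IOS example, not part of the presentation; the VLAN, addresses, ACL names and interface are assumptions, and it uses the older `switchport capture` form of the capture-port syntax.

```ios
! Added example (not from the presentation): one VLAN access map that both
! enforces an intra-VLAN policy (slide 91) and copies chosen traffic to the
! IDS module (slide 104). VLAN, address, ACL and interface values are
! assumptions; the capture-port syntax is the older 'switchport capture' form.
!
! Classifier 1: database sessions from the VLAN's hosts to the DB server.
ip access-list extended DB-ALLOWED
 permit tcp 10.20.0.0 0.0.0.255 host 10.20.0.50 eq 1433
 permit tcp 10.20.0.0 0.0.0.255 host 10.20.0.50 eq 1521
! Classifier 2: every other TCP conversation between hosts in the VLAN.
ip access-list extended ANY-TCP
 permit tcp any any
!
! Clauses are tried in sequence order; the first match decides, and a frame
! matching no clause is dropped.
! 10: allowed DB traffic is forwarded AND a copy is sent to the capture port.
vlan access-map VLAN200-POLICY 10
 match ip address DB-ALLOWED
 action forward capture
! 20: other TCP inside the same subnet is dropped on the switch itself,
!     which a router ACL on the SVI could never see.
vlan access-map VLAN200-POLICY 20
 match ip address ANY-TCP
 action drop
! 30: no match clause, so everything else (ICMP, DHCP, ...) is forwarded.
vlan access-map VLAN200-POLICY 30
 action forward
!
! Apply to the VLAN; frames are checked as they enter the VLAN, no SPAN needed.
vlan filter VLAN200-POLICY vlan-list 200
!
! The IDS module's data port receives the 'capture'-marked copies.
interface GigabitEthernet5/7
 switchport capture
 switchport capture allowed vlan 200
!
! Verification:
! show vlan access-map VLAN200-POLICY
! show vlan filter
```

Only frames that reach a `capture` clause are copied, so the dropped TCP in clause 20 never reaches the IDS; add `capture` to that clause too if blocked attempts should be visible to the sensor.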

105 Integrated Datacenter Services with Catalyst 6500 Security & L4-7 Services
Supervisor Engine 2 / MSFC 2: Full Layer 3 Internet Routing; Richest Suite of L2 Functionality; High Performance Forwarding; Intelligent Network Layer Services
Firewall Service Module for Protecting Datacenter Access
Content Switching Module for High bandwidth Load Balancing
SSL Service Module for improving secure content switching performance and server utilization
NAM Service for monitoring network traffic
Diagram labels: Firewall Module; SSL Module; NAM; CSM.

106 Catalyst 6500 Series Integrating Comprehensive Network Security
Firewall System: Full Internet Routing (BGP, MPLS), Intelligent Switching, Integrated Firewall; 3 Slot Chassis with Firewall and Available Slot
VPN System: Full Routing, Full Switching, Integrated VPN, Integrated IDS; 3 Slot Chassis with VPN and Available Slot
Datacenter System: Full Routing, Full Switching, Integrated Services (SSL, CSM, Firewall); Dense Chassis w/ LAN Connectivity

107 Deployment Scenarios

108 Securing Vendor/Partner Extranets with Catalyst 6500 Firewall Service
Diagram: partner networks (Bloomberg, ILX, NASDAQ, Bear Stearns, Visa) connecting to the Campus Core.
A Vendor/Partner Extranet currently takes eight active networking devices under the Enterprise’s Management.

109 Securing Vendor/Partner Extranets with Catalyst 6500 Security Solutions
Multiple active devices can be consolidated into a high-performance, highly integrated Catalyst 6500 system with high availability and integrated security services.
Diagram: partner networks (Bloomberg, ILX, NASDAQ, Bear Stearns, Visa) connecting to the Campus Core. Data flow: Vendor Router, L2 Switch Interface, Firewall, Intrusion Detection, L3 Routed Interface, Core Interconnect, Core.

110 Traditional Enterprise Datacenter Solution
Core Routers: WAN Interfaces, Full BGP Routing
Catalyst 6500 Switches: High availability, Density of Interfaces, High Performance Forwarding
CSS Server Load Balancers: L4-7 HTTP Inspection
PIX Firewall: Secure the Mission Critical Backend Services
Speaker notes: The cross connect scenario delivers additional resiliency; however, it only works in an L3 Router/L3 Switch configuration. The web servers, in a dual-homed environment, will use a primary/failover NIC scenario. This way a 50% web server outage from a single switch failure is prevented. The second series of switches can either be physically disparate, or can be a VLAN, creating a logical separation. Backend databases might be GE. Route redistribution enables faster convergence by not having to always propagate 75,000 routes around.

111 Secure Integrated Enterprise Datacenter Solution
Diagram: data flow from the Campus Core through a Routed Interface, Firewall, CSM and SSL to the Servers and Backend Servers, and on to the Core.

112 Securing Integrated Internet Datacenter Services With Catalyst 6500 Series
Diagram labels: High Performance Content Switching; Content Transformation; Content Caching; Content Services Management; Content Site Security; Internet; Intranet; Extranet; Enterprise Office; Branch Router; VPN Router; Cisco Content Engine; Content Transformation Engine (CTE); Content Distribution Manager; Hosting Solutions Engine (HSE); Catalyst 6500 Datacenter Services Switch; WEB Servers; APP Servers; DB Servers.
Content Caching: Reverse Proxy Caching; Static content request redirection
Content Services Management: Virtualization of L4-7 Content Services; L4-L7 Content Services Activation; L2-L7 Fault & Performance Monitoring; Role & Domain based Access; Customized Views/Reports
High Performance Content Switching: High-performance, High-availability, Integrated Load Balancing of Firewalls, Web Servers, Caches, VPN and other network devices; User, content and transaction prioritization; Site overload protection
Content Site Security: High Performance, Integrated Firewall Provides Secure Access to Datacenter Resources and Protects from DoS Attacks; High Performance Integrated SSL traffic accelerator ensures efficient switching of secure HTTP content
Content Transformation (CTE): Transform to requesting device format “on the fly”; Content formatting rules for ready roll-out
Speaker notes: Here, we are examining the data center -- and the application of Cisco Content Networking solutions within an organization’s core e-business site. We have systems and services that provide support for:
Content Switching -- Advanced traffic management for servers and applications within the data center. Here, Cisco content switches such as the Cisco CSS and Series and the CSM for Catalyst 6500 provide such critical services as local and global server load balancing; request direction via URLs, cookies, and HTTP header information; e-transaction assurance; automated session recovery; and special request handling. All of these services are aimed at providing for the best possible user experience, while optimizing the resources required to provide for this best experience.
Content Acceleration -- Reverse proxy caching within the data center. Here, Cisco Content Engines work in conjunction with the Cisco content switches to provide caching services from a central content-serving site. This can save valuable origin server resources as users request static content -- content that can be more cost-effectively downloaded from a cache rather than an origin server. Cisco content switches are able to automate the caching of this static content and redirect static content requests to the best cache rather than a server.
Content Transformation -- Automated on-demand content transformation, often used to service requests from mobile devices. Here, the Cisco content switch would transparently route mobile requests to the Content Transformation Engine (CTE). The CTE would then fetch the requested content and properly format the content before sending it back to the user. This is all handled within the network -- no changes need to be made to the servers, the application, or the content itself, and no special servers or content need to be maintained for these special requests. The content-aware network determines that the content needs reformatting, does the reformatting, and finally delivers the right content to the user.
Content Site Security -- Maintaining site and transaction integrity is a critical success factor for online services. Cisco content networking products provide enhanced security for online sites, ranging from Denial of Service protection to firewall load balancing to SSL acceleration for individual secured transactions.
Content Services Management -- Sophisticated, yet straightforward e-business infrastructure management. Each of the Cisco Content Networking systems applied to the data center offers strong element management capabilities. This allows the implementation of distinct content services without adding undue complexity to data center support. In addition, Cisco’s Hosting Solution Engine (HSE) provides monitoring support for the entire network -- both for core and content networking devices. It is also able to present its management information in customized views for administrators wanting different perspectives on website conditions. Here, the network manager, server administrator, and content czar can be provided their own unique view into data center and website operations.

113 Catalyst 6500 Network Analysis Applications
Diagram: NAM modules placed in the Core, Data Center and Access layers, answering questions such as: Unusual traffic patterns? Who’s using the bandwidth? Which applications are misbehaving? Who is using them? Issues with critical clients or IP phones?

114 Conclusion

115 Why Cisco for Security?
No one knows your network or the Internet better
Compatibility with the installed Cisco base (80% of the Internet)
$$ savings from a single-vendor solution
Excellent quality, standards-based development, and certified products
Key partnerships and industry leadership
Market-leading solutions, services, and support
Speaker notes: Cisco is the right choice to provide your security and management tools. Not only are the products world class, but compatibility, single-vendor savings and one-point support benefits make Cisco the right choice. Security has evolved over the last two years from a niche market to a big company market. Small niche players can no longer devote the resources needed to be successful, and corporations can no longer trust security to a company that may not be in existence a year from now.

116 Cisco Security Solutions Summary
Catalyst 6500 High Performance, Switch Integrated Security Solutions: Firewall, SSL, NAM, VPN, IDS
Integrated Security Solutions, Site-2-Site VPN/FW Routers: 800, 1700, 2600, 3600, 3700, 7xxx
PIX Firewall/VPN Appliances: 501, 506E, 515E, 525, 535
Secure Content Service Switching Systems: CSS 11500 Series, CSS 11000, Secure Content Accelerator
Intrusion Detection Systems:
Catalyst 6500 Sensors: Catalyst 6500 IDSM-1 (120 Mbps)
Host Sensors: Standard Sensor, Web Sensor
Network Sensors: 4210 (45 Mbps), 4235 (200 Mbps), 4250 (500 Mbps)
Router Sensors: 800, 1700, 2600, 3xxx, 7xxx
PIX Firewall Sensors: 501, 506E, 515E, 525, 535
Remote Access VPN: VPN 3002, VPN 3005, VPN 3015, VPN 3030, VPN 3060, VPN 3080

117 More Information www.cisco.com/go/security www.cisco.com/go/safe

118 VPN_RemoteAccess © 2001, Cisco Systems, Inc.

