Security Update
Partner Update - 26.03.2007
Reijo Mäkipää, Cisco Systems Finland
Partner Update 260307 / R.Makipaa © 2007 Cisco Systems, Inc. All rights reserved

Cisco Self-Defending Network
A systems approach leveraging the Network
[Figure: three layers of the Self-Defending Network]
• Advanced Technologies and Services: Automated Threat Response, Virtualized Security Services, Behavioral-Based Protection, Endpoint Posture Control, Dynamic DDoS Mitigation, Application-Layer Inspection
• Security Point Products: IPSec and SSL VPN, IPS, Firewall, Access Control, Network Antivirus
• Integrated, Collaborative, Adaptive IP Network
– Integrate Advanced Security Services Where Needed
– Leverage Existing Investment

Self-Defending Network Defined
• Security as an integral, fundamental network capability
• Embedded security leverages network investment
• Efficient security management, control, and response
• Technologies and security services to
– Mitigate the effects of outbreaks
– Protect critical assets
– Ensure privacy
[Figure: Secure Network Platform supporting Threat Control, Confidential Communications, Secure Transactions and Operational Control]

The New Reality of Security
• Information Security
• Physical Security
• People
• Regulations
NETWORK IS THE PLATFORM

Cisco and Assa Abloy - solution
[Figure: solution components]
• Assa Abloy Hi-O Enabled Door
• Cisco Door Gateway
• Cisco Layer Switch
• Cisco IP Network
• Cisco Access Control Manager
• AAA Server
• Microsoft Active Directory
• Oracle Server

Threat Control and Containment
New features announced on 6.2.2007

Collaborative Systems Enabling Unparalleled Security
360º Visibility and Protection: Delivering Comprehensive and Proactive Network Defense (January – March 2007)
• Policy Management: CS Manager 3.1
• Threat Management: CS-MARS
• Simplified Control: Streamlining Policy and Threat Management Across the Network
• Endpoint Security: Cisco Security Agent 5.2
• Network Infrastructure: IPS 6.0 and Cisco IOS® IPS, ASA 8.0
• Business Resiliency: Ensuring the Enterprise’s Operations Availability

Reducing the Gray Area
Traffic is sorted into four classes, moving from highly manual handling towards automation enablement:
• GOOD: Allow
• RELEVANT: Pass and Log
• SUSPICIOUS: Pass and Alarm
• BAD: Block
Technologies applied across the classes: NAC, Traffic Shaping, IPS, Event Management & Correlation, IPS/Anti-X/DDoS/Firewall

Comprehensive Threat Protection
Integrated multi-vector protections at all points in the Network, and at Desktop and Server Endpoints
• Cisco Security Agent (CSA): Day Zero Endpoint Protection
• Cisco ISR Routers: Branch Protection
• Cisco ASA 5500 Adaptive Security Appliance: Converged Perimeter Protection (Internet)
• Catalyst Service Modules, IPS 4200 Series: Integrated Data Center Protection (Intranet)
• Cisco ICS, CSA Server Protection
• CS-MARS: Monitoring, Correlation, and Response
Cross-solution Feedback Linkages:
• Common Policy Management
• Multi-vendor Event Correlation
• Attack path identification
• Passive/Active Fingerprinting
• CSA-IPS Collaboration*
Adaptive and Collaborative: Identify and Control Outbreaks
• Anomaly Detection with In-Production Learning
• Network Behavioral Analysis
• On-device & Network Event Correlation
• Real-time Security Posture Adjustment
• Dynamic Signature Sets & Recognition
• Rapid Response

NAC Appliance

Cisco 7200 VPN Services Adapter (VSA)
NEW! Requires: NPE-G2. Availability: Sept 06
• Up to 7.5X performance improvement: VSA and NPE-G2
• Performance and scalability to fill an OC-3 aggregation WAN pipe
• IPSec hardware acceleration module
• Increased performance to support large-scale IPSec aggregation architectures
• Cisco IOS® Software Secure VPN Connectivity: Easy VPN, V3PN, DMVPN, 3DES, AES (128, 192, and 256 bit key encryption)
• Multi-Virtual Route Forwarding (Multi-VRF) to connect the central site to branches with segmentation
• IPSec Virtual Tunnel Interface (VTI) for simplified VPN design and configuration
• VSA utilizes an I/O slot and frees up valuable bandwidth and slot real estate for other connectivity needs

IPSec VPN SPA for the XR12000
Status: EC, scheduled for IOS-XR 3.4 (Oct 2006)
• Form Factor
– Architecture based on the 6500/7600 VPN SPA
– Hosted by SIP-401 / SIP-501 / SIP-601
• Performance
– 2.4Gbps aggregate throughput per SPA
– Up to 20 VPN SPA (12416): 48Gbps
– Average Tunnel Setup Rate: 100 / second (16K)
• IPSEC-VPN-2G-2
– DES / 3DES / AES
– Interface: SVI
• Scalability
– 16,000 Tunnels per chassis / SPA
– No crypto map support
– 750 SVIs per SIP
– 2,200 SVIs per chassis
– Multiple remote users terminating in a single SVI
• Enhanced Quality-of-Service
– SVI QoS consistent w/ sub-interface QoS
– Crypto SPA protection
– QoS for a group of tunnels
• High Availability
– Intra-Chassis Stateful Failover
– SSO/NSF Support

Application Control Engine (ACE)
Application Velocity System (AVS)

What is ACE?
– New product line in the Cisco ANS portfolio
– A Catalyst 6500 Service Module: 4Gbps, 8Gbps, 16Gbps throughput
– Integrated
• Content Switching / Server Load Balancing
• SSL Offload
• Data Center Security
– Industry’s highest performance!
– Maximum scalability!
– Innovations like Application Infrastructure Control with Role-Based Access Control (RBAC)
– Integrated with the industry’s leading enterprise-class switch: the Catalyst 6500

Data center security?
What exactly are those DC security features?
• ‘Deny any’ default stance
• Stateful ACL behavior
• Several packet-level checks (normalizer, TCP checksum)
• Inspection engines:
– FTP: like PIX/ASA 7.0
– DNS: similar to DNSGuard
– RTSP over TCP: parses SETUP messages
– ICMP: stateful
– HTTP
• HTTP inspection: high performance, more intuitive configuration than on PIX/ASA

How significantly more powerful?
• Regular expressions can be applied to any part of HTTP packets up to 64KB
– Headers
– URI
– Body
• Custom header definitions can be created
• URL canonicalization on by default
• Performed on dedicated network processor cores

What is AVS again?
• AVS 6.0 is Cisco’s only true Web Application Firewall (WAF)
• Stops attacks that are relevant today: how many times have you heard the words XSS, data leak, identity theft, online fraud lately?
• Can’t trust client-side input validation
• No time/money/knowledge to fix millions of custom HTTP-based applications
• Take a look at WebScarab and Suru; you will get customers’ interest!

Programmable IP Services Accelerator (PISA)

PISA: What is it?
• Two new Catalyst 6500 Sup32 SKUs: 8x1GE (Q1CY07) and 2x10GE (Q2CY07)
• NTE $35K and $40K
• Integrated MSFC for full L3 functionality
• Two new hardware-accelerated features:
– Flexible Packet Matching
– NBAR, including ‘smells-like’ protocol discovery!!
• Target performance: 2Gbps
• Must be configured on a routed interface (VLAN interface or routed port): requires a routed access campus design
• You send whatever you want to PISA using an ACL!
• Unicast IPv4 only

FPM
Flexible Packet Matching

Flexible Packet Matching Configuration: Slammer Filter
Traffic pattern: UDP destination port 1434, IP length 0x194, and the 4-byte string 0x04011010 at a 224-byte offset from the IP header. Actions supported include drop, permit, log and ICMP response. The slide's configuration, with the size operand of the pattern match restored (the slide text states a 4-byte string) and the slide annotations carried as IOS comments:

    ! Stack class defines the IP - UDP protocol stack
    class-map type stack match-all ip-udp
     match field ip protocol eq 17 next udp
    ! Defines the traffic pattern: UDP dst port eq 1434, IP length 0x194,
    ! 4B string 0x04011010 at 224B offset from the IP header
    class-map type access-control match-all slammer
     match field udp dport eq 1434
     match field ip length eq 0x194
     match start ip version offset 224 size 4 eq 0x04011010
    ! Drop all packets matching class slammer
    policy-map type access-control udp-policy
     class slammer
      drop
    ! Apply the slammer policy to the ip-udp stack
    policy-map type access-control policy-slammer
     class ip-udp
      service-policy udp-policy
    ! Apply the input/output service-policy on a per-interface basis
    service-policy type access-control input policy-slammer

NBAR
Network Based Application Recognition

Protocols detected using heuristics
PISA can automatically “smell-like” these protocols if they run over any given ports:
• edonkey
• http
• kazaa2
• rtp
• rtcp
• winmx
...
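The FPM Slammer filter shown above is a chain of class-maps: the stack class (IP carrying UDP) gates the access-control class, and only a packet matching the destination port, the IP total length and the 4-byte pattern at offset 224 is dropped. As an added example that is not from the slide deck and does not use any Cisco code, the following Python models that same match logic and runs it over constructed IPv4/UDP datagrams, including a legitimate query to the same port that must not be dropped:

```python
import struct

# Added example (not from the deck): software model of the FPM slammer class-maps,
# run against constructed packets so the match logic can be checked offline.
SLAMMER_DPORT = 1434                          # match field udp dport eq 1434
SLAMMER_IP_LEN = 0x194                        # match field ip length eq 0x194
SLAMMER_OFFSET = 224                          # match start ip version offset 224
SLAMMER_PATTERN = bytes.fromhex("04011010")   # size 4 eq 0x04011010

def parse_ipv4(packet: bytes):
    """Return (protocol, total_length, header_length), or None if not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    total_length = struct.unpack("!H", packet[2:4])[0]
    return packet[9], total_length, (packet[0] & 0x0F) * 4

def stack_class_ip_udp(packet: bytes) -> bool:
    """class-map type stack match-all ip-udp: IPv4 carrying protocol 17 (UDP)."""
    hdr = parse_ipv4(packet)
    return hdr is not None and hdr[0] == 17

def class_slammer(packet: bytes) -> bool:
    """class-map type access-control match-all slammer: every field must match."""
    hdr = parse_ipv4(packet)
    if hdr is None:
        return False
    _, total_length, ihl = hdr
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    window = packet[SLAMMER_OFFSET:SLAMMER_OFFSET + 4]  # offset counted from IP header start
    return dport == SLAMMER_DPORT and total_length == SLAMMER_IP_LEN and window == SLAMMER_PATTERN

def fpm_policy(packet: bytes) -> str:
    """policy-slammer -> class ip-udp -> udp-policy -> class slammer -> drop."""
    if stack_class_ip_udp(packet) and class_slammer(packet):
        return "drop"
    return "permit"

def build_ipv4_udp(dport: int, payload: bytes, proto: int = 17) -> bytes:
    """Constructed test datagram: minimal IPv4 + UDP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload

# Constructed samples: a 376-byte payload gives IP total length 404 (0x194), and the
# 4-byte pattern sits 224 bytes from the IP header start (payload offset 196).
_payload = bytearray(376)
_payload[196:200] = SLAMMER_PATTERN
SAMPLE_SLAMMER_LIKE = build_ipv4_udp(1434, bytes(_payload))
SAMPLE_SQL_BROWSER = build_ipv4_udp(1434, b"\x02")   # same port, legitimate 29-byte query
SAMPLE_NOT_UDP = build_ipv4_udp(1434, bytes(376), proto=6)  # fails the ip-udp stack class
```

The second sample shows why the filter matches on length and pattern rather than the port alone: SQL Server Browser traffic also uses UDP/1434 and is permitted.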
Hotfixes/AV Checks (slide fragment)
• Auto-updates to pre-configured Hotfix and oneCare AV checks
• Windows Update via windowsupdate.com: redirect to windowsupdate.com for remediation
• Windows Update via WSUS: Ability...

Decision Framework (Gartner, October 2006)