1 © 2004 Cisco Systems, Inc. All rights reserved. Cisco Self Defending Network SECURING THE INTELLIGENT INFORMATION NETWORK James Jones CCIE 1550, CISSP.

Presentation transcript:

1 © 2004 Cisco Systems, Inc. All rights reserved. Cisco Self Defending Network: SECURING THE INTELLIGENT INFORMATION NETWORK. James Jones, CCIE 1550, CISSP. August 2005.

2 © 2005 Cisco Systems, Inc. All rights reserved. Agenda: Security evolves to become a business issue; Cisco’s unique architectural systems approach; Security is a business enabler.

3 Key Issues Facing Customers Today. SECURITY: Threats, Theft, Loss, Response time. APPLICATION AND SERVICE OPTIMIZATION: Enablers, Awareness, App management, Performance/optimization, Resilience. SIMPLIFICATION: Scale, Cost, Staffing, Integration and systems management. THESE ISSUES ARE COMMON TO THE COMPUTE AND NETWORK LAYERS.

4 Security Incidents on the Rise. [Chart: Incidents.] Source: CERT: Carnegie Mellon Software Engineering Institute, IDC.

5 Evolution of Security Challenges. Time from Knowledge of Vulnerability to Release of Exploit is Shrinking. [Chart: Target and Scope of Damage (INDIVIDUAL Computer, INDIVIDUAL Networks, MULTIPLE Networks, REGIONAL Networks, GLOBAL Infrastructure Impact) plotted over 1980s, 1990s, Today, Future; time labels Weeks, Days, Minutes, Seconds; series labels 1st Gen, 2nd Gen, 3rd Gen, Next Gen.]

6 Security… Top of Mind for Business / Gov’t. Top Ten Business Trends In 2004: Revenue growth *; Use of information in products / services *; Economic recovery; Single view of customer; Faster innovation; Greater transparency in reporting; Enterprise risk management; Security / Business disruptions; Operating costs / budgets; Data protection and privacy. Rankings: “Affects Growth of IT Industry”. Source: Gartner Top Ten Business Trends. [Table columns for the 2003 and 2002 rankings: values not recoverable.]

7 Regulatory Compliance and the “IAC triad”. Regulatory Compliance: HIPAA, Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), Basel II, EPA. Integrity: Assurance of accuracy and reliability of data and systems, ensuring neither is modified in an unauthorized manner. Availability: Ensures the system or data is available and executes in a predictable manner with an acceptable level of performance. Confidentiality: Preventing unauthorized disclosure of sensitive information by ensuring that the necessary level of secrecy is in place at each junction of data processing.

8 Cisco Intelligent Information Network. Layers: BUSINESS PROCESSES; APPLICATIONS AND SERVICES; NETWORKED INFRASTRUCTURE. ACTIVE PARTICIPATION in application and service delivery. A SYSTEMS APPROACH integrates technology layers to reduce complexity. Flexible POLICY CONTROLS adapt this intelligent system to your business through business rules. CONNECTIVITY; INTELLIGENT NETWORKING. BUSINESS PROCESS OPTIMIZATION REQUIRES AN INTELLIGENT INFORMATION NETWORK. CISCO NETWORK STRATEGY: RESILIENT, INTEGRATED, ADAPTIVE.

9 Value of Integrated Security System. Security is no longer an option… It’s a necessity. Security as an Option: Security is an add-on; Challenging integration; Not cost-effective; Cannot focus on core priority. Security as INTEGRAL of a System: Security is built-in; Intelligent collaboration; Appropriate security; Direct focus on core priority.

10 Self Defending Network Strategy: Cisco strategy to dramatically improve the network’s ability to identify, prevent, and adapt to threats. An initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats. SYSTEM LEVEL SOLUTIONS: Endpoints, Network, Services. SECURITY TECHNOLOGY INNOVATION: Endpoint Security, Application Firewall, SSL VPN, Network Anomaly. INTEGRATED SECURITY: Secure Connectivity, Threat Defense, Trust & Identity.

11 Phases of Self Defending Network (SDN). Point Products: Multiple Security Appliances; Separate management software. SDN Phase I: Integrated Security. SDN Phase II: Collaborative Systems. SDN Phase III: Adaptive Threat Defense. “5–7 Years to Drive Architecture”.

12 Securing the IP Fabric with Integrated Security. Security Technology Leadership: Best-of-Breed Security. Networking Technology Leadership: 20 Years of Routing & Switching Expertise. Products shown: VPN Concentrator, Cisco Firewall, Cisco IDS Sensors, Cisco IOS VPN, Cisco ISR, Cisco Catalyst. Integrated Security. Network Infrastructure Protection: Protect the network infrastructure from attacks (Control Plane Policing, NBAR, AutoSecure). Trust & Identity: Leverage the network to intelligently protect Endpoints (NAC, 802.1x). Secure Connectivity: Secure and scalable network connectivity (Secure Voice (sRTP, V3PN), DMVPN, MPLS & IPSec). Threat Defense: Prevent and respond to network attacks and threats such as worms (Intrusion Prevention, Netflow, App Firewall, OPS).

13 NAC – First Collaborative Security System. NAC Framework: Client attempts connection; Authentication and policy check of client; outcome is a) Access Granted, b) Access Denied, or c) Quarantine Remediation. Diagram labels: Desktop, Quarantine VLAN, Remediation, Corporate Net. And more to come….

14 Current NAC Program Participants: ANTI VIRUS, REMEDIATION, CLIENT SECURITY.

15 Adaptive Threat Defense in Action: Products, Services and Architecture Example. Diagram labels: PIX, CSA, NAC, Quarantine VLAN, Cisco Router, VPN Access, VPN, Cisco DDoS, Catalyst, Identity-Based Networking, Cisco IPS. Application Security: App Inspection, Use Enforcement, Web Control. Anti-X Defenses: Malware/Content Defense, Anomaly Detection. Containment & Control: Traffic/Admission Control, Proactive Response.

16 VoIP Security Test: Hardened for VOIP Security in the Wiring Closet. Diagram labels: Call Manager’s, Applications Servers, PSTN, Cisco IP Network, Data VLAN, Voice VLAN, Data Center VLAN, Attack Point. Catalyst 4500 Security Used Concurrently: Dynamic ARP Inspection, IP Source Guard, DHCP Snooping, Port Security, VACL Policing. Miercom Hacker Assault Team unable to disrupt Cisco VoIP: STOPPED at the edge by a Catalyst 4500 … Miercom Quote: “Cisco achieved the highest rating of the vendors tested. Cisco’s overall score, an A- on Miercom’s VoIP-Security Rating Scale, has set the high bar that other IP-telephony vendors will now endeavor to reach”

17 Integrated Systems Equals Greater Value AND Decreased Costs. FOUNDATION TECHNOLOGIES. Reduce OPEX by 30-40% -- investment protection. SECURE IP COMMUNICATIONS. SECURE WIRELESS. Lower Implementation Costs and TCO -- simpler to deploy and manage. Secure, Integrated, intelligent systems. Trusted and protected business applications, legislative compliance. SELF-DEFENDING NETWORK. More effective communication and collaboration through application and infrastructure integration. Wireline and wireless equivalence – ubiquitous secure connectivity. 29% savings through OPEX reduction, training, support, integration Sage Research, % savings -- simpler, management, integration, operations Sage Research, 2003 NASDAQ internal study, 2004

19 Cisco Security Management Directions. Products: Device Mgrs, Security Manager (VMS NG), Security Auditor, M.A.R.S. Today auditing highly manual and costly; Cisco offers auditing with predefined best practice policies. Solution for monitoring and mitigation; Visualize attack paths; Uses control capabilities within infrastructure to eliminate attacks. Quickest way to setup a device; Configures all device parameters; Ships with device. Solution for configuring routers, appliances, switches and endpoints; Applies policy at multiple layers; broadest coverage in the industry. Functions: Provision, Monitor, Analysis, Respond.

20 WIRELESS. Integration Through A Systems Architecture: WIRELESS, MANAGEMENT, IP COMMUNICATIONS, SECURITY. Security: A complete security solution includes threat defense capabilities such as rogue AP detection; secure connectivity through support for strong encryption; and trust and identity features, to enable only those with permission to access the network. Application Aware: Fast Secure L3 roaming for latency-sensitive applications (through WLSM).

21 IP COMMUNICATIONS. Integration Through A Systems Architecture: WIRELESS, MANAGEMENT, IP COMMUNICATIONS, SECURITY. Security: Comprehensive approach to securing applications and media, leveraging infrastructure in the first true system approach. Complete Applications Portfolio: Integrated suite of collaboration, call control, voice mail, and voice and video conferencing applications. Voice Aware Network: System approach enables appropriate QoS, High Availability.

22 Security Architecture… Designed in at PRD. Self Defending, Adaptive. Diagram labels: ROUTING / SWITCHING, SERVICE PROVIDER, ADVANCED TECHNOLOGIES, IP TELEPHONY, SECURITY, WIRELESS, OPTICAL, STORAGE, NETWORKED HOME, SECURITY and SERVICES.