1. © 2003, Cisco Systems, Inc. All rights reserved. 111 8426_07_2003_Richardson_c11 Security Strategy Update Self Defending Network Initiative Network Admission Control February 5, 2004 Tempe, Arizona Security Strategy Update Self Defending Network Initiative Network Admission Control February 5, 2004 Tempe, Arizona

2. © 2003, Cisco Systems, Inc. All rights reserved. 222 8426_07_2003_Richardson_c11 Security Paradigm is Changing The burden on StateNet’s members to secure all aspects of the network and business is rapidly growing heavier -Assessing Security Risks -Defining & Authoring Security Policy -Designing & Implementing Security Infrastructure -Enforcement of Security Policy Self Defending Network Initiative (SDNI) will result in the network making intelligent admission and defense decisions while helping to enforce security policy compliance. The burden on StateNet’s members to secure all aspects of the network and business is rapidly growing heavier -Assessing Security Risks -Defining & Authoring Security Policy -Designing & Implementing Security Infrastructure -Enforcement of Security Policy Self Defending Network Initiative (SDNI) will result in the network making intelligent admission and defense decisions while helping to enforce security policy compliance.

3. © 2003, Cisco Systems, Inc. All rights reserved. 333 8426_07_2003_Richardson_c11 Threat Evolution Global Infrastructure Impact Regional Networks Multiple Networks Individual Networks Individual Computer Global Infrastructure Impact Regional Networks Multiple Networks Individual Networks Individual Computer Target and Scope of Damage 1st Gen Boot viruses 1st Gen Boot viruses Weeks 2nd Gen Macro viruses Email DoS Limited hacking 2nd Gen Macro viruses Email DoS Limited hacking Days Point Products Days Point Products 3rd Gen Network DoS Blended threat (worm + virus+ trojan) Turbo worms Widespread system hacking 3rd Gen Network DoS Blended threat (worm + virus+ trojan) Turbo worms Widespread system hacking Minutes Integrated Security Minutes Integrated Security Next Gen Infrastructure hacking Flash threats Massive worm driven DDoS Damaging payload viruses and worms Next Gen Infrastructure hacking Flash threats Massive worm driven DDoS Damaging payload viruses and worms Seconds Self Defending Network Seconds Self Defending Network 1980s 1990s Today Future

4. © 2003, Cisco Systems, Inc. All rights reserved. 444 8426_07_2003_Richardson_c11 Cisco’s Security Vision INDUSTRY COLLABORATION INTEGRATED SECURITY SYSTEM LEVEL SOLUTION Secure Connectivity Threat Defense Trust and Identity Network Admission Control Program Dynamically identify, prevent, and respond to threats End-to-End Multi-phased initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats

5. © 2003, Cisco Systems, Inc. All rights reserved. 555 8426_07_2003_Richardson_c11 Cisco Network Admission Control (NAC) Cisco Network Admission Control (NAC) is Cisco-led, industry program focused on limiting damage from emerging security threats such as viruses and worms NAC is a significant step forward in security policy compliance and enforcement In NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro NAC is the first phase of the Cisco Self-Defending Network Initiative These efforts are designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats

6. © 2003, Cisco Systems, Inc. All rights reserved. 666 8426_07_2003_Richardson_c11 Cisco NAC Solution Overview NAC Solution: Leverage the network to intelligently enforce access privileges based on endpoint security posture. The Cisco network helps force corporate security compliance. Validates all endpoints/hosts Ubiquitous solution for all connection methods Quarantine & remediation services Leverages customer investments in Cisco network and AV solutions Deployment scalability NAC Characteristics: Cisco Secure ACS Policy (AAA) Svr AV Vendor Svr Endpoint Attempting Network Access Network Access Devices Policy Server Decision Points Credentials RADIUS Credentials Access Rights Notification Cisco Trust Agent Comply? Enforcement NAC enforces the security policies as defined on the ACS by the user. It does not author the policies.

7. © 2003, Cisco Systems, Inc. All rights reserved. 777 8426_07_2003_Richardson_c11 Cisco Network Admission Control (NAC) Endpoints attempting Network Access AV Vendor Policy Server Security Credential Checking Cisco Network Access Device Security Policy Enforcement Cisco Secure ACS Policy/ AAA RADIUS Server Security Policy Creation AV Policy Evaluation Cisco Network Admission Control Anti- Virus client Cisco Security Agent Cisco Trust Agent NAC is not yet shipping. The Cisco Business Unit is still determining how we will license and charge for NAC on the access devices. It is expected the end-point Trust Agent will be free. Permit, deny, quarantine, restrict

8. © 2003, Cisco Systems, Inc. All rights reserved. 888 8426_07_2003_Richardson_c11 Phase 1 Deployment Scenarios Router-Based compliance enforcement Main Office Branch Office Lab Data Center AAA & AV Svrs VPN Edge Extranet Edge Users Partner Private WAN Partner WAN VPN Edge Internet Edge Internet Branch office compliance Focus first on less trusted/managed offices Extranet compliance Partner hosts are patched and comply Internet compliance Ensure hosts are hardened prior to browsing Lab compliance Production network access only for compliant devices Data center protection Devices accessing protected servers must comply

9. © 2003, Cisco Systems, Inc. All rights reserved. 999 8426_07_2003_Richardson_c11 NAC Schedule ( best efforts to accelerate ) Phase 1 Q2 CY04 Phase 1 Q2 CY04 Phase 2 2HCY04 Phase 2 2HCY04 Network Devices IOS Routers 17xx – 72xx Cisco Trust Agent Support Industry Partners Device Communications Phase 3 TBD Phase 3 TBD Windows NT, 2000, XP AV Vendors Layer 3 EAP/UDP Switches Wireless Access Points Windows 2003 Red Hat Linux Solaris OS Vendors Mgmt Vendors Layer 2 EAP/802.1x Security Devices VPN Concentrators IP Phones Cisco Appliances MAC OS, HPUX, AIX Broad Vendor Support HTTP/SSL? VPN Management System (VMS) will configure the NAC settings across access devices in masse. Secure Information Management System (SIMS) will be the management tool for reporting and monitoring. A “SIMS Lite” is being considered for small to medium customers. There are third party management software companies writing to NAC, so there will be options

10. © 2003, Cisco Systems, Inc. All rights reserved. 10 8426_07_2003_Richardson_c11 Cisco Integrated Security Portfolio ADVANCED SECURITY SERVICES MANAGEMENT AND ANALYSIS MANAGEMENT AND ANALYSIS Centralized security managementCentralized security management Security policy, security event monitoring and analysisSecurity policy, security event monitoring and analysis Threat validation and investigationThreat validation and investigation Embedded devicemanagementEmbedded device management COMPLETE COVERAGE Protecting Desktops, Servers and Networks FLEXIBLE DEPLOYMENT Security Appliances Security Appliances Switches Routers Security Software Security Software SECURITY SERVICES VPN / SSL FirewallIDSIdentityBehavior SECURE INFRASTRUC- TURE SECURE INFRASTRUC- TURE Device Authentication, Port Level Security, Secure and Trusted Devices, Secure Access, Transport Security Device Authentication, Port Level Security, Secure and Trusted Devices, Secure Access, Transport Security

11. © 2003, Cisco Systems, Inc. All rights reserved. 11 8426_07_2003_Richardson_c11 Summary Statement Industry collaboration in support of Cisco’s Self Defending Network Initiative will result in the network making intelligent admission and defense decisions while helping to enforce security policy compliance. Thank you for your time.