Managed Security Services from Service Providers
Georgina Schaefer, Cisco Systems (98 slides)
© 2001, Cisco Systems, Inc. All rights reserved.


8/15/2019 Managed Security.pdf

http://slidepdf.com/reader/full/managed-securitypdf 1/98



Agenda

• The Managed Security Services market
• Managed firewall services
• Managed intrusion detection services
• Managed VPN services
• Management
• Cisco initiatives



MSS Market Perception

• General interest and demand for managed services: WAN, hosting, ASP, voice, …
 – SPs can offer 24x7x365 monitoring
 – Economies of scale
• Main growth for MSS is in the SME segment, which lacks both financial and technical resources
• Increases in the frequency, severity and complexity of security attacks
• Senior management realise the damage potential of attacks
 – Willingness to invest more in security
 – Concerned about time to market


MSS Market Restraints

• Customers
 – Enterprises are unwilling to lose control of their networks
 – Unproven reputation of MSSPs
 – Large number of SP bankruptcies
 – Lack of perceived need for extensive security
• Service Providers
 – Difficult to demonstrate quantifiable ROI
 – Difficult to provide an SLA


Where are the Enterprises today?

• Where implemented, security is a preventive measure: firewall, authentication, encryption, …
• Prevention is not enough; detection and response are also needed
 – Time and resource consuming
• Lack of implementation is usually due to complexity, the quantity of information to be processed and lack of education
• Enterprises are generally looking for partial or total outsourcing of security services
 – SMEs look for fully outsourced, simple and cheap services
 – Larger corporates look for partially managed, high-level security services: they want to keep control!


Where are the SPs today?

• Most European SPs already provide basic security offerings such as managed firewalls and user authentication
• Managed security has become a catch-all expression
 – e.g. VPN (L2, L3, MPLS, IPsec, …)
• More comprehensive security packages are becoming increasingly important for SP differentiation
 – MSS can involve installation and configuration but also upgrading and ongoing reconfiguration work
 – An additional service can be day-to-day monitoring and response
• SPs are familiar with SLAs, but security SLAs are only just being introduced


Who are the MSSPs?

• Not only the service providers (telcos, ISPs, ASPs) but also
 – Systems integrators
 – Pure MSSPs
 – Security vendors
• Services delivered via a 1-tier or 2-tier model
• Greatest market acceptance seems to be through established SPs
 – e.g. Deutsche Telekom, Cable & Wireless/Exodus, Energis, …


MSS Offerings

• Access Security
 – Managed Firewall
 – Remote Access
• Data Transport Security
 – IP VPNs
• Anti-Virus and content control
• Intrusion Detection/Prevention
• Public Key Infrastructure
• Service Management
• Security Consultancy
 – Consulting
 – Business Continuity
 – Service Level Agreements



Managed Firewall

• Most basic service and network security measure
• Management and monitoring services vary considerably
 – Installation and configuration (based on policy given by customer)
 – Status and performance monitoring
 – Real-time analysis
 – Incident response procedures
 – Periodic reports


Enterprise threats

[Figure: a firewall joining three networks; addresses shown are 192.168.27.1, 192.168.27.3, 192.168.27.129 and 192.168.27.131]
• External network: may be home to attackers
• DMZ network: no outgoing connections; provides a safe "meeting ground" for internal and external users. Holds DNS (private), mail servers (private) and web content (public)
• Internal network: may contain private information or critical services


PIX Firewall: Key Applications

[Figure: PIX deployment map. Telecommuter/day extender, small business or small satellite office, branch/retail, small division, regional office, corporate HQ, server farm and service provider, served by models from the PIX 501 up to the PIX 535 as the site grows]
• Same OS regardless of platform
• Common features and management


PIX Firewall Product Line Overview

Model    Market      MSRP            Licensed Users  Max VPN Peers  Cleartext (Mbps)  3DES (Mbps)
501      SOHO        $595 or $1,195  10 or 50        5              10                3
506E     ROBO        $1,695          Unlimited       25             20                16
515E-UR  SMB         $7,995          Unlimited       2,000*         188               63*
525-UR   Enterprise  $18,495         Unlimited       2,000*         360               70*
535-UR   Ent. + SP   $59,000         Unlimited       2,000*         1,700 (1.7 Gbps)  95*

* Using an integrated VPN Accelerator Card (VAC)
The slide marks the top of the range as GigE enabled.


Cisco Web Hosting Data Center Design

[Figure: layered data-center design. WAN edge layer (GSRs, geographic content switch) facing the SP network; core layer and distribution/aggregation layer on Catalyst 6500; access layer on Catalyst 2900/3500/4000/5500; content switches CSS-11800 and CSS-11150, Cat6K and cache/content engines in front of the web server farm. Security layer: shared PIX firewalls and an IDS sensor in front of the shared servers (customers A, B, C); dedicated PIX firewalls in front of the dedicated servers; unmanaged customer cages for collocation services]


Data Center Threats

• Illegal access to servers
• Illegal access to network devices
• Denial of Service (DoS) attacks on customer servers


Data Center Firewalling

• Shared firewalls
 – Enforce general policies which apply to ALL customers/servers, e.g. may prevent outgoing connections, "spurious" protocols
 – Limit access to network devices
 – Policies modified once attacks have been detected and traced
 – Work in addition to router ACLs
• Dedicated firewalls
 – Policies are specific to the customers and/or servers
 – ACLs may limit the effect of an attack on one set of servers; does not affect ALL customers
• Firewalls are not typically used to detect/trace attacks
• Once attacks are known, firewalls can apply ACLs


New Hardware: Cat6500 Firewall Services Module

• PIX 6.0 base feature set + some features of 6.2
• High performance firewall, targeted at OC-48 or 2.5 Gbps
• 1 million concurrent connections
• 3 million pps
• 100K new connections/sec for HTTP, DNS
• 100 VLANs
• Supports 128K rule set
• LAN failover active/standby (both intra- and inter-chassis)
• Dynamic routing, i.e. RIP, OSPF
• Supports multiple blades in the chassis
• Supports multiple IN/OUT and DMZs
• IPsec for management only
• No IDS signatures
• Supported on Native IOS only
• Virtual firewalls (future release)
• Fabric enabled
Industry's leading firewall performance! Available now.


Virtual Firewall Application

[Figure: a head office and three branch offices connected over an MPLS-VPN, with Internet access through a firewall. Case A: the head office advertises a default route into the VPN and forces all traffic through its firewall. Case B: a virtual firewall, where the VRF advertises the default route into the VPN]


Shared Services Model

[Figure: VPN A sites (Paris, London) and VPN B sites (Bruxelles, Amsterdam) attached via CE routers to the MPLS backbone, sharing ERP, an H.323 gatekeeper, a video server, hosted content and an Internet gateway]


Business drivers

• MPLS VPN Global Services
 – Enable a Service Provider to offer a set of 'Shared Services' to their customers across VPNs
• By enabling Shared Services, a Service Provider will
 – Differentiate itself from the competition
 – Increase its services portfolio
• Issue today:
 – Overlapping private addresses


Network Address Translation today

• NAT occurs
 – after routing, from inside to outside
 – before routing, from outside to inside
• NAT checks all traffic against the configured NAT translations
• An interface can be configured as being inside or outside


NAT and MPLS VPN Integration

• Maintains support for all existing applications & protocols in an MPLS VPN environment
• NAT can be configured on 1 or more PEs
 – providing NAT redundancy
 – the 'shared service' does not need to be physically connected to the PE device performing NAT
• An interface is still either "inside" or "outside"
• An "outside" interface can be part of a VRF or a regular "generic" interface
• NAT will inspect all traffic routed VRF-to-VRF or VRF-to-Global



Intrusion Detection/Prevention

• 80% of recent attacks have been performed over port 80
• In-depth examination of traffic is required to identify attacks hidden within legitimate traffic, on both the network and the critical hosts
• IDS services require powerful and complex management (updates, tuning), monitoring and response procedures
• Needs 24x7 service operation, which requires an automated system


Denial of Service (DoS): The Mechanisms Used

1. Cracking:
 – Manually, or through viruses and worms (Code Red, Nimda, …), always exploiting host vulnerabilities
2. Signalling:
 – e.g. ICMP, management protocols
3. Flooding:
 – TCP SYN flood, UDP, ICMP, other IP protocols, …
 – Attacking a line: big packets (bandwidth!)
 – Attacking a host/router: small packets (pps!)


Detecting DoS Attacks

• Customer call
• SNMP: line/CPU overload, drops
• Netflow: counting flows
• Access lists with logging
• Sniffers
• Dedicated detection devices …


Tracing DoS Attacks

• Non-spoofed: technically trivial (IRR)
 – But: potentially tracing 100's of sources …
• Spoofed:
 – Netflow (recommended): trivial if the mechanisms are installed; manually, router by router; no additional impact on the network
 – Access lists (logging): has a performance impact on most platforms; mostly manual, router by router


Router Security Features

• Detect DoS attacks: SNMP, Netflow, ACLs
• Trace back packet floods: Netflow, ACLs (logging)
• Shun a source: Unicast RPF, ACLs
• Shun a destination: null-routing, ACLs
• Limit attacking traffic: CAR, scheduler allocate
• And update all routers via BGP


ACLs with log and log-input

ACLs with log:

    router_B(config)# access-list 101 permit ip any any log
    router_B#
    14:30:34: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 178.12.60.96(0) -> 192.168.1.1(0), 1 packet
    14:30:35: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 116.25.206.120(0) -> 192.168.1.1(0), 1 packet
    14:30:36: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 108.98.96.64(0) -> 192.168.1.1(0), 1 packet

ACLs with log-input (each entry additionally shows the input interface and the MAC address of the upstream router):

    router_B(config)# access-list 101 permit ip any any log-input
    router_B#
    14:17:19: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 67.90.141.3(0) (Serial0/0 *HDLC*) -> 192.168.1.1(0), 1 packet
    14:17:21: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 105.12.73.84(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
    14:17:22: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 166.159.237.65(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet

Careful! ACL logging has a CPU impact!
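As an added example (not part of the original Cisco slides), here is the kind of parser an MSSP's monitoring system would run over the IPACCESSLOGP lines above to spot a many-source flood against one host and to pick up the ingress interface and upstream MAC that log-input adds for the trace-back. The log lines, the three-source threshold and the unrelated syslog line are constructed for the example:

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOGP messages and flag a packet flood.

Added example, not from the original Cisco slides. It shows what an MSSP
monitoring system would do with the 'log' and 'log-input' output shown
above: count packets per destination, count distinct sources, and (with
log-input) record the ingress interface and upstream MAC for trace-back.
The sample lines are constructed to match the slide's format.
"""
import re
from collections import Counter, defaultdict

# One pattern handles both variants: the "(interface mac)" group is only
# present when the ACL entry was configured with 'log-input'.
LOG_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>\S+)\))?"
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: three 'log' lines, three 'log-input' lines, and one
# unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
14:30:34: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 178.12.60.96(0) -> 192.168.1.1(0), 1 packet
14:30:35: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 116.25.206.120(0) -> 192.168.1.1(0), 1 packet
14:30:36: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 108.98.96.64(0) -> 192.168.1.1(0), 1 packet
14:31:02: %SYS-5-CONFIG_I: Configured from console by console
14:17:19: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 67.90.141.3(0) (Serial0/0 *HDLC*) -> 192.168.1.1(0), 1 packet
14:17:21: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 105.12.73.84(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
14:17:22: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 166.159.237.65(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
""".splitlines()


def parse_line(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None if the
    line is not an ACL log message. 'iface' and 'mac' are None without log-input."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarise(lines, min_sources=3):
    """Aggregate ACL log lines per destination.

    Returns {dst: {"sources": distinct sources, "packets": total packets,
                   "ingress": sorted list of (iface, mac)}} for every
    destination hit by at least `min_sources` distinct sources: many
    sources sending small packets at one host is the pps flood the slides
    describe, and the ingress list is the first hop of the trace-back.
    """
    per_dst = defaultdict(Counter)   # dst -> Counter of src -> packets
    ingress = defaultdict(set)       # dst -> {(iface, mac)} seen with log-input
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_dst[rec["dst"]][rec["src"]] += int(rec["count"])
        if rec["iface"] is not None:
            ingress[rec["dst"]].add((rec["iface"], rec["mac"]))
    report = {}
    for dst, srcs in per_dst.items():
        if len(srcs) >= min_sources:
            report[dst] = {
                "sources": len(srcs),
                "packets": sum(srcs.values()),
                "ingress": sorted(ingress[dst]),
            }
    return report


if __name__ == "__main__":
    for dst, info in summarise(SAMPLE_LOG).items():
        print(f"{dst}: {info['packets']} packets from {info['sources']} sources, "
              f"ingress {info['ingress'] or 'unknown (use log-input)'}")
```

With plain `log` the report can only say that 192.168.1.1 is being hit from many sources; with `log-input` it also names Serial0/0 and FastEthernet0/0 (and the upstream MAC 0006.d780.2380), which is the next router to query in a hop-by-hop trace.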


Strict uRPF Check (Unicast Reverse Path Forwarding)

[Figure: a router with interfaces i/f 1, i/f 2 and i/f 3 receives a packet with source S on i/f 1. Left: the FIB entry for S points to i/f 1, the same interface, so the packet is forwarded. Right: the FIB entry for S points to i/f 2, another interface, so the packet is dropped]

    router(config-if)# ip verify unicast reverse-path


Loose uRPF Check (Unicast Reverse Path Forwarding)

[Figure: the same router. Left: the FIB has a route for S via some interface i/f x, so the packet is forwarded whichever interface it arrived on. Right: S is not in the FIB, or its route points to null0, so the packet is dropped]

    router(config-if)# ip verify unicast source reachable-via any
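The two checks, as an added example that is not from the original slides: a small Python model of the FIB lookup behind the two commands, run over a few constructed packets (a genuine customer source, the same address spoofed from another customer port, two black-holed sources and an Internet source). The FIB entries, interface names and packets are constructed, and the `allow_default` flag stands in for the `allow-default` keyword of the `reachable-via` form, without which a default route does not count as a valid reverse path:

```python
"""Strict vs loose unicast RPF, modelled over a small FIB.

Added example, not from the original Cisco slides. The FIB, interface names
and packets are constructed; longest-prefix match stands in for the CEF
lookup that 'ip verify unicast ...' performs on the packet's source
address. The default route is ignored unless allow_default is set, which
mirrors the allow-default keyword of the reachable-via form.
"""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> egress interface. "null0" is a discard route.
FIB = {
    ip_network("0.0.0.0/0"):    "Serial0/0",   # default route towards the upstream
    ip_network("10.0.0.0/8"):   "null0",       # RFC 1918 aggregate black-holed at the edge
    ip_network("10.1.0.0/16"):  "Fa0/0",       # customer A behind Fa0/0
    ip_network("10.2.0.0/16"):  "Fa0/1",       # customer B behind Fa0/1
    ip_network("192.0.2.0/24"): "null0",       # prefix black-holed after an attack was traced
}


def lookup(src, allow_default=False):
    """Longest-prefix match for src. Returns the egress interface or None."""
    addr = ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def strict_rpf(src, ingress, allow_default=False):
    """ip verify unicast reverse-path: forward only if the best route back to
    src leaves through the interface the packet arrived on."""
    iface = lookup(src, allow_default)
    return iface is not None and iface == ingress


def loose_rpf(src, ingress, allow_default=False):
    """ip verify unicast source reachable-via any: forward if src has any
    route that is not a discard route; the ingress interface is irrelevant."""
    iface = lookup(src, allow_default)
    return iface is not None and iface != "null0"


def check(packets, allow_default=False):
    """packets: list of (src, ingress). Returns {(src, ingress): (strict, loose)}."""
    return {(s, i): (strict_rpf(s, i, allow_default), loose_rpf(s, i, allow_default))
            for s, i in packets}


# Constructed packets: a genuine customer-A source, customer A's address
# spoofed from customer B's port, two black-holed sources, an Internet source.
PACKETS = [
    ("10.1.5.5", "Fa0/0"),
    ("10.1.5.5", "Fa0/1"),
    ("10.9.9.9", "Serial0/0"),
    ("192.0.2.9", "Serial0/0"),
    ("198.51.100.7", "Serial0/0"),
]

if __name__ == "__main__":
    for (src, ingress), (strict, loose) in check(PACKETS, allow_default=True).items():
        print(f"{src:>14} on {ingress:<10} strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}")
```

The spoofed packet (10.1.5.5 arriving on Fa0/1) is the case that separates the two modes: strict drops it because the route back points at Fa0/0, loose passes it because a route exists. Loose mode still drops the null0-routed sources, which is what makes it useful on the SP edge, where routing is asymmetric and strict mode would drop legitimate traffic.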


Scheduler allocate

• Schedules CPU time spent on processes versus packet handling
• Syntax: scheduler allocate <interrupt> <processes>
 – <interrupt>: 3000-60000 microseconds handling network interrupts
 – <processes>: 1000-8000 microseconds running processes
• Example: router(config)# scheduler allocate 8000 8000
Very useful under heavy load!


Advanced Intrusion Protection

• Intrusion Protection provides:
 – Enhanced security over "classic" technologies, e.g. ACLs
 – Advanced technology to address the changing threat
 – Increased resiliency of e-Business systems and applications
 – Effective mitigation of malicious activity and insider threats


Solution Breadth: IDS Portfolio

[Figure: sensor types and the products behind them]
• Network sensor: 4210, 4230, 4235, 4250
• Switch sensor: IDSM-1, IDSM-2, IDSM-2-XL
• Router sensor: 800, 1700, 2600, 3600, 7x00
• Firewall sensor: PIX 501, 506E, 515E, 525, 535
• Host sensor: Standard Sensor, Web Sensor
• Management: secure command line, web UI / embedded manager, enterprise management (VMS), …


IDS-4235 Network Sensor Appliance

• Extending Cisco's intrusion protection line-up to performance-conscious enterprise and service provider customers
• Key features
 – High speed performance (150 Mbps)
 – Integrated, web-based UI
 – 1 RU form factor
 – 10/100/1000Base-T copper interface support
 – Advanced protection algorithms
• Price: $12,500
• Availability: May 2002


IDS-4250 Network Sensor Appliance

• Extending Cisco's technical and innovation leadership with the fastest gigabit appliance offering high performance intrusion protection
• Key features
 – Gigabit performance
 – Integrated, web-based UI
 – 1 RU form factor
 – Gigabit copper and fiber interface support
 – Optional redundant power supplies
 – Performance upgradeable
 – Advanced protection algorithms
• Price: starting at $25,000
• Availability: May 2002


Switch Sensor: Catalyst 6500 IDS Module

• IDSM delivers switch-integrated protection, allowing customers to leverage their network investment by delivering security and switching services in a single box
• Key features
 – Network-integrated protection
 – Interfaces directly into the switch backplane
 – Advanced VLAN ACLs to shape/target traffic
 – Monitors 802.1q and ISL traffic (multiple VLANs)


Switch Sensor Portfolio

                    IDSM-1    IDSM-2    IDSM-2-XL
Size                1 slot    1 slot    1 slot
Performance (Mbps)  120       500       1000
Processor           Custom    Custom    Custom
Hardware assist     Yes       No        Yes
Availability        Today     2H02      2H02


Host Sensor

• Industry-leading Host Sensor (Entercept) provides attack prevention for operating systems, applications and critical system resources, giving unique "day zero" protection
• Key features
 – Sophisticated attack protection
 – OS and application attacks
 – Buffer overflow attacks
 – Web server application attacks
 – SSL-encrypted HTTP attacks
 – Prevents access to server resources before any unauthorized activity occurs


Host Sensor Portfolio

Component              Platforms                                       Web applications
Standard Server Agent  Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8
Web Server Agent       Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8   IIS, Apache, iPlanet, Netscape Enterprise Server
Host Console*          Win NT 4.0, Windows 2000


DoS Defence Partners. Example: Riverhead

[Figure: a Riverhead guard next to a detection device (Cisco IDS or Riverhead detector)]
Once a threat is detected, only the traffic addressed to the attacked host is diverted for treatment. Traffic addressed to other hosts remains undisturbed.


DoS Attacks: Data Diversion

Data diversion:
• diverts the victim's traffic transparently to the "cleaning" device
• returns legitimate traffic back to the intended destination


IOS Security

• Offers an integrated solution
• Tight IOS feature integration with GRE, L2TP, routing, …
[Figure: a Cisco IOS WAN router with integrated IPsec, firewall, IDS, Mobile IP, WAN, etc., alongside an IPsec hardware client and a firewall WAN router]


Cisco IOS Firewall Benefits

• Combined with Cisco IOS software-based technologies
 – Positioned at the network's perimeter and aggregation points
• Enhances Cisco IOS security
• Strong security at lower cost of ownership
• Leverages investment in Cisco infrastructure
• Future enhancements include Websense/N2H2 filtering, SIP/H.323 support, token authentication, etc.


Cisco IOS Firewall Features

• Context-Based Access Control (CBAC)
 – Stateful, per-application filtering
 – Support for advanced protocols (H.323, SQLnet, RealAudio and more)
• Integrated intrusion detection
• Denial of Service detection and prevention
• Per-user authentication and authorization
• Real-time alerts
• TCP/UDP transaction log


Cisco IOS Intrusion Detection System

• Inline monitoring of network traffic for potential misuse or policy violations
• Matches network traffic against a list of 59 signatures, which look for patterns of misuse
• Takes action upon detection
• Future IOS IDS development committed to:
 – Enhanced signature support
 – Dynamic signature update functionality
• Combined with Cisco IOS Firewall for the 1720, 2600, 3600, 7100 and 7200 router platforms


Newly published IDS white paper

"The Science of IDS Attack Identification"
• Details the different approaches to recognise an attack
• Freely accessible at: http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/idssa_wp.htm



Managed VPNs

• Enterprises outsource VPNs to cut costs!
• Shift towards the adoption of Layer 3 VPNs (IP based)
• MPLS-VPN is a connectivity service well suited for this application and well adopted by European SPs
• Enterprises may ask for IPsec together with MPLS for the following services
 – Site-to-site confidentiality if they do not accept the level of security provided by MPLS or the service provider
 – Secure off-net access to extend beyond their MPLS network boundaries
• The key question is: is there a business case and demand for outsourced IPsec VPNs?


Site-to-Site (Full Mesh) IPsec VPN

[Figure: a hub with LAN 30.30.30.0/24 (host 30.30.30.30) and spokes with LAN 40.40.40.0/24 (host 40.40.40.40), connected across the Internet by a full mesh of IPsec tunnels; the intranet also holds an NTP server and the default gateway. Hub 130.233.8.1, 130.233.8.2 and spokes 130.233.9.41 to 130.233.9.44 all use static, known IP addresses]


Issues with site-to-site

• Spokes (small sites) are often connected to the Internet.
 – Their external Internet address changes each time they connect.
• IPsec uses an access-list to define which user traffic is to be encrypted.
 – Each time a new (sub)network is added behind a spoke or the hub, the customer must change the ACL on both the hub and the spoke routers.
 – The customer must notify the SP in order to get the IPsec ACL changed so that traffic for the new destination will be encrypted!!
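An added example, not from the original slides, of the check a practitioner would run before and after such an ACL change: it parses two IOS crypto ACLs (`permit ip <local> <wildcard> <remote> <wildcard>` entries) and reports the mirror entries each router lacks, since an entry present on one side only leaves that subnet's traffic encrypted in one direction and unprotected or dropped in the other. The 30.30.30.0/24 and 40.40.40.0/24 LANs are the slide's; the new 30.30.31.0/24 subnet, the ACL texts and the function names are constructed for the example:

```python
"""Check that a hub's and a spoke's IPsec crypto ACLs are mirror images.

Added example, not from the original Cisco slides. On IOS the crypto ACL
('permit ip <local> <wildcard> <remote> <wildcard>') selects which traffic
is encrypted, and the peer must carry the reverse entry, so adding a
subnet means editing both routers, as the slide says. This script diffs
the two ACLs and lists the lines each side is missing. The 30.30.30.0/24
and 40.40.40.0/24 LANs are the slide's; the new 30.30.31.0/24 subnet and
the ACL texts are constructed for the example.
"""
from ipaddress import ip_network


def wildcard_to_prefixlen(wildcard):
    """Convert an IOS wildcard mask (0.0.0.255) to a prefix length (24).
    Only contiguous wildcards are accepted; anything else is rejected."""
    bits = int.from_bytes(bytes(int(o) for o in wildcard.split(".")), "big")
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - bits.bit_length()


def parse_crypto_acl(text):
    """Parse 'permit ip A wA B wB' lines into a set of (local, remote) networks.
    Lines that are not plain 'permit ip' entries are ignored."""
    entries = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            continue
        local = ip_network(f"{parts[2]}/{wildcard_to_prefixlen(parts[3])}")
        remote = ip_network(f"{parts[4]}/{wildcard_to_prefixlen(parts[5])}")
        entries.add((local, remote))
    return entries


def to_ios(local, remote):
    """Render a (local, remote) pair back into an IOS crypto ACL line."""
    return (f"permit ip {local.network_address} {local.hostmask} "
            f"{remote.network_address} {remote.hostmask}")


def mirror_gaps(hub_acl, spoke_acl):
    """Return the IOS lines each router lacks for the ACLs to be mirrors.

    An entry (L, R) on one side needs (R, L) on the other; traffic that
    matches on only one side is encrypted in one direction and sent in
    the clear or dropped in the other.
    """
    hub = parse_crypto_acl(hub_acl)
    spoke = parse_crypto_acl(spoke_acl)
    hub_mirror = {(r, l) for l, r in hub}      # what the spoke should have
    spoke_mirror = {(r, l) for l, r in spoke}  # what the hub should have
    return {
        "add_on_spoke": sorted(to_ios(l, r) for l, r in hub_mirror - spoke),
        "add_on_hub": sorted(to_ios(l, r) for l, r in spoke_mirror - hub),
    }


# Constructed: the customer added 30.30.31.0/24 behind the hub and updated
# only the hub's crypto ACL, forgetting the spoke.
HUB_ACL = """
permit ip 30.30.30.0 0.0.0.255 40.40.40.0 0.0.0.255
permit ip 30.30.31.0 0.0.0.255 40.40.40.0 0.0.0.255
"""
SPOKE_ACL = """
permit ip 40.40.40.0 0.0.0.255 30.30.30.0 0.0.0.255
"""

if __name__ == "__main__":
    for side, lines in mirror_gaps(HUB_ACL, SPOKE_ACL).items():
        print(side, lines or "nothing missing")
```

For the constructed ACLs the script reports one line to add on the spoke, `permit ip 40.40.40.0 0.0.0.255 30.30.31.0 0.0.0.255`, and nothing on the hub; this is exactly the change the SP has to be told about in the managed model.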


Hub-and-spoke IPsec VPN

[Figure: the same hub (130.233.8.1, LAN 30.30.30.0/24 with host 30.30.30.30, NTP server and default gateway at static, known IP addresses) with IPsec tunnels across the Internet to each spoke only; spoke LAN 40.40.40.0/24 (host 40.40.40.40) sits behind dynamic, unknown IP addresses]


Issues with Hub-and-Spoke

• With large hub-and-spoke networks the size of the configuration on the hub router can become very large, to the point that it is unusable.
• It is not known beforehand which spokes will need to talk directly with each other. Trying to configure IPsec on a small spoke router to have direct connectivity with all other spoke routers in the network is usually not feasible.


Full Mesh with TED IPsec VPN

[Figure: the same hub (130.233.8.1, LAN 30.30.30.0/24, NTP server and default gateway at static, known IP addresses) and spokes (LAN 40.40.40.0/24) behind dynamic, unknown IP addresses; the routers discover each other with TED probes across the Internet before IPsec tunnels are built]
All LANs must have routable/public IP addresses, otherwise TED won't work.


Issues with TED

• TED probes need to be routable
• Is it really feasible to assume public addresses?


TED Example

• No need to configure tunnel endpoints
• ACLs determine WHICH TRAFFIC to encrypt
• Ideal for MPLS VPNs: maintains the "any-to-any" nature
[Figure: host X behind router Alice, host Y behind router Bob. UDP traffic from X to Y must be protected; with no SA in place, Alice sends a probe (IP: A to B), followed by IKE: A to B (proxy = X) and IKE: B to A (proxy = Y)]


Automatic IPsec Tunnel Creation

• IPsec initiates tunnels when data flows
• GRE tunnel configuration must already include the GRE tunnel peer, AND the IPsec peer address must also be pre-configured
• Solution is NHRP
 – NHRP is used to dynamically determine the required destination address of the target spoke.
 – IPsec is triggered immediately for the GRE tunnel, or when the GRE peer address is resolved.
 – There is no need to configure any crypto access-lists, since these will be automatically derived from the GRE tunnel source and destination addresses.


Automatic IPSec Tunnel Creation contAutomatic IPSec Tunnel Creation cont’’dd

• Spoke-to-hub tunnels are up continuously.

• The hub router acts as the NHRP server and handles NHRP requests from the source spokes.

• The two spokes then dynamically create an IPsec tunnel between them and data can be directly transferred.

• The IP next-hop address on routing table entries controls whether IP data packets will trigger the creation of a direct spoke-to-spoke tunnel or the data packets will be forwarded via the hub router.

A timeout function will automatically tear down the tunnel after a period of inactivity.
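An added simulation, not from the deck, of the spoke-to-spoke procedure described over the two slides above: permanent spoke-to-hub registration, NHRP resolution at the hub, an IPsec/GRE tunnel whose crypto ACL is derived from the GRE endpoints, the next-hop-driven choice between direct and hub-relayed forwarding, and the inactivity teardown. All addresses, the ACL wording and the timeout value are constructed.

```python
"""Constructed simulation of hub-and-spoke NHRP with dynamic spoke-to-spoke IPsec/GRE
tunnels. Addresses, names and the idle timeout are invented for illustration."""
import ipaddress


class Hub:
    """NHRP server: the permanent spoke-to-hub tunnels let every spoke register here."""

    def __init__(self, tunnel_ip, nbma_ip):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.nhrp = {}            # tunnel (overlay) address -> public (NBMA) address
        self.relayed = 0          # packets forwarded spoke -> hub -> spoke

    def register(self, tunnel_ip, nbma_ip):
        self.nhrp[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip):
        """NHRP resolution reply: the NBMA address behind a tunnel address, or None."""
        return self.nhrp.get(tunnel_ip)


class Spoke:
    IDLE_TIMEOUT = 120        # seconds without traffic before a dynamic tunnel is torn down

    def __init__(self, tunnel_ip, nbma_ip, hub):
        self.tunnel_ip, self.nbma_ip, self.hub = tunnel_ip, nbma_ip, hub
        self.routes = {}          # ip_network -> next-hop tunnel address
        self.tunnels = {}         # peer tunnel address -> {"nbma", "crypto_acl", "last_used"}
        self.events = []
        hub.register(tunnel_ip, nbma_ip)   # the spoke-to-hub tunnel is always up

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def next_hop(self, dst):
        ip = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if ip in n), key=lambda n: n.prefixlen, default=None)
        return self.routes.get(best)

    def forward(self, dst, now):
        """Forward a packet at time `now`; returns how it left the spoke."""
        nh = self.next_hop(dst)
        if nh is None or nh == self.hub.tunnel_ip:
            self.hub.relayed += 1             # next hop is the hub: no direct tunnel is built
            return "via-hub"
        tunnel = self.tunnels.get(nh)
        if tunnel is None:
            nbma = self.hub.resolve(nh)       # NHRP request to the hub for the peer's NBMA address
            if nbma is None:
                self.hub.relayed += 1
                return "via-hub"
            # GRE endpoints are now known; IPsec is triggered with a crypto ACL derived
            # from the GRE source and destination (illustrative wording, nothing hand-configured).
            tunnel = {"nbma": nbma, "last_used": now,
                      "crypto_acl": f"permit gre host {self.nbma_ip} host {nbma}"}
            self.tunnels[nh] = tunnel
            self.events.append(f"NHRP {nh} -> {nbma}; IPsec/GRE tunnel to {nbma} up")
            return "direct-new"
        tunnel["last_used"] = now
        return "direct"

    def expire(self, now):
        """Tear down spoke-to-spoke tunnels idle for IDLE_TIMEOUT or longer; returns peers removed."""
        idle = [nh for nh, t in self.tunnels.items() if now - t["last_used"] >= self.IDLE_TIMEOUT]
        for nh in idle:
            self.events.append(f"IPsec/GRE tunnel to {self.tunnels.pop(nh)['nbma']} torn down (idle)")
        return idle


def build_demo():
    """Hub plus two spokes; spoke1 learns spoke2's LAN with spoke2 as next hop and a
    third LAN with the hub as next hop (constructed topology)."""
    hub = Hub("172.16.0.254", "203.0.113.1")
    spoke1 = Spoke("172.16.0.1", "198.51.100.10", hub)
    spoke2 = Spoke("172.16.0.2", "198.51.100.20", hub)
    spoke1.add_route("10.2.0.0/24", spoke2.tunnel_ip)   # next hop preserved: direct tunnel
    spoke1.add_route("10.3.0.0/24", hub.tunnel_ip)      # next hop is the hub: relayed
    return hub, spoke1, spoke2
```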

Easy VPN

[Figure: Easy VPN topology. Cisco Unity VPN clients at the edge (a home office single user with the Cisco VPN Client, home and small offices with Cisco IOS routers 800, uBR900 and 1700 running 12.2(4)YA with Unity client, a PIX 501 and a VPN 3002) connect over DSL, cable and T1 through the Internet, each with an IPsec tunnel to the HQ gateway. Gateway options: Cisco VPN 30xx, Cisco IOS 12.2(8)T, PIX 6.0. Advantages: Unity is the common language within the Cisco VPN environment; no separate configuration for CPEs, which are treated as normal Unity clients.]

Easy VPN

• The Cisco Easy VPN Remote feature allows Cisco routers, PIX firewalls, as well as hardware clients to act as remote VPN clients.

• These devices can receive predefined security policies and configuration parameters from the headquarters' VPN head-end.

Minimises the VPN configuration required at the remote location.

• Parameters such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags are all pushed to the remote device.

Easy VPN Clients & Servers

• Easy VPN Clients:
Cisco VPN Client 3.x
Cisco VPN 3002 OS 3.x
Cisco PIX OS 6.2
Cisco IOS Easy VPN Client 12.2(10)T

• Easy VPN Servers:
Cisco VPN 3000 Series OS 3.x
Cisco IOS Routers 12.2(8)T
Cisco PIX Firewalls OS 6.0

New Hardware
Cat6500 IPSec VPN Services Module

• Speeds & Feeds!
1.9 Gbps 3DES (Max)
1.65 Gbps 3DES (IMIX)
1.6 Gbps 3DES (300 byte pkt)
8,000 tunnels
60 tunnels per second

• List Price: $35,000 US

Deployments for VPN Services Module

Deployment: Description
Extranet: Enables partner networks to securely connect and transfer large amounts of data
WAN Edge: Provide VPN termination services on the WAN aggregator router
Link-Layer Encryption Replacement: Replace old ATM and other link-layer encryption with a modern IPSec layer 3 VPN solution
Campus: Secure LAN traffic between switches, floors, buildings and specific sensitive network applications such as iSCSI

[Figure: Campus1 and Campus2 joined by a Campus VPN; Enterprise WAN Edge VPN.]

Several Deployment Options

• Site-to-site (full mesh) IPsec VPN

• Hub–and–Spoke IPsec VPN

• Full mesh with TED IPsec VPN

• Cisco IOS Easy VPN – Server (12.2(8)T)

• Dynamic Multipoint VPN (Phase 2)

VPN Services Module Roadmap

Initial Release:
• Cat6500
• MSFC2/Sup2 (Native IOS only, no CatOS support)
• FE & GE interface blades
• Site-to-site (full mesh) IPsec VPN
• Hub–and–Spoke IPsec VPN
• Full mesh with TED IPsec VPN

Phase 2:
• 7600 OSR: support for all WAN interface blades including OSMs
• Multiple blades per chassis after FCS (7 x)
• VPN Remote Access termination (Easy VPN Server)
• Dynamic Multipoint VPN
• Onboard GRE for faster routing/multicast VPN
• Faster tunnel setup (~200 t/s)
• VPN Solutions Center support

Phase 3:
• VRF-aware IPSec
• Multi-chassis IPSec stateful failover
• 32,000 tunnels
• NAT transparency

Remote Access to VPNs

Solution Overview

[Figure: Solution overview. Remote users/telecommuters (SOHO, via a cable/DSL/ISDN ISP or a local/direct dial ISP) and the Customer A branch office (Cisco IOS VPN routers or Cisco Client 3.x) run IPsec sessions across provider networks (IP, MPLS or L2/3 based VPN) into the SP shared network (MPLS/L2/L3 based), where PE routers with a one- or two-box network-based IPsec solution map them into VPN A, VPN B and VPN C for the Customer A head office, Customer B and Customer C. VPN Solution Center (IPsec and MPLS) manages the deployment.]

IPsec to MPLS Service Architecture: Cisco IOS Solutions

Inside the IPsec/MPLS PE Router 

Decrypted IPsec packets get forwarded to the global routing table. Based on the info in the global routing table the clear text packets are forwarded to the right VRFs. MPLS wrapped clear-text packets forward to MPLS VPNs.

LIMITATION: No overlapping IP addresses between the VRFs.

[Figure: IOS router with IPsec interface and crypto map, global routing table, VRF-1, VRF-2 and MPLS interface.]

IPsec to MPLS Service Architecture: Cisco IOS Solutions

Inside the IPsec/MPLS PE Router 

GRE tunnel interfaces are associated directly with VRFs. Decrypted IPsec packets enter the GRE tunnel interface; clear text packets bypass the global routing table and are directly forwarded to the VRF. MPLS wrapped clear-text packets forward to MPLS VPNs.

Ability to have overlapping IP addresses. Limitation: no IPsec Client support – because this requires GRE.

[Figure: IOS router with IPsec/GRE interfaces, IPsec crypto maps, GRE tunnel interfaces bound to the VRFs, global routing table and MPLS interface.]

IPsec to MPLS Service Architecture: Cisco IOS Solution 12.2(6th)T

Inside the IPsec/MPLS PE Router

Based on the IKE authentication, the IPsec tunnel is directly associated with the VRF. The AAA server that is used in the IPsec/IKE authentication will inform the IOS router what is the right VRF ID for this tunnel. Decrypted clear-text packets get forwarded directly to the right VRF, thus by-passing the global routing table. MPLS wrapped clear-text packets forward to MPLS VPNs.

No limitations !!! Works for both site-to-site and client-to-concentrator type of IPsec tunnels. Per-VRF AAA supported.

[Figure: IOS router with IPsec interface and crypto map, global routing table (bypassed), VRF-1, VRF-2 and MPLS interface.]
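An added comparison, not from the deck, of the first and third PE designs above: it shows why the global-table design cannot keep two customers with overlapping address space apart, while binding the tunnel to the VRF returned by AAA at IKE time does. Customer identities, VRF names, prefixes and tunnel ids are constructed.

```python
"""Constructed comparison of the two PE designs above: VRF chosen by a global-table
lookup versus VRF bound to the authenticated IKE identity by AAA. Customer names,
prefixes and tunnel ids are invented for illustration."""
import ipaddress


class GlobalTablePE:
    """Design 1: decrypted packets enter the global routing table; the VRF is chosen
    by destination prefix, so two VRFs cannot carry the same address space."""

    def __init__(self):
        self.global_routes = {}   # ip_network -> VRF name
        self.conflicts = []       # prefixes rejected because another VRF already owns them

    def add_vrf_prefix(self, vrf, prefix):
        net = ipaddress.ip_network(prefix)
        owner = self.global_routes.get(net)
        if owner is not None and owner != vrf:
            self.conflicts.append((prefix, owner, vrf))
            return False
        self.global_routes[net] = vrf
        return True

    def forward(self, tunnel_id, dst):
        """The tunnel the packet arrived on plays no part in the decision."""
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.global_routes if ip in n]
        if not matches:
            return None
        return self.global_routes[max(matches, key=lambda n: n.prefixlen)]


class AaaVrfPE:
    """Design 3: at IKE time AAA returns the VRF for the authenticated identity and the
    tunnel is bound to it; decrypted packets bypass the global table entirely."""

    def __init__(self, aaa):
        self.aaa = aaa            # authenticated IKE identity -> VRF name (the AAA reply)
        self.tunnel_vrf = {}      # tunnel id -> VRF bound at IKE time
        self.vrf_routes = {}      # VRF name -> set of ip_network

    def add_vrf_prefix(self, vrf, prefix):
        self.vrf_routes.setdefault(vrf, set()).add(ipaddress.ip_network(prefix))
        return True               # overlap between VRFs is fine, the tables are separate

    def ike_authenticate(self, identity, tunnel_id):
        vrf = self.aaa.get(identity)
        if vrf is None:
            return False          # unknown identity: no tunnel, nothing to forward
        self.tunnel_vrf[tunnel_id] = vrf
        return True

    def forward(self, tunnel_id, dst):
        vrf = self.tunnel_vrf.get(tunnel_id)
        if vrf is None:
            return None           # packet from an unbound tunnel is dropped
        ip = ipaddress.ip_address(dst)
        if not any(ip in n for n in self.vrf_routes.get(vrf, ())):
            return None           # no route inside this customer's VRF
        return vrf


def overlapping_customers():
    """Customers A and B both use 10.1.0.0/24 behind their CPE; returns the two PEs
    after provisioning and IKE authentication of one tunnel per customer."""
    pe1 = GlobalTablePE()
    pe3 = AaaVrfPE({"cpe-a.example": "VRF-A", "cpe-b.example": "VRF-B"})
    for pe in (pe1, pe3):
        pe.add_vrf_prefix("VRF-A", "10.1.0.0/24")
        pe.add_vrf_prefix("VRF-B", "10.1.0.0/24")
    pe3.ike_authenticate("cpe-a.example", "tunnel-A")
    pe3.ike_authenticate("cpe-b.example", "tunnel-B")
    return pe1, pe3
```

In the global-table design the second customer's prefix is rejected and a packet from customer B's tunnel is delivered into VRF-A; with the AAA binding each tunnel's traffic stays in its own VRF and an unauthenticated tunnel forwards nothing.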

Managed VPN Summary

• Cisco IOS IPsec VPN implementation offers several solutions that have been designed with different customer scenarios in mind.

• Some of the solutions target simplicity (Easy VPN), whereas others try to offer comprehensive functionality (Dynamic Multipoint VPN).

• Our intention is to continue developing follow-up releases for each of the solutions with added functionality.

Agenda

• The Managed Security Services market

• Managed firewall services

• Managed intrusion detection services

• Managed VPN services

• Management

• Cisco initiatives

Managing PIX, IDS and VPN routers
VMS Components – Enterprise solution

[Figure: VMS components. Managed devices: PIX, Intrusion Detection Sensor, IDS Host Sensor (new), VPN routers (7100, 7200, 1700, 2600, 3600) and VPN C3000 (site to site, remote access), reached over the Internet and IP-VPN from partners/customers. Management: CiscoView & CiscoWorks2000 Server (CD One) for graphical web-based device management and common services; RME/CD Two for device inventory, config & software admin; VPN Monitor for IOS & VPN C3000; CiscoSecure Policy Manager 3.0 (CSPM) for PIX and IDS configuration (new). VMS includes console and evaluation agents.]

VMS 2.1 Developments

• Management Centers for PIX, IDS and VPN routers

Web-based application

Set up and maintain large-scale VPN connections

Hub-and-spoke topology

Spoke-to-spoke connectivity via hub

Support of second hub for resilience

Centralized configuration of IKE and IPsec tunnel policies

Translation of VPN policy into CLI commands

• Support for Cat6500 blades will follow

Auto Update Server

• Introduces new push / pull paradigm for remote management of Cisco PIX Firewalls

• Works in conjunction with PIX MC

• Flexible, secure remote management interface

Supports both configuration and software updates

Scalable push / pull model for updating

Lightweight XML over HTTPS implementation

All management traffic authenticated and encrypted

HTTPS-Based CLI Access

• HTTPS server interface on PIX requires User ID / Password authentication

Authentication database can be locally stored on PIX or on AAA (RADIUS/TACACS+) server

• Examples of HTTPS GET command

https://user:[email protected]/exec/show%20ver 

Will provide “show ver” output via HTTPS response

https://user:[email protected]/exec/show%20config

Will provide “show config” output via HTTPS response

Auto Update Overview

• Security overview

All management traffic encrypted using SSL (3DES/DES)

PIX authenticated using either User ID/PW or X.509 cert

Auto Update Server optionally authenticated via X.509 cert

• Envisioned as pull-based solution for scalability

PIX automatically polls Auto Update Server on a regular basis:

At power-up of PIX Firewall

At administrator defined interval

Upon change of outside interface IP address

Auto Update Server can send message to PIX and force a pull at any time (push)

MSSP Management Product Overview

[Figure: SP IP VPN OSS: Security Solution, layered BML / SML / NML / EML / EL. Element layer: PIX/IOS FW, VPN5K, VPN3K, IOS router, IDS. Pre-integrated apps for an enhanced OSS: fault management (CIC), performance management and SLA (Concord, Visual Net. Portal), billing (Digiquant), FW management (Solsoft NP), security event analysis & reporting (NetForensics), IDS management (CSPM), security management. Service layer: IPsec/MPLS VPN service provisioning and auditing (Cisco VPN Solutions Center, IP VPN OSS in a box, SP starter kit), VPN SLA measurement & reporting, VPN usage measurement & reporting, IOS/PIX firewall provisioning, IPsec/MPLS VPN QoS configuration, embedded device configuration, non-Cisco (FW, VPN, PKI) devices via CORBA API. Business layer: third party BSS apps and SP customer legacy apps.]

VPNM = IP-VPN Network Management Solution
Value Proposition

VPNM is Cisco’s out-of-the-box, pre-integrated, pre-tested, fully automated, carrier-grade Internet OSS solution that enables Service Providers to efficiently and economically manage the deployment of IP VPN services and monitor their continuous, fault-free/fault-recovered performance.

VPN Management

Cisco VPN Solution Center: IP VPN OSS-in-a-box - MSSP starter kit

Carrier Class IP VPN OSS

Widely deployed (~100 SP WW)

Supports fastest growing VPN technologies: IPSec, MPLS or both!, L2oMPLS

Management support for every Cisco Security VPN platform: VPN3K, PIX, IOS + Broadband platforms

Multi-tiered non-recurring licensing model

Multi-vendor management support planned

[Figure: Cisco VPN Solution Center functions: Topology Views, Performance Monitoring & Reporting, VPN Views & Inventory, Service Auditing, Provisioning.]

VPNM Version 1.2

[Figure: VPNM 1.2 architecture. VPN Solution Center with its repository (VPN inventory), CORBA bridge, MPLS API and IPsec API on the VPNSC Tibco bus; Cisco VPN Policy Manager (MPLS policy, IPsec policy); Event Broker with VPN views, MPLS cache and IPsec cache; CIC Info Server with data source adaptor and CIC Info Mediators (RTTRAPD, MTTRAPD, Tibco rdv), events tagged for VPN correlation; C-NOTE keep-alive node polling of the Cisco router network (IPsec CPE, MPLS PE and CE). Inputs: SNMP traps (MPLS VPN MIB, IPsec Flow Monitor MIB, MIB II, ALTIGA-Hardware-Stats MIB, SEP-Stats MIB) and IOS syslog messages (managed MPLS CE interfaces and sub-interfaces, CRYPTO).]

New Features in VPNM 1.2

• Integration of C-NOTE
• Provides IOS syslog / SNMP mediation
• Triggers keep alive node polling

• Service Assurance Capabilities (IPsec & MPLS VPN):
• Automated monitoring of IPsec SNMP traps for IKE and data tunnels between IPsec-compliant CE/CPE (IOS and VPN 3K) devices as defined in the IPsec Flow Monitor MIB
• Automated monitoring of CRYPTO IOS syslog messages for encryption fault detection at IPsec-compliant CE/CPE devices
• Automated monitoring of SNMP traps for link status on secured interface of IPsec-compliant CE/CPE devices as defined in the MIB II
• Automated monitoring of MPLS VPN SNMP traps for PE routers as defined in the MPLS VPN MIB
• Keep alive node polling for MPLS PE, Managed MPLS CE, and IPsec CE/CPE
• LinkStateChange fault for Managed MPLS CE and IPsec CE/CPE
• VPN-aware fault & alarm management for events at the subinterface level (e.g., Frame Relay PVC, ATM VCI/VPI)
• VPNSC Audit Failure Integration (Tibco bus processing of VPNSC published events)
• SA Agent as a VPN Site Poller and for VPN SLA Monitoring

Firewall Management

Firewall Management Center under VMS

or 

SolSoft NP: Visual Security Policy Management Solution

Simplifies the deployment and policy management of switches, routers, firewalls, and VPNs

Policy import, design, audit, generation & distribution

High scalability – up to thousands of devices – release X.0 (Q4,01)

Multi-Product (Switches, routers, firewalls, VPN)

Multi-Vendor (Check Point, Cisco, Nokia, Nortel…)

Multi-Platform (AIX, HP-UX, Linux, Solaris, Windows)

If you can draw it … you can deploy it

IDS Management

VMS - IDS

GUI-based IDS Provisioning
Uniform & consistent configuration
Configuration wizards
Define, distribute, enforce & audit policy
Sensor and Cat Line Card
Update signatures
New installation configurations
Policy rollback

Security monitoring and event analysis - FW, IDS, ACL
Collects security event data
Correlation of data from multiple events and devices
Reveals more urgent threats from thousands of events
Real-time event notification
Forensic analysis

Reduces staff, expertise and cost required to staff & scale SOC

[Figure: Intrusion Detection Management: the ISP NOC performs monitoring & event analysis and IDS configuration across the ISP network and the customer network.]

Event Analysis

Security Event Analysis

• Aggregate log data and alerts from firewalls, IDS, VPNs, etc.

• Process/correlate data from thousands of events

• Quickly ‘root-out’ actual, urgent threats

Faster true attack identification

Reduce false positives

• Scalability (number of customers/devices)

• Maintain quality and cost of operation

Partners / Product: NetForensics

SLA Management

[Figure: ITU TMN model cube. Layers: elements, element management, network management, service management, business management. Functions: faults, configuration, accounting, performance, security. Solutions: IP-VPN, Dial/PPP, xDSL.]

Concord eHealth Suite

End-to-end fault, performance & availability

Pre-integration – faster time-to-market: VPNSC, CIC, WAN Mgr, NetFlow, Service Assurance Agent

Supports over 60 Cisco devices: routers & switches, VPN concentrators, gateways, firewalls & more

Service differentiation: SLA reports by VPN, customer, or Class of Service (CoS)

Proactive SLA violation notification: reduce paybacks, irate customers

Agenda

• The Managed Security Services market

• Managed firewall services

• Managed intrusion detection services

• Managed VPN services

• Management

• Cisco initiatives

MSSP Programs

AVVID Partner Program

Security and VPN Solutions

Product and Technology Partners

 – Complementary, interoperable Enterprise products

Services Partners

 – Best-in-class, Security-focused, tier-3 service providers

 – Monitoring and Management: alarm & incident tracking and network-wide device administration

Cisco Powered Networks

Managed Security Services – Management and monitoring services – based on Cisco’s VPN, FW, IDS

 – Complements the CPN VPN Services designation; typically tier-1 & tier-2 service providers

MSSP Programs

JumpStart Program for CPNs

Assist SPs to define & launch new services

On-line information & planning toolkit (JOLT)

Consultant support

Proven methodology

Accelerate time-to-market

Joint marketing program planning & execution for revenue generation

Lead generation

Sales Training

New Managed VPN & Security Support program

Current Programs: Dedicated Internet Access, DSL, IP Fax, Remote Access, Dedicated VPN, Web Hosting, Voice Over IP, Unified Communications, Cable, Broadband Wireless Access, ASP/AIP

MSSP Programs

Cisco Programs Impact MSSP Sales

Trust & credibility via Cisco brand association

 – Assurance of quality services

 – Assurance of quality products

 – Impact of Cisco SAFE and AVVID marketing

Introduction to Cisco Customer-base

Designed to direct Cisco customers to MSSP Partners

 – Co-marketing resources

 – Participation in industry-leading marketing and seminar programs

Agenda

• The Managed Security Services market

• Managed firewall services

• Managed intrusion detection services

• Managed VPN services

• Management

• Cisco initiatives

• More Information

References (Cisco - public)

Product Security:
• Cisco’s Product Vulnerabilities; A page that every engineer MUST know!!! [http://www.cisco.com/warp/public/707/advisory.html]
• Security Reference Information: Various white papers on DoS attacks and how to defeat them [http://www.cisco.com/warp/public/707/ref.html]

ISP Essentials:
• Technical tips for ISPs every ISP should know [http://www.cisco.com/public/cons/isp/]

SAFE Blueprint:
• The SAFE Blueprint is a flexible, dynamic blueprint for security and VPN networks, including actual network designs [http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html]

Security Vulnerability Management in Cisco

• Overview: http://www.cisco.com/warp/public/707/sec_incident_response.shtml

• Reporting Security Problems: [email protected] (emergencies) or Tel +1 877 228 7302 or +1 408 525 6532; [email protected] (non-emergencies)

• Keeping Informed: www.cisco.com/warp/public/770 : Field Notices concerning security

[email protected]: To receive announcements. (subscribe: send mail to "[email protected]" with the single line in the body "subscribe cust-security-announce")

[email protected]: To discuss security related problems with other customers. (subscribe as above)