
Page 1

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. SDN Overview

Self-Defending Data Center

Bernie Trudel

Head of Technology, Data Center

Cisco Systems, Asia Pacific

Page 2

Agenda

• The Evolution of Security Threats

• Cisco Self-Defending Network

• Layers of Security in the Data Center

• Next Generation Security

• Securing Against DDoS Attacks

• Application Security

• The Benefits of a Systems Approach

Page 3

Managing Risk and Compliance: A Diverse and Evolving Set of Concerns

• Downtime and service disruption

• Data loss and disclosure

• Damaged trust

• Compliance recovery

Page 4

The Evolution of Intent: A Shift to Financial Gain

Threats Are Becoming Increasingly Difficult to Detect and Mitigate

[Chart: threat severity plotted against time, 1990 to 2010, with 2007 marked as the present. Three successive eras of attacker intent are shown, rising in severity: Notoriety (basic intrusions and viruses), Fame (viruses and malware), and Financial (theft and damage).]

Page 5

A More Sophisticated Threat Environment with a Structured Network for Financial Gain

[Diagram: a value chain with the columns Writers, First-Stage Abusers, Middle Men, Second-Stage Abusers, and End Value. Writers: Malware Writers (spyware, viruses, Trojans, worms), Tool Writers, and Hacker or Direct Attack. Intermediate roles (abusers and middle men): Internal Theft / Abuse of Privilege, Information Harvesting, Machine Harvesting, Compromised Host and Application, Botnet Creation, Botnet Management, Personal Information, Information Brokerage, Electronic IP Leakage, Extortionist / DDoS for Hire, Spammer, Phisher, Pharmer / DNS Poisoning, Identity Theft. End Value: Theft, Espionage, Extortion, Commercial Sales, Fraudulent Sales, Click Fraud, Financial Fraud, and, for the direct attacker, Fame.]

Page 6

The Evolving Security Challenge: Emergence of New Attack Types

Source: 2007 CSI Survey

Page 7

The Need for a Systems Approach

Less Complexity, Improved Usability

Collaborative Operation, Increased Effectiveness

Fewer Devices, Reduced Initial and Ongoing Costs

Page 8

Cisco Self-Defending Network: A Systems Approach to IT Security

Integrated: enabling every element to be a point of defense and policy enforcement

Adaptive: proactive security technologies that automatically prevent threats

Collaborative: collaboration among the services and devices throughout the network to thwart attacks

Page 9

Cisco Self-Defending Network 3.0: The Future of IT Security

Better Together: integrates advanced network, endpoint, content, and application security for evolving threats

Wide Traffic Inspection: protects against the latest threats using information gathered from across the global network

End-to-End Solution: provides an end-to-end IT security solution with extensive breadth of protection

Page 10

Securing the Data Center - Priorities

• Prevent intrusions, Layers 0 to 7
  - Video surveillance and physical access control
  - L2 and L3 security services (next generation)
  - L4-L5 stateful protocol inspection and Network Access Control
  - L4-L7 intrusion prevention systems
  - HTTP and XML application security

• Ensure service availability
  - DDoS protection
  - Server behavioral protection

• Provide data integrity
  - Network-based and storage-based encryption
  - System-wide monitoring of intrusion

Page 11

Physical Security: IP Video Surveillance

[Diagram: analog and IP cameras feed IP gateway encoders (interface, encode, compress, network), which stream over a unicast or multicast IP network (LAN and WAN) to IP gateway decoders (network, decompress, decode, interface) driving monitors and keyboards, and to services platforms running a stream manager, video storage with recording features, video analytics, and a viewing application on laptops and desktops.]

Page 12

Impact of Security Outbreak (Virus, Worm, DoS): Direct and Collateral Damage

Availability of networking resources is impacted by the propagation of the worm.

[Diagram: an infected source in the access layer attacks a system under attack, with the worm traffic crossing the distribution and core layers.]

Network links overloaded:
• High packet loss
• Mission-critical applications impacted

Routers overloaded:
• High CPU
• Instability
• Loss of management

End systems overloaded:
• High CPU
• Applications impacted

Page 13

Catalyst 6500 Integrated Security Protects Network Infrastructure

[Diagram: the same access / distribution / core topology with infected source and system under attack, and the protections below placed at each tier.]

Protect the links:
• QoS
• Scavenger class

Protect the end systems:
• Cisco Security Agent

Protect the switches:
• CEF
• Rate limiters
• CoPP

Prevent the attack:
• NAC and IBNS
• ACLs

Catalyst 6500 offers comprehensive hardware-based security features to protect network infrastructure.

Integrated NetFlow delivers scalable monitoring and anomaly detection.

Page 14

Catalyst Integrated Security Toolkit: Hardening Layer 2/3

• Port security prevents MAC flooding attacks

• DHCP snooping prevents client attacks on the switch and server

• Dynamic ARP Inspection adds security to ARP using the DHCP snooping table

• IP Source Guard adds security to the IP source address using the DHCP snooping table

• All features work on switchports

CISF Feature              Attack Mitigated
IP Source Guard           IP spoofing
Dynamic ARP Inspection    ARP spoofing or ARP poisoning
DHCP Snooping             DHCP rogue server for default gateway interception
Port Security             MAC address flooding

Because Dynamic ARP Inspection and IP Source Guard validate against the binding table that DHCP snooping builds, snooping has to be enabled (with the uplink and DHCP server ports marked trusted) before either of them can pass legitimate traffic; hosts with static addresses need static bindings.
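The four CISF features above form one dependency chain: snooping builds the (port, MAC, IP) binding table, DAI checks ARP against it, IPSG checks IP source addresses against it, and port security caps how many MACs a port may learn. The following is an added example, not Cisco code, that models that chain in software so the interaction is visible; the switch model, frame fields, port names (Gi1/0/1 to Gi1/0/3), MAC and IP addresses and the sample traffic are all constructed for illustration.

```python
"""Layer 2 hardening modelled on the four CISF features on this slide: port
security, DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).
Added example, not Cisco code; the switch model, frame fields, port names and
sample traffic are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TRUSTED = "trusted"      # uplink toward the real DHCP server: not policed
UNTRUSTED = "untrusted"  # access port: all four checks apply


@dataclass(frozen=True)
class Frame:
    """One ingress frame, reduced to the fields a CISF switch actually inspects."""
    port: str
    src_mac: str
    kind: str             # dhcp_request | dhcp_offer | dhcp_ack | arp | ip
    src_ip: str = ""      # ARP sender IP, or IP header source address
    client_mac: str = ""  # DHCP chaddr, present in server replies
    client_ip: str = ""   # DHCP yiaddr, present in the ACK


@dataclass
class CisfSwitch:
    port_roles: Dict[str, str]
    max_macs: int = 1     # switchport port-security maximum
    learned: Dict[str, Set[str]] = field(default_factory=dict)           # port -> MACs seen
    pending: Dict[str, str] = field(default_factory=dict)                # chaddr -> port that asked
    bindings: Dict[Tuple[str, str], str] = field(default_factory=dict)   # (port, mac) -> leased IP

    def handle(self, f: Frame) -> str:
        """Return 'forward' or 'drop:<feature>' for one frame."""
        if self.port_roles.get(f.port) == TRUSTED:
            # DHCP snooping: server replies seen on a trusted port populate the
            # binding table, keyed by the access port where the request came in.
            if f.kind == "dhcp_ack" and f.client_mac in self.pending:
                self.bindings[(self.pending[f.client_mac], f.client_mac)] = f.client_ip
            return "forward"

        # Port security: cap the MACs learned on an access port (violation restrict:
        # frames from extra MACs are dropped, the port stays up).
        macs = self.learned.setdefault(f.port, set())
        if f.src_mac not in macs:
            if len(macs) >= self.max_macs:
                return "drop:port-security"
            macs.add(f.src_mac)

        # DHCP snooping: server-side messages never originate on an access port,
        # which defeats a rogue server announcing itself as default gateway.
        if f.kind in ("dhcp_offer", "dhcp_ack"):
            return "drop:dhcp-snooping"
        if f.kind == "dhcp_request":
            self.pending[f.src_mac] = f.port
            return "forward"

        # DAI and IPSG: the (port, MAC, IP) triple must match a snooped lease.
        bound_ip = self.bindings.get((f.port, f.src_mac))
        if f.kind == "arp":
            return "forward" if bound_ip == f.src_ip else "drop:dai"
        if f.kind == "ip":
            return "forward" if bound_ip == f.src_ip else "drop:ip-source-guard"
        return "forward"


def run_scenario() -> List[str]:
    """Constructed traffic: a legitimate client on Gi1/0/2, an attacker on Gi1/0/3."""
    sw = CisfSwitch({"Gi1/0/1": TRUSTED, "Gi1/0/2": UNTRUSTED, "Gi1/0/3": UNTRUSTED})
    victim, attacker, server = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    frames = [
        Frame("Gi1/0/2", victim, "dhcp_request"),
        Frame("Gi1/0/1", server, "dhcp_ack", client_mac=victim, client_ip="10.0.0.10"),
        Frame("Gi1/0/2", victim, "arp", src_ip="10.0.0.10"),              # honest ARP
        Frame("Gi1/0/2", victim, "ip", src_ip="10.0.0.10"),               # honest IP
        Frame("Gi1/0/3", attacker, "dhcp_offer"),                         # rogue DHCP server
        Frame("Gi1/0/3", attacker, "arp", src_ip="10.0.0.1"),             # claims the gateway IP
        Frame("Gi1/0/3", attacker, "ip", src_ip="10.0.0.10"),             # spoofs the victim's IP
        Frame("Gi1/0/3", "bb:bb:bb:bb:bb:99", "ip", src_ip="10.0.0.99"),  # second MAC: flooding
    ]
    return [sw.handle(f) for f in frames]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The attacker's ARP and IP frames are dropped not because anything about them looks malicious, but because no lease was ever snooped for that port and MAC; the same rule would also drop a statically addressed host, which is why the caveat about static bindings matters in practice.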

Page 15

Service Chaining and Virtualization

[Diagram: market-data feeds (Bloomberg, ILX, NASDAQ, Reuters, NYSE) enter through a vendor router and an L2 switch interface, pass through a virtual firewall and intrusion protection, then an L3 routed interface and core interconnect into the core. Data flow runs from the feeds toward the core.]

Eight active devices can be condensed into two highly available platforms with stateful redundancy and integrated applications.

Page 16

Switch Security Scenario: Edge Classification with Centralized Policy Enforcement

[Diagram: PCs and a printer attach to Catalyst 6500 access switches with PISA; their traffic aggregates on a Catalyst 6500 with FWSM.]

1. A PC runs emule; the edge Catalyst 6500 with PISA classifies the flow.
2. PISA marks emule packets with a special packet tag mutually agreed between the FWSM and PISA.
3. At the Catalyst 6500 with FWSM, the FWSM policy is "drop emule": the tagged packet is recognized as emule and dropped.
4. User: "What the!? Emule is broken!"

Page 17

Next Generation Trusted Security

[Diagram: a desktop running the Cisco Trusted Agent connects to the corporate network; Cisco TrustSec assigns it group 5, and other numbered groups (72, 58, 51, 93, 95) are shown across the network.]

1. Client identified and connected
2. Network policy checks
3. Client provided trust group: group 5 assigned
4. Access granted or access blocked according to group policy

Page 18

Cisco TrustSec – Next Gen Security

[Diagram: Fibre Channel (FC) and Gigabit Ethernet (GbE) attach through Unified I/O to a common Unified Fabric.]

Seamless service interworking over a common unified fabric, while simplifying topologies, improving performance, and eliminating Spanning Tree, and encrypting every packet on the wire with TrustSec role-based security.

Page 19

Cisco IPS Architecture

[Diagram: traffic enters (IN), passes the components below, and exits (OUT).]

• Modular inspection engines, fed by signature updates and engine updates
• Cisco Threat Intelligence Services
• Risk-based policy control
• Attack de-obfuscation
• On-box correlation engine
• Mitigation and alarm
• Virtual sensor selection, driven by context data and network context information
• Forensics capture

Page 20

CSA: Behavioral Protection for Servers

Attack lifecycle against a target, in five phases:

1. Probe: ping addresses, scan ports, guess user accounts, guess mail users
2. Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, guess backdoors
3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4. Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets

The early phases are rapidly mutating, demand continual signature updates, are matched inaccurately, and focus on the vulnerability.

The later phases are the most damaging, focus on the exploit's behavior, change very slowly, and are the inspiration for the Cisco Security Agent solution.
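The slide's argument is that the actions an intrusion must take to persist and propagate change far more slowly than the exploit bytes, so rules on behavior need no signature refresh when the exploit mutates. The following is an added example, not Cisco Security Agent code, that runs a few such rules over a constructed event trace; the event schema, the rule thresholds (sixteen distinct peers), the sanctioned-installer exception and the process names are all assumptions made for the illustration.

```python
"""Behaviour-based server protection modelled on the five-phase lifecycle above:
rules trigger on what a process does (Penetrate, Persist, Propagate), not on
what the payload looks like, so they need no signature update when the exploit
mutates. Added example, not Cisco Security Agent code; the event schema, the
rule thresholds and the sample trace are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    pid: int
    image: str    # process image, e.g. "httpd.exe"
    action: str   # net_accept | exec | file_write | reg_set | svc_create | net_connect
    target: str   # spawned image, file path, registry key, or remote host:port


CODE_EXT = (".exe", ".dll", ".sys", ".bat", ".vbs")
AUTORUN_PREFIXES = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\System\CurrentControlSet\Services",
)
INSTALLERS = {"msiexec.exe"}   # policy exception: sanctioned installers may register services
FANOUT_LIMIT = 16              # distinct peers per process before we call it propagation

Alert = Tuple[int, str, str]   # (pid, lifecycle phase, reason)


class BehaviorMonitor:
    def __init__(self) -> None:
        self.network_facing: Set[int] = set()          # processes that accepted a connection
        self.peers: Dict[int, Set[str]] = defaultdict(set)

    def check(self, ev: Event) -> Optional[Alert]:
        """Return an alert if ev violates a behaviour rule, else None."""
        if ev.action == "net_accept":
            self.network_facing.add(ev.pid)            # now handles untrusted input
            return None
        if ev.pid in self.network_facing:
            # A server process that suddenly spawns a program or writes code is the
            # behaviour of a successful buffer overflow, whatever the exploit bytes were.
            if ev.action == "exec":
                return (ev.pid, "Penetrate", f"{ev.image} spawned {ev.target} while serving network")
            if ev.action == "file_write" and ev.target.lower().endswith(CODE_EXT):
                return (ev.pid, "Persist", f"{ev.image} wrote code file {ev.target}")
        if ev.action == "reg_set" and ev.target.startswith(AUTORUN_PREFIXES) and ev.image not in INSTALLERS:
            return (ev.pid, "Persist", f"{ev.image} set autorun key {ev.target}")
        if ev.action == "svc_create" and ev.image not in INSTALLERS:
            return (ev.pid, "Persist", f"{ev.image} installed service {ev.target}")
        if ev.action == "net_connect":
            self.peers[ev.pid].add(ev.target.rsplit(":", 1)[0])
            if len(self.peers[ev.pid]) == FANOUT_LIMIT:   # fire once, at the threshold
                return (ev.pid, "Propagate", f"{ev.image} contacted {FANOUT_LIMIT} distinct hosts")
        return None


def run(events: List[Event]) -> List[Alert]:
    mon = BehaviorMonitor()
    return [a for a in (mon.check(e) for e in events) if a is not None]


def sample_events() -> List[Event]:
    """Constructed trace: an exploited web server next to a benign DB server and installer."""
    evs = [
        Event(100, "httpd.exe", "net_accept", "203.0.113.5:51234"),
        Event(200, "sqlservr.exe", "net_accept", "10.0.0.20:49152"),
        Event(200, "sqlservr.exe", "file_write", r"D:\data\orders.mdf"),   # ordinary data write
        Event(300, "msiexec.exe", "svc_create", "BackupAgent"),             # sanctioned installer
        Event(100, "httpd.exe", "exec", "cmd.exe"),                         # overflow payload runs a shell
        Event(100, "httpd.exe", "file_write", r"C:\Windows\svch0st.exe"),   # drops a binary
        Event(100, "httpd.exe", "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ]
    evs += [Event(100, "httpd.exe", "net_connect", f"10.0.{i}.1:445") for i in range(1, 21)]
    return evs


if __name__ == "__main__":
    for pid, phase, reason in run(sample_events()):
        print(f"pid {pid} [{phase}] {reason}")
```

Note what is absent: nothing in the rules refers to a specific exploit, file hash or byte pattern. The cost of that generality is tuning: the installer exception and the fan-out threshold are exactly the kind of per-environment policy a behavioral agent needs so that backup software and mail servers do not trip the persist and propagate rules.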

Page 21

Systematic Intrusion Protection

[Diagram: Internet and VPN access enter the data center past an IDS; CSA runs on each server; CS-MARS collects events from all of them.]

Collaboration example:
• Cisco Security Agent (CSA)
• Intrusion Detection (IDS)
• Cisco Monitoring, Analysis, and Response System (CS-MARS)

Page 22

DDoS: Why traditional defenses…

Firewalls and IDS:

• Optimized for signature-based application-layer detection, whereas most sophisticated DDoS attacks are characterized by anomalous behavior in layers 3 and 4

• Cannot easily detect DDoS attacks that use valid packets; require extensive manual tuning

• Firewalls enforce static policy, and most DDoS attacks today use "approved" traffic that passes the firewall

• Lack anomaly detection

• Lack anti-spoofing capabilities to separate good traffic from bad

Page 23

DDoS Security – Anomaly Detection

[Diagram: traffic toward the data center passes a Cat6k; an Anomaly Detector, Cisco IDS, NetFlow system or similar watches it; a DDoS Guard sits off-path and can inject a BGP announcement.]

1. Detect: the anomaly detector (Cisco IDS, NetFlow system, …) flags an attack on the target.
2. Activate: automatically or manually, the DDoS Guard is engaged.
3. Divert only the target's traffic: the Guard's BGP announcement steers traffic destined to the target through the Guard at the Cat6k; traffic to non-targeted servers is not diverted.

Page 24

DDoS Security – Scrub Traffic Clean

4. Identify and filter the malicious traffic destined to the target.
5. Forward the legitimate traffic to the target.
6. Non-targeted traffic flows freely, untouched by the Guard.
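Steps 1 to 6 above, as an added example rather than Cisco Guard or Anomaly Detector code: a per-destination baseline detector, a host-route announcement for the target only, and a scrubber whose anti-spoofing rule is proof of a completed TCP handshake. The flow records, the 3x-of-peak threshold with a 1000-packet floor, and the addresses (192.0.2.x clients, 198.51.100.x servers, 100.64.x.x spoofed sources) are constructed simplifications for the illustration.

```python
"""Detect, divert and scrub, following steps 1 to 6 of the two DDoS slides above.
Added example, not Cisco Guard / Anomaly Detector code: the flow records, the
per-destination peak baseline and the handshake-based anti-spoofing rule are
constructed simplifications of what the real devices do."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    pkts: int
    tcp_flags: str   # "S" = SYN only (no handshake completed), "PA"/"A" = established


class AnomalyDetector:
    """Step 1: learn the peak packets per interval for each destination while the
    network is quiet, then flag destinations exceeding that peak by a factor (with an
    absolute floor so a rarely used server does not alarm on a handful of packets)."""

    def __init__(self, factor: float = 3.0, floor_pkts: int = 1000) -> None:
        self.factor, self.floor_pkts = factor, floor_pkts
        self.peak: Dict[str, int] = defaultdict(int)

    @staticmethod
    def _per_dst(interval: List[Flow]) -> Dict[str, int]:
        totals: Dict[str, int] = defaultdict(int)
        for f in interval:
            totals[f.dst] += f.pkts
        return totals

    def learn(self, interval: List[Flow]) -> None:
        for dst, n in self._per_dst(interval).items():
            self.peak[dst] = max(self.peak[dst], n)

    def detect(self, interval: List[Flow]) -> List[str]:
        return sorted(dst for dst, n in self._per_dst(interval).items()
                      if n >= max(self.floor_pkts, self.factor * self.peak[dst]))


def bgp_announcement(targets: List[str]) -> List[str]:
    """Step 3: host routes for the targets only, so nothing else is pulled through the Guard."""
    return [f"{t}/32" for t in targets]


class Guard:
    """Steps 4 to 6. Anti-spoofing by proof of reachability: a source that has completed a
    TCP handshake (ACK seen) is real; SYN-only traffic from unproven sources is dropped."""

    def __init__(self) -> None:
        self.verified: Set[str] = set()

    def observe(self, flows: List[Flow]) -> None:
        """Learn real sources from quiet-time traffic."""
        for f in flows:
            if "A" in f.tcp_flags:
                self.verified.add(f.src)

    def scrub(self, flows: List[Flow], targets: List[str]) -> Dict[str, List[Flow]]:
        out: Dict[str, List[Flow]] = {"untouched": [], "forwarded": [], "dropped": []}
        for f in flows:
            if f.dst not in targets:
                out["untouched"].append(f)     # step 6: never diverted, never inspected
            elif "A" in f.tcp_flags or f.src in self.verified:
                self.verified.add(f.src)
                out["forwarded"].append(f)     # step 5: legitimate traffic to the target
            else:
                out["dropped"].append(f)       # step 4: spoofed SYN flood
        return out


WEB, MAIL = "198.51.100.10", "198.51.100.20"


def quiet_interval() -> List[Flow]:
    """Constructed baseline: five clients talking to the web and mail servers."""
    return [f for i in range(1, 6)
            for f in (Flow(f"192.0.2.{i}", WEB, 40, "PA"), Flow(f"192.0.2.{i}", MAIL, 10, "PA"))]


def attack_interval() -> List[Flow]:
    """Constructed attack: the same clients plus 500 spoofed SYN-only sources hitting WEB."""
    spoofed = [Flow(f"100.64.{i // 256}.{i % 256}", WEB, 10, "S") for i in range(500)]
    return quiet_interval() + spoofed


def simulate() -> Dict[str, object]:
    det, guard = AnomalyDetector(), Guard()
    for _ in range(3):                          # several quiet intervals build the baseline
        det.learn(quiet_interval())
        guard.observe(quiet_interval())
    attack = attack_interval()
    targets = det.detect(attack)                # step 1; step 2 (activation) is automatic here
    result = guard.scrub(attack, targets)       # steps 4 to 6 on the diverted traffic
    return {"targets": targets, "announce": bgp_announcement(targets),
            "dropped": len(result["dropped"]), "forwarded": len(result["forwarded"]),
            "untouched": len(result["untouched"])}


if __name__ == "__main__":
    print(simulate())
```

The mail server's traffic never enters the Guard because only the web server's /32 is announced, which is the point of step 3. The anti-spoofing rule here is deliberately crude: a brand-new legitimate client whose first packet is a SYN would be dropped alongside the flood. A production scrubber closes that gap by answering the SYN itself (SYN cookies or proxying) so that a real client proves reachability on its next packet; the model above only credits sources that have already shown an ACK.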

Page 25

75% of New Application Attacks Focused on Custom Applications

[Diagram: the stack from the network up through operating systems, web servers, application servers and database servers to custom web applications and customized packaged applications (internal and third-party code, business logic and code). The network firewall and IDS/IPS cover the lower layers; the application layer at the top is marked as the layer requiring protection.]

"50% of enterprises and government agencies are using XML, Web services or SOA." Source: Gartner

"XML accounted for 15% of internet traffic in 2005. By 2008, it is expected to account for 50%." Source: 451 Group

Page 26

Application Security: The Last Line of Defense

[Diagram: network attacks, XML attacks and application attacks aimed at the data center's servers and applications are each shown blocked by a tier of the chain: datacenter firewall, XML firewall, application firewall, with Cisco ACE in the path.]

Industry's highest-performance data center security: 16 Gbps, 1M NAT, 256K ACL entries

Datacenter firewall
• Secure from protocol and denial-of-service attacks
• Encrypt critical content

XML firewall
• Protect from XML vulnerabilities
• Maintain message integrity and confidentiality

Application firewall
• Protect from both known and unknown threats
• Protect against "day zero" attacks
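What "protect from XML vulnerabilities" means at the wire: before a SOAP or XML message reaches the application server, the gateway refuses the constructs that make XML parsers fall over. The following is an added example, not Cisco AXG or ACE code: it streams a message through the Python standard-library expat parser with handlers that reject any DOCTYPE or entity declaration (the carriers of entity-expansion and external-entity attacks) and bound nesting depth, element count, attribute count and message size. The limits and the sample messages (a benign quote request, a billion-laughs document, a deeply nested one, a truncated one) are constructed for the illustration.

```python
"""XML-firewall style pre-parse inspection for the XML tier on this slide.
Added example, not Cisco AXG / ACE code: the limits and the sample messages are
constructed; the checks (no DOCTYPE or entity declarations, bounded depth,
element and attribute counts, bounded size) are the standard defenses against
entity-expansion and nesting attacks on SOAP / XML web services."""
import xml.parsers.expat as expat
from dataclasses import dataclass
from typing import Dict


class XmlPolicyViolation(Exception):
    """Raised when a message breaks the inspection policy, before the app ever sees it."""


@dataclass(frozen=True)
class XmlLimits:
    max_bytes: int = 1_000_000
    max_depth: int = 32
    max_elements: int = 10_000
    max_attrs: int = 64


def inspect_xml(payload: bytes, limits: XmlLimits = XmlLimits()) -> Dict[str, int]:
    """Stream the document through expat with handlers that enforce the policy.
    Returns {'elements', 'max_depth'} for an accepted message."""
    if len(payload) > limits.max_bytes:
        raise XmlPolicyViolation(f"message of {len(payload)} bytes exceeds {limits.max_bytes}")

    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD, internal or external, is the carrier for billion-laughs and XXE.
        raise XmlPolicyViolation(f"DOCTYPE '{name}' not allowed")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XmlPolicyViolation(f"entity declaration '{name}' not allowed")

    def on_start(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > limits.max_depth:
            raise XmlPolicyViolation(f"nesting deeper than {limits.max_depth} at <{name}>")
        if stats["elements"] > limits.max_elements:
            raise XmlPolicyViolation(f"more than {limits.max_elements} elements")
        if len(attrs) > limits.max_attrs:
            raise XmlPolicyViolation(f"<{name}> carries {len(attrs)} attributes")

    def on_end(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)          # exceptions raised in handlers propagate here
    except expat.ExpatError as exc:
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return {"elements": stats["elements"], "max_depth": stats["max_depth"]}


def verdict(payload: bytes) -> str:
    """Firewall decision as a string: 'allowed' or 'blocked: <reason>'."""
    try:
        inspect_xml(payload)
        return "allowed"
    except XmlPolicyViolation as exc:
        return f"blocked: {exc}"


# Constructed sample messages.
SOAP_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote xmlns="urn:example:quotes"><symbol>CSCO</symbol></GetQuote></soap:Body>
</soap:Envelope>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>
<lolz>&lol3;</lolz>"""

DEEP_NESTING = b"<a>" * 100 + b"</a>" * 100
TRUNCATED = b"<soap:Envelope><soap:Body>"

if __name__ == "__main__":
    for label, msg in [("soap", SOAP_OK), ("laughs", BILLION_LAUGHS),
                       ("deep", DEEP_NESTING), ("truncated", TRUNCATED)]:
        print(f"{label:10} {verdict(msg)}")
```

The DOCTYPE rejection fires on the declaration itself, so the entity graph in the billion-laughs message is never expanded; that is the property to keep when porting this logic, since a check that runs after parsing has already paid the expansion cost. Message-integrity and confidentiality (the slide's second XML bullet) are a separate layer, WS-Security signatures and encryption, and are not modelled here.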

Page 27

IronPort's Content Security Story

[Diagram: content security gateways sit between the Internet and the LAN: an e-mail security appliance in front of the mail servers and a web / IM / SIP security appliance in front of end-user clients, managed by a management controller and fed by SenderBase, the common security database.]

Block incoming threats:
• Spam, phishing/fraud
• Viruses, Trojans, worms
• Spyware, adware
• Unauthorized access

Enforce policy:
• Acceptable use
• Regulatory compliance
• Intellectual property
• Encryption

Centralize admin:
• Per-user policy
• Per-user reporting
• Quarantine
• Archiving

Page 28

The Challenges of Approaching Security Without an End-to-End, Systems Approach

[Diagram: twelve stand-alone point products, NAC, Firewall, Network IPS, IPsec VPN, Spam Gateway, Host IPS, AV Gateway, Web Application Firewall, URL Filter, SSL VPN, Security Management and XML Firewall, each of which must be handled separately along every dimension below.]

• Training and staffing
• Policy implementation
• Threat intelligence
• Event sharing and collaboration
• Configuration and management

Page 29

The Advantages of a Systems Approach: Lower Cost, Higher Efficiency, Greater Effect

[Diagram: the same twelve functions, NAC, Firewall, Network IPS, IPsec VPN, Spam Gateway, Host IPS, AV Gateway, Web Application Firewall, URL Filter, SSL VPN, Security Management and XML Firewall, integrated into the network infrastructure and sharing the dimensions below.]

• Policy implementation
• Configuration and management
• Training and staffing
• Threat intelligence
• Event sharing and collaboration
• Integration into the network infrastructure

Page 30

Self-Defending Network in the Data Center

[Diagram: the data center from edge to storage with components placed per zone: Cisco ASA, ACS, Cisco Security MARS, Cisco WAAS, Cisco ACE, Cisco Catalyst 6000 FWSM, Cisco Security Agent on the web, application and database servers, AXG (Web Applications, B2B, DHTML to XML), Cisco MDS with SME, Tier 1/2/3 storage, tape/offsite backup, CSM, Cisco Security Agent MC, CW-LMN, Cisco IronPort E-Mail Security, Cisco IronPort Web Security.]

Data-center edge
• Firewall and IPS
• DoS protection
• Application protocol inspection
• Web services security
• VPN termination
• E-mail and web access control

Web access
• Web security
• Application security
• Application isolation
• Content inspection
• SSL encryption and offload
• Server hardening

Applications and database
• XML, SOAP, and AJAX security
• DoS prevention
• Application-to-application security
• Server hardening

Storage
• Data encryption, in motion and at rest
• Stored data access control
• Segmentation

Management
• Tiered access
• Monitoring and analysis
• Role-based access
• AAA access control

Page 31

Market Leader with Commitment to Security

• Product and technology innovation
  - 1500+ security-focused engineers
  - Nine acquisitions added to our solution portfolio in the last two years
  - 100+ NAC partners worked collaboratively with us to deliver an unprecedented security vision

• Industry leadership
  - Critical Infrastructure Assurance Group
  - Responsible disclosure
  - Cisco Security Center Web destination
  - IntelliShield: security intelligence and best-practice sharing

"Because the network is a strategic customer asset, the protection of its business-critical applications and resources is a top priority."

John Chambers, Chairman and CEO, Cisco

Page 32

Summary

• Threat evolution requires new thinking and a new approach

• Network and content security: the SDN evolution

• Cisco TrustSec brings a new paradigm to data center security

• Cisco is committed to defending the data center
