
Self-Defending Networks

Cisco Integrated Security

Jim Lord
Advanced Technologies - Security
October, 2004

5491_06_2002_c1 © 2001, Cisco Systems, Inc. All rights reserved. 1


Business Drivers



Today’s Organizational Challenges

• Due to continued economic challenges, organizations and employees need to be more productive.
• More and more employees need to work and communicate while mobile, and not infect the company with viruses (counterproductive).
• Organizations need to better defend against threats, vulnerabilities and events, and adopt a defense-in-depth strategy.
• Organizations need to maximize return on investment of their limited IT budgets to improve productivity and mobility and secure the assets of the business.



New forces are redefining business.

• Global markets
• Networked Virtual Organization
• Internet
• Security
• ROI
• Fastest routes to Market



Data, audio, video, and presence …
are becoming inter-dependent.



Sources of Pain - Cost

1.) Smarter attacks propagate
2.) Managing different products
3.) Patching OS is time consuming
4.) Assets are at risk
5.) React to events
6.) Hope it doesn’t happen to us



Sources of Pain - Time

1.) Employees are idle when infected
2.) Employees catch and spread viruses; they work against IT
3.) Too much time spent on managing separate products
4.) Tech staff spends too much time handling end user problems
5.) Recovery to steady-state is now the challenge!
Threat Capabilities

[Chart: sophistication of hacker tools, rising from Low to High between 1980 and 2000, plotted against the technical knowledge required of the attacker, which falls over the same period. Capabilities shown, roughly in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet forging/spoofing, stealth diagnostics, DDoS, and Internet worms (marked “New”).]


The Self Defending Network

Self Defending Network Strategy

Cisco strategy: an initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats.

INTEGRATED SECURITY
• Secure Connectivity
• Threat Defense
• Trust & Identity

SECURITY TECHNOLOGY INNOVATION
• Endpoint Security
• Application Firewall
• SSL VPN
• Network Anomaly

SYSTEM LEVEL SOLUTIONS
• Endpoints
• Network
• Services



Cisco’s Integrated Network Security Systems

Threat Defense
• Defend the Edge: Integrated Network FW+IDS detects and prevents external attacks (at the Internet/Intranet boundary)
• Protect the Interior: Catalyst Integrated Security protects against internal attacks
• Guard the Endpoints: Cisco Security Agent (CSA) protects hosts against infection

Secure Trust and Identity
• Verify the User and Device: Identity-Based Networking/NAC controls who/what has access

Secure Comm.
• Secure the Transport: IPSec VPN, SSL VPN and MPLS protect data/voice confidentiality



5 Characteristics of a Self-Defending Network

• End Point Posture Enforcement
• Network Device Protection
• Dynamic/Secure Connectivity
• Dynamic Communication Between Elements
• Automated Threat Response



Cisco Self-Defending Network - In Action

• End-point security enforcement
Network Admission Control, Identity Based Network Services
• Network device protection
Control Plane Policing, Auto-Secure, Switch/Router/WAP protection technologies
• Dynamic/Secure connectivity
Dynamic Multipoint VPN, VLAN
• Dynamic communication between elements
Netflow, NBAR, Dynamic Intrusion Protection, ‘AreYouThere?’
• Automatic response
Cisco Security Agent, Network Anomaly Detection (Riverhead)



Network Admission Control

Cisco Network Admission Control (NAC)

• Cisco-led, multi-partner program
• Limits damage from viruses, worms, etc.
• Limits network access to compliant, trusted endpoints
• Endpoint device interrogated for policy compliance
• Network determines appropriate admission enforcement: permit, deny, quarantine, restrict
• Phase I of Cisco Self-Defending Network Initiative
• Dramatically improves network’s ability to identify, prevent, and adapt to threats



Industry Collaboration - Critical for Success

Cisco Network Admission Control Program

Co-Sponsors



Cisco’s NAC Solution Overview

NAC Solution: Leverage the network to intelligently enforce access privileges based on endpoint security compliance.

[Diagram: hosts attempting network access (running the Cisco Trust Agent) talk EAP to the network access devices (enforcement points); the access devices talk RADIUS to the Cisco ACS policy server; ACS talks HTTPS to the AV vendors’ servers.]

1. Host sends credentials to Access Device using EAP (UDP or 802.1x).
2. Access Device forwards credentials to Policy Server (ACS) using RADIUS.
3. ACS Server authenticates ID and passes AV info to AV Vendors’ Servers.
4. AV Vendors’ Servers respond with Compliance/Non-Compliance.
5. Policy Server responds to Access Device with access rights and VLAN assignment.
6. Access Device accepts rights, enforces policy, and notifies client.
7. Client receives the result (Allow/Deny/Restrict/Quarantine).
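To make the seven-step admission flow concrete from the policy side, here is an added model of the decision logic (my example, not Cisco, ACS or Trust Agent code): the posture fields, the compliance thresholds, the VLAN numbers and the sample hosts are all constructed assumptions, and each function is labelled with the slide step it stands in for.

```python
# Added example (not Cisco code): model of the NAC admission flow on the slide.
# Posture fields, policy thresholds, VLAN numbers and sample hosts are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Posture:  # step 1: what the Cisco Trust Agent reports over EAP (assumed fields)
    user: str
    identity_ok: bool      # stands in for the credential check ACS performs
    av_installed: bool
    av_sig_date: date      # date of the AV signature set on the host
    os_patch_level: int

POLICY = {"max_sig_age_days": 7, "min_os_patch": 3}   # assumed policy held by ACS/AV server
VLAN = {"allow": 10, "restrict": 20, "quarantine": 99, "deny": None}  # assumed VLAN plan
TODAY = date(2004, 10, 15)  # fixed "now" so the example is deterministic

def av_vendor_check(p: Posture, today: date) -> str:
    """Steps 3-4: the AV vendor server validates the AV data ACS relayed over HTTPS."""
    if not p.av_installed or (today - p.av_sig_date).days > POLICY["max_sig_age_days"]:
        return "non-compliant"
    return "compliant"

def acs_decision(p: Posture, today: date) -> tuple[str, int | None]:
    """Steps 2 and 5: ACS checks identity, consults the AV vendor, returns action + VLAN."""
    if not p.identity_ok:
        return "deny", VLAN["deny"]               # identity failed: no network at all
    if av_vendor_check(p, today) == "non-compliant":
        return "quarantine", VLAN["quarantine"]   # isolated remediation VLAN
    if p.os_patch_level < POLICY["min_os_patch"]:
        return "restrict", VLAN["restrict"]       # limited access until patched
    return "allow", VLAN["allow"]

def access_device_enforce(p: Posture, today: date = TODAY) -> dict:
    """Steps 6-7: the switch/router applies the decision and notifies the client."""
    action, vlan = acs_decision(p, today)
    note = f"Access {action}" + (f" on VLAN {vlan}" if vlan is not None else "")
    return {"user": p.user, "action": action, "vlan": vlan, "client_message": note}

SAMPLE_HOSTS = [  # constructed endpoints, one per enforcement outcome
    Posture("alice", True, True, date(2004, 10, 14), 3),   # compliant
    Posture("bob", True, True, date(2004, 9, 1), 3),       # stale AV signatures
    Posture("carol", True, True, date(2004, 10, 14), 1),   # OS below patch level
    Posture("guest", False, False, date(2004, 1, 1), 0),   # credentials rejected
]

def demo() -> dict[str, dict]:
    return {p.user: access_device_enforce(p) for p in SAMPLE_HOSTS}
```

Running `demo()` yields one outcome per sample host: allow, quarantine, restrict and deny, each with the VLAN the access device would apply.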



Products and Technologies

Cisco Threat Defense System
Products and Technologies

Firewall: PIX® security appliance, Cisco IOS® FW, Catalyst® 6500 Firewall Services Module
Network IDS/IPS: IDS Sensors, Catalyst IDS Services Module, access router IDS module, Cisco IOS IDS s/w
Endpoint Security: Cisco Security Agent
Network Services: NetFlow, NBAR, sink hole, Catalyst Integrated Security features
Cisco IOS Infrastructure Security: AutoSecure, secure ACL, control plane policing, CPU/Memory thresholding
Intelligent Investigation: Cisco Threat Response technology
Content Security: Content engines, access router network modules
Security Management: Embedded device managers, CiscoWorks VMS, CiscoWorks SIMS, IP Solution Center
Unifying Proven Cisco Security Services

IPS Services
Services: Pattern Recognition, Protocol Analysis, Protocol Validation
Features: Broad Attack Signatures, Threat Response, Multi-Sensor Technology, Flexible Policy Language
Products: Cisco IDS; Router & Catalyst IDS Modules

Firewall Services
Services: Packet Inspection, Protocol Validation, Application Inspection
Features: State Awareness, Protocol Decoding, L2 & L3 Integration, Robust Failover, Virtualization
Products: PIX; Catalyst Firewall Services Module

VPN Services
Services: Encryption, User Authentication, Packet Authentication
Features: Easy VPN, WebVPN, Broad User Awareness, Clustering, Group-Based Management, Client Technologies
Products: VPN 3000; Catalyst, Routers & PIX
Cisco Security Agent Functions

• System Hardening
Syn-flood protection
Malformed packet protection
Restart of failed services
• Resource Protection
File access control
Network access control
Registry access control
COM component access control
• Control of executable content
Protection against email worms
Protection against automatic execution of downloaded files or ActiveX controls
• Application-related
Application run control
Executable file version control
Protection against code injection
Protection of process memory
Protection against buffer overflows
Protection against keystroke logging
• Detection
Packet sniffers & unauthorized protocols
Network scans
Monitoring of OS event logs



2001: NIMDA

• Virus uses address book to email to target
• Payload pretends to be “audio/x-wav” and is automatically executed
• Inserts trojan program into executable files, LOAD.EXE in system directory; starts LOAD.EXE from SYSTEM.INI; hides its files; adds administrator account
• Copy to remote file shares; email to known email addresses; scan for remote web servers
• Deletes files
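The CSA function list and the NIMDA timeline above describe behaviours a host agent watches for; as an added example (my code, not Cisco Security Agent and not from the deck), here is a small behavioural rule set derived from the NIMDA steps, run over constructed host events. The event format, the file paths and the rule names are assumptions; the only outside fact used is that Windows executables begin with the “MZ” magic bytes.

```python
# Added example (not Cisco Security Agent code): host behaviour rules modelled on
# the NIMDA steps on the slide. Event format, paths and rule names are constructed.
from __future__ import annotations

# Constructed events, shaped like what an agent intercepting file, mail and account
# operations might record; the last one is benign and should not fire any rule.
SAMPLE_EVENTS = [
    {"kind": "mail_attachment", "declared_mime": "audio/x-wav", "magic": b"MZ\x90\x00"},
    {"kind": "file_write", "path": r"C:\WINNT\SYSTEM32\LOAD.EXE", "by": "OUTLOOK.EXE"},
    {"kind": "file_write", "path": r"C:\WINNT\SYSTEM.INI", "by": "LOAD.EXE",
     "line": "shell=explorer.exe load.exe"},
    {"kind": "account_change", "group": "Administrators", "by": "LOAD.EXE"},
    {"kind": "file_write", "path": r"C:\Users\jim\notes.txt", "by": "NOTEPAD.EXE"},
]

def disguised_executable(e: dict) -> str | None:
    # Slide: payload claims to be audio/x-wav yet executes; "MZ" marks a Windows executable.
    if e["kind"] == "mail_attachment" and e["magic"].startswith(b"MZ") \
            and not e["declared_mime"].startswith("application/"):
        return f"attachment declared {e['declared_mime']} but carries an executable"
    return None

def system_dir_executable(e: dict) -> str | None:
    # Slide: trojan dropped as LOAD.EXE in the system directory (path is constructed).
    p = e.get("path", "").upper()
    if e["kind"] == "file_write" and p.startswith("C:\\WINNT\\SYSTEM32\\") and p.endswith(".EXE"):
        return f"{e['by']} wrote executable {e['path']}"
    return None

def shell_line_changed(e: dict) -> str | None:
    # Slide: LOAD.EXE started from SYSTEM.INI, i.e. its shell= line was edited.
    if e["kind"] == "file_write" and e.get("path", "").upper().endswith("SYSTEM.INI") \
            and e.get("line", "").lower().startswith("shell="):
        return f"{e['by']} changed SYSTEM.INI to '{e['line']}'"
    return None

def admin_group_changed(e: dict) -> str | None:
    # Slide: worm adds an administrator account.
    if e["kind"] == "account_change" and e["group"] == "Administrators":
        return f"{e['by']} altered the Administrators group"
    return None

RULES = [disguised_executable, system_dir_executable, shell_line_changed, admin_group_changed]

def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, detail) for each event a rule matches. An enforcing agent
    such as CSA would block the operation; this model only reports it."""
    return [(r.__name__, d) for e in events for r in RULES if (d := r(e))]
```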



Cisco Security Agent
“MYDOOM” Screen Shot – Desktop Device



Putting It All Together…

• Build a business infrastructure for productivity and competitive advantage once!! (not rebuilding it every time you get hacked or infected)
Clients and applications anywhere, anytime
Reduced administration
Faster deployment
Cost savings
Business impact
• Services leverage a Secure IP infrastructure
• Layer the threat defense in each piece of the network!! Don’t make it easy for penetration.



Business Benefits of Security Technologies - Today

This is NOT about Bits and Bytes
Not just firewalls and Anti-virus

This IS about Business
Layers of security architecture result in available applications
Cisco, McAfee, Symantec, Trend Micro as early pioneers
Know who is allowed and what their security posture is
A network that truly Defends Itself, without human intervention
Increased Productivity for the IT Staff & business worker


