
The Self-Defending Network: Distributing Security Throughout the Network

Bernie Trudel, Principal Consultant, Security, Cisco Asia Pacific

The Network as a Strategic Asset

[Diagram labels: Corporate Enterprises; Customers; Partners; Suppliers; Service Providers; Small/Medium Businesses; Employees. Business outcomes shown: Financial Performance, Reduced Operational Costs, Improved Productivity]



2004 Cisco Systems, Inc. All rights reserved.

Security Challenges: The Cost of Threats

Dollar Amount of Loss By Type of Attack (chart). Top threats by reported loss:
1. Theft
2. DoS
3. Viruses/Worms
4. Insider Abuse

CY2003 Total: $201.7M (US) or $380k per respondent on avg.


Source: CSI/FBI 2003 Survey; 251 respondents

Security Issues for IT in India

Availability of the IT infrastructure
- Distributed Denial of Service
- Worm Persistence and Propagation

Keeping Rogue Users out of the Network
- Physical Port Access
- Logical Port Access

Privacy of Information
- Internal Theft of Information
- Social Engineering: Phishing, Ad-ware, Trojans

Evolution of Security Requirements

PAST: Reactive; Standalone; Product Level

NEEDED NOW: Automated, Proactive; Integrated; Multiple Layers; System-level Services

A Collaborative Systems Approach



Self-Defending Networks

Cisco strategy to dramatically improve the network's ability to identify, prevent, and adapt to threats.

INTEGRATED SECURITY: Secure Connectivity; Threat Defense; Trust & Identity

ADVANCED SECURITY TECHNOLOGIES: Endpoint Security; Application Firewall; SSL VPN; Network Anomaly

SYSTEM LEVEL SOLUTIONS: Dynamically identify, prevent, and respond to threats (Endpoint + Network)


Self-Defending against Wireless Intrusion

[Diagram labels: Policy Server; CiscoWorks WLSE Cluster (WLSE 2.5); RM-Agg, Switch-Based WDS; RM; Rogue AP]

1. New RF is detected by WLAN endpoints
2. RM frames sent to Policy Server
3. Policy Server locates rogue AP and disables network switch port


The Three Pillars of Security

PRIVACY: Secure Connectivity System. Secure transport of applications across numerous network environments.

PROTECTION: Threat Defense System. Collaboration of security and network intelligence services to minimize the impact of both known and unknown threats.

CONTROL: Trust & Identity Management System. Contextual identity required for entitlement and trust.

Central Management and Analysis spans all three.


Privacy: Network Confidentiality

Extranets / Branch Offices: Extend the corporate network to branch offices in a cost-effective manner; improve communications and access with partners, suppliers and customers with IPSec or SSL

Wireless: Maintain security with new access technologies that enhance productivity

Teleworker: Provide multi-service access to SOHO users over secure broadband connections

Campus: Enhance security by ensuring privacy of critical information across the data center and the entire campus

Extranet / Mobile User: Enhance productivity by providing anywhere, anytime access with IPSec or SSL

Management: Centralized control of all secure connections with one platform to configure, monitor and troubleshoot

Voice


Protection: Securing the Endpoint

Business Challenge -> New Method Requirement

Day Zero attacks: rapidly propagating attacks evade signature recognition
-> Zero-Update Protection: stops new unknown attacks with no signature updates to manage

Point product challenges: reactive products (PFW, etc.) fail to address the problem; requires multiple agents and management paradigms
-> A Single Agent: aggregates multiple security functionality in one agent; behavioral day-zero protection, firewalling and OS lockdown

Reactive Patching & Patch Management: increasing number of vulnerabilities makes the task of patching systems an update race without end
-> Scheduled Maintenance: wait for roll-ups and Service Packs, which come better qualified from the vendor; testing and implementation of updates can be scheduled without undue change control interruption

Protection: DDoS Mitigation

[Diagram labels: Riverhead Guard; BGP announcement; Cat6k; Riverhead Detector, Cisco IDS, Netflow system; Target; Non-targeted servers]

1. Detect: Riverhead Detector, Cisco IDS, Netflow system
2. Activate: Auto/Manual
3. Divert only the target's traffic (BGP announcement)
4. Identify and filter the malicious traffic destined to the target
5. Forward the legitimate traffic to the target
6. Non-targeted traffic flows freely

Control: Rogue endpoints

[Diagram labels: Branch or Campus; Corporate Net; Remediation / Quarantine Area. NAC = Network Admission Control; CTA = Cisco Trust Agent; ACS = Access Control Server]

1. Non-compliant endpoint attempts connection
2. PC is denied access to the corporate Net
3. Quarantine area and remediation
4. Compliant endpoint attempts connection
5. Security Posture is verified
6. Connection allowed by security policy
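The admission decision in steps 1 to 6 above, written out as a small posture-validation routine (an added illustration, not Cisco's NAC, CTA or ACS code; the posture attribute names, thresholds and sample endpoints are constructed assumptions):

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed policy values and endpoints; attribute names are assumptions, not the real CTA/ACS schema.
TODAY = date(2004, 7, 1)
MIN_PATCH_LEVEL = 3
MAX_SIG_AGE_DAYS = 7

@dataclass
class Posture:
    host: str
    agent_present: bool            # a CTA-style agent answered the posture query
    av_installed: bool = False
    av_sig_date: Optional[date] = None
    patch_level: int = 0

@dataclass
class Decision:
    host: str
    network: str                   # "corporate" (step 6) or "quarantine" (steps 2-3)
    reasons: list = field(default_factory=list)

def validate_posture(p: Posture, today: date = TODAY) -> Decision:
    """ACS-style policy check: any failed rule keeps the host off the corporate net and in quarantine for remediation."""
    reasons = []
    if not p.agent_present:
        reasons.append("no trust agent; posture unverifiable")   # cannot perform step 5, so not trusted
    else:
        if not p.av_installed:
            reasons.append("antivirus not installed")
        elif p.av_sig_date is None or (today - p.av_sig_date).days > MAX_SIG_AGE_DAYS:
            reasons.append("antivirus signatures older than %d days" % MAX_SIG_AGE_DAYS)
        if p.patch_level < MIN_PATCH_LEVEL:
            reasons.append("patch level %d below required %d" % (p.patch_level, MIN_PATCH_LEVEL))
    return Decision(p.host, "corporate" if not reasons else "quarantine", reasons)

SAMPLE_ENDPOINTS = [  # constructed
    Posture("pc-compliant", True, True, date(2004, 6, 29), 3),
    Posture("pc-stale-av", True, True, date(2004, 6, 1), 3),
    Posture("pc-unpatched", True, True, date(2004, 6, 30), 1),
    Posture("pc-no-agent", False),
]

def admission_report(endpoints=SAMPLE_ENDPOINTS):
    """Map each host to its admission decision; the reasons list is what remediation would act on."""
    return {d.host: d for d in (validate_posture(e) for e in endpoints)}
```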

Cisco Integrated Security Portfolio

MANAGEMENT AND ANALYSIS: security policy, security event monitoring and analysis; threat validation and investigation; security management; embedded device management

[Diagram labels: Complete Coverage; Flexible Deployment; Security Services; Secure Infrastructure]

Protecting Desktops, Servers and Networks: Security Appliances; VPN / SSL; Security Software; Behavior

Secure infrastructure: Switches; Routers; Firewall; IDS; Identity

Device Authentication, Port Level Security, Secure and Trusted Devices, Secure Access, Transport Security

ADVANCED SECURITY SERVICES

Self-Defending is Good for Business

System-level security solutions provide a foundation for increasing the immunity of the IT infrastructure to new breeds of threats.

End-to-end security ensures that privacy controls are solid and that businesses maintain control of their critical assets.

Long term, security will be fundamentally integrated into the Intelligent Network and Connected Business Processes.

"Anyone can build a stop sign or even a traffic light, but it takes a different mindset entirely to conceive of a city-wide traffic control system."
Bruce Schneier, Beyond Fear

In July 2004, Cisco announced the formation of a separate Technology Group to be headed by SVP Jayshree Ullal. This results in more focus on developing and delivering the SDN.