© 2006 Cisco Systems, Inc. All rights reserved. SND v2.01-1 Introduction to Network Security Policies Understanding the Requirement for a Secure Network.

Transcript:

Introduction to Network Security Policies
Understanding the Requirement for a Secure Network Policy

Outline
- Overview
- Need for Network Security
- Balancing Network Security Requirements
- Assuring the Availability and Protection of Information
- Adversaries, Hacker Motivations, and Classes of Attack
- Information Assurance
- Principles of Defense in Depth
- Network Security Process
- Network Security Design Factors
- Summary

Closed Networks
[Diagram: Remote Site and Closed Network; links labelled PSTN, Frame Relay, X.25, Leased Line]
Attacks from inside the network remain a threat.

Open Networks
[Diagram: Mobile and Remote Users, Partner Site, Remote Site; links labelled Internet-Based Intranet (VPN), Internet-Based Extranet (VPN), PSTN]

Threat Capabilities: More Dangerous and Easier to Use
[Chart: Sophistication of Hacker Tools against Technical Knowledge Required (High to Low); axis tick: 2000; tools shown: Packet Forging/Spoofing, Password Guessing, Self-Replicating Code, Password Cracking, Backdoors, Hijacking Sessions, Scanners, Sniffers, Stealth Diagnostics, Exploiting Known Vulnerabilities, Disabling Audits]

Size of the Problem
[Chart: Percentage of Incidents]
Source: 2005 CSI/FBI Computer Crime and Security Survey

Network Security Challenge
As business and management practices become more open and rely more on using Internet-powered initiatives and online collaboration, network security becomes a fundamental part of their survival in an increasingly competitive and threatening world.

E-Business Challenge
[Diagram: Expanded Access; Heightened Security Risks. Labels: Internet Access, Corporate Intranet, Internet Presence, Supply Chain, Customer Care, E-Commerce, E-Learning, Workforce Optimization; axis: Internet Business Value]
Business security requirements:
- Defense in depth
- Multiple components
- Integration into e-business infrastructure
- Comprehensive blueprint

Converging Dynamics
- New laws require organizations to better protect the privacy of sensitive and personal information.
- A growing level of terrorist and criminal activity is being directed at communications networks and computer systems.
- Cyber attacks and hacking are much easier now than in the past for a larger number of perpetrators.

Information Assurance
Availability and Protection of Information

Information Assurance
Typical Network Architecture
[Diagram labels: Private Engineering and Development, Unrestricted Public Information, Private Internal Departments, DMZ, Access Control, Internet, Site Boundary, Head Office, Home Office, Corporate Research Center, Customers and Suppliers, Unrestricted Public Access, Private WAN]

Adversaries, Hacker Motivations, and Classes of Attack
Adversaries: Nation states, Terrorists, Criminals, Hackers, Crackers, Competitors, Script Kiddies, Disgruntled Employees, Government
Motivations: Intelligence, Theft, DoS, Embarrassment, Challenge
Classes of Attack: Passive, Active, Close-in, Insider, Distribution

Information Assurance
An Integrated Set of Measures and Actions
Availability, Integrity, Authentication, Confidentiality, and Nonrepudiation
[Diagram: Information Assurance, Defense-in-Depth Strategy: People, Technology, Operations]

Information Assurance: People
- Hire good people.
- Train and reward them well.
- Penalize unauthorized behavior.
[Diagram: Information Assurance, Defense-in-Depth Strategy: People, Technology, Operations]
People:
- Physical security
- Personnel security
- Facilities countermeasures
- Policies and procedures
- Training and awareness
- System security administration

Information Assurance: Technology
- Use evaluated products and solutions.
- Integrate a layered defense strategy.
[Diagram: Information Assurance, Defense-in-Depth Strategy: People, Technology, Operations]
Technology:
- Information assurance architecture
- Information assurance criteria
- Acquisition of evaluated products
- System risk assessment

Information Assurance: Operations
- Enforce security policies.
- Respond quickly to intrusions.
- Restore critical services.
[Diagram: Information Assurance, Defense-in-Depth Strategy: People, Technology, Operations]
Operations:
- Security policy
- Certification and accreditation
- Security management
- Key management
- Readiness assessment
- ASW&R
- Recovery and reconstitution

Defense in Depth
[Diagram: Information Assurance, Defense-in-Depth Strategy: People, Technology, Operations]
Defense-in-Depth Strategy Focus Areas:
- Defend the network and infrastructure
- Defend the perimeter
- Defend the computing environment
- Provide support

Layered Defense
Class of Attack | First Line of Defense | Second Line of Defense
Passive | Link layer and network layer encryption and traffic flow security | Security-enabled applications
Active | Defend the enclave boundaries | Defend the computing environment
Insider | Physical and personnel security | Authenticated access controls, audit
Close-In | Physical and personnel security | Technical surveillance countermeasures
Distribution | Trusted software development and distribution | Run-time integrity controls

Network Security Design Factors
Network security is a continuous process built around a security policy:
- Step 1: Secure
- Step 2: Monitor
- Step 3: Test
- Step 4: Improve
[Diagram: cycle of Secure, Monitor, Test, Improve around Security Policy]

Secure the Network
This step involves implementing security solutions to stop or prevent unauthorized access or activities and to protect information. These solutions should be included:
- Authentication
- Encryption
- Firewalls
- Vulnerability patching

Monitor Security
This step involves taking these actions:
- Detect violations to the security policy
- Involve system auditing and real-time intrusion detection
- Validate the security implementation in the previous step where you secured the network

Test Security
This step involves validating the effectiveness of the security policy through system auditing and vulnerability scanning.

Improve Security
This step involves taking these actions:
- Use information from the monitor and test phases to make improvements to the security implementation
- Adjust the security policy as security vulnerabilities and risks are identified

Network Security Infrastructure
- Security policy
- Security architecture
- Security technologies
  – Identity
  – Perimeter security
  – Secure connectivity
  – Security monitoring
  – Security policy management

Summary
- Sophisticated attack tools and open networks continue to generate an increased need for network security policies and infrastructure to protect organizations from internally and externally based attacks.
- Organizations must balance network security needs against e-business processes, legal issues, and government policies.
- Establishing a network security policy is the first step in changing a network over to a secure infrastructure.
- The strategy of information assurance affects network architecture ensuring:
  – VLANs support various internal corporate functions.
  – Physical separation and isolation of workstations maintain the confidentiality and integrity of classified data.
  – Carefully controlled connections exist between the internal networks and the unclassified public network.
- There are many kinds of adversaries, motivations, and classes of attack that threaten networks.
- Information assurance mitigates threats brought to the system by people, technology, and operations.
- A layered defense strategy provides a defense-in-depth solution.
- Secure network infrastructure design factors include security policy, architecture, and technologies.
