Lesson 3 The Cisco Security Portfolio © 2005 Cisco Systems, Inc. All rights reserved. CSI v2.13-1.


Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
- List the devices that are part of the Cisco security portfolio
- Describe the basic guidelines to use for product selection
- Describe the Cisco AVVID program

Cisco Security Portfolio Overview

Cisco Security Solutions
- Secure Connectivity (VPN): Cisco VPN 3000 Series Concentrator, Cisco Security Appliances, Cisco IOS VPN
- Perimeter Security (Firewalls): Cisco IOS Firewall, Cisco Security Appliances
- Intrusion Protection (Intrusion Detection and Prevention, Scanning): Cisco IOS IPS, Cisco IPS Sensors (network-, router-, and switch-based), Host-Based Intrusion Prevention System (Cisco Security Agent), Cisco Security Appliances
- Identity (Authentication): Cisco Secure Access Control Server, Network Admission Control
- Security Management (Management): CiscoWorks VPN/Security Management Solution, Cisco IP Solution Center

SAFE Blueprint and Ecosystem Solutions (diagram)
- Ecosystem: Cisco Programs and Services, Security Associate Solutions, Integration Partners
- Cisco AVVID Architecture layers: Applications, Directory, Operations, Service Control, Infrastructure, Appliances or Clients
- Solutions: Secure E-Commerce, Secure Supply Chain Management, Secure Intranet for Workforce Optimization

Secure Connectivity: VPN Solutions

Secure Connectivity
Secure connectivity provides the following:
- Data privacy, encryption, and VPN
- Extended network reach
- Cost-effective high-bandwidth connectivity

Overview: VPNs (diagram: main office, remote office, home office, mobile worker, and business partner connected by VPN through a POP)
- Remote access VPN: Cost effective
- Extranet VPN: Extends WANs to business partners, which leads to new applications and business models
- Intranet VPN: Low-cost, tunneled connections with rich VPN services, which lead to cost savings and new applications

VPN Solutions: Choices

Secure Connectivity: The VPN 3000 Series Concentrator

Cisco VPN 3000 Series Concentrator
The following are the features and uses of the Cisco VPN 3000 Series Concentrator:
- Primarily used for remote access
- Includes a standards-based VPN client and management GUI
- Allows mobile workers and telecommuters broadband connectivity over cable and DSL
- Uses RADIUS for authentication
- Performs split tunneling (corporate and Internet)
- Is implemented behind the Internet access router, in parallel with the Cisco PIX Security Appliances

Concentrator Product Comparison

The Cisco Secure VPN Client Framework
- Connectivity between all clients and all Cisco central-site VPN gear
- Centralized push policy technology
  – Simplifies user experience
  – Provides more control for companies
  – Reduces complexity of VPN deployments
- Implementation across all Cisco VPN Concentrators, Cisco IOS routers, and Cisco PIX Security Appliances
  – Includes non-Windows operating systems (Linux, Mac, and Solaris)
  – Offers substantial savings
  – Reduces support expense
  – Consolidates hardware
  – Reduces administration at the central site

Cisco VPN 3002 Hardware Client
- Easy deployment
- Centralized policy push
- Two 10/100 and 8-port hub version
- DHCP client and server
- PAT (external and tunnel)
- Client and network extension modes
(Diagram: a single user with the Cisco VPN Client, and home and small offices with a 3002 behind a DSL, ISDN, or cable modem, connect across the Internet to a Cisco VPN 30xx.)

Remote Access Wireless VPN (diagram: Aironet clients running the Cisco VPN 3000 Client and a mobile Certicom client connect across the Internet to a Cisco VPN 30xx at the main office)

Secure Connectivity: Cisco WebVPN

Cisco WebVPN Overview
Cisco WebVPN (SSL VPN) complements IPsec-based remote access by allowing secure remote access to corporate network resources without the use of VPN Client software.

Cisco WebVPN Features
- Access to internal web sites (HTTP and HTTPS), including filtering
- Access to internal Windows (CIFS) file shares
- TCP port forwarding for legacy application support
- Access to e-mail via POP3S, SMTPS, and IMAP4S over SSL
(Diagram: Cisco WebVPN users behind a broadband modem, a wireless LAN access point, and an ISP reach the corporate network through an encrypted tunnel terminated on the VPN Concentrator.)

Cisco WebVPN and IPSec Comparison
Cisco WebVPN:
- Uses a standard web browser to access the corporate network
- SSL encryption native to the browser provides transport security
- Applications accessed through browser portal
- Limited client and server applications accessed using applets
IPSec VPN:
- Uses purpose-built client software for network access
- Client provides encryption and desktop security
- Client establishes seamless connection to network
- All applications are accessible through their native interface

Cisco WebVPN Session Limits
(Table: Cisco WebVPN users by model and RAM; user ranges 25–50, 25–75, 100–200, 100–500, and 200–500)
Note the following when computing Cisco WebVPN session limits:
- The Cisco WebVPN session limits that are listed require OS v4.1 with SEP-E (where applicable) and the maximum allowable RAM.
- Other remote sessions can impact performance.

Secure Connectivity: Cisco VPN-Optimized Routers

Cisco VPN-Optimized Routers
The following are features of Cisco VPN-optimized routers:
- Used for site-to-site VPNs
- Include Cisco 800, 900, 1700, 2600, 3600, 3700, and 7000 series models
- Replace and augment private networks that use:
  – A leased line
  – Frame Relay
  – ATM
- Connect remote, branch office, and central sites
- Enable customers to avoid modem technology and exorbitant 800-number costs
- Implemented at the WAN edge

Site-to-Site VPN Features Summary
- Scalability
- Network resiliency
- Bandwidth optimization and QoS
- Deployment flexibility

Cisco Site-to-Site VPN Solutions: Scalability for Every Site (diagram: SOHO, remote office, regional office, and main office connected over the Internet)
- Cisco SOHO, 800, and 900 Series VPN-optimized routers for ISDN, DSL, and cable connectivity
- Cisco 1700 Series VPN-optimized router connecting remote offices at T1/E1 speeds
- Cisco 2600 and 3600 Series VPN-optimized routers connecting branch and regional offices at nxT1/E1 speeds
- Cisco 7000 Series VPN-optimized routers for dedicated VPN headend and hybrid private WAN and VPN connectivity

VAM2: For Cisco 7100, 7200, and 7400 Series Routers
Hardware acceleration for:
- IPSec encryption: up to 145 Mbps of VPN performance and 5000 tunnels
- Rivest, Shamir, and Adleman (RSA): faster tunnel-recovery key generation and authentication
- IP Payload Compression Protocol: Lempel-Ziv-Stac compression

Perimeter Security: Cisco PIX Security Appliances and Cisco IOS Firewall

Perimeter Security: Cisco PIX Security Appliances
The following are features and uses of the Cisco PIX Security Appliances:
- Typically used for site-to-site VPNs
- Contains limited IPS
- Functions as a dedicated hardware appliance
- Restricts access to network resources
- Implemented at the physical perimeter between the customer's intranet and the other company's intranet
- Determines whether traffic crossing in either direction is authorized
- Has little or no impact on network performance

Cisco PIX Security Appliance Family (chart: functionality against price, spanning the SOHO, ROBO, SMB, enterprise, and SP segments, with Gigabit Ethernet at the high end)
- Models: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535
- ROBO = remote office/branch office; SMB = small and midsize business; SP = service provider

VAC and VAC+
The VACs for the Cisco PIX Security Appliances provide high-performance tunneling and encryption services suitable for site-to-site and remote-access applications.

Security Services Module (SSM-AIP)
Cisco IPS feature set = 5.0. Security services module features are as follows:
- High-performance design provides additional security services
- Diskless (flash-based) design
- Improved reliability
- Gigabit Ethernet port for out-of-band management and so on
AIP = Auxiliary Interface Protection

Firewall Services Module
- Designed for high-end enterprise and service providers
- Runs in Catalyst 6500 Series switches and 7600 Series routers
- Based on Cisco PIX Security Appliances technology
- Includes Cisco PIX Security Appliances 6.0 feature set and some features of 6.2
- Supports multiple performance and redundancy features

Perimeter Security: Cisco IOS Firewall
The following are features and uses of the Cisco IOS Firewall:
- Integrated software solution
- Limited IPS
- Add-on module to Cisco IOS software
- Cost-effective
- Highly scalable
- Home office to enterprise
- Intranet protection
- Familiar Cisco IOS configuration
- CBAC
- Authentication proxy

Cisco IOS Firewall: CBAC
(Diagram, Cisco IOS Firewall using CBAC: the user initiates an IP session; the return traffic for the user's IP session is permitted; the other IP traffic is blocked.)
The following are features of CBAC:
- Stateful inspection
- State table maintains session state information
- ACL entries dynamically created and deleted
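The CBAC behaviour on this slide (an inside-initiated session creates a state-table entry and a temporary ACL entry for its return traffic; other inbound traffic is blocked; entries are deleted on teardown or idle timeout) as a small Python model. This is an added example, not Cisco code or course material; the addresses, ports, timer values and the teardown flag are constructed.

```python
"""Toy model of CBAC-style stateful inspection (added example, not Cisco code).
Outbound sessions create a state-table entry and a temporary ACL entry that permits
only their return traffic; other inbound traffic is denied. Entries are removed on
teardown or idle timeout. Addresses, ports and the fin flag are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"
    direction: str     # "out" = inside -> outside, "in" = outside -> inside
    fin: bool = False  # constructed flag marking session teardown

# (proto, inside_ip, inside_port, outside_ip, outside_port), same for both directions
SessionKey = Tuple[str, str, int, str, int]

class CbacFirewall:
    def __init__(self, idle_timeout: int = 60) -> None:
        self.idle_timeout = idle_timeout
        self.state_table: Dict[SessionKey, int] = {}  # key -> last-seen time
        self.dynamic_acl: Set[SessionKey] = set()      # temporary inbound permits

    @staticmethod
    def _key(pkt: Packet) -> SessionKey:
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _remove(self, key: SessionKey) -> None:
        self.state_table.pop(key, None)
        self.dynamic_acl.discard(key)

    def expire(self, now: int) -> None:
        # Age out idle sessions, deleting their dynamic ACL entries with them.
        for key, last_seen in list(self.state_table.items()):
            if now - last_seen > self.idle_timeout:
                self._remove(key)

    def process(self, pkt: Packet, now: int) -> str:
        self.expire(now)
        key = self._key(pkt)
        if pkt.direction == "out":
            # Inside-initiated traffic: record state and open the return path.
            self.state_table[key] = now
            self.dynamic_acl.add(key)
        elif key in self.dynamic_acl:
            self.state_table[key] = now  # return traffic: refresh the idle timer
        else:
            return "deny"  # unsolicited inbound traffic hits the static inbound ACL
        if pkt.fin:
            self._remove(key)  # session closed: drop state and the ACL entry
        return "permit"

def demo() -> List[str]:
    """Constructed traffic: inside host 10.1.1.10 browses to outside 203.0.113.5."""
    fw = CbacFirewall(idle_timeout=30)
    out = Packet("10.1.1.10", 40000, "203.0.113.5", 80, "tcp", "out")
    ret = Packet("203.0.113.5", 80, "10.1.1.10", 40000, "tcp", "in")
    probe = Packet("198.51.100.7", 4444, "10.1.1.10", 445, "tcp", "in")
    mismatch = Packet("203.0.113.5", 80, "10.1.1.10", 40001, "tcp", "in")
    return [
        fw.process(probe, now=0),     # deny: no session was initiated from inside
        fw.process(out, now=1),       # permit: creates the state-table entry
        fw.process(ret, now=2),       # permit: matches that entry
        fw.process(mismatch, now=3),  # deny: port differs from the tracked session
        fw.process(ret, now=40),      # deny: idle timer (30 s) expired, entry removed
    ]
```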

Cisco Intrusion Protection System

Overview: Intrusion Prevention Deployment Scenarios (diagram: corporate office with users, data center, DMZ servers, and a NAS, connected to the Internet and to a business partner)
- Extranet IPS: Monitors partner traffic where trust is implied but not assured
- Intranet and internal IPS: Protects data centers and critical assets from internal threats
- Remote-access IPS: Hardens perimeter control by monitoring remote users
- Internet IPS: Complements the firewall and VPN by monitoring traffic for malicious activity

Cisco IPS Solution: Active Defense System
- Network sensors: Overlaid network protection
- Switch sensors: Integrated switch protection
- Router sensors: Integrated router protection
- Firewall sensors: Integrated firewall protection feature
- Comprehensive management: Robust system management and monitoring

Sensor Features and Benefits
The following are the features and benefits of Cisco IPS Sensors:
- Real-time security monitoring
- Most effective signature-based attack recognition
- Intrusion defense options
- Network attack blocking
- Scalability and remote manageability
- High performance
- Low cost of operation
- Ease of installation and use

Cisco Appliance Sensor
The following are features and uses of the Cisco Appliance Sensor:
- Inline intrusion prevention
- System flexibility and deployment enhancements
- Signature definition and distribution enhancements
- Active update mechanism
- Comprehensive signature language
- Alarm summarization
- Active response extensions
  – Shunning on the Cisco PIX Security Appliances
  – Blocking with Cisco Catalyst switches
  – Blocking with routers
- Secure administration
- Enhanced filtering

Cisco IPS Sensor Family (chart of performance in Mbps against network media)
- Sensors: IDS Network Module, IPS 4215, IPS 4235, IPS 4250, IPS 4250 XL, IDSM-2
- Network media: 10/100 TX, 10/100/1000 TX, 1000 SX, switched

Host Intrusion Prevention System: CSA

Host Intrusion Prevention System
(Diagram: the application's calls for system resources pass through CSA, and only the requests allowed by policy reach the kernel.)
CSA compares application calls for system resources with the security policy.

Host Intrusion Prevention System (Cont.)
(Diagram: a corporate network behind a firewall facing an untrusted network; the DNS, WWW, SMTP, and application servers each run an Agent that reports to the Console.)

CSA Architecture
(Diagram: the administration workstation manages CSA MC; servers protected by CSA receive the security policy from CSA MC and send it events over SSL, and CSA MC raises alerts.)

CSA Interceptors
(Diagram: an application's requests pass through the File System, Network, Configuration, and Execution Space interceptors into the rules engine, which holds state, rules and policies, and a correlation engine; allowed requests reach the kernel and blocked requests do not.)

CSA Interceptors (Cont.)
(Table mapping each security application to the interceptors it uses, out of the Network, File System, Configuration, and Execution Space interceptors: Distributed Firewall uses one, Host Intrusion Detection two, Application Sandbox three, Network Worm Prevention two, and File Integrity Monitor two.)

CSA Features
- Real-time protection decisions
- Defense-in-depth approach
  – Intercepts communication between applications and the kernel
  – Protects system from attacks at all phases
- Ease of deployment
  – Deploys with default policies in 30 minutes
  – Custom policies easily configured
- Broad platform support
  – Windows and UNIX
  – Servers and desktops

CSA Features (Cont.)
- Real-time correlation at Agent and enterprisewide
- Ease of administration
  – No need for constant review of logs
  – No updates: Day Zero-ready
  – Manage from any web browser
- Centralized event management
  – E-mail, pager, and SNMP alerts controlled at CSA MC
  – Logging and report-generating capability

Identity: Access Control Solutions

Access Control Solutions
- Cisco Secure ACS
- Network Admission Control

Cisco Secure ACS Features
The following are the Cisco Secure ACS features:
- Key component used with firewalls, dialup access servers, and routers
- Implemented at network access points to authenticate remote or dial-in users
- Extranet connections implemented at the WAN to audit activities and control authentication and authorization for business partner connections

Cisco Secure ACS Product Summary
The following summarizes the features of Cisco Secure ACS:
- Easy-to-use web GUI
- Full RADIUS and TACACS+ user and administrator access control
- High performance (500+ authorizations per second)
- Supports LDAP, NDS, and ODBC data stores
- Scalable data replication and redundancy services
- Full accounting and user reporting features

Identity and Authentication
The following provide unified control of user identity for the enterprise:
- Cisco IOS routers
- VPNs
- Firewalls
- Dialup and broadband DSL
- Cable access solutions
- VoIP
- Cisco wireless solutions
- Cisco Catalyst switches
- Network devices enabled by TACACS+
- Network devices enabled by RADIUS
The following are authentication methods:
- Static passwords
- One-time passwords
- RADIUS
- TACACS+
(Diagram: a router, a firewall, VPN clients, and remote offices across the Internet authenticate against ACS, which is backed by a certificate authority, hard and soft tokens, and a one-time password server.)

Cisco NAC Solution Overview
NAC preserves enterprise resilience by auditing and enforcing adherence to corporate endpoint security policies when endpoints access the network.
1. Noncompliant endpoint attempts connection
2. Noncompliant status determined
3. Infection contained; endpoints secured
(Diagram: an endpoint running the Cisco Trust Agent connects at a campus or branch; access is denied, the endpoint is quarantined via VLAN or ACL, and remediation is enforced.)

NAC Components
Cisco NAC has the following components:
- Communications agent
- Network access devices
- Policy servers
- Management systems
- Advanced services

NAC Benefits
Cisco NAC has the following benefits:
- Dramatically improved security
- Use of network and antivirus investment
- Deployment scalability
- Increased resilience and availability

NAC Availability and Use
- NAC Phase 1 implementation
  – Device support for routers
  – OS support for Microsoft Windows NT, XP, and 2000 operating systems
- NAC Phase 2 implementation
  – Device support for Cisco switches, wireless access points, VPN concentrators, and firewalls
  – Dynamic infection containment

Security Management: Cisco IP Solution Center and Cisco VPN/Security Management Solution

Cisco IP Solution Center Security Management
The following are features of the Cisco IP Solution Center:
- Policy-based security management
- Customer-defined global service-level policies
- Easy and automatic (plug-and-play) deployment
- Flexible administration
- High-performance service auditing
- SLA monitoring and reporting
- Highly scalable open architecture

CiscoWorks VPN/Security Management Solution
The following are the features and uses of CiscoWorks VPN/Security Management Solution:
- Integrated management solution
- Web-based management
- Large-scale deployments
- One-stop configuring, monitoring, and troubleshooting of the following:
  – Firewall
  – VPN
  – Network IPS
  – HIPS

Cisco AVVID

Cisco AVVID Overview
Cisco AVVID is the one enterprise architecture that provides the intelligent network infrastructure for today's Internet business solutions. As the industry's only enterprisewide, standards-based network architecture, Cisco AVVID provides the roadmap for combining the business and technology strategies of Cisco customers into one cohesive model.

Cisco AVVID (architecture diagram)
- Internet business solutions: E-Learning, Supply Chain, Workforce Optimization, Customer Care, Internet Commerce
- Internet Business Integrators
- Internet Middleware Layer: Messaging, Contact Center, Voice Call Processing, Collaboration, Video on Demand, Multimedia, Personal Productivity, Policy Management, Content Distribution, Address Management, Security, SLA Management
- Intelligent Network Services: Multicast, Load Balancing, Caching, DNS Services, Management, Accounting, Real-Time Services, QoS, Security, Intelligent Network Classification
- Network Platforms and Clients

Cisco AVVID Benefits
- Integration: By leveraging Cisco AVVID and applying the network intelligence inherent in IP, companies can develop comprehensive tools to improve productivity.
- Intelligence: Traffic prioritization and intelligent networking services maximize network efficiency for optimized application performance.
- Innovation: Customers have the ability to adapt quickly in a changing business environment.
- Interoperability: Standards-based APIs enable open integration with third-party developers, providing customers with choice and flexibility.

Summary
Cisco offers a complete security portfolio, which encompasses the following:
- Secure connectivity: VPNs
- Perimeter security: Firewalls
- Intrusion prevention: IPSs
- Identity: ACS and NAC
- Security management: Cisco IP Solution Center and CiscoWorks VPN/Security Management Solution
Cisco security products have a wide variety of specifications for implementation. Cisco AVVID is an integral part of the Cisco network security portfolio.