Cisco Self Defending Network

May 2007

Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Intelligent Networking: Using the Network to Enable Business Processes

Cisco Network Strategy: Utilize the Network to Unite Isolated Layers and Domains to Enable Business Processes

Layers: Connectivity, Intelligent Networking, Business Processes
Domains: Networked Infrastructure, Applications and Services (Resilient, Integrated, Adaptive)
• Active participation in application and service delivery
• A systems approach integrates technology layers to reduce complexity
• Flexible policy controls adapt this intelligent system to your business through business rules

When it comes to information security, what are the objectives?

• Align security practice and policy to business requirements. Security that's a business enabler, not an inhibitor.
• Keep costs appropriate: it's not necessarily about reducing costs, but rather spending where it counts the most
• Reduce complexity of the overall environment
• Control and contain threats so they don't control you

The network touches all parts of the infrastructure; it is uniquely positioned to help solve these issues (diagram labels: Adaptive Organization, On Demand, Agile Organization).

Self-Defending Network Defined

Efficient Security Management, Control and Response
• Operational Management and Policy Control

Advanced technologies and security services to:
• Mitigate the effects of outbreaks (Threat Control and Containment)
• Protect critical assets (Secure Transactions)
• Ensure privacy (Confidential Communications)

Secure Network Platform: the Network as Platform

Self-Defending Network: "The network can identify, adapt and respond to attacks"

The three pillars of the SDN: Integration, Collaboration, Reaction

Diagram (branch office, WAN and central site): PCs with CSA (Cisco Security Agent); intrusion detection; "automatic signature distribution"; MARS & CSM; WAAS; WAN with SONA, encryption; intrusion prevention; Cisco switches; ISR router; ASA firewall; NAC; FW; servers; IPS; VPN; Anti-X; "limited vision, limited precision"; prevent the propagation of viruses and worms

Agenda

• Authentication (Internet, intranet)
  - Who can access the network
  - The impact of telephony
  - 802.1x, visitors, web-based authentication
• Endpoint compliance at connection time
  - On the LAN, over VPN, etc.
• Best practices for controlling users connected to the network
  - Security functions present in Cisco switches
  - Is QoS deployed?
  - Cisco Security Agent (CSA)
• Network monitoring and configuration

Cisco Self Defending Network: Authentication and Authorization

Diagram labels: 802.1q; 802.3 (without 802.1q tag); reserved bandwidth

IEEE 802.1x

• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily, 802.1x is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
• Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state monitoring

Some IEEE Terminology

IEEE Terms              Normal People Terms
Supplicant              Client
Authenticator           Network Access Device
Authentication Server   AAA/RADIUS Server

802.1x Port Access Control Model

Supplicant (Request for Service: Connectivity) → Authenticator (Backend Authentication Support) → Authentication Server (Identity Store Integration) → Identity Store/Management

• Supplicant: desktop/laptop, IP phone, WLAN AP, switch
• Authenticator: switch, router, WLAN AP
• Authentication Server: IAS, ACS, any IETF RADIUS server
• Identity Store/Management: MS AD, LDAP, NDS, ODBC

A Closer Look: 802.1x, STP

Port Unauthorized

Cisco IOS:
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  radius-server host 10.100.100.100
  radius-server key cisco123
  dot1x system-auth-control
  interface GigabitEthernet1/0/1
   dot1x port-control auto

CatOS:
  set radius server 10.100.100.100
  set dot1x system-auth-control enable
  set port dot1x 3/1 port-control auto

A Closer Look: 802.1x, STP

Supplicant ↔ Switch (802.1x/EAPOL) ↔ AAA Server (RADIUS)

  Port Unauthorized
  Supplicant → Switch:  EAPOL-Start
  Switch → Supplicant:  EAP-Identity-Request
  Supplicant → Switch:  EAP-Identity-Response
  EAP-Auth Exchange (EAP method dependent) ↔ Auth Exchange with AAA Server
  Switch → Supplicant:  EAP-Success/Failure (Authentication Successful/Rejected)
  Port Authorized; Policy Instructions from the AAA server
  ...
  Supplicant → Switch:  EAPOL-Logoff
  Port Unauthorized

The actual authentication conversation is between the client and the auth server using EAP; the switch is an EAP conduit, but aware of what's going on.

802.1x: Default Operation (No EAPOL)

  1  Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  2  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  3  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)

• Any 802.1x-enabled switch port will send EAPOL identity-request frames on the wire (whether a supplicant is there or not)
• The switch defaults to "no supplicant on the wire" based on no EAPOL response to its requests
• No network access is given
• Transient state; the whole process restarts after a hold timer
• The process can start again if a supplicant appears on the port

802.1x with Guest VLAN (No EAPOL)

  1  Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  2  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  3  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   → port moved to Guest VLAN

CatOS:
  set port dot1x 5/1 guest-vlan 10
IOS:
  dot1x guest-vlan 10

• Any 802.1x-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• The port is moved to the guest VLAN after step three above; instead of transitioning to disconnected, the port immediately transitions to a state of authorized and the auth-SM state is authenticated
• Default timeout is 30 seconds with three retries; the total timeout period is 90 secs by default
• A device is deployed to the guest VLAN based on lack of response to the switch's EAPOL-Identity-Request frames (which can be thought of as 802.1x hellos)
• No further security or authentication is applied
• It is exactly as if the administrator deconfigured 802.1x and hard-set the port into a determined VLAN
• No machine that speaks 802.1x (or that can indeed respond to the switch via EAPOL) should ever go into the guest VLAN

802.1x with Auth Fail VLAN

  1  EAPOL-Request (Identity), D = 01.80.c2.00.00.03
  2  EAPOL-Request (Identity), D = 01.80.c2.00.00.03
  3  EAPOL-Request (Identity), D = 01.80.c2.00.00.03   → after MAX attempts (1–3), port moved to Auth Fail VLAN

CatOS:
  set port dot1x 5/1 auth-fail vlan 5
IOS:
  dot1x auth-fail vlan 5

• Any 802.1x-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• The port is moved to the auth-fail VLAN after step three above; instead of transitioning to disconnected, the port immediately transitions to a state of authorized and the auth-SM state is authenticated
• Requires correct supplicant behavior

802.1x with VVID

• Multi-VLAN Access Ports (MVAP)
• With Multi-VLAN Access Ports, a port can belong to two VLANs, still allowing the separation of voice/data traffic while enabling you to configure 802.1x
• An access port able to handle two VLANs:
  - Native or Port VLAN Identifier (PVID): untagged 802.3
  - Auxiliary or Voice VLAN Identifier (VVID): tagged 802.1q
• Hardware set to dot1q trunk

802.1x with VVID

For each 802.1x switch port, the switch creates two virtual access points at each port:
• Controlled port: open only when the device connected to the port has been authorized by 802.1x
• Uncontrolled port: provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic only

802.1x with VVID

• A dot1x-vvid port is an MVAP that has dot1x configured
• The PC has to authenticate before getting access to the data VLAN
• The IP phone (without a dot1x supplicant implementation) can get access to the voice VLAN after sending proper CDP packets, regardless of the dot1x state of the port
• Unauthenticated voice VLAN (VVID) access
• Authenticated data VLAN (PVID) access
• This allows 802.1x and VoIP to coexist at the same time

CatOS:
  set vlan 2 5/1
  set port auxiliaryvlan 5/1 12
  set port dot1x 5/1 port-control auto
IOS:
  switchport mode access
  switchport access vlan 2
  switchport voice vlan 12
  dot1x port-control auto

802.1x with VVID: Previous Limitations

If an end user disconnects, the port remains authorized by 802.1x:
  1  Port already authenticated
  2  PC leaves
  3  Port remains authorized
  4  Illegitimate user

• An illegitimate user can now gain access to the port by spoofing the authenticated MAC address, and bypass 802.1x completely: a security hole
• In an attempt to work around this, some customers have enabled periodic reauthentication of end devices
• This is not the reason to enable reauthentication
• We need to deal with the fact that any machine can disappear from the network and the switch (and 802.1x) does not know about it explicitly (i.e., the link doesn't go down)

802.1x with VVID: Previous Limitations

If an end user disconnects, the port remains authorized by 802.1x:
  1  Port already authenticated
  2  PC leaves
  3  Port remains authorized
  4  Legitimate user
  5  Security violation

• A legitimate user may now attempt to gain access to the port by way of 802.1x
• However, assuming the MAC addresses are different, the switch may now treat this as a security violation
• In an attempt to work around this, some customers have enabled periodic reauthentication of end devices
• This is not the reason to enable reauthentication
• Overall, the same issue as the previous slides

802.1x with VVID: EAPOL-Logoff

  1  Port already authenticated
  2  PC leaves
  3  EAPOL-Logoff transmitted by the phone
  4  New authenticated session

• If an end user disconnects, the IP phone transmits an EAPOL-Logoff frame to the switch: SA = PC MAC address, DA = 01-80-C2-00-00-03 (PAE group address)
• Two basic functions needed from the phone:
  - Monitor the PAE group address to determine who and where the supplicant is
  - Actually transmit the EAPOL-Logoff frame
• The switch treats it as a standard EAPOL-Logoff frame transmitted by a supplicant indicating end of service
• This closes the current security hole, and promotes subsequent mobility

802.1x with VVID: Deployment Issues

No EAPOL:
  1  Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  2  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  3  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   → guest VLAN

• Assuming no supplicant on the wire, a port will be deployed into the guest VLAN after step three above, if a guest VLAN is configured

Supplicant present:
• If any user plugs into a phone, 802.1x is now totally dependent on how their supplicant is configured to operate
• By default, supplicants do not send EAPOL-Starts; you will want to know why 802.1x works when you plug into a switch, and why it doesn't work when you plug into a phone

MAC Authentication Bypass (MAB)

Client ↔ Dot1x/MAB (switch) ↔ RADIUS
  1  Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  2  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
  3  30 seconds:   EAPOL-Request (Identity), D = 01.80.c2.00.00.03   (no response)
     EAPOL timeout (30 seconds)
  4  Initiate MAB
  5  Learn MAC (00.0a.95.7f.de.06)
  6  RADIUS Access-Request (variable delay)
  7  RADIUS Access-Accept
  8  Port enabled

CatOS:
  Console> set port mac-auth-bypass 5/1 enable
IOS:
  Switch(config-if)# dot1x mac-auth-bypass

Web Based Proxy Authentication (No EAPOL: 802.1x process times out, RADIUS process)

  1  Client initiates connection; activates the port authentication state machine (802.1x times out)
  2  Switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
  3  Switch port relays the DHCP address from the DHCP server
  4  User starts a web browser and initiates a web connection
  5  Switch port redirects the URL and presents an HTTP form prompting for userid/password
  6  User enters credentials; they are checked against the RADIUS DB
  7  If authenticated, the switch port is opened for normal network access

Demonstrations

• 1) Authentication with 802.1x
• 2) The phone closes the 802.1x session
• 3) Authentication in the guest VLAN with web-based authentication

Implementations

Windows Boot Cycle Overview

Inherent assumption of network connectivity:
  Power Up → Load NDIS Drivers → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA (Ctrl-Alt-Del) → Login

If we wait for 802.1x user authentication, we break the Microsoft assumption.

With 802.1x machine authentication:
  Power Up → Load NDIS Drivers → 802.1x Authenticate as Computer → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA (Ctrl-Alt-Del) → Login

Microsoft and Machine Authentication

• What is machine authentication? The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session
• What is it used for? Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies
• Why do we care? Pre-802.1x, this worked under the assumption that network connectivity was a given; post-802.1x, the blocking of network access prior to 802.1x authentication breaks the machine-based group policy model, UNLESS the machine can authenticate using its own identity in 802.1x

Windows Login Procedure

User authentication only (point of 802.1x authorization at user login):
  Power Up → Load NDIS Drivers → Present GINA → Windows Domain Auth → 802.1x User Auth → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs
  * No connectivity to the domain controller until the user logs in

Machine authentication only (802.1x early in the boot process):
  Power Up → Load NDIS Drivers → 802.1x Machine Auth → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA → Windows Domain Auth

User + machine authentication:
  Power Up → Load NDIS Drivers → 802.1x Machine Auth → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA → Windows Domain Auth → 802.1x User Auth → DHCP
  * Users can be individually authenticated; network connectivity is available throughout

Different Modes of Authentication in Microsoft Environments

• Controlled by registry keys
• Authentication by machine only: no need for user authentication if machine authentication is successful
• Authentication by user only: no machine authentication taking place at all; be careful, this breaks group and system policies
• Authentication by user and machine: uses authentication of both user and machine; switches contexts when going from one to the other

How Do You Enable Machine Auth?

• Make sure the computer is a member of the domain
• If using TLS, make sure the computer gets a cert, either through auto-enrollment or manually
• If using EAP-FAST, PEAP or EAP-TLS, make sure that the CA cert is in the local machine store; it is typically added if the CA is up when the machine is added to the domain; if not, you can force it via auto-enrollment too
• Tick the check box "authenticate as computer when computer information is available" in the Authentication tab of the Local Area Connection properties window

Machine Auth Using PEAP or TLS

• Machine authentication using PEAP
  - Uses the account information for the computer created at the time the machine is added to the domain
  - The computer must be a member of the domain
  - If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert
• Machine authentication using EAP-TLS
  - Authenticates the computer using certs
  - The computer must have a valid cert
  - If doing mutual authentication, the computer must trust the signing CA of the RADIUS server's cert
  - The easiest way to deploy is using MS-CA and Windows GPOs

Microsoft Issues with DHCP

DHCP is a parallel event, independent of 802.1x authentication
• With wired interfaces, a successful 802.1x authentication does not force a DHCP address discovery (no media-connect signal)
• This produces a problem if not properly planned
• DHCP starts once the interface comes up
• If 802.1x authentication takes too long, DHCP may time out

  802.1x Auth: variable timeout
  DHCP: timeout at 62 seconds
  Power Up → Load NDIS Drivers → DHCP → Setup Secure Channel to DC → Present GINA (Ctrl-Alt-Del) → Login

How to Address DHCP Timeout with 802.1x?

• Use machine authentication; this allows the initial machine authentication to obtain an IP address
• Supplicant behavior has been addressed by Microsoft
  - Windows XP: install Service Pack 1a + KB 826942
  - Windows 2000: install Service Pack 4
• Updated supplicants trigger DHCP IP address renewal
  - Successful authentication causes the client to ping the default gateway (three times) with a subsecond timeout
  - Lack of echo reply will trigger a DHCP IP renew
  - Successful echo reply will leave the IP as is
  - The pre-renewal ping prevents lost connections when the subnet stays the same but the client may be WLAN roaming

Microsoft Fixes: Windows XP: install Service Pack 1a + KB 826942; Windows 2000: install Service Pack 4

Supplicant ↔ Authenticator ↔ Authentication Server
  Login request; supplicant sends credentials; authenticator forwards credentials to the ACS server
  Accept; Auth Successful (EAP-Success)
  As soon as the EAP-Success frame is received: ICMP Echo (x3) for the default GW from the "old IP" (VLAN assignment)
  After the pings have gone unanswered: DHCP-Request (D=255.255.255.255)
  DHCP-NAK (wrong subnet)
  DHCP-Discover (D=255.255.255.255)
  At this point, DHCP proceeds normally

802.1x and Machine Access Restriction

Machine authentication:
• Machine boots up
• Interface becomes active (not authenticated)
• 802.1x authentication starts
• Machine sends its credential:
  - EAP-TLS: "Machine Certificate"
  - PEAP-MS-CHAPv2: Windows AD shared secret
  - EAP-FAST with CTA 2.0 supplicant
  - Machine authentication name prefix "host/"

User authentication:
• If a user logs on to the machine, the machine sends an EAPOL-Start message to notify the access point or switch that a new authentication is being performed
• The following EAP-TLS, PEAP-MS-CHAPv2 or EAP-FAST authentication will be done with the user's credential

Note: those are two independent authentications

802.1x and Machine Access Restriction

• If machine authentication fails or is not enabled, a user can still successfully access the network
• So machine authentication does not prevent users from accessing the network with an unregistered machine

User authentication:
• If a user logs on to the machine, the machine sends an EAPOL-Logoff message to notify the access point or switch that the previous authentication is no longer valid
• The following EAP-TLS, PEAP-MS-CHAPv2 or EAP-FAST authentication will be done with the user's credential
• The host/name format of the authentication request triggers the MAR check

802.1x and Machine Access Restriction

• User authentication is only successful after a previous successful machine authentication
• EAP-FAST, PEAP with EAP-MS-CHAPv2 and EAP-TLS only
• Allows machine authentication to be used as a condition for user authorization
• This provides a way to deny authentication for a user because machine authentication to the network was not completed prior to a login attempt
• Machine authentication by itself does not prevent users from accessing the network with an unregistered machine; to enforce this restriction, ACS now only completes a user authentication if the MAC address associated with the attempt was previously included in a successful machine authentication

802.1x Supplicant Support

• 802.1x requires client-side code (supplicant code)
• Growing support for supplicants in the industry
  - Microsoft: native in Win2K, XP, and 2003
  - Meetinghouse: support for WinNT, Win2K, WinXP, Win98, WinME, Solaris, Red Hat
  - Open source: Open1x xsupplicant for UNIX/Linux platforms
  - Apple: native OS X support
  - Cisco: ACU (wireless client), CTA (wired client)

Supplicant Considerations

• Microsoft Windows
  - User and machine authentication
  - DHCP request timeout
  - Machine authentication restriction
  - Default methods: MD5, PEAP, EAP-TLS
• Unix/Linux considerations
  - Open source: xsupplicant project (University of Utah), available from http://www.open1x.org
  - Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC
• Native Apple supplicant support in OS X 10.3
  - 802.1x is turned off by default!
  - Default parameters: TTLS, LEAP, PEAP, MD5 supported
  - Support for AirPort and wired interfaces
  - Single sign-on can be accomplished with AppleScripts
• Commercial products
  - Meetinghouse AEGIS supplicant, http://www.mtghouse.com/

Authorization

• Authorization is the embodiment of the ability to enforce policies on identities
• Typically, policies are applied using a group methodology, which allows for easier manageability
• The goal is to take the notion of group management and policies into the network
• The most basic authorization in 802.1x and IBNS is the ability to allow or disallow access to the network at the link layer
• Other forms of authorization include VLAN assignment, ACL assignment, QoS policy assignment, 802.1x with ARP inspection, etc.

802.1x with VLAN Assignment

AV pairs used (all are IETF standard):
• [64] Tunnel-Type: "VLAN" (13)
• [65] Tunnel-Medium-Type: "802" (6)
• [81] Tunnel-Private-Group-ID: "Marketing"

CatOS: RADIUS attributes received in CatOS are automatically implemented if 802.1x is enabled.
IOS:
  aaa authorization network default group radius

• The VLAN name must match the switch configuration
• A mismatch results in authorization failure

• Dynamic VLAN assignment based on the identity of the group, or individual, at the time of authentication
• VLANs are assigned by name, which allows for more flexible VLAN management
• Allows dynamic VLAN policies to be applied to groups of users (i.e., VLAN QoS, VLAN ACLs, etc.)
• Tunnel attributes are used to send VLAN configuration information back to the authenticator
• Tunnel attributes are defined by RFC 2868
• Usage for VLANs is specified in the 802.1x standard

802.1x with ACL Assignment

• Vendor-specific attributes used for RADIUS:
  - [026]: vendor specific
  - [009]: vendor ID for Cisco
  - [001]: refers to the VSA number
• Attribute used for predefined ACLs:
  - [11]: Filter-Id

Example ACL:
  permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
  deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
  permit ip any host 209.165.201.5

CatOS: RADIUS attributes received in CatOS are automatically implemented if 802.1x is enabled.
IOS:
  aaa authorization network default group radius

802.1x with ACLs

802.1x with QoS Policy

• Vendor-specific attributes used for RADIUS:
  - [026]: vendor specific
  - [009]: vendor ID for Cisco
  - [001]: refers to the VSA number

Example CatOS QoS PACL:
  set qos acl ip ACL dscp 7 any

CatOS: RADIUS attributes received in CatOS are automatically implemented if 802.1x is enabled.
IOS:
  aaa authorization network default group radius

• Used to enable automatic QoS provisioning of users
• In this example, RADIUS will send down a QoS PACL name along with an Accept packet
• The policy is converted into ACEs and installed on this switch

802.1x with QoS Policy

802.1x and Authorization Failure

• The switch will fail an authentication to a client if the authorization from the authentication server cannot be applied to the switch
• For example, vlan = employee and there is no VLAN named employee on the switch
• The issue is exacerbated with NAC2, since the CTA pop-up says healthy, ACS says healthy, the switch fails the authentication, and the client shows a failed authentication

Inaccessible Authentication Bypass

CatOS:
  set port dot1x 5/1 critical 10
IOS:
  dot1x critical
  radius-server x.x.x.x username test password test
  interface GigabitEthernet1/0/1
   dot1x critical
   dot1x critical vlan 10

  Port Unauthorized
  Supplicant → Switch:  EAPOL-Start
  Switch → Supplicant:  EAP-Identity-Request
  Supplicant → Switch:  EAP-Identity-Response
  Auth Exchange with AAA Server: no answer (AAA server unreachable)
  Switch → Supplicant:  EAP-Success/Failure
  • Port authorized
  • Move to access VLAN (first authentication)
  • Or keep existing VLAN (re-authentication)

IBNS Reporting and Monitoring

• Major components of IBNS monitoring: RADIUS accounting, NAD logs, RADIUS logs, NAD CLI
• Major components of IBNS reporting: correlated log reports (MARS)

802.1x with RADIUS Accounting

Supplicant, 802.1x process (switch) and RADIUS process (server):
1. Authenticate
2. Access-Accept from the RADIUS server; EAPOL-Success to the supplicant
3. Accounting-Request (switch to RADIUS server)
4. Accounting-Response

• Accounting-Request packets contain one or more AV pairs to report various events and related information to the RADIUS server
• User-level events are tracked through the same mechanism

802.1x with RADIUS Accounting

• Similar to other accounting and tracking mechanisms that already exist using RADIUS; can now be done through 802.1x
• Increases network session awareness
• Provides information to a management infrastructure about who logs in and session duration, and supports basic billing and usage reporting, etc.
• Provides a means to map the authenticated identity to IP address, port, MAC and switch: Identity = IP, Port, MAC, Switch; Switch + Port = Location

CatOS: set dot1x radius-accounting enable
IOS: aaa accounting dot1x default start-stop group radius
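The mapping the slide describes (identity to IP, MAC, switch and port; switch plus port as location) is what a monitoring system builds from the Start/Interim-Update/Stop records. The following is an added example, not Cisco code or output: it folds constructed accounting records (RFC 2866 attribute names, made-up users, MACs and addresses) into a session table and answers "who is at this IP right now".

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: RADIUS accounting records for two 802.1x sessions, laid
# out one attribute per line with a blank line between records (the "detail"
# style many RADIUS servers log). Attribute names follow RFC 2866; usernames,
# MACs, addresses and session ids are made up for this example.
SAMPLE_DETAIL_LOG = """
Acct-Status-Type = Start
Acct-Session-Id = "0000A1"
User-Name = "alice"
Calling-Station-Id = "00-0E-00-AA-AA-AA"
NAS-IP-Address = 10.10.0.2
NAS-Port-Id = "GigabitEthernet1/0/1"

Acct-Status-Type = Start
Acct-Session-Id = "0000B7"
User-Name = "bob"
Calling-Station-Id = "00-0E-00-BB-BB-BB"
NAS-IP-Address = 10.10.0.3
NAS-Port-Id = "GigabitEthernet1/0/7"
Framed-IP-Address = 10.1.1.51

Acct-Status-Type = Interim-Update
Acct-Session-Id = "0000A1"
User-Name = "alice"
Framed-IP-Address = 10.1.1.50

Acct-Status-Type = Stop
Acct-Session-Id = "0000B7"
User-Name = "bob"
Acct-Session-Time = 3600
Acct-Terminate-Cause = User-Request
"""


def parse_records(text: str) -> list:
    """Split the detail log into records; each record is a dict of attribute -> value."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    if current:
        records.append(current)
    return records


@dataclass
class Session:
    session_id: str
    user: str
    mac: str
    switch: str        # NAS-IP-Address
    port: str          # NAS-Port-Id
    ip: Optional[str] = None
    active: bool = True
    duration: Optional[int] = None
    terminate_cause: Optional[str] = None

    @property
    def location(self) -> str:
        # Switch + Port = Location, as the slide puts it.
        return f"{self.switch} {self.port}"


def build_sessions(records: list) -> dict:
    """Fold Start / Interim-Update / Stop records into a table keyed by Acct-Session-Id."""
    sessions = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        status = rec["Acct-Status-Type"]
        if status == "Start":
            sessions[sid] = Session(sid, rec["User-Name"], rec["Calling-Station-Id"].lower(),
                                    rec["NAS-IP-Address"], rec["NAS-Port-Id"],
                                    rec.get("Framed-IP-Address"))
            continue
        session = sessions.get(sid)
        if session is None:
            continue   # Interim/Stop for a session whose Start was never logged
        if "Framed-IP-Address" in rec:
            session.ip = rec["Framed-IP-Address"]   # the IP often arrives after DHCP, in an update
        if status == "Stop":
            session.active = False
            session.duration = int(rec.get("Acct-Session-Time", 0))
            session.terminate_cause = rec.get("Acct-Terminate-Cause")
    return sessions


def who_has_ip(sessions: dict, ip: str) -> Optional[Session]:
    """Answer 'who is at this IP right now' from the live sessions only."""
    for session in sessions.values():
        if session.active and session.ip == ip:
            return session
    return None


SESSIONS = build_sessions(parse_records(SAMPLE_DETAIL_LOG))
```

Keying on Acct-Session-Id rather than on the user name is what keeps a Stop from one session from closing another session of the same user on a different port.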

Demonstrations

• Authentication with 802.1x
  1) Dynamic VLAN assignment
  2) QoS deployment on the switch port (with and without a worm...)
  3) Accounting log on the RADIUS server
  4) If possible, username in the port description

Programme

• Authentication
  - Who can access the network
  - The impact of telephony
  - 802.1x, visitors, web-based authentication
• Endpoint compliance at connection time
  - On the LAN, over VPN, etc.
• Best practices for controlling users connected to the network
  - Security features present in Cisco switches
  - QoS deployed?
  - Cisco Security Agent (CSA)
• Network monitoring and configuration

What Is Network Admission Control?

Using the network to enforce policies ensures that incoming devices are compliant.

Identity ("Please enter username:")
• Who is the user?
• Is s/he authorized?
• What role does s/he get?

Device security
• Is MS patched?
• Does A/V or A/S exist? Is it running?
• Are services on?
• Do required files exist?
• Is remediation required?
• Is remediation available?

Network security (NAC)
• Is policy established?
• Are non-compliant devices quarantined?

Make Access Contingent on Compliance

First, establish ACCESS POLICIES. Then:

Authenticate & Authorize
• Enforces authorization policies and privileges
• Supports multiple user roles

Quarantine & Enforce
• Isolate non-compliant devices from rest of network
• MAC and IP-based quarantine effective at a per-user level

Scan & Evaluate
• Agent scan for required versions of hotfixes, AV, etc.
• Network scan for virus and worm infections and port vulnerabilities

Update & Remediate
• Network-based tools for vulnerability and threat remediation
• Help-desk integration

NO COMPLIANCE = NO NETWORK ACCESS

NAC Means Better Criteria for Security

• What system is it? Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset
• Who owns it? Company employee, contractor, guest, unknown
• Where is it coming from? VPN, LAN, WLAN, WAN
• What's on it? Anti-Virus, Anti-Spyware, Personal Patching Tools; is it running?
• What's the preferred way to check/fix it? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software

Four Key Capabilities of Cisco NAC

1. Securely Identify Device and User
   What it means: Associate users to devices
   Why it is important: Associating users with devices enables granular enforcement of policies by role or group

2. Enforce Consistent Policy
   What it means: Assess devices; enforce policies
   Why it is important: Enforcement at the network reduces reliance on the integrity of the endpoint

3. Quarantine and Remediate
   What it means: Isolate and fix non-compliant devices
   Why it is important: Quarantine is critical to halt the spread of vulnerabilities; remediation addresses root cost drivers

4. Configure and Manage
   What it means: Create and manage policies easily
   Why it is important: Policies that are easy to create and maintain lead to better system operations and adherence

A Comprehensive NAC Solution Must Have All Four Capabilities: The Absence of Any One Weakens the Solution

Cisco NAC Is Widely Deployed Today

• NAC Appliance has 1500+ customers worldwide
• Mid-market and large enterprises: financial services, healthcare/manufacturing, public sector
• All use cases, one product: managed LAN/VoIP users, unmanaged/guest LAN users, wireless LAN users, VPN/remote/WAN users (remote access, wireless/guest, campus LAN)

"Cisco... is unrivaled as a market leader in the NAC appliance space, holding over 45% of the market." -- Frost & Sullivan, 11/06

NAC Appliance Components

• Cisco Clean Access Manager: centralizes management for administrators, support personnel, and operators
• Cisco Clean Access Server: serves as the enforcement point for network access control
• Cisco Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments
• Rule-set Updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications

NAC Appliance Use Cases

• Branch Compliance: branch access only for compliant devices (REMOTE BRANCH)
• Campus LAN Compliance: LAN network access only for compliant devices (CAMPUS BUILDING 1)
• Wireless Compliance: secure network access only for compliant wireless devices (WIRELESS BUILDING 2)
• Intranet Access Compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc. (802.1Q)
• Guest Compliance: restricted access only for guest users (CONFERENCE ROOM IN BUILDING 3)
• VPN User Compliance: intranet access only for compliant remote access users (INTERNET, IPSec)

Cisco NAC Appliance Overview

THE GOAL

1. End user attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information (Authentication Server).
2. User is redirected to a login page (Cisco Clean Access Manager, Cisco Clean Access Server, Intranet/Network). Clean Access validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is noncompliant or login is incorrect: user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": machine gets on the "certified devices list" and is granted access to the network.

End User Experience: Web-based

Login screen; scan is performed (types of checks depend on user role/OS); click-through remediation

End User Experience: Web-based

Flash Demo - cca_agentless_swf_v3.swf

End User Experience: with Agent

Login screen; scan is performed (types of checks depend on user role); scan fails; remediate

End User Experience: with Agent

Flash Demo - cca_inline_agent_sso_swf_v1.swf

Cisco NAC Appliance Partnerships

Cisco NAC is committed to protecting customers' investments in partner applications.

NAC Appliance supports policies for 300+ applications, including these vendors:

Corporate/Employee Posture Assessment

Corporate Asset Tag
• Unique registries inserted into corporate devices
• Corporate PKI certificates installed in corporate devices
Microsoft Hotfixes
• Critical hot-fix checks (provided via Cisco automated updates)
• SUS/WUS running or AU options (can force setting)
• Patch management software running (can launch qualified .exe)
Security Applications
• HIDS (CSA) or personal firewall installed and running
• AV installed, running and latest DAT (can launch AV)
• Anti-spyware installed and running
• Encryption software installed and running

NAC Decision Tree for Employee

Corp Asset Tag? No: No access, call HelpDesk
SUS/SMS/CSA running? No: No access, start service
Hotfixes up to date? No: Internet only, SUS/SMS runs (Quarantine)
AV/AS up to date? No: Internet only, launch AV
All checks pass: Access

Cisco Clean Access for Corporate LAN

Diagram: Central Site (CCA) connected over 802.1q and L2TPv3 to campus buildings with corporate users (multi-hop IP) and guest users

FEATURES / BENEFITS
• Supports 802.1q trunking / Enables central deployment mode
• Supports both L3 multi-hop and L2 / End user devices can be several hops away
• Supports L2TPv3 tunneling / Extends enforcement to campus buildings
• Supports both inband and out-of-band / Leverages AD SSO

Cisco Clean Access for Remote Users

Diagram: Central Site (CCA) reached by a Supply Partner Extranet (IPSec VPN), an Account Manager / Mobile User (SSL Tunnel VPN, multi-hop IP), a Home Office (IPSec VPN, unmanaged desktop) and a Branch Office (CCA, corporate users)

FEATURES / BENEFITS
• Supports IPSec and SSL Tunnel VPNs / Extends policy enforcement and compliance to remote access and VPN users
• Supports site-to-site VPNs / Extends enforcement to site-to-site VPN partners
• Supports VPN user sign-on / Leverages VPN sign-on for single-sign-on

End User Experience: Remote Access

Flash Demo - cca_ssl_vpn_swf_v1.swf

Cisco Clean Access for Wireless Users

Diagram: Central Site (CCA, WLSM) connected over 802.1q, LWAPP and GRE to a wireless network with guest users, and to a campus building wireless network (802.1q, LWAPP) with wireless users

FEATURES / BENEFITS
• Supports 802.1q trunking / Enables central deployment mode
• Supports L2TPv3 or GRE tunneling / End user devices can be several hops away
• Supports thin or thick wireless 802.11 APs / Extends enforcement to any wireless networks
• Supports wireless user sign-on / Leverages EAP sign-on for single-sign-on

NAC Appliance Process Flow Out-Of-Band Access

Diagram: laptop/host with CCA Agent on a switch access port; CCA Manager (CAM) and CCA Server (CAS) reachable over VLAN 110 (authentication VLAN); production network on VLAN 10 (access VLAN)

1. End user attaches a laptop to the network
2. Switch sends the MAC address via an SNMP-based notification to the CAM
3. CAM verifies whether the laptop is on the "OOB online" or "Certified devices" list
   • If the laptop is not in the "OOB online" or "Certified devices" list, the CAM instructs the switch to assign the port to the authentication VLAN
   • A DHCP address is assigned as DHCP/DNS traffic traverses the CAS using VLAN mapping
4. CAS is on the same authentication VLAN as the laptop; CAS enforces the network access restriction
5. Laptop is challenged for credentials to determine its "role"
   • CCA Agent receives compliance "checks" from the CAS based on the "role"
   • CCA Agent guides the host through a step-by-step remediation process
   • User is allowed access to remediation sites as enforced by the CAS
6. CAS informs the CAM that the host is now "certified"
7. CAM instructs the switch to put the port onto the "access" VLAN based on the CCA Manager port mapping or the role assignment
8. Laptop is now allowed access to the production network
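The eight steps above, played through as an added model (not Cisco code, not the appliance's real protocol): the CAM keeps the certified and OOB-online lists and drives the switch port's VLAN, the CAS maps credentials to a role and runs role-dependent checks; the VLAN numbers are the slide's, the user directory and the check names are made up.

```python
from dataclasses import dataclass, field

# Constructed model of the out-of-band flow on the slides (CAM, CAS, switch, CCA
# Agent). This is an added illustration, not Cisco code; VLAN numbers are the
# slide's, the user directory and the posture checks are made up.
AUTH_VLAN = 110     # authentication VLAN, where the CAS sits
ACCESS_VLAN = 10    # production network

ROLE_CHECKS = {     # compliance "checks" the CAS sends the agent, by role
    "employee": {"av_running", "critical_hotfixes", "csa_running"},
    "guest": set(),
}


@dataclass
class Switch:
    port_vlan: dict = field(default_factory=dict)

    def set_vlan(self, port: str, vlan: int) -> None:
        self.port_vlan[port] = vlan


@dataclass
class CleanAccessServer:
    users: dict   # username -> (password, role)

    def authenticate(self, username: str, password: str):
        entry = self.users.get(username)
        return entry[1] if entry and entry[0] == password else None

    def posture(self, role: str, host_state: set) -> set:
        """Return the checks the host still fails for its role (empty = compliant)."""
        return ROLE_CHECKS.get(role, set()) - host_state


@dataclass
class CleanAccessManager:
    switch: Switch
    cas: CleanAccessServer
    certified: set = field(default_factory=set)    # "Certified devices" list (MACs)
    oob_online: set = field(default_factory=set)   # "OOB online" list (MACs)
    port_map: dict = field(default_factory=dict)   # port -> access VLAN override

    def link_up(self, port: str, mac: str) -> str:
        """Steps 2-3: SNMP MAC notification; choose authentication or access VLAN."""
        if mac in self.certified or mac in self.oob_online:
            self.switch.set_vlan(port, self.port_map.get(port, ACCESS_VLAN))
            return "access"
        self.switch.set_vlan(port, AUTH_VLAN)
        return "authentication"

    def host_session(self, port, mac, username, password, host_state, fixable=frozenset()):
        """Steps 1-8 for one host; `fixable` = checks the user can fix via the remediation sites."""
        if self.link_up(port, mac) == "access":
            return "access"
        role = self.cas.authenticate(username, password)      # step 5: credentials -> role
        if role is None:
            return "denied"                                   # port stays on VLAN 110
        missing = self.cas.posture(role, host_state)
        if missing:                                           # agent-guided remediation
            missing -= set(fixable)
            if missing:
                return "quarantine: " + ", ".join(sorted(missing))
        self.certified.add(mac)                               # step 6: host "certified"
        self.oob_online.add(mac)
        self.switch.set_vlan(port, self.port_map.get(port, ACCESS_VLAN))   # step 7
        return "access"                                       # step 8


def demo_scenario() -> dict:
    """A compliant employee, a reconnect, a bad login, a non-compliant host and a guest."""
    switch = Switch()
    cas = CleanAccessServer({"alice": ("s3cret", "employee"), "guest1": ("welcome", "guest")})
    cam = CleanAccessManager(switch, cas)
    results = {
        "alice_first": cam.host_session("Fa0/1", "00:0e:00:aa:aa:aa", "alice", "s3cret",
                                        {"av_running"}, fixable={"critical_hotfixes", "csa_running"}),
        "alice_reconnect": cam.link_up("Fa0/2", "00:0e:00:aa:aa:aa"),
        "bad_password": cam.host_session("Fa0/3", "00:0e:00:bb:bb:bb", "alice", "wrong", set()),
        "noncompliant": cam.host_session("Fa0/4", "00:0e:00:cc:cc:cc", "alice", "s3cret", {"av_running"}),
        "guest": cam.host_session("Fa0/5", "00:0e:00:dd:dd:dd", "guest1", "welcome", set()),
    }
    return {"results": results, "port_vlan": dict(switch.port_vlan)}
```

The port only moves to VLAN 10 after the CAS has reported the host certified; a failed login or an unremediated check leaves it on VLAN 110, where the CAS is the only thing reachable.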

NAC Appliance Process Flow Out-Of-Band Access

Flash Demo - cca_oob_agent_sso_swf_v1.swf

Programme



Catalyst Access Control Lists

What It Does: Allows or denies access based on the source or destination address. Restricts users to designated areas of the network, blocking unauthorized access to all other applications and information.
Benefits: Prevents unauthorized access to servers and applications. Allows designated users to access specified servers.

• PACL - Provides granular control for limited access by the access port of the device
• RACL - Controls traffic on Layer 2 and 3 interfaces
• VACL - Provides granular control for limited access within a VLAN or subnet
• Time-Based ACL - ACL becomes active at certain times of the day

Protecting against Worms – 1

How It Works: ACLs provide a mechanism to protect servers, users and applications against worms by determining which traffic streams or users can access which ports. (Diagram labels: Port 1434, Internal Network)

Using ACLs, the virus or worm is not able to replicate from its hosts.

Time-Based ACLs

How It Works: Controls the switching of data based on the time of day.

Diagram: OK to use Server 1, not OK to use Server 2, OK to use Server 3, not OK to use Server 4; ACL goes on at 8:00 AM, ACL goes off at 5:00 PM

Keeping Neighbors Separated

Problem: Neighbors on the same switch can view each other's traffic, including logon IDs and passwords. Policy must be enforced on how traffic is passed between workgroups.

Solution: Private VLAN Edge to block Layer 2 traffic between users in the same VLAN

Raising the Bar on Surveillance Attacks: MAC Flooding Attacks

Diagram: 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb; only 3 MAC addresses allowed on the port: shutdown; 132,000 bogus MACs

• "Script Kiddie" hacking tools enable attackers to flood switch CAM tables with bogus MACs, turning the VLAN into a "hub" and eliminating privacy
• A switch CAM table supports a limited number of MAC addresses
• Port security limits the MAC flooding attack, locks down the port and sends an SNMP trap

Port Security

What It Does: Limits the number of MAC addresses that are able to connect to a switch and ensures only approved MAC addresses are able to access the switch.
Benefit: Ensures only approved users can log on to the network.

Diagram: 1 MAC address √; additional MAC address X
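The previous two slides describe the flood and the counter-measure; the following added model (not Cisco code) plays the 132,000-bogus-MAC flood against a port limited to 3 secure addresses and shows how the three violation modes and inactivity aging (the "aging time 2" / "aging type inactivity" settings that appear in the summary slide's configuration) differ. Timestamps are in minutes and the MAC values are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of Catalyst port security (an added illustration, not Cisco
# code). Times are in minutes so that "aging time 2" reads as in the slides.


@dataclass
class SecurePort:
    maximum: int = 3               # switchport port-security maximum 3
    violation: str = "shutdown"    # shutdown | restrict | protect
    aging_time: int = 0            # minutes; 0 means secure MACs never age out
    aging_type: str = "absolute"   # absolute | inactivity
    secure_macs: dict = field(default_factory=dict)   # mac -> timestamp (learned / last seen)
    err_disabled: bool = False
    violations: int = 0
    traps: int = 0                 # SNMP traps sent (shutdown and restrict modes only)

    def _age_out(self, now: int) -> None:
        if self.aging_time <= 0:
            return
        expired = [m for m, t in self.secure_macs.items() if now - t >= self.aging_time]
        for mac in expired:
            del self.secure_macs[mac]

    def frame_from(self, mac: str, now: int = 0) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'shutdown'."""
        if self.err_disabled:
            return "drop"                        # err-disabled until an admin recovers the port
        self._age_out(now)
        if mac in self.secure_macs:
            if self.aging_type == "inactivity":
                self.secure_macs[mac] = now      # traffic refreshes the inactivity timer
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[mac] = now          # dynamically learned secure MAC
            return "forward"
        # A new source MAC beyond the limit is a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.traps += 1
            return "shutdown"
        if self.violation == "restrict":
            self.traps += 1                      # counted and trapped, frame dropped
        return "drop"                            # protect: silently dropped


def mac_flood(port: SecurePort, count: int) -> dict:
    """Replay the slide's scenario: a flood of distinct bogus source MACs against one port."""
    outcome = {"forward": 0, "drop": 0, "shutdown": 0}
    for n in range(count):
        bogus = "00:0e:00:%02x:%02x:%02x" % ((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)
        outcome[port.frame_from(bogus)] += 1
    return outcome
```

In shutdown mode the fourth address err-disables the port and everything after it is dropped; in restrict mode the port stays up and every excess frame is dropped and counted, which is why the restrict counters are the thing to alert on.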

Notification for Intrusion

• MAC Address Notification alerts network administrators if unauthorized users come on to the network (Alert! Unauthorized User Identified)

DHCP Snooping

What It Does:
• Switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic
• Allows only designated DHCP ports or uplink ports that are trusted to relay DHCP messages
• Builds a DHCP binding table containing client IP address, client MAC address, port, and VLAN number

Benefit: Eliminates rogue devices from behaving as the DHCP server

Diagram: DHCP server on a trusted port (DHCP snooping enabled); client and rogue server on untrusted ports; DHCP Request from the client is forwarded (√), DHCP ACK from the rogue server is dropped (X)

Dynamic ARP Inspection

Protects against ARP poisoning
• Uses the DHCP snooping binding table
• Tracks MAC to IP from DHCP transactions
• Rate-limits ARP requests from client ports; stops port scanning
• Drops BOGUS ARPs; prevents ARP poisoning/MIM attacks

Diagram: Gateway = 10.1.1.1 (MAC=A); Attacker = 10.1.1.25 (MAC=B); Victim = 10.1.1.50 (MAC=C). The attacker sends gratuitous ARPs "10.1.1.50=MAC_B" and "10.1.1.1=MAC_B".

IP Source Guard: Protection against Spoofed IP Addresses

Protects against spoofed IP addresses
• Uses the DHCP snooping binding table
• Tracks IP address to port associations
• Dynamically programs a port ACL to drop traffic not originating from the IP address assigned via DHCP

Diagram: Gateway = 10.1.1.1; Attacker = 10.1.1.25 claims "Hey, I'm 10.1.1.50!"; Victim = 10.1.1.50

Private VLAN

How it Works: A common subnet is sub-divided into multiple private VLANs. Hosts on a given private VLAN can only communicate with the default gateway, NOT with other hosts on the network.

Benefit: Simplified mechanism of traffic management while conserving IP address space

Diagram: Primary VLAN with Default Gateway; Community VLAN 'A', Community VLAN 'B', Isolated VLAN (isolated ports)

Catalyst Integrated Security Features Summary

IOS configuration (callouts: IP Source Guard, Dynamic ARP Inspection, DHCP Snooping, Port Security):
ip dhcp snooping
ip dhcp snooping vlan 2-10
ip arp inspection vlan 2-10
!
interface fa3/1
 switchport port-security
 switchport port-security max 3
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
!
interface gigabit1/1
 ip dhcp snooping trust
 ip arp inspection trust

• Port Security prevents MAC flooding attacks
• DHCP snooping prevents client attacks on the switch and server
• Dynamic ARP Inspection adds security to ARP using the DHCP snooping table
• IP Source Guard adds security to the IP source address using the DHCP snooping table
• All features work on switchports
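The DHCP Snooping, Dynamic ARP Inspection and IP Source Guard slides above all hang off the same binding table, so here is one added model (not Cisco code) covering all three: untrusted-port DHCP replies are dropped, ACKs from the trusted uplink populate the table, DAI checks ARP sender IP/MAC/port against it and err-disables a port past the 100 pps limit from the configuration above, and IPSG checks the IP source against the lease on that port. Addresses and MAC letters A/B/C are the slides' examples; port names are made up.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed model of DHCP snooping, Dynamic ARP Inspection and IP Source Guard
# sharing one binding table. It is an added illustration, not Cisco code; the
# addresses and MAC letters A/B/C are the slides' examples, port names are made up.


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooped_vlans, arp_rate_limit=100):
        self.trusted = set(trusted_ports)       # uplink(s) toward the real DHCP server/gateway
        self.vlans = set(snooped_vlans)         # "ip dhcp snooping vlan ..."
        self.arp_rate_limit = arp_rate_limit    # "ip arp inspection limit rate 100" (packets/s)
        self.bindings = {}                      # (vlan, ip) -> Binding: the snooping table
        self.pending = {}                       # client mac -> port of its DISCOVER/REQUEST
        self.arp_seen = defaultdict(int)        # (port, second) -> ARP packets seen
        self.err_disabled = set()
        self.log = []

    def _drop(self, reason, *detail):
        self.log.append((reason,) + detail)
        return "drop"

    # DHCP snooping: clients may only ask, servers may only answer on trusted ports
    def dhcp(self, msg_type, port, vlan, client_mac, yiaddr=None):
        if vlan not in self.vlans:
            return "forward"
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port
            return "forward"
        if port not in self.trusted:
            return self._drop("rogue-dhcp-server", port, msg_type)   # OFFER/ACK from an access port
        if msg_type == "ACK" and client_mac in self.pending:
            self.bindings[(vlan, yiaddr)] = Binding(yiaddr, client_mac, vlan, self.pending[client_mac])
        return "forward"

    # Dynamic ARP Inspection: sender IP/MAC on an untrusted port must match a binding
    def arp(self, port, vlan, sender_ip, sender_mac, second=0):
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            return "forward"
        self.arp_seen[(port, second)] += 1
        if self.arp_seen[(port, second)] > self.arp_rate_limit:
            self.err_disabled.add(port)                # rate limit exceeded: port err-disabled
            return self._drop("arp-rate-limit", port)
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac or b.port != port:
            return self._drop("dai-invalid-arp", port, sender_ip, sender_mac)
        return "forward"

    # IP Source Guard: source IP on an untrusted port must be the one leased to that port
    def ip(self, port, vlan, src_ip):
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.port != port:
            return self._drop("ipsg-spoofed-source", port, src_ip)
        return "forward"


def slide_scenario():
    """Replays the attacker / victim / gateway picture from the DAI and IPSG slides."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"}, snooped_vlans={10})
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    # Victim (MAC C, Fa3/2) and attacker (MAC B, Fa3/1) both get leases from the real server.
    for mac, port, ip in ((C, "Fa3/2", "10.1.1.50"), (B, "Fa3/1", "10.1.1.25")):
        sw.dhcp("DISCOVER", port, 10, mac)
        sw.dhcp("ACK", "Gi1/1", 10, mac, yiaddr=ip)
    results = {
        "rogue_offer": sw.dhcp("OFFER", "Fa3/1", 10, C, yiaddr="10.1.1.99"),
        "garp_claim_victim": sw.arp("Fa3/1", 10, "10.1.1.50", B),    # "10.1.1.50 = MAC_B"
        "garp_claim_gateway": sw.arp("Fa3/1", 10, "10.1.1.1", B),    # "10.1.1.1 = MAC_B"
        "attacker_own_arp": sw.arp("Fa3/1", 10, "10.1.1.25", B),
        "gateway_arp": sw.arp("Gi1/1", 10, "10.1.1.1", A),
        "spoofed_ip": sw.ip("Fa3/1", 10, "10.1.1.50"),                # "Hey, I'm 10.1.1.50!"
        "attacker_own_ip": sw.ip("Fa3/1", 10, "10.1.1.25"),
    }
    return sw, results


def rate_limit_scenario(pps):
    """Attacker on Fa3/1 sends `pps` ARP packets within one second against the 100 pps limit."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/1"}, snooped_vlans={10})
    B = "00:00:00:00:00:0b"
    sw.dhcp("DISCOVER", "Fa3/1", 10, B)
    sw.dhcp("ACK", "Gi1/1", 10, B, yiaddr="10.1.1.25")
    verdicts = [sw.arp("Fa3/1", 10, "10.1.1.25", B, second=1) for _ in range(pps)]
    return verdicts.count("forward"), "Fa3/1" in sw.err_disabled
```

Both gratuitous ARPs from the attacker fail the same check: the table has no entry for 10.1.1.1 at all, and the entry for 10.1.1.50 carries MAC C on Fa3/2, not MAC B on Fa3/1.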

Cisco Security Agent: Host Based Intrusion Prevention

Endpoint + Network = Effective Collaborative Security

November 2006

Zero-Day Protection

• Cisco defines Host-Based Intrusion Prevention as the ability to stop Zero Day malicious code without reconfiguration or update.
• CSA has effectively stopped Zero Day exploits, worms, and viruses over the past 6 years:
  2001 – Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
  2002 – Sircam, Debploit, SQL Snake, Bugbear
  2003 – SQL Slammer, So Big, Blaster/Welchia, Fizzer
  2004 – MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
  2005 – Internet Explorer Command Execution Vulnerability, Zotob
  2006 – Internet Explorer textrange vulnerability

No signatures, reconfiguration or binary updates required

Intercepting Operating System Calls

• The Cisco Security Agent intercepts application OS calls and invokes an allow/deny response
• Interceptors monitor calls for resource access: file system; network (inbound/outbound); registry; execution (process creation, library access, executable invocation)
• "Zero Update" architecture: behavior-based control means you don't need a new signature to stop the next attack

Correlation

Diagram: Browser, HTTP (80) CONNECT() system call, OPEN(WRITE) system call (downloaded content), then port 6667 CONNECT() system call, open command shell, modify registry run keys, overwrite system files

Malicious behavior is most accurately identified in context. Cisco Security Agent correlation does this automatically – no configuration required.

Malicious Behavior

1. Probe: ping addresses, scan ports, guess passwords, guess mail users
2. Penetrate: mail attachments, buffer overflows, ActiveX controls, network installs, compressed messages, backdoors
3. Persist: create new files, modify existing files, weaken registry security settings, install new services, register trap doors
4. Propagate: mail copy of attack, web connection, IRC, FTP, infect file shares
5. Paralyze: delete files, modify files, drill security hole, crash computer, denial of service, steal secrets

Probe and penetrate phases: rapidly mutating, continual signature updates, inaccurate
Persist, propagate and paralyze phases: most damaging, change very slowly, inspiration for the CSA solution

Global Correlation

Correlation on Agent
• Higher accuracy
• Fewer "False Positive" events

Correlation on Manager (Management Center)
• Higher accuracy
• Fewer "False Negative" events
• Stops attack before it reaches targets

Example: distributed "Ping Scans", network worm propagation. Cisco Security Agent offers unique agent and management level correlation.

CSA Policy Control

• Some types of behavior are not malicious, but are undesired because they violate Acceptable Use policy:
  - Music sharing via peer-to-peer (P2P) applications
  - Instant messaging using non-corporate IM servers
  - Protecting sensitive organizational data
  - Configuration lockdown during end of year reporting period
  - Which devices cannot be used (USB memory, multimedia devices)
  - Use of unauthorized applications, or unauthorized versions of apps
• CSA policy control modules include:
  - Data Theft Prevention policy
  - Instant Messenger Control policy
  - Music Download Prevention policy
  - Network Lockdown policy

Provide user feedback via pop-up query and audit to demonstrate compliance

Quality of Service (QoS) as a Solution

QoS Benefits
• During disaster: mission critical data still gets through; latency sensitive applications will not be affected
• In general: cost savings, especially on WAN links

QoS Challenges
• Trust boundary generally ends at the access switch
• Lengthy configuration process based on addresses and ports
• Many applications don't have QoS functionality
• Cheaters can skew service delivery
• Entirety of QoS responsibility rests with network ops

CSA + IPS Collaboration with Cisco Network IPS Version 6.0

- Enhanced contextual analysis of endpoint
- Ability to use CSA inputs to influence IPS actions
- Correlation of info. contained in CSA watch list
- Host Quarantining

Scenario walk-through (diagram: CSA Management Console, IPS sensor, Service Provider link, internal servers):
1. Elevate risk rating; deny 10.1.10.1 (OS = WindowsXP)
2. CSA watch list: 10.1.10.1
3. Port scan from an IP not in the watch list (source 10.1.10.2 initiates a port scan destined for internal servers): alarm only
4. Port scan from an IP on the watch list (source 10.1.10.1 initiates a port scan destined for internal servers): drop packet

How does Cisco Security Agent investigation work?

• What do I have?
• What do I use?
• Is it at risk or malicious?
• How do I control it?

What Do I Have?

• Which known and unknown apps are installed?
• Which hotfixes are installed?
• Reports where spyware may have been installed

What Do I Use?

• Not all installed apps are actually used; CSA can track which ones are and how they communicate
• Reports unnecessary apps (servers that listen on a port but don't accept connections)

Is it at Risk?

CSA monitors all file, Registry, COM, and network behavior

Unknown apps can be easily investigated, even when the agent is remote

Suspicious apps can be verified to be malicious or safe from a central location; an app with no network access probably is not a big risk

How Do I Control It?

• Cisco Security Agent policy offers fine-grained control: disallow execution of the app; allow execution, but block the bad behavior; use Query messages to let the user know that what they are doing is being audited
• Cisco Security Agent offers a behavior-based feedback loop so that you can actively understand and control what is happening on end points

The feedback loop helps control identified behavior and refine default policies, without visiting the endpoint

Trusted Boot

Diagram labels: No CSA running; BIOS update; boot to non-primary disk; NAC posture: QUARANTINE; NAC CSA state: INSECURE BOOT; boot to primary disk; NAC posture: REMEDIATE; dynamic policy change

CSA 5.2 - Wireless Control

• Per-application QoS prioritization
• Restrict wireless communication when wired NIC is active
• Connection restrictions - certain SSIDs, encryption, ad-hoc
• Require VPN connection when out of the office

Wireless Controls

• Variable based on interface properties and other strings
• Implemented as both NACL option and system state

Additional Wireless Benefits

• Trunked NICs may show up as multiple virtual NICs: separation of voice and data VLAN at the endpoint
• Broadband cards can be restricted using PPP

Endpoint Security Landscape

Client security suites: Anti-Virus, Anti-Spyware, Personal Firewall
Cisco Security Agent: Host IPS, Acceptable Use Policy, Application Analysis, NAC, Trusted QoS, Increased IPS Accuracy, Rapid containment

Cisco's integration of endpoint and network security improves security and enhances network services.

Programme


Cisco Security Manager Overview

Superior Usability
• Administer policies visually on tables or on a topology map
• Jumpstart help: an extensive animated learning tool
• Flexible management views: policy-based, device-based, map-based, VPN-based
• Single rule table for all platforms
• Intelligent analysis of policies
• Sophisticated rule table editing

VPN Administration
• VPN wizard sets up site-to-site, hub-and-spoke, and full-mesh VPNs with a few mouse clicks
• Configure remote-access VPN, DMVPN, and Easy VPN devices

Policy Administration
• Centrally provision policies for firewalls, VPNs, and IPSs
• Very scalable
• Policy Inheritance feature enables consistent policies across the enterprise
• Powerful device grouping options

Firewall Administration
• Configure policies for ASA, Cisco® PIX® Firewall, FWSM, and Cisco® IOS Software
• Compresses the number of access rules required

IPS Administration
• Automatic updates to the IPS sensors
• Support for Outbreak Prevention Services


Cisco Security Manager Key Differentiation Value

• Offers a single, integrated application for managing security across Cisco® security devices
• Provides multiple views to suit operational needs
• Scales to many hundreds of remote sites
• Enforces corporate rules and provides best-practice guidelines
• Reduces the complexity of different device classes through device abstraction
• Enables SecOps and NetOps to work together
• Controls who can do what on which device
• Offers efficiency in distributing changes to always-on and intermittently on devices

Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 138 Cisco Security Configuration Focus ƒ Focuses on configuration management of security polices in the network ƒ Usability is critical – Provides multiple views to fit the operational needs – Offers easy-to-use, visually appealing user interface – Provides wizards to reduce complexity – Offers advanced tools for the sophisticated user ƒ Core differentiating concepts – Policy sharing and inheritance – Domains-based policy enforcement – Decision support workflow for NetOps and SecOps – Role-based access control for scaled operations – Distributed large-scale deployment

Cisco Security Manager: “It has to be easy to use and flexible.”

• Feature-rich front end
• Different views for different administration preferences
  – Device view
  – Topology view
  – Policy view
• One-stop shop for VPN creation and customization
• Unified service management

Device-Centric View

• Start with single device
• Clone and replicate
• Rapidly deploy the device settings

Policy-Centric View

• Centralized policy management
• Powerful scalability through inheritance, reuse, assignment, and sharing

Topology-Centric View

• Put devices on customizable maps and image backdrops
• Build VPNs with right click
• Launch firewall rules and configure
• Build maps within maps to scale

VPN – Wizard-Based Configuration

• Wizard-based configuration
• Three steps to create a VPN:
  1. Choose VPN topology and technology.
  2. Choose participants.
  3. Customize protected traffic if needed.

Multiple VPN Topologies: Site-to-Site, DMVPN, RA VPN, and Easy VPN

Power Tools: Configuration Archive

• Retrieve and compare delta configurations for deployment
• Can roll back to “golden” or “last known good” configuration
• Compare among previously deployed configurations

Power Tools – FlexConfig

Users can create custom CLI and deploy it as jobs to device(s).
• Convert custom CLI to policies.
• Enable feature velocity.
• Rapidly add new feature support to devices.

Policy Sharing and Inheritance Model: “Scalable policy definition, set once, deploy to many”

What Is It?
• Policies are decoupled from devices
• Share common policies across device groups for:
  – Branch firewall policy
  – Site-to-site VPN
  – Device administration
• Corporate mandatory policies
  – No Napster traffic, period
  – Allow SSH and SSL

Example: the diagram shows one shared Remote Branch Policy applied to several remote branches, with the option to override the central policy at the local level.

Benefit
• Reduced complexity for administrators
• Do more with fewer resources

Domain-Based Policy Enforcement: “Fine-grain control of what traffic flows where”

What Is It?
• Interface groups: interfaces related to a domain
• User customizable

Example
• Define policy to control traffic between domains (the diagram shows Marketing, Engineering, and Sales domains)

Benefit
• Enforce policies based on organizational needs

Workflow: “Enable different management teams to work together”

What Is It?
• Structured process for change management that complements your operational environment

Example
• Who can set policies
• Who can approve them
• Who can approve deployment and when
• Who can deploy them

The diagram shows the two halves of the workflow: Security Operations own Policy Definition (Create/Edit Policy, Review/Submit, Approve/Commit, Undo) and Network Operations own Policy Deployment (Generate/Submit Job, Approve Job, Deploy Job, Rollback) for Firewall, VPN, and IPS Services.

Benefit
• Enables teamwork and collaboration between NetOps and SecOps
• Provides scope of control

Role-Based Access Control

What Is It?
• Authenticates administrator’s access to management system
• Determines who has access to specific devices and policy functions

Example
• Verifies administrators and associates them with specific roles as to who can do what (the diagram shows Cisco Security Manager authenticating against Cisco Secure ACS for AAA, with managed Cisco IOS® Software, Cisco PIX® Firewall and Cisco ASA devices, remote access, and a home office)

Benefit
• Enables delegation of administrator tasks to multiple operators
• Provides appropriate separation of ownership and controls

Scalable Distributed Deployment

What Is It?
• Simplified distributed deployment method for thousands of remote devices

Example
• Updates large numbers of remote firewalls, which may have dynamic addresses, intermittent links, or NAT addresses
• Updates both configurations and software images
• Devices self-update whenever they come online
• Scales through Web technologies

The diagram shows an Update Appliance (Cisco® CNS-CE) in the DMZ and Enterprise Update Servers (Cisco CNS-CE) on the intranet, serving extranet, self-managed ROBO and telecommuter sites over the Internet.

Benefit
• Helps customers with thousands of teleworkers and remote locations with minimal technical staff at the remote site

Cisco Security Manager 3.1 New Features

• Native IPS
• VPN discovery
• SSL VPN support
• Rule table enhancements, folders, and local rules
• Rule combiner
• Advanced Cisco IOS® Software interface and platform settings discovery
• xDM (Cisco® ASDM, SDM, IDM, and IEV) cross launch
• Native Cisco Catalyst® 6000, RACL
• VACL on Cisco Catalyst 6000
• Inventory report with device status
• Management protocol connectivity test
• Detailed Activity report
• High availability

Cisco Security Manager 3.1 IPS Highlights

• Full IPS management integration into Cisco® Security Manager 3.1
• Support of IPS 5.1, 6.0, and Cisco IOS® IPS 12.4(11)T1
• Signature Update wizard that allows insight into and editing of signatures before deployment, with insight into MySDN
• Automatic policy-based IPS sensor software and signature updates
• IPS subscription licensing provisioning
• Role-based access control, policy rollback, configuration archive, deployment manager, cloning and creation of signatures, policy sharing, and inheritance

Cisco Security Manager 3.1 – IPS Device-Centric Signature View

Screenshot callouts: Sort or Hide Columns; Rapidly Edit Signatures; Multiselect Signatures; Assign Actions; Named Filtering; Action Menus; Clone and Replicate

Cisco Security Manager 3.1 – Policy-Centric Signature View

Screenshot callouts: Quick Assignments; Copy Policy; Signature Inheritance; Named Filtering; Action Menus

Cisco Security Manager 3.1 – Signature and System Update Wizard

Screenshot callouts: Select Update Type (Signature or System); Check for Updates; Preview of Available Updates

Cisco Security Manager 3.1 VPN Discovery

• Choose what topology you want to discover.
• Choose where to discover (from live devices or configuration files).
• Choose technology used.
• Choose the VPN participant devices.
• Start the discovery.

Cisco Security Manager 3.1 SSL VPN Wizard

• Wizard is provided to guide users through the essential steps to create a functional SSL VPN.
• Wizard provides a quick and easy way for novice users to set up SSL VPN.

Cisco Security Manager 3.1 SSL VPN Policy

• Advanced users can use SSL VPN policies to fully customize every supported SSL VPN attribute.

Cisco Security Manager 3.1 Rule Combiner

• Optimize the rule table and dramatically reduce the number of firewall rules.
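As an added illustration of what a rule combiner has to respect, the following Python (example code, not Cisco Security Manager's own algorithm; the rule fields and the branch rule set are constructed) merges only adjacent rules that differ in a single field, so the first-match decision of the table cannot change:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One access rule (constructed model, not CSM's own schema)."""
    action: str             # "permit" or "deny"
    protocol: str           # "tcp", "udp" or "ip"
    sources: frozenset      # network strings
    destinations: frozenset
    ports: frozenset        # port numbers, or {"any"}


def _try_merge(a, b):
    """Merge two rules only if action and protocol agree and exactly one of
    sources / destinations / ports differs; the union then covers exactly the
    flows the two originals covered, so the merge preserves semantics."""
    if a.action != b.action or a.protocol != b.protocol:
        return None
    differ = [a.sources != b.sources, a.destinations != b.destinations, a.ports != b.ports]
    if sum(differ) != 1:
        return None
    return Rule(a.action, a.protocol, a.sources | b.sources,
                a.destinations | b.destinations, a.ports | b.ports)


def combine_rules(rules):
    """Collapse runs of adjacent mergeable rules. A rule is never moved past a
    neighbour, so a deny sitting between two permits keeps them apart."""
    out = []
    for rule in rules:
        merged = _try_merge(out[-1], rule) if out else None
        if merged is None:
            out.append(rule)
        else:
            out[-1] = merged
    return out


def first_match(rules, protocol, src, dst, port):
    """Decision of a first-match table for one flow (implicit deny at the end).
    Addresses are compared as plain strings here to keep the example short."""
    for r in rules:
        if (r.protocol in ("ip", protocol) and src in r.sources
                and dst in r.destinations and ("any" in r.ports or port in r.ports)):
            return r.action
    return "deny"


LAN = frozenset({"10.1.10.0/24"})   # constructed branch LAN
BRANCH_RULES = [                    # constructed branch outbound table, top to bottom
    Rule("permit", "udp", LAN, frozenset({"10.9.0.10"}), frozenset({53})),
    Rule("permit", "udp", LAN, frozenset({"10.9.0.11"}), frozenset({53})),
    Rule("permit", "tcp", LAN, frozenset({"10.9.1.20"}), frozenset({80})),
    Rule("permit", "tcp", LAN, frozenset({"10.9.1.20"}), frozenset({443})),
    Rule("deny",   "tcp", LAN, frozenset({"10.9.1.21"}), frozenset({22})),
    Rule("permit", "tcp", LAN, frozenset({"10.9.1.21"}), frozenset({80, 443})),
]


def demo():
    """Combine the table and confirm every sample flow still gets the same answer."""
    combined = combine_rules(BRANCH_RULES)
    flows = [("udp", "10.1.10.0/24", "10.9.0.11", 53), ("tcp", "10.1.10.0/24", "10.9.1.20", 443),
             ("tcp", "10.1.10.0/24", "10.9.1.21", 22), ("tcp", "10.1.10.0/24", "10.9.1.21", 80)]
    unchanged = all(first_match(BRANCH_RULES, *f) == first_match(combined, *f) for f in flows)
    return len(BRANCH_RULES), len(combined), unchanged


if __name__ == "__main__":
    print(demo())   # (6, 4, True)
```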

Cisco Security Manager 3.1 Local Rules and Rule Table Sections

• Local Rules – Easily specify local rules in addition to inherited rules.
• Rule Table Sections – Segregate the rule table into folder-like sections.
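The inheritance model on the "Policy Sharing and Inheritance Model" slide and the local rules described here, as an added Python example (not Cisco Security Manager's own data model; the section ordering, with a parent's mandatory rules above everything a child adds and its default rules below, is a modelling assumption, and the corporate and branch policies are constructed):

```python
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    protocol: str     # "tcp", "udp" or "ip" ("ip" matches every port)
    src: str          # CIDR or "any"
    dst: str
    port: object      # port number or "any"
    origin: str = ""  # "<policy>/<section>", filled in by effective_rules()


@dataclass
class Policy:
    """Shared policy: a child inherits both sections of its parent (constructed model)."""
    name: str
    mandatory: list = field(default_factory=list)  # above a child's rules; cannot be overridden
    default: list = field(default_factory=list)    # below a child's rules; a child may pre-empt them
    parent: "Policy" = None


def effective_rules(policy):
    """Flatten a policy and its ancestors into one ordered table: ancestors'
    mandatory rules (root first), then default rules (nearest policy first)."""
    chain, p = [], policy
    while p is not None:
        chain.append(p)
        p = p.parent
    chain.reverse()
    table = [replace(r, origin=f"{p.name}/mandatory") for p in chain for r in p.mandatory]
    table += [replace(r, origin=f"{p.name}/default") for p in reversed(chain) for r in p.default]
    return table


def _in(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def lookup(policy, protocol, src, dst, port):
    """First matching rule of the effective table, or the implicit deny."""
    for r in effective_rules(policy):
        if (r.protocol in ("ip", protocol) and _in(r.src, src) and _in(r.dst, dst)
                and r.port in ("any", port)):
            return r
    return Rule("deny", "ip", "any", "any", "any", "implicit")


# Constructed policies mirroring the slide: corporate mandates, branch adds local rules.
CORPORATE = Policy("Corporate",
    mandatory=[Rule("deny", "tcp", "any", "any", 6699),    # "No Napster traffic, period"
               Rule("permit", "tcp", "any", "any", 22),    # allow SSH
               Rule("permit", "tcp", "any", "any", 443)],  # allow SSL
    default=[Rule("deny", "ip", "any", "any", "any")])     # default deny, overridable locally
REMOTE_BRANCH = Policy("Remote Branch", parent=CORPORATE,
    mandatory=[Rule("permit", "tcp", "10.1.10.0/24", "10.9.1.0/24", 9100)],  # local: printers
    default=[Rule("permit", "tcp", "any", "any", 6699)])   # local attempt to re-allow Napster


def decide(policy, protocol, src, dst, port):
    """(action, origin) for a flow, e.g. ('deny', 'Corporate/mandatory')."""
    r = lookup(policy, protocol, src, dst, port)
    return r.action, r.origin


if __name__ == "__main__":
    print(decide(REMOTE_BRANCH, "tcp", "10.1.10.5", "198.51.100.9", 6699))  # ('deny', 'Corporate/mandatory')
    print(decide(REMOTE_BRANCH, "tcp", "10.1.10.5", "10.9.1.7", 9100))      # ('permit', 'Remote Branch/mandatory')
    print(decide(CORPORATE, "tcp", "10.1.10.5", "10.9.1.7", 9100))          # ('deny', 'Corporate/default')
```

The branch's local permit for port 6699 never wins because the corporate mandatory deny sits above it, while its printer rule is visible only in the branch's own effective table.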

Cisco Security Manager 3.1 Cisco ACE Import and Object Group in Real Time

• Cisco® Application Control Engine (ACE) import and CLI paste – Quickly get CLI-based Cisco ACEs into the Cisco Security Manager rule table, either typed manually or from files.
• Object group in real time – Instantly create objects from the rule table source and destination addresses.

Cisco Security Manager 3.1 – xDM Cross Launch: Cisco ASDM, SDM, IDM, and IEV

• No embedded device manager code required on the device
• Open connection from Cisco Security Manager server to device
• No need to have connection from user desktop to the device
• Much faster startup

Cisco Security Manager 3.1 – xDM

• Use device manager logs to cross launch to policy
• Use packet tracer in Cisco® Adaptive Security Device Manager (ASDM)

Cisco Security Manager 3.1 – Native Cisco Catalyst 6000 Management: Interfaces, VLANs, and VLAN Groups

• Natively manage Cisco Catalyst® 6500 and Cisco® 7600; no more launching CiscoView Device Manager (CVDM).
• Manage all the VLANs, interfaces, VLAN groups, and mappings.
• Comprehensive Summary page shows all the mappings.

Cisco Security Manager 3.1 – Cisco Catalyst 6500 RACL Management

• Manage the Layer 3 access control list on the MSFC of Cisco Catalyst® 6500 and Cisco® 7600.
• Use the same powerful rule table as other devices such as Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX® Firewall, or Cisco Integrated Services Routers.

Cisco Security Manager 3.1 – Inventory Report: Single View of All Critical Device Information

One place to see all critical inventory information:
• Device, VPN status
• Deployment status
• What policies are assigned
• Status from external sources

Cisco Security Manager 3.1 – Connectivity Test

• Test available from the Device Properties page when adding a device

Cisco Security Manager 3.1 – Activity Report: What Fields Changed; What Objects Changed

Cisco Security Manager 3.1 High Availability and Disaster Recovery

• Optional high-availability and disaster-recovery configurations
• Off-the-shelf hardware (servers, storage arrays) and software (Symantec/Veritas) plus specific customizations for Cisco® Security Manager
• Supports a wide variety of deployment options based on customer requirements
  – Single, dual-node cluster for high availability
  – Multiple geographically diverse clusters for disaster recovery
  – Fully automated failure detection and recovery
  – Shared local storage for zero data loss
  – Synchronous or asynchronous replication between sites for zero or near-zero data loss

Self-Defending Network Components

• Defense-in-depth
• Firewalls
• Proxies
• VPN
• Anti-virus
• Network IDS/IPS
• Host IDS/IPS
• Vulnerability Assessment
• Patch Management
• Policy Compliance
• Router
• Switch

Cisco Security Mitigation, Analysis, and Response System – Next-Generation SIM/STM

• Leverage YOUR existing investment to build “Pervasive Security”
• Correlate data from across the enterprise
  – NIDS, firewalls, routers, switches, CSA
  – Syslog, SNMP, RDEP, SDEE, NetFlow, endpoint event logs, multivendor
• Rapidly locate and mitigate attacks

• Key Features:
  – Determines security incidents based on device messages, events, and “sessions”
  – Incidents are topologically aware for visualization and replay
  – Mitigation on L2 ports and L3 chokepoints
  – Efficiently scales for real-time use across the enterprise

CS-MARS – Topology Awareness

• Gain Network Intelligence: topology, traffic flow, device configuration, and enforcement devices
• ContextCorrelation™: correlates, reduces and categorizes events; validates incidents

The diagram traces the pipeline: raw inputs (Firewall Log, IDS Event, Server Log, Switch Log, Firewall Cfg., AV Alert, Switch Cfg., NAT Cfg., App Log, Router Cfg., NetFlow, VA Scanner) → Isolated Events → Sessions → Correlation and Reduction → Rules → Verify → Valid Incidents.

CS-MARS – Attack Path Visualization

1. Host A port scans Target X.
2. Host A launches buffer overflow attacks against X, where X is behind a NAT device and is vulnerable to the attack.
3. Target X executes password attacks against Target Y, located downstream from the NAT device.

• SureVector™ Analysis
  – Visible and accurate attack path
  – Drill-down, full incident and raw event details
  – Pinpoint the true sources of anomalous and attack behavior
  – More complete and accurate story
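The three-step scenario above, as an added Python sketch of how context (the firewall's NAT configuration and vulnerability-scan results) turns isolated events into one validated incident with its attack path. This is example code, not CS-MARS's engine; every address, event record and the correlation rule are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed context: a static NAT entry from the firewall configuration and
# a vulnerability-assessment finding for the inside host (Target X).
NAT_TABLE = {"203.0.113.10": "10.1.20.10"}
VA_RESULTS = {"10.1.20.10": {"svc-overflow"}}
WINDOW = timedelta(minutes=30)

# Constructed events from an outside IDS, an inside IDS and a server log.
EVENTS = [
    {"ts": "2006-12-03T10:00:01", "src": "192.0.2.50", "dst": "203.0.113.10", "type": "port_scan"},
    {"ts": "2006-12-03T10:02:10", "src": "192.0.2.50", "dst": "10.1.20.10", "type": "exploit", "vuln": "svc-overflow"},
    {"ts": "2006-12-03T10:05:00", "src": "10.1.20.10", "dst": "10.1.20.25", "type": "password_attack"},
    {"ts": "2006-12-03T11:30:00", "src": "198.51.100.7", "dst": "203.0.113.10", "type": "port_scan"},
]


def normalize(ip):
    """Fold a translated (public) address onto the inside host, so the outside
    sensor and the inside sensor are understood to report on the same target."""
    return NAT_TABLE.get(ip, ip)


def sessionize(events):
    """Group events by (src, dst) after NAT normalisation, parsing timestamps."""
    sessions = {}
    for ev in events:
        key = (normalize(ev["src"]), normalize(ev["dst"]))
        sessions.setdefault(key, []).append(dict(ev, ts=datetime.fromisoformat(ev["ts"])))
    return sessions


def find_incidents(events):
    """Correlation rule: scan(A->X), then exploit(A->X) of a vulnerability X really
    has, then X attacking some Y, all inside WINDOW. Sessions that never complete
    the chain remain isolated events and are not reported."""
    sessions = sessionize(events)
    incidents = []
    for (a, x), evs in sessions.items():
        scan = next((e for e in evs if e["type"] == "port_scan"), None)
        exploit = next((e for e in evs if e["type"] == "exploit"), None)
        if scan is None or exploit is None or not scan["ts"] <= exploit["ts"] <= scan["ts"] + WINDOW:
            continue
        if exploit["vuln"] not in VA_RESULTS.get(x, set()):
            continue  # verify step: target is not vulnerable, so this is not a valid incident
        path, steps = [a, x], [scan["type"], exploit["type"]]
        for (src, y), evs2 in sessions.items():   # did X then go after some Y?
            if src != x:
                continue
            follow = next((e for e in evs2 if e["type"] != "port_scan"
                           and exploit["ts"] <= e["ts"] <= exploit["ts"] + WINDOW), None)
            if follow is not None:
                path.append(y)
                steps.append(follow["type"])
        incidents.append({"path": path, "steps": steps})
    return incidents


if __name__ == "__main__":
    for inc in find_incidents(EVENTS):
        print(" -> ".join(inc["path"]), inc["steps"])
```

The lone scan from 198.51.100.7 stays an isolated event, while the A -> X -> Y chain is reported once, against X's inside address rather than its NAT address.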

CS-MARS – Attack Mitigation

• Use control capabilities within your infrastructure
  – Layer 2/3 attack path is clearly visible
  – Mitigation enforcement devices are identified (the diagram shows Switch, Router, and Firewall)
  – Exact mitigation command is provided

CS-MARS – Compliance Reports

• Popular reports with customization and distribution options
• Queries saved as rules or reports – intuitive framework (no SQL)

CS-MARS Device Support

• Networking
  – Cisco IOS 11.x and 12.x, Catalyst OS 6.x
  – NetFlow v5/v7
  – NAC ACS 3.x
  – Extreme Extremeware 6.x
• Firewall/VPN
  – Cisco PIX 6.x, 7.x, ASA, IOS Firewall/IPS, FWSM 1.x, 2.3, VPN Concentrator 4.x
  – CheckPoint Firewall-1 NG FPx, VPN-1
  – NetScreen Firewall 4.x, 5.x
  – Nokia Firewall
• IDS
  – Cisco NIDS 4.x, 5.x, IDSM 4.x, 5.x
  – Enterasys Dragon NIDS 6.x
  – ISS RealSecure Network Sensor 6.5, 7.0
  – Snort NIDS 2.x
  – McAfee Intrushield NIDS 1.x
  – NetScreen IDP 2.x
  – Symantec ManHunt 3.x
• Vulnerability Assessment
  – eEye REM 1.x
  – Foundstone FoundScan 3.x
  – Qualys Guard
• Host Security
  – Cisco Security Agent (CSA) 4.x
  – McAfee Entercept 2.5, 4.x
  – ISS RealSecure Host Sensor 6.5, 7.0
  – Symantec AntiVirus 9.x
• Host Log
  – Windows NT, 2000, 2003 (agent/agent-less)
  – Solaris
  – Linux
• Syslog
  – Universal device support
• Applications
  – Web servers (IIS, iPlanet, Apache)
  – Oracle 9i, 10i database audit logs
  – Network Appliance NetCache

CS-MARS – Alerts

• You have two options for learning about rules that have fired:
  – You can log in and view the appropriate pages in the HTML interface
  – You can have CS-MARS send alerts to external devices and users

• CS-MARS supports seven types of alerts when a rule is fired. Users can configure these alerts as part of the rule:
  – E-Mail
  – Syslog
  – Page
  – SNMP
  – SMS
  – DTM
  – XML

Cisco Security Management Suite: An Integrated Solution

Cisco Security MARS to Cisco Security Manager Policy Lookup

Aha! There is a permit rule from source 10.1.10.1 to any for IP. Better make the correction over in Cisco Security Manager and deploy to the device.

• Integrating the log and policy views for fast remediation
• XML-based external integration of incidents

Full Spectrum Product Line

CS-MARS Model   20       50       100e     100       200       Global Controller
Events/Sec      500      1,000    3,000    5,000     10,000    N/A
Flows/Sec       15,000   25,000   75,000   150,000   300,000   N/A
RAID Storage    120GB    120GB    750GB    750GB     1TB       1TB
Rack Size       1 RU     1 RU     3 RU     3 RU      4 RU      4 RU

• Installation takes minutes
• Agent-less event collection
• No JRE conflicts
• Layer 2/3 network topology and mitigation
• RAID 1+0
• Oracle embedded – no DBA needed
• NetFlow
• Drill down to MAC addresses

Cisco Self-Defending Network: Identify, Prevent and Adapt to Threats

INTEGRATED SECURITY
• Threat Defense
• Secure Connectivity
• Trust and Identity

INDUSTRY COLLABORATION
• Network Admission Control (NAC) Program
• Collaboration with antivirus vendors

SYSTEM LEVEL SOLUTION
• Dynamically identify, prevent and respond to threats
• Security-aware infrastructure

Continuous Risk Assessment & Proactive Regulatory Compliance