Managed Security Services

Georgina Schaefer, Consulting Systems Engineer, SP Wireline EMEA; Solution Architect, Managed Security Services

Session Number Presentation_ID © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public 1

Enterprise Security Drivers


Security Deployment Trends

Diagram: customer security deployment models range from a centralized, dedicated-appliance-based model at the head office to a hybrid, network-based / distributed, integrated security model; the customer’s head office, small branch offices and Internet branch offices connect over the Internet or an IP/MPLS/Layer 2 based network.

Agenda

• Managed Security Services Market
• Managed Security Services
  – Managed Threat Defense
  – Managed Trust and Identity
  – Managed Secure Connectivity
• Summary - Q&A

Managed Security Services Portfolio

MSS offerings have been around for some time. Services include:
• Managed Firewalls (bulk of revenue)
• Managed VPNs
• Managed IDS
• Managed Anti-Virus
• Managed Authentication

MSSP Revenues Shift

Rapid growth in Managed IDS

Legend: PS = Professional Services; AV = Anti-Virus; VA = Vulnerability Assessment; IDS = Intrusion Detection System; SIS = Security Intelligence Services; REPS = Remote End-Point Security

Source: Yankee Group, 2002

Evolution

Chart (operational capability vs. applications to services & complexity of security):

2015 – Adaptive networks (future state)
• Self-managing, self-protecting, self-healing
• Highly available network services
• Security-aware network elements

2005 (today) – Protection from simple threats
• Convergence of scanning or filtering
• Comprehensive view of all security elements
• Security embedded in switch or router
• Manageability is critical

1995 – Detection of simple threats
• Reactive virus and intrusion detection
• Automates some manual procedures
• “Best-of-breed” perimeter point products
• Dedicated security appliance introduced

1985 – Block and Hide
• Crypto solves everything
• CLI operator interfaces
• Manual procedures

MSSP Players

Mainly from 4 different categories:

• Network/Systems Integrators (e.g. CGEY, Unisys, IBM) – Focus on global deals with custom solutions
• Pure play security SPs (e.g. Ubizen, Getronics, NetSec) – Often positioned as niche players
• Technology owners/Software vendors (e.g. Symantec, ISS, Baltimore) – Services tend to be limited to their own technology
• Service Providers (e.g. BT, DT, FT, C&W, Equant, AT&T) – Traditionally deliver connectivity services

Status of the MSS market

• Most of the current portfolios are targeted at medium/large enterprises and are based on appliances, each solving a single problem
• SPs started to build Managed Security Services 2-3 years ago, when not all the required security features were available in routers
• Difficult to address the price-sensitive and mass markets (high capex, high opex, integration complexity)

Market Inhibitors

• Enterprises unwilling to outsource security
• Lack of perceived need for extensive security
• Unproven reputation of MSS provider
• SPs unwilling to go beyond CPE
• Perceived higher costs of outsourced service
• Too many offerings with unclear definitions
• Product oriented vs. global security solution

Market Segregation

Chart (value/price, from high to low):

Custom – MNC and Large Enterprise (250+), 1500-3000 euro/month, high price
• SLAs (bronze, silver, gold)
• 24x7
• Detailed reports
• On-going monitoring
• Log analysis
• Redundancy

Bundled – Medium (50-249) and Small (10-49), 50-150 euro/month, delta price to CX
• Packaged with CX
• Basic reports
• Network/CPE

Mass market – Micro (< 10), 5 euro/month, price sensitive
• Point product
• Self managed

MSS and European Companies

SMEs represent more than 99% of companies! By 2008 they should generate 66% of European MSS sales.

Managed Services – Multi-device

Diagram: managed intrusion protection and managed router + VPN as separate managed devices at the customer site, each connected to the SP IP network.

• Many devices → High CAPEX
• Labour intensive operation → High OPEX
• Different services coming from different providers (SP, SI, MSSP, …) → Lack of consistency in security policy

Not the best model to address small offices or SMBs.

Managed Services – Single Device

Diagram: a single device at the customer site delivers full managed security services over the SP IP network.

• Services are turned on on-demand → extending CPE lifecycle
• 1 or 2 devices for the full service portfolio → Lower CAPEX
• Less truck-roll and fewer devices to manage → Lower OPEX
• Decreased churn through a comprehensive portfolio

Better model for mass-deployment services.

Moving from Managed Security Services to Secured Managed Services …

Managed Security as an Option | Secured Managed Services
Security is an add-on | Security is built-in
Challenging integration | Intelligent collaboration
Not cost effective | Appropriate security

Gartner: By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms.

Managed Security Service Examples

Service Provider Security Fundamentals

Security Policy – Security policy defines network design requirements.
Trust & Identity – Leverage the network to intelligently protect endpoints.
Secure Connectivity – Secure and scalable network connectivity.
Network Infrastructure Protection – Protect the network infrastructure from attacks and vulnerabilities.
Threat Defense – Prevent and respond to network attacks and threats such as worms.
Security Operation – Security management and monitoring, incident response processing.
Security lifecycle: Secure, Monitor, Manage, Protect, Audit.

Managed Security Service Portfolio

• Threat Defense Services
  – Managed Firewall - Ability to customize security rules, policies and ports
  – Managed Intrusion Protection - Protection of vital information from intruders
  – Managed DDoS Protection
  – Managed Endpoint Protection (server and desktop protection)
  – Email Virus Protection - Protection against spam attacks and virus spread
  – Content Filtering
• Secure Connectivity Services
  – Secure remote-user access to company information
  – Virtual Private Network (VPN) services using IPSec or SSL VPN
• Trust and Identity Services
  – Single-factor or two-factor authentication (token/smart USB or card)
  – PKI certificate
  – Endpoint security compliance (Network Admission Control)

Managed Services / Market Segment

Protection at every Network Layer

Layers (diagram): SP managed security service or customer managed; SP managed security services; SP secured infrastructure.

Cisco can help SPs provide a complete security portfolio:
• CPE & network-based VPN, firewalls & IDS/IPS
• Endpoint threat protection
• Identity management
• Security service provisioning
• Security threat management

CPE Based Managed Service

MSSP SOC:
• Security devices / products
  – Cisco ISR with integrated security
  – ASA, PIX, IPS appliances
  – Cisco 7600 with security service modules
  – Partner product
• Service provisioning
  – CiscoWorks VMS
  – Cisco Configuration Engine
• Service monitoring
  – CS-MARS

Managed services:
• Firewall
• IPS
• IPSec / SSL VPN
• Managed authentication

Diagram: Customer A and Customer B head offices and branch offices connected over the Internet to the MSSP SOC.

Cisco ISR Routers and ASA 5500 Series: Flexible Security and VPN Deployment Options

Integrated Services Routers:
• Preference for and familiarity with IOS-based devices
• LAN and WAN interfaces
• Delivers best of breed routing and QoS functionality
• Consolidates maximum network and security functions on a single platform
• Most feature rich site-to-site VPN solution
• Leverage existing router investment

Adaptive Security Appliance:
• Preference for dedicated security devices
• LAN interfaces
• Delivers latest threat mitigation innovations
• Most feature rich remote access VPN solution
• Dedicated functions ensure maximum software versioning simplicity

Tailored Solutions for Every Deployment Environment

Managed Security Services Trends

Primary services:
• Threat Defense
  – Firewall
  – Virus scanning
  – Intrusion & DDoS detection
• Secure Connectivity
  – VPN/tunneling
• Trust & Identity
  – Authentication

Trend technologies called out on the slide: Application FW, Deep Packet Inspection, Day Zero Attack Protection, IPS, SSL VPN, Security Compliance Check.

Managed Service implementation & delivery:
• Quality guarantees (SLAs)
• Sales, lease
• Setup/installation
• Configuration
• Proactive fault, life-cycle, and performance management
• Immediate alert response: trouble-ticket process, analysis, configuration, troubleshooting
• Emergency response - threat or service outages

Managed Threat Defense

Managed Firewalling

• Analyses all data traffic flowing from one network to another
• Allows or denies access based on pre-defined security policies
• High-volume packet inspection
• Internal address masking (NAT/PAT)
• Most common managed security service:
  – CPE based service (FW installed at customer’s premises)
  – Network based service
• User authentication and content filtering as service options

Managed Firewall Service

Baseline service
• Stateful packet filtering
• Address translation support
• Routing

Service options
• Advanced Application Support
• Redundancy / High Availability
• Authentication
• Web content filtering
• Virtual firewall

Advanced Application Support: Attacks based on Web Applications

“…75% of successful attacks against Web servers are entering through applications and not at the network level.”
John Pescatore, VP and Research Director, Gartner, June 2002.

Internal users’ traffic carried over port 80 (HTTP):
• Internet access 98%
• Rich media 43%
• IM traffic 43%
• Web enabled apps 55%
• Web services 43%

64% of enterprises have opened Port 80 on their firewalls for their growing web application traffic.
Source: Aug 2002 InfoWorld/Network survey of IT Professionals

Advanced Application Support: Web-Traffic Inspection Services

Diagram: payloads arriving at the corporate office and server farm claiming “I am email traffic… honest!” (payload on port 25) and “I am http web traffic… honest!” (payload on port 80).

Supported on IOS / PIX 7.0 / ASA / FWSM 3.1

Email Inspection Engine:
• Control misuse of email protocols
• SMTP, ESMTP, IMAP, POP inspection engines

HTTP Inspection Engine:
• Delivers application level control through inspection of web-based (port 80) traffic
• Prevents port 80 misuse by rogue apps that hide traffic inside HTTP to avoid scrutiny, e.g. Instant Messaging (AIM, MSN Messenger, Yahoo…), Peer-to-Peer protocols (Kazaa…)
• MIME type/content filtering….

Inspection engines provide protocol anomaly detection services. Example: instant messaging and peer-to-peer applications such as Kazaa.
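As an added illustration of the two checks the slide attributes to the HTTP inspection engine (example code written for this page, not Cisco’s IOS/PIX/ASA inspection code): a port-80 payload without a well-formed HTTP message head is treated as a protocol anomaly, the case of an IM or peer-to-peer client hiding on port 80, and responses are held to a MIME type policy. The allowed method and MIME lists and the sample payloads are constructed assumptions.

```python
"""Toy model of an HTTP inspection engine for port-80 traffic.

Added illustration, not Cisco inspection-engine code. It mimics two checks
the slide attributes to the HTTP inspection engine: protocol anomaly
detection (is this payload really HTTP?) and MIME type filtering on
responses. A real engine works on reassembled streams; this one looks at
a single captured payload.
"""
import re
from dataclasses import dataclass

# Policy (assumptions for this example): request methods and response
# content types the operator allows on port 80. "image/" is a prefix match.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_MIME = {"text/html", "text/plain", "application/xml", "image/"}

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,10}) (?P<target>\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (?P<code>\d{3}) [^\r\n]*$")
# RFC 7230 token characters for the field name, then ':' and any value.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


@dataclass(frozen=True)
class Verdict:
    action: str   # "permit" or "drop"
    reason: str


def _split_head(payload: bytes):
    """Return (start_line, header_lines) or None when no CRLF-terminated head exists."""
    end = payload.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = payload[:end].split(b"\r\n")
    return lines[0], lines[1:]


def _content_type(headers):
    """Media type from a Content-Type header, lower-cased, without parameters."""
    for h in headers:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"content-type":
            return value.strip().split(b";")[0].decode("ascii", "replace").lower()
    return None


def inspect_port80(payload: bytes) -> Verdict:
    """Decide whether one port-80 payload conforms to HTTP and to the policy."""
    head = _split_head(payload)
    if head is None:
        # No HTTP message head: some other protocol is riding on port 80
        # (the IM / peer-to-peer tunnelling case the slide describes).
        return Verdict("drop", "protocol anomaly: no HTTP message head")
    start, headers = head
    for h in headers:
        if not HEADER_LINE.match(h):
            return Verdict("drop", "protocol anomaly: malformed header line")
    m = REQUEST_LINE.match(start)
    if m:
        method = m.group("method").decode("ascii")
        if method not in ALLOWED_METHODS:
            return Verdict("drop", f"method {method} not permitted by policy")
        return Verdict("permit", f"well-formed {method} request")
    if STATUS_LINE.match(start):
        ctype = _content_type(headers)
        if ctype is None or any(ctype.startswith(a) for a in ALLOWED_MIME):
            return Verdict("permit", f"response, content type {ctype or 'none'}")
        return Verdict("drop", f"MIME filter: {ctype} not permitted")
    return Verdict("drop", "protocol anomaly: start line is neither request nor status")


# Constructed sample payloads, one per case the engine distinguishes.
SAMPLES = {
    "browser_get": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
                   b"User-Agent: browser\r\n\r\n",
    "exe_download": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
                    b"Content-Length: 4\r\n\r\nMZ\x90\x00",
    "tunnelled_binary": b"\x00\x12\x07\x00\x01\x00\x00\x00login\x00\x00\x07\x00",
    "bad_header": b"GET / HTTP/1.1\r\nHost intranet.example\r\n\r\n",
}


def run_samples():
    """Action per sample name, the mapping the test checks."""
    return {name: inspect_port80(p).action for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        v = inspect_port80(payload)
        print(f"{name:17s} -> {v.action:6s} {v.reason}")
```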

Belgacom Managed VPN service and Firewall

SP Managed Firewall Service vs. In House customer management

Chart: Monthly Recurring Cost (nine sites, 2500 users), Managed by SP vs. In House, $0 to $10,000 per month; cost components: HW/SW Lease Cost, Event Response, Alert Analysis, FW Management, Report/Documentation. 65%+ savings.

Benefits of out-tasking:
• Reduced monthly recurring management cost (65%)
• Increased network reliability (24-hour monitoring)
• Lower implementation and training cost
• Flexibility to reallocate IT staff to strategic projects

Intrusion Prevention

• 80% of the recent attacks have been performed over port 80
• Firewalling alone is not enough to counter attacks
• In-depth inspection of traffic is required to identify attacks within legal traffic on both the network and the critical hosts
• IDS services only generate alarms – Intrusion “Prevention” Services or “Inline IDS” can DROP traffic matching attack signatures
  – False positives will drop good traffic!!
• Not very common today in the low end space

Managed IPS or “Anti-X” services

• Provides protection against: viruses, worms, spyware / adware, denial of service..
• Uses IDS/IPS hybrid technology – signature based, anomaly based, behaviour based
• Signatures must be updated on a regular basis
• Events must be regularly monitored and false positives / negatives tuned
• IPS services require powerful and complex management, monitoring and response procedures
• Need 24x7 service operation, hence a well-automated system is required

Managed IPS Service

Baseline service
• 24 x 7 service and support
• Intrusion monitoring
• Event correlation / alarm filtering
• Web portal: log trending and analysis with periodic traffic and alert reports

Service options
• Vulnerability assessment
• Signature updates (Managed IPS / Anti-Virus service)
• Incident handling
• Anti-X services (anti-virus, anti-spyware, intrusion / worms / DoS attack prevention)
• Redundancy/failover

Equant Intrusion Detection

Equant Intrusion Detection cont’d

• Service is based on Cisco IDS/IPS appliances
• Monitoring and management is provided by Ubizen (Cybertrust)
  – Ubizen analyzes the IDS logs and identifies the threats that require immediate action
• Customer benefits: real-time discovery of attacks with predictable turn-around time and consistent procedures; reduction of false alarms; lower TCO
• Service is integrated with Equant delivery

Diagram: at the customer site, IDS sensors on the DMZ network and on the internal network behind the firewall, with a separate IDS management network back to the Equant/Ubizen SOC across the Internet.

Equant Intrusion Detection Service Profile: Who does what?

• Done by Equant
  – Professional consultancy engagement
  – Device installation, management and monitoring
• Done by Ubizen (under Equant branding)
  – 24x7 real-time intrusion monitoring
  – 24x7 real-time event correlation & interpretation
  – 24x7 incident handling: « real-time » customer alerting and recommendations
  – Full reporting capabilities: real-time reports at the Equant Intrusion Detection Report Center; consolidated monthly reports, SLAs

SP Managed IDS/IPS Service vs. In House

Chart: Monthly Recurring Cost (4 IPS sensors), Managed by SP vs. In House, $0 to $40,000 per month; cost components: Proactive Monitoring, Backup, IT Personnel, Major Change and Request, Config. Mgmt, Event Watch and Response, Report Generation. 75%+ savings.

Benefits of Managed IDS/IPS:
• Reduced monthly recurring management cost (75%)
• Increased network reliability (24-hour monitoring)
• Lower implementation and training cost
• Flexibility to reallocate IT staff to strategic projects

DoS/DDoS Attacks: Multiple Threats and Targets

• DoS/DDoS: deny access to authorized users and consume resources: bandwidth, CPU, memory blocks
• Attack zombies:
  – Use valid protocols
  – Spoof source IP
  – Massively distributed
  – Variety of attacks

Targets:
• Provider infrastructure: DNS, routers and links
• Access line
• Entire data center: servers, security devices, routers; e-commerce, web, DNS, email,…

Two Dimensions to DDoS: Number of Attacking Hosts, Total Bandwidth

Chart (scale of attacks vs. sophistication of attacks):
• 1999: 10Ks packets/sec; non-essential protocols (e.g. ICMP); 100s of sources
• 2003: 100Ks packets/sec; essential protocols; spoofed; 10Ks of zombies
• 2004: Million+ packets/sec; compound worm & DDoS attacks; 100Ks of zombies

Analysts on DDoS

“Effective protection against DoS attacks rests in the hands of the ISPs providing the physical connection. E-businesses should demand quality-of-service statements from their ISPs requiring them to control a DoS attack.”

J. Pescatore and W. Malik from Gartner Group

Clean Pipes Solution Overview

Diagram: customer premise (ISR) → access/aggregation (PE(s), L2 aggregation) → core (P routers) → carrier peering (ASBR, peering edge / alternate ISP); a cleaning center with Guard(s) and an Arbor Controller attached to the core; Arbor Detectors/Collectors at the peering edge and at the hosting IDC.

Detection: identify and classify attacks based on packet characteristics.
Diversion/Injection: divert “attack” traffic to the cleaning center to be “scrubbed”, inject clean traffic back to the enterprise customer.
Mitigation: anti-spoofing, anomaly recognition and packet inspection and cleaning (i.e. scrubbing) of “bad” traffic.

Provisioning and Management – WBM for Guard/Detector, Controller based Mgmt for Arbor. Built on a Cisco network using Infrastructure Security “Best Common Practices”.
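The detection stage above, as an added example (not Cisco Detector/Guard or Arbor code): a per-destination, per-protocol baseline of packet rate and source count is learned from constructed flow windows, and each new window is scored to decide whether it passes, is rate-limited or filtered at the edge, or is diverted to the cleaning center. The protocol classes, thresholds and sample windows are assumptions made for this example.

```python
"""Toy traffic anomaly detector for the detection stage of the clean-pipes
flow. Added illustration; not Cisco Detector, Guard or Arbor code.

Learns a per-destination, per-protocol baseline (packet rate and number of
distinct sources) from constructed 'normal' flow windows, then scores new
windows and recommends the edge action: pass, rate-limit (non-essential
protocol flood), filter (flood from a handful of sources) or divert the
destination's traffic to the cleaning centre (distributed / spoofed flood).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Protocols treated as non-essential: a flood of these is rate-limited at
# the edge rather than scrubbed (assumption for this example).
NON_ESSENTIAL = {"icmp"}
Z_THRESHOLD = 3.0   # standard deviations above baseline that count as anomalous


@dataclass(frozen=True)
class Window:
    """One measurement window, as a NetFlow collector might summarise it."""
    dst: str        # destination address or zone (the potential target)
    proto: str      # transport protocol of the flows
    pps: float      # packets per second towards dst
    sources: int    # distinct source addresses seen in the window


@dataclass(frozen=True)
class Baseline:
    pps_mean: float
    pps_sd: float
    src_mean: float
    src_sd: float


def learn_baseline(normal):
    """Per (dst, proto) mean/stddev of rate and source count from clean windows."""
    groups = defaultdict(list)
    for w in normal:
        groups[(w.dst, w.proto)].append(w)
    baselines = {}
    for key, ws in groups.items():
        rates = [w.pps for w in ws]
        srcs = [w.sources for w in ws]
        baselines[key] = Baseline(mean(rates), pstdev(rates), mean(srcs), pstdev(srcs))
    return baselines


def zscore(value, mu, sd):
    """Standard score; a flat baseline (sd == 0) is scored as if sd were 1."""
    return (value - mu) / (sd if sd > 0 else 1.0)


def classify(w, baselines):
    """Return (action, reason) for one window against the learned baseline."""
    b = baselines.get((w.dst, w.proto))
    if b is None:
        return "pass", "no baseline for this destination/protocol yet"
    rate_z = zscore(w.pps, b.pps_mean, b.pps_sd)
    src_z = zscore(w.sources, b.src_mean, b.src_sd)
    if rate_z <= Z_THRESHOLD:
        return "pass", f"rate within baseline (z={rate_z:.1f})"
    if w.proto in NON_ESSENTIAL:
        return "rate-limit", f"{w.proto} flood (z={rate_z:.1f}); non-essential protocol"
    if src_z > Z_THRESHOLD:
        # Many new sources: distributed zombies or spoofed addresses. The edge
        # cannot filter by source, so divert to the Guard for anti-spoofing
        # verification and scrubbing.
        return "divert", f"distributed flood: {w.sources} sources (z={src_z:.1f})"
    return "filter", f"high rate from {w.sources} sources; static filter at edge"


# Constructed 'normal' windows used to learn the baseline.
NORMAL = [Window("www", "tcp", p, s) for p, s in
          [(4800, 190), (5000, 200), (5200, 210), (5000, 200), (4900, 195), (5100, 205)]]
NORMAL += [Window("www", "icmp", p, s) for p, s in
           [(40, 18), (50, 20), (60, 22), (50, 20), (45, 19), (55, 21)]]

# Constructed windows to score: one quiet window and three attack scenarios.
OBSERVED = {
    "quiet":        Window("www", "tcp", 5300, 205),
    "icmp_flood":   Window("www", "icmp", 8000, 150),
    "botnet_flood": Window("www", "tcp", 120000, 15000),
    "single_src":   Window("www", "tcp", 60000, 3),
}


def evaluate(observed=OBSERVED, normal=NORMAL):
    """Action per named window; the mapping the test checks."""
    baselines = learn_baseline(normal)
    return {name: classify(w, baselines)[0] for name, w in observed.items()}


if __name__ == "__main__":
    bl = learn_baseline(NORMAL)
    for name, w in OBSERVED.items():
        action, reason = classify(w, bl)
        print(f"{name:13s} {w.proto:4s} {w.pps:>8.0f} pps {w.sources:>6d} src -> {action}: {reason}")
```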

Cisco Anomaly / DDoS Protection Solution

Detects and automatically mitigates the broadest range of Distributed Denial of Service (DDoS) attacks:
• Ensures legitimate transactions get through
  – Multiple defenses including source verification
  – Behavioral anomaly recognition engine
• Performance for largest enterprises and providers
  – On-demand diversion for attack scrubbing
  – 1 Mpps+ per appliance and clustering capability

Products: R3 (Aug 04): Cisco Guard XT 5650 & Traffic Anomaly Detector XT 5600. R4 (1QCY05): Cisco Catalyst 6500 / 7600 Anomaly Guard Module & Traffic Anomaly Detector Module. On-demand scrubbing.

Diagram: traffic destined to the target is diverted through the Cisco (Riverhead) Guard XT multi-verification process (anti-spoofing to block spoofed packets, dynamic filters to block attack sources, rate limits), and legitimate traffic is forwarded to the target; the Cisco (Riverhead) Traffic Anomaly Detector XT watches the non-targeted zone(s). Guard stages: Dynamic & Static Filters, Active Verification, Statistical Analysis, Layer 7 Analysis, Rate Limiting, driven by the Behavioral Anomaly Engine.

SP Revenue Models

SUBSCRIPTION SERVICE - A: Customer pays X% of markup on transit/bandwidth purchased for a guarantee of availability.

SUBSCRIPTION SERVICE - B: Customer pays normal rates for transit/bandwidth, then pays an extra flat fee for detection and mitigation (pricing subject to business model).

ON-DEMAND: Customer pays a premium for ‘scrubbed’ bandwidth after calling during an attack (not seen often).

Managed DDoS Services: Cisco Powered Providers

Customer | Service Name | Deployment Model | Scenario
AT&T | DDoS Defense Option for Internet Protect managed services | Managed Network DDoS Protection Service | NetFlow + Arbor Peakflow SP + Guard
SPRINT | IP Defender managed service | Managed Network DDoS Protection Service | Detector + Guard
Cable & Wireless | DDoS Attack Mitigation Service | Managed Network DDoS Protection Service | Detector + Guard
Telecom Italia | DDoS Peering Point Protection | Peering Edge DDoS Protection Service | NetFlow + Arbor Peakflow SP + Guard
Rackspace | PrevenTier DDoS Mitigation service | Managed Hosting DDoS Protection Service | Arbor Peakflow SP + NetFlow Detector + Guard
DataPipe | SureArmour DDoS protection service | Managed Hosting DDoS Protection Service | Detector + Guard

Endpoint Security: Cisco Security Agent

• A new kind of host protection product for desktop, laptop, & server computers
  – Windows NT, Windows 2000, Windows XP, Solaris 2.8, Linux
  – Aggregates multiple security functions in one agent
• Shift from signature-based to policy-based
  – Effective against existing & previously unseen attacks
  – Stopped Slammer, Nimda & Code Red sight unseen with out-of-the-box policies
• Centrally administered, with distributed, autonomous policy enforcement
  – Scales well & also works with intermittently connected hosts
  – Can also adapt defenses based upon correlation of events from different hosts

Definition of active endpoint protection.

What is Cisco Security Agent?

Diagram: CSA combines a Personal Firewall, Personal Data protection, OS Hardening and a Distributed IPS tool into one agent for Server & Desktop Protection.

CSA Aggregates Multiple Endpoint Security Functions

Table: columns Conventional Firewall, Conventional IDS, Distributed Host-based Desktop/Laptop Protection, and CSA; each function row carries two check marks (column positions lost in extraction). Functions compared:
• Block Incoming Network Requests
• Block Outgoing Network Requests
• Stateful Packet Analysis
• Detect/Block Port Scans
• Detect/Block Network DoS Attacks
• Detect/Prevent Malicious Applications
• Detect/Prevent Known Buffer Overflows
• Detect/Prevent Unknown Buffer Overflows
• Detect/Prevent Unauthorized File Modification
• Operating System Lockdown

CSA Complements Traditional Desktop AV

Function                                     CSA   Anti-Virus
Malicious Code Protection:
  Stop Known Virus/Worm Propagation           ✓        ✓
  Stop Unknown Virus/Worm Propagation         ✓
  Scan/Detect Infected Files                           ✓
  “Clean” Infected Files                               ✓
  Identify Viruses/Worms by Name                       ✓
No Signature Updates Required                 ✓
Distributed Firewall Functionality            ✓
Operating System Lockdown                     ✓
Correlates Events Across Endpoints            ✓

Managed CSA Value Proposition

• Lower operating costs – Remove monitoring/maintenance tasks, remove need for hiring/training of security experts
• Higher level of security – MSSP has more extensive IT resources, 24x7x365 protection of systems, reduced implementation time, and faster resolution for security incidents
• Reduced false positives – MSSP has extensive knowledge of best practices to customize the technology
• Increased security posture awareness – MSSPs offer real-time and historical perspectives of device security, easily accessible via the web

Which SPs could offer Managed CSA?

• If you already have existing know-how/infrastructure to support IDS services
  – Similar type of service – define policies, implement, monitor and correlate events, tune….
• Do not necessarily need to be involved in “desktop management” if the customer has the resources to do this
• Probably best to partner with an established MSSP, e.g. Ubizen?

Managed Trust and Identity

Cisco Network Admission Control (NAC)

• Restricts and controls network access
  – Endpoint device interrogated for policy compliance
  – Network determines appropriate admission enforcement: permit, deny, quarantine, restrict
• Cisco-led, multi-partner program
  – Limits damage from viruses & worms
  – Coalition of market leading vendors
• A Cisco Self-Defending Network initiative
  – Dramatically improves network’s ability to identify, prevent, and adapt to threats

Cisco Network Admission Control: What It Does

1. Non-compliant endpoint attempts connection (branch or campus; the endpoint runs the Cisco Trust Agent)
2. Non-compliant status determined: access denied, or the endpoint is placed in quarantine
3. Infection contained; endpoints secured through remediation

NAC Customer Benefits

• Dramatically improved security
  – Proactive protection against worms & viruses
  – Leverage the network to audit & enforce host security policies
  – Network segmentation services for isolation and remediation
• Extend existing investment
  – Leverage investment in network infrastructure and host security
  – Focus operations on prevention, not reaction
• Increase enterprise resilience
  – Comprehensive admission control across all access methods
  – Ensure endpoints conform to security policy

Secure Connectivity

Secure Connectivity: Easy VPN

Diagram: a branch office (Cisco IOS router, 3002, or PIX) and a home office (Cisco VPN software client on PC/Mac/Unix) connect over the Internet to the central site (Cisco IOS router, VPN Concentrator, or PIX). Simple, scalable, flexible.

• Remote/branch device can be a PIX, IOS router, 3002, or Cisco client software on a PC/Mac/Unix computer.
• Remote device contacts the central-site router/concentrator and provides authentication credentials.
• If credentials are valid, the central site “pushes” configuration data securely to the remote device and the VPN is established.

Secure Connectivity: Dynamic Multipoint VPN (DMVPN)

Secure Meshed Tunnels Automatically!

Diagram: a hub with Spoke A and Spoke B; DMVPN tunnels (dynamic, unknown IP addresses) alongside traditional static tunnels (static, known IP addresses).

Benefits:
• Full meshed connectivity with the configuration simplicity of hub and spoke
• Preserves (central) bandwidth, minimizes latency
• Support for dynamically addressed spokes
• Zero touch configuration for addition of new spokes in the DMVPN

Secure Connectivity: V3PN: Secure, Toll Quality Voice, Video, Data

V3PN:
• Data, voice and video traffic delivered with QoS policies for latency sensitive traffic

Benefits:
• Wirespeed encryption
• Bandwidth conservation
• Toll quality, jitter-free voice and video
• LAN and WAN security

Diagram: an IPSec/GRE tunnel across the telco/broadband service provider; SRTP protects voice on the LAN; an LLQ-before-crypto QoS policy on the egress interface ensures voice priority.

SSL VPN and IPSec Connectivity Profiles

SSL VPN:
• Uses a standard web browser to access the corporate network
• SSL encryption native to the browser provides transport security
• Applications accessed through browser portal
• Limited client/server applications accessed using applets

IPSEC VPN:
• Uses purpose-built client software for network access
• Client provides encryption and desktop security
• Client establishes seamless connection to network
• All applications are accessible through their native interface

SSL VPN Deployment Environments

SSL VPN DEPLOYMENTS
• Anywhere access
  – Extranets
  – Employee-owned computers
• “Lite” users
  – Employees who only need occasional access
  – Employees who need access to few applications
• Simple or locked-down access
  – Restricted server and application access by population

Key capabilities:
• Unmanaged desktops
• Access from non-corporate machines
• Customized user portals
• Granular access control
• Easy firewall traversal from any location

December 12 – 15, Cannes, France


Cisco IOS Firewall