Creating a Cisco Self-Defending Network

Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions.

Evolving Security Threats

As computing resources have evolved over the past couple of decades, security threats have kept pace. For example, in the 1980s, boot-sector viruses presented a threat to computer systems. However, such viruses took weeks to propagate throughout an individual network, because they spread on physical media. During the 1990s, more-advanced viruses, denial-of-service (DoS) attacks, and other hacking attacks evolved. These attacks could impact multiple networks and propagate in a matter of days.

Modern networks face threats such as blended threats, which combine worm, virus, and Trojan horse characteristics. Such advanced threats can spread throughout regional networks in a matter of minutes. Future threats are anticipated to spread globally within just a few seconds.

One of the challenges of protecting against these evolving threats is the ambiguity of network boundaries. For example, consider the following:

■ TCP port 80 traditionally is thought of as the port used for web traffic. Because port 80 is almost always left open through the perimeter of a "secured" network, attackers can attempt to send malicious traffic in the form of port 80 payloads, which a filter that looks only at port numbers cannot distinguish from legitimate web requests.

■ Because traffic is often sent in an encrypted format (for example, using Secure Sockets Layer [SSL] or Transport Layer Security [TLS]), malicious traffic can often escape recognition by devices that inspect packet contents (for example, Intrusion Prevention System [IPS] or Intrusion Detection System [IDS] appliances), because those devices see only ciphertext unless the session is terminated or decrypted in front of them.

■ Clients often have multiple network connections (for example, a wireless laptop connected to a corporate wireless access point and also acting as a peer in a wireless ad-hoc network). Therefore, those clients might act as conduits for malicious users to access a "secured" network.
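The first of these points, that "port 80" says nothing about what the bytes actually are, is what application-layer inspection addresses. The following is an added example written for this section (it is not code from the book or from any Cisco product) that classifies the opening bytes of a TCP port 80 stream as a real HTTP request, an HTTP CONNECT tunnel, or something that is not HTTP at all. The sample payloads are constructed; a port-based filter would permit all of them identically.

```python
"""Application-layer check of traffic arriving on TCP port 80.

Added example for this section; not code from the book or from Cisco.
The sample payloads below are constructed for the example.
"""
import re

# Request line of an HTTP/1.x message (RFC 7230 section 3.1.1, simplified).
_REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
_KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                  b"OPTIONS", b"TRACE", b"CONNECT"}


def _printable(block: bytes) -> bool:
    """True if every byte is printable ASCII or CR/LF/TAB, as HTTP header bytes must be."""
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in block)


def classify_port80_payload(payload: bytes) -> tuple[str, str]:
    """Classify the first client-to-server bytes of a TCP/80 stream.

    Returns (verdict, reason); verdict is one of
      "http"      a well-formed HTTP/1.x request, the only case that the
                  'port 80 is web traffic' assumption actually covers
      "tunnel"    an HTTP CONNECT request, i.e. an arbitrary TCP session
                  carried inside a proxy connection on port 80
      "non-http"  bytes that do not parse as HTTP at all (another protocol
                  or binary data pushed through the open port)
    """
    m = _REQUEST_LINE.match(payload)
    if m is None:
        return "non-http", "stream does not start with an HTTP/1.x request line"
    method, target = m.group(1), m.group(2)
    if method not in _KNOWN_METHODS:
        return "non-http", f"unknown method {method.decode('ascii')}"
    if method == b"CONNECT":
        return "tunnel", f"CONNECT to {target.decode('ascii', 'replace')}"
    header_block = payload.split(b"\r\n\r\n", 1)[0]
    if not _printable(header_block):
        return "non-http", "non-printable bytes inside the header block"
    return "http", f"{method.decode('ascii')} {target.decode('ascii', 'replace')}"


# Constructed sample flows, all captured on destination port 80.
SAMPLE_FLOWS = {
    "browser":     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh-on-80":   b"SSH-2.0-OpenSSH_7.4\r\n",
    "proxy-smtp":  b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com:25\r\n\r\n",
    "tls-on-80":   b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    "binary-hdrs": b"POST /up HTTP/1.1\r\nHost: x\r\nX-Blob: \x00\x01\x02\r\n\r\n",
}


def triage(flows: dict[str, bytes]) -> dict[str, str]:
    """Map each flow name to its verdict; anything other than 'http' deserves a closer look."""
    return {name: classify_port80_payload(data)[0] for name, data in flows.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_FLOWS.items():
        verdict, reason = classify_port80_payload(data)
        print(f"{name:12s} {verdict:9s} {reason}")
```

Of the five constructed flows only the first is web traffic; the SSH banner and the TLS ClientHello are other protocols riding the open port, the CONNECT request is a tunnel to an SMTP server, and the POST with binary header bytes is malformed HTTP. This is the kind of protocol validation an inline IPS or application-aware firewall performs before trusting the port number.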

Constructing a Cisco Self-Defending Network

When a Cisco Self-Defending Network is constructed, consideration is given to how the individual security products work together. As a result, a Cisco Self-Defending Network integrates a collection of security solutions to identify threats, prevent those threats, and adapt to emerging threats.

Figure 2-4 highlights the three core characteristics of a Cisco Self-Defending Network, which are described in Table 2-7.

Figure 2-4 Cisco Self-Defending Network Core Characteristics

Table 2-7 Cisco Self-Defending Network Core Characteristics

Characteristic: Description

Integrated: Security is built in to the network, as opposed to being added to an existing network.

Collaborative: IT personnel focusing on security collaborate with IT personnel focusing on network operations.

Adaptive: Security solutions can adapt to evolving threats.

Cisco Self-Defending Networks can be more cost-effective, as compared to merely implementing a series of standalone solutions (also known as point solutions). This is because a complementary infrastructure simplifies management and administrative tasks. Similarly, equipment upgrade cycles can be better coordinated. Construction of a Cisco Self-Defending Network begins with a network platform that has integrated security. Then, strategic security features such as the following are layered on top of the already secure foundation:

■ Threat control: Strategies to contain and control threats include the following:

— Endpoint threat control defends endpoints against threats, typically sourced from the Internet, such as viruses and spyware.

— Infrastructure threat control protects servers and shared applications from internal and external threats.

— E-mail threat control blocks security threats sourced from e-mail, such as malicious attachments.

■ Confidential and authenticated communication: Technologies such as IPsec and SSL VPNs can provide confidential and authenticated communications channels. Specifically, the Cisco Secure Communications solution offers a set of products that can be categorized into one of two broad categories:

— Remote-access communications security secures transmission to an organization's network and applications via a secure tunnel formed across the Internet on an as-needed basis.

— Site-to-site communications security secures transmission between an organization's primary site and other sites (for example, home offices or business partners) via an Internet-based WAN infrastructure.

■ Management solutions: Products that provide system-wide control of policies and configuration offer a variety of benefits:

— Efficiency of rolling out a new policy to multiple devices while maintaining consistency of the configuration

— Comprehensive view of a network's end-to-end security status

— Quick response to attacks

— Improved congruity with an organizational security policy

Figure 2-5 shows the hierarchical structure of a Cisco Self-Defending Network.

Figure 2-5 Cisco Self-Defending Network Hierarchical Structure

Cisco Security Management Suite

As an organization's network begins to grow, end-to-end security management becomes a more daunting task. Fortunately, Cisco offers a suite of security management tools, the main components of which are Cisco Security Manager and Cisco Security Monitoring, Analysis, and Response System (MARS).

Cisco Security Manager

The Cisco Security Manager application can be used to configure security features on a wide variety of Cisco security products. From a scalability perspective, Cisco Security Manager can be useful on smaller networks (for example, networks with fewer than ten devices), and it can also help more efficiently manage networks containing thousands of devices. As a few examples, the Cisco Security Manager application offers these features:

■ Provisioning security on a variety of Cisco platforms, including Cisco IOS-based routers, Cisco ASA 5500 series security appliances, Cisco PIX 500 series security appliances, Cisco IPS 4200 sensors, and the Advanced Inspection and Prevention Security Services Module (AIP-SSM), available for the Cisco Catalyst 6500 series switch platform

■ Performing configuration tasks via a graphical interface

■ Applying a centralized policy, which maintains consistency throughout a network and that can be inherited by newly installed devices

■ Interoperating with Cisco Secure Access Control Server (ACS) to provide different sets of permissions to different administrative users

NOTE The following URL offers a flash-based introduction to Cisco Security Manager:

Cisco Security MARS

The Cisco Security MARS product offers security monitoring for security devices and applications. In addition to Cisco devices and applications, Cisco Security MARS can monitor many third-party devices and applications. As a few examples, Cisco Security MARS performs these functions:

■ It collects events from multiple devices in the network and correlates them, so that an alert from one device is weighed against what the other devices saw (for example, whether the firewall actually permitted the connection an IPS sensor alerted on), thereby reducing the number of false positives presented to an analyst.

■ It identifies appropriate mitigation strategies for specific security challenges.

■ It uses Cisco NetFlow technology to more readily identify network anomalies.
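The three functions above (cross-device correlation, mitigation selection, and NetFlow-based anomaly detection) fit together as a single pipeline. The following is an added example written for this section, not code from the book or from Cisco Security MARS: it takes constructed IPS alerts, firewall connection logs, and NetFlow records in simplified formats (the signature numbers and addresses are placeholders, and the field layouts are assumptions, not real device output), suppresses alerts the firewall already blocked, escalates an alert when NetFlow shows the targeted host fanning out to many internal hosts afterwards, and attaches a mitigation such as shunning the source at the firewall, which is the blocking action described for the IPS appliances in Table 2-8.

```python
"""Cross-device event correlation in the style of a security monitoring system.

Added example for this section; not code from the book or from Cisco Security MARS.
Event formats are simplified assumptions and all sample events are constructed.
"""
from dataclasses import dataclass
from typing import NamedTuple


class IpsAlert(NamedTuple):
    t: int          # seconds on a constructed clock
    sensor: str
    sig: int        # signature id (placeholder values below)
    src: str
    dst: str
    dport: int


class FwEvent(NamedTuple):
    t: int
    action: str     # "built" (connection permitted) or "deny"
    src: str
    dst: str
    dport: int


class Flow(NamedTuple):
    t: int
    src: str
    dst: str
    dport: int


@dataclass
class Incident:
    alert: IpsAlert
    severity: str       # "info", "suspicious" or "confirmed"
    evidence: str
    mitigation: str


def correlate(alerts, fw_log, netflow, window=10, after=60, fanout_threshold=15):
    """Turn raw IPS alerts into incidents by checking other devices' evidence.

    Rules, applied once per alert:
      1. If the firewall denied the matching connection within `window`
         seconds of the alert, the attack never reached the host: "info".
      2. Otherwise count the distinct hosts the alerted destination opened
         flows to in the `after` seconds following the alert (NetFlow).
         Fan-out at or above `fanout_threshold` is worm-like propagation:
         "confirmed", with a blocking mitigation.
      3. Otherwise the alert stands uncorroborated: "suspicious".
    """
    incidents = []
    for a in alerts:
        fw_match = [e for e in fw_log
                    if abs(e.t - a.t) <= window
                    and (e.src, e.dst, e.dport) == (a.src, a.dst, a.dport)]
        if fw_match and fw_match[-1].action == "deny":
            incidents.append(Incident(
                a, "info",
                f"firewall denied {a.src}->{a.dst}:{a.dport} at t={fw_match[-1].t}",
                "none (already blocked at the firewall)"))
            continue
        fanout = {f.dst for f in netflow
                  if f.src == a.dst and a.t <= f.t <= a.t + after}
        if len(fanout) >= fanout_threshold:
            incidents.append(Incident(
                a, "confirmed",
                f"{a.dst} opened flows to {len(fanout)} hosts within {after}s of the alert",
                f"shun {a.src} at the firewall; isolate {a.dst} from the LAN"))
        else:
            incidents.append(Incident(
                a, "suspicious",
                "connection permitted, no propagation seen yet",
                f"drop inline on {a.sensor}; investigate {a.dst}"))
    return incidents


def actionable(incidents):
    """Incidents an analyst should act on; the rest would have been false positives."""
    return [i for i in incidents if i.severity != "info"]


# Constructed sample events from three sources: an IPS sensor, a firewall, and NetFlow.
IPS_ALERTS = [
    IpsAlert(100, "ips-4215", 5081, "203.0.113.9",  "10.10.1.20", 80),
    IpsAlert(105, "ips-4215", 5081, "198.51.100.7", "10.10.1.30", 80),
    IpsAlert(160, "ips-4215", 3030, "203.0.113.9",  "10.10.1.20", 445),
]
FW_LOG = [
    FwEvent(99,  "built", "203.0.113.9",  "10.10.1.20", 80),
    FwEvent(104, "deny",  "198.51.100.7", "10.10.1.30", 80),
    FwEvent(159, "built", "203.0.113.9",  "10.10.1.20", 445),
]
NETFLOW = (
    [Flow(50 + i, "10.10.1.30", "10.10.1.5", 53) for i in range(5)]                 # normal DNS
    + [Flow(161 + i, "10.10.1.20", f"10.10.1.{100 + i}", 445) for i in range(20)]   # fan-out
)


if __name__ == "__main__":
    for inc in correlate(IPS_ALERTS, FW_LOG, NETFLOW):
        print(f"sig {inc.alert.sig} {inc.alert.src}->{inc.alert.dst}:{inc.alert.dport}")
        print(f"   {inc.severity:10s} {inc.evidence}")
        print(f"   mitigation: {inc.mitigation}")
```

With the constructed data, three raw alerts become one informational entry (the firewall had already denied the connection), one suspicious incident (the connection was permitted but nothing followed), and one confirmed incident (the targeted host began opening flows to 20 internal hosts within a minute). Only the last two are actionable, which is the false-positive reduction the text describes, and the confirmed one carries the shun action that an IPS can push to a firewall.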

NOTE The following URL offers a flash-based introduction to Cisco Security MARS:

Cisco Integrated Security Products

A Cisco Self-Defending Network relies on a collection of complementary security solutions. Table 2-8 identifies some of the products available in the Cisco product line that could contribute to a Cisco Self-Defending Network.

Table 2-8 Examples of Cisco Security Products

Product: Description

Cisco IOS router: Many Cisco IOS routers can be configured with Intrusion Prevention System (IPS), virtual private network (VPN), and firewall features.

Cisco ASA 5500 series security appliance: The Cisco 5500 series of Adaptive Security Appliances (ASA) offers a wide variety of security solutions, such as firewall, IPS, VPN, antispyware, antivirus, and antiphishing. Figure 2-6 shows a collection of Cisco ASA 5500 series security appliances.

Cisco PIX 500 series security appliance: The Cisco PIX 500 series of security appliances offers firewall and VPN-termination features. As an example, Figure 2-7 shows a Cisco PIX 535 security appliance.

Cisco 4200 series IPS appliances: The Cisco 4200 series of IPS appliances can analyze traffic inline. If this inline analysis identifies traffic believed to be malicious, the IPS appliance can perform such operations as dropping the traffic, sending an alert, and instructing another network device (such as a Cisco PIX security appliance) to block connections from the offending host. Figure 2-8 shows a selection of Cisco 4200 series IPS appliances.

Cisco Security Agent (CSA): Cisco Security Agent (CSA) is an application that provides IPS services on a host. Therefore, CSA is called a Host-based Intrusion Prevention System (HIPS) application.

Cisco Secure Access Control Server: The Cisco Secure Access Control Server (ACS) application can provide an authentication, authorization, and accounting (AAA) function, thus allowing different sets of permissions to be applied to different users.

Catalyst 6500 series switch and Cisco 7600 series router modules: Cisco Catalyst 6500 series switches and Cisco 7600 series routers use a modular chassis with multiple interchangeable modules. Some of these modules provide security features to the chassis. For example, you could insert a Firewall Services Module (FWSM) into a chassis to provide firewall services between various VLANs defined on a Cisco Catalyst 6500 series switch.

Cisco Router and Security Device Manager (SDM): Cisco SDM provides a graphical interface for configuring a variety of security features (for example, IPS, IPsec site-to-site VPN, and firewall features), in addition to multiple router configuration features. Figure 2-9 shows the home screen of the SDM application.

Figure 2-6 Cisco ASA 5500 Series Security Appliances

Figure 2-7 Cisco PIX 535 Security Appliance

Figure 2-8 Cisco 4200 Series IPS Appliances

Figure 2-9 SDM Interface