
Managed Security Services from Service Providers
Georgina Schaefer
georgina@cisco.com

Session Number
Presentation_ID

2001, Cisco Systems, Inc. All rights reserved.

Agenda

The Managed Security Services market
Managed firewall services
Managed intrusion detection services
Managed VPN services
Management
Cisco initiatives


MSS Market Perception

General interest and demand for managed services
WAN, Hosting, ASP, Voice, ...
SPs can offer 24x7x365 monitoring
Economies of scale

Main growth for MSS amongst the SME segment
Lack of both financial and technical resources

Increases in the frequency, severity and complexity of security attacks
Senior management realise the damage potential of attacks
Willingness to invest more in security
Concerned about time to market

MSS Market Restraints

Customers
Enterprises are unwilling to lose control of their networks
Unproven reputation of MSSPs
Large number of SP bankruptcies
Lack of perceived need for extensive security

Service Providers
Difficult to demonstrate quantifiable ROI
Difficult to provide an SLA

Where are the Enterprises today?

If implemented, security is a preventive measure
Firewall, Authentication, Encryption, ...
Prevention is not enough - need detection and response
Time and resource consuming
Lack of implementation usually due to complexity, the quantity of information to be processed and lack of education
Enterprises are generally looking for partial or total outsourcing of security services
SMEs look for fully outsourced, simple and cheap services
Larger corporates look for partially managed, high-level security services: they want to keep control!

Where are the SPs today?

Most European SPs already provide basic security offerings such as managed firewalls and user authentication
Managed security has become a catch-all expression
e.g. VPN (L2, L3, MPLS, IPSec, ...)

More comprehensive security packages are becoming increasingly important for SP differentiation
MSS can involve installation and configuration but also upgrading and on-going reconfiguration work
An additional service can be day-to-day monitoring and response

SPs are familiar with SLAs but security SLAs are only just being introduced

Who are the MSSPs?

Not only the service providers (Telcos, ISPs, ASPs) but also
Systems Integrators
Pure MSSPs
Security Vendors

Services delivered via 1-tier or 2-tier model

Greatest market acceptance seems to be through established SPs
e.g. Deutsche Telekom, Cable & Wireless/Exodus, Energis, ...

MSS Offerings

(Figure: overview of MSS offerings; labels as shown)
Access Security
Service Management
Managed Firewall
Remote Access
Data Transport Security
Security Consultancy / Consulting
IP VPNs
Business Continuity
Anti-Virus and content control
Service Level Agreements
Intrusion Detection/Prevention
Public Key Infrastructure


Managed Firewall

Most basic service and network security measure
Management and monitoring services vary considerably
Installation and configuration (based on policy given by customer)
Status and performance monitoring
Real-time analysis
Incident response procedures
Periodic reports

Enterprise threats

(Figure: three-zone network around a firewall; labels as shown)
Internal Network: may contain private information or critical services
External Network: may be home to attackers
DMZ network: no outgoing connections; provides safe meeting ground for internal and external users; hosts DNS (private), mail servers (private), web content (public)
Addresses shown in the figure: 192.168.27.131, 192.168.27.129, 192.168.27.1, 192.168.27.3

PIX Firewall: Key Applications

(Figure: PIX models placed at network locations; labels as shown)
Locations: Corp HQ, Small Division, Internet, Service Provider, Server Farm, Branch/Retail, Regional Office, Telecommuter/Day Extender, Small business/Small Satellite Office
Models: PIX 501, PIX 506, PIX 515, PIX 525, PIX 535
Same OS regardless of platform
Common features and management

PIX Firewall Product Line Overview

Model            | 501             | 506E      | 515E-UR   | 525-UR     | 535-UR
Market           | SOHO            | ROBO      | SMB       | Enterprise | Ent. + SP
MSRP             | $595 or $1195   | $1,695    | $7,995    | $18,495    | $59,000
Licensed Users   | 10 or 50        | Unlimited | Unlimited | Unlimited  | Unlimited
Max VPN Peers    | (not extracted) | 25        | 2,000*    | 2,000*     | 2,000*
Cleartext (Mbps) | 10              | 20        | 188       | 360        | 1.7 Gbps (GigE enabled)
3DES (Mbps)      | (not extracted) | 16        | 63*       | 70*        | 95*

* Using an integrated VPN Accelerator Card (VAC)

Cisco Web Hosting Data Center Design

(Figure: layered data center design; labels as shown)
WAN Edge Layer: SP network, GSRs, Geographic Content Switch
Security Layer: PIX Firewalls (Shared)
Core Layer: Catalyst 6500
Distribution/Aggregation Layer: Cache / Content Engine, IDS Sensor, content switches (CSS-11800 & CSS-11150), Cat6K
Access Layer: Catalyst 2900, 3500, 4000, 5500, 6500
Customer segments: Cust. A, Cust. B, Cust. C
Dedicated Servers behind PIX Firewalls (Dedicated); Web Server Farm; Shared Servers; Unmanaged Customer Cages for Collocation services

Data Center Threats

Illegal access to servers
Illegal access to network devices
Denial of Service (DoS) attacks on customer servers

Data Center Firewalling

Shared firewalls
Enforce general policies which apply to ALL customers/servers
e.g. may prevent outgoing connections, spurious protocols
Limit access to network devices
Policies modified once attacks have been detected and traced
Work in addition to router ACLs

Dedicated firewalls
Policies are specific to the customers and/or servers
ACLs may limit the effect of an attack, so that an attack on one set of servers does not affect ALL customers

Firewalls are not typically used to detect/trace attacks
Once attacks are known, firewalls can apply ACLs

New Hardware
Cat6500 Firewall Services Module
Industry's leading firewall performance!
Fabric enabled
Available now

PIX 6.0 base feature set + some features of 6.2
High performance firewall, targeted at OC48 or 2.5 Gbps
1 million concurrent connections
3 million pps
100K new connections/sec for HTTP, DNS
100 VLANs
Supports 128K rule set
LAN failover active/standby (both intra/inter chassis)
Dynamic routing, i.e. RIP, OSPF
Supports multiple blades in the chassis
Supports multiple IN/OUT and DMZs
IPSec for management only
No IDS signatures
Supported on Native IOS only
Virtual firewalls (future release)

Virtual Firewall Application

(Figure: branch offices attached to an MPLS-VPN, a head office firewall and a firewall towards the INTERNET; labels as shown)
Head Office advertises default route to VPN and forces all traffic through firewall
Virtual Firewall: VRF advertises default to VPN

Shared Services Model

(Figure: MPLS VPN sites London, Amsterdam, Paris and Bruxelles with CE routers in VPN A and VPN B, sharing ERP, Internet Gateway, Hosted Content, Video Server and H.323 Gatekeeper; labels as shown)

Business drivers
MPLS VPN Global Services
Enables a Service Provider to offer a set of Shared Services to their customers across VPNs

By enabling Shared Services, a Service Provider will
- Differentiate SP from competition
- Increase services portfolio

Issue today:
- Overlapping private addresses

Network Address Translation today

NAT occurs
after routing, from inside-to-outside
before routing, from outside-to-inside

NAT intercepts all traffic against the configured NAT translations
An interface can be configured as being Inside or Outside
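The ordering on this slide (route first for inside-to-outside, translate first for outside-to-inside) is easy to get wrong, so here is an added illustration, not Cisco code: a small Python model of a router with a constructed two-interface setup, a static translation table and a routing table, showing why the outside-to-inside direction must translate before the route lookup. All addresses and interface names are constructed for the example.

```python
import ipaddress

# Constructed router model (not from the slide): interface roles, static
# one-to-one NAT entries (inside local -> inside global) and a routing table.
INTERFACES = {"Ethernet0": "inside", "Serial0": "outside"}
NAT_TABLE = {"10.1.1.10": "203.0.113.10", "10.1.1.11": "203.0.113.11"}
ROUTES = [("10.1.1.0/24", "Ethernet0"), ("0.0.0.0/0", "Serial0")]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(ingress, src, dst):
    """Apply the slide's ordering and return the packet as it leaves the router.

    inside -> outside: route on the original header, then translate the source
    outside -> inside: translate the destination, then route on the result
    """
    steps = []
    if INTERFACES[ingress] == "inside":
        egress = route_lookup(dst)
        steps.append(f"route {dst} -> {egress}")
        # Translation only applies when the packet actually crosses to an
        # outside interface; inside-to-inside traffic is left alone.
        if egress and INTERFACES[egress] == "outside" and src in NAT_TABLE:
            src = NAT_TABLE[src]
            steps.append(f"translate src -> {src}")
    else:
        global_to_local = {g: l for l, g in NAT_TABLE.items()}
        if dst in global_to_local:
            dst = global_to_local[dst]
            steps.append(f"translate dst -> {dst}")
        egress = route_lookup(dst)
        steps.append(f"route {dst} -> {egress}")
    return {"src": src, "dst": dst, "egress": egress, "steps": steps}


if __name__ == "__main__":
    for args in [("Ethernet0", "10.1.1.10", "198.51.100.5"),
                 ("Serial0", "198.51.100.5", "203.0.113.10"),
                 ("Ethernet0", "10.1.1.10", "10.1.1.11")]:
        print(args, "->", forward(*args))
```

Calling route_lookup("203.0.113.10") on its own returns Serial0, the outside interface: if the outside-to-inside packet were routed before being translated it would never reach Ethernet0, which is exactly why translation precedes routing in that direction.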


NAT and MPLS VPN Integration

Maintains support for all existing applications & protocols in an MPLS VPN environment
NAT can be configured on 1 or more PEs
providing NAT redundancy
the Shared Service does not need to be physically connected to the PE device performing NAT

An interface is still either inside or outside
An outside interface can be part of a VRF or a regular generic interface
NAT will inspect all traffic routed VRF-to-VRF or VRF-to-Global


Intrusion Detection/Prevention

80% of recent attacks have been performed over port 80
In-depth examination of traffic is required to identify attacks within legal traffic on both the network and the critical hosts
IDS services require powerful and complex management (updates, tuning), monitoring and response procedures
Needs 24x7 service operation - requires an automated system

Denial of Service (DoS)

The Mechanisms Used
1. Cracking:
Manually, through viruses, worms (Code Red, Nimda, ...)
always exploiting host vulnerabilities

2. Signalling:
e.g. ICMP, management protocols

3. Flooding:
TCP SYN flood, UDP, ICMP, other IP protocols, ...

Attacking a line: big packets (bandwidth!)
Attacking a host/router: small packets (pps!)

Detecting DoS Attacks

Customer call
SNMP: line/CPU overload, drops
Netflow: counting flows
Access lists with logging
Sniffers
Dedicated detection devices
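Counting flows, as the slide lists for Netflow, is enough to spot a flood and to tell the two attack shapes of the previous slide apart. The following Python is an added example, not Cisco code or Netflow output: it reads constructed flow records (source, destination, protocol, packet and byte counts), counts flows and distinct sources per destination, and classifies a flood by average packet size, small packets meaning a host/router (pps) attack and big packets a line (bandwidth) attack. The thresholds and the record format are assumptions for the example.

```python
from collections import defaultdict

# Thresholds for this constructed example; real values are tuned per network.
FLOW_THRESHOLD = 50      # flows to one destination in the sampling window
SMALL_PKT_BYTES = 100    # average packet size at or below this counts as "small"
BIG_PKT_BYTES = 1000     # average packet size at or above this counts as "big"


def parse_flows(lines):
    """Parse constructed 'src dst proto packets bytes' records into dicts."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, pkts, byts = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "packets": int(pkts), "bytes": int(byts)})
    return flows


def analyse(flows):
    """Count flows per destination and classify floods by packet size.

    Returns {dst: {"flows", "sources", "avg_packet_bytes", "kind"}} for every
    destination that received at least FLOW_THRESHOLD flows.
    """
    per_dst = defaultdict(lambda: {"flows": 0, "sources": set(),
                                   "packets": 0, "bytes": 0})
    for f in flows:
        d = per_dst[f["dst"]]
        d["flows"] += 1
        d["sources"].add(f["src"])
        d["packets"] += f["packets"]
        d["bytes"] += f["bytes"]

    verdicts = {}
    for dst, d in per_dst.items():
        if d["flows"] < FLOW_THRESHOLD:
            continue
        avg = d["bytes"] / d["packets"]
        if avg <= SMALL_PKT_BYTES:
            kind = "host/router attack (pps)"       # many small packets
        elif avg >= BIG_PKT_BYTES:
            kind = "line attack (bandwidth)"        # large packets fill the pipe
        else:
            kind = "unclassified flood"
        verdicts[dst] = {"flows": d["flows"], "sources": len(d["sources"]),
                         "avg_packet_bytes": round(avg, 1), "kind": kind}
    return verdicts


def make_sample():
    """Constructed records: 60 one-packet TCP flows from 60 sources to one
    host (SYN-flood shape), 55 large-packet UDP flows to a second host, and
    two ordinary flows to a third."""
    lines = [f"10.0.{i}.7 192.0.2.10 tcp 1 40" for i in range(60)]
    lines += [f"10.1.{i}.9 192.0.2.20 udp 200 290000" for i in range(55)]
    lines += ["10.2.0.5 192.0.2.30 tcp 120 96000",
              "10.2.0.6 192.0.2.30 tcp 80 64000"]
    return lines


if __name__ == "__main__":
    for dst, v in analyse(parse_flows(make_sample())).items():
        print(dst, v)
```

The third destination receives only two flows and is never reported, which is the point of thresholding on flow count rather than on bytes alone: a busy legitimate server moves many bytes over few flows.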


Tracing DoS Attacks

Non-spoofed: technically trivial (IRR)
But: potentially tracing 100s of sources

Spoofed:
Netflow (recommended):
Trivial if mechanisms are installed
Manually: router by router
No additional impact on network

Access lists (logging):
Has performance impact on most platforms
Mostly manual: router by router

Router Security Features

Detect DoS attacks: SNMP, Netflow, ACLs
Trace back packet floods: Netflow, ACLs (logging), ...
Shun a source: Unicast RPF, ACLs
Shun a destination: Null-routing, ACLs
Limit attacking traffic: CAR, Scheduler Allocate
And update all routers via BGP

ACLs with log and log-input

Careful! CPU impact!!

ACLs with log

router_B(config)#access-list 101 permit ip any any log
router_B#
14:30:34: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 178.12.60.96(0) -> 192.168.1.1(0), 1 packet
14:30:35: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 116.25.206.120(0) -> 192.168.1.1(0), 1 packet
14:30:36: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 108.98.96.64(0) -> 192.168.1.1(0), 1 packet

ACLs with log-input

router_B(config)#access-list 101 permit ip any any log-input
router_B#
14:17:19: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 67.90.141.3(0) (Serial0/0 *HDLC*) -> 192.168.1.1(0), 1 packet
14:17:21: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 105.12.73.84(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet
14:17:22: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 166.159.237.65(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet

With log-input each entry also records the input interface and the MAC address of the upstream router.
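Tracing a spoofed flood router by router means reading these entries and grouping them by the input interface and upstream MAC that log-input adds. The Python below is an added example, not Cisco code: it parses the %SEC-6-IPACCESSLOGP message form shown above (with or without the interface/MAC group), and summarises per destination how many packets arrived through each upstream, so the operator knows which neighbour to inspect next. Only that message form is handled (an assumption), and the sample input mixes lines from the slide with one constructed "denied" line.

```python
import re
from collections import defaultdict

# Matches the %SEC-6-IPACCESSLOGP lines shown above, with or without the
# "(interface mac)" group that log-input adds. Assumption: only the
# IPACCESSLOGP (TCP/UDP) message form is handled.
LOG_RE = re.compile(
    r"^(?P<time>\S+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>\S+)\))?"
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def trace_summary(lines):
    """Group logged packets per destination by (input interface, upstream MAC).

    With plain 'log' the interface and MAC are absent and the packets land
    under ('unknown', 'unknown'); with 'log-input' the summary tells the
    operator which upstream router to look at next.
    """
    summary = defaultdict(lambda: {"sources": set(), "packets": 0,
                                   "by_upstream": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        d = summary[rec["dst"]]
        d["sources"].add(rec["src"])
        d["packets"] += rec["count"]
        key = (rec["iface"] or "unknown", rec["mac"] or "unknown")
        d["by_upstream"][key] += rec["count"]
    return {dst: {"sources": len(d["sources"]), "packets": d["packets"],
                  "by_upstream": dict(d["by_upstream"])}
            for dst, d in summary.items()}


# Sample input: the three log-input lines from the slide, one plain log line
# from the slide, and one constructed 'denied' line with a packet count of 5.
SAMPLE = [
    "14:17:19: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 67.90.141.3(0) (Serial0/0 *HDLC*) -> 192.168.1.1(0), 1 packet",
    "14:17:21: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 105.12.73.84(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet",
    "14:17:22: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 166.159.237.65(0) (FastEthernet0/0 0006.d780.2380) -> 192.168.1.1(0), 1 packet",
    "14:30:34: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 178.12.60.96(0) -> 192.168.1.1(0), 1 packet",
    "14:17:25: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(0) (Serial0/0 *HDLC*) -> 192.168.1.1(0), 5 packets",
]

if __name__ == "__main__":
    for dst, info in trace_summary(SAMPLE).items():
        print(dst, info)
```

Because the packet count in each entry is summed rather than the entries themselves, the summary still reflects volume when the router rate-limits logging and reports several packets per line.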

Strict uRPF Check (Unicast Reverse Path Forwarding)

router(config-if)# ip verify unicast reverse-path

(Figure: router with interfaces i/f 1, i/f 2 and i/f 3; packet "S D data" arrives on i/f 1)
FIB: S -> i/f 1 (same i/f the packet arrived on): Forward
FIB: S -> i/f 2 (other i/f): Drop

Loose uRPF Check (Unicast Reverse Path Forwarding)

router(config-if)# ip verify unicast source reachable-via any

(Figure: same router; packet "S D data" arrives on i/f 1)
FIB: S -> i/f x (any i/f): Forward
Not in FIB, or route -> null0: Drop
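Both uRPF slides reduce to one FIB lookup on the source address and a different acceptance rule. The Python below is an added example, not Cisco code: it models the FIB as prefix/interface pairs with longest-prefix match and implements the strict rule (the FIB's interface toward the source must be the ingress interface) and the loose rule (any FIB entry except a route to null0). It also models the IOS allow-default keyword, which is not on the slides and is an assumption here: by default a default route does not satisfy either check. The FIB entries and packets are constructed.

```python
import ipaddress

# Constructed FIB: (prefix, egress interface). "null0" is a discard route;
# the last entry is a default route.
FIB = [
    ("192.0.2.0/24", "if1"),
    ("198.51.100.0/24", "if2"),
    ("203.0.113.0/24", "null0"),
    ("0.0.0.0/0", "if3"),
]


def fib_lookup(addr, fib=FIB, allow_default=False):
    """Longest-prefix match on addr; returns the egress interface or None.

    Assumption modelled on IOS: a default route does not satisfy uRPF
    unless allow-default is configured.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return None
    if best[0].prefixlen == 0 and not allow_default:
        return None
    return best[1]


def strict_urpf(src, ingress, fib=FIB, allow_default=False):
    """ip verify unicast reverse-path: the FIB's interface toward the source
    must be the interface the packet arrived on."""
    return fib_lookup(src, fib, allow_default) == ingress


def loose_urpf(src, fib=FIB, allow_default=False):
    """ip verify unicast source reachable-via any: any FIB entry toward the
    source will do, except a route to null0 (or no route at all)."""
    iface = fib_lookup(src, fib, allow_default)
    return iface is not None and iface != "null0"


def filter_packets(packets, mode, fib=FIB):
    """Apply one check to (src, ingress) tuples; returns (forwarded, dropped)."""
    check = {"strict": lambda s, i: strict_urpf(s, i, fib),
             "loose": lambda s, i: loose_urpf(s, fib)}[mode]
    forwarded, dropped = [], []
    for src, ingress in packets:
        (forwarded if check(src, ingress) else dropped).append((src, ingress))
    return forwarded, dropped


# Constructed packets: a legitimate one, one whose source arrives on the
# "wrong" interface (spoofed, or simply asymmetric routing), one from a
# prefix routed to null0, and one with no route other than the default.
PACKETS = [
    ("192.0.2.5", "if1"),
    ("192.0.2.5", "if2"),
    ("203.0.113.9", "if2"),
    ("10.9.9.9", "if3"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, filter_packets(PACKETS, mode))
```

The second packet is the one that separates the two modes: strict drops it because the return path is via if1, loose forwards it. That is why loose mode is the one usable where routing is asymmetric, at the cost of only catching sources that are unrouted or null-routed.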

Scheduler allocate
Schedules CPU time spent on processes versus packet handling
Syntax:
scheduler allocate <interrupt> <processes>
<interrupt>: 3000-60000 microseconds handling network interrupts
<processes>: 1000-8000 microseconds running processes
Example:
router(config)#scheduler allocate 8000 8000

Very useful under heavy load!

Advanced Intrusion Protection

Intrusion Protection provides:
Enhanced security over classic technologies, e.g. ACLs
Advanced technology to address the changing threat
Increased resiliency of eBusiness systems and applications
Effective mitigation of malicious activity and insider threats

IDS Portfolio
Solution Breadth

Network Sensor: 4210, 4230, 4235, 4250
Switch Sensor: IDSM-1, IDSM-2, IDSM-2-XL
Host Sensor: Standard Sensor, Web Sensor
Router Sensor: 800, 1700, 2600, 3600, 7x00
Firewall Sensor: 501, 506E, 515E, 525, 535
Mgmt: Secure Command Line, Web UI / Embedded Mgr, Enterprise Mgmt (VMS)

IDS-4235 Network Sensor Appliance

Extending Cisco's powerful intrusion protection line-up to performance-conscious enterprise and service provider customers
Key Features
High speed performance (150 Mbps)
Integrated, web-based UI
1 RU form factor
10/100/1000 Base-T copper interface support
Advanced protection algorithms

Price: $12,500
Availability: May 2002

IDS-4250 Network Sensor Appliance

Extending Cisco's technical and innovation leadership with the fastest gigabit appliance offering high performance intrusion protection
Key Features
Gigabit performance
Integrated, web-based UI
1 RU form factor
Gigabit copper and fiber interface support
Optional redundant power supplies
Performance upgradeable
Advanced protection algorithms

Price: Starting at $25,000
Availability: May 2002

Switch Sensor
Catalyst 6500 IDS Module
IDSM delivers switch-integrated protection, allowing customers to leverage their network investment by delivering security and switching services in a single box
Key Features
Network-integrated protection
Interfaces directly into switch backplane
Advanced VLAN ACLs to shape/target traffic
Monitors 802.1q and ISL traffic across multiple VLANs
(Risk Mitigation gauge: Low ... Hi)

Switch Sensor Portfolio

                   | IDSM-1 | IDSM-2 | IDSM-2-XL
Performance (Mbps) | 120    | 500    | 1000
Size (RU)          | 1 slot | 1 slot | 1 slot
Processor (MHz)    | Custom | Custom | Custom
Hardware Assist    | Yes    | No     | Yes
Availability       | Today  | 2H02   | 2H02

Host Sensor
Industry-leading Host Sensor (Entercept) provides attack prevention against operating systems, applications, and critical system resources, providing unique day-zero protection
Key Features
Sophisticated attack protection
OS and application attacks
Buffer overflow attacks
Web server application attacks
SSL encrypted HTTP attacks
Prevents access to server resources before any unauthorized activity occurs
(Risk Mitigation gauge: Low ... Hi)

Host Sensor Portfolio

                 | Standard Server Agent                         | Web Server Agent                                                 | Host Console*
Platforms        | Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8 | Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8                    | Win NT 4.0, Windows 2000
Web Applications |                                               | IIS Web Svr, Apache Web Svr, iPlanet Web Svr, Netscape Ent Svr   |

DoS Defence Partners

Example: Riverhead
Riverhead guard
Detection device: Cisco IDS or Riverhead detector

Once a threat is detected, only the traffic addressed to the attacked host is diverted for treatment. Traffic addressed to other hosts remains undisturbed.

DoS Attacks: Data Diversion

Data diversion:
diverts the victim's traffic transparently to the cleaning device
returns legitimate traffic back to the intended destination

IOS Security
Offers an integrated solution

(Figure: Cisco IOS WAN router with integrated IPsec & FW & IDS & Mobile IP & WAN etc.; labels: IDS, IPsec HW client, FW, WAN Router)
Tight IOS feature integration with GRE, L2TP, routing, ...

Cisco IOS Firewall Benefits

(Figure: sites connected to the Internet through IOS firewall routers)
Combined with Cisco IOS software-based technologies
Positioned at the network's perimeter and aggregation points

Enhances Cisco IOS security
Strong security at lower cost of ownership
Leverages investment in Cisco infrastructure
Future enhancements include Websense/N2H2 filtering, SIP/H.323 support, token authentication etc.

Cisco IOS Firewall Features

Context-Based Access Control (CBAC)
Stateful, per-application filtering
Support for advanced protocols (H.323, SQLnet, RealAudio and more)

Integrated intrusion detection
Denial of Service detection and prevention
Per-user authentication and authorization
Real-time alerts
TCP/UDP transaction log

Cisco IOS Intrusion Detection System

Inline monitoring of network traffic for potential misuse or policy violations
Matches network traffic against lists of 59 signatures, which look for patterns of misuse
Takes action upon detection
Future IOS IDS development committed to:
Enhanced signature support
Dynamic signature update functionality

Combined with Cisco IOS Firewall for 1720, 2600, 3600, 7100 and 7200 router platforms

Newly published IDS white paper

The Science of IDS Attack Identification
Details the different approaches to recognise an attack
Freely accessible at:
http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/prodlit/idssa_wp.htm


Managed VPNs
Enterprises outsource VPNs to cut costs!
Shift towards the adoption of Layer 3 VPNs (IP based)
MPLS-VPN is a connectivity service well suited for this application and well adopted by European SPs
Enterprises may ask for IPSec together with MPLS for the following services
Site-to-site confidentiality if they do not accept the level of security provided by MPLS or the service provider
Secure off-net access to extend beyond their MPLS network boundaries

The key question is: is there a business case and demand for outsourced IPSec VPNs?

Site-to-Site (Full Mesh) IPsec VPN

(Figure: hub and spokes connected by IPsec tunnels across the Internet; labels as shown)
Hub site: Intranet, LAN 30.30.30.0 255.255.255.0 with host 30.30.30.30; static known IP addresses
Spoke site: LAN 40.40.40.0 255.255.255.0 with NTP server 40.40.40.40
Default GW 130.233.8.1; other addresses in the figure: 130.233.9.41, 130.233.9.42, 130.233.9.43, 130.233.9.44, 130.233.8.2
Legend: IPsec tunnel

Issues with site-to-site

Spokes (small sites) are often connected to the Internet.
Their external Internet address changes each time they connect.

IPsec uses an access-list to define what user traffic is to be encrypted.
Each time a new (sub)network is added behind a spoke or the hub, the customer must change the ACL on the hub and spoke routers.
The customer must notify the SP in order to get the IPsec ACL changed so that new destination traffic will be encrypted!!

Hub-and-spoke IPsec VPN

(Figure: hub with static known IP addresses; spokes with dynamic unknown IP addresses; IPsec tunnels run spoke-to-hub only; labels as shown)
Hub site: Intranet, LAN 30.30.30.0 255.255.255.0 with host 30.30.30.30; Default GW 130.233.8.1
Spoke site: LAN 40.40.40.0 255.255.255.0 with NTP server 40.40.40.40
Legend: IPsec tunnel

Issues with Hub-and-Spoke

With large hub-and-spoke networks the size of the configuration on the hub router can become very large, to the point that it is unusable.
It is not known beforehand which spokes will need to talk directly with each other. Trying to configure IPsec on a small spoke router to have direct connectivity with all other spoke routers in the network is usually not feasible.

Full Mesh with TED IPsec VPN

(Figure: hub and spokes; TED probes are exchanged between sites before IPsec tunnels are built; labels as shown)
All LANs must have routable/public IP addresses. Otherwise TED won't work.
Hub: static known IP addresses; Default GW 130.233.8.1; LAN 30.30.30.0 255.255.255.0 with host 30.30.30.30
Spokes: dynamic unknown IP addresses; LAN 40.40.40.0 255.255.255.0 with NTP server 40.40.40.40
Legend: IPsec tunnel

Issues with TED

TED probes need to be routable
Is it really feasible to assume public addresses?

TED Example
No need to configure tunnel endpoints
ACLs determine WHICH TRAFFIC to encrypt
Ideal for MPLS VPNs - maintains any-to-any nature

(Figure: Alice (behind network X) and Bob (behind network Y); exchange as labelled)
IP: A to B. UDP traffic must be protected. No SA => send probe
IKE: A to B (proxy=X)
IKE: B to A (proxy=Y)

New feature: Dynamic Multipoint VPN

(Figure: hub with static known IP addresses and spokes with dynamic unknown IP addresses; labels as shown)
LANs can have private addressing
Hub: LAN 30.30.30.0 255.255.255.0 with host 30.30.30.30; Default GW 130.233.8.1
Spoke: LAN 40.40.40.0 255.255.255.0 with NTP server 40.40.40.40
Legend: static spoke-to-hub IPsec tunnels; dynamic & temporary spoke-to-spoke IPsec tunnels

Automatic IPSec Tunnel Creation

IPSec initiates tunnels when data flows
GRE tunnel configuration must already include the GRE tunnel peer, AND the IPsec peer address must also be preconfigured
Solution is NHRP
NHRP is used to dynamically determine the required destination address of the target spoke.
IPSec is triggered immediately for the GRE tunnel, or when the GRE peer address is resolved.
There is no need to configure any crypto access-lists since these will be automatically derived from the GRE tunnel source and destination addresses.

Automatic IPSec Tunnel Creation cont'd

Spoke-to-hub tunnels are up continuously.
The hub router acts as the NHRP server and handles NHRP requests from the source spokes.
The two spokes then dynamically create an IPsec tunnel between them and data can be directly transferred.
The IP next-hop address on routing table entries controls whether IP data packets will trigger the creation of a direct spoke-to-spoke tunnel or the data packets will be forwarded via the hub router.
A timeout function will automatically tear down the tunnel after a period of inactivity.
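The two "Automatic IPSec Tunnel Creation" slides describe one procedure: spokes register with the hub, a routing-table next hop that points at another spoke triggers an NHRP resolution, a direct tunnel comes up with its crypto selector derived from the GRE endpoints, and an idle timer tears it down. The Python below is an added example, not Cisco code or a real NHRP implementation: it models that sequence with a Hub (NHRP server) and Spoke classes on a constructed topology; the message names, timer value and addresses are assumptions for the example. It also shows, by contrast with the site-to-site crypto ACL issue above, that no crypto ACL is configured anywhere.

```python
import ipaddress

IDLE_TIMEOUT = 120   # seconds of inactivity before a dynamic tunnel is torn down (constructed)


class Hub:
    """The hub as NHRP server: keeps tunnel-IP -> NBMA (public IP) registrations."""

    def __init__(self, tunnel_ip):
        self.tunnel_ip = tunnel_ip
        self.registrations = {}

    def register(self, tunnel_ip, nbma_ip):
        # NHRP registration over the always-up spoke-to-hub tunnel
        self.registrations[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip):
        # NHRP resolution request/reply; None if the spoke is unknown
        return self.registrations.get(tunnel_ip)


class Spoke:
    def __init__(self, name, tunnel_ip, nbma_ip, hub):
        self.name, self.tunnel_ip, self.nbma_ip, self.hub = name, tunnel_ip, nbma_ip, hub
        self.routes = []      # (prefix, next-hop tunnel IP); the hub is the default
        self.tunnels = {}     # peer NBMA IP -> {"selector": ..., "last_used": ...}
        self.events = []
        hub.register(tunnel_ip, nbma_ip)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def _next_hop(self, dst):
        ip = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else self.hub.tunnel_ip

    def send(self, dst, now):
        """Forward one packet at time `now`; returns 'direct' or 'hub'."""
        next_hop = self._next_hop(dst)
        if next_hop == self.hub.tunnel_ip:
            self.events.append(f"{now}: {dst} forwarded via hub")
            return "hub"
        peer_nbma = self.hub.resolve(next_hop)
        if peer_nbma is None:
            self.events.append(f"{now}: {dst} NHRP unresolved, via hub")
            return "hub"
        if peer_nbma not in self.tunnels:
            # Crypto selector derived from the GRE tunnel source and destination:
            # nothing to configure per destination network.
            selector = ("gre", self.nbma_ip, peer_nbma)
            self.tunnels[peer_nbma] = {"selector": selector, "last_used": now}
            self.events.append(f"{now}: IPsec tunnel up to {peer_nbma} for {selector}")
        self.tunnels[peer_nbma]["last_used"] = now
        return "direct"

    def expire(self, now):
        """Tear down dynamic tunnels idle for IDLE_TIMEOUT or longer."""
        for peer, t in list(self.tunnels.items()):
            if now - t["last_used"] >= IDLE_TIMEOUT:
                del self.tunnels[peer]
                self.events.append(f"{now}: IPsec tunnel to {peer} torn down (idle)")


def build_topology():
    """Constructed topology: hub 10.0.0.1, spoke A (LAN 10.1.0.0/16) and
    spoke B (LAN 10.2.0.0/16) with public NBMA addresses; 10.3.0.0/16 is
    only reachable via the hub."""
    hub = Hub("10.0.0.1")
    a = Spoke("A", "10.0.0.2", "203.0.113.2", hub)
    b = Spoke("B", "10.0.0.3", "198.51.100.3", hub)
    a.add_route("10.2.0.0/16", b.tunnel_ip)    # next hop is spoke B's tunnel address
    a.add_route("10.3.0.0/16", hub.tunnel_ip)  # next hop is the hub
    return hub, a, b


if __name__ == "__main__":
    hub, a, b = build_topology()
    a.send("10.2.0.5", now=0)
    a.send("10.3.0.5", now=1)
    a.expire(now=200)
    print("\n".join(a.events))
```

The deciding input is the next hop on the route: a prefix whose next hop is a spoke's tunnel address triggers resolution and a direct tunnel, while a prefix whose next hop is the hub is simply forwarded through the permanent spoke-to-hub tunnel.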


Easy VPN

(Figure: Cisco Unity VPN clients at Home Office (cable/DSL), Small Office (T1) and single users, each using a Cisco IOS router with Unity client, connecting to HQ across the Internet over IPsec tunnels; labels as shown)
Gateway options:
Cisco VPN 30xx
Cisco IOS 12.2(8)T
PIX 6.0
Remote devices shown: PIX501 12.2(4)YA; 800, uBR900, 1700 (12.2(4)YA); VPN3002; IOS Router
Legend: IPsec tunnel

Advantages:
Unity is the common language within the Cisco VPN environment
No separate configuration for CPEs, treated as normal Unity clients.

Easy VPN

The Cisco Easy VPN Remote feature allows Cisco routers, PIX firewalls, as well as hardware clients to act as remote VPN clients.
These devices can receive predefined security policies and configuration parameters from the headquarters' VPN head-end.
Minimises the VPN configuration required at the remote location.

Parameters such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags are all pushed to the remote device.

Easy VPN Clients & Servers

Easy VPN Clients:
Cisco VPN Client 3.x
Cisco VPN 3002 OS 3.x
Cisco PIX OS 6.2
Cisco IOS Easy VPN Client 12.2(10)T

Easy VPN Servers:
Cisco VPN 3000 Series OS 3.x
Cisco IOS Routers 12.2(8)T
Cisco PIX Firewalls OS 6.0

New Hardware
Cat6500 IPSec VPN Services Module

Speeds & Feeds!
1.9 Gbps 3DES (Max)
1.65 Gbps 3DES (IMIX)
1.6 Gbps 3DES (300 byte pkt)
8,000 tunnels
60 tunnels per second

List Price: $35,000 US

Deployments for VPN Services Module

(Figure: Campus VPN between Campus 1 and Campus 2; WAN Edge VPN towards the Enterprise)

Deployment | Description
Campus | Secure LAN traffic between switches, floors, buildings and specific sensitive network applications such as iSCSI
WAN Edge | Provide VPN termination services on the WAN aggregator router
Link-Layer Encryption Replacement | Replace old ATM and other link-layer encryption with a modern IPSec layer 3 VPN solution
Extranet | Enables partner networks to securely connect and transfer large amounts of data

Several Deployment Options

Site-to-site (full mesh) IPsec VPN
Hub-and-Spoke IPsec VPN
Full mesh with TED IPsec VPN
Cisco IOS Easy VPN Server 12.2(8)T
Dynamic Multipoint VPN (Phase 2)

VPN Services Module Roadmap

Initial Release (Cat6500)
MSFC2/Sup2
Native IOS only, no CatOS support
FE & GE interface blades
Site-to-site (full mesh) IPsec VPN
Hub-and-Spoke IPsec VPN
Full mesh with TED IPsec VPN

Phase 2 (7600 OSR)
Support for all WAN interface blades including OSMs
Multiple blades per chassis after FCS (7 x)
VPN Remote Access termination (EasyVPN Server)
Dynamic Multipoint VPN
Onboard GRE for faster routing/multicast VPN
Faster tunnel setup (~200 t/s)
VPN Solutions Center support

Phase 3
VRF-aware IPSec
Multi-chassis IPSec stateful failover
32,000 tunnels
NAT transparency

Remote Access to VPNs

Solution Overview

(Figure: SP shared network (MPLS/L2/L3 based) with PE routers and a VPN Solution Center (IPSec and MPLS); customers A, B and C with head offices, branch offices, SOHO and remote users/telecommuters in VPN A, VPN B and VPN C; labels as shown)
Access: Local or Direct Dial ISP; Cable/DSL/ISDN ISP
Remote side: Cisco IOS VPN Routers or Cisco Client 3.x; IPSec session over IP
Provider networks: IP, MPLS or L2/3 based VPN
One or Two Box Network Based IPSec Solution

IPsec to MPLS Service Architecture

Cisco IOS Solutions
Inside the IPsec/MPLS PE Router

(Figure: IOS router with IPsec interface, IPsec crypto map, global routing table, VRF-1, VRF-2 and MPLS interface)
Decrypted IPsec packets get forwarded to the global routing table.
Based on the info in the global routing table the clear text packets are forwarded to the right VRFs.
MPLS wrapped clear-text packets forward to MPLS VPNs.

LIMITATION: No overlapping IP addresses between the VRFs

IPsec to MPLS Service Architecture

Cisco IOS Solutions
Inside the IPsec/MPLS PE Router

(Figure: IOS router with IPsec/GRE interfaces, IPsec crypto maps, GRE tunnel interfaces tied to VRFs, global routing table and MPLS interface)
Decrypted IPsec packets enter the GRE tunnel interface.
GRE tunnel interfaces are associated directly with VRFs. Clear text packets bypass the global routing table and are directly forwarded to the VRF.
MPLS wrapped clear-text packets forward to MPLS VPNs.

Ability to have overlapping IP addresses
Limitation: no IPsec Client support because this requires GRE

IPsec to MPLS Service Architecture

Cisco IOS Solution 12.2(6th)T
Based on the IKE authentication, the IPsec tunnel is directly associated with the VRF.
The AAA server that is used in the IPsec/IKE authentication will inform the IOS router what the right VRF ID for this tunnel is.
Decrypted clear-text packets get forwarded directly to the right VRF, thus bypassing the global routing table.

(Figure: inside the IPsec/MPLS PE router: IPsec interface and crypto map, global routing table, VRF-1, VRF-2 and MPLS interface; MPLS wrapped clear-text packets forward to MPLS VPNs)

No limitations!!! Works for both site-to-site and client-to-concentrator type IPsec tunnels. Per-VRF AAA supported.

Managed VPN Summary

The Cisco IOS IPsec VPN implementation offers several solutions that have been designed with different customer scenarios in mind.
Some of the solutions target simplicity (Easy VPN), whereas others try to offer comprehensive functionality (Dynamic Multipoint VPN).
Our intention is to continue developing follow-up releases for each of the solutions with added functionality.


Managing PIX, IDS and VPN routers

VMS Components (Enterprise solution)
CiscoSecure Policy Manager 3.0 (CSPM): PIX, IDS configuration
VPN Monitor: IOS & VPN C3000
RME / CD Two: device inventory, config & software admin
CiscoView & CiscoWorks2000 Server (CD One): graphical web-based device management and common services
IDS Host Sensor (new): includes console and evaluation agents

(Figure: VMS managing PIX, Intrusion Detection Sensor and VPN routers 7100, 7200, 1700, 2600, 3600 and C3000 across the Internet and an IP-VPN, site to site and remote access, partners/customers)

VMS 2.1 Developments

Management Centers for PIX, IDS and VPN routers
Web-based application
Setup and maintain large-scale VPN connections
Hub-and-spoke topology
Spoke-to-spoke connectivity via hub
Support of second hub for resilience
Centralized configuration of IKE and IPsec tunnel policies
Translation of VPN policy into CLI commands

Support for Cat6500 blades will follow

Auto Update Server

- Introduces a new push/pull paradigm for remote management of Cisco PIX Firewalls
- Works in conjunction with PIX MC
- Flexible, secure remote management interface
  - Supports both configuration and software updates
  - Scalable push/pull model for updating
  - Lightweight XML over HTTPS implementation
  - All management traffic authenticated and encrypted

77

HTTPS-Based CLI Access

- The HTTPS server interface on the PIX requires user ID / password authentication
  - The authentication database can be stored locally on the PIX or on an AAA (RADIUS/TACACS+) server
- Examples of HTTPS GET commands:
  - https://user:password@192.168.1.1/exec/show%20ver
    Returns the "show ver" output in the HTTPS response
  - https://user:password@192.168.1.1/exec/show%20config
    Returns the "show config" output in the HTTPS response
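The two GET examples above, as an added example (not Cisco's code): a small Python client that builds the /exec/<command> URL and sends the same user ID / password as an HTTP Basic Authorization header instead of in the URL, where it would otherwise end up in proxy logs and shell history. The host, the credentials and the CA file used to verify the PIX server certificate are assumed placeholders.

```python
import base64
import ssl
import urllib.parse
import urllib.request

# Added example, not Cisco code: the PIX exec URL from the slide, with the
# credentials moved from the URL userinfo into an Authorization header.

def pix_exec_url(host: str, command: str) -> str:
    """Return https://<host>/exec/<percent-encoded command> for one exec command."""
    # quote() with safe="" turns "show ver" into "show%20ver", as on the slide.
    return f"https://{host}/exec/{urllib.parse.quote(command, safe='')}"


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials, equivalent to the user:password@ prefix in the URL."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def strip_userinfo(url: str):
    """Split a slide-style user:password@host URL into (clean_url, user, password).

    Credentials embedded in the URL are written to proxy logs, shell history and
    browser history, so management scripts should carry them in the header instead.
    """
    p = urllib.parse.urlsplit(url)
    if p.scheme != "https":
        raise ValueError("PIX management must use HTTPS, got %r" % p.scheme)
    netloc = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    clean = urllib.parse.urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))
    return clean, p.username, p.password


def fetch_show_output(host, command, user, password, cafile, timeout=10):
    """Run one exec command over HTTPS and return the response body as text.

    cafile (assumed) is the CA that signed the PIX HTTPS server certificate; the
    default SSL context verifies both the certificate chain and the hostname.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(pix_exec_url(host, command))
    req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")
```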


78

Auto Update Overview

- Security overview
  - All management traffic encrypted using SSL (3DES/DES)
  - PIX authenticated using either user ID/password or an X.509 certificate
  - Auto Update Server optionally authenticated via X.509 certificate
- Envisioned as a pull-based solution for scalability
  - PIX automatically polls the Auto Update Server on a regular basis:
    - at power-up of the PIX Firewall
    - at an administrator-defined interval
    - upon change of the outside interface IP address
  - The Auto Update Server can send a message to the PIX and force a pull at any time (push)

79

MSSP Management Solutions

Operational Support Systems (OSS) expectations:
- Speed and volume of service provisioning
- SLA conformance
- Accounting and billing accuracy
- Firewall management
- Intrusion detection management
- Security event analysis
- Operations responsiveness
- Speed of integrating new products
- Support for Business Support Systems
- Lower TCO

[Chart: network equipment 62% vs. operations 38%; operation expenses occupy ~40% of the TCO of a service provider]

Source: The Yankee Group

80

MSSP Management Product Overview

[Diagram: the MSSP management products arranged by ITU TMN layer]
- BML (business management): SP IP VPN OSS: third-party BSS/security apps and solutions, SP customer legacy apps
- SML (service management): pre-integrated apps for an enhanced OSS
  - Fault management: CIC
  - Performance management / SLA: Concord, Visual Networks
  - Security management / FW management: Solsoft NP
  - Security event analysis and reporting: NetForensics
  - Billing / portal: Digiquant
  - CORBA API down to the network management layer
- NML (network management): Cisco VPN Solutions Center (IP VPN OSS in a box, SP starter kit)
  - IPsec/MPLS VPN service provisioning
  - IOS/PIX firewall provisioning
  - VPN usage measurement and reporting
  - IPsec/MPLS VPN service auditing
  - VPN SLA measurement and reporting
  - IPsec/MPLS VPN QoS configuration
- EML (element management): CSPM (IDS management, PIX/IOS FW, VPN5K); embedded device configuration
- EL (element layer): VPN3K, IOS router, IDS, non-Cisco (FW, VPN, PKI)

81

VPNM = IP-VPN Network Management Solution

Value Proposition
VPNM is Cisco's out-of-the-box, pre-integrated, pre-tested, fully automated, carrier-grade Internet OSS solution that enables Service Providers to efficiently and economically manage the deployment of IP VPN services and monitor their continuous, fault-free / fault-recovered performance.

82

VPN Management

Cisco VPN Solution Center: IP VPN OSS-in-a-box, MSSP starter kit
- Carrier-class IP VPN OSS
- Widely deployed (~100 SPs worldwide)
- Supports the fastest growing VPN technologies: IPSec, MPLS or both!, L2oMPLS
- Management support for every Cisco security VPN platform: VPN3K, PIX, IOS + broadband platforms
- Multi-tiered non-recurring licensing model
- Multi-vendor management support planned

[Diagram: VPN Solution Center functions: topology views, VPN views and inventory, provisioning, service auditing, performance monitoring and reporting]

83

Fault Management

Cisco Information Center (CIC)
- Event consolidation and data reduction
- Service views and event correlation across diverse technologies and vendors
- Faster problem resolution
- Service-level (SLA) orientation
  - Compliance with defined customer SLAs
- Real-time reporting for NOC and customer
  - Web-based, canned and configurable

[Diagram: CIC with SLA reports and a custom GUI]

84

VPNM Version 1.2

[Diagram: VPNM 1.2 architecture. The Cisco VPN Policy Manager (IPsec policy and MPLS policy, IPsec cache and MPLS cache, IPsec API and MPLS API) connects through a CORBA Bridge to the VPN Solution Center repository (VPN inventory) and, via an Event Broker and Data Source Adaptor, to the CIC Info Server that provides the VPN views. Events are tagged for VPN correlation. CIC Info Mediators (RTTRAPD, MTTRAPD, Tibco rdv) feed the Info Server from the VPNSC Tibco bus and from the network; C-NOTE performs keep-alive node polling. The Cisco router network (IPsec CPE, MPLS PE and CE) sends SNMP traps and IOS syslog messages.]

SNMP traps
- MPLS VPN MIB
- IPsec Flow Monitor MIB
- MIB II
- ALTIGA-Hardware-Stats MIB
- SEP-Stats MIB
IOS syslog messages
- Managed MPLS CE interfaces and sub-interfaces
- CRYPTO

85

New Features in VPNM 1.2

- Integration of C-NOTE
  - Provides IOS syslog / SNMP mediation
  - Triggers keep-alive node polling
- Service assurance capabilities (IPsec and MPLS VPN):
  - Automated monitoring of IPsec SNMP traps for IKE and data tunnels between IPsec-compliant CE/CPE (IOS and VPN 3K) devices, as defined in the IPsec Flow Monitor MIB
  - Automated monitoring of CRYPTO IOS syslog messages for encryption fault detection at IPsec-compliant CE/CPE devices
  - Automated monitoring of SNMP traps for link status on the secured interface of IPsec-compliant CE/CPE devices, as defined in MIB II
  - Automated monitoring of MPLS VPN SNMP traps for PE routers, as defined in the MPLS VPN MIB
  - Keep-alive node polling for MPLS PE, managed MPLS CE, and IPsec CE/CPE
  - LinkStateChange fault for managed MPLS CE and IPsec CE/CPE
  - VPN-aware fault and alarm management for events at the sub-interface level (e.g., Frame Relay PVC, ATM VCI/VPI)
  - VPNSC audit failure integration (Tibco bus processing of VPNSC published events)
  - SA Agent as a VPN site poller and for VPN SLA monitoring
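The CRYPTO syslog and link-status monitoring listed above, as an added example (not VPNM or C-NOTE code): a Python mediator that parses IOS-style syslog lines, keeps CRYPTO messages and LinkStateChange messages on managed interfaces and sub-interfaces, and tags each event with the customer VPN from a constructed inventory so a correlation engine such as CIC could work on it. The device names, interfaces, inventory and sample lines are all constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory (not real data): device -> VPN and its managed (sub)interfaces.
INVENTORY = {
    "ce-london-1": {"vpn": "CustomerA", "ifaces": {"Serial0/0", "Serial0/0.16"}},
    "cpe-paris-2": {"vpn": "CustomerB", "ifaces": {"Ethernet0"}},
}
# IOS message format: "<device> ... %FACILITY-SEVERITY-MNEMONIC: text"
SYSLOG_RE = re.compile(r"^(?P<device>\S+)\s.*?%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+):\s*(?P<text>.*)$")
IFACE_RE = re.compile(r"Interface (\S+), changed state to (\w+)")

@dataclass
class VpnEvent:
    device: str
    vpn: str
    kind: str                 # "crypto" (encryption fault) or "link" (LinkStateChange)
    severity: int
    mnemonic: str
    iface: Optional[str] = None
    state: Optional[str] = None

def mediate(line: str) -> Optional[VpnEvent]:
    """Turn one syslog line into a VPN-tagged event, or None if it is not a VPN fault."""
    m = SYSLOG_RE.match(line)
    if not m or m["device"] not in INVENTORY:
        return None                       # unparsable line or unmanaged device
    dev = INVENTORY[m["device"]]
    if m["fac"] == "CRYPTO":              # any CRYPTO message counts as an encryption fault
        return VpnEvent(m["device"], dev["vpn"], "crypto", int(m["sev"]), m["mn"])
    if m["fac"] in ("LINK", "LINEPROTO"):
        i = IFACE_RE.search(m["text"])
        if i and i[1] in dev["ifaces"]:   # only managed interfaces and sub-interfaces
            return VpnEvent(m["device"], dev["vpn"], "link", int(m["sev"]), m["mn"], i[1], i[2])
    return None                           # other facilities are not VPN faults

def mediate_all(lines: List[str]) -> List[VpnEvent]:
    return [e for e in map(mediate, lines) if e is not None]

# Constructed sample feed: IOS-style message names with invented text.
SAMPLE = [
    "ce-london-1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi",
    "ce-london-1 %LINK-3-UPDOWN: Interface Serial0/0.16, changed state to down",
    "ce-london-1 %LINK-3-UPDOWN: Interface Ethernet1, changed state to down",
    "pe-core-1 %SYS-5-CONFIG_I: Configured from console by vty0",
    "cpe-paris-2 %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up",
]
```

Running mediate_all(SAMPLE) yields three events: the CRYPTO fault and the managed sub-interface going down on ce-london-1, and Ethernet0 coming up on cpe-paris-2; the unmanaged Ethernet1 and the pe-core-1 SYS message are dropped.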


86

Firewall Management

Firewall Management Center under VMS, or
SolSoft NP: Visual Security Policy Management Solution
- Simplifies the deployment and policy management of switches, routers, firewalls, and VPNs
- Policy import, design, audit, generation and distribution
- High scalability: up to thousands of devices in release X.0 (Q4 2001)
- Multi-product (switches, routers, firewalls, VPN)
- Multi-vendor (Check Point, Cisco, Nokia, Nortel)
- Multi-platform (AIX, HP-UX, Linux, Solaris, Windows)

"If you can draw it, you can deploy it"


87

IDS Management

Intrusion Detection Management
[Diagram: the ISP NOC performs monitoring and event analysis and IDS configuration across the ISP network for the customer network]

VMS - IDS
- Security monitoring and event analysis: FW, IDS, ACL
  - Collects security event data
  - Correlation of data from multiple events and devices
  - Reveals the more urgent threats from thousands of events
- Uniform and consistent configuration
  - Configuration wizards
  - Define, distribute, enforce and audit policy
  - Sensor and Cat line card
- Real-time event notification
- Update signatures
- Forensic analysis
- New installation configurations
- GUI-based IDS provisioning
- Policy rollback
- Reduces the staff, expertise and cost required to staff and scale a SOC
88

Event Analysis

Security Event Analysis
- Aggregate log data and alerts from firewalls, IDS, VPNs, etc.
- Process/correlate data from thousands of events
- Quickly root out actual, urgent threats
  - Faster true attack identification
  - Reduce false positives
- Scalability (number of customers/devices)
- Maintain quality and cost of operation

Partners / Product: NetForensics

89

SLA Management

Concord eHealth Suite
- End-to-end fault, performance and availability
- Pre-integration: faster time-to-market
- Routers and switches, VPN concentrators, gateways, firewalls and more
- Supports over 60 Cisco devices
- Service differentiation
  - SLA reports by VPN, customer, or Class of Service (CoS)
  - Proactive SLA violation notification
  - Reduce paybacks, irate customers

[Diagram: "The Cube", the ITU TMN model: Fault, Configuration, Accounting, Performance and Security management across the Business, Service, Network and Element Management layers and the Elements, for xDSL, IP-VPN and Dial/PPP solutions; Cisco elements: VPNSC, CIC, WAN Manager, NetFlow, Service Assurance Agent]

90

Billing and Reporting

Billing
- State-of-the-art billing systems
- Future services (VoIP, video, etc.)
- Measure, analyze and gain maximum revenue
- Low operating costs
- Fast and reliable

Reporting
- Web-based interface for viewing reports
- Push and/or pull reports via web
- Charting, graphing, color coding, etc.
- PIX, IOS FW, Cisco IDS, Entercept host IDS, VPN 3000 Concentrator, Cisco ACLs, Windows event agent

91


MSSP Programs

AVVID Partner Program: Security and VPN Solutions
- Product and Technology Partners
  - Complementary, interoperable enterprise products
- Services Partners
  - Best-in-class, security-focused, tier-3 service providers
  - Monitoring and management: alarm and incident tracking and network-wide device administration

Cisco Powered Networks: Managed Security Services
- Management and monitoring services based on Cisco's VPN, FW, IDS
- Complements the CPN VPN Services designation; typically tier-1 and tier-2 service providers

93

MSSP Programs

JumpStart Program for CPNs
- Assist SPs to define and launch new services
  - On-line information and planning toolkit (JOLT)
  - Consultant support
  - Proven methodology
  - Accelerate time-to-market
- Joint marketing program planning and execution for revenue generation
  - Lead generation
- Sales training
- New Managed VPN and Security Support program

Current programs: Dedicated Internet Access, DSL, IP Fax, Remote Access, Dedicated VPN, Web Hosting, Voice over IP, Unified Communications, Cable, Broadband Wireless Access, ASP/AIP

94

MSSP Programs

Cisco Programs Impact MSSP Sales
- Trust and credibility via Cisco brand association
  - Assurance of quality services
  - Assurance of quality products
  - Impact of Cisco SAFE and AVVID marketing
- Introduction to the Cisco customer base
  - Designed to direct Cisco customers to MSSP Partners
  - Co-marketing resources
  - Participation in industry-leading marketing and seminar programs

95

Agenda

The Managed Security Services market
Managed firewall services
Managed intrusion detection services
Managed VPN services
Management
Cisco initiatives
More Information

96

References (Cisco - public)

- Product Security:
  - Cisco's Product Vulnerabilities; a page that every engineer MUST know!!!
    [http://www.cisco.com/warp/public/707/advisory.html]
  - Security Reference Information: various white papers on DoS attacks and how to defeat them
    [http://www.cisco.com/warp/public/707/ref.html]
- ISP Essentials: technical tips for ISPs that every ISP should know
  [http://www.cisco.com/public/cons/isp/]
- SAFE Blueprint: the SAFE Blueprint is a flexible, dynamic blueprint for security and VPN networks, including actual network designs
  [http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html]

97

Security Vulnerability Management in Cisco

Overview: http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Reporting Security Problems:
- security-alert@cisco.com (emergencies) or Tel +1 877 228 7302 or +1 408 525 6532
- psirt@cisco.com (non-emergencies)

Keeping Informed:
- www.cisco.com/warp/public/770: Field Notices concerning security
- cust-security-announce@cisco.com: to receive announcements (subscribe: send mail to "majordomo@cisco.com" with the single line "subscribe cust-security-announce" in the body)
- cust-security-discuss@cisco.com: to discuss security-related problems with other customers (subscribe as above)

98
