Service Providers
Georgina Schaefer
georgina@cisco.com
Agenda
Service Providers
Difficult to demonstrate quantifiable ROI
Difficult to provide an SLA
SPs are familiar with SLAs, but security SLAs are only just being introduced
MSS Offerings
Access Security
Service Management
Managed Firewall
Remote Access
Security Consultancy
Consulting
IP VPNs
Business Continuity
Service Level
Agreements
Intrusion Detection/Prevention
Public Key Infrastructure
Managed Firewall
Most basic service and network security measure
Management and monitoring services vary considerably
Installation and configuration (based on policy given by customer)
Status and performance monitoring
Real-time analysis
Incident response procedures
Periodic reports
Enterprise threats (diagram): Internal Network, DMZ network and External Network (the external network may be home to attackers).
DMZ network: no outgoing connections; provides a safe meeting ground for internal and external users. Hosts DNS (private), mail servers (private), web content (public).
PIX deployment (diagram): Telecommuter/Day Extender, Branch/Retail, Regional Office, Small Division, Server Farm and Internet Service Provider sites, covered by the PIX 501, 506, 515, 525 and 535.
Same OS regardless of platform
Common features and Mgt.
Model             501            506E       515E-UR    525-UR      535-UR
Market            SOHO           ROBO       SMB        Enterprise  Ent. + SP
MSRP              $595 or $1195  $1,695     $7,995     $18,495     $59,000
Licensed Users    10 or 50       Unlimited  Unlimited  Unlimited   Unlimited
(row label lost)  (not given)    25         2,000*     2,000*      2,000*
Cleartext (Mbps)  10             20         188        360         1.7 Gbps
3DES (Mbps)       (not given)    16         63*        70*         95*
GigE Enabled
* Using an integrated VPN Accelerator Card (VAC)
2001, Cisco Systems, Inc. All rights reserved.
Data center layers (diagram): Security Layer (PIX Firewalls, dedicated), Core Layer (Catalyst 6500), Distribution/Aggregation Layer and Access Layer (Catalyst 2900, 3500, 4000, 5500, 6500) serving Cust. A, Cust. B and Cust. C.
Dedicated Servers, Shared Servers, and Unmanaged Customer Cages for Collocation services.
Dedicated firewalls
Policies are specific to the customers and/or servers
ACLs may limit the effect of an attack, so that an attack on one set of servers does not affect ALL customers
New Hardware
Cat6500 Firewall Services Module
Industry's leading firewall performance!
Fabric Enabled
Available now
MPLS-VPN Virtual Firewall (diagram): Branch Offices and Head Office connected over the MPLS-VPN; the VRF advertises a default route to the VPN, so VPN traffic to the INTERNET passes through the VPN Firewall; the Head Office has its own firewall.
MPLS VPN shared services (diagram): VPN A sites in London, Amsterdam, Paris and Bruxelles (each with a CE) share an Internet Gateway, Hosted Content, a Video Server and an H.323 Gatekeeper; VPN-B CEs reach the same shared services.
Business drivers
MPLS VPN Global Services
Enables a Service Provider to offer a set of Shared Services to their customers across VPNs
Issue today:
- Overlapping private addresses
Intrusion Detection/Prevention
80% of recent attacks have been performed over port 80
In-depth examination of traffic is required to identify attacks within legal traffic on both the network and the critical hosts
IDS services require powerful and complex management (updates, tuning), monitoring and response procedures
Needs 24x7 service operation - requires an automated system
2. Signalling: e.g. ICMP, management protocols
3. Flooding: TCP SYN flood, UDP, ICMP, other IP protocols
Customer call
SNMP: line/CPU overload, drops
Netflow: counting flows
Access Lists with logging
Sniffers
Dedicated detection devices.
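The "Netflow: counting flows" method above can be made concrete: a SYN flood shows up as a large number of single-packet SYN-only flows toward one destination, usually from many distinct (spoofed) sources. This is an added example, not part of the presentation; the flow records are constructed and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, proto, dst_port, tcp_flags, packets).
# tcp_flags uses the TCP bit values: SYN = 0x02, ACK = 0x10.
FLOWS = [
    ("10.1.1.5", "192.0.2.10", 6, 80, 0x12, 40),    # normal established web flow
    ("10.1.1.7", "192.0.2.10", 6, 443, 0x12, 120),  # normal established web flow
] + [
    # flood: many distinct (spoofed) sources, one SYN packet each, to one victim
    (f"203.0.113.{i % 250 + 1}", "192.0.2.10", 6, 80, 0x02, 1) for i in range(500)
]

def flow_counts(flows):
    """Per destination: total flows, single-packet SYN-only flows, distinct sources."""
    total = defaultdict(int)
    syn_only = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, proto, _port, flags, pkts in flows:
        total[dst] += 1
        sources[dst].add(src)
        if proto == 6 and flags == 0x02 and pkts == 1:
            syn_only[dst] += 1
    return total, syn_only, sources

def detect_syn_flood(flows, min_flows=100, syn_ratio=0.8):
    """Return destinations whose flow count is high and dominated by SYN-only flows.
    min_flows and syn_ratio are assumed thresholds; tune them to the link's baseline."""
    total, syn_only, sources = flow_counts(flows)
    victims = {}
    for dst, n in total.items():
        if n >= min_flows and syn_only[dst] / n >= syn_ratio:
            victims[dst] = {
                "flows": n,
                "syn_only": syn_only[dst],
                # a high distinct-source count hints at spoofed sources
                "distinct_sources": len(sources[dst]),
            }
    return victims

if __name__ == "__main__":
    for dst, info in detect_syn_flood(FLOWS).items():
        print(f"possible SYN flood toward {dst}: {info}")
```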
Spoofed:
Netflow: trivial if mechanisms are installed
Manually: router by router
No additional impact on network
Recommended
Careful! CPU impact!!
Input i/f and MAC address of upstream router
Source-address check against the FIB (diagrams; a packet with source S and destination D arrives on i/f 1 of a router with i/f 1, i/f 2, i/f 3):
Case 1: FIB says S -> i/f 1. Same i/f: Forward.
Case 2: FIB says S -> i/f 2. Other i/f: Drop.
Case 3: FIB says S -> i/f x. Any i/f: Forward.
Case 4: S is not in the FIB, or the route points to null0. Not in FIB or route -> null0: Drop.
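The four cases above are the strict variant (cases 1 and 2: the return route must point at the input interface) and the loose variant (cases 3 and 4: any route is enough, but no route or a null0 route is dropped) of the source check against the FIB, i.e. unicast RPF. As an added example that is not part of the presentation, this Python script implements both decisions over a constructed FIB; prefixes and interface names are assumptions, and the FIB deliberately has no default route so "not in FIB" stays meaningful.

```python
import ipaddress

# Constructed FIB: prefix -> outgoing interface. None models a route to null0.
FIB = {
    ipaddress.ip_network("10.1.0.0/16"): "i/f 1",
    ipaddress.ip_network("10.2.0.0/16"): "i/f 2",
    ipaddress.ip_network("192.0.2.0/24"): "i/f 3",
    ipaddress.ip_network("198.51.100.0/24"): None,   # route -> null0 (e.g. a bogon)
}

def fib_lookup(addr):
    """Longest-prefix match; returns (prefix, interface) or None when not in the FIB."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def urpf_check(src, input_iface, mode="strict"):
    """Decide 'forward' or 'drop' for a packet with source src arriving on input_iface.
    strict: forward only if the FIB route back to src points at the input interface.
    loose:  forward if src is in the FIB at all, unless the route points to null0."""
    hit = fib_lookup(src)
    if hit is None or hit[1] is None:
        return "drop"                       # case 4: not in FIB, or route -> null0
    if mode == "strict":
        return "forward" if hit[1] == input_iface else "drop"   # cases 1 and 2
    if mode == "loose":
        return "forward"                    # case 3: any i/f
    raise ValueError("mode must be 'strict' or 'loose'")

if __name__ == "__main__":
    for src, iface, mode in [("10.1.5.5", "i/f 1", "strict"), ("10.2.5.5", "i/f 1", "strict"),
                             ("10.2.5.5", "i/f 1", "loose"), ("203.0.113.9", "i/f 1", "loose")]:
        print(f"{mode:6} src={src:12} in={iface}: {urpf_check(src, iface, mode)}")
```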
Scheduler allocate
Schedules CPU time spent on processes versus packet handling
Syntax: scheduler allocate <interrupt> <processes>
<interrupt>: 3000-60000 microseconds handling network interrupts
<processes>: 1000-8000 microseconds running processes
Example: router(config)#scheduler allocate 8000 8000
IDS Portfolio (diagram, arranged by Solution Breadth)
Network Sensor: 4210, 4230, 4235, 4250
Switch Sensor: IDSM-1, IDSM-2, IDSM-2-XL
Host Sensor: Standard Sensor, Web Sensor
Router Sensor: 800, 1700, 2600, 3600, 7x00
Firewall Sensor: 501, 506E, 515E, 525, 535
Mgmt: Secure Command Line, Web UI, Embedded Mgr, Enterprise Mgmt (VMS)
Price: $12,500
Availability: May 2002
Switch Sensor
Catalyst 6500 IDS Module
IDSM delivers switch-integrated protection, allowing customers to leverage their network investment by delivering security and switching services in a single box
Key Features
Network-integrated protection
Interfaces directly into switch backplane
Advanced VLAN ACLs to shape/target traffic
Monitors 802.1q and ISL traffic across multiple VLANs
Risk Mitigation scale (Low to Hi)
                    IDSM-1   IDSM-2   IDSM-2-XL
Performance (Mbps)  120      500      1000
Size (RU)           1 slot   1 slot   1 slot
Processor (MHz)     Custom   Custom   Custom
Hardware Assist     Yes      No       Yes
Availability        Today    2H02     2H02
Host Sensor
Industry-leading Host Sensor (Entercept) provides attack prevention against operating systems, applications and critical system resources, providing unique day-zero protection
Key Features
Sophisticated attack protection
OS and application attacks
Buffer Overflow attacks
Web server application attacks
SSL encrypted HTTP attacks
Prevents access to server resources before any unauthorized activity occurs
Risk Mitigation scale (Low to Hi)
Platforms
Standard Server Agent  Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8
Web Server Agent       Win NT 4.0, Windows 2000, Solaris 2.6, 2.7, 8
Host Console*          Win NT 4.0, Windows 2000
Web Applications
Riverhead guard
Detection device: Cisco IDS or Riverhead detector
Once a threat is detected, only the traffic addressed to the attacked host is diverted for treatment. Traffic addressed to other hosts remains undisturbed.
Data diversion:
diverts the victim's traffic transparently to the cleaning device
returns legitimate traffic back to the intended destination
IOS Security
Offers an integrated solution (diagram: IDS, IPsec HW client and FW on the WAN Router)
Cisco IOS WAN Router with integrated IPsec & FW & IDS & Mobile IP & WAN etc.
Managed VPNs
Enterprises outsource VPNs to cut costs!
Shift towards the adoption of Layer 3 VPNs (IP based)
MPLS-VPN is a connectivity service well suited for this application and well adopted by European SPs
Enterprises may ask for IPSec together with MPLS for the following services
Site-to-site confidentiality if they do not accept the level of security provided by MPLS or the service provider
Secure off-net access to extend beyond their MPLS network boundaries
Hub-and-spoke IPsec over the Internet (diagram): Hub with static, known IP addresses (130.233.9.41, 130.233.9.42, 130.233.9.43, 130.233.9.44; default GW 130.233.8.1, 130.233.8.2) in front of the Intranet; Spoke with NTP server 40.40.40.40 on 40.40.40.0 255.255.255.0; = IPsec tunnel.
Hub-and-spoke IPsec with dynamic spokes (diagram): Hub with static, known IP addresses (default GW 130.233.8.1) in front of the Intranet; Spokes with dynamic, unknown IP addresses; NTP server 40.40.40.40 on 40.40.40.0 255.255.255.0; = IPsec tunnel.
TED probes (diagram): Hub (30.30.30.30) with static, known IP addresses (default GW 130.233.8.1); Spokes with dynamic, unknown IP addresses; TED probes exchanged between hub and spokes; NTP server 40.40.40.40 on 40.40.40.0 255.255.255.0; = IPsec tunnel.
TED Example
No need to configure tunnel endpoints
ACLs determine WHICH TRAFFIC to encrypt
Ideal for MPLS VPNs - maintains Any-to-Any nature
Diagram: Alice (gateway A) protects host X, Bob (gateway B) protects host Y. UDP traffic from X must be protected; no SA => send probe. IP: A to B. IKE: A to B (proxy=X). IKE: B to A (proxy=Y).
Static spoke-to-hub tunnels (diagram): Hub 30.30.30.30 with static, known IP addresses (default GW 130.233.8.1) over the Internet; Spokes with dynamic, unknown IP addresses; NTP server 40.40.40.40 on 40.40.40.0 255.255.255.0; = Static spoke-to-hub IPsec tunnels.
Easy VPN (diagram): Single User with PIX501; Home Office and Small Office with a Cisco IOS Router with Unity Client (800 12.2(4)YA, uBR900, 1700) over Cable/DSL; HQ reached across the Internet over a T1; = IPsec tunnel.
Advantages: (not extracted)
Second diagram: Home Office with VPN3002 and IOS Router, Easy VPN.
New Hardware
Cat6500 IPSec VPN Services Module
Deployment scenarios (diagram: Campus 1 and Campus 2; descriptions not extracted):
Campus
WAN Edge
Link-Layer Encryption Replacement
Extranet
Enterprise
Phase 2
7600 OSR, MSFC2/Sup2
Native IOS only, no CatOS support
FE & GE interface blades
Site-to-site (full mesh) IPsec VPN
Hub-and-spoke IPsec VPN
Full mesh with TED IPsec VPN
Phase 3
VRF-aware IPSec
Multi-chassis IPSec stateful failover
32,000 tunnels
NAT transparency
Solution Overview (diagram): Branch Office and SOHO Cisco IOS Routers and Remote Users/Telecommuters (via Local or Direct Dial ISP, Cable/DSL/ISDN ISP) reach the SP Shared Network (MPLS/L2/L3 Based Provider Networks) through PE routers; Access VPN; Solution Center (IPSec and MPLS); Customer A head office and branch office (VPN A), Customer B (VPN B), Customer C (VPN C); Corporate Intranet; IPSec Session carried over IP.
IPsec into MPLS VPNs (diagrams of an IOS Router with a global routing table, VRF-1 and VRF-2, an IPsec int with an IPsec crypto map, and an MPLS int):
Diagram 1: decrypted IPsec packets get forwarded to the global routing table; MPLS-wrapped clear-text packets forward to MPLS VPNs.
Diagram 2: decrypted IPsec packets enter the GRE tunnel interface (IPsec/GRE int in VRF-2); MPLS-wrapped clear-text packets forward to MPLS VPNs.
Diagram 3: IPsec int in VRF-1, MPLS interface in VRF-2; MPLS-wrapped clear-text packets forward to MPLS VPNs.
No limitations!!! Works for both site-to-site and client-to-concentrator type of IPsec tunnels. Per-VRF AAA supported.
Management (diagram): PIX, IDS configuration; VPN Monitor (IOS & VPN C3000); RME/CD Two; CiscoView & CiscoWorks2000 Server (CD One); IDS Host Sensor; Device Inventory, Config & Software Admin; Graphical Web-based Device Management and Common Services; includes console and evaluation agents (New); VMS. Managed devices: PIX, Intrusion Detection Sensor; IP-VPN Site to Site, Remote Access, Partners / Customers over the Internet.
TCO split (chart): Network Equipment 62%, Operations 38%.
Operation Expenses occupy ~40% of the TCO of a Service Provider
SP IP VPN OSS (layered diagram):
SML - Third Party BSS/Security Apps and Solutions, pre-integrated apps for an enhanced OSS: SP Customer Legacy Apps; Fault Mgmt (CIC); Perf Mgmt / SLA (Concord, Visual Net.); Security Mgmt: FW Mgmt (Solsoft NP), Security Event Analysis & Reporting (NetForensics); Billing / Portal (Digiquant)
CORBA API
NML - Cisco VPN Solutions Center: IP VPN OSS in a box, SP starter kit, IOS/PIX firewall provisioning, VPN Usage Measurement & reporting, VPN SLA measurement & reporting, IPsec/MPLS VPN QoS configuration
EML - CSPM, IDS Mgt
EL - PIX/IOS FW, VPN5K, VPN3K, IOS router, IDS, Non-Cisco (FW, VPN, PKI)
VPN Management
Topology Views
Service Auditing
VPN Views & Inventory
Performance Monitoring & Reporting
Fault Management
SLA Reports
Custom GUI
VPN Solutions Center architecture (diagram): Cisco VPN Policy Manager with IPsec Policy and MPLS Policy, IPsec cache and MPLS cache, Repository (VPN Inventory), CORBA Bridge, Event Broker, VPN views; managed IPsec CPE and MPLS PE,CE; C-NOTE with Keep Alive Node Polling, SNMP Traps and IOS Syslog Messages from the Cisco Routers in the Network.
SNMP Traps
- MPLS VPN MIB
- IPsec Flow Monitor MIB
- MIB II
- ALTIGA-Hardware-Stats MIB
- SEP-Stats MIB
IOS Syslog Messages
- Managed MPLS CE int and sub-int
- CRYPTO
Automated monitoring of IPsec SNMP traps for IKE and data tunnels between IPsec-compliant CE/CPE (IOS and VPN 3K) devices as defined in the IPsec Flow Monitor MIB
Automated monitoring of CRYPTO IOS syslog messages for encryption fault detection at IPsec-compliant CE/CPE devices
Automated monitoring of SNMP traps for link status on the secured interface of IPsec-compliant CE/CPE devices as defined in MIB II
Automated monitoring of MPLS VPN SNMP traps for PE routers as defined in the MPLS VPN MIB
Keep-alive node polling for MPLS PE, Managed MPLS CE, and IPsec CE/CPE
LinkStateChange fault for Managed MPLS CE and IPsec CE/CPE
VPN-aware fault & alarm management for events at the subinterface level (e.g., Frame Relay PVC, ATM VCI/VPI)
VPNSC Audit Failure Integration (Tibco bus processing of VPNSC published events)
SA Agent as a VPN Site Poller and for VPN SLA Monitoring
Firewall Management
Firewall Management Center under VMS
or
IDS Management
Intrusion Detection Management (diagram: ISP NOC performing Monitoring & Event Analysis and IDS Configuration across the ISP Network and the Customer Network; VMS - IDS)
Security monitoring and event analysis - FW, IDS, ACL
Collects security event data
Correlation of data from multiple events and devices
Reveals more urgent threats from thousands of events
Update signatures
Forensic analysis
Policy rollback
Event Analysis
Security Event Analysis
Partners: Product: NetForensics
SLA Management
Concord eHealth Suite
The Cube (diagram): management functions Faults, Configuration, Accounting, Performance and Security, across the layers Business Management, Service Management, Network Management, Element Management and Elements, for technologies such as xDSL.
Reporting
Web-based interface for viewing reports
Push and/or pull reports via web
Charting, graphing, color coding, etc.
PIX, IOS FW, Cisco IDS, Entercept host IDS, VPN 3000 Concentrator, Cisco ACLs, Windows event agent
MSSP Programs
AVVID Partner Program
Security and VPN Solutions
Product and Technology Partners
Services Partners
Monitoring and Management: alarm & incident tracking and network-wide device administration
MSSP Programs
JumpStart Program for CPNs
Assist SPs to define & launch new services
On-line information & planning toolkit (JOLT)
Consultant support
Proven methodology
Accelerate time-to-market
Current Programs
Dedicated Internet Access, DSL,
IP Fax, Remote Access,
Dedicated VPN, Web Hosting,
Voice Over IP, Unified
Communications, Cable,
Broadband Wireless Access,
ASP/AIP
Sales Training
MSSP Programs
Cisco Programs Impact MSSP Sales
Trust & credibility via Cisco brand association
Assurance of quality services
Assurance of quality products
Impact of Cisco SAFE and AVVID marketing
More Information
Keeping Informed:
www.cisco.com/warp/public/770: Field Notices concerning security
cust-security-announce@cisco.com: to receive announcements (subscribe: send mail to "majordomo@cisco.com" with the single line "subscribe cust-security-announce" in the body)
cust-security-discuss@cisco.com: to discuss security-related problems with other customers (subscribe as above)