Network - Da boogie crew

“Security in the SME”
LAN, WAN & Remote Access
Peter Saenen
Cisco Systems
VOI Day
© 2004, Cisco Systems, Inc. All rights reserved.
Recent challenges
Speed of Internet attacks
Do You Have Time To React?
1980s-1990s: usually had weeks or months to put a defense in place.
2000-2002: attacks progressed over hours; time to assess danger and impact, time to implement a defense.
2003-Future: attacks progress on a timeline of seconds.
SQL Slammer Worm: doubled every 8.5 seconds; after 3 min: 55M scans/sec; a 1 Gb link is saturated after one minute.
SQL Slammer was a warning. Newer “Flash” worms are exponentially faster.
In 1/2 the time it took to read this slide, your network and all of your applications would have become unreachable.
Example – The Sapphire Worm, aka “Slammer”
• Infections doubled every 8.5 seconds
• Infected 75,000 hosts in first 11 minutes
• Caused network outages, cancelled airline flights and ATM failures
[Chart: infected hosts against minutes after release; at peak, scanned 55 million hosts per second]
An open network is required
Increased partnering, acquisitions, customer service, contractors, visitors, …
[Diagram: the increased requirement for customer/partner/supplier/contractor access creates an increased opportunity to exploit the “swiss cheese” perimeter policy around corporate resources]
• Customers with an aggressive Internet business stance view perimeter security as less relevant as the access policy becomes more open.
• The perimeter is evolving from a simple perimeter, to a layered perimeter, to ubiquitous embedded security.
• More interior security hardening/fortification is required.
Mobility of our systems
Where has your PC been?
[Diagram: HQ, WAN, branches, teleworker, airports, hotels, WLAN hotspots etc.]
• Example – The Sapphire Worm or “Slammer”
Disabled networks and applications through brute-force DDoS
Caused network outages, cancelled flights and ATM failures
Even the most effective perimeter defense won’t stop “piggyback” infections
Cisco’s security strategy
• Create Integrated and Secure Intelligent Networks with Auto-Response Capabilities (AKA Self-Defending Network) to improve reaction times and reduce windows of vulnerability
• This requires:
A presence on the endpoint as well as the network
Security features in the network infrastructure
Complementary anomaly-based (coarse-grained) and signature-based (fine-grained) detection methods
A proper Trust and Identity Infrastructure
Cisco’s Self Defending Network
Integrating the Endpoints with the Network
[Diagram: intelligent linkage of endpoint with network. End-system-based security: personal FW, AV, HIDS, VPN, SSL VPN, behavior/anomaly, IPS/FW. Identity and trust: ID/Trust. Network-based security: FW, FW + VPN, APP FW, IDS, AD IDS, IPS, DDoS, VPN.]
• Endpoint security solutions know security context and posture
• Policy servers know compliance and access rules
• Network infrastructure provides enforcement mechanisms
A good security policy
• List out each risk and analyze how often the potential loss is likely to occur per year
• Play out sample scenarios
• Find your optimal risk/cost value
• Involve the decision maker and confront them with the risk vs. cost solution
Cost of Precaution < Probability of Loss * Likely amount of Loss
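The four steps and the rule on this slide can be turned into a small, repeatable calculation. The following is an added example, not part of the original presentation: every risk, cost and reduction factor in it is a constructed figure for an SME network, and the "reduction" (the fraction of the expected loss a precaution prevents) is an assumption the slide does not state.

```python
# Added example (not from the slides): the slide's four steps and its rule
# "Cost of Precaution < Probability of Loss * Likely amount of Loss" as code.
# All risks, costs and reduction factors below are constructed figures.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    loss_events_per_year: float   # how often the potential loss is likely to occur per year
    likely_loss: float            # likely amount of loss per event (EUR)

    def annual_loss_expectancy(self) -> float:
        """Probability of loss per year * likely amount of loss (the slide's right-hand side)."""
        return self.loss_events_per_year * self.likely_loss


@dataclass(frozen=True)
class Precaution:
    name: str
    annual_cost: float     # yearly cost of the countermeasure (EUR)
    reduction: float       # fraction of the expected loss it prevents, 0..1 (assumed figure)


def precaution_justified(risk: Risk, p: Precaution) -> bool:
    """The slide's rule, applied to the part of the loss the precaution actually prevents."""
    return p.annual_cost < risk.annual_loss_expectancy() * p.reduction


def total_annual_cost(risk: Risk, p: Optional[Precaution]) -> float:
    """Money spent on the precaution plus the expected loss that still gets through."""
    ale = risk.annual_loss_expectancy()
    if p is None:                       # "do nothing": carry the full expected loss
        return ale
    return p.annual_cost + ale * (1.0 - p.reduction)


def play_out_scenarios(risk: Risk, options: List[Precaution]) -> Dict[str, float]:
    """'Play out sample scenarios': total annual cost for doing nothing and for each option."""
    table = {"do nothing": total_annual_cost(risk, None)}
    for p in options:
        table[p.name] = total_annual_cost(risk, p)
    return table


def optimal_precaution(risk: Risk, options: List[Precaution]) -> Optional[Precaution]:
    """'Find your optimal risk/cost value': the choice with the lowest total annual cost.
    None means the cheapest choice is to accept the risk."""
    candidates: List[Optional[Precaution]] = [None, *options]
    return min(candidates, key=lambda p: total_annual_cost(risk, p))


# Constructed sample risks and precautions for an SME network.
WORM = Risk("worm outbreak on the LAN", loss_events_per_year=2.0, likely_loss=15_000.0)
THEFT = Risk("laptop with customer data stolen", loss_events_per_year=0.5, likely_loss=4_000.0)
PATCH = Precaution("patch management", annual_cost=8_000.0, reduction=0.80)
NAC_CSA = Precaution("NAC + host agent", annual_cost=25_000.0, reduction=0.95)
ENCRYPT = Precaution("laptop disk encryption", annual_cost=3_000.0, reduction=0.90)

if __name__ == "__main__":
    # What you would put in front of the decision maker: risk vs. cost per choice.
    for risk, options in ((WORM, [PATCH, NAC_CSA]), (THEFT, [ENCRYPT])):
        print(f"{risk.name}: expected loss {risk.annual_loss_expectancy():,.0f}/year")
        for name, cost in play_out_scenarios(risk, options).items():
            print(f"  {name:<24} total {cost:,.0f}/year")
        best = optimal_precaution(risk, options)
        print("  optimal:", best.name if best else "accept the risk")
```

With these figures the NAC option passes the slide's rule for the worm risk (25,000 < 28,500) yet is not the optimal choice, because patch management plus the loss it lets through costs less in total; that distinction between "justified" and "optimal" is the point of the third step.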
A ‘standard’ SME network?
[Diagram: provider, Internet]
Integrity control – Identity & compliance
Who/what is connecting? Can you trust them and the device?
End devices (PC, laptop, telephone, printer, …)
Internal user groups (production, labs, development, testing, …)
External user groups (consultants, customers, partners, …)
Classification based on trust and identity
[Diagram: provider, Internet]
Identity:
So, you said MAC Address?
Windows 2000 & XP allow easy change of MAC addresses.
The MAC address is not an authentication mechanism…
Customer Problems with Host Security
• Viruses and worms continue to disrupt business – downtime, patching, etc.
• Non-compliant servers and desktops are difficult to detect or contain
• Locating, isolating, and repairing infected systems is time- and resource-intensive
• Point technologies preserve host rather than network availability and resiliency
Understanding Trust and Identity
Identity-based Networking: identifies the user or device on the network and ensures access to the correct network resources
Network Access Control: identifies the posture (or compliance) of the device to ensure the device can safely be admitted to the network without undue hazard
How the Trust and Identity System Works
1. Who are you? 802.1x authenticates the user in conjunction with ACS
2. Are you healthy? Using NAC, the end-station and network can check whether the device has the correct virus software and protection.
3. Where can you go? Based on authentication, the user is placed in the correct workgroup or VLAN
4. What service level do you receive? The user can be put into a firewalled VPN or given specific QoS priority on the network
5. What are you doing? Using the identity and location of the user, tracking and accounting can be better managed
Understanding 802.1x
How It Works:
Each person trying to enter the network must receive authorization based on their personal username and password.
[Diagram: client accessing the switch (802.1x supplicant) → TACACS+ or RADIUS server; valid username and valid password → Yes; invalid username or invalid password → No]
Using the Guest VLAN and User Group Segmentation
[Diagram: identity-based 802.1x authentication. Authorized user with valid credentials → Finance network or Marketing network (√); guest user with invalid/no credentials → Guest network → Internet (√); the X marks access that is not granted]
Network Admission Control
Validate security compliance and build trust
[Diagram: client (desktop with Cisco® Trust Agent) attempts connection → authentication and policy check of client → Access Granted (corporate net), Access Denied, or Quarantine (quarantine VLAN) → Remediation]
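The order of the checks on the trust-and-identity, 802.1x, guest-VLAN and NAC slides (identity first, then posture, then placement) is easy to get wrong in a real deployment, so it helps to see it written down. The following is an added example and not Cisco code: the user store, the posture requirements (AV signature date, patch level), the VLAN numbers and the switch port names are all constructed for this example, and a real deployment would hold them in ACS/RADIUS and the NAC policy server. Step 4 (service level / QoS) is left out.

```python
# Added example (not Cisco code): the admission decision from the trust-and-
# identity, 802.1x, guest-VLAN and NAC slides as plain functions.  User store,
# posture policy and VLAN plan are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ACS/RADIUS user store: username -> (password, workgroup).
USER_STORE: Dict[str, Tuple[str, str]] = {
    "alice": ("finance-secret", "finance"),
    "bob": ("marketing-secret", "marketing"),
}

# Constructed VLAN plan: workgroup VLANs, the guest VLAN and the quarantine VLAN.
VLANS = {"finance": 10, "marketing": 20, "guest": 30, "quarantine": 99}

# Constructed NAC posture policy: oldest acceptable AV signature date (yyyymmdd)
# and the minimum patch level a device must report through its trust agent.
MIN_AV_SIGNATURE = 20040701
MIN_PATCH_LEVEL = 5


@dataclass(frozen=True)
class Endpoint:
    username: Optional[str]      # None when the device offers no credentials
    password: Optional[str]
    av_running: bool
    av_signature: int
    patch_level: int
    mac: str = "00:00:5e:00:53:01"   # kept for accounting only: a MAC is not authentication


@dataclass(frozen=True)
class Decision:
    outcome: str     # "granted", "guest" or "quarantine"
    vlan: int
    reason: str


def authenticate(username: Optional[str], password: Optional[str]) -> Optional[str]:
    """Step 1, 'Who are you?': credential check against the user store.
    Returns the user's workgroup, or None for invalid or missing credentials."""
    if username is None or password is None:
        return None
    entry = USER_STORE.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def posture_check(ep: Endpoint) -> Tuple[bool, str]:
    """Step 2, 'Are you healthy?': the NAC compliance check of what the device reports."""
    if not ep.av_running:
        return False, "anti-virus not running"
    if ep.av_signature < MIN_AV_SIGNATURE:
        return False, "anti-virus signatures out of date"
    if ep.patch_level < MIN_PATCH_LEVEL:
        return False, "missing required patches"
    return True, "compliant"


def admit(ep: Endpoint) -> Decision:
    """Steps 1-3: identity first, then posture, then placement in the right VLAN."""
    group = authenticate(ep.username, ep.password)
    if group is None:
        # Invalid or no credentials: guest VLAN, which only reaches the Internet.
        return Decision("guest", VLANS["guest"], "invalid or no credentials")
    healthy, why = posture_check(ep)
    if not healthy:
        # Known user on a non-compliant device: quarantine VLAN for remediation.
        return Decision("quarantine", VLANS["quarantine"], why)
    # Step 3, 'Where can you go?': the user's own workgroup VLAN.
    return Decision("granted", VLANS[group], f"{group} workgroup")


ACCOUNTING: List[Dict[str, object]] = []


def admit_and_record(ep: Endpoint, switch_port: str) -> Decision:
    """Step 5, 'What are you doing?': keep identity, location and decision together for tracking."""
    decision = admit(ep)
    ACCOUNTING.append({"user": ep.username, "mac": ep.mac, "port": switch_port,
                       "vlan": decision.vlan, "outcome": decision.outcome})
    return decision


if __name__ == "__main__":
    # Constructed endpoints: a compliant finance user, a marketing user with stale
    # AV signatures, an unknown user, and a device that offers no credentials at all.
    samples = [
        Endpoint("alice", "finance-secret", True, 20040715, 6),
        Endpoint("bob", "marketing-secret", True, 20040101, 6),
        Endpoint("mallory", "guess", True, 20040715, 6),
        Endpoint(None, None, True, 20040715, 6),
    ]
    for i, ep in enumerate(samples, start=1):
        d = admit_and_record(ep, f"FastEthernet0/{i}")
        print(f"{ep.username or '<none>':<8} -> {d.outcome:<10} VLAN {d.vlan:<3} ({d.reason})")
```

Two design points follow from the slides: the guest VLAN is the answer for anyone the network cannot identify, not a failure mode, and a known user on a non-compliant device lands in quarantine rather than being refused outright, so remediation can reach the machine. The MAC address is carried into the accounting record for tracking but never consulted for the decision.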
Current NAC Program Participants
[Logos: initial sponsors, anti-virus, patch management, client security]
Endpoint control and security: Cisco Security Agent
Protection against new and still unknown attacks
Protection against spyware and adware
Personal firewall & intrusion detection
Provides a solution for patch management
No updates needed
A location-dependent policy
[Diagram: provider, Internet]
Where can we store which data?
Which software may be used, under which conditions
Inventory of which software is installed on the systems
Cisco Secure Connectivity Solutions
Remote Access VPN solutions
Roaming users: browser-based access, any place, any PC (SSL-based VPNs)
VPN3000, IOS router, ASA
Roaming users: PDA support
Roaming users/teleworkers: Cisco IPsec client, Windows embedded client
Teleworker/home worker: low-end PIX and routers
Suitable ISR for any size of branch connection
Flexibility, security and added value

Solution             | Control           | Integrated security                      | Additional services            | (yes/no)
Cisco Security Agent | Dependent on PC   |                                          |                                | no
SSL VPN              | Dependent on PC   | CSD/NAC                                  |                                | yes
IPsec VPN            | Partial / mobile  | FW/ST/NAC & IPsec                        |                                | no
PIX                  | Partial / home PC | FW/IDS & IPsec                           | Voice support                  | yes
Router               | Full              | FW/IPS & anti-virus outbreak prevention  | Voice services, video, content | yes
Integrated security reduces the RISK
[Risk-ometer: Open Network / Easy VPN / DMVPN; danger: high / medium / low. Strongly reduced RISK]
An example of integrated security
Security Services Silos Force Trade-Offs
Complementary Defenses, Limited Deployability
[Diagram of discrete service silos: Firewall Services, IPS Services, Access Control Services, Network AV Services, IPSec/SSL VPN Services]
Capabilities: broad attack detection, packet inspection, granular packet inspection, protocol validation, application control, accurate enforcement, dynamic response, virus mitigation, SSL VPN, spyware/adware/malware detection and control, IPSec VPN, malicious mobile code mitigation, user-based security, group-based management, clustering, robust resiliency
Limited protections against: access breaches, session abuse, port scans, malformed packets, tunneled traffic, application misuse, DoS/hacking, known attacks, infected traffic
Multiple Discrete Services x Multiple Locations = Security Trade-Offs
Cisco ASA 5500 Series
Convergence of Robust, Market-Proven Technologies
[Diagram: market-proven technologies → Adaptive Threat Defense, Secure Connectivity]
Market-proven technologies: Firewall Technology (Cisco PIX), IPS Technology (Cisco IPS), NW-AV Technology (Cisco IPS, AV), VPN Technology (Cisco VPN 3000), Network Intelligence (Cisco Network Services)
Application Security: app inspection, use enforcement, web control
Anti-X Defenses: malware/content defense, anomaly detection
Network Containment & Control: traffic/admission control, proactive response
Secure Connectivity: IPSec & SSL VPN
Cisco ASA Platforms
Key Platform Performance Metrics
(► = value with the Sec Plus license on the ASA 5510)

Feature                             | ASA 5510 (► Sec Plus)          | ASA 5520                    | ASA 5520 VPN Plus           | ASA 5540                    | ASA 5540 VPN Plus           | ASA 5540 VPN Premium
Firewall Throughput (300 / 1400 Byte) | 100 / 300 Mbps               | 200 / 450 Mbps              | 200 / 450 Mbps              | 400 / 650 Mbps              | 400 / 650 Mbps              | 400 / 650 Mbps
VPN Throughput (300 / 1400 Byte)    | 50 / 100 Mbps                  | 100 / 200 Mbps              | 100 / 200 Mbps              | 200 / 360 Mbps              | 200 / 360 Mbps              | 200 / 360 Mbps
IPS Throughput (500 Byte)           | 100 Mbps with SSM-AIP 10       | 200 Mbps with SSM-AIP 20    | 200 Mbps with SSM-AIP 20    | 200 Mbps with SSM-AIP 20    | 200 Mbps with SSM-AIP 20    | 200 Mbps with SSM-AIP 20
Maximum Connections                 | 32,000 ► 64,000                | 130,000                     | 130,000                     | 280,000                     | 280,000                     | 280,000
S2S and IPSec RA VPN Peers          | 50 ► 150                       | 300                         | 750                         | 500                         | 2,000                       | 5,000
SSL VPN Connections                 | Shared                         | Shared                      | Shared                      | Shared                      | Shared, up to 1,250         | Shared, up to 2,500
VPN Clustering / Load Bal.          | No                             | Yes                         | Yes                         | Yes                         | Yes                         | Yes
High Availability                   | None ► A/S                     | A/A and A/S                 | A/A and A/S                 | A/A and A/S                 | A/A and A/S                 | A/A and A/S
Interfaces                          | 3 x 10/100 + OOB ► 5 x 10/100  | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100 | 4 x 10/100/1000, 1 x 10/100
Security Contexts                   | No                             | Up to 10                    | Up to 10                    | Up to 50                    | Up to 50                    | Up to 50
VLANs Supported                     | 0 ► 10                         | 25                          | 25                          | 100                         | 100                         | 100
Comparable PIX Model                | PIX 515E                       | PIX 515E/525                | PIX 515E/525                | PIX 525+                    | PIX 525+                    | PIX 525+
Comparable VPN3K Model              | VPN 3005                       | VPN 3015                    | VPN 3020                    | VPN 3015                    | VPN 3030                    | VPN 3060
Is security really an option?

Security as an Option         | Security as part of a System
Security is an add-on         | Security is built-in
Challenging integration       | Intelligent collaboration
Not cost effective            | Appropriate security
Cannot focus on core priority | Direct focus on core priority
Questions?