Cisco IPS Modules Business Overview

Intrusion Prevention System Modules for Integrated Services Routers
Cisco IPS AIM and IPS NME Overview for Business Decision Maker
Tina Lam, Product Manager, Cisco Systems
C97-494048-00
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Organizational Impacts of Security Threats
Security Threats / Who Sees the Pain
• Distributed Denial of Service; Virus outbreak
  Disruption impacts productivity: CIO Problem
• Random or direct theft; Break-in, espionage
  Loss impacts value: CFO Problem
• Web-site defacement; Customer information leak
  Loss damages customer, shareholder confidence, company reputation: CEO Problem
Reducing the Grey: Uncertainty Equals Risk and Cost
[Diagram: traffic is classified as GOOD: Allow; RELEVANT: Pass and Log; SUSPICIOUS: Pass and Alarm; BAD: Block, shown twice. One panel is labeled "Inefficient; Highly Manual"; the other, labeled "Efficient Operations; Effective Security", appears with the Self-Defending Network. Technology labels: NAC, Traffic Shaping, IPS, Monitoring and Correlation; IPS, Anti-X, DDoS, Firewall.]
Cisco Intrusion Prevention Strategy
Comprehensive Threat Protection for the SDN
[Diagram: Cisco ASA 5500 Adaptive Security Appliance, Cisco Security Agent, Cisco Integrated Services Routers, Cisco IPS 4200 Series, Cisco Catalyst® Services Modules, Cisco Security MARS, and Cisco Security Manager placed across the Internet and intranet, with the labels Endpoint Protection, Branch Protection, Perimeter Protection, Data Center Protection, Server Protection, Monitoring and Correlation, and Solution Management.]
Integrated: Location Matters
• The most diverse line of IPS sensors: the right tool for the right job, anywhere in the network
• IPS integrated into the fabric of the network
• Built on Cisco security and network intelligence
Adaptive: Focused Protection
• Modular inspection engines: respond rapidly with minimal downtime
• On-box and network-wide correlation to provide greater accuracy and confidence
• Behavioral anomaly detection: protect against zero-day attacks
Collaborative: Better Together
• Endpoint and network sensors sharing live network information
• Dynamic risk-based threat rating: adapt threats policy in real time
• Reduced operational costs with a common, solution-based management interface
Intrusion Prevention System (IPS)
Advanced Integration Module and Network Module
Accelerated Threat Control for Cisco® ISR
NME-IPS-K9 (NEW): Cisco 2811, 2821, 2851, 3800
AIM-IPS-K9: Cisco 1841, 2800, 3800
Cisco IOS® Advanced Security or Above: AIM—12.4(15)XY, 12.4(20)T; NME—12.4(20)YA
AIM-IPS: AIM—Up to 45 Mbps
NME-IPS: NME—Up to 75 Mbps
• Enables inline and promiscuous Intrusion Prevention (IPS) (CIPS 6.1)
• Runs same software and enables same features as Cisco IPS 4200
• Performance improvement by hardware acceleration; dedicated CPU and DRAM to offload host CPU
• Device management through Cisco IPS Device Manager (IDM), Cisco Configuration Professional (CCP); network-wide management through Cisco Security Manager (CSM)
• Supported by IPS Manager Express (IME) and CS-MARS on event monitoring and correlation
Incorporates Network Admission Control (NAC) appliance server into Cisco ISRs
• Enforces security policies
  Scans for latest anti-virus software
  Prevents unauthorized access and spread of viruses on the network
  Supports wired, wireless and guest NAC
Integrated
• Provides size and scale ideal for remote offices (<100 users)
• Works with NAC appliances at headquarters in a network system
• Benefits of router integration
  Systems Integration
  Lower Operating Costs
Cisco IPS Product Portfolio
• IPS 4200 Series: Dedicated appliances for high performance, data center, and focused function environments
  IPS 4255, IPS 4270, IPS 4240, IPS 4260
• Cisco Catalyst 6500 Series: Switch Integrated Service Modules for data center and switch integration
  IDSM2, Cisco Catalyst 6500 IDSM2 Bundle
• ASA 5500 Series: Firewall-integrated for comprehensive security and Unified Threat Management
  ASA5540-AIP40, ASA5510-AIP10, ASA5520-AIP20
• ISR Series Routers: Remote Office/Branch services for scalable remote office protection
  Cisco IOS IPS, IPS AIM and IPS NME
[Diagram axis: Performance]
Branch Needs for Self-Defending Network
Trends
Security
• PCI Compliance (Retail); HIPAA (Healthcare); Sarbanes-Oxley/GLBA (Finance)
• Moves protection to the edge before threats enter corporate or SP network
tunnels, contaminated laptops
• Prone to attacks from split tunnels and rogue APs
• Helps to manage unmanaged devices
[Diagram: ISR with IPS AIM or IPS NME; Internet; IPSec Tunnel; Corporate Office. Branch segments: Servers 192.168.3.14-16/24; Employees 192.168.1.x/24; Wireless Guests 192.168.2.x/24. Callouts: "Protect Servers at Branch"; "Protect WAN Link and Upstream Corporate Resources"; "Threat".]
Benefits of Integrated IPS on ISR
[Diagram labels: 42xx IPS Sensor, SMB Network, Corporate Office, MSSP CE Router, AIM IPS, CS-MARS, Internet/SP Network, ISR, Cisco Security Manager, NME IPS, Small Branch, Large Branch]
• Full feature, high performance threat protection in the Branch or SMB network
• Requires no additional footprint, cabling, and power requirements
• Systems integration with data, security and voice features on ISR
• Supports any routed WAN link—transport agnostic: T1/E1, T3/E3, Ethernet, xDSL, MPLS, 3G WWAN
• Provides defense-in-depth to the perimeter of the network: ICSA-certified Cisco IOS Firewall, IPSec and SSL VPN, NAC, URL Filtering
Securing Cisco Unified Communication
Manager and Phones with Cisco IPS
• In-line inspection of voice and video traffic
• Protect infrastructure that voice runs on:
  Protect Call Management infrastructure from attack
  Real-time anomaly detection for day-zero threats
  Drop calls that are coming from IP addresses identified on the Cisco Security Agent “watch list”
• Complements firewall application inspection technology
Cisco IPS’ Risk-Based Policy enables easy management of IPS by non-experts
Protection against:
• Application misuse
• DoS/hacking
• Known attacks
• Zero-day attacks
• Viruses/worms, spyware infecting traffic
[Diagram labels: Firewall, IPS, Legitimate Traffic]
Cisco High-Performance IPS Applications: Wireless Intrusion Prevention
• Protect the enterprise from wireless users
  High-performance IPS helps protect at WLAN speeds for guest users’ and employees’ infected computers
• Selectively block malicious traffic
  Cisco IPS inspection services help enable accurate protection from wireless traffic
• Remove repeat offenders from the network
  Cisco IPS and Cisco WLAN Controllers work collaboratively to detect attackers from Layer 2 to Layer 7, and remove repeat offenders from the network
[Diagram labels: Cisco High-Performance IPS, Cisco WLAN Controller, Cisco Access Point]
Cisco IPS Manager Express (IME)
NEW: All-in-One IPS Management Application for up to Five IPS Sensors
• Startup Wizard: Get up and running in just minutes
• Dashboard: Put needed information at your fingertips
• Configuration: Save time with intuitive interface
• Reporting: Create and share security and compliance reports
• Monitoring: See what’s happening with real-time and historical security events
[Screenshot: At-a-Glance Dashboard]
Cisco Security Manager
Integrated Security Configuration Management
Firewall Management
• Support for PIX®, ASA, FWSM, and Cisco IOS Routers
• Rich FW rule definition: shared objects, rule grouping, and inheritance
• Powerful analysis tools: conflict detection, rule combiner, hit counts, …
VPN Management
• Support for PIX, ASA, VPNSM, VPN SPA, and Cisco IOS Routers
• Support for wide array of VPN technologies such as DMVPN, Easy VPN, and SSL VPN
• VPN Wizard for Three-Step Point-and-Click VPN Creation
IPS Management
• Support for IPS Sensors, modules and Cisco IOS IPS
• Automatic policy-based IPS Sensor software and signature updates
• Signature Update Wizard allowing easy review/editing prior to deployment
Reduce OpEx
• Unified security management for Cisco devices supporting FW, VPN, and IPS
• Efficiently manage up to 5000 devices per server
• Multiple views for task optimization
  Device View
  Policy View
  Topology View
Cisco Services for IPS
Rapid Signature Updates for Emerging Threats
[Diagram labels: Vulnerabilities and Threats; Cisco IPS Signature R&D Team; Updated Signature Package]
• Follow-the-Sun Research: Extensive around-the-clock research capability gathers, identifies and classifies vulnerabilities and threats
• Rapid Response: Signatures are created to mitigate the vulnerabilities within hours of classification
• Human Intelligence: Applied Intelligence Reports provide insight and guidance on using IPS technology to protect yourself
Cisco Security IntelliShield Alert
Manager Service
Now Includes IPS Signature-to-Threat Correlation
• Complete vulnerability and threat information in a single database
• Notification of only those vulnerabilities relevant to a pre-defined infrastructure
• Actionable alerts in a standardized format based on user-customized profiles
• Each vulnerability or threat is analyzed and validated by security analysts
• Vulnerability and threat information is vendor-neutral and objectively graded
• Comprehensive library of over 10,000 threats and vulnerabilities
• Built-in workflow allows easy management of tasks and remediation efforts
Cisco License Manager
• Automates license management for IPS AIM, IPS NME and more
• Increased productivity
  Rapidly roll out new services—500 licenses deployed in two minutes
  Scales to 30,000 devices
• Enhanced Security and Virtualization
  Role-Based Access Control via user roles
  Access Control Lists limit access to PAKs and Devices
• Reduced complexity
  Automated licensing workflows
  License reports aid in audit compliance
• Investment protection
  Full-functionality Java and Perl Software Development Kits (SDK) to integrate with existing applications
• Faster failure recovery
  Restore device licenses from database backup
  Resend all licenses from Cisco.com and deploy them quickly