brksec-2007
TRANSCRIPT
© 2006, Cisco Systems, Inc. All rights reserved.14465_04_2008_c2.scr
© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKSEC-200714465_04_2008_c2 2
Deploying IOS Security
BRKSEC-2007
Agenda
Drivers for Integrated Security
Technology Overview
Design Considerations
Deployment Models
Real World Use Cases
Case Study
Summary
Security as an Option
Security is an add-on: challenging integration; not cost-effective; cannot focus on core priority
Security is built-in: intelligent collaboration; appropriate security; direct focus on core priority
Threats and Challenges
Threats at the Branch Office and HQ (diagram: branch offices and headquarters connected over the Internet). Threats shown: web surfing, DDoS on router, worms/viruses, wireless attacks, voice attacks, attacks on branch servers, attack on DMZ.
Requirement of Integrated Security Solution: IOS Security
Securing the Branch Office and HQ (diagram: branch offices and headquarters connected over the Internet). Threats shown: regulate surfing, DDoS on router, worms congesting WAN, voice attacks, attacks on branch servers, wireless attacks. IOS security features shown: Network Foundation Protection, Application Firewall, IPS, FPM, URL Filtering, Voice Security, Wireless Security, Integrated HQ Firewall.
Secure Internet access to branch, without the need for additional devices
Control worms and viruses right at the remote site, conserve WAN bandwidth
Protect the router itself from hacking and DoS attacks
Cisco IOS Security—Router Technologies
Secure Connectivity: IPsec VPN, SSL VPN, GET VPN, DMVPN
Integrated Threat Control: Network Admission Control, Advanced Firewall, Intrusion Prevention, URL Filtering, 802.1x, Network Foundation Protection, Flexible Packet Matching
Management and Instrumentation: SDM, NetFlow, IP SLA, Role Based Access
Secure Network Solutions: Secure Voice, Compliance, Secure Mobility, Business Continuity
Integrated Threat Control
Cisco IOS Firewall (Classic and Zone-Based)
Cisco IOS Application Intelligence Control
Cisco IOS Intrusion Prevention System
Cisco IOS URL Filtering
Cisco IOS Flexible Packet Matching (FPM)
Cisco IOS Network Foundation Protection (NFP)
Cisco IOS Firewall Overview
Cisco IOS Firewall is a Common Criteria certified firewall
Stateful filtering
Application inspection (Layer 3 through Layer 7)
Application control—Application Layer Gateway (ALG) engines with wide range of protocols and applications
Built-in DoS protection capabilities
Supports deployments with Virtualization (VRFs), transparent mode and stateful failover
IPv6 support
http://www.cisco.com/go/iosfw
Advanced Layer 3–7 Firewall
Cisco IOS Zone-Based Policy Firewall
Allows grouping of physical and virtual interfaces into zones
Firewall policies are applied to traffic traversing zones
Simple to add or remove interfaces and integrate into firewall policy
Diagram: Trusted (private), Untrusted (Internet/public) and DMZ zones, with Private-Public, Public-DMZ, DMZ-Private and Private-DMZ policies between them.
Supported features: stateful inspection; application inspection (IM, POP, IMAP, SMTP/ESMTP, HTTP); URL filtering; per-policy parameters; transparent firewall; VRF-aware firewall (virtual firewall)
Cisco IOS Zone-Based Firewall—Rule Table (SDM) (screenshot)
Cisco IOS Zone-Based Policy Firewall Configuration (Command Line Interface (CLI))

Define services inspected by policy:
class-map type inspect match-any services
 match protocol tcp
!
Configure firewall action for traffic:
policy-map type inspect firewall-policy
 class type inspect services
  inspect
!
Define zones:
zone security private
zone security public
!
Establish zone pair, apply policy:
zone-pair security private-public source private destination public
 service-policy type inspect firewall-policy
!
Assign interfaces to zones:
interface fastethernet 0/0
 zone-member security private
!
interface fastethernet 0/1
 zone-member security public
Cisco IOS Transparent Firewall
Introduces "stealth firewall" capability
No IP address associated with the firewall (nothing to attack)
No need to renumber or break up IP subnets
IOS Router is bridging between the two "halves" of the network
Use Case: Firewall Between Wireless and Wired LANs
Both "wired" and wireless segments are in the same subnet 192.168.1.0/24
VLAN 1 is the "private" protected network.
Wireless is not allowed to access the wired LAN
Diagram: transparent firewall router bridging Fa 0/0 / VLAN 1 (wired) and the wireless segment toward the Internet; hosts 192.168.1.2 and 192.168.1.3 shown.
Transparent Cisco IOS Firewall Configuration (Command Line Interface (CLI))

Layer 2 configuration (bridge configuration):
bridge irb
bridge 1 protocol ieee
bridge 1 route ip

Classification:
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp

Security policy:
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect

Security zones:
zone security wired
zone security wireless

Security zone policy:
zone-pair security zone-policy source wired destination wireless
 service-policy type inspect firewall-policy
!
interface VLAN 1
 description private interface
 bridge-group 1
 zone-member security wired
!
interface VLAN 2
 description public interface
 bridge-group 1
 zone-member security wireless
Cisco IOS Flexible Packet Matching (FPM)
Rapid Response to New and Emerging Attacks
Network managers require tools to filter day-zero attacks, such as before IPS signatures are available
Traditional ACLs take a shotgun approach—legitimate traffic could be blocked. Example: stopping Slammer with ACLs meant blocking port 1434—denying business transactions involving Microsoft SQL
FPM delivers flexible, granular Layer 2–7 matching. Example: port 1434 + packet length 404B + specific pattern within payload = Slammer
Match pattern with AND, OR, NOT
Cisco.com/go/fpm
Cisco IOS Flexible Packet Matching Configuration - Slammer Filter

class-map type stack ip-udp
 match field ip protocol eq 17 next udp
!
class-map type access-control slammer
 match field udp dport eq 1434
 match start ip version offset 224 size 4 eq 0x04011010
 match start network-start offset 224 size 4 eq 0x04011010
!
policy-map type access-control udp-policy
 class slammer
  drop
!
policy-map type access-control fpm-policy
 class ip-udp
  service-policy udp-policy

The access-control typed class defines the traffic pattern: UDP destination port 1434, and the 4-byte value at offset 224 bytes from the start of the IP header must be 0x04011010.
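As an added example (not from the slides or Cisco), the same three-part Slammer test expressed in Python over constructed packets, to show what the class-map actually matches and why a packet on port 1434 with a different payload is left alone where a port-1434 ACL would have dropped it. The packet builder, addresses and sample packets are this example's own.

```python
"""Software model of the FPM Slammer filter from the slide above (added example, not Cisco code)."""
import struct

SLAMMER_PORT = 1434           # match field udp dport eq 1434
SLAMMER_OFFSET = 224          # offset from the start of the IP header (network-start)
SLAMMER_PATTERN = 0x04011010  # match start ... offset 224 size 4 eq 0x04011010


def _ip4(addr: str) -> bytes:
    """Dotted-quad string to 4 packed bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4+UDP packet; checksums are left zero because matching never reads them."""
    udp_len = 8 + len(payload)
    total_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0, _ip4(src), _ip4(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def matches_slammer(pkt: bytes) -> bool:
    """True when pkt satisfies the stack class (ip-udp) and the access-control class (slammer)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:                       # match field ip protocol eq 17 next udp
        return False
    if len(pkt) < ihl + 8:
        return False
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if dport != SLAMMER_PORT:              # match field udp dport eq 1434
        return False
    window = pkt[SLAMMER_OFFSET:SLAMMER_OFFSET + 4]
    if len(window) < 4:                    # packet too short to reach offset 224: no match
        return False
    return struct.unpack("!I", window)[0] == SLAMMER_PATTERN


def constructed_samples() -> dict:
    """Constructed test packets: one that matches and two legitimate-looking ones that must not."""
    # 376 bytes of UDP payload gives the 404-byte total length quoted on the FPM slide;
    # the pattern is placed so that it sits at byte 224 counted from the IP header.
    pos = SLAMMER_OFFSET - 28              # 28 = IP header (20) + UDP header (8)
    worm_payload = bytearray(b"\x04" + b"\x01" * 375)
    worm_payload[pos:pos + 4] = SLAMMER_PATTERN.to_bytes(4, "big")
    worm = build_ipv4_udp("10.1.1.5", "192.168.1.20", 1434, 1434, bytes(worm_payload))

    # Same port and length, different bytes at offset 224: an ACL on 1434 drops it, FPM does not.
    benign_same_port = build_ipv4_udp("10.1.1.6", "192.168.1.20", 4000, 1434, b"\x02" + b"\x00" * 375)

    # Pattern present but on another port: not Slammer under this class-map either.
    other = bytearray(b"\x00" * 376)
    other[pos:pos + 4] = SLAMMER_PATTERN.to_bytes(4, "big")
    benign_other_port = build_ipv4_udp("10.1.1.7", "192.168.1.20", 4000, 5000, bytes(other))

    return {"worm": worm, "benign_same_port": benign_same_port, "benign_other_port": benign_other_port}


def classify(samples: dict) -> dict:
    """Apply the filter; the policy-map action for a match is 'drop', everything else is permitted."""
    return {name: ("drop" if matches_slammer(pkt) else "permit") for name, pkt in samples.items()}
```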
Cisco IOS Intrusion Prevention (IPS)
Cisco IOS IPS stops attacks at the entry point, conserves WAN bandwidth, and protects the router and remote network from DoS attacks
Integrated form factor makes it cost-effective and viable to deploy IPS in Small and Medium Business and Enterprise branch/telecommuter sites
Supports 2000+ signatures sharing the same signature database available with Cisco IPS sensors
Allows custom signature sets and actions to react quickly to new threats
Distributed Defense Against Worms and Viruses (diagram: small branch, branch office and small office/telecommuter sites connect to the corporate office over the Internet with IPS on each site router; apply IPS on traffic from branches to kill worms from infected PCs; stop attacks before they fill up the WAN; protect router and local network from DoS attacks)
http://www.cisco.com/go/iosips
Cisco IOS Intrusion Prevention System (IPS) Configuration (Command Line Interface (CLI))

Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup: IOS-Sxxx-CLI.pkg and realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
mkdir ipstore (create directory on flash)
Paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS configuration:
ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface fastEthernet 0
 ip ips ips-policy in

Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count
Total Compiled Signatures:338 - Total active compiled signatures
Comprehensive, Scalable IPS Management
Integrated, Collaborative Security for the Branch
Full range of management options:
Cisco SDM 2.5† provides full IPS provisioning and monitoring for a single router
Cisco Security Manager 3.1† / CS-MARS for Enterprise IPS
CLI option supports automated provisioning and signature update†
Cisco Configuration Engine for MSSP—scales to thousands of devices‡
Operational consistency across the Cisco IPS portfolio
Risk Rating and Event Action Processor (SEAP) reduce false positives‡
Enhanced Microsoft signature support (MSRPC and SMB)†
† New in Cisco IOS 12.4(15)T2; ‡ Unique in the industry
Cisco IOS Transparent IPS
Use Case: IPS Between Wireless and Wired LANs
Introduces "stealth IPS" capability
No IP address associated with the IPS (nothing to attack)
IOS Router is bridging between the two "halves" of the network
Both "wired" and wireless segments are in the same subnet 192.168.1.0/24
VLAN 1 is the "private" protected network.
Diagram: transparent IPS router bridging Fa 0/0 / VLAN 1 (wired) and the wireless segment toward the Internet; hosts 192.168.1.2 and 192.168.1.3 shown.
Cisco IOS Intrusion Prevention System (IPS) Configuration (Command Line Interface (CLI))

Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup: IOS-Sxxx-CLI.pkg and realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
mkdir ips5 (create directory on flash)
Paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS configuration:
ip ips config location flash:ips5 retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface VLAN 1
 description private interface
 bridge-group 1
 ip ips ips-policy out
interface VLAN 2
 description private interface
 bridge-group 1
 ip ips ips-policy in

Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count
Total Compiled Signatures:338 - Total active compiled signatures
Cisco IOS URL Filtering
Control employee access to entertainment sites during work hours
Control downloads of objectionable or offensive material, limit liabilities
Cisco IOS supports static whitelist and blacklist URL filtering
External filtering servers such as Websense, Smartfilter can be used at the corporate office, with Cisco IOS static lists as backup
SDM 2.3 supports configuring static lists and importing .csv files for URL lists
Internet Usage Control (diagram: branch office users web surfing to the Internet through URL filtering on the branch router)
Router Hardening: Think "Divide and Conquer", a Methodical Approach to Protect Three Planes (Cisco NFP)
A router can be logically divided into three functional planes:
1. Data plane (ability to forward data): the vast majority of packets handled by a router travel through the router by way of the data plane
2. Management plane (ability to manage): traffic from management protocols and other interactive access protocols, such as Telnet, Secure Shell (SSH) protocol, and SNMP, passes through the management plane
3. Control plane (ability to route): routing control protocols, keepalives, ICMP with IP options, and packets destined to the local IP addresses of the router pass through the control plane
Network Foundation Protection
Control Plane: defense-in-depth protection for the routing control plane. Technologies: Receive ACLs, control plane policing, iACLs, neighbor authentication, BGP best practices
Data Plane: detects traffic anomalies and responds to attacks in real time. Technologies: NetFlow, IP source tracker, ACLs, uRPF, RTBH, QoS tools
Management Plane: secure and continuous management of the Cisco IOS network infrastructure. Technologies: CPU and memory thresholding, dual export syslog, image verification, SSHv2, SNMPv3, security audit, CLI views
http://www.cisco.com/go/nfp
Router Hardening: Traditional Methods
Disable any unused protocols
VTY ACLs
SNMP community ACL
Views
Disable SNMP RW; use SNMPv3 for RW if needed
Prevent dead TCP sessions from utilizing all VTY lines: service tcp-keepalives-in
Use 'type 5' passwords; 'service password-encryption' is reversible and is only meant to prevent shoulder surfing
Run AAA; don't forget Authorization and Accounting
Disable extraneous interface features
Encrypt sessions: SSH, IPsec
Best Practice - Features to Disable
BOOTP
CDP
Configuration auto-loading
DNS
DHCP Server
Finger
HTTP Server
FTP Server
TFTP Server
IP Directed Broadcast
IP mask reply
IP redirects
IP Source Routing
IP unreachable notifications
Identification service
NTP
PAD Service
Proxy ARP
Gratuitous ARP
SNMP
TCP Small Servers
UDP Small Servers
MOP Service
TCP keep-alives
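An added example, not Cisco tooling: a small Python audit that checks a constructed IOS running-config against items from the two hardening lists above. Defaults-on services (CDP, BOOTP, source routing) only appear in the config once they have been turned off, so those checks look for the 'no ...' line; explicit enables such as 'ip http server' must be absent; the per-interface items are checked per interface stanza. The check names and the sample config are this example's own.

```python
"""Audit an IOS running-config against the hardening items on the slides above (added example)."""
import re

# Global checks: (name, pattern that must be present, pattern that must be absent).
GLOBAL_CHECKS = [
    ("CDP disabled",           r"^no cdp run$",                None),
    ("Finger disabled",        r"^no (service|ip) finger$",    None),
    ("BOOTP server disabled",  r"^no ip bootp server$",        None),
    ("IP source routing off",  r"^no ip source-route$",        None),
    ("TCP small servers off",  None, r"^service tcp-small-servers$"),
    ("UDP small servers off",  None, r"^service udp-small-servers$"),
    ("HTTP server disabled",   None, r"^ip http server$"),
    ("VTY keepalives enabled", r"^service tcp-keepalives-in$", None),
    # 'service password-encryption' does not help here: enable password stays reversible type 7.
    ("Type 5 enable secret",   r"^enable secret 5 ",           r"^enable password "),
    ("No SNMP RW community",   None, r"^snmp-server community \S+ RW\b"),
    ("AAA enabled",            r"^aaa new-model$",             None),
    ("SSH only on VTY",        r"^ transport input ssh$",      r"^ transport input (telnet|all)\b"),
]

# Per-interface items from the 'Features to Disable' list.
INTERFACE_CHECKS = [
    ("IP redirects off",       r"^ no ip redirects$"),
    ("IP unreachables off",    r"^ no ip unreachables$"),
    ("Proxy ARP off",          r"^ no ip proxy-arp$"),
    ("Directed broadcast off", r"^ no ip directed-broadcast$"),
]


def _present(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.MULTILINE) is not None


def audit_global(config: str) -> list:
    """Names of the global checks that fail for this config, in GLOBAL_CHECKS order."""
    failures = []
    for name, need, forbid in GLOBAL_CHECKS:
        if need is not None and not _present(need, config):
            failures.append(name)
        elif forbid is not None and _present(forbid, config):
            failures.append(name)
    return failures


def interface_stanzas(config: str) -> dict:
    """Map interface name -> its indented stanza; a stanza ends at the next top-level line."""
    stanzas, name, lines = {}, None, []
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            if name is not None:
                stanzas[name] = "\n".join(lines)
            name, lines = match.group(1), []
        elif name is not None and line.startswith(" "):
            lines.append(line)
        elif name is not None:
            stanzas[name] = "\n".join(lines)
            name, lines = None, []
    if name is not None:
        stanzas[name] = "\n".join(lines)
    return stanzas


def audit_interfaces(config: str) -> dict:
    """Interface name -> list of interface checks it fails (interfaces that pass are omitted)."""
    report = {}
    for ifname, text in interface_stanzas(config).items():
        failed = [name for name, pattern in INTERFACE_CHECKS if not _present(pattern, text)]
        if failed:
            report[ifname] = failed
    return report


# Constructed sample: password-encryption is on but the enable password is still type 7,
# HTTP is on, an RW community exists, the VTY still allows Telnet, and Fa0/0 is only half hardened.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
service password-encryption
no service finger
enable password 7 0822455D0A16
ip http server
snmp-server community public RO
snmp-server community private RW
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
line vty 0 4
 transport input telnet ssh
!
end
"""
```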
Cisco IOS Control Plane Policing
Mitigates DoS attacks on the control plane (route processor) such as ICMP floods
Polices and throttles incoming traffic to the control plane; maintains packet forwarding and protocol states during attacks or heavy traffic load
Continual Router Availability Under Stress (diagram: incoming packets enter the packet buffer and CEF/FIB lookup; locally switched packets go to the output packet buffer, while processor-switched packets pass through Control Plane Policing (alleviates DoS attacks) and Silent Mode (prevents reconnaissance) on their way into the control plane, which handles management (SNMP, Telnet, SSH, SSL, ...), ICMP, IPv6 and routing updates; output from the control plane returns to the output packet buffer)
Cisco.com/go/nfp
Cisco IOS AutoSecure
http://www.cisco.com/go/autosecure
One Touch Automated Router Lockdown
Disables Non-Essential Services: eliminates DoS attacks based on fake requests; disables mechanisms that could be used to exploit security holes
Secures Forwarding Plane: protects against SYN attacks; anti-spoofing; enforces stateful firewall configuration on external interfaces, where available
Enforces Secure Access: enforces enhanced security in accessing the device; enhanced security logs; prevents attackers from knowing packets have been dropped
Secure Connectivity
GET VPN, DMVPN, Easy VPN, SSL VPN
Cisco IPsec VPN Technologies

Feature                | Easy VPN                     | DMVPN                                       | GET VPN
Infrastructure Network | Public Internet transport    | Public Internet transport                   | Private IP transport
Network Style          | Hub-spoke (client to site)   | Hub-spoke and spoke-to-spoke (partial mesh) | Any-to-any (full mesh)
Routing                | Reverse-route injection      | Dynamic routing on tunnels                  | Dynamic routing on IP WAN
Failover Redundancy    | Stateful hub crypto failover | Route distribution model                    | Route distribution model + KS: stateful
Encryption Style       | Peer-to-peer protection      | Peer-to-peer protection                     | Group protection
IP Multicast           | Multicast replication at hub | Multicast replication at hub                | Multicast replication in IP WAN network
Cisco GET VPN
GET uses Group Domain of Interpretation (GDOI): RFC 3547 standards-based key distribution
GET adds cooperative key servers for high availability
Key servers authenticate and distribute keys and policies; group member provisioning is minimized; application traffic is encrypted by group members
GET VPN Simplifies Security Policy and Key Distribution (diagram: two key servers and group members in Subnets 1–4 connected over a private WAN; the original IP packet keeps its original IP header across the WAN)
GET VPN Uses IP Header Preservation to Mitigate Routing Overlay:
IP packet: Original IP Header | IP Payload
IPsec tunnel mode: New IP Header | ESP Header | Original IP Header | IP Payload
GET VPN IP header preservation: Original IP Header | ESP Header | Original IP Header | IP Payload
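An added example, not Cisco code: the two encapsulations compared on the GET VPN slide built byte for byte in Python, so the outer-header difference is visible in the packet itself. Tunnel mode puts the tunnel endpoints in the new outer header; header preservation repeats the original source and destination, which is what lets the private WAN route the packet without a tunnel overlay. The ESP payload is left as plaintext here (the encryption step is not what the slide compares), and the addresses, SPI and inner packet are constructed.

```python
"""IPsec tunnel mode vs. GET VPN header preservation, at byte level (added example, not Cisco code)."""
import ipaddress
import struct

ESP_PROTO = 50  # IP protocol number for ESP


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options; checksum left zero since nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def esp_wrap(inner: bytes, spi: int, seq: int) -> bytes:
    """ESP header (SPI, sequence number) followed by the protected packet (plaintext placeholder)."""
    return struct.pack("!II", spi, seq) + inner


def ipsec_tunnel_mode(inner: bytes, tunnel_src: str, tunnel_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel mode: New IP Header | ESP Header | Original IP Header | IP Payload."""
    esp = esp_wrap(inner, spi, seq)
    return ipv4_header(tunnel_src, tunnel_dst, ESP_PROTO, len(esp)) + esp


def get_vpn_encap(inner: bytes, spi: int, seq: int) -> bytes:
    """Header preservation: Original IP Header | ESP Header | Original IP Header | IP Payload."""
    src, dst, _ = parse_outer(inner)          # reuse the original addresses in the outer header
    esp = esp_wrap(inner, spi, seq)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def parse_outer(pkt: bytes) -> tuple:
    """(src, dst, protocol) of the outermost IPv4 header: what a WAN router sees."""
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9]


def inner_packet(pkt: bytes) -> bytes:
    """Strip the outer IPv4 header and the 8-byte ESP header to recover the original packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 8:]


# Constructed original packet: a host in Subnet 1 sending UDP (protocol 17) to a host in Subnet 2.
ORIGINAL = ipv4_header("10.1.0.10", "10.2.0.20", 17, 12) + b"app-payload!"
```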
Cisco Dynamic Multipoint VPN
Secure On-Demand Meshed Tunnels (diagram: hub and spokes A, B and C across the WAN; legend: traditional static tunnels vs. DMVPN tunnels, static known IP addresses vs. dynamic unknown IP addresses)
Full meshed connectivity with simple configuration of hub and spokes
Supports dynamically addressed spokes
Zero touch configuration for addition of new spokes
What's New in Phase 3: improved scaling (NHRP/CEF rewrite and EIGRP scaling enhancements); manageability enhancements
Cisco.com/go/dmvpn
Cisco Enhanced Easy VPN
Automated deployments—no user intervention
Enforces consistent policy on remote devices
Add new devices without changes at headend
Supports dynamic connections with VPN
Interoperable across Cisco access and security devices
Cisco VPN client—the only FIPS-certified client
What's New in Easy VPN? CTA/NAC policy enforcement; centralized policy push for integrated client firewall; password aging via AAA; cTCP NAT transparency and firewall traversal; DHCP client proxy and DDNS registration; split DNS; per-user policy from RADIUS; support for identically addressed spokes behind NAT with split tunnels; VTI manageability—display of VRF information, summary commands
Centralized Policy-Based Management (diagram: a hardware client (Cisco ASA, PIX, Security Router) or the Cisco VPN software client on PC/Mac/UNIX connects across the Internet to a Cisco Security Router at the corporate office: 1. remote calls 'home'; 2. validate, policy push; 3. VPN tunnel)
http://www.cisco.com/go/easyvpn
Cisco IOS SSL VPN
Clientless Access (web based + application helper): browser-based (clientless); gateway performs content transformation; file sharing (CIFS), OWA, Citrix; Java-based application helper
Full Network Access (IP over SSL, IP-based applications): application agnostic; tunnel client dynamically loaded; no reboot required after installation; client may be permanently installed or removed dynamically
Cisco Router and Security Device Manager—simple GUI-based provisioning and management with step-by-step wizards for turnkey deployment
Cisco Secure Desktop—prevents digital leakage, protects user privacy, easy to implement and manage, and works with desktop guest permissions
Virtualization and VRF awareness—pool resources
Secure Connectivity Related Sessions
BRKSEC-3005: Advanced Remote Access with SSLVPN
BRKSEC-3008/2007: Site to Site VPN with GETVPN
BRKSEC-3006: Advanced Site to Site VPN Dynamic Multipoint VPNs (DMVPN)
Management and Instrumentation
SDM, NetFlow, IP SLA, Role Based Access
Cisco Security Management Suite
Cisco Security Device Manager: quickest way to set up a device; wizards to configure firewall, IPS, VPN, QoS, and wireless; configures all device parameters; ships with the device
Cisco Security MARS: solution for monitoring and mitigation; uses control capabilities within the infrastructure to eliminate attacks; visualizes attack paths
Cisco Security Manager: new solution for configuring routers, appliances, switches; new user-centered design; new levels of scalability
Instrumentation
IP Service Level Agent (IP SLAs): network performance data (latency and jitter)
NetFlow and NBAR: detailed statistics for all data flows in the network (see Advanced NetFlow Deployment, BRKNMS-3005)
SNMP v3 and SNMP informs: reliable traps using SNMP informs
Syslog Manager and XML-formatted syslog: total flexibility to parse and control syslog messages on the router itself
Tcl scripting and Kron (cron) jobs: flexible, programmatic control of the router
Role-Based CLI Access: provides partitioned, non-hierarchical access (e.g. Network and Security Operations)
EEM: solving security challenges using EEM
Your network management system is only as good as the data you can get from the devices in the network
Design Consideration
Design Consideration: Cisco IOS Firewall
Classic or Zone-Based Firewall: Zone-Based Firewall (12.4(4)T) or Classic Firewall. All new features will be offered in the zone-based policy firewall configuration model; there is no end-of-life plan for the Classic Cisco IOS Firewall, but it will get no new features. ASR1000 supports the IOS Zone-Based Firewall.
Manageability: provisioning firewall policies via CLI, Cisco Security Manager, SDM and Config Engine; monitoring firewall activity via syslog, SNMP and screen-scrapes from "show" commands; modifying security policies: SDM supports the zone-based firewall.
Interoperability: Cisco IOS Firewall interoperates with other features: NAT, VPN, Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL Filtering and QoS.
Memory usage: a single TCP or UDP (layer 3/4) session takes 600 bytes of memory; multi-channel protocol sessions use more than 600 bytes.
Design Consideration: Cisco IOS Firewall
Cisco IOS Firewall Went Through a Paradigm Shift: 12.4(4)T and Onward Supports Zone-Based IOS Firewall

Classic IOS Firewall (before 12.4(4)T and 12.4 mainline) | Zone-Based IOS Firewall (12.4(4)T and later)
Interface based policies                                   | Zone based policies
No granular support                                        | Very granular firewall policies
Support for Classic IOS Firewall                           | Support for Classic IOS Firewall continued; no new features on Classic IOS Firewall
No advanced AIC support                                    | Advanced protocol conformance support (P2P, IM, VoIP, etc.)
Supported in CSM and SDM                                   | Supported in SDM; CSM planned for CY2008
MIB support                                                | No MIB—roadmap
IPv6 support                                               | No IPv6—roadmap
Active/Passive failover support                            | No Active/Passive failover—roadmap
Design Consideration: Cisco IOS Firewall
Denial of Service (DoS) protection settings: prior to 12.4(11)T the default DoS settings were set low (see http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd804e5098.shtml); from 12.4(11)T onwards the DoS settings are maxed out by default
Addressing: firewall policies can be made much more efficient with a well thought-out IP address scheme
Performance consideration: Cisco IOS Firewall Performance Guidelines for ISRs (800-3800): http://www.cisco.com/en/US/partner/products/ps5855/products_white_paper0900aecd8061536b.shtml
ASR1000: TCP/ICMP/UDP inspection performance (up to 10G) with select ALGs (SIP UDP, active FTP, DNS, H.323v2, SCCP)
Cisco IOS Firewall - ISRs: Real World Performance: HTTP (chart)
Design Consideration: Cisco IOS Firewall Voice Features

Protocol                                          | ISRs | ASR1000 | Comments
H.323 V1 & V2                                     | Yes  | Yes     | Tested using CME 4.0
H.323 V3 & V4                                     | No   | No      | Roadmap
H.323 RAS                                         | Yes  | No      |
H.323 T.38 Fax                                    | No   | No      | Roadmap
SIP UDP                                           | Yes  | Yes     | CCM 4.2 supported; RFC 2543, RFC 3261 not supported
SIP TCP                                           | No   | No      | Roadmap
SCCP                                              | Yes  | Yes     | Tested with CCM 4.2/CME 4.0
Locally generated traffic inspection for SIP/SCCP | No   | No      | Roadmap
For Cisco IOS support, contact [email protected] with requirements
Design Consideration: Cisco IOS Flexible Packet Matching

Functionality                                   | ACL                  | ISR 12.4(15)T2                                                              | ASR1000 RLS 2.2
# of ACEs per interface                         | Unlimited            | Unlimited                                                                   | 60,000
# of match criteria / ACE                       | 4                    | Unlimited                                                                   | 2
Depth of inspection                             | 44 bytes             | Full packet                                                                 | 256 B
Raw offset                                      | No                   | Yes                                                                         | Yes
Relative offset (fixed header length support)   | No                   | Yes                                                                         | Yes
Dynamic offset (variable header length support) | No                   | Yes                                                                         | No
Nested policies                                 | No                   | Yes                                                                         | Yes
Nested class-maps                               | No                   | Yes                                                                         | Yes
Regex match                                     | No                   | Yes                                                                         | Yes
String match                                    | No                   | Yes                                                                         | Yes
Match string pattern window                     | No                   | Full packet                                                                 | Full packet
Protocol support                                | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet, GRE, IPsec                                  | IPv4, TCP, UDP, ICMP, Ethernet
Actions supported                               | permit, deny, log    | permit, count, drop, log, send-response, nested-policy redirect, rate limit | permit, count, drop, log, send-response
Design Consideration: Cisco IOS IPS 4.x and 5.x
Cisco IOS IPS Went Through a Paradigm Shift: 12.4(11)T2 and Onward Supports IPS 5.x

                                                | Before Release 12.4(11)T2 & 12.4 Mainline            | Release 12.4(11)T2 & later
IOS IPS internal version (show subsys name ips) | 2.xxx.xxx                                            | 3.000.000
Signature format                                | 4.x                                                  | 5.x
Signature download URL                          | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup | http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
Signature distribution                          | Pre-tuned signature files: Basic/Advanced SDF files  | Signature package: IOS-Sxxx-CLI.pkg
Loading signatures                              | From a single SDF file                               | From a set of configuration files
Configuration of signatures                     | Flat single SDF file approach                        | Hierarchical multi-level/multi-file approach

Signature updates for Cisco IOS IPS 4.x (12.4(9)T or prior) will continue till ?
Design Consideration: Migrating to Cisco IOS IPS 5.x (12.4(11)T2)
Option 1: Existing customer using non-customized pre-built signature files (SDFs): no signature migration needed; signatures in 128MB.sdf are in the IOS-Basic category; signatures in 256MB.sdf are in the IOS-Advanced category
Option 2: Existing customer using customized pre-built signature files (SDFs): a signature migration (TCL) script is available on Cisco.com to convert a customized SDF to 5.x format; this migration script does not migrate user-defined (non-Cisco) signatures
Migration Guide: http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd8057558a.shtml
Design Consideration: Cisco IOS IPS—12.4(11)T2 and Later Releases
Manageability: provisioning IPS policies via CLI, Cisco Security Manager, SDM and Config Engine
Signature tuning and update: the basic category is the Cisco recommended signature set for routers with 128 MB RAM and the advanced category is for 256 MB RAM; signature tuning with the command line interface (CLI) is available after 12.4(11)T; signature package updates align with Cisco 42xx sensors (auto update via CSM)
Monitoring IPS activity: reporting via CS-MARS (SDEE and syslog support) and screen-scrapes from "show" commands
Modifying security policies: SDM/CSM support IPS
Design Consideration: Provisioning and Monitoring Options
IPS signature provisioning:
Up to 5 routers: Cisco Security Device Manager (SDM)
More than 5 routers, same signature set/policy: Opt 1: Cisco Security Manager (CSM); Opt 2: Cisco SDM and Cisco Configuration Engine to copy generated IPS files to a large number of routers
More than 5 routers, different signature set/policy: single or multiple instances of CSM
IPS event monitoring:
1 router: Cisco IPS Event Viewer (IEV) or Cisco SDM
Up to 5 routers: Cisco IEV or syslog server
More than 5 routers: Cisco Security MARS x.3.2 (model and quantity depend on the number of routers, topology and cumulative EPS)
Design Consideration: Cisco IOS Intrusion Prevention System (IPS)
Performance consideration: performance of the router is not affected by adding more signatures
Memory usage: the signature compilation process is highly CPU-intensive while the signatures are being compiled; the number of signatures that can be loaded on a router is memory-dependent
Fragmentation: Cisco IOS IPS uses VFR (Virtual Fragmentation Reassembly) to detect fragmentation attacks
Cisco IOS IPS and Out-of-Order Packets
Cisco IOS IPS supports out-of-order packets starting from the following two releases:
Release 12.4(9)T2
Release 12.4(11)T
Configurable via CLI: ip inspect tcp reassembly
Notification for packets dropped due to insufficient buffer space
Cisco Security Manager 3.1 Cisco IOS IPS Signature List View
Cisco IOS IPS and Auto Update (SDM and CSM)
Design Consideration: IOS IPS and IPS Appliances/Modules
(Compared: Cisco IOS IPS Release 12.4(9)T; Cisco IOS IPS Release 12.4(11)T; Cisco IPS 42xx sensors, IDSM2, SSM-AIP, NM-CIDS modules)

Signature Format: 12.4(9)T 4.x; 12.4(11)T 5.x/6.0; appliances/modules 5.x/6.0
Signature Updates & Tuning: 12.4(9)T using SDF; 12.4(11)T using IDCONF; appliances/modules using IDCONF
Signatures Supported: IOS IPS subset of 1700+ signatures (depends on router model/DRAM); appliances/modules 1900+ signatures selected by default
Recommended (pre-built or default) Signature Set: 12.4(9)T Basic or Advanced SDF; 12.4(11)T IOS-Basic or IOS-Advanced Category; appliances/modules all signatures alarm-only
Day-Zero Anomaly Detection: IOS IPS No; appliances/modules available in 6.0 release
Transparent (L2) IPS: IOS IPS Yes; appliances/modules Yes
Rate Limiting: IOS IPS No; appliances/modules Yes
IPv6 Detection: IOS IPS No; appliances/modules Yes
Signature Event Action Proc.: 12.4(9)T No; 12.4(11)T Yes; appliances/modules Yes
Meta Signatures: IOS IPS No; appliances/modules Yes
Voice, Sweep & Flood Engines: IOS IPS No; appliances/modules Yes (H.225 for voice)
Event Notification: IOS IPS Syslog & SDEE; appliances/modules SDEE
IPS Solutions on Cisco ISRs
Note: Only one IPS solution may be active in the router. All others must be removed or disabled.
(Compared: Cisco IOS IPS; Cisco IPS AIM; Cisco NM-CIDS)

Dedicated CPU/DRAM for IPS: IOS IPS No; IPS AIM Yes; NM-CIDS Yes
Inline and Promiscuous Detection and Mitigation: IOS IPS Yes; IPS AIM Yes; NM-CIDS No, promiscuous mode only
Signatures Supported: IOS IPS subset of 2000+ signatures, subject to available memory; IPS AIM full set of signatures (2200+); NM-CIDS full set of signatures (2200+)
Automatic Signature Updates: IOS IPS Yes; IPS AIM Yes; NM-CIDS Yes
Day-zero Anomaly Detection: IOS IPS No; IPS AIM Yes; NM-CIDS Yes
Rate Limiting: IOS IPS No; IPS AIM Yes; NM-CIDS Yes
Cisco Security Agent and Cisco IPS Collaboration: IOS IPS No; IPS AIM Yes; NM-CIDS No
Meta Event Generator: IOS IPS No; IPS AIM Yes; NM-CIDS Yes
Event Notification: IOS IPS Syslog, SDEE; IPS AIM SNMP and SDEE; NM-CIDS SNMP and SDEE
Device Management: IOS IPS CLI, SDM; IPS AIM IOS CLI, IDM; NM-CIDS IPS CLI, IDM
System/Network Management: CSM for all three
Event Monitoring and Correlation: IOS IPS IEV, CS-MARS; IPS AIM IEV, CS-MARS, on-box Meta Event Generator; NM-CIDS IEV, CS-MARS, on-box Meta Event Generator
Design Consideration: Recommendation
New web and collateral content at http://www.cisco.com/go/iosips/
Use the latest T Train image: 12.4(15)T2
  Native support for Microsoft SMB and MSRPC signatures
  Works with the WAAS Module if Zone-Based FW is also configured
  Includes many bug fixes for SDM interoperability, etc.
To use IOS IPS with the WAAS (WAN Optimization) Module:
  You must use a 12.4(11)T2/T3 or 12.4(15)T2 image
  If IPS is applied on the optimized WAN interface, you must also configure Zone-Based Firewall for a zone including that interface
  ASR1000 introduces this fix-up in RLS 2.2 for IOS Firewall
If working with an image prior to 12.4(11)T or any Mainline image:
  Use the latest Basic (128MB.sdf) and Advanced (256MB.sdf) signature files at http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup/
Deployment Models
Enterprise Branch and HQ Profiles
Single Router Model and Dual Router Model: Branch Office connected to Head Quarter over the Internet and/or a Private WAN
Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs, IPsec VPNs
Enterprise Branch and HQ: Single Router Model
Primary: Internet with IPsec VPN - IPVPN
Backup: None
Internet access is via split-tunneling
Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs
Enterprise Branch and HQ Profile: Single Router Model
Primary WAN Services: Leased line/E1/Fiber or IP VPN
Backup: Internet (ADSL) with VPN or UMTS
Internet access is via split-tunneling
Failover: Routing protocol with EOT (Enhanced Object Tracking)
Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs
Enterprise Branch and HQ Profile: Single Router Model
Primary WAN Services: Leased line/E1/Fiber
Backup: Leased line/E1/Fiber
Internet access policy enforced via Head Quarter
Failover: Routing Protocol over the Private WAN
Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs
Enterprise Branch and HQ Profile: Dual Router Model
Primary WAN Services: Leased line/E1/Fiber
Backup: Leased line/E1/Fiber
Internet access policy enforced via Head Quarter
Stateful Firewall (Stateful Failover)
Security Services: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection, ACLs
Real World Use Cases
1. Protect the Inside LAN and DMZ at Branch Office and HQ with NetFlow Event Logging
2. Protect Servers at Branch Office and HQ
3. Virtual Firewall and IPS at the Branch Office
4. Blocking Peer-to-Peer and Instant Messaging Applications at the Branch
5. Load Balancing and Failover with Two Providers
   a. Load Balancing
   b. Failover
1. Protect the Inside LAN at Branch Office with Split Tunneling Deployed
Cisco IOS Firewall and IPS Policies:
  Allow authenticated users to access corporate resources
  Restrict guest users to Internet access only
  Control peer-to-peer and instant messaging applications
Topology: the Branch Office Router (Advanced Firewall) inspects Internet traffic; Employees (192.168.1.x/24) can access the corporate network at Head Quarter via the encrypted IPsec tunnel; Wireless Guests (192.168.2.x/24) can access the Internet only
1. Firewall Configuration Snippet at Branch
Security Zones:
zone security private
zone security public

Security Zone Policy:
zone-pair security zone-policy source private destination public
 service-policy type inspect firewall-policy
!
interface VLAN 1
 description private interface
 zone-member security private
!
interface fastethernet 0
 description public interface
 zone-member security public

Classification:
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp

Security Policy:
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect

The order of the match statements is important.
1. Firewall Configuration Snippet at HQ
Security Zones:
zone security public
zone security dmz

Security Zone Policy:
zone-pair security zone-policy source public destination dmz
 service-policy type inspect fw-policy
!
interface G0/1/0
 description public interface
 zone-member security public
!
interface g0/1/1
 description dmz interface
 zone-member security dmz

Classification:
class-map type inspect match-any fw-class
 match protocol udp
 match protocol tcp

Security Policy:
policy-map type inspect fw-policy
 class type inspect fw-class
  inspect log
 class class-default

NetFlow Event Logging:
parameter-map type inspect firewall-policy
 log dropped-packets
 log flow-export v9 udp destination 1.1.28.199 2055
 log flow-export template timeout-rate 30
1. Cisco IOS Zone-Based Firewall (SDM) for ISRs
1. IPS Configuration Snippet
Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
  IOS-Sxxx-CLI.pkg
  realm-cisco.pub.key.txt

Configure the Cisco IOS IPS crypto key:
mkdir ipstore          (create the directory on flash)
Paste the crypto key from realm-cisco.pub.key.txt

Cisco IOS IPS Configuration:
ip ips config location flash:ipstore retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface FastEthernet0
 ip ips ips-policy in

Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count
Total Compiled Signatures:338 -Total active compiled signatures
1. Cisco IOS IPS Signatures and Categories (SDM) for ISRs
1. Deploying IOS Firewall Split Tunneling (CSM) on ISRs
1. Deploying IOS IPS (CSM) on ISRs
2. Protect Servers at Branch Office
Cisco IOS® Firewall and IPS policies applied to the DMZ protect distributed application servers and Web servers hosted at remote sites
Topology: Branch Office Router (Advanced Firewall) with Employees (192.168.1.x/24), Wireless Guests (192.168.2.x/24) and Servers (192.168.3.14-16/24) hosted separately in a DMZ; IPsec tunnel to Head Quarter over the Internet
2. IPS Configuration Snippet
a. Download the Cisco IOS IPS files to your PC from http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
  IOS-Sxxx-CLI.pkg
  realm-cisco.pub.key.txt

b. Configure the Cisco IOS IPS crypto key:
mkdir ips5          (create the directory on flash)
Paste the crypto key from realm-cisco.pub.key.txt

c. Cisco IOS IPS Configuration:
ip ips config location flash:ips5 retries 1
ip ips notify SDEE
ip ips name ips-policy
ip ips signature-category
 category all
  retired true
 category ios_ips basic

d. Cisco IOS IPS Configuration (Con’t):
  retired false
!
interface FastEthernet1
 description DMZ interface
 ip ips ips-policy out

e. Load the signatures from the TFTP server:
copy tftp://192.168.10.4/IOS-S289-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 192.168.10.4 :!!!

show ip ips signature count
Total Compiled Signatures:338 -Total active compiled signatures
2. Firewall Configuration Snippet
Security Zones:
zone security private
zone security public
zone security dmz

Security Zone Policy:
zone-pair security zone-policy source public destination dmz
 service-policy type inspect firewall-policy
!
interface VLAN 1
 description private interface
 zone-member security private
!
interface fastethernet 0
 description public interface
 zone-member security public
!
interface fastethernet 1
 description dmz interface
 zone-member security dmz

Classification:
class-map type inspect match-all web-dmz
 match protocol http
 match access-group 199
access-list 199 permit tcp any host 192.168.10.3

Security Policy:
policy-map type inspect firewall-policy
 class type inspect web-dmz
  inspect
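A structural check for the kind of zone-based firewall configuration shown in use cases 1 and 2, added here as an example and not part of the deck or of Cisco's tooling: it parses zones, zone-pairs, class-maps, policy-maps and interface membership from a constructed configuration (modelled on the branch and DMZ snippets, not copied from them) and reports references that do not resolve, for instance a zone-pair whose service-policy names a policy-map that was never defined.

```python
"""Consistency checks for a Cisco IOS Zone-Based Firewall (ZBF) configuration.

Added example, not from the Cisco Live deck: it parses the zone / zone-pair /
class-map / policy-map structure used in the use-case snippets and reports
references that do not resolve. SAMPLE_CONFIG is constructed to mirror the
branch and DMZ snippets; its DMZ zone-pair points at an undefined policy-map.
"""

SAMPLE_CONFIG = """\
zone security private
zone security public
zone security dmz
class-map type inspect match-any protocols
 match protocol dns
 match protocol https
policy-map type inspect firewall-policy
 class type inspect protocols
  inspect
 class class-default
  drop log
zone-pair security zone-policy source private destination public
 service-policy type inspect firewall-policy
zone-pair security dmz-policy source public destination dmz
 service-policy type inspect dmz-policy
interface Vlan1
 zone-member security private
interface FastEthernet0
 zone-member security public
interface FastEthernet1
 zone-member security dmz
"""


def parse_zbf(text):
    """Collect zones, class-maps, policy-maps, zone-pairs and interface membership."""
    zones, class_maps, policy_maps, zone_pairs, iface_zone = set(), {}, {}, [], {}
    block = None  # (kind, ref) of the stanza whose indented lines follow
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line.startswith(" "):  # unindented: a new top-level command
            block = None
            if tok[:2] == ["zone", "security"]:
                zones.add(tok[2])
            elif tok[:3] == ["class-map", "type", "inspect"]:
                block = ("class-map", class_maps.setdefault(tok[-1], []))
            elif tok[:3] == ["policy-map", "type", "inspect"]:
                block = ("policy-map", policy_maps.setdefault(tok[3], []))
            elif tok[:2] == ["zone-pair", "security"]:
                zone_pairs.append({"name": tok[2], "src": tok[4], "dst": tok[6], "policy": None})
                block = ("zone-pair", zone_pairs[-1])
            elif tok[0] == "interface":
                block = ("interface", tok[1])
        elif block and block[0] == "class-map" and tok[0] == "match":
            block[1].append((tok[1], tok[2]))  # e.g. ("protocol", "dns")
        elif block and block[0] == "policy-map" and tok[:3] == ["class", "type", "inspect"]:
            block[1].append(tok[3])
        elif block and block[0] == "zone-pair" and tok[:2] == ["service-policy", "type"]:
            block[1]["policy"] = tok[3]
        elif block and block[0] == "interface" and tok[:2] == ["zone-member", "security"]:
            iface_zone[block[1]] = tok[2]
    return zones, class_maps, policy_maps, zone_pairs, iface_zone


def lint_zbf(text):
    """Return findings as strings; an empty list means every reference resolves."""
    zones, class_maps, policy_maps, zone_pairs, iface_zone = parse_zbf(text)
    findings, paired = [], set()
    for zp in zone_pairs:
        for z in (zp["src"], zp["dst"]):
            paired.add(z)
            if z not in zones:
                findings.append(f"zone-pair {zp['name']}: zone '{z}' is not defined")
        if zp["policy"] is None:
            findings.append(f"zone-pair {zp['name']}: no service-policy attached")
        elif zp["policy"] not in policy_maps:
            findings.append(f"zone-pair {zp['name']}: policy-map '{zp['policy']}' is not defined")
    for pm, classes in policy_maps.items():
        for cm in classes:
            if cm not in class_maps:
                findings.append(f"policy-map {pm}: class-map '{cm}' is not defined")
    for z in sorted(zones):
        if z not in iface_zone.values():
            findings.append(f"zone {z}: no interface is a member")
        elif z not in paired:  # ZBF drops traffic between zones that have no zone-pair
            findings.append(f"zone {z}: has members but appears in no zone-pair")
    return findings
```

Running lint_zbf over a saved `show running-config` section before pushing it with SDM or CSM catches the dangling references that IOS itself accepts silently.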
3. Virtual Firewall and IPS
Cisco IOS Firewall, NAT, and URL-filtering policies are Virtual Routing and Forwarding (VRF) aware, providing support for overlapping address space, which simplifies troubleshooting and operations
Topology: a single Store Router (Advanced Firewall) carries three VRFs (VRF A, VRF B, VRF C) for the Photo Shop (192.168.1.x/24), the Retail Store Cash Register (192.168.2.x/24) and Internet Services (192.168.2.x/24); it supports the overlapping address space and builds separate IPsec tunnels for Photo Shop traffic (to Photo Shop Head Quarter) and Retail Store traffic (to Retail Store Head Quarter)
3. Firewall Configuration Snippet
Classification:
! match-any: a flow matches if it is any one of the listed protocols
class-map type inspect match-any retail-hq
 match protocol ftp
 match protocol http
 match protocol smtp extended
class-map type inspect hq-retail
 match protocol smtp extended
class-map type inspect match-any photo-hq
 match protocol http
 match protocol rtsp
class-map type inspect hq-photo
 match protocol h323

Security Policy:
policy-map type inspect retail-hq
 class type inspect retail-hq
  inspect
 class class-default
  drop log
policy-map type inspect hq-retail
 class type inspect hq-retail
  inspect
 class class-default
  drop log
policy-map type inspect photo-hq
 class type inspect photo-hq
  inspect
 class class-default
  drop log
policy-map type inspect hq-photo
 class type inspect hq-photo
  inspect
 class class-default
  drop log
3. Deployed Firewall Configuration Snippet (SDM)
4. Blocking Peer-to-Peer and Instant Messaging Applications
Cisco IOS Firewall can block/rate-limit instant messaging (IM) applications like MSN, AOL and Yahoo.
Topology: Branch Office Router (Advanced Firewall) with Employees (192.168.1.x/24), Wireless Guests (192.168.2.x/24) and Servers (192.168.3.14-16/24); IPsec tunnel to Head Quarter over the Internet; the router blocks the instant messengers, e.g. MSN
4. Firewall Configuration Snippet: Virtualization (Virtual Routing and Forwarding)
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding retail
 zone-member security retail-LAN
!
interface Tunnel0
 ip vrf forwarding retail
 zone-member security retail-VPN
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding photo
 zone-member security photo-LAN
!
! a separate tunnel interface carries the photo VRF; one interface cannot belong to both VRFs
interface Tunnel1
 ip vrf forwarding photo
 zone-member security photo-VPN

Security Zones:
zone security retail-LAN
zone security retail-VPN
zone security photo-LAN
zone security photo-VPN

Security Zone Policy:
zone-pair security retail-VPN source retail-LAN destination retail-VPN
zone-pair security VPN-retail source retail-VPN destination retail-LAN
zone-pair security photo-VPN source photo-LAN destination photo-VPN
zone-pair security VPN-photo source photo-VPN destination photo-LAN
4. Deployed Firewall Configuration Snippet
Servers List:
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

Classification:
class-map type inspect match-any IM
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-all IMs
 match class-map IM

IM-Blocking Policy:
policy-map type inspect IM-blocking
 class type inspect IMs
  drop log

Security Zones:
zone security public
zone security private

Zone Policy:
zone-pair security IM-Zone-policy source private destination public
 service-policy type inspect IM-blocking
!
interface VLAN 1
 description private interface
 zone-member security private
!
interface fastethernet 0
 description public interface
 zone-member security public
4. Blocking Instant Messaging MSN/AOL (SDM)
5a. Load Balancing with Two Providers
Cisco IOS Firewall supports WAN load balancing
Topology: Branch Office Router (Advanced Firewall, Zone Based Firewall) connected to ISP-1 and ISP-2 with Multi-Home NAT and destination-based load balancing; IPsec tunnel to Head Quarter over the Internet; Employees (192.168.1.x/24), Wireless Guests (192.168.2.x/24) and Servers (192.168.3.14-16/24)
5a. Configuration Snippet
Classification:
class-map type inspect match-any internet
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol icmp
!
policy-map type inspect private
 class type inspect internet
  inspect
 class class-default

WAN Load Balancing Configs:
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map dsl0 interface Dialer0 overload
ip nat inside source route-map dsl1 interface Dialer1 overload
!
route-map dsl1 permit 10
 match ip address 121
 match interface Dialer1
route-map dsl0 permit 10
 match ip address 120
 match interface Dialer0
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
access-list 121 permit ip 192.168.10.0 0.0.0.255 any

Policy Based Routing:
route-map IPSEC permit 10
 match ip address 128
 match interface Dialer1
access-list 128 permit esp 192.168.10.0 0.0.0.255 any
5a. Configuration Snippet
Security Zones Configs:
zone security trust
zone security untrust
zone-pair security firewall source trust destination untrust
 service-policy type inspect private
!
Interface Configs:
interface Dialer0
 zone-member security untrust
 ip nat outside
!
interface Dialer1
 zone-member security untrust
 ip nat outside
!
interface BVI1
 zone-member security trust
 ip nat inside
5b. Failover with Two Providers
WAN Object Tracking
Topology: Branch Office Router (Advanced Firewall, Zone Based Firewall) connected to ISP-1 and ISP-2, with WAN failover driven by object tracking; IPsec tunnel to Head Quarter over the Internet; Employees (192.168.1.x/24), Wireless Guests (192.168.2.x/24) and Servers (192.168.3.14-16/24)
5b. Configuration Snippet—Private Zone Policy
Interface Configurations:
interface FastEthernet0
 description WAN-1 Interface
 ip address dhcp
 ip nat outside
 ip dhcp client route track 123
!
interface Dialer0
 description WAN-Backup interface
 ip address negotiated
 ip nat outside

NAT Configuration:
ip nat inside source route-map fixed-nat interface Dialer0 overload
ip nat inside source route-map dhcp-nat interface FastEthernet0 overload
!
route-map fixed-nat permit 10
 match ip address 110
 match interface Dialer0
!
route-map dhcp-nat permit 10
 match ip address 110
 match interface FastEthernet0

Tracking Configuration (Object Tracking):
track timer interface 5
!
track 123 rtr 1 reachability
 delay down 15 up 10
!
ip sla 1
 icmp-echo 172.16.1.1 source-interface Dialer0
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 1 life forever start-time now
5b. Configuration Snippet—Private Zone Policy (Con’t)
Security Zones Configs:
zone security trust
zone security untrust
zone-pair security firewall source trust destination untrust
 service-policy type inspect private
!
interface FastEthernet0
 description WAN-1 Interface
 zone-member security untrust
!
interface Dialer0
 description Backup-Interface
 zone-member security untrust
!
interface Vlan1
 zone-member security trust

NAT Configuration (Con’t):
access-list 110 permit ip 192.168.108.0 0.0.0.255 any

Routing Configuration:
ip route 0.0.0.0 0.0.0.0 Dialer0 track 123
ip route 0.0.0.0 0.0.0.0 dhcp 10

Classification:
class-map type inspect match-any internet
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol icmp
!
policy-map type inspect private
 class type inspect internet
  inspect
 class class-default
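The failover in use case 5b hinges on the tracked object's delay timers: with probes every 3 s and "delay down 15 up 10", a single lost probe must not flip the default route, while a sustained outage must. The model below is an added example, not Cisco's implementation; it assumes the track follows IP SLA reachability directly and that a pending state change is cancelled if reachability reverts before the delay expires, and it replays a constructed probe history to show when the track would change state.

```python
"""Model of 'track 123 rtr 1 reachability' with 'delay down 15 up 10'.

Added example, not from the Cisco Live deck. Assumptions: one ICMP probe
every 3 s ('frequency 3'), the track state follows SLA reachability, and a
delayed state change is cancelled when reachability reverts before the
delay expires. Times are seconds since the first probe.
"""


def simulate_track(probe_ok, period=3, delay_down=15, delay_up=10):
    """Return [(time_s, new_state), ...] for every track state change."""
    state = "up"        # assumed initial track state
    pending = None      # (target_state, time at which the change fires)
    transitions = []
    for i, ok in enumerate(probe_ok):
        now = i * period
        observed = "up" if ok else "down"
        if observed == state:
            pending = None   # reachability reverted: cancel the delayed change
        elif pending is None:
            delay = delay_down if observed == "down" else delay_up
            pending = (observed, now + delay)
        if pending and now >= pending[1]:
            state = pending[0]
            transitions.append((now, state))
            pending = None
    return transitions


# Constructed probe history: one lost probe at t=6 s (a blip that must be
# ignored), a sustained outage from t=12 s, then recovery from t=30 s.
PROBES = [True, True, False, True] + [False] * 6 + [True] * 5


if __name__ == "__main__":
    for t, s in simulate_track(PROBES):
        print(f"t={t:>3}s  track 123 -> {s}")
```

The static default route via Dialer0 carries "track 123", so it is withdrawn at the "down" transition and reinstalled at the "up" transition; the DHCP-learned route with administrative distance 10 covers the gap.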
Case Study
Education—Centralized Deployment
Topology: three Schools, each connected by a T1 link over the Private WAN to a central site that provides the Internet connection; URL Filtering for each School
Apply Intrusion Prevention System (IPS) on traffic from Schools to kill worms from infected PCs
Education—Decentralized Deployment
Topology: three Schools, each connected by a T1 link over the Private WAN to the District School Building, with DSL links as Backup and Internet access at the Schools; URL Filtering at the District School Building
Apply IPS on traffic from Schools to kill worms from infected PCs
Secure Internet: Advanced Layer 3-7 firewall, Web usage control
Threat addressed: Illegal surfing
Summary
There is an established and increasing trend toward integrated services in the routing industry
The Integrated Services Edge has become a more common deployment than the distributed architecture
Cisco IOS network security technologies enable new business applications by reducing risk, as well as helping to protect sensitive data and corporate resources from intrusion
Consolidation of branch office equipment to lower OPEX is giving rise to integrated security, as is evident from the real world use cases
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
Appendix
Cisco Security Router Certifications
(Columns: FIPS 140-2, Level 2; Common Criteria IPsec (EAL4); Common Criteria Firewall (EAL4))
Cisco® 870 ISR Q3CY07
Cisco 1800 ISR Q3CY07
Cisco 2800 ISR Q3CY07
Cisco 3800 ISR Q3CY07
Cisco 7200 VAM2+ Q3CY07
Cisco 7200 VSA Q4CY07 Q3CY07 ---
Cisco 7301 VAM2+ Q3CY07
Cisco 7600 IPsec VPN SPA Q3CY07 ---
Cisco ASR1000 Series CY08 CY08 CY08
Catalyst 6500 IPsec VPN SPA Q3CY07 ---
Cisco 7600 Q3CY07
Cisco.com/go/securitycert
Cisco IOS Network Foundation Protection

Data Plane Feature: Function and Benefit
NetFlow: Macro-level, anomaly-based DDoS detection through counting the number of flows (instead of contents); provides rapid confirmation and isolation of attack
Access Control Lists (ACLs): Protect edge routers from malicious traffic; explicitly permit the legitimate traffic that can be sent to the edge router's destination address
Flexible Packet Matching (FPM): Next generation “Super ACL” – pattern matching capability for more granular and customized packet filters, minimizing inadvertent blocking of legitimate business traffic
Unicast Reverse Path Forwarding (uRPF): Mitigates problems caused by the introduction of malformed or spoofed IP source addresses into either the service provider or customer network
Remotely Triggered Black Holing (RTBH): Drops packets based on source IP address; filtering is at line rate on most capable platforms. Hundreds of lines of filters can be deployed to multiple routers even while the attack is in progress
QoS Tools: Protects against flooding attacks by defining QoS policies to limit bandwidth or drop offending traffic (identify, classify and rate limit)

Control Plane Feature: Function and Benefit
Receive ACLs: Control the type of traffic that can be forwarded to the processor
Control Plane Policing: Provides QoS control for packets destined to the control plane of the router; ensures adequate bandwidth for high-priority traffic such as routing protocols
Routing Protection: MD5 neighbor authentication protects the routing domain from spoofing attacks; redistribution protection safeguards the network from excessive conditions; overload protection (e.g. prefix limits) enhances routing stability

Management Plane Feature: Function and Benefit
CPU and Memory Thresholding: Protects the CPU and memory of a Cisco® IOS® Software device against DoS attacks
Dual Export Syslog: Syslog exported to dual collectors for increased availability