© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
End-point Protection for Servers & Desktops
Ricky Elias
Security Architect
Advanced Technology (Security)
Cisco Security Agent: Comprehensive, “Always Vigilant” Endpoint Security
• Single integrated client, simplified management
• Protection against persistent and evolving threats
  - Prevent loss of sensitive information
  - Enforce appropriate use policies
  - Enhance security through network collaboration
  - Address corporate and regulatory compliance mandates
Business benefits of CSA:
• Empower IT to address business risks
• Enforce policies and protect business-critical assets
• Decrease IT administrative burden
• Reduce expenses
Intercepting Actions on the Endpoint
• Application calls to the operating system are intercepted in real time
• Dynamic decisions are made to allow or deny actions
• “Zero Update” architecture: no new signature is needed to stop the next attack
Architecture (from the slide diagram): the Application’s calls pass through four interceptors (File Interceptor, Network Interceptor, Configuration Interceptor, Execution Space Interceptor), which feed the Rules Engine and Correlation Engine; those consult State and the Rules and Policies to produce a Real-Time Decision of Allow or Deny.
Cisco Security Agent: Always Vigilant Comprehensive Endpoint Security
“Zero Update” protection stops malicious mobile code, worms, rootkits, day-zero and targeted attacks
Complete Endpoint Security
Defends endpoints against sophisticated day-zero attacks
Enhances the Cisco Self-Defending Network
Capabilities:
• Antivirus
• Antispyware
• Firewall
• Intrusion Prevention
• Threat Visibility
• Device Control
• Application Control
• Anti-Botnet
Zero-Day Attack Prevention
• CSA has a proven track record of stopping brand-new exploits, botnets, targeted attacks, worms, and viruses over the past 7 years:
  - 2001: Code Red, Nimda (all 5 exploits), Pentagone (Goner)
  - 2002: Sircam, Debploit, SQL Snake, Bugbear
  - 2003: SQL Slammer, Sobig, Blaster/Welchia, Fizzer
  - 2004: MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
  - 2005: Internet Explorer Command Execution Vulnerability, Zotob
  - 2006: USB Hacksaw, IE VML exploit, WMF, IE Textrange, RDS Dataspace
  - 2007: Rinbot, Storm Trojan, Big Yellow, Word (MS07-014), MS ANI 0-day, MS DNS 0-day
• No signatures, reconfiguration or binary updates required
Integrated Agent with ClamAV™ Open Source Antivirus
• ClamAV virus scanning engine packaged with CSA as a single installable agent
• Protects Windows desktops & servers at no additional cost
  - Accurately identifies malware
  - Prevents malware execution
  - Quarantines or deletes malware
• CSA Management Center manages agent policies and signature updates
• Provides a true single-agent, single-console endpoint security solution
All other trademarks mentioned in this document are the property of their respective owners.
Integrated Agent with Clam Antivirus
• ClamAV is widely deployed on UNIX/Linux e-mail servers
  - Scrubs e-mail traffic for malware
  - Protects millions of Windows desktops
  - Database contains over 200,000 unique signatures
• Shadowserver Foundation independent research: ClamAV™ has a high degree of malware detection accuracy (source: Shadowserver.org wild testing)
Cisco Security Agent: Always Vigilant Comprehensive Endpoint Security
Corporate Acceptable Use; Regulatory Compliance (PCI)
Acceptable Usage Policies
• Some types of user behavior are not malicious but carry a risk of exploitation:
  - Music sharing via peer-to-peer (P2P) applications
  - Instant messaging using non-corporate IM servers
  - Access to sensitive data
  - Removable media usage: USB memory, multimedia devices
  - Use of unauthorized applications, or unauthorized versions of applications
• Prebuilt Acceptable Usage Policies offer an easy way to influence “good” user behavior
Policy Control: Application Trust Levels
• CSA monitors & controls all applications and processes
• Trust Levels offer flexible, easy-to-manage control:
  - White List: trusted business applications (permissive controls)
  - Grey List: permitted applications (more restrictive controls)
  - Black List: undesired applications (block use)
• Provides robust security without sacrificing ease of management & deployment
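The following is an added illustration, not CSA code and not from the deck, of how the two ideas above fit together: the interceptor / rules-engine / correlation-engine architecture from the “Intercepting Actions on the Endpoint” slide, and the white-, grey- and black-list trust levels from this slide. Every intercepted action is judged against behavioural rules (none of which names a specific piece of malware) and against per-process state kept by the engine, so the same action can be allowed for one process and denied for another. The action record fields, the rule set, the trust assignments, the directory and registry-key patterns and the sample event stream are all constructed assumptions for the example.

```python
"""Toy behavioural policy engine modelled on an interceptor / rules-engine /
correlation-engine design with white, grey and black trust levels.
Added illustration only; not CSA code. All names and rules are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    WHITE = "trusted business app (permissive controls)"
    GREY = "permitted app (more restrictive controls)"
    BLACK = "undesired app (block use)"


# Constructed trust assignments; anything not listed is treated as grey.
TRUST = {
    "outlook.exe": Trust.WHITE,
    "iexplore.exe": Trust.GREY,
    "kazaa.exe": Trust.BLACK,
}

SYSTEM_DIRS = ("c:\\windows\\",)   # a write here is suspicious for a grey app (assumed)
AUTORUN_KEY = "\\microsoft\\windows\\currentversion\\run"   # persistence location (assumed)
SHELLS = {"cmd.exe", "wscript.exe", "powershell.exe"}        # interpreters (assumed)


@dataclass(frozen=True)
class Action:
    pid: int
    image: str         # process image name
    interceptor: str   # "file" | "network" | "config" | "exec"
    op: str            # e.g. recv, write, set_value, spawn
    target: str        # file path, peer address, registry key or child image


class Engine:
    """Evaluates one intercepted action at a time and keeps per-process state,
    so later actions are judged in the light of earlier ones (correlation)."""

    def __init__(self):
        self.net_tainted = set()   # pids that have consumed untrusted network input
        self.log = []

    def decide(self, a: Action) -> str:
        trust = TRUST.get(a.image.lower(), Trust.GREY)
        # correlation state: remember which processes read from the network
        if a.interceptor == "network" and a.op == "recv":
            self.net_tainted.add(a.pid)
        verdict = self._rules(a, trust)
        self.log.append((a.image, a.interceptor, a.op, a.target, verdict))
        return verdict

    def _rules(self, a: Action, trust: Trust) -> str:
        if trust is Trust.BLACK:
            return "deny"                       # black list: block all use
        if trust is Trust.WHITE:
            return "allow"                      # white list: permissive
        tainted = a.pid in self.net_tainted
        t = a.target.lower()
        # Grey-list behavioural rules; no signature of any particular malware.
        if a.interceptor == "file" and a.op == "write" and t.startswith(SYSTEM_DIRS):
            return "deny"                       # writing into the OS directory
        if a.interceptor == "config" and a.op == "set_value" and AUTORUN_KEY in t and tainted:
            return "deny"                       # network-fed process installing persistence
        if a.interceptor == "exec" and a.op == "spawn" and tainted and t.split("\\")[-1] in SHELLS:
            return "deny"                       # network-fed process launching a shell
        return "allow"


def run(events):
    """Feed an event stream through a fresh engine; returns the verdicts in order."""
    eng = Engine()
    return [eng.decide(e) for e in events]


# Constructed sample: a grey browser receives web content, then starts behaving
# like a drive-by download; a white mail client and a black P2P client for contrast.
SAMPLE = [
    Action(100, "iexplore.exe", "network", "recv", "203.0.113.5:80"),
    Action(100, "iexplore.exe", "file", "write", "C:\\Users\\bob\\Downloads\\page.html"),
    Action(100, "iexplore.exe", "file", "write", "C:\\Windows\\System32\\svchost32.dll"),
    Action(100, "iexplore.exe", "config", "set_value",
           "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"),
    Action(100, "iexplore.exe", "exec", "spawn", "C:\\Windows\\System32\\cmd.exe"),
    Action(200, "outlook.exe", "file", "write", "C:\\Windows\\Temp\\attach.tmp"),
    Action(300, "kazaa.exe", "exec", "spawn", "C:\\Program Files\\Kazaa\\kazaa.exe"),
]

if __name__ == "__main__":
    for ev, v in zip(SAMPLE, run(SAMPLE)):
        print(f"{v:5}  {ev.image:12} {ev.interceptor:8} {ev.op:9} {ev.target}")
```

The point to notice is the state: the same `spawn cmd.exe` from a grey browser is allowed when the process has not read from the network and denied once it has, which is what makes the design independent of signatures for the specific payload.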
Regulatory Compliance: Benefits for PCI Compliance
• Provides a compliance solution for 9 out of 12 PCI requirements
• Predefined PCI Policies offer ease of management & audit: 26 Rule Modules, 150 rules
• Validated by Cybertrust (official PCI auditor)
• Runs on servers, point-of-sale terminals, desktops and laptops
• CSA can be customized for other compliance mandates
http://www.cisco.com/go/retail
PCI Compliance & CSA Benefits
PCI Data Security Standard requirements, with the percentage of assessment failures* where the slide gives one:

Build and Maintain a Secure Network
  1. Install & maintain a firewall configuration to protect data ........................... 66%
  2. Do not use vendor-supplied defaults for system passwords and other security parameters  62%
Protect Cardholder Data
  3. Protect stored data ................................................................... 79%
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications ................................. 56%
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data ............... 71%
  11. Regularly test security systems and processes ....................................... 74%
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security ............................... 60%
*Source: VeriSign
Predefined CSA PCI Policies
Cisco Security Agent: Always Vigilant Comprehensive Endpoint Security
Identify and Control Sensitive Information
Data Loss Prevention Management Process: Visibility and Control for Sensitive Information
Process cycle: Discover, Educate, Enforce, Monitor
• Classification
  - Credit card numbers, Social Security numbers
  - Intellectual property definitions
• Reporting
  - Track the location and usage of sensitive data
• Enhanced user education
  - Query user and audit
• Updated enforcement controls
  - Block printing
  - Flexible clipboard control
  - NAC quarantine
Identify Sensitive Data: Content or Context
• File content: certain data patterns are recognized
• File context: data written by certain applications is known to be sensitive
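As an added example (not CSA code and not from the deck), here is what the two identification methods above look like in practice: a content scanner for the two pattern types the previous slide names (credit card numbers and Social Security numbers), with a Luhn check so that ordinary 16-digit order numbers are not flagged, plus a context rule that treats anything written by a named application as sensitive regardless of what the bytes look like. The regular expressions, the Luhn filter, the list of sensitive-writer application names and the sample text are constructed assumptions for the example.

```python
"""Content- and context-based sensitive data identification.
Added illustration only; not CSA code. Patterns, the application list
and the sample text are constructed assumptions."""
import re

# Content patterns. A PAN is 13-19 digits, optionally separated by single
# spaces or hyphens; the Luhn check afterwards removes most random digit runs.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in dashed form; area 000, 666 and 9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Context: applications whose written files are sensitive regardless of content
# (hypothetical names chosen for the example).
SENSITIVE_WRITERS = {"posapp.exe", "payroll.exe"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_by_content(text: str) -> dict:
    """Return card numbers (normalised to digits) and SSNs found in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return {"pan": pans, "ssn": SSN_RE.findall(text)}


def classify(path: str, text: str, written_by: str) -> tuple:
    """Combine both signals for one file. Returns (is_sensitive, reasons)."""
    reasons = []
    found = find_by_content(text)
    if found["pan"]:
        reasons.append(f"content: {len(found['pan'])} card number(s)")
    if found["ssn"]:
        reasons.append(f"content: {len(found['ssn'])} SSN(s)")
    if written_by.lower() in SENSITIVE_WRITERS:
        reasons.append(f"context: written by {written_by}")
    return (bool(reasons), reasons)


# Constructed sample text: a 16-digit order number that fails Luhn, one valid
# test card number, one dashed SSN, and a phone number that must not match.
SAMPLE = ("Order 1234 5678 9012 3456 paid with 4111-1111-1111-1111; "
          "customer SSN 078-05-1120, phone 555-867-5309")

if __name__ == "__main__":
    print(find_by_content(SAMPLE))
    print(classify("C:\\temp\\export.csv", SAMPLE, "excel.exe"))
    print(classify("C:\\temp\\batch.dat", "no obvious patterns here", "posapp.exe"))
```

The context rule is what catches the second case in the usage above: the file content has no recognisable pattern, but it was written by the point-of-sale application, so a content-only scanner would have missed it.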
Removable Media Controls
• Controls for USB drives, CD, iPod
• Monitor usage
• Confidential file controls
• Authorized user controls
• Location-based controls
• Consolidated event reporting
• End-user business justification for audits
Cisco Security Agent: Always Vigilant Comprehensive Endpoint Security
NAC; NIPS; Wireless; Traffic Marking; Event Correlation; Data Loss Prevention
Leveraging the Value of the Existing Network: Increases Network Device Security Effectiveness
Enhance network value:
• Per-application QoS: optimize network performance
• Wireless policy controls: increase security & network bandwidth utilization efficiency
• NAC policy verification: ensure host security and health; NAC policy for DLP hosts
• Inform NIPS of hostile hosts: stop attacks in the network before they reach other hosts
Inform NIPS of Hostile Hosts
1. Hacker scans internal servers for vulnerabilities
2. Global Correlation is invoked and the CSA MC updates all the CSA agents with threat information
3. All connection attempts by the hacker to CSA-protected devices are dynamically blocked
4. CSA, collaborating with Cisco IPS, is able to dynamically elevate the Risk Rating threshold for attacks coming from the hacker
Diagram components: CSA MC, servers, desktops
Per-Application QoS
Example: CSA and QoS
Desktop application DSCP marking, as set by the application or OS versus as marked by CSA (read from the slide’s two marking columns):

  Application             DSCP marking by application or OS   DSCP marking by CSA
  Internet Explorer       Default                             AF11
  BitTorrent              AF11                                Default
  Cisco IP Communicator   EF                                  EF
  FTP Client              Default                             AF11

Network queuing policy: AF11: 50% (Class-Based Weighted Fair Queuing, CB-WFQ); EF: 15% (Low-Latency Queuing, LLQ); Default: 10% (CB-WFQ)
• “Bad” software can mark packets to:
  - Get better service from the network
  - Perform an attack (e.g. flooding with EF-marked packets can cause DoS for IP telephony)
• Use CSA to remark packets according to the QoS design
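An added example (not CSA code and not from the deck) of the remarking the slide describes. The DSCP code points are the standard ones (AF11 = 10, EF = 46, Default = 0) and sit in the top six bits of the IPv4 TOS byte, with the low two bits carrying ECN; remarking must rewrite the former and leave the latter alone. The per-application policy table, the executable names, the sample packets and their initial markings are constructed assumptions that mirror the slide’s table, with one extra unknown tool flooding EF-marked packets to show the DoS case.

```python
"""DSCP remarking by application for the per-application QoS slide.
Added illustration only; not CSA code. Application names, policy table
and sample packets are constructed assumptions."""

# Six-bit DSCP values (RFC 2474 field); NAME is the reverse lookup for reporting.
DSCP = {"Default": 0, "AF11": 10, "EF": 46}
NAME = {v: k for k, v in DSCP.items()}

# Marking the QoS design expects per application (constructed to match the slide;
# the executable names are assumed, not taken from the deck).
APP_POLICY = {
    "iexplore.exe": "AF11",
    "ftp.exe": "AF11",
    "communicatork9.exe": "EF",
    "bittorrent.exe": "Default",
}


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Pack a DSCP value and ECN bits into the IPv4 TOS / IPv6 Traffic Class byte."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def dscp_of(tos: int) -> int:
    return tos >> 2


def remark(app: str, tos: int) -> int:
    """Return the TOS byte the agent should write for a packet sent by `app`.
    Unknown applications get Default, so nothing can buy better service by
    marking itself; the ECN bits of the original packet are preserved."""
    wanted = DSCP[APP_POLICY.get(app.lower(), "Default")]
    return tos_byte(wanted, tos & 0x3)


def audit(packets):
    """packets: iterable of (app, tos_as_sent).
    Returns rows of (app, marking as sent, marking after remark, changed?)."""
    rows = []
    for app, tos in packets:
        new = remark(app, tos)
        sent = NAME.get(dscp_of(tos), f"DSCP{dscp_of(tos)}")
        rows.append((app, sent, NAME[dscp_of(new)], new != tos))
    return rows


# Constructed sample: IE and FTP send unmarked traffic, the softphone marks EF
# legitimately, BitTorrent marks itself AF11 to get into the 50% class, and an
# unknown tool floods EF-marked packets (the IP telephony DoS the slide warns about).
SAMPLE = [
    ("iexplore.exe", tos_byte(DSCP["Default"])),
    ("bittorrent.exe", tos_byte(DSCP["AF11"])),
    ("communicatork9.exe", tos_byte(DSCP["EF"])),
    ("ftp.exe", tos_byte(DSCP["Default"])),
    ("flood.exe", tos_byte(DSCP["EF"], ecn=1)),
]

if __name__ == "__main__":
    for app, sent, after, changed in audit(SAMPLE):
        print("%-20s sent %-8s -> %-8s %s" % (app, sent, after, "remarked" if changed else ""))
```

Only the softphone keeps its marking; every other packet is rewritten to what the QoS design says that application deserves, which is what keeps the 15% LLQ class free for voice when something floods EF.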
Wireless Policy Control
• Disable communication over the wireless NIC when the wired NIC is active
• Prevent wireless-to-wireless (ad-hoc) connections & non-corporate SSID association
• Require a VPN connection when out of the office, ensuring corporate network protections are not bypassed
• Per-application QoS prioritization to optimize network bandwidth
Cisco Security Agent: Always Vigilant Comprehensive Endpoint Security
Deployment scenarios: Corporate Acceptable Use; Regulatory Compliance (PCI); POS Protection; Laptop and Desktop Protection; Server Protection
Up Next: WLAN Update