© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Security Architecture
Haider Pasha, CISSP, SSEM, Emerging Central Architectural, [email protected]
Traditional Corporate Border
Diagram: the corporate border encloses the Corporate Office, Branch Office, Applications and Data, and Policy; Attackers, Customers and Partners sit outside it.
Mobility and Collaboration Is Dissolving the Internet Border
Diagram: the same corporate border, but users now also connect from the Home Office, Coffee Shop and Airport and as Mobile Users, alongside the Attackers, Customers and Partners already outside the border.
Cloud Computing Is Dissolving the Data Center Border
Diagram: in addition to the remote users above, Applications and Data now also live outside the border in Platform as a Service, Infrastructure as a Service, Software as a Service and "X as a Service" offerings.
Customers Want Business Without Borders
Diagram: the combined picture, with remote users (Home Office, Coffee Shop, Airport, Mobile User), external parties (Attackers, Customers, Partners) and cloud services (PaaS, IaaS, SaaS, XaaS) all outside the traditional corporate border.
Cisco's Network Security Architecture
Diagram: the borderless picture above, overlaid with four numbered elements:
1. Borderless End Zones
2. Borderless Internet
3. Borderless Data Center
4. Policy (Access Control, Acceptable Use, Malware, Data Security)
Cisco Security Architecture For Enterprise (SAFE)
Security Reference Architecture: free technical design and implementation guide
• Collaboration between security and network devices
• Uses network intelligence
• Fully tested and validated
• Speeds implementation
• Modular design
• Unifies security policy
SAFE Strategy
Diagram: the places in the network (Data Center, LAN/Campus, WAN Edge, Branch, Internet Edge, E-commerce, Cisco Teleworker, Virtual User, Partner Sites) rest on a Network Foundation Protection layer of network devices (routers, servers, switches) and security devices (VPNs, monitoring, admission control, intrusion prevention, firewall, email filtering), with Secured Mobility, Unified Communications and Network Virtualization on top. Policy and Device Management spans all of them.
Security Solutions: PCI, DLP, Threat Control
Visibility: Identify, Monitor, Correlate
Control: Harden, Isolate, Enforce
SAFE Security Architecture Modules
Diagram: the Core in the centre, connected to the Data Center, Management, LAN/Campus, WAN Edge (toward the WAN, Branch and Teleworker), Partner (Extranet), Internet Edge (toward the Internet) and E-Commerce modules; SensorBase feeds the Internet Edge.
Securing the LAN
Campus/LAN
Diagram: Access, Distribution and Core layers.
Catalyst Integrated Security Features
Threat Detection and Mitigation
Network Foundation Protection
Edge Protection
Network Access Control
Enhanced Availability and Resiliency
Secure Unified Communications
Secure Unified Wireless Network
Endpoint Security
SAFE Threat Response
Threats: Service Disruption, Unauthorized Access, Data Leakage, Data Disclosure and Modification, Network Abuse, Identity Theft and Fraud
Increasing Visibility for the LAN
– Identify: LAN/port Authentication, User Authentication, Firewall Deep Packet Inspection, Traffic Classification
– Monitor: Intrusion Detection, Network Management, Event Monitoring, Network Telemetry, Syslog
– Correlate: Event Analysis and Correlation
Increasing Control for the LAN
– Harden: Network Foundation Protection, OS Hardening, CISF, Endpoint Security, Link and System Redundancy
– Isolate: VLANs, Network Access Control, IPS, Firewall Access Control
– Enforce: Stateful Firewall Access Control, ACLs, uRPF, Antispoofing, DHCP Snooping, Port Security, Intrusion Prevention, QoS Enforcement, Network Access Control
Protecting the Network Devices: Secure Device Access
Diagram: servers, users and a management segment; management traffic reaches the devices either in-band in the clear, in-band secured, or over a dedicated out-of-band (OOB) management network.
In-band, in the clear (not recommended)
– Telnet, HTTP, FTP, TFTP, SNMPv2c
In-band, secure (recommended)
– SSH, SSL, IPsec, SNMPv3, SFTP
Out-of-band management (most secure)
– Dedicated interfaces and network
– Logically separate (VLAN, VRF)
– Strongest security
Protecting the Network Devices: Device Resiliency and Survivability
Disable Unnecessary Services
– Identify open ports
– Disable unneeded open ports
– Disable CDP on interfaces where it may pose a risk (e.g. data-only user ports in the campus)
– Ensure directed broadcasts are disabled on all interfaces
– Disable MOP, IP redirects, and proxy ARP on access lines
Implement Redundancy
– Backup and redundant interfaces
– Redundant processors and modules
– Active-standby, active-active failover
– Topological redundancy
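Added example (Python, not from the Cisco deck): a small audit that parses the text of 'show running-config' and reports which items on the two slides above are not met: clear-text HTTP management, SNMPv1/v2c communities, Telnet permitted on the vty lines, directed broadcasts, and CDP, IP redirects, proxy ARP and MOP still active on user-facing interfaces. The sample configuration, the hostname and interface names, and the set of interfaces treated as "access lines" are constructed for illustration.

```python
"""Audit a Cisco IOS running-config against the device-access and
"disable unnecessary services" checklist. Added example, not Cisco
material; the config text below is constructed for illustration."""
import re

# Constructed sample: a branch router with one unhardened and one hardened
# user-facing interface. Real input is the text of 'show running-config'.
SAMPLE_CONFIG = """\
hostname branch-rtr-1
!
ip http server
cdp run
snmp-server community public RO
snmp-server group netops v3 priv
!
interface FastEthernet0/0
 description user LAN (unhardened)
 ip address 10.1.10.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 description user LAN (hardened)
 ip address 10.1.11.1 255.255.255.0
 no cdp enable
 no ip redirects
 no ip proxy-arp
 no mop enabled
!
interface Serial0/0/0
 description WAN uplink
 ip address 192.0.2.2 255.255.255.252
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

# Interfaces the operator designates as user-facing "access lines" (an
# assumption supplied by the operator, not derived from the config). The
# CDP, redirects, proxy ARP and MOP checks apply to these only.
ACCESS_INTERFACES = {"FastEthernet0/0", "FastEthernet0/1"}


def parse_blocks(config_text):
    """Split an IOS config into top-level lines and a dict mapping each
    'interface ...' or 'line ...' header to its indented child commands."""
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        if raw.startswith(" "):                 # indented: belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, blocks


def audit_config(config_text, access_interfaces):
    """Return a list of findings, one string per checklist violation."""
    global_lines, blocks = parse_blocks(config_text)
    findings = []
    # Management protocols: clear-text HTTP and SNMPv1/v2c are on the
    # "not recommended" side of the slide; SNMPv3 with priv is the target.
    if "ip http server" in global_lines:
        findings.append("global: 'ip http server' enables clear-text HTTP management; "
                        "use 'ip http secure-server' or 'no ip http server'")
    for line in global_lines:
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            findings.append(f"global: SNMPv1/v2c community '{m.group(1)}' configured; "
                            "move polling to SNMPv3 ('snmp-server group ... v3 priv')")
    cdp_running = "no cdp run" not in global_lines      # CDP is on unless disabled globally
    for header, body in blocks.items():
        if header.startswith("line vty"):
            transports = [cmd for cmd in body if cmd.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: no 'transport input'; the default varies by IOS "
                                "release, set 'transport input ssh' explicitly")
            for cmd in transports:
                if {"telnet", "all"} & set(cmd.split()):
                    findings.append(f"{header}: '{cmd}' permits Telnet; set 'transport input ssh'")
        elif header.startswith("interface "):
            ifname = header.split(" ", 1)[1]
            if ifname not in access_interfaces:
                continue
            if "ip directed-broadcast" in body:
                findings.append(f"{ifname}: 'ip directed-broadcast' is enabled; remove it")
            if cdp_running and "no cdp enable" not in body:
                findings.append(f"{ifname}: CDP still runs on a user-facing port; add 'no cdp enable'")
            # These are on by default in IOS, so hardening shows up as an explicit
            # 'no ...' line. 'show running-config' hides default values; use
            # 'show running-config all' on platforms that already default them off.
            for required in ("no ip redirects", "no ip proxy-arp", "no mop enabled"):
                if required not in body:
                    findings.append(f"{ifname}: '{required}' missing")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, ACCESS_INTERFACES):
        print(finding)
```

Interfaces outside the access set are deliberately left alone, since CDP and proxy ARP may be legitimately required on uplinks; the operator decides which ports are user-facing. Because 'show running-config' omits defaults, a platform that already ships with a service off will not show the explicit 'no ...' line, so run the audit against 'show running-config all' when in doubt.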
Protecting the Links: QoS Trust Boundary
Diagram: Endpoints, Access, Distribution, Core and WAN aggregation, with candidate trust boundaries marked 1 (at the endpoint), 2 (at the access switch) and 3 (at the distribution switch).
1. A device can be trusted if it correctly classifies packets
2. For scalability, classification should be done as close to the edge as possible
3. The outermost trusted devices represent the Trust Boundary
4. Positions 1 and 2 are optimal; position 3 is acceptable (if the access switch cannot perform classification)
Protecting the Control Plane: Control Plane Policing (Incoming Traffic)
Diagram: on each linecard the forwarding ASICs switch data traffic; control packets and packets destined to the switch CPU pass through the ingress control-plane policy, where pre-configured system traffic types and user-configurable traffic types are policed, so that only packets conforming to the control-plane service-policy reach the CPU.
1. Hardware-based mechanisms
2. Rate limit CPU bound traffic
3. Protect from DoS attacks
4. Control Plane Policing ensures routing stability, reachability, and packet delivery
5. Filters and rate limits traffic headed to the Control Plane
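Added example (Python, not Cisco code): a software model of what the slide describes. Packets addressed to the control plane are classified the way a CoPP class-map would be (routing, management, ICMP, class-default) and each class is policed by its own token bucket, while transit traffic bypasses the policy entirely. The router addresses, the per-class rates and the traffic mix are assumptions made for the example; real CoPP is attached with 'control-plane' / 'service-policy input' and enforced in hardware with platform-specific limits, and this model only shows the classification and policing logic.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src_ip dst_ip proto src_port dst_port length ts")

# Destinations the control plane listens on: the router's own interface
# addresses (assumed) plus the OSPF multicast groups. Anything else is
# transit and is switched by the forwarding ASICs without touching the CPU.
CONTROL_PLANE_DSTS = {"10.1.1.1", "192.0.2.2", "224.0.0.5", "224.0.0.6"}


class TokenBucket:
    """Single-rate policer: the 'police <bps> <burst-bytes>' action under a
    class in a CoPP policy-map. Tokens are bytes; the bucket refills at the
    configured rate up to the burst size and a packet conforms only if
    enough tokens are left to pay for it."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # bytes added per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last_ts = None

    def conforms(self, length, ts):
        if self.last_ts is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last_ts) * self.rate)
        self.last_ts = ts
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False                        # exceed action: drop


def classify(p):
    """The class-map side: which CoPP class a CPU-bound packet falls into."""
    if p.dst_ip not in CONTROL_PLANE_DSTS:
        return "transit"
    if p.proto == 89 or (p.proto == 6 and 179 in (p.src_port, p.dst_port)):
        return "routing"                    # OSPF, BGP
    if (p.proto == 6 and p.dst_port == 22) or (p.proto == 17 and p.dst_port in (161, 123)):
        return "management"                 # SSH, SNMP, NTP
    if p.proto == 1:
        return "icmp"
    return "class-default"


def make_policy():
    """One policer per class. Rates are assumptions chosen for the sample
    traffic: routing is generous, ICMP to the CPU is throttled hard."""
    return {
        "routing":       TokenBucket(8_000_000, 100_000),
        "management":    TokenBucket(1_000_000, 50_000),
        "icmp":          TokenBucket(64_000, 8_000),
        "class-default": TokenBucket(32_000, 4_000),
    }


def apply_copp(packets, policy):
    """Classify each packet and run it through its class policer. Returns
    per-class conformed/exceeded counts; transit is counted but never policed."""
    stats = defaultdict(lambda: {"conformed": 0, "exceeded": 0})
    for p in packets:
        cls = classify(p)
        if cls == "transit":
            stats[cls]["conformed"] += 1
            continue
        verdict = "conformed" if policy[cls].conforms(p.length, p.ts) else "exceeded"
        stats[cls][verdict] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed, not captured: ten minutes of OSPF hellos and an SSH session
    to the router, then 10,000 pings at the router within one second while a
    transit HTTPS flow keeps passing through."""
    pkts = []
    for t in range(0, 600, 10):
        pkts.append(Packet("10.1.1.2", "224.0.0.5", 89, 0, 0, 80, float(t)))
    for i in range(50):
        pkts.append(Packet("10.1.10.5", "10.1.1.1", 6, 51000, 22, 120, 100.0 + i * 0.5))
    for i in range(10_000):
        pkts.append(Packet("10.1.10.99", "10.1.1.1", 1, 0, 0, 1500, 300.0 + i / 10_000))
    for i in range(2_000):
        pkts.append(Packet("10.1.10.7", "203.0.113.9", 6, 52000, 443, 1400, 300.0 + i / 2_000))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for cls, counts in sorted(apply_copp(constructed_traffic(), make_policy()).items()):
        print(f"{cls:14s} conformed={counts['conformed']:6d} exceeded={counts['exceeded']:6d}")
```

The point the numbers make is the one on the slide: the ICMP flood is cut down to roughly the burst size plus one second of refill (about ten packets at 64 kbps), the OSPF hellos and the SSH session conform throughout, and the transit flow is untouched because it never competes for the CPU.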
Monitoring and Telemetry: NetFlow
1. Inspect a packet's 7 key fields and identify the values.
2. If the set of key field values is unique, create a flow record or cache entry.
3. When the flow terminates, export the flow to the collector.
NetFlow's 7 key fields: source IP address, destination IP address, source port, destination port, Layer 3 protocol, ToS byte, input interface.
Diagram: packets enter the device, flow records are built in the cache, exported via NetFlow Export to a collector, and presented in reporting.
NetFlow Benefits
Distributed traffic monitoring
Track each data flow that appears in the network (establish baseline)
Detect anomalies by analyzing traffic characteristics and deviations from baseline
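Added example (Python, not from the deck): the three steps above implemented over constructed packets, keyed on the classic seven NetFlow key fields, with an inactive-timeout export, followed by the baseline-and-deviation use from the "NetFlow Benefits" list. A source that suddenly talks to many more distinct destination ports than any source did in the baseline window is flagged, which is how a port scan shows up in flow data. The addresses, interface names and traffic mix are constructed for the example.

```python
from collections import defaultdict, namedtuple

# The seven NetFlow key fields. Two packets belong to the same flow only if
# all seven match; bytes, packet counts and timestamps are non-key fields
# that the cache entry accumulates.
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_if")
Packet = namedtuple("Packet", KEY_FIELDS + ("ts", "length"))


def flow_key(pkt):
    return tuple(getattr(pkt, f) for f in KEY_FIELDS)


def build_flow_cache(packets):
    """Steps 1 and 2: read the key fields; a new combination creates a
    cache entry, a known one updates its counters."""
    cache = {}
    for p in packets:
        entry = cache.setdefault(flow_key(p), {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        entry["packets"] += 1
        entry["bytes"] += p.length
        entry["last"] = p.ts
    return cache


def export_flows(cache, now, inactive_timeout=15.0):
    """Step 3: flows idle for longer than the inactive timeout are removed
    from the cache and exported (here returned as (key, entry) records)."""
    expired = [k for k, e in cache.items() if now - e["last"] >= inactive_timeout]
    return [(k, cache.pop(k)) for k in expired]


def fanout_per_source(records):
    """Distinct (dst_ip, dst_port) pairs each source talked to. A scanner
    inflates this number far beyond what a normal client produces."""
    targets = defaultdict(set)
    for key, _ in records:
        src_ip, dst_ip, _, dst_port = key[:4]
        targets[src_ip].add((dst_ip, dst_port))
    return {src: len(t) for src, t in targets.items()}


def detect_fanout_anomalies(baseline_records, current_records, factor=3):
    """Baseline on a window believed to be normal, then flag any source whose
    fan-out in the current window exceeds factor x the worst baseline source."""
    threshold = factor * max(fanout_per_source(baseline_records).values())
    return {src: n for src, n in fanout_per_source(current_records).items() if n > threshold}


def constructed_traffic():
    """Constructed sample, not captured data. Baseline: two clients browsing
    one web server and querying DNS. Current window: the same, plus
    10.1.1.25 probing 40 TCP ports on 10.1.1.50."""
    base, t = [], 0.0
    for client in ("10.1.10.11", "10.1.10.12"):
        for i in range(4):          # four TCP connections, two packets each
            base.append(Packet(client, "203.0.113.10", 50000 + i, 80, 6, 0, "Gi1/0/1", t, 600))
            base.append(Packet(client, "203.0.113.10", 50000 + i, 80, 6, 0, "Gi1/0/1", t + 1, 1400))
            t += 2
        base.append(Packet(client, "10.1.1.53", 53000, 53, 17, 0, "Gi1/0/1", t, 80))
        t += 1
    current = list(base)
    for port in range(1, 41):
        current.append(Packet("10.1.1.25", "10.1.1.50", 40000 + port, port, 6, 0, "Gi1/0/7", t, 60))
        t += 1
    return base, current


if __name__ == "__main__":
    base, current = constructed_traffic()
    base_records = export_flows(build_flow_cache(base), now=10_000.0)
    cur_records = export_flows(build_flow_cache(current), now=10_000.0)
    print(f"{len(base_records)} baseline flows, {len(cur_records)} current flows")
    print("fan-out anomalies:", detect_fanout_anomalies(base_records, cur_records))
```

Two details worth noticing: the four browsing connections from one client to one server become four flows, not one, because the source port is a key field, and a packet that differs only in ToS byte or input interface also starts a new flow. The detector deliberately works on the exported records rather than on packets, which is exactly the position a collector is in.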
Internal Perimeter Access Control and Security – NAC
NAC Benefits:
1. Recognizes users, their devices, and their roles in the network
2. Evaluates whether machines are compliant with security policies
3. Enforces security policies by blocking and isolating noncompliant machines
NAC Appliance Components
1. NAS (NAC Appliance Server)
2. NAM (NAC Appliance Manager)
3. CCA (Clean Access Agent)
Internal Perimeter Access Control and Security – CISF
1. Port Security prevents MAC flooding, port access, rogue network extension, and DHCP starvation attacks.
2. DHCP Snooping prevents Rogue DHCP Server attacks and DHCP starvation attacks.
3. Dynamic ARP Inspection used with DHCP snooping to prevent ARP Spoofing Attacks and MiTM attacks.
4. IP Source Guard uses the DHCP snooping table to mitigate IP Spoofing, impersonation attacks and unauthorized access.
Diagram: three attacks against an access switch. A MAC flooding attack sends 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc.) until the switch acts like a hub (stopped by Port Security). A DHCP DoS in which an attacker answers a client's "DHCP Request" with "Use this IP Address!". An ARP spoofing MITM in which the attacker (10.1.1.25) tells the gateway (10.1.1.1, MAC A) "Hey, I'm 10.1.1.50!" and reads the victim's (10.1.1.50) mail session ("Your email passwd is 'joecisco'!").
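Added example (Python, not Cisco code): a toy access switch that models the four features above against the three attacks in the diagram. It shows the dependency the text points at: DHCP snooping (server messages accepted from trusted ports only) builds the binding table, Dynamic ARP Inspection and IP Source Guard then compare ARP and IP source fields against that table, and port security caps the MACs a port may learn. The IP addresses are the diagram's; the MACs, VLAN and port names are constructed.

```python
from collections import defaultdict


class AccessSwitch:
    """Toy model (added here, not Cisco code) of how the four Catalyst
    Integrated Security Features chain together: DHCP snooping builds the
    binding table that Dynamic ARP Inspection and IP Source Guard check
    against, and port security caps the MACs a port may learn."""

    def __init__(self, trusted_ports, max_macs_per_port=1):
        self.trusted = set(trusted_ports)     # uplinks toward the real DHCP server
        self.max_macs = max_macs_per_port     # 'switchport port-security maximum N'
        self.bindings = {}                    # (vlan, mac) -> (ip, port): snooping table
        self.learned = defaultdict(set)       # port -> MACs learned on it
        self.err_disabled = set()
        self.log = []

    def _drop(self, feature, why):
        self.log.append(f"{feature}: dropped ({why})")
        return False

    def frame_in(self, port, src_mac):
        """Port security: learning more than max_macs on an untrusted port
        is a violation; the port goes err-disabled (violation mode shutdown)."""
        if port in self.trusted:
            return True
        if port in self.err_disabled:
            return self._drop("port-security", f"{port} is err-disabled")
        seen = self.learned[port]
        if src_mac not in seen and len(seen) >= self.max_macs:
            self.err_disabled.add(port)
            return self._drop("port-security", f"{src_mac} exceeds MAC limit on {port}")
        seen.add(src_mac)
        return True

    def dhcp_server_msg(self, port, vlan, client_mac, client_ip, client_port):
        """DHCP snooping: OFFER/ACK are accepted only from trusted ports, so a
        rogue server on an access port is silenced. An ACK from a trusted
        port adds the client's lease to the binding table."""
        if port not in self.trusted:
            return self._drop("dhcp-snooping", f"DHCP server message on untrusted {port}")
        self.bindings[(vlan, client_mac)] = (client_ip, client_port)
        return True

    def dhcp_client_msg(self, port, src_mac, chaddr):
        """DHCP snooping 'verify mac-address': a DISCOVER/REQUEST whose client
        hardware address differs from the frame's source MAC is dropped, which
        blunts starvation tools that rotate chaddr behind one source MAC."""
        if not self.frame_in(port, src_mac):
            return False
        if port not in self.trusted and src_mac != chaddr:
            return self._drop("dhcp-snooping", f"chaddr {chaddr} != source MAC {src_mac}")
        return True

    def _bound(self, port, vlan, mac, ip):
        return self.bindings.get((vlan, mac)) == (ip, port)

    def arp_in(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on untrusted ports the sender MAC/IP pair
        must match a binding, so a gratuitous ARP claiming another host's
        address (the MITM setup in the diagram) never reaches the gateway."""
        if not self.frame_in(port, sender_mac):
            return False
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return True
        return self._drop("dai", f"{sender_mac} claims {sender_ip} on {port}")

    def ip_in(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: an untrusted port may only source the IP (and MAC)
        the snooping table bound to it."""
        if not self.frame_in(port, src_mac):
            return False
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return True
        return self._drop("ip-source-guard", f"{src_ip} from {src_mac} on {port}")


def run_scenario():
    """Constructed scenario using the diagram's addresses: gateway 10.1.1.1,
    victim 10.1.1.50, attacker 10.1.1.25. Returns the per-event verdicts."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})
    victim, attacker = "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"
    # Real DHCP server behind the uplink leases .50 to the victim, .25 to the attacker.
    sw.dhcp_server_msg("Gi1/0/48", 10, victim, "10.1.1.50", "Gi1/0/5")
    sw.dhcp_server_msg("Gi1/0/48", 10, attacker, "10.1.1.25", "Gi1/0/7")
    r = {}
    r["rogue_dhcp_offer"] = sw.dhcp_server_msg("Gi1/0/7", 10, victim, "10.1.1.99", "Gi1/0/5")
    r["victim_arp"] = sw.arp_in("Gi1/0/5", 10, victim, "10.1.1.50")
    r["attacker_own_ip"] = sw.ip_in("Gi1/0/7", 10, attacker, "10.1.1.25")
    r["arp_spoof"] = sw.arp_in("Gi1/0/7", 10, attacker, "10.1.1.50")      # "Hey, I'm 10.1.1.50!"
    r["ip_spoof"] = sw.ip_in("Gi1/0/7", 10, attacker, "10.1.1.50")
    r["starvation_request"] = sw.dhcp_client_msg("Gi1/0/7", attacker, "00:0e:00:aa:aa:aa")
    # MAC flood: the diagram's 132,000 bogus MACs, scaled down to 1,000.
    flood = [sw.frame_in("Gi1/0/7", f"00:0e:00:{i >> 8:02x}:{i & 0xff:02x}:01") for i in range(1000)]
    r["flood_frames_accepted"] = sum(flood)
    r["port_err_disabled"] = "Gi1/0/7" in sw.err_disabled
    return r, sw.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for event, ok in verdicts.items():
        print(f"{event:24s} {ok}")
    print("\n".join(log))
```

The attacker's own traffic with its leased address passes every check, which is the point of binding-based enforcement: the features do not block the port, they block the lie. Note also why item 1 and item 2 above both list DHCP starvation: a tool that rotates the frame source MAC trips port security, while one that keeps the source MAC fixed and rotates only chaddr trips the snooping MAC verification.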
Distributed Security: Infrastructure Protection and Monitoring
Diagram: Access, Distribution, Core and Management layers.
Infrastructure Protection and Monitoring
1. QoS Trust Boundary
2. Scavenger Class
3. Secure Management
4. NBAR
5. NetFlow
6. Control Plane Policing
7. Network Time Protocol
8. ACS
9. Cisco MARS
10. Syslog
Securing the Internet Edge
Enterprise Internet Edge: Service Breakdown
DMZ – Network Services Application Segment
• Public facing services
• FTP, DNS, NTP etc.
Corporate Internet Access
• Internet access for campus and branch users
• Web browsing, email and other common internet services, web and email security
Firewall Based Teleworker
• Teleworker access to corporate resources
• Internet access via headquarters firewall
• Basic IP telephony service
Branch Office WAN Backup
• Internet backup for branches
• Access to corporate resources
• Web browsing, email and other common internet services
Internet Edge
Diagram: the Internet Edge block sits between the Core and two ISPs (ISP A and ISP B). It contains the edge routers, a distribution layer and the Corporate Access/DMZ with an Email Security Gateway, Web Security Gateway, HTTP services and DNS, plus CVO termination and Remote Access VPN for remote clients, and Internet backup for branches with voice services.
Firewall Design Considerations
Diagram: Internet via SP1 and SP2, through the firewalls, to the DMZ and the Data Center / Corporate Network.
• Firewall Security Design Considerations
– Firewall rules to implement network security
– Integrating Email and Web Security Appliance with firewall
– Configuring and implementing Infrastructure Security
– Implementing and designing a secure public facing DMZ
– Enabling features for optimum monitoring and management
Firewall Design
Diagram: corporate users, remote users and public users reach the corporate network through the firewall; email traffic is steered through the Email Security Appliance to the email server and web traffic through the Web Security Appliance.
IPS at the Internet Edge
Diagram: Internet SP, edge, an IPS pair inline between the Corporate Access/DMZ firewalls and the Distribution switches, then the Core.
1. Firewalls in active/standby stateful failover
2. IPS path selection based on Spanning Tree (STP)
3. Requires STP tuning
4. Required bandwidth satisfied with a single IPS and firewall
Remote Access
Diagram: remote users reach an ASA 5500 over the public Internet.
Partners / Consultants – Clientless SSL VPN: controlled access to specific resources and applications
Mobile Workers – Client-based SSL or IPsec VPN: easy access to corporate network resources
Roamers – Clientless SSL VPN: seamless access to applications from unmanaged endpoints
Day Extenders / Home Office – Client-based SSL or IPsec VPN: day extenders and mobile employees require consistent LAN-like, full-network access to corporate resources and applications
Web Appliance (IronPort example): Consolidated Web Gateway
Diagram: before, separate boxes between the users and the Internet firewall for Web Proxy and Caching, Anti-Spyware, Anti-Virus, Anti-Phishing, URL Filtering and Policy Management; after, a single IronPort Web Security Appliance (L4 Traffic Monitor and Policy Filters) consolidates that functionality. Lower TCO, higher accuracy.
Securing the Data Center
Data Center Today: End-to-End Architecture
Security Services Layer
– Firewall (ASA 5500 or FWSM): enforces per-zone segmentation of servers; virtual contexts enable scale
– IPS: threat mitigation and hypervisor protections
– Network Segmentation: per zone, enforced in the Services Layer
Secure Server Access Layer
– Virtual Access Layer Visibility: flow visibility in the vSwitch (Nexus 1000v)
– Layer 2 Security: consistent protections in virtual and physical switch
Enterprise and DC Edge
– SaaS Gateway in WSA: access control for Software as a Service apps
– Firewall (ASA 5500): coarse inbound filtering
Diagram: servers grouped into Zone 1, Zone 2 and Zone 3; CSM for Operations.
Secure Borderless Data Center: Tomorrow's Architecture
Security Services Layer
– Firewall and IPS (ASA 5500 with IPS; ASA switch modules for Catalyst and Nexus; ASA virtual contexts): identity-based policies
– Service chaining connects physical to virtual
Secure Virtual Access Layer
– Virtual Layer 2 through 7 security: Nexus 1000v and virtual firewall platform
– Trust zones via TrustSec
Cloud Services Security Layer
– Enterprise- or cloud-provided security for applications in the cloud
– Cloud Edge: protecting the cloud provider network
Enterprise and Data Center Edge
– SaaS Gateway in WSA
– Firewall: coarse filtering
Operations: CSM, AAA and Policy
Real World Customer Example
Diagram: two Catalyst 6513 Layer 3 switches in high-availability mode, each with FWSM (virtual firewalls VFW1 and VFW2), IDSM and ACE modules; server farms for front-end web servers (DMZ-2), application servers and database servers; Cisco Nexus; Fibre Channel storage arrays on Fabric A and Fabric B (FC, FICON, iSCSI); FCIP over the MAN/WAN; Global Site Selector (GSS 4492).
Management Servers
1. NAC Manager
2. Security Manager
3. Security MARS
4. Call Manager/Cisco Unity
5. Cisco ACS
Data Center Module Features
– Layer 3 switches in high availability mode
– Firewall Services Module (FWSM) to protect against Layer 2 to Layer 7 attacks; FWSM set in virtual firewall mode, VFW1 to protect management servers and VFW2 to protect data center servers
– Network intrusion detection/prevention for monitoring
– Application Control Engine (ACE) used for load balancing, SSL offloading and Layer 7 deep inspection; ACE module to be used for all front-end web and application server SSL offloading and load balancing (after the Layer 7 firewall)
– Traffic flow moves from yellow, to blue, to orange VLANs
– Private VLAN design to be implemented within each server farm to segment against DoS/DDoS and network attacks
– Cisco Security Agent to be used on each server to protect against day-zero attacks like worms/viruses and DoS/DDoS attacks
– NAC Appliance Manager for network-wide policy enforcement
– Cisco Security Manager to manage security devices
– Cisco Security MARS for event correlation, dynamic threat mitigation and incident logging
– Cisco Call Manager/Unity for voice services
– Cisco Access Control Server for AAA and TACACS+ services
– FCIP server backup with disaster recovery and backup site
– DHCP Snooping, IP Source Guard, Dynamic ARP Inspection, Port Security and advanced security via ACLs
– Catalyst rate limiting for blasting worm protection/remediation
– Optimized routing protocols, multicast, subsecond convergence, first hop redundancy protocols
– Spanning Tree, EtherChannel/GigEChannel with Core switches in the Campus module
– Supervisor/power supply redundancy etc.
– HSRP for redundant gateway service
– Path diversity documentation
– Layer 3 switching utilizing IGP load balancing and fast convergence
– Provide first-hop redundancy
– Protects the Core from high density peering; aggregates the Access Layer elements
– Policy enforcement: QoS, ToS, IP Precedence
– Efficient handling of multicasts
– Network trust or policy boundary
– Dual active links to Core switches in the Campus module
– Wire-rate application-aware using ACE and FWSM
– IOS-based intelligent network services in Supervisor
– Traffic detection/classification using NetFlow
– IP multicast support
– Admission control and traffic policing
– Advanced security via access control lists
– Load balancing and fast convergence
– Scalable high-speed services
– No unnecessary features
– 10 Gigabit scalability
– Normal operations: ~20 °C (68 °F)
SAFE Resources
Cisco SAFE and Design Guide:
http://www.cisco.com/go/safe
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg.html
Cisco Design Zone:
http://www.cisco.com/go/cvd
Cisco Security Lifecycle Services:
http://www.cisco.com/go/services/security
Cisco’s Security Products:
http://www.cisco.com/go/security