Security Strategy Update Self Defending Network Initiative Network Admission Control

1. Security Strategy Update Self Defending Network Initiative Network Admission Control February 5, 2004 Tempe, Arizona

2. Security Paradigm is Changing The burden on StateNet’s members to secure all aspects of the network and business is rapidly growing heavier • Assessing Security Risks • Defining & Authoring Security Policy • Designing & Implementing Security Infrastructure • Enforcement of Security Policy Self Defending Network Initiative (SDNI) will result in the network making intelligent admission and defense decisions while helping to enforce security policy compliance.

3. Threat Evolution Target and Scope of Damage Seconds Self Defending Network GlobalInfrastructureImpact RegionalNetworks MultipleNetworks IndividualNetworks IndividualComputer • Next Gen • Infrastructure hacking • Flash threats • Massive worm driven • DDoS • Damaging payload viruses and worms Minutes Integrated Security Days Point Products • 3rd Gen • Network DoS • Blended threat (worm + virus+ trojan) • Turbo worms • Widespread system hacking Weeks • 2nd Gen • Macro viruses • Email • DoS • Limited hacking • 1st Gen • Boot viruses 1980s 1990s Today Future

4. Cisco’s Security Vision Multi-phased initiative to dramatically improve the network’s ability to identify, prevent, and adapt to threats INDUSTRY COLLABORATION SYSTEM LEVEL SOLUTION INTEGRATED SECURITY Network AdmissionControl Program Dynamically identify, prevent, and respond to threats End-to-End Secure Connectivity Threat Defense Trust and Identity

5. Cisco Network Admission Control (NAC) • Cisco Network Admission Control (NAC) is Cisco-led, industry program focused on limiting damage from emerging security threats such as viruses and worms • NAC is a significant step forward in security policy compliance and enforcement • In NAC, customers can allow network access only to compliant and trusted endpoint devices (e.g. PCs, servers, PDAs) and can restrict the access of non-compliant devices • Initial NAC co-sponsors include Network Associates, Symantec, and Trend Micro • NAC is the first phase of the Cisco Self-Defending Network Initiative • These efforts are designed to dramatically improve the ability of networks to identify, prevent, and adapt to threats

6. Cisco NAC Solution Overview NAC Solution:Leverage the network to intelligently enforce access privileges based on endpoint security posture. The Cisco network helps force corporate security compliance. NAC Characteristics: Ubiquitous solution for all connection methods Validates all endpoints/hosts Endpoint Attempting Network Access Network Access Devices Leverages customer investments in Cisco network and AV solutions Policy Server Decision Points Cisco Secure ACS Policy (AAA) Svr AV Vendor Svr Quarantine & remediation services Credentials Credentials Credentials Deployment scalability RADIUS Access Rights Comply? NAC enforces the security policies as defined on the ACS by the user. It does not author the policies. Notification Cisco Trust Agent Enforcement

7. Anti- Virus client Cisco Security Agent Cisco Network Admission Control (NAC) Cisco Network Admission Control Cisco Secure ACS Policy/ AAA RADIUS Server Endpoints attempting Network Access Cisco Network Access Device AV Vendor Policy Server Security Credential Checking Cisco Trust Agent Permit, deny, quarantine, restrict Security Policy Enforcement Security Policy Creation AV Policy Evaluation • NAC is not yet shipping. The Cisco Business Unit is still determining how we will license and charge for NAC on the access devices. It is expected the end-point Trust Agent will be free.

8. Phase 1 Deployment ScenariosRouter-Based compliance enforcement • Branch office compliance • Focus first on less trusted/managed offices Branch Office Users Main Office • Extranet compliance • Partner hosts are patched and comply VPN Edge AAA & AV Svrs • Internet compliance • Ensure hosts are hardened prior to browsing VPN Edge Private WAN Data Center • Lab compliance • Production network access only for compliant devices Internet Internet Edge • Data center protection • Devices accessing protected servers must comply Lab Partner WAN Extranet Edge Partner

9. NAC Schedule (best efforts to accelerate) Phase 1 Q2 CY04 Phase 2 2HCY04 Phase 3 TBD IOS Routers 17xx – 72xx Security Devices VPN Concentrators Switches Wireless Access Points Network Devices Cisco Trust Agent Support Windows NT, 2000, XP IP Phones Cisco Appliances MAC OS, HPUX, AIX Windows 2003 Red Hat Linux Solaris AV Vendors OS Vendors Mgmt Vendors Industry Partners Broad Vendor Support HTTP/SSL? Device Communications Layer 3 EAP/UDP Layer 2 EAP/802.1x VPN Management System (VMS) will configure the NAC settings across access devices in masse. Secure Information Management System (SIMS) will be the management tool for reporting and monitoring. A “SIMS Lite” is being considered for small to medium customers. There are third party management software companies writing to NAC, so there will be options

10. Centralized security management • Security policy, security event monitoring and analysis • Threat validation and investigation • Embedded devicemanagement MANAGEMENT AND ANALYSIS COMPLETE COVERAGE Protecting Desktops, Servers and Networks Security Appliances Security Software FLEXIBLE DEPLOYMENT Switches Routers VPN / SSL SECURITY SERVICES Firewall IDS Identity Behavior SECURE INFRASTRUC- TURE Device Authentication, Port Level Security, Secure and Trusted Devices, Secure Access, Transport Security Cisco Integrated Security Portfolio ADVANCED SECURITY SERVICES

11. Summary Statement Industry collaboration in support of Cisco’s Self Defending Network Initiative will result in the network making intelligent admission and defense decisions while helping to enforce security policy compliance. Thank you for your time.