
Cisco IPS 4300 Series

Cisco IPS 4300 Series. For Technical Decision Makers. Forward-Looking Statements.



Presentation Transcript


  1. Cisco IPS 4300 Series

    For Technical Decision Makers
  2. Forward-Looking Statements
     Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
  3. Cisco IPS 4300 Series Agenda
     - Security Challenges
     - Introducing the Cisco IPS 4300 Series
     - Hardware
     - Performance
     - Scale
     - Secure Architecture
     - Management
     - Deployment Options
  4. Opposing Forces
     Security Imperatives: Threat Defense, Compliance, Any Device
     Business Imperatives: Collaboration, Business Agility, Operational Efficiency
  5. Cisco IPS 4300 Series
     Threat Defense | Compliance | Any Device
     Collaboration | Business Agility | Operational Efficiency
  6. Introducing Cisco IPS 4300 Series: Next Generation IPS
     - Superior Performance: exceptional operational efficiency
     - Context Aware Network Security: advanced threat protection to meet compliance
     - Simplified, Enterprise Class Management
     - Superior Investment Protection
     - Proven Security Platform: confidence based on a proven track record
  7. Introducing Cisco IPS 4300 Series: Next Generation IPS
     Superior Performance
     - Context Aware IPS providing over 1 Gbps of throughput in a 1 RU form factor
     - Hardware-accelerated IPS providing twice the performance density of competitors
     - Industry’s highest port density in a 1 RU form factor
     - Lowest published energy consumption in its performance range
     Context Aware Network Security
     - Industry’s first context aware IPS
     - Industry’s first and only IPS with passive OS fingerprinting and reputation driven mitigation decisions
     - Industrial Control Protection “SCADA” signatures available to protect infrastructure
     - NSS recommended anti-evasion capabilities, with additional evasion types available this year
  8. Introducing Cisco IPS 4300 Series: Next Generation IPS
     Exceptional Scalability
     - Scales to meet the performance requirements of a wide range of network deployments
     - Additional security services can be enabled quickly and easily
     - Visibility for focused security with low touch for reduced operational costs
     - CSM is the only management plane that provides enterprise class scalability and visibility for all security and network devices
     Proven Security Platform
     - Leverages the SecureX Framework for a context-aware, network-centric approach to security
     - The most widely deployed IPS in the industry, with an install base of more than 150K IPS hardware modules and appliances globally
     - 14 years of market-proven IPS capabilities
  9. Hardware

    State of the art hardware for superior performance
  10. Cisco IPS 4300 Series: IPS 4345 and IPS 4360 (front panel: Power Button with LED, Status LEDs)
  11. Cisco IPS 4300 Series Under the Hood
     - 1 RU chassis rack space
     - Ports: 8 x 1 GigE data ports, 1 console port, 1 dedicated management port
     - Redundant hot swappable power supply units (4360 only)
     - Front to back air flow
     - Regex Accelerator: high speed inspection
     - Security Service Processor: dedicated 64-bit multi-core processor, parallel multi-threaded packet processing
     - SATA HD bay (blank)
  12. IPS 4300 Hardware Comparison
  13. Cisco IPS 4345
     Performance: Real World 750 Mbps; HTTP Transactional 1.2 Gbps
     Platform Characteristics: 1 RU; multi-core enterprise-class CPU (4 cores / 4 threads); 8 GB RAM
     Where to Deploy: medium-large enterprises; Branch – Internet Edge; 750 Mbps “real-world” IPS throughput requirement; dedicated IPS requirement
     Front/rear panel: Mgmt. Port, Integrated I/O, Status LEDs, 8 GE Cu, Serial Console, Fan, Power Supply
  14. Cisco IPS 4360
     Performance: Real World 1.25 Gbps; HTTP Transactional 2 Gbps
     Platform Characteristics: 1 RU; multi-core enterprise-class CPU (4 cores / 8 threads); 16 GB RAM; redundant power supply option
     Where to Deploy: medium-large enterprises; Internet Edge – Campus; 1.25 Gbps real world IPS throughput required; requirement for redundant power supply; dedicated IPS requirement
     Front/rear panel: Mgmt. Port, Integrated I/O, Status LEDs, 8 GE Cu, Serial Console, Redundant Hot Swappable Power Supply
  15. IPS 4345/60 versus IPS 4240/55/60: Key Changes
     Performance: superior IPS throughput; faster regex processing
     Hardware: hardware regex accelerator; higher port density; multi-core CPUs; significantly more memory; 1 RU form factor; redundant power supply option (4360)
     Architecture: 64-bit SMP-enabled kernel to make use of the multi-core hardware
  16. Performance

    Redefining performance for better scaling
  17. Real World Testing Methodology
     - Determine maximum throughput with a mixture of various protocols and packet sizes; the average of 5 tests is used for rating
     - Traffic mixes vary depending on network type and location
     - Provides better guidance to customers
     - Easily reproducible by customers
     - Tests independent of Cisco
  18. Real World Testing Methodology
     5 BreakingPoint profiles: Enterprise Datacenter, Enterprise Applications, Service Provider, Higher Education, Small/Medium Business
     IPS configuration: default signature configuration; Global Correlation enabled; Anomaly Detection disabled
  19. BreakingPoint Higher Education
     - Represents the edge of a “Higher Education” network
     - Large percentage of traffic consists of P2P traffic, including BitTorrent and eDonkey
     - HTTP makes up about 30% of the bandwidth
  20. BreakingPoint Service Provider
     - Representative of a Service Provider network; statistics collected from a well-known service provider
     - Mostly HTTP, followed by peer-to-peer traffic
     - HTTP text/data, with a fair amount of music and video transfers
     - HTTP and peer-to-peer make up close to 90% of the traffic
  21. BreakingPoint Small Business
     - Internet edge of a Small Business network
     - Mostly HTTP, with voice, database connections and file transfers
  22. BreakingPoint Enterprise Applications
     - Representative of traffic used by various applications on an enterprise network
     - Wide distribution of protocols, including SMTP, SMB, RTP and others
  23. BreakingPoint Enterprise Datacenter
     - Datacenter specific
     - Most traffic is either file transfer (SMB, FTP), database connections, or HTTP(S)
  24. IPS 4300 Inline Performance Maximum Throughput (Mbps)
  25. IPS 4300 Performance Comparison
  26. Scale

    Cisco IPS 4300 Series, part of the Industry’s most complete IPS offering
  27. Cisco Standalone IPS Family: Performance, Scalability, Adaptivity
     IPS 4240, IPS 4255, IPS 4260, IPS 4345, IPS 4270, IPS 4360 (ordered by performance), securing Internet-Edge and Campus networks: SOHO, Branch Office, Internet Edge, Campus; enhancing the customer experience
  28. Cisco IPS 4300 Performance Positioning (Real World IPS Performance)
     Throughput axis: 250 Mbps, 500 Mbps, 1 Gbps, 1.5 Gbps, 2 Gbps; deployment axis: Branch Office, Internet Edge, Campus
     NEW: IPS 4345 and IPS 4360
  29. Cisco IPS Performance Positioning (HTTP Transactional IPS Performance)
     Throughput axis: 150 Mbps, 250 Mbps, 500 Mbps, 1 Gbps, 1.5 Gbps, 2 Gbps, 3 Gbps, 5 Gbps; deployment axis: Branch Office, Internet Edge, Campus, Data Center
     NEW entries at 3 Gbps and 5 Gbps
  30. Architecture

    Software Architecture supporting next generation IPS Features
  31. Cisco IPS Architecture
     Cisco Security Intelligence Operations feeds: Signature Updates, Engine Updates, ICP, GC
     Sensor components (IN to OUT): Reputation Filter, Virtual Sensor Selection, Normalizer Module, Modular Inspection Engines, On-Box Correlation Engine, Risk-Based Policy Control, Forensics Capture, Mitigation and Alarm
  32. Virtual Sensors
     What are Virtual Sensors? A Virtual Sensor allows multiple instances of a sensor to exist on one IPS device; up to 4 virtual sensors are supported
     Diagram: Sensor (VS0) for Network A, Sensor (VS1) for Network B, Sensor (VS2) for Network C, with attackers shown on the outside
  33. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  34. Reputation Filter
     Pipeline stages shown: Preprocessing, IPS Reputation Filters, Signature Inspection, Anomaly Detection, Decision Engine, Global Correlation
     Example reputation prefixes: ... 58.65.232.0/21 58.83.8.0/22 58.83.12.0/22 62.122.32.0/21 ...
     Cisco IPS Reputation Filter:
     - Drops packets from a known malicious source before signature based inspection
     - Reputation Filter Database is continuously updated
     - Protects against attacks from known botnets
     - Mitigation based on context (source), not just content
     - Faster than traditional signature-only methods
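The reputation filter on this slide, as an added illustration that is not Cisco's code: packets whose source falls inside a listed prefix are dropped before any signature engine runs, so only the remaining traffic pays for inspection. The four prefixes are the ones printed on the slide; the packets and the one-pattern `signature_inspect` stand-in are constructed for the example.

```python
# Added example, not Cisco's code: a reputation pre-filter placed in front of
# signature inspection, as the Reputation Filter slide describes. The prefixes
# are the ones printed on the slide; the packets are constructed sample input.
import ipaddress

# Prefixes copied from the slide (its list continues beyond these four)
REPUTATION_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("58.65.232.0/21", "58.83.8.0/22", "58.83.12.0/22", "62.122.32.0/21")
]


def is_reputation_hit(src_ip):
    """True when the source address is inside any listed prefix."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in REPUTATION_PREFIXES)


def signature_inspect(packet):
    """Stand-in for the signature engines (assumed: one fixed string pattern)."""
    return "alert" if b"UNION" in packet["payload"] else "permit"


def process(packets):
    """Run each packet through the pipeline.

    Returns a list of (src, verdict, stage) tuples, where stage records which
    component produced the verdict. Reputation hits never reach inspection,
    which is the saving the slide refers to.
    """
    results = []
    for packet in packets:
        if is_reputation_hit(packet["src"]):
            results.append((packet["src"], "drop", "reputation-filter"))
            continue
        results.append((packet["src"], signature_inspect(packet), "signature-inspection"))
    return results


# Constructed sample traffic: two sources inside listed prefixes, two outside
SAMPLE_PACKETS = [
    {"src": "58.65.235.7", "payload": b"GET / HTTP/1.1"},
    {"src": "58.83.15.200", "payload": b"GET / HTTP/1.1"},
    {"src": "58.83.16.1", "payload": b"GET /?id=1 UNION SELECT 1 HTTP/1.1"},
    {"src": "203.0.113.9", "payload": b"GET / HTTP/1.1"},
]

if __name__ == "__main__":
    for src, verdict, stage in process(SAMPLE_PACKETS):
        print(f"{src:<14} {verdict:<7} ({stage})")
```

Note that 58.83.16.1 sits just outside 58.83.12.0/22, so it is not dropped by reputation and is caught only by inspection; the prefix boundary is where a stale or over-broad reputation list does its damage, which is why the slide stresses that the database is continuously updated.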
  35. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  36. Normalizer Module
     Additional inspection function designed to:
     - Prevent abnormal traffic from passing the sensor
     - Prevent obfuscation of attacks (anti-evasion)
     - “Back up” the other signature actions during prolonged attacks
  37. Normalizer Module
     How does the Normalizer achieve this?
     - Strict tracking of TCP state
     - Strict tracking of sequence numbers
     - Tracking of un-acked inspected content
     - Verification of checksums and invalid flags
     - Ability to modify TTL
     - …
  38. Anti-Evasion
     Raw request: GET http://…552F2A436F6E2A2F4E492F2A66757365642A2F4F4E0D0A
     After Traffic Cleansing: GET http://…U/*Con*/NI/*fused*/ON
     After Signature Analysis: GET http://…UNION
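The three stages on the Anti-Evasion slide, written out as an added example (not Cisco's code): the hex-encoded request is decoded, the inline `/* */` comments that split the keyword are removed, and only the cleaned line is matched against the signature. Two assumptions are made: runs of hex digits in the request line are treated as encoded bytes (the slide does not say which encoding the original request used), and `host.example` stands in for the host portion the slide elides.

```python
# Added example, not Cisco's code: the anti-evasion flow on the slide, written
# out as a small normalizer. Stage 1 decodes the hex-encoded request bytes,
# stage 2 strips the inline /* */ comments, and only the cleaned text is
# handed to the signature pattern. Assumptions: contiguous runs of hex digits
# in the request line are treated as encoded bytes (the slide does not say
# which encoding the original request used), and the elided host is replaced
# by a placeholder.
import re

HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){4,}")       # 4+ bytes of hex
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)     # /* ... */ (non-greedy)
SIGNATURE = re.compile(r"\bUNION\b", re.IGNORECASE)   # the pattern the slide matches


def decode_hex_runs(text):
    """Stage 1: replace each run of hex digits with the bytes it encodes."""
    return HEX_RUN.sub(lambda m: bytes.fromhex(m.group(0)).decode("latin-1"), text)


def strip_sql_comments(text):
    """Stage 2: remove inline comments used to split a keyword across fragments."""
    return SQL_COMMENT.sub("", text)


def normalize(request_line):
    return strip_sql_comments(decode_hex_runs(request_line)).strip()


def inspect(request_line):
    """Apply the signature to the raw line and to the normalized line."""
    normalized = normalize(request_line)
    return {
        "raw_match": bool(SIGNATURE.search(request_line)),
        "decoded": decode_hex_runs(request_line),
        "normalized": normalized,
        "normalized_match": bool(SIGNATURE.search(normalized)),
    }


# Request line from the slide; "host.example" stands in for the elided host part
SLIDE_REQUEST = "GET http://host.example/552F2A436F6E2A2F4E492F2A66757365642A2F4F4E0D0A"

if __name__ == "__main__":
    for key, value in inspect(SLIDE_REQUEST).items():
        print(f"{key}: {value!r}")
```

The point the slide makes shows up in the two booleans: the same `UNION` pattern misses the raw line and hits the normalized one, so a sensor that matches signatures before cleansing is the one that gets evaded.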
  39. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  40. Modular Inspection Engines
     What are Inspection Engines?
     - A component of the sensor that supports a category of signatures
     - Each engine has a set of legal parameters that have allowable ranges and sets of values
     - Configurable engine parameters allow you to optimize/tune signatures or create new signatures
     Signature Engine Types: AIC, Atomic, Flood, Meta, Multi String, Normalizer, Service, State, Sweep, Traffic Anomaly, Trojan, …
  41. Signature Based Detection
     - An IPS signature matches a distinctive characteristic of traffic
     - Signatures are associated with an engine
     - New signatures are released and existing signatures are updated continuously
     - Cisco allows customers to write their own “custom” signatures
     - Cisco signatures are vulnerability-based
  42. String-XL Engine
     - Unique to platforms with hardware regex acceleration
     - String engines are pattern based matching inspection engines for ICMP, TCP and UDP
     - New “string-xl” engine introduced: string-xl-tcp, string-xl-udp, string-xl-icmp
  43. IPv6 Support
     Most engines support IPv4 and IPv6 equally. Exceptions are:
     - modify-packet action for normalizer
     - ICMP specific engines
     - AIC engine
     - Block host, block connection, and rate limiting
     - Anomaly Detection
  44. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  45. On-Box Correlation Engine: The Meta Engine
     - Defines related events that occur within a sliding time interval
     - Processes events rather than packets
     - Generates a signature event after all requirements (components) for the event are met
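The Meta engine behaviour described on this slide, as an added example that is not Cisco's code: a correlator that consumes already-generated component events rather than packets, keeps a sliding window per attacker, and emits one meta event once every required component has fired inside the interval. The signature IDs, the 30-second window and the events are all constructed.

```python
# Added example, not Cisco's code: a minimal correlator in the style of the
# Meta engine described on the slide. It consumes already-generated component
# events rather than packets, keeps a sliding time window per attacker, and
# emits a meta event once every required component has fired inside the
# interval. Signature IDs, the window length and the events are constructed.
from collections import defaultdict, deque


class MetaEngine:
    def __init__(self, meta_sig_id, component_sig_ids, interval):
        self.meta_sig_id = meta_sig_id
        self.components = frozenset(component_sig_ids)
        self.interval = interval
        # attacker -> deque of (timestamp, component sig id), oldest first
        self.window = defaultdict(deque)

    def feed(self, event):
        """Consume one component event; return a meta event dict or None."""
        ts, attacker, sig = event["ts"], event["attacker"], event["sig_id"]
        if sig not in self.components:
            return None                      # not a component of this meta signature
        q = self.window[attacker]
        q.append((ts, sig))
        while q and ts - q[0][0] > self.interval:
            q.popleft()                      # slide the window: expire stale components
        if {s for _, s in q} == self.components:
            q.clear()                        # fire once per complete set
            return {"ts": ts, "attacker": attacker, "sig_id": self.meta_sig_id}
        return None


def correlate(events, engine):
    """Feed events (time-ordered per attacker); return the meta events produced."""
    out = []
    for ev in events:
        meta = engine.feed(ev)
        if meta:
            out.append(meta)
    return out


# Constructed component events (sig ids 9001-9003 and 7777 are placeholders)
SAMPLE_EVENTS = [
    {"ts": 0,  "attacker": "198.51.100.4", "sig_id": 9001},
    {"ts": 5,  "attacker": "198.51.100.4", "sig_id": 9002},
    {"ts": 12, "attacker": "198.51.100.4", "sig_id": 9003},   # all three inside 30 s
    {"ts": 0,  "attacker": "198.51.100.9", "sig_id": 9001},
    {"ts": 40, "attacker": "198.51.100.9", "sig_id": 9002},   # 9001 has expired by now
    {"ts": 41, "attacker": "198.51.100.9", "sig_id": 9003},
    {"ts": 50, "attacker": "198.51.100.4", "sig_id": 7777},   # unrelated signature
]

if __name__ == "__main__":
    engine = MetaEngine(meta_sig_id=60000, component_sig_ids=[9001, 9002, 9003], interval=30)
    print(correlate(SAMPLE_EVENTS, engine))
```

The second attacker shows why the window slides rather than simply accumulating: its first component falls out of the interval before the others arrive, so no meta event fires, which keeps slow, unrelated low-severity hits from being stitched into a false composite.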
  46. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  47. Global Correlation: Innovations in Threat Management
     - IPS Reputation Filters: block the worst global attackers
     - Traffic Cleansing and Signature Inspection: identify known behaviors
     - Global Inspection: increase Risk Rating for known bad actors
     - Decision Engine: Block, Alert, Permit, Limit
  48. Global Correlation: Influence of GC on Risk Rating
     Global Correlation Inspection adjusts the Risk Rating of events based on the reputation of the attacker and the original Risk Rating.
  49. Global Correlation
     Understand the attackers for better security, not just the attack: the same “grey” SMB signature firing, with more context about the attacker, gives better verdicts.
  50. Industrial Control Protection: Known Industry List of Industrial Control Vulnerabilities
  51. Industrial Control Protection: Direct / Indirect Threat Vectors
     Diagram based on the Purdue Reference Model (ISA-95, ISA-99); threat vectors marked on the slide: Root Kit (enterprise zone and the Level 3/Level 2 boundary), Modbus (cell/area zone)
     - Level 5, Enterprise Zone: Enterprise Network
     - Level 4, Enterprise Zone: Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
     - Firewall
     - CIP DMZ: Terminal Services, Patch Management, AV Server, Web, E-Mail, Application Mirror, Web Services Operations, Application Server
     - Firewall
     - Level 3, Manufacturing Zone: Site Manufacturing Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller)
     - Level 2, Cell/Area Zone: Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation)
     - Level 1, Cell/Area Zone: Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control)
     - Level 0, Cell/Area Zone: Process (Sensors, Drives, Actuators, Robots)
  52. Industrial Control Protection: ICS Patching Dilemma
     Decision flow shown: New Vulnerability → Patch Available? Y (rare) / N (typical) → Patch ASAP? → Remain Vulnerable? (N / Y), weighing Cost / Time / Effort against Risk of outage
     Cisco ICP provides cost effective protection:
     - Minimize risk of unplanned outages due to cyber attack
     - Significant cost savings through batching of patch roll-out to the field
  53. Industrial Control Protection: The Cisco Solution
     - Special class of Industrial Control signatures
     - Delivered within the normal weekly signature update
     - Separate license for use, based on platform
     - Most of the coverage is common across a wide range of industrial environments (e.g. MODBUS)
  54. Industrial Control Protection: Industrial Foci
     What industries benefit?
     - Horizontal Protections: General Industrial Controls covered
     - Initial Vertical: Oil and Gas, both Upstream and Downstream
     - Will continue to stream out signatures over time
     - Next: Utilities (Energy Distribution), Manufacturing, Mining / Agriculture (including Timber)
     All types of equipment: SCADA, DCS, PLC, SIS, EMS
     All major vendors: Schneider, Siemens, Rockwell, GE, ABB, Yokogawa, Motorola, Emerson, Invensys, Honeywell, SEL, and growing
  55. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  56. Risk-Based Policy Control
     - Calibrated Risk Rating (RR) computed for each event
     - Event Action Policy based on risk categories
     - Filters for known benign triggers
     Risk Rating inputs:
     - Event Severity: urgency of threat?
     - Signature Fidelity: how prone to false positive?
     - Attack Relevancy: important to attack target?
     - Asset Value of Target: how critical is this destination host?
     - Network Context: what additional risk information is available?
     Event Severity + Signature Fidelity + Attack Relevancy + Asset Value of Target + Network Context = Risk Rating
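The risk-based policy flow on this slide, together with the Global Correlation adjustment from slide 48, as an added example that is not Cisco's code: a Risk Rating is built from the five inputs the slide names, adjusted by attacker reputation, mapped to a risk category and its actions, and finally run through a benign-trigger filter. Everything numeric is an assumption made for the example (the 0-100 scale, the severity values, how the inputs combine, the reputation adjustment and the category thresholds); the action names follow the slide's "Event Action Policy" idea and the events are constructed.

```python
# Added example, not Cisco's code: the risk-based policy flow from the slide.
# A Risk Rating is built from the five inputs the slide names, Global
# Correlation (slide 48) adjusts it by attacker reputation, an action set is
# picked by risk category, and known benign triggers are filtered. Every number
# here is an assumption: the 0-100 scale, the severity values, how the inputs
# are combined, the reputation adjustment and the category thresholds.

SEVERITY_VALUE = {"informational": 25, "low": 50, "medium": 75, "high": 100}  # assumed scale


def risk_rating(severity, fidelity, attack_relevancy=0, asset_value=0, network_context=0):
    """Event Severity + Signature Fidelity + Attack Relevancy + Asset Value + Network Context.

    Assumed combination: severity (0-100) is scaled by fidelity (0-100, how prone
    the signature is to false positives) to give the base, the other three add
    to it, and the result is clamped to 0-100.
    """
    base = SEVERITY_VALUE[severity] * fidelity / 100
    return int(max(0, min(100, round(base + attack_relevancy + asset_value + network_context))))


def apply_global_correlation(rr, reputation):
    """Assumed: reputation runs -10 (worst) to 0 (neutral); each point below zero adds 5."""
    return min(100, rr + 5 * max(0, -reputation))


def risk_category(rr):
    """Assumed category thresholds."""
    if rr >= 90:
        return "HIGHRISK"
    if rr >= 70:
        return "MEDIUMRISK"
    return "LOWRISK"


# Assumed event action policy per risk category
ACTIONS_BY_CATEGORY = {
    "HIGHRISK": {"produce-alert", "log-attacker-packets", "deny-attacker-inline"},
    "MEDIUMRISK": {"produce-alert", "log-attacker-packets"},
    "LOWRISK": {"produce-alert"},
}


def evaluate(event, benign_filters):
    """Return the rating, category and final action set for one event.

    benign_filters: set of (sig_id, target) pairs known to trigger falsely; a
    match strips the deny action but keeps the alert so the event stays visible.
    """
    rr = risk_rating(event["severity"], event["fidelity"], event.get("attack_relevancy", 0),
                     event.get("asset_value", 0), event.get("network_context", 0))
    rr = apply_global_correlation(rr, event.get("reputation", 0))
    category = risk_category(rr)
    actions = set(ACTIONS_BY_CATEGORY[category])
    filtered = (event["sig_id"], event["target"]) in benign_filters
    if filtered:
        actions.discard("deny-attacker-inline")
    return {"rr": rr, "category": category, "actions": sorted(actions), "filtered": filtered}


# Constructed events (signature ids and targets are placeholders)
SAMPLE_EVENTS = [
    {"sig_id": 9001, "target": "10.0.0.5", "severity": "high", "fidelity": 85, "attack_relevancy": 10},
    {"sig_id": 9002, "target": "10.0.0.6", "severity": "medium", "fidelity": 80, "reputation": -4},
    {"sig_id": 9002, "target": "10.0.0.7", "severity": "medium", "fidelity": 80},
    {"sig_id": 9003, "target": "10.0.0.8", "severity": "high", "fidelity": 90},
]
BENIGN_FILTERS = {(9003, "10.0.0.8")}   # constructed: a known false positive on this host

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["sig_id"], ev["target"], evaluate(ev, BENIGN_FILTERS))
```

The second and third events carry the same signature and the same base rating; only the attacker's reputation differs, and that alone moves the event from LOWRISK to MEDIUMRISK. That is the slide-48 point in one line of arithmetic: the verdict depends on who is attacking, not only on what fired.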
  57. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  58. Forensic Capture
  59. Cisco IPS Architecture (same overview as slide 31, repeated as a section divider)
  60. Mitigation and Alarm
  61. Management

    Scalable solutions for device and event management
  62. Cisco IPS 4300 Series Software Support
     IPS 7.1(4)E4 release; CSM 4.3; IPS Device Manager 7.1(4); IME 7.2.1
  63. Cisco Security Manager 4.3
     Single Integrated Application: unified graphical interface for managing policy and troubleshooting of Firewall, IPS and VPN devices
     Enterprise Class Security Device Management: manages hundreds of Cisco security devices
     Part of the CSM managed device family with the CSM 4.3 release:
     - Health and Performance Monitoring (ASA/IPS)
     - Image Management (ASA)
     - Docked Policy Object Manager and Global Object Search
  64. CSM Policy-Based Management: Intuitive Policy Model for Ease of Management
     - Support for IPS sensors, modules and IOS IPS
     - Automatic policy based IPS sensor software and signature updates
     - Signature Update Wizard allowing easy review/editing prior to deployment
  65. CSM Tactical Reporting
     - 20+ predefined reports
     - Customizable graph and data
     - Export to PDF / Excel
     - Automated schedule
     - User defined reports
  66. CSM Integrated Event Management: Simplified Troubleshooting Experience
     - Real-time monitoring
     - Historical tracking
     - Event-to-policy navigation
     - Consolidated logs
     - Quick filters and sorting
     - Predefined and customizable views
     - Intuitive time scale
     - High performance
  67. CSM Health Performance Management
     - Real-time device monitoring for ASA and IPS: CPU, memory, interfaces, …
     - Predefined and customizable views
     - Email alerting on device health
     - Graphs
  68. IPS 4300 Deployment Options
  69. IPS 4300 Deployment Options: Basic Deployment Modes
     - Promiscuous interface
     - Promiscuous VLAN groups
     - Inline interface pairs
     - Inline VLAN pairs
  70. IPS 4300 Deployment Options: Promiscuous Interface
     - Promiscuous mode designs send only copies of the packets to the sensor as the traffic goes by
     - Interface itself assigned to a Virtual Sensor
     - Detection, not prevention
     - Separate device must send copies of the packets: SPAN (or monitor) from a switch, VACL capture from a switch, network taps
     Diagram: Ethernet switch with SPAN source ports or source VLAN (data flow) mirrored to a SPAN destination port connected to the promiscuous interface
  71. IPS 4300 Deployment Options: Promiscuous VLAN Groups
     - Interface is divided into subinterfaces
     - Packets must be tagged with 802.1q headers
     - Different VLAN groups can be assigned to different virtual sensors
     Diagram: Ethernet switch with SPAN source ports or source VLAN (data flow) mirrored to a SPAN destination port connected to the promiscuous interface
  72. IPS 4300 Deployment Options: Inline Interface Pairs
     - Sensor sits between two physical ports on a switch
     - Transparent interfaces: the sensor is a Layer 2 bridge
     Diagram: data flow passes through the sensor
  73. IPS 4300 Deployment Options: Inline VLAN Pairs
  74. Cisco IPS 4345 and 4360: 1 RU form factor, over 1 Gig performance, hardware accelerated, real world performance
  75. Additional Resources
     - Cisco IPS 4300: http://www.cisco.com/en/US/partner/prod/collateral/xx
     - IPSPedia: http://ipspedia.cisco.com/index.php/Main_Page
     - Cisco.com Security Site: http://cisco.com/go/security
  76. Cisco IPS 4300 Series

    Backup Slides
  77. Hardware

  78. IPS 4255 versus IPS 4345: Key Changes
     Performance: X IPS throughput
     Hardware: multi-core instead of single-core CPUs; 8X memory; dedicated management port
  79. IPS 4260 versus IPS 4360: Key Changes
     Performance: IPS throughput
     Hardware: multi-core instead of single-core CPUs; 8X memory; dedicated management port
  80. Performance

    Redefining IPS Performance to provide a Real World, realistic measurement
  81. REGEX Accelerator: hardware accelerated inspection