
Cisco IP Solution Center Scalable Security Management


calder




Presentation Transcript


  1. Cisco IP Solution Center Scalable Security Management

  2. Challenges Managing Scalable Security Deployments

  3. Security Management Scope in the 90’s: Network Silos & Point Protection Security Solution
     [Diagram: headquarters (FINANCE with ERP, HR with HR apps; NAT protection and intrusion detection) and remote offices (MANUFACTURING with MRP) connected by lease line, ISDN and PSTN; partners reached mostly by phone/fax; every department runs its own anti virus application; individual applications created/used by individual departments.]

  4. Security Management Scope Today: Connected Networks & Complex Security Technologies
     [Diagram: headquarters, remote office, teleworker, partners and customer interconnected over VPNs, each edge protected by a firewall and IDS; departmental applications (HR apps, ERP, MRP, sales automation) available throughout; partners and customers reached mostly by Web/Extranet.]

  5. Complex Security Policy Management
     • Centralized definition of network wide security policies
     • Integrated management of VPN, FW, NAT and QOS policies
     • Global modification of security policies
     • Real time policy audit
     • On going policy monitoring and alerting
     [Diagram: Real Time Security Rules Verification / Dynamic Access Point Policy Mgmt: high level security policies (VPN encryption policy, FW policy rules) are mapped down to the device access-list entries (access-list outside permit/icmp/gre/ah …).]

  6. Scalable And Cost Efficient Deployment
     • Management of hundreds of thousands of security access points
     • Mass deployment of security policies
     • Move of devices, addition of new devices
     • Simultaneous multiple client access
     [Diagram: Back End Scalability / Front End Scalability]

  7. Role Based Access Control
     • Different service view into the same network
     • Different administration role with different access privileges
     • Support of multiple partitioning, multiple groups and end users
     • Physical/logical inventory, internal/external access management
     [Diagram: user roles around the system: Technical Support, Design Team, Deployment Force, Sales Force, Internal Users, Telecommuters, External Customers, Distributors, Suppliers, Partners]

  8. Cisco Scalable Security Management Solution: Cisco IP Solution Center Security Management

  9. Cisco IP Solution Center Integrated IP Service Life Cycle Management

  10. Cisco IP Solution Center (ISC) Security Management Solution
     Security Policy Definition: ISC:SM provides a policy based security service design tool allowing users to efficiently design security policies for Firewall, NAT, IDS or IPsec VPN services.
     Vulnerability Assessment: ISC:SM enables customers to proactively secure their IT infrastructure through our VA partners’ automated real-time security risk analysis tool.
     Configuration & Provisioning: ISC:SM analyzes the current network configuration, dynamically generates the security device configurations and manages the large scale security deployment.
     Reporting: ISC:Security Management provides a tunnel report and a VPN testing report along with the SIM partner’s security event analysis report.
     Security Policy Audit: ISC:SM delivers high volume security policy auditing capability to ensure policy integrity.
     Security Alarm: ISC:SM provides a comprehensive security soft alarm management feature along with partners’ security alarm management capability.
     [Diagram: the six areas (Security Policy Definition, Vulnerability Assessment, Configuration & Provisioning, Reporting, Security Policy Audit, Security Alarm) arranged around ISC: MSS.]
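Slides 5 and 10 describe the policy audit: the intended high level rules are compared with the access-list entries actually present on the device, and any drift is reported. The Python below is an added illustration, not ISC code; it assumes classic PIX access-list syntax (`access-list <name> permit|deny <proto> <src> <dst>` with `any`, `host A.B.C.D` or address/netmask operands), and the intended policy and device configuration are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Normalized rule: addresses as CIDR so 'host 10.2.0.10' == '10.2.0.10/32'."""
    action: str   # permit | deny
    proto: str    # ip | tcp | udp | icmp ...
    src: str
    dst: str

def pop_address(tokens):
    """Consume one classic PIX address operand: any | host A.B.C.D | A.B.C.D MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0/0"
    if tok == "host":
        return str(ipaddress.ip_network(tokens.pop(0) + "/32"))
    mask = tokens.pop(0)  # dotted netmask, e.g. 255.255.0.0
    return str(ipaddress.ip_network(f"{tok}/{mask}", strict=False))

def parse_access_list(config, acl_name):
    """Collect the Rules the device holds under one access-list name."""
    rules = set()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["access-list", acl_name]:
            continue
        operands = parts[4:]
        src, dst = pop_address(operands), pop_address(operands)
        rules.add(Rule(parts[2], parts[3], src, dst))
    return rules

# Constructed intended policy for the 'outside' ACL (not from a real deployment).
INTENDED = {
    Rule("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32"),
    Rule("permit", "udp", "10.1.0.0/16", "10.2.0.53/32"),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
}

# Constructed device config with drift: UDP rule missing, hand-added rule to 10.2.0.22.
DEVICE_CONFIG = """\
access-list outside permit tcp 10.1.0.0 255.255.0.0 host 10.2.0.10
access-list outside permit tcp any host 10.2.0.22
access-list outside deny ip any any
"""

def audit_outside_acl():
    """Policy integrity check: (rules the device lacks, rules it should not have)."""
    deployed = parse_access_list(DEVICE_CONFIG, "outside")
    return INTENDED - deployed, deployed - INTENDED
```

Either non-empty set is a policy integrity finding: a missing rule means the intended policy is not enforced, an unexpected rule means the device was changed outside the management system.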

  11. Cisco IP Solution Center Integrated System Design
     Centralized system resource management
     • Integrated resource pool
     • Inventory management
     • Topology tool
     • Device view
     • Device Group
     • Internal/External Customer
     • Provider view
     • Logical Partitioning
     • Work flow control
     • Monitoring
     • Scheduling
     • Open interface

  12. Cisco IP Solution Center Role Based Access Control Model
     [Diagram: IP Solution Center in the centre, with Technical Support, Design Team, Sales Force and Internal Users on one side and External Customers and Distributors on the other.]

  13. Cisco IP Solution Center Scalable System Architecture
     [Diagram: Scalable Front End / Scalable Back End]

  14. Cisco IP Solution Center Security Management Overview
     ISC: Security Mgmt – Integrated VPN, FW, IDS (IOS) and NAT Mgmt
     • Policy based security management framework
     • Technology abstraction allows for multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
     • New device support requires only development of a new device adapter
     • Cross linked models in a single store allow for integration of technologies
     • Open XML/HTTP interfaces allow for security ISV partner integration
     • CNS: Config engine allows for zero touch security mgmt
     [Architecture diagram: data stores (Logical Network Topology, Device Inventory, Customer Inventory, RBAC Data Store, Service Data Store, Service Relationship); a technology abstraction layer covering Site to Site VPN, Remote Access VPN, EZVPN, DMVPN, Firewall, NAT, IDS (IOS) and Network Based IPsec; device drivers for IOS, PIX and VPN3K.]

  15. Cisco IP Solution Center Integrated VPN Management
     • Site-to-Site VPN
     • EZVPN, DMVPN, Network Based IPsec
     • VPN topologies: Hub-and-spoke, full mesh, and partial mesh
     • Automatic generation of unique pre-shared keys
     • Templates for certificate enrollment
     • Provisioning routing protocols over GRE tunnels: OSPF, EIGRP, RIP
     • Remote Access VPN
     • VPN Reporting and Monitoring
     • VPN connectivity test report
     • VPN policy audit report
     • VPN SLA report via SAA
     • CNM views

  16. Cisco IP Solution Center Firewall Management
     • Policy-based firewall management
     • Common firewall policy for multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
     • Hierarchical policies
     • High-level policy rules: Support for both filter rules and inspect rules
     • URL Filtering
     • Authentication Proxy: http, https, ftp, telnet
     • Inheritance in device containment hierarchy
     • CNM views for customer policy
     • Can be used as an independent service or in conjunction with another service such as IPsec VPN, QoS, MPLS VPN…etc

  17. Cisco IP Solution Center Quality of Service Control
     • Policy Associated with QoS Service Classes
     • Implemented using MQC & non-MQC commands – Rate Limiting
     • All classes contained in the DiffServ architecture are supported (DSCP - 64 classes, IP Prec - 8 classes)
     • Default Policy shall support 3 classes – VoIP, Business-Data, & Best-Effort
     • Link-level QoS policy

  18. Cisco IP Solution Center: SM Hybrid VPN – IPsec To MPLS. Cisco IP Solution Center Enabled Network-Based IPsec: A Solution To The N Square Limitation
     [Diagram: branch office access and remote users/telecommuters (SOHO, cable/DSL/ISDN ISP, local or direct dial ISP) running Cisco IOS VPN routers or Cisco Client 3.x terminate IPsec sessions on PE routers of the SP shared network (a one or two box network based IPsec solution); the MPLS/Layer 2 based network carries VPN A, VPN B and VPN C to the corporate intranets of Customer A (head office and branch office), Customer B and Customer C.]

  19. Other Integrated Security Management Tools
     Cisco IP Solution Center NAT Management Tool
     • Support for multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
     • Support for static translation: Network based, Host based or Port based
     • Support for dynamic translation: Standard or PAT
     • Support for overlapping address space
     • Can be used as an independent utility or in conjunction with another technology such as IPsec VPN
     Cisco IP Solution Center CERT Management Tool
     • Templates for cert enrollment on one or more routers
     • Verify presence of the root cert & device cert for a given trust point’s cert chain
     • Verify re-enrollment of certificates according to the auto-enroll percentage parameter
     • Summary report indicating cert enrollment status or expiration status on desired VPN routers
     • Routine verification or certificate update
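The CERT management checks above (root and device cert present for the trust point, re-enrollment according to the auto-enroll percentage, a summary report of enrollment and expiration status) can be expressed as one classification pass over an inventory. The Python below is an added example, not ISC code; it assumes the IOS auto-enroll semantics where re-enrollment starts once the given percentage of the certificate lifetime has elapsed, and the router inventory, names and dates are constructed.

```python
from datetime import datetime

def renewal_due_at(not_before, not_after, auto_enroll_pct):
    """Point in the cert lifetime at which auto-enroll should start re-enrollment:
    not_before + auto_enroll_pct % of (not_after - not_before)."""
    return not_before + (not_after - not_before) * (auto_enroll_pct / 100)

def cert_status(router, now):
    """Classify one router's trust point the way the summary report would."""
    if not router["root_cert_present"]:
        return "MISSING_ROOT_CERT"      # chain cannot be validated at all
    cert = router["device_cert"]
    if cert is None:
        return "NOT_ENROLLED"           # no device cert under the trust point
    if now >= cert["not_after"]:
        return "EXPIRED"
    due = renewal_due_at(cert["not_before"], cert["not_after"], router["auto_enroll_pct"])
    if now >= due:
        return "RENEWAL_OVERDUE"        # auto-enroll should already have fired
    return "OK"

def summary_report(routers, now):
    """Map router name -> status, plus a count per status for the report header."""
    statuses = {r["name"]: cert_status(r, now) for r in routers}
    counts = {}
    for s in statuses.values():
        counts[s] = counts.get(s, 0) + 1
    return statuses, counts

# Constructed inventory: hypothetical router names and validity dates, not real devices.
ROUTERS = [
    {"name": "hq-vpn-1", "root_cert_present": True, "auto_enroll_pct": 70,
     "device_cert": {"not_before": datetime(2024, 1, 1), "not_after": datetime(2025, 1, 1)}},
    {"name": "branch-2", "root_cert_present": True, "auto_enroll_pct": 70,
     "device_cert": {"not_before": datetime(2023, 9, 1), "not_after": datetime(2024, 9, 1)}},
    {"name": "branch-7", "root_cert_present": True, "auto_enroll_pct": 70,
     "device_cert": {"not_before": datetime(2023, 1, 1), "not_after": datetime(2024, 1, 1)}},
    {"name": "branch-9", "root_cert_present": False, "auto_enroll_pct": 70,
     "device_cert": None},
]

def run_report(now=datetime(2024, 6, 1)):
    """Audit the constructed inventory as of a fixed date so the result is reproducible."""
    return summary_report(ROUTERS, now)
```

A RENEWAL_OVERDUE entry is the interesting finding: the cert is still valid, but the router failed to re-enroll when the auto-enroll percentage said it should, so it will expire unless someone intervenes.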

  20. Self Managed Large Scale Security Deployment: Truck Roll Saving, Plug & Play
     Step 1: Cisco ships the router directly to the customer end site with a bootstrap configuration
     Step 2: Define the security policy
     Step 3: Upon connectivity, the device events IP Solution Center via Cisco CNS
     Step 4: IP Solution Center dynamically configures the security device
     Step 5: Each device informs ISC of successful deployment: complex security policy deployed
     Step 6: Periodic security policy audit
     [Diagram: HQ running IP Solution Center + Cisco CNS reaches Branch 1, Branch 2 … Branch n over the Internet through Cisco CNS.]

  21. Self Managed Large Scale Security Deployment: TCO Analysis – Cisco IP Solution Center Solution
     [Chart: IP Security TCO split into Operations (OSS & Staff) 40% and Equipment/Network 60%; with Cisco ISC the operations share is reduced (“Cisco ISC - Reduced Op TCO”) on a Cisco Powered Network.]
     Operations (OSS & Staff) OPEX drivers:
     • Multi-disciplined expertise required (VPN, Firewall, NAT, QoS…)
     • Heavy applications duplicate effort and investment
     • Can’t hire and train enough people to manage the deployment and changes of security policies
     With Cisco ISC:
     • ISC: manages the complexity of security technologies
     • Efficient security policy audit to guarantee the security integrity
     • Self managed zero touch deployment environment

  22. Cisco IP Solution Center Summary
     • Single Application for VPN, Firewall, NAT, QoS and IDS (IOS) for heterogeneous platforms
     • Integrated policy-based management
     • Scalable 4-tier architecture
     • Industry leading VPN feature set support
     • L2, L3 and VPN topology views
     • Intelligent provisioning and auditing engine
     • Open interfaces
