Cisco SAFE: A Security Blueprint for Enterprise Networks
Özay UYANIK, Cisco Systems TURKEY
The Internet is Changing… Everything: vote, purchase, bank, travel, medicate.
The Security Dilemma. Internet business value grows with each new use (Internet presence, e-learning, customer care, workforce optimization, supply chain management, e-commerce, corporate intranet, Internet access), an explosion in e-business; but expanded access brings heightened security risks.
Internet Threats Driving Security Awareness. Headlines: "Worm Blaster Strikes Worldwide" (CNN); "Several Web Sites Attacked Following Assault on Yahoo!" (New York Times); "AOL Boosts Email Security After Attack" (C/NET). Threat classes: information theft, virus attacks, denial of service, unauthorized entry, data interception, unprotected assets.
Critical e-Business Solutions (e-learning, customer care, workforce optimization, supply chain management, e-commerce) all depend on the Internet: an intelligent and secure network infrastructure is required for e-business.
Are You Secure? The slide reports vulnerability rates by attack path (external exploitation from the Internet, dial-in exploitation, internal exploitation) of 65+%, 75% (95+% externally once secondary exploitation is counted) and 100%.
100% Security
"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it…"
Gene Spafford, Director, Computer Operations, Audit, and Security Technology (COAST), Purdue University
Cisco SAFE is a flexible framework that empowers companies to securely take advantage of the Internet economy.
Key Components of a SAFE Module: secure connectivity, perimeter security, security monitoring, identity, security management.
Security Is… The slide pairs familiar physical controls (security camera, guard, traditional locks, security office) with their network counterparts: intrusion detection and the IDS manager, the intrusion detection card, the key security manager, the authentication server and the firewall.
SAFE Enterprise Network Design Guide. Cisco SAFE architecture goals: security, resilience, performance, scalability, QoS awareness. Modules: Enterprise Campus (user access, distribution, core, management, server), Enterprise Edge (corporate Internet, e-commerce, VPN and remote access, WAN) and ISP Edge (ISP A, ISP B, PSTN, Frame/ATM modules).
Enterprise SAFE Network. SAFE Axioms:
• Routers are targets
• Switches are targets
• Hosts are targets
• Networks are targets
• Applications are targets
• Secure management and reporting are required
(The slide overlays these on the module map: user access, distribution, core, management and server modules in the campus; VPN and remote access and e-commerce modules at the enterprise edge; PSTN and ISP modules at the ISP edge.)
Routers are Targets
• Potentially a hacker's best friend: a compromised router sees, and can redirect, every flow that passes through it
• Protection should include:
 - constraining Telnet (VTY) access to known management addresses, using SSH where available
 - SNMP read-only, with each community restricted by an access-list
 - administrative access authenticated with TACACS+
 - NTP authentication
 - turning off unneeded services
 - logging unauthorized access attempts
 - authentication of routing updates (for example OSPF MD5)
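The checklist above is easy to state and easy to drift from. The following script, added here as an example and not part of the original slides or of any Cisco tool, audits a saved IOS running-config against each item. Both configs it ships with are constructed samples (device names, addresses and the key values are invented), one with the typical weaknesses and one hardened; the finding codes and the `_sections`/`audit_config` helpers are this example's own.

```python
"""Audit a Cisco IOS running-config against the 'Routers are Targets' checklist.

Added example for this page; not Cisco code.  The two configs are constructed
samples, not captures from a real device.
"""
import re

WEAK_CONFIG = """\
hostname edge-rtr
service tcp-small-servers
ip http server
snmp-server community public RW
snmp-server community Txo~QbW3XM RO 98
access-list 98 permit host 192.168.253.51
ntp server 192.168.253.50
line vty 0 4
 transport input telnet ssh
 login
router ospf 100
 network 10.0.0.0 0.255.255.255 area 0
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip source-route
no cdp run
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.168.253.54
logging 192.168.253.56
ntp authenticate
ntp authentication-key 1 md5 n0tTheRealKey
ntp trusted-key 1
ntp server 192.168.253.50 key 1
snmp-server community Txo~QbW3XM RO 98
access-list 98 permit host 192.168.253.51
access-list 99 permit host 192.168.253.51
line vty 0 4
 access-class 99 in
 transport input ssh
 login authentication default
router ospf 100
 area 0 authentication message-digest
"""

# Services that should not appear enabled on an edge router.
UNNEEDED_SERVICES = ("service tcp-small-servers", "service udp-small-servers",
                     "ip http server", "ip finger", "ip bootp server")


def _sections(lines, header_re):
    """Yield the (stripped) indented body of every section whose header matches header_re."""
    body, inside = None, False
    for l in lines:
        if re.match(header_re, l):
            if body is not None:
                yield body
            body, inside = [], True
        elif inside and l.startswith(" "):
            body.append(l.strip())
        else:
            if body is not None:
                yield body
            body, inside = None, False
    if body is not None:
        yield body


def audit_config(text):
    """Return a list of (code, detail) findings; an empty list means every check passed."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    findings = []
    # Constrain Telnet: every VTY block needs an access-class and should accept SSH only.
    for vty in _sections(lines, r"^line vty"):
        if not any(l.startswith("access-class") for l in vty):
            findings.append(("VTY-NO-ACCESS-CLASS", "vty lines accept connections from any source"))
        if any(re.match(r"transport input .*\btelnet\b", l) for l in vty):
            findings.append(("VTY-TELNET", "cleartext telnet allowed on vty lines"))
    # SNMP read-only, and every community tied to an access-list.
    for l in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?", l)
        if m and m.group(2) == "RW":
            findings.append(("SNMP-RW", f"read-write community '{m.group(1)}'"))
        if m and m.group(3) is None:
            findings.append(("SNMP-NO-ACL", f"community '{m.group(1)}' has no access-list"))
    # Administrative access through TACACS+.
    if not any(re.match(r"aaa authentication login .*tacacs\+", l) for l in lines):
        findings.append(("NO-TACACS", "login authentication not using TACACS+"))
    # NTP authentication whenever NTP servers are used.
    if any(l.startswith("ntp server") for l in lines) and "ntp authenticate" not in lines:
        findings.append(("NTP-NO-AUTH", "ntp servers configured without 'ntp authenticate'"))
    # Unneeded services: explicitly enabled ones, plus two that are on by default.
    for svc in UNNEEDED_SERVICES:
        if svc in lines:
            findings.append(("UNNEEDED-SERVICE", svc))
    for dflt in ("no ip source-route", "no cdp run"):
        if dflt not in lines:
            findings.append(("DEFAULT-ON", f"'{dflt}' missing (feature is enabled by default)"))
    # Logging of access attempts needs somewhere to go.
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in lines):
        findings.append(("NO-SYSLOG", "no syslog host configured"))
    # Authentication of routing updates (OSPF MD5, area-wide or per interface).
    ospf = list(_sections(lines, r"^router ospf"))
    md5 = (any(re.match(r"area \S+ authentication message-digest", l) for b in ospf for l in b)
           or any(l.strip().startswith("ip ospf message-digest-key") for l in lines))
    if ospf and not md5:
        findings.append(("OSPF-NO-AUTH", "OSPF running without MD5 authentication"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for code, detail in audit_config(cfg):
            print(f"  {code:20} {detail}")
```

Run it against `show running-config` output saved to a file and read into `audit_config`; the checks are deliberately string-level so they can be extended with the switch items from the next slide (for example flagging user ports without `switchport mode access`).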
Switches are Targets
• Protection needs are similar to routers
• VLANs are an added vulnerability:
 - remove user ports from auto-trunking (no DTP negotiation on access ports)
 - use non-user VLANs for trunk ports, so a trunk's native VLAN never carries user traffic
 - set unused ports to a non-routed VLAN
 - do not depend on VLAN separation alone as a security boundary
 - use private VLANs
ARP Spoof Mitigation: Private VLANs (only one subnet)
• PVLANs isolate traffic within specific communities to create distinct "networks" inside a normal VLAN: promiscuous ports (typically the default gateway or firewall) reach every port; community ports reach the promiscuous ports and the other members of their own community (community 'A' cannot reach community 'B'); isolated ports reach only the promiscuous ports
• Note: most inter-host communication is disabled with PVLANs turned on, which removes the Layer 2 path an ARP-spoofing host needs to its neighbours
• Reference: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519
Networks are Targets
• DDoS attacks (ICMP floods, TCP SYN floods, UDP floods) cannot be stopped by the victim network alone; filtering and rate-limiting upstream at the service provider are needed
• Packets with RFC 1918 (private) or local source addresses should only originate locally, so drop them when they arrive from outside
• IP address spoofing can be mitigated by filtering packets whose source address is not registered to the network they arrive from (ingress/egress filtering)
RFC 2267 Filtering (RFC 2267 is the original version of BCP 38; it has since been replaced by RFC 2827, which the later slides cite). Customer network: 142.142.0.0/16; ISP network beyond it.

Egress filtering, on the interface toward the Internet: packets arriving from the Internet may not claim a customer source address, and packets leaving toward the Internet must carry a customer source address.

 interface Serial n
  ip access-group 120 in
  ip access-group 130 out
 !
 access-list 120 deny ip 142.142.0.0 0.0.255.255 any
 access-list 120 permit ip any any
 !
 access-list 130 permit ip 142.142.0.0 0.0.255.255 any
 access-list 130 deny ip any any

Ingress filtering, on the interface facing the customer: packets arriving from the customer must be sourced from customer addresses.

 interface Serial n
  ip access-group 101 in
 !
 access-list 101 permit ip 142.142.0.0 0.0.255.255 any
 access-list 101 deny ip any any

(The slide omitted the protocol keyword on two entries; extended numbered ACLs require it, hence the added "ip".)
RFC 1918 Filtering, ingress to the Internet (private address space is never a valid source on packets arriving from outside):

 interface Serial n
  ip access-group 101 in
 !
 access-list 101 deny ip 10.0.0.0 0.255.255.255 any
 access-list 101 deny ip 192.168.0.0 0.0.255.255 any
 access-list 101 deny ip 172.16.0.0 0.15.255.255 any
 access-list 101 permit ip any any
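To see exactly which packets the four access lists above accept and reject, here is a small interpreter for numbered extended IOS ACLs, added as an example for this page (it is not Cisco code and not part of the original slides). It implements first-match evaluation with the implicit trailing deny and IOS wildcard-mask semantics; the ACL text is the slides' own, and the packets it is run against are constructed test inputs using documentation addresses.

```python
"""Evaluate the RFC 2827 (ex-RFC 2267) and RFC 1918 access lists from the slides.

Added example for this page, not Cisco code: a minimal interpreter for numbered
extended IOS ACLs (first match wins, implicit 'deny ip any any').  The ACL text is
the slides' own; the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" | "deny"
    proto: str         # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tok[i]; return (addr, wildcard, next)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines into a list of Aces."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, sw, i = _parse_spec(tok, 4)
        dst, dw, _ = _parse_spec(tok, i)
        aces.append(Ace(tok[2], tok[3], src, sw, dst, dw))
    return aces


def _match(addr, net, wild):
    # A 1 bit in the wildcard mask means "don't care": compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return addr & care == net & care


def evaluate(aces, pkt):
    """First matching entry decides; no match at all is the implicit deny."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if _match(s, a.src, a.src_wild) and _match(d, a.dst, a.dst_wild):
            return a.action
    return "deny"


# Internet-facing interface, inbound: nobody outside may claim a customer source.
ACL_120 = parse_acl("""
access-list 120 deny ip 142.142.0.0 0.0.255.255 any
access-list 120 permit ip any any
""")
# Internet-facing interface, outbound: only customer sources may leave.
ACL_130 = parse_acl("""
access-list 130 permit ip 142.142.0.0 0.0.255.255 any
access-list 130 deny ip any any
""")
# Customer-facing interface, inbound (RFC 2827 ingress filtering).
ACL_2827 = parse_acl("""
access-list 101 permit ip 142.142.0.0 0.0.255.255 any
access-list 101 deny ip any any
""")
# RFC 1918 sources must never arrive from outside.
ACL_1918 = parse_acl("""
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit ip any any
""")

if __name__ == "__main__":
    cases = [  # constructed packets
        ("spoofed customer source arriving from the Internet", ACL_120, Packet("142.142.1.1", "142.142.1.2")),
        ("genuine outside source arriving from the Internet", ACL_120, Packet("203.0.113.9", "142.142.1.2")),
        ("customer host leaving toward the Internet", ACL_130, Packet("142.142.9.9", "203.0.113.9")),
        ("private source leaking toward the Internet", ACL_130, Packet("10.1.1.1", "203.0.113.9")),
        ("customer source on the ISP's customer-facing link", ACL_2827, Packet("142.142.0.5", "198.51.100.1")),
        ("foreign source on the ISP's customer-facing link", ACL_2827, Packet("198.51.100.1", "142.142.0.5")),
        ("172.31.x.x is inside 172.16.0.0/12", ACL_1918, Packet("172.31.255.255", "142.142.0.5")),
        ("172.32.x.x is just outside 172.16.0.0/12", ACL_1918, Packet("172.32.0.1", "142.142.0.5")),
    ]
    for desc, acl, p in cases:
        print(f"{evaluate(acl, p):6}  {p.src:>15} -> {p.dst:<15}  {desc}")
```

The 172.16.0.0 0.15.255.255 entry is the one people most often get wrong by hand; the last two cases show the wildcard mask doing the /12 boundary check correctly.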
Hosts are Targets
• High visibility makes them an easy target
• Ensure the host's components are compatible and at the latest version:
 - hardware platform and devices
 - operating system and updates
 - standard applications and patches
 - shareware scripts
Applications are Targets
• The complexity of applications leaves them open to vulnerabilities introduced by human error
• Host- and network-based IDS focus on recognizing attack signatures and taking action:
 - shunning/blocking
 - alarm/warning
 - simply logging
Secure Management and Reporting
• Logging levels
• NTP (synchronized, authenticated time so that logs from different devices can be correlated)
• Out-of-band management
• IPsec, SSH or SSL for any in-band management traffic
• SNMP (read-only)
• Change management
Cisco SAFE Enterprise Network Design Modules
Enterprise Campus: Building, Building Distribution, Core, Management, Server, Edge Distribution
Enterprise Edge: E-Commerce, Corporate Internet, VPN and Remote Access, WAN
SP Edge: ISP A, ISP B, PSTN, Frame/ATM
Campus Network Section
 - Management Module
 - Building Access and Distribution
 - Core and Server Modules
 - Edge Distribution Module
Management Module
• Out-of-band management:
 - separate physical networks
 - separate address space (192.168.25x.xxx in the design guide)
 - use IPsec if physical separation is not possible
• Firewall between the management subnet and the managed-device subnet
Management Module (cont'd)
• Isolate managed ports to minimize the impact of a compromised device
• NIDS and HIDS on the management subnet
• One-time passwords for administrator authentication
• SNMP read-only, with the community restricted by access-list to the management station:
 snmp-server community Txo~QbW3XM RO 98
 access-list 98 permit host 192.168.253.51
Attack Mitigation Roles for Management Module (slide diagram). OTP server: two-factor authentication. Access control server: AAA services. Terminal server (IOS): console access to all device console ports. Network monitoring: read-only SNMP. IDS director: comprehensive Layer 4-7 analysis. Syslog 1 and syslog 2: network log data. Config and content management: out-of-band config management. System admin: SSH where possible. Management firewall/router: stateful packet filtering and IPsec termination for encrypted in-band network management. Management switch: private VLANs. Management hosts: IDS for local attack. Out-of-band network management runs to the managed devices.
Enterprise Campus Detail (slide diagram). Management Module: OTP server, access control server, terminal server (IOS), network monitoring, IDS director, syslog 1, syslog 2, system admin. Building Module (users) and Building Distribution Module. Core Module. Server Module: Cisco Call Manager, corporate server, internal email, department server. Edge Distribution Module, with links to the e-commerce, corporate Internet, VPN/remote access and WAN modules.
Attack Mitigation Roles for Building and Distribution Modules: host virus scanning on user hosts; VLANs in the building module; inter-subnet filtering and RFC 2827 filtering at the building distribution layer, toward the core module.
Attack Mitigation Roles for Core and Server Modules: NIDS for server attacks; private VLANs for server connections; RFC 2827 filtering; host IDS for local attack on the servers (internal email, department server, Call Manager); links to the building distribution and edge distribution modules.
Attack Mitigation Roles for Edge Distribution Module: Layer 3 access control and RFC 2827 filtering between the core module and the e-commerce, corporate Internet, VPN/remote access and WAN modules.
Edge Network Section
 - Corporate Internet Module
 - Remote Access and VPN Module
 - WAN Module
 - E-Commerce Module
 - ISP Filtering
Enterprise Edge Detail (slide diagram): the e-commerce module and the corporate Internet module each connect to the edge distribution module and to the ISP A and ISP B modules; the corporate Internet module also connects to the VPN/remote access module.
Attack Mitigation Roles for Corporate Internet Module (slide diagram; ISP A at the edge, edge distribution and VPN/remote access behind): spoof mitigation and (D)DoS rate-limiting at the ISP edge; spoof mitigation and basic filtering on the edge routers; stateful packet filtering, basic Layer 7 filtering and host DoS mitigation at the firewall; host IDS for local attack mitigation and SMTP content inspection on the public servers; broad Layer 4-7 analysis (outside) and focused Layer 4-7 analysis (inside) by NIDS; inspection of outbound traffic for unauthorized URLs.
VPN/Remote Access Detail (slide diagram): the VPN/remote access module connects to the corporate Internet module and the edge distribution module and terminates the PSTN module; the WAN module connects to the Frame/ATM module and the edge distribution module.
Attack Mitigation Roles for Remote Access VPN Module: allow only IPsec traffic in from the Internet via the corporate Internet module; the remote-user VPN concentrator authenticates users and terminates IPsec; the site-to-site VPN router authenticates remote sites and terminates IPsec; the dial access server terminates analog dial from the PSTN and authenticates users; the firewall provides stateful packet filtering and basic Layer 7 filtering toward the edge distribution module; NIDS provide focused and broad Layer 4-7 analysis.
Classic WAN Module: Detail and Attack Mitigation
The classic WAN (Frame Relay/ATM) is not often addressed in a security context. Man-in-the-middle attacks on the carrier network can be mitigated by IOS features on the WAN routers:
 - Layer 3 access control on the links toward the edge distribution module
 - IPsec encryption across the carrier network (optional)
E-Commerce Traffic Flow (slide diagram): incoming requests enter from the ISP module and pass Layer 1-3, Layer 4 and Layer 5-7 controls in turn before reaching the web application and database application tiers of the e-commerce module, which sits in front of the edge distribution module.
Attack Mitigation Roles for E-Commerce Module (slide diagram): spoof mitigation and (D)DoS rate limiting at the ISP edge; Layer 4 filtering on the edge routers; stateful packet filtering and basic Layer 7 filtering at each firewall tier; wire-speed access control on the Layer 3 switches; broad Layer 4-7 analysis at the edge and focused Layer 4-7 analysis in each tier by NIDS; host IDS for local attack mitigation and host DoS mitigation on the servers; connection to edge distribution.
Service Provider Filtering
• Best in e-commerce environments
• DDoS mitigation
• Bandwidth optimization
• RFC 1918 and RFC 2827 filtering
Slide example: the provider passes a customer's requests to the public services on ports 80 and 443 (ok), but drops an attacker's Telnet (port 23) attempt against the public services and a DDoS agent's UDP flood before they reach the enterprise; internal users and internal services sit behind the public services.
CAR Rate Limiting

Limit outbound ping to 8 Kbps (rate in bits per second, then normal and excess burst in bytes):

 interface xy
  rate-limit output access-group 102 8000 8000 8000 conform-action transmit exceed-action drop
 !
 access-list 102 permit icmp any any echo
 access-list 102 permit icmp any any echo-reply

Limit inbound TCP SYN packets to 256 Kbps. A deny in a rate-limit access-list exempts the packet from the policer rather than dropping it, so segments of established connections (ACK or RST set) pass unlimited and only connection-opening segments are policed:

 interface xy
  rate-limit input access-group 103 256000 8000 8000 conform-action transmit exceed-action drop
 !
 access-list 103 deny tcp any host 142.142.42.1 established
 access-list 103 permit tcp any host 142.142.42.1
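What those two policies do to a flood is easier to see in a model than on a whiteboard. The script below, an added example for this page and not Cisco code, implements the CAR token bucket with the slide's parameters and the two access lists' match logic, then replays a constructed SYN flood (with some established traffic mixed in) and a constructed ping flood through them. Because both slide policies set normal burst equal to excess burst, CAR's extended-burst behaviour is off and a plain token bucket is exact; the model refuses other settings rather than approximate them. `CarPolicer`, `matches_acl_102`, `matches_acl_103` and the demo functions are this example's own names.

```python
"""Token-bucket model of the two CAR policies on the slide.

Added example for this page, not Cisco code.  Models 'rate-limit' with normal
burst == excess burst (as on the slide), which disables CAR's extended burst and
leaves a plain token bucket.  All packets are constructed, not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t_us: int                          # arrival time, microseconds
    size: int                          # bytes on the wire
    proto: str                         # "tcp" | "udp" | "icmp"
    dst: str
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""                # "echo", "echo-reply", "unreachable", ...


def matches_acl_103(p):
    """access-list 103 deny tcp any host 142.142.42.1 established
       access-list 103 permit tcp any host 142.142.42.1
    In a rate-limit ACL 'deny' means 'not policed', so only segments without
    ACK/RST (new connections, i.e. SYNs) are subject to the limit."""
    if p.proto != "tcp" or p.dst != "142.142.42.1":
        return False
    return not (p.flags & {"ACK", "RST"})


def matches_acl_102(p):
    """access-list 102 permit icmp any any echo / echo-reply."""
    return p.proto == "icmp" and p.icmp_type in ("echo", "echo-reply")


class CarPolicer:
    def __init__(self, rate_bps, normal_burst, excess_burst, match):
        if normal_burst != excess_burst:
            raise ValueError("extended burst (Be > Bc) is not modelled here")
        self.rate_bps, self.burst, self.match = rate_bps, normal_burst, match
        self.tokens = float(normal_burst)      # bucket starts full
        self.last_us = 0
        self.transmitted = self.dropped = self.unpoliced = 0

    def handle(self, p):
        """Return 'transmit' or 'drop' for one packet; call in arrival order."""
        if not self.match(p):
            self.unpoliced += 1                # ACL miss: forwarded, bucket untouched
            return "transmit"
        # Refill at rate_bps/8 bytes per second, capped at the burst size.
        dt_us = p.t_us - self.last_us
        self.tokens = min(self.burst, self.tokens + dt_us * self.rate_bps / 8_000_000)
        self.last_us = p.t_us
        if p.size <= self.tokens:
            self.tokens -= p.size
            self.transmitted += 1
            return "transmit"
        self.dropped += 1
        return "drop"


def syn_flood_demo():
    """2000 SYNs of 60 bytes at 4000 pps (half a second) against 142.142.42.1, with
    an established 1500-byte segment every 10th slot.  Returns
    (syns_transmitted, syns_dropped, established_transmitted)."""
    pol = CarPolicer(256_000, 8000, 8000, matches_acl_103)
    syn_ok = syn_drop = est_ok = 0
    for i in range(2000):
        syn = Packet(i * 250, 60, "tcp", "142.142.42.1", frozenset({"SYN"}))
        if pol.handle(syn) == "transmit":
            syn_ok += 1
        else:
            syn_drop += 1
        if i % 10 == 0:
            est = Packet(i * 250 + 1, 1500, "tcp", "142.142.42.1", frozenset({"ACK"}))
            est_ok += pol.handle(est) == "transmit"
    return syn_ok, syn_drop, est_ok


def ping_flood_demo():
    """1000 outbound echo requests of 100 bytes, one per millisecond, plus one
    ICMP unreachable that ACL 102 does not match.  Returns
    (echo_transmitted, echo_dropped, unreachable_transmitted)."""
    pol = CarPolicer(8_000, 8000, 8000, matches_acl_102)
    ok = drop = 0
    for i in range(1000):
        r = pol.handle(Packet(i * 1000, 100, "icmp", "203.0.113.7", icmp_type="echo"))
        ok, drop = ok + (r == "transmit"), drop + (r == "drop")
    unreach = pol.handle(Packet(999_500, 56, "icmp", "203.0.113.7", icmp_type="unreachable"))
    return ok, drop, int(unreach == "transmit")


if __name__ == "__main__":
    print("SYN flood  (transmitted, dropped, established passed):", syn_flood_demo())
    print("ping flood (transmitted, dropped, unreachable passed):", ping_flood_demo())
```

The first 8000 bytes of SYNs (133 packets) go through on the initial burst alone; after that the flood is held to 32,000 bytes per second while every ACK-bearing segment of an existing session is forwarded untouched. That is also the caveat: CAR limits the rate of SYNs reaching the host, it does not distinguish legitimate new connections from the flood, so during an attack new users share the same 256 Kbps budget as the attacker.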
Cisco SAFE Ecosystem: Security & VPN Associates, covering secure connectivity, application security, perimeter security, security management and monitoring, and identity. Cisco.com/go/securityassociate