
Internet Security ‘Internet and Intranet - meeting future business needs’




  1. Internet Security ‘Internet and Intranet - meeting future business needs’ (Cisco Systems Confidential, 0036_08F7_c2)

  2. Before we Begin...... • Attendees agree that this information will be circulated on a very strict need-to-know basis, as it is sensitive and can cause security problems. • While the information in this document is not confidential, there is information that could be harmful if given to the wrong individuals. • The only way to understand security problems is to know what they are. This means that they may also be exploited by those who are untrustworthy.

  3. New Network Threats (headlines): Netcom Credit Card Information Stolen; CIA Web Site Hacked (Cisco Systems Confidential, 0603_02F7_c1)

  4. Need for More Security … and the “Net” Has Changed! (table: Original ARPAnet → Today’s Internet → Implications) • 1983: 200 core nodes, linear growth → 11.6 million core nodes, exponential growth → shortage of unique IP network numbers imminent • Large time-sharing nodes, mostly educational → large and distributed ISP-connected organizations → CIDR, NAT, DHCP for clients only, IPv6 “difficult” • Security: underlying technology known to few → numerous untrusted private-sector hosts, hackers abound → firewalls, encryption

  5. Internetwork (diagram): consumers, small business, professional office and enterprise, all connected through the Internet

  6. Putting Things in Perspective • 75% of computer attacks are never detected. • Only 15% of all computer crimes are instigated by outsiders. • 80% - 85% are launched by insiders - people you thought you could trust.

  7. Where’s the Threat? …...Corporate Space (diagram: employees 80%, Internet 20%, reaching the corporate network through a terminal server)

  8. Where’s the Threat? …….ISP Space (diagram: corporate network, Internet, terminal server, customers; the same 80% / 20% split)

  9. Security Services: Have You Experienced Computer or Network Security Breaches in the Last Year? Yes: 48%; No: 52%. Source: Computer Security Institute and FBI Computer Crime Division Fortune 500 Survey, 1995

  10. What are the Threats? “Trusted” Users Remember....80-85% of all break-ins are caused by people who are insiders. Amateurs Cyberpunks, Hackers, Vandals, Crackers, Jerks, etc Professionals No-Win Situation

  11. What are the Threats? “Trusted” Users • 80% - 90% of all break-ins are caused by people who work for the organizations they broke into! • Many are caught accidentally • Many are amateurs and are caught because they are careless • Most are quietly removed • Very few are reprimanded

  12. What are the Threats? “Trusted” Users • Extremely few are prosecuted by the legal system • Never at a financial institution • Never at a site where there is possible harm to life, or where there is a tie-in to public view • In some places there is little understanding of how to handle the legal problem • Most companies do not want publicity

  13. What are the Threats? “Trusted” Users • Most break-ins are either: • Greed-oriented • Revenge oriented • Malicious • Information Acquisition • Accidental initially, but an opportunity to the user of the system.

  14. What are the Threats? Amateurs • Amateurs usually leave a trail that is not too difficult to pick up • Amateurs will eventually screw-up • Amateurs do not know when to quit • Amateurs, with careful monitoring, may be found quickly • Most Internet Cyberpunks are Amateurs

  15. What are the Threats? Professionals • Professionals are rarely detected • Professionals are difficult to find • Professionals will usually originate from a break-in elsewhere • Professionals leave no traceback • Professionals know when it is time to leave • Professionals will take what they want, no matter what is done to safeguard information

  16. What are the Threats? Bottom Line....... • If someone wants the information bad enough, and he/she knows what they are doing, they will not be stopped and you may consider the information to be “history.”

  17. IT Issues (chart over time: Internet traffic load, connectivity and business value/importance all rising while IT spending grows at less than 10%) • Enterprise information becoming more valuable/vulnerable

  18. The Security Dilemma • Security is complicated to implement • Security cannot be implemented uniformly • Internet connection is a security risk. More than 200 Fortune 1000 companies were asked if they had detected attempts from outsiders to gain computer access in the past 12 months: Yes 58%, No 12%, Don’t know 30%. If “yes”, how many successful accesses were detected? 1-10: 42%; 11-20: 25%; 21-30: 16%; 31-40: 10%; 41-50: 5%; 50+: 2%. Source: Warroom Research (Cisco Systems Confidential, 0595_02F7_c1)

  19. Solutions: Before you Begin....... • On-Site Security Policy • Host Security (UNIX/VMS) • Workstation Security (X, MS, Mac, OS/2) • Network Security • Password Policies • Application Security • Tools to Track Attacks • Ability to lock ‘em up (every security policy needs a hammer)

  20. Creating Cisco Solutions (diagram): Internet BU products (firewalls, translation gateways, traffic directors, client software, server software), workgroup products, core products, access products, InterWorks products; integration with Cisco IOS™ software; end-to-end security solutions; end-to-end multimedia solutions; Internet/intranet connectivity and security for Novell and DEC customers; scalable “plug-and-play” TCP/IP environments; scalability for global and enterprise WWW applications

  21. Security Is a System: Physical Security Example, “What Are You Trying to Protect?” (car diagram): perimeter detector (door entry), sound detector (glass entry), motion detector (wheels/entry), lock nuts (wheels), engine kill (theft), locator/detector (theft)

  22. Technical Requirements • Authentication: who it is • Authorization: what is permitted • Accounting: what was done • Data integrity: data is unaltered • Confidentiality: no unauthorized review • Assurance: everything operates as specified

  23. Cisco Security Today (diagram with Dial, Firewall and Network Infrastructure columns; several items appear in more than one column): TACACS+/RADIUS, CiscoSecure™, PAP/CHAP, token card support, Kerberos, certificate authority, privilege levels, lock-and-key, access control lists, route filtering, NAT, cut-through proxy, logging, GRE tunnels, L2F, encryption

  24. SolutionsBefore you Begin....... Security is an ATTITUDE!

  25. Security Objective: Balance. Security (authentication, authorization, accounting, assurance, confidentiality, data integrity) against Access (connectivity, performance, transparency). Every customer’s needs will be different!

  26. Host Security • If a host is not secure, then neither is the network (diagram: file sharing, anonymous FTP, guest login, mail)

  27. Network Security Options • No Internet connection • Packet filtering with Access Control Lists (ACL) • Firewalls • Privacy with encryption (diagram: user authentication, secure routing, address translation, multiprotocol tunnels, access control, enterprise gateways, event logging, legacy integration, encryption)

  28. Definition of a Firewall Firewalls are perimeter security solutions, deployed between a trusted and untrusted network, often a corporate LAN and an Internet connection

  29. Firewall Architecture: Cisco IOS 11.2 firewall • 1. Access lists • 2. Packet filtering • 3. Network Address Translation • 4. Encryption (diagram: Internet, Cisco IOS firewall doing packet filtering, public WWW, public FTP, DNS and mail servers)

  30. Firewall Architecture: Cisco PIX Firewall, dedicated (diagram: Internet, PIX, public WWW, public FTP, DNS and mail servers)

  31. Demilitarized Zone (DMZ) (diagram: the public WWW, public FTP, DNS and mail servers sit on their own screened segment between the Internet and the internal network)
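How the packet-filtering firewall of slides 29 to 31 decides what reaches the DMZ, as an added Python example (it is not Cisco code and not from the slides). It parses a Cisco-style extended access list and evaluates packets the way a stateless filter does, including the `established` keyword. The DMZ host addresses inside the registered 192.128.234.0 block from slide 33, the inside 10.0.0.0/8 block, the rule lines and the sample packets are all assumptions for the demo.

```python
"""Added example (not Cisco code): a Cisco-style extended access list evaluated
the way a stateless packet filter evaluates it (slides 29 to 31). The DMZ host
addresses, the inside 10.0.0.0/8 block and the rule lines are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # 'tcp' or 'udp'
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False     # TCP ACK or RST set: all that IOS 'established' checks


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: object           # ip_network
    dst: object
    dport: Optional[int]
    established: bool


def _address(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == 'any':
        return ip_network('0.0.0.0/0'), i + 1
    if tok[i] == 'host':
        return ip_network(tok[i + 1]), i + 2
    addr, wildcard = tok[i], tok[i + 1]
    if wildcard == '0.0.0.0':          # exact host; ipaddress would read 0.0.0.0 as a /0 netmask
        return ip_network(addr), i + 2
    if wildcard == '255.255.255.255':  # the reverse ambiguity: this wildcard means 'any'
        return ip_network('0.0.0.0/0'), i + 2
    # other IOS wildcard masks are inverted netmasks, which ipaddress accepts as hostmasks
    return ip_network((addr, wildcard), strict=False), i + 2


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ('!', 'remark'):
            continue
        action, proto = tok[0], tok[1]
        src, i = _address(tok, 2)
        dst, i = _address(tok, i)
        dport, established = None, False
        while i < len(tok):
            if tok[i] == 'eq':
                dport, i = int(tok[i + 1]), i + 2
            elif tok[i] == 'established':
                established, i = True, i + 1
            else:
                raise ValueError(f'unsupported keyword {tok[i]!r} in: {line}')
        rules.append(Rule(action, proto, src, dst, dport, established))
    return rules


def evaluate(rules, pkt):
    """First match wins; every IOS access list ends with an implicit 'deny ip any any'."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if r.proto not in ('ip', pkt.proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.established and not pkt.ack:
            continue
        return r.action
    return 'deny'


# Applied inbound on the Internet-facing interface. The DMZ hosts live in the
# registered 192.128.234.0 block of slide 33; .10 www, .20 ftp, .30 dns/mail are assumed.
INBOUND_FROM_INTERNET = """
remark public services in the DMZ
permit tcp any host 192.128.234.10 eq 80
permit tcp any host 192.128.234.20 eq 21
permit udp any host 192.128.234.30 eq 53
permit tcp any host 192.128.234.30 eq 25
remark replies to connections the DMZ hosts opened themselves
permit tcp any 192.128.234.0 0.0.0.255 established
remark nothing from outside reaches the private inside network
deny ip any 10.0.0.0 0.255.255.255
"""
RULES = parse_acl(INBOUND_FROM_INTERNET)


def decision(pkt):
    """Permit or deny for one packet arriving from the Internet."""
    return evaluate(RULES, pkt)
```

The last check worth running is a segment to a non-public DMZ port with only the ACK flag set: the `established` rule passes it, because a stateless filter sees flags, not connections. That is the gap a stateful firewall such as the PIX closes by admitting only replies to connections it saw being opened.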

  32. Proxy Servers (diagram: internal clients reach the Internet only through the proxy server, outbound only; public WWW, public FTP, DNS and mail servers)

  33. Firewall with Address Translation • Cisco PIX Firewall, dedicated • Cisco IOS 11.2, NAT in software (diagram: private IPs 10.0.0.0 inside, registered IPs 192.128.234.0 outside, a CiscoSecure access router or PIX in between; public WWW, public FTP, DNS and mail servers)
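The translation table behind slide 33, as an added Python example (not Cisco code, and not from the slides). Private 10.0.0.0 inside and registered 192.128.234.0 outside are the slide's blocks; the inside global address 192.128.234.1, the static entry for a public web server, and the host and port numbers are assumptions for the demo.

```python
"""Added example (not Cisco code): the translation table behind slide 33's
firewall with address translation. Private 10.0.0.0 inside and registered
192.128.234.0 outside are the slide's blocks; the specific addresses, ports and
the static entry for a web server are assumptions for the demo."""
from itertools import count


class Pat:
    """Port address translation (many inside hosts behind one registered address)
    plus static one-to-one entries for servers that must be reachable from outside."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.ports = count(first_port)
        self.by_flow = {}     # (proto, local_ip, local_port, remote_ip, remote_port) -> global_port
        self.by_port = {}     # (proto, global_port, remote_ip, remote_port) -> (local_ip, local_port)
        self.static = {}      # inside global ip -> inside local ip
        self.static_rev = {}  # inside local ip -> inside global ip

    def add_static(self, inside_global, inside_local):
        self.static[inside_global] = inside_local
        self.static_rev[inside_local] = inside_global

    def outbound(self, proto, src, sport, dst, dport):
        """Inside to outside: rewrite the source; allocate a global port on first use."""
        if src in self.static_rev:
            return self.static_rev[src], sport
        flow = (proto, src, sport, dst, dport)
        if flow not in self.by_flow:
            gport = next(self.ports)
            self.by_flow[flow] = gport
            self.by_port[(proto, gport, dst, dport)] = (src, sport)
        return self.inside_global, self.by_flow[flow]

    def inbound(self, proto, src, sport, dst, dport):
        """Outside to inside: return the inside destination, or None when the packet
        matches no translation and therefore has nowhere to go (it is dropped)."""
        if dst in self.static:
            return self.static[dst], dport          # static entry: every port reachable
        if dst != self.inside_global:
            return None
        return self.by_port.get((proto, dport, src, sport))


def build_demo():
    """One inside global address for the 10.0.0.0 clients and a static entry for the
    public web server (constructed values)."""
    nat = Pat('192.128.234.1')
    nat.add_static('192.128.234.10', '10.0.0.10')
    return nat
```

Two things the table makes visible: a dynamic entry only admits packets from the remote host and port the inside client talked to (the lookup here is keyed on both), so unsolicited inbound traffic to the shared address is dropped; a static entry, by contrast, exposes every port of the server it maps, so the access list in front of it still has to decide which ports are public.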

  34. Encryption (diagram: “YOUR Text” leaves one site, crosses the Internet as cipher text “2$3B9F37”, and arrives as “YOUR Text”; public WWW, public FTP, DNS and mail servers)

  35. Scaling Internet Firewalls (by link speed) • Small office: all in one, costs less • Fractional E1/T1: gateway router and firewall, encryption performance = E1/T1 • Internet: gateway router and firewalls, scalable encryption performance > DS3/45 Mbps

  36. Dial Security • Centralized security with TACACS+ / RADIUS • Lock and Key

  37. Centralized Security (diagram): the dial client authenticates to the access server, which talks TACACS+ or RADIUS to CiscoSecure for Authentication, Authorization and Accounting

  38. Lock and Key • Enables dynamic Access Control Lists • Single user on a LAN • Per-user authorization and authentication (diagram: the authorized user gets through, the non-authorized user is blocked, with CiscoSecure checking the credentials)
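How a lock-and-key dynamic entry lives and dies, as an added Python example (the slide describes IOS behaviour; this is not IOS code). Nothing from a source address passes until its user authenticates, and the temporary entry then expires on an idle or an absolute timeout. The user database, the PBKDF2 hashing, the 300 s idle and 3600 s absolute timeouts and the addresses are assumptions for the demo; in the slide, CiscoSecure answers the credential check over TACACS+ or RADIUS.

```python
"""Added example (not IOS code): lock-and-key's dynamic access-list entry.
Nothing from a source address passes until its user authenticates; the entry
then expires on an idle or an absolute timeout. User database, hashing and
timeout values are assumptions for the demo."""
import hashlib
import hmac

SALT = b'demo-salt'                  # constructed; use a random per-user salt for real


def password_hash(password, salt=SALT):
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)


USERS = {'alice': password_hash('correct horse')}   # constructed demo account


class LockAndKey:
    def __init__(self, idle_timeout=300, absolute_timeout=3600):
        self.idle = idle_timeout
        self.absolute = absolute_timeout
        self.entries = {}            # src_ip -> [created_at, last_seen]

    def authenticate(self, user, password, src_ip, now):
        """Credential check (CiscoSecure's job in the slides). Success installs a
        temporary permit entry for the *address* the user logged in from.
        The hash is computed even for unknown users so timing does not reveal names."""
        stored = USERS.get(user, b'')
        if not hmac.compare_digest(stored, password_hash(password)):
            return False
        self.entries[src_ip] = [now, now]
        return True

    def permit(self, src_ip, now):
        """Would a packet from src_ip at time `now` match a live dynamic entry?
        A hit refreshes the idle timer; a dead entry is removed, not just ignored."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return False
        created, last_seen = entry
        if now - created > self.absolute or now - last_seen > self.idle:
            del self.entries[src_ip]
            return False
        entry[1] = now
        return True
```

The entry is keyed by source address, not by user, which is why the slide says "single user on a LAN": anyone sending from that address while the entry is alive, behind a shared terminal or a NAT, inherits the permit. The absolute timeout is the cap on that exposure.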

  39. Virtual Private Dial Networks • Encrypted access • Multiprotocol: IP, IPX, SNA, AppleTalk (diagram: dial user across the Internet, CiscoSecure TACACS+ server)

  40. Virtual Private Networks • IOS • PIX

  41. Virtual Private Networks • Replace private WAN with public network access • Intracompany traffic is private and authenticated • Internet access is transparent (diagram: corporate LAN and remote offices connected over the public network)

  42. Encryption Alternatives (diagram) • Application-layer encryption: application layers (5–7) • Network-layer encryption: transport/network layers (3–4) • Link-layer encryption: link/physical layers (1–2)

  43. Application Encryption • Encrypts traffic to/from interoperable applications • Specific to application, but network independent • Application dependent: all users must have interoperable applications • Examples: S/MIME, PEM, Oracle SecureNet, Lotus cc:Mail and Notes

  44. Network Encryption • Encrypts traffic between specific networks, subnets, or address/port pairs • Specific to protocol, but media/interface independent • Does not need to be supported by intermediate network devices • Independent of intermediate topology • Example: Cisco IOS and PIX (diagram: A to HR server encrypted; all other traffic, including A, B, D and the e-mail server, in the clear)

  45. Link Encryption • Encrypts all traffic on a link, including network-layer headers • Specific to media/interface type, but protocol independent • Topology dependent • Traffic is encrypted/decrypted on a link-by-link basis • All alternative paths must be encrypted/decrypted

  46. Cisco IOS Encryption Services • Policy by network, subnet, or address/port pairs (ACL) • DSS for device authentication • Diffie-Hellman for session key management • DES for bulk encryption: DES 40-bit generally exportable, DES 56-bit restricted • Hardware assist: VIP2 service adapter (diagram: clear from A to C and D, encrypted from B to C and D; e-mail server, HR/financial server, private WAN, link to the public Internet)
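What a passive tap can still read under each of the three encryption alternatives of slides 42 to 45, wired to the session-key and bulk-cipher roles named on slide 46, as an added Python example (not Cisco code, not from the slides). The stand-ins are assumptions for the demo: toy-sized Diffie-Hellman parameters for the session key and HMAC-SHA256 in counter mode in place of DES for the bulk keystream, plus a hand-built IPv4/UDP datagram with zeroed checksums. None of that is for production use; the point is which header bytes stay in the clear at each layer.

```python
"""Added example (not from the slides): what a passive tap can still read when
encryption is applied at the application, network or link layer (slides 42 to 46).
Stand-ins, all assumptions for the demo: toy-sized Diffie-Hellman parameters for
the session key, and HMAC-SHA256 in counter mode instead of DES for bulk
encryption. Neither is suitable for production use."""
import hashlib
import hmac
import secrets
import struct

# --- session key management: Diffie-Hellman (toy parameters, NOT secure) ---
P = 2**127 - 1      # a prime, but far too small for real key agreement
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, 'big')).digest()


# --- bulk encryption: PRF keystream XOR (stand-in for DES) ---
def keystream_xor(key, iv, data):
    """Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for n, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, iv + struct.pack('>I', n), 'sha256').digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


# --- a minimal IPv4/UDP datagram (checksums left at zero for the demo) ---
def build_packet(src, dst, sport, dport, payload):
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


# byte offset at which each layer's encryption starts; everything before it stays clear
ENCRYPT_FROM = {'application': 28, 'network': 20, 'link': 0}


def encrypt_at(layer, key, iv, packet):
    off = ENCRYPT_FROM[layer]
    return packet[:off] + keystream_xor(key, iv, packet[off:])


def exposed_fields(wire, truth):
    """Fields an eavesdropper decodes correctly by parsing the wire bytes as IPv4/UDP."""
    got = {
        'src': '.'.join(map(str, wire[12:16])),
        'dst': '.'.join(map(str, wire[16:20])),
        'sport': struct.unpack('!H', wire[20:22])[0],
        'dport': struct.unpack('!H', wire[22:24])[0],
        'payload': wire[28:],
    }
    return {k for k, v in got.items() if v == truth[k]}


def demo(layer, key=None, iv=None):
    """Encrypt one datagram at the given layer; return (exposed field set, roundtrip ok)."""
    truth = {'src': '10.0.0.5', 'dst': '10.1.0.9', 'sport': 4000, 'dport': 5000,
             'payload': b'salary review for user 4711'}   # constructed sample
    if key is None:                       # both ends derive the same session key
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        key = dh_session_key(a_priv, b_pub)
        assert key == dh_session_key(b_priv, a_pub)
    iv = iv or secrets.token_bytes(8)
    packet = build_packet(truth['src'], truth['dst'], truth['sport'], truth['dport'],
                          truth['payload'])
    wire = encrypt_at(layer, key, iv, packet)
    return exposed_fields(wire, truth), encrypt_at(layer, key, iv, wire) == packet


if __name__ == '__main__':
    for layer in ENCRYPT_FROM:
        print(layer, demo(layer))
```

Application-layer encryption leaves addresses and ports readable, network-layer encryption leaves only the addresses (which is what routers in between still need), and link-layer encryption hides everything but must be undone at every hop, which is the "topology dependent" point of slide 45. The keystream here carries no integrity check; that is the separate job the AH and ESP services of slide 49 provide.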

  47. Cisco IOS Encryption Options • Cisco IOS software on 100x, 25xx, 4xxx and 7xxx series routers • On Cisco 7000 and 7500 series with RSP, encryption services are performed centrally on the master RSP and/or distributed on the VIP2-40 • Encryption service adapter for Versatile Interface Processors (VIP): provides higher-performance encryption for local interfaces; tamper-proof (diagram: master RSP, slave RSP, VIPs with port adapters and an encryption service adapter)

  48. PIX Private Link: High-Performance Hardware Encrypted Virtual Private Networks! (diagram: networks A and B, and C and D, connected in pairs over the public Internet through PIX/Private Link units; frame layout MAC | IP | UDP | IP | Data | CRC, where the outer MAC/IP/UDP is the encapsulation header and the inner IP and data are the encrypted information) (Cisco Systems Confidential, 0482_12F7_c1)

  49. PIX Private Link Benefits • Secures data communication between sites • Reduces the high monthly cost of dedicated leased lines • Complete privacy • Easy installation: two commands, no maintenance • Compliant with IETF IPsec: supports AH (RFC 1826) and ESP (RFC 1827) • Adds value to your Internet connection • Augments and backs up existing leased lines

  50. Private Link (diagram): the Satellite Division’s private network (10.0.0.0) behind PIX B (171.68.10.4), across the Internet to PIX A on the DMZ (171.69.236.2), behind which sit the intranet’s Engineering, Marketing and Executive segments (172.17.0.0, 172.18.0.0, 172.19.0.0), the TACACS+ and RADIUS servers, an SMTP gateway and a UNIX DB gateway
