A Communications Security Approach for Uncertain Times Salo Fajer Senior Systems Engineer.


A Communications Security Approach for Uncertain Times

Salo Fajer

Senior Systems Engineer


Security Incidents are Increasing

The number of reported Virus incidents has grown from 21,000 in 2000 to 130,000 in 2003

The worldwide cost of Worms & Viruses is now estimated at $180 Billion per year

The Corporate IT Forum (UK) calculates that each security incident costs £122,000 (~$230,000)

[Figure: Total Vulnerabilities Reported to CERT Coordination Center 1995 - 2003; y-axis 0 to 4,500 vulnerabilities per year. Source: Carnegie Mellon University]

• Reported security events have increased dramatically year over year

• Unreported events are many times more numerous than this

The Security Management Challenge

                                Code Red (2001)    SQL Slammer (2003)
Infection rate per hour         1.8 hosts          420 hosts
Time to double # infected PCs   37 mins            8.5 secs
Time to infect all targets      24 hours           30 minutes

• The speed and effectiveness of Internet worms and viruses improved dramatically in just 2 years

• It is expected that massive Denial of Service will be possible in just minutes in 2005 and beyond

Escalating Concerns Are Demanding More of The Network

[Figure: Traditional Networking Focus covers Capacity, Connectivity and Cost. 21st Century Networking adds Security and Intelligence, expressed as "The 5 C's": Continuity, Context, Control, Compliance and Consolidation.]

The Challenge

[Figure labels recovered from the slide; grouping is approximate:]

• Technology Is Converging: Business Appliances, Household Appliances, Internet & Intranet, Storage over IP, Video over IP, Voice over IP

• Users Are Converging: Sub-Contractors, Customers, Visitors, Suppliers, Partners

• Threats Are Converging: Viruses, Worms, Denial of Service, Intellectual Property Theft

• Value Propositions Are Converging: Regulated Compliance, Reputation, and the C's of Compliance, Consolidation, Control, Context, Continuity, Capacity, Connectivity and Cost

• Make Security Pervasive: End systems, Appliances, Software, Network

The Security Incident Problem Space

[Figure: a grid with Type of Attack (Known / Unknown) on one axis and Speed of Propagation / Speed of Response (Slow / Fast) on the other, with Prevention, Detection and Response mapped onto the regions.]

Minimize the problem space via:

• Granular control

• Automated response

• Risk mitigation

• End-to-end visibility

The goal of Secure Networks is to minimize the "problem space"

Secure Networks Technical Vision

[Figure: reference network spanning Remote Office, Branch Office and Core, built from Matrix N7 and Matrix E1 switches, an X-Pedition ER16 router, XSR1800 and XSR 3100 routers with VPN, RoamAbout R2 wireless, a Dragon Server with NIDS and HIDS sensors, and NetSight Policy Manager and NetSight RSM Manager for global policy distribution, identity-driven dynamic response and core policy. Caption: Built-in system-wide security.]

"Inside Threats" Security Paradigm Shift

[Figure: Internet - WAN Router - Enterprise Switches - Corporate Network - Servers]

• "Inside threats" can attack on every port in the entire network

• "Outside threats" can attack only on a single known port (the Internet ingress)

Vulnerability of Present Day Networks

[Figure: Branch/Remote Office, SOHO/Mobile Office and Data Center attach to the Core; the Internet attaches through a DMZ protected by VPN, firewall and IDS; end systems rely on anti-virus / personal firewall. The worms shown crossing these perimeter defences:]

• Code Red

• SoBig.F

• Nimda

• Blaster

• Slammer

Secure DNA: Enterasys Product Offerings

End-to-end product portfolio uniquely focused on building secure enterprise data networks

[Table recovered from the slide figure; placement of products in tiers is approximate]

LAN Edge:                   Matrix N-Series & E-Series; standalone Matrix E-Series, C & V-Series; stackable Matrix C & V-Series; RoamAbout Wireless
LAN Core:                   Matrix N-Series & E-Series; X-Pedition
LAN Data Center:            Matrix N-Series & E-Series; X-Pedition; Servers
Remote & Branch Locations:  Regional XSR; Branch XSR; WAN; VPN; standalone Matrix E-Series, C & V-Series; stackable Matrix C & V-Series; RoamAbout Wireless
Network Management:         Dragon Server; NetSight Atlas Policy Manager, Inventory Manager, Security Manager and Console; NIDS
End systems / perimeter:    Anti-Virus / Personal Firewall, VPN, Firewall, IDS

Value of Enterasys Secure Networks

[Figure: the same network diagram as in "Vulnerability of Present Day Networks" (Branch/Remote Office, SOHO/Mobile Office, Data Center, Core, Internet via a DMZ with VPN, firewall and IDS, end systems with anti-virus / personal firewall), with the same worm list: Code Red, SoBig.F, Nimda, Blaster, Slammer.]

Challenges with Traditional Access Control

[Figure: Extended Edge, Edge, Distribution, Core and Servers, with "Blue", "Green" and "Red" VLANs]

• ACLs are complex to configure, are tied to interfaces, and are typically permit/deny only*

• VLANs are complex to configure and troubleshoot, and provide no protection within a VLAN

* Separate configuration is required for authentication, QoS, rate limiting, etc.

Enterasys' Policy-based Network Overview

• Dramatically reduces the time/resources required to implement infrastructure security at the network edge (versus ACLs and VLANs)

• The foundation of Enterasys' Secure Networks™

[Figure: Core, Distribution, Edge and Servers, with a Policy applied to the user "Bill" at the edge]

Secure Networks™ Solutions

• Acceptable Use Policy: a security policy solution for acceptable use of network resources

• Secure Application Provisioning: a role-based security policy solution for business application usage

• Secure Guest Access: a security-driven visitor networking solution

• Single Sign-On: a consolidated user credential solution for network and application access

• Dynamic Intrusion Response: an automated security response solution for identified threats to the enterprise network

A Process for Dynamic Intrusion Response

Introducing Dynamic Intrusion Response

[Figure: a stack from Business Service down through Network Infrastructure to the Matrix™ Access Device, Client System and User, with the components below acting on it.]

1. Quarantine Policy Creation (NetSight Atlas™ Policy Manager): central administration of a quarantine security policy role and its distribution to the enterprise network infrastructure.

2. Intrusion Detection (Dragon™ Intrusion Detection): a security event that penetrates the network infrastructure is immediately identified.

3. Event Notification (NetSight Atlas™ Console with Automated Security Manager): the security breach event is passed to the Automated Security Manager application, where pre-defined actions are configured.

4. Location and Enforcement: the exact physical source of the security event is located, and the pre-defined response is enforced on the source network port.

5. Response: the specific response for the security breach is enforced at the exact source (disable port, enforce quarantine policy, etc.).
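The detect, notify, locate and enforce loop above, as an added offline simulation. This is example code written for this page, not Enterasys, Dragon or NetSight code: the alert line, the ARP and forwarding tables, the switch and port names, the signature names, the action table and the quarantine rules are all constructed here. The point it adds is the step a practitioner cares most about: the source is enforced only when it maps to exactly one access port, and an alert whose MAC is only seen on an uplink is escalated rather than acted on, because disabling an uplink on the strength of one IDS event takes down everyone behind it.

```python
# Added example (not Enterasys, Dragon or NetSight code): the Dynamic Intrusion
# Response loop as a small offline simulation. Every input below is constructed.
import re
from dataclasses import dataclass
from typing import Optional

# --- constructed inputs ---------------------------------------------------
SAMPLE_ALERT = ("2003-08-12 09:14:02 dragon ALERT sig=MS-RPC-DCOM-OVERFLOW "
                "src=10.20.5.77 dst=10.20.9.3 proto=tcp dport=135")
UPLINK_ALERT = ("2003-08-12 09:14:05 dragon ALERT sig=MS-RPC-DCOM-OVERFLOW "
                "src=10.20.7.9 dst=10.20.9.3 proto=tcp dport=135")

ARP_TABLE = {  # IP -> MAC, as learned at the distribution layer (constructed)
    "10.20.5.77": "00:11:22:aa:bb:cc",
    "10.20.7.9": "00:11:22:dd:ee:ff",
}
FDB = {  # (switch, MAC) -> port the MAC was learned on (constructed)
    ("edge-sw-12", "00:11:22:aa:bb:cc"): "ge.1.17",
    ("dist-sw-1", "00:11:22:aa:bb:cc"): "ge.1.1",   # same MAC also seen on the uplink
    ("dist-sw-1", "00:11:22:dd:ee:ff"): "ge.1.2",   # this host is only seen on an uplink
}
UPLINKS = {("dist-sw-1", "ge.1.1"), ("dist-sw-1", "ge.1.2")}

# Automated Security Manager: pre-defined action per signature (constructed)
ACTIONS = {"MS-RPC-DCOM-OVERFLOW": "quarantine", "SQL-SLAMMER-UDP-1434": "disable"}

# Quarantine role: ordered Layer 4 rules (proto, dport, dst, verdict); None = any
QUARANTINE_RULES = [
    ("udp", 67, None, "permit"),            # DHCP, so the host keeps an address
    ("udp", 53, None, "permit"),            # DNS
    ("tcp", 80, "10.20.9.250", "permit"),   # remediation web server only
    (None, None, None, "deny"),             # everything else
]


@dataclass
class Response:
    action: str                      # quarantine | disable | escalate | none
    switch: Optional[str] = None
    port: Optional[str] = None
    reason: str = ""


def parse_alert(line: str) -> dict:
    """Step 2/3: pull signature and 5-tuple fields out of one IDS alert line."""
    m = re.search(r"sig=(\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)", line)
    if not m:
        raise ValueError("unrecognised alert: " + line)
    sig, src, dst, proto, dport = m.groups()
    return {"sig": sig, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def locate_source(ip: str, arp=ARP_TABLE, fdb=FDB, uplinks=UPLINKS):
    """Step 4: IP -> MAC -> the single access port it was learned on.
    Returns (switch, port), or None if the MAC is unknown, only seen on
    uplinks, or seen on more than one access port (then a human must look)."""
    mac = arp.get(ip)
    if mac is None:
        return None
    hits = [(sw, port) for (sw, m), port in fdb.items()
            if m == mac and (sw, port) not in uplinks]
    return hits[0] if len(hits) == 1 else None


def quarantine_permits(proto: str, dport: int, dst: str, rules=QUARANTINE_RULES) -> bool:
    """Evaluate the quarantine role's rules, first match wins."""
    for r_proto, r_port, r_dst, verdict in rules:
        if r_proto in (None, proto) and r_port in (None, dport) and r_dst in (None, dst):
            return verdict == "permit"
    return False


def respond(alert_line: str) -> Response:
    """Steps 2-5 end to end for one alert."""
    alert = parse_alert(alert_line)
    action = ACTIONS.get(alert["sig"])
    if action is None:
        return Response("none", reason="no pre-defined action for " + alert["sig"])
    loc = locate_source(alert["src"])
    if loc is None:
        return Response("escalate", reason="source port not uniquely located for " + alert["src"])
    return Response(action, loc[0], loc[1], reason=alert["sig"])


if __name__ == "__main__":
    for line in (SAMPLE_ALERT, UPLINK_ALERT):
        print(respond(line))
```

Running the block shows the first alert resolved to edge-sw-12 port ge.1.17 with the quarantine action, and the second escalated because its MAC was only ever learned on an uplink.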

Enterasys' Flow Setup Throttling

[Figure: Core, Distribution, Edge and Servers, with Matrix N-Series at the distribution layer]

Flow Setup Throttling (FST) raises an alarm and then disables a port when it sees a spike in new flows caused by network threats

Matrix N-Series is the only enterprise switch based on a flow-based design
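A software model of the FST behaviour described above, added here as an illustration; it is not Enterasys N-Series code and the window, thresholds, port names and traffic are constructed for the example. A flow is a 5-tuple seen for the first time on a port; packets of an existing flow do not count. New-flow setups are counted in a sliding window per port, an alarm is raised at one threshold and the port is disabled at a higher one, which is what lets a scanning worm (one new destination per packet) trip the throttle while a normal client with repeated packets to a few servers does not.

```python
# Added example (not Enterasys N-Series code): a sliding-window model of Flow
# Setup Throttling. Window, thresholds, port names and traffic are constructed.
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
ALARM_THRESHOLD = 20     # new flows per window on one port -> alarm
DISABLE_THRESHOLD = 50   # new flows per window on one port -> disable port


class FlowSetupThrottle:
    def __init__(self, window=WINDOW_SECONDS, alarm=ALARM_THRESHOLD, disable=DISABLE_THRESHOLD):
        self.window, self.alarm, self.disable = window, alarm, disable
        self.seen = set()                        # 5-tuples already counted as flows
        self.setups = defaultdict(deque)         # port -> timestamps of new flows
        self.state = defaultdict(lambda: "ok")   # port -> ok | alarm | disabled
        self.events = []                         # (time, port, new state)

    def observe(self, t, port, src, dst, proto, sport, dport):
        """Feed one packet; return the port state after it."""
        if self.state[port] == "disabled":
            return "disabled"            # stays down until an operator clears it
        key = (port, src, dst, proto, sport, dport)
        if key in self.seen:
            return self.state[port]      # packet of an existing flow: no setup
        self.seen.add(key)
        q = self.setups[port]
        q.append(t)
        while q and t - q[0] > self.window:   # drop setups outside the window
            q.popleft()
        rate = len(q)
        if rate >= self.disable:
            self._transition(t, port, "disabled")
        elif rate >= self.alarm:
            self._transition(t, port, "alarm")
        return self.state[port]

    def _transition(self, t, port, new):
        if self.state[port] != new:
            self.state[port] = new
            self.events.append((t, port, new))


def sample_packets():
    """Constructed traffic: a normal client on ge.1.3 making 15 web connections
    over 30 s (two packets each), and a Slammer-style scanner on ge.1.7 sending
    one UDP/1434 packet to a new host every 0.1 s."""
    pkts = []
    for i in range(15):
        dst = "10.1.9.%d" % (i % 3 + 1)
        pkts.append((i * 2.0, "ge.1.3", "10.1.1.5", dst, "tcp", 40000 + i, 80))
        pkts.append((i * 2.0 + 0.5, "ge.1.3", "10.1.1.5", dst, "tcp", 40000 + i, 80))
    for i in range(100):
        pkts.append((5.0 + i / 10, "ge.1.7", "10.1.1.9", "10.1.2.%d" % (i + 1), "udp", 1434, 1434))
    return sorted(pkts)


def run(pkts=None):
    fst = FlowSetupThrottle()
    for pkt in (pkts if pkts is not None else sample_packets()):
        fst.observe(*pkt)
    return fst


if __name__ == "__main__":
    fst = run()
    for t, port, state in fst.events:
        print("t=%5.1fs port %s -> %s" % (t, port, state))
    print(dict(fst.state))
```

With these thresholds the scanner's port goes to alarm on its 20th new flow (about 1.9 s into the scan) and is disabled on its 50th, while the normal client's port never sees more than six setups in any 10 s window and stays "ok". The thresholds are the tuning knob: set the alarm low enough to catch worm-speed scanning but above what a busy workstation or a server port legitimately sets up, and treat server and uplink ports separately.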

Solution: Dynamic Intrusion Response

University of North Carolina, Chapel Hill

Challenge:

Ensure high network availability and information assurance, campus wide, in the face of emerging known and unknown security threats. UNC needs to provide continuity to support a complex user community of students, faculty and staff. It also required the control and context to identify any suspect user, application or device, and quickly isolate the problem before it affects the rest of the network.

Secure Network Requirements:

UNC's network must be able to handle the outbreak of various viruses and worms (e.g., Blaster and Slammer) through centralized management and real-time intrusion defense to minimize downtime, protect assets and ensure users have access to the appropriate resources.

Enterasys Solution:

Enterasys' Dynamic Intrusion Response provides UNC with:

• Sensors throughout the network to identify and alert UNC of any suspicious activity or intrusion

• Centralized management to quickly apply security policies across the entire campus network with a single click

• Role-based policy management to prevent unauthorized use of network resources by students, faculty and staff

• A network that provides the highest level of security without negatively impacting productivity

Value Impact:

When the Blaster worm hit, Dynamic Intrusion Response alerted UNC of the attack and enabled them to quickly apply Layer 4 filters to the edge, containing the threat before it spread (realized through Matrix N-Series switches, the Dragon intrusion defense system and NetSight Atlas management).


Secure Network Attributes

• Total Visibility: people, security events, network

• Identity & Context Intelligence: who, what, when, where, why? Users, devices, departments, protocols, applications

• Distributed Policy Enforcement: deploy and enforce security policy throughout the enterprise

• Centralized, Granular Control

• Single Action System-Level Management: simple management of complex tasks

• Dynamic Response and Protection: automated assessment, detection, response and prevention

• Deployable Today Across Entire Product Line: entire network infrastructure

• Open Interoperability: standards based; complements existing security measures

[Sub-points recovered from the slide; their pairing with the attributes is approximate.]

Thank You