Building Up Network Security: An Introduction


Transcript of Building Up Network Security: An Introduction

Page 1: Building Up Network Security: An Introduction

Building Up Network Security

Catherine Paquet, MBA (MIS), CCSI, CICSI, CCNP Sec, CCNP R&S

Page 2: Building Up Network Security: An Introduction

© Global Knowledge Training LLC. All rights reserved. 04/15/2023 Page 2

About the presenter - Catherine Paquet

Cisco security instructor
Cisco Press author
Cisco Systems emerging countries guest speaker
Graduate of Royal Military College and York University
Previously: DND WAN Manager
Lives in Toronto

Page 3: Building Up Network Security: An Introduction


Topics: Building Up Network Security

Current state of network security
Firewall
IPS and Sourcefire
Identity Services and Cisco ISE
Network Access Control
Guest Services and BYOD
Profiling and Posturing
VPN and Site-to-Site
Remote Access VPN and AnyConnect
Email and Web Security

Page 4: Building Up Network Security: An Introduction

State of Network Security

Facts
Evolution
ROSI
Topology

Page 5: Building Up Network Security: An Introduction

Facts

Page 6: Building Up Network Security: An Introduction


Cisco Annual Security Report 2015: Findings

Users are unknowingly aiding cyber attacks

Email exploits:
250% increase in spam and malvertising exploits
Snowshoe spam: low volumes of email sent from a large set of IP addresses, so no single source sends enough to trip volume-based reputation filters

Web exploits:
Less common exploit kits are being used
Malicious combinations: the exploit is split across two files, e.g. a Flash file plus JavaScript, so that neither file looks malicious on its own

Source: www.cisco.com/go/securityreport

Page 7: Building Up Network Security: An Introduction


Cisco Annual Security Report 2015 - Actions

Security must:
support the business
work with the existing architecture, and be usable
be transparent and informative
enable visibility and appropriate action
be viewed as a "people problem"

Source: www.cisco.com/go/securityreport

Page 8: Building Up Network Security: An Introduction

Evolution of Security Philosophy

Page 9: Building Up Network Security: An Introduction


Recent Shift in Security Approach

Past → role-based control

Present → rule-based control

CONTEXT

Who, What, Where, When, How

Page 10: Building Up Network Security: An Introduction


CONTEXT IS EVERYTHING

Who: Jane Doe, member of the sales group
What: corporate laptop
Where: HQ, 2nd floor
When: July 16th, 2016 at 13:27
How: wired Ethernet with 802.1X

IF….., THEN….., and sometimes, ELSE…...

Policy conditions: User, Custom, Location, Device Type, Time, Posture, Access Method

Page 11: Building Up Network Security: An Introduction

Terminology

Page 12: Building Up Network Security: An Introduction


Glossary

AAA: Authentication, Authorization, Accounting

AD: Active Directory

AES: Advanced Encryption Standard

AMP: Advanced Malware Protection

AP: Access Point

ASA: Adaptive Security Appliance (firewall)

BYOD: Bring Your Own Device

CDA: Context Directory Agent (Cisco)

CWA: Centralized Web Authentication

DES: Data Encryption Standard

DHCP: Dynamic Host Configuration Protocol

DMZ: Demilitarized Zone

DART: Diagnostic And Reporting Tool (AnyConnect)

DC: Domain Controller

ESA: Email Security Appliance

FSMC: FireSIGHT Mgmt Center (formerly SFDC)

IDS: Intrusion Detection System

IP: Internet Protocol

IPS: Intrusion Prevention System

ISE: Identity Services Engine

ISR: Integrated Services Router

LAN: Local Area Network

LDAP: Lightweight Directory Access Protocol

MAB: MAC Authentication Bypass

MAC: Media Access Control

Malvertising: Malware hidden in advertisement

MD5: Message Digest 5

MDM: Mobile Device Management

NAC: Network Admission Control

NAD: Network Access Device

NIC: Network Interface Card

NGFW: Next Generation Firewall

NGIPS: Next Generation IPS

PKI: Public Key Infrastructure

RADIUS: Remote Authentication Dial-In User Service

ROI: Return on Investment

ROSI: Return on Security Investment

SaaS: Software-as-a-Service

SAML: Security Assertion Markup Language

SSID: Service Set Identifier

SF: Sourcefire

SFDC: Sourcefire Defense Center

SHA: Secure Hash Algorithm

SIO: Security Intelligence Operations (Cisco)

SSL: Secure Sockets Layer

SYN: Synchronize flag; the first stage of the TCP three-way handshake

TALOS: Cisco SIO + Sourcefire VRT

TCP: Transmission Control Protocol

VPN: Virtual Private Network

VRT: Vulnerability Research Team (Sourcefire)

WAN: Wide Area Network

WLAN: Wireless Local Area Network

WLC: Wireless LAN controller

WMI: Windows Management Instrumentation

WSA: Web Security Appliance

Page 13: Building Up Network Security: An Introduction

Security Roadmap

Topology


Page 15: Building Up Network Security: An Introduction

Firewall

Page 16: Building Up Network Security: An Introduction


Most Bang for Your Buck: The Firewall

[Chart: risk ($) on the vertical axis against security expenditure (basic, moderate, comprehensive) on the horizontal axis; the risk that remains at the comprehensive level is the residual risk]

More on the subject of synergistic controls: The Business Case for Network Security: Advocacy, Governance, and ROI, by Catherine Paquet, Cisco Press, 2005, ISBN-10 1-58720-121-6.


Page 18: Building Up Network Security: An Introduction


ASA Firewall Capabilities

Stateful firewall with AIC (application inspection and control)
Botnet detection
IPS built-in capability with the service module
SYN flood protection
Scanning threat detection and prevention
Decryption and inspection of specific protocols
Modular Policy Framework
Remote-access VPN: IPsec and SSL
Site-to-site VPN
Identity-based firewall

DHCP server and client
Dynamic routing
Static route tracking
Transparent and routed modes
Redundant interfaces
EtherChannel
Multiple context mode, aka virtualization
Clustering
Strong management with AAA
OOB management
Failover
Zero-downtime upgrade
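Two of the capabilities listed above, SYN flood protection and the IPS service module, are both driven through the Modular Policy Framework. The ASA 9.x configuration below is an added example written for this transcript, not a configuration from the deck or from Cisco; the object, class and policy names, the 192.0.2.10 web server and the connection limits are assumed values chosen for illustration.

```text
! Added example; names, addresses and limits below are assumptions, not values from the deck.
object-group network DMZ_WEB
 network-object host 192.0.2.10
!
! Traffic class 1: inbound TCP to the DMZ web server, the target of a SYN flood
access-list SYN_PROTECT extended permit tcp any object-group DMZ_WEB eq 443
class-map SYN_PROTECT
 match access-list SYN_PROTECT
!
! Traffic class 2: all traffic, to be handed to the FirePOWER (SFR) service module
class-map SFR_TRAFFIC
 match any
!
! global_policy already exists by default (it carries class inspection_default);
! these lines add two classes to it
policy-map global_policy
 class SYN_PROTECT
  set connection embryonic-conn-max 2000 per-client-embryonic-max 100
  set connection timeout embryonic 0:00:30
 class SFR_TRAFFIC
  sfr fail-open
!
service-policy global_policy global
```

Once the embryonic (half-open) limit is reached the ASA proxies the three-way handshake itself (TCP intercept) and only opens a connection to the server after the client completes it, so spoofed SYNs never consume server state; the per-client limit catches a single noisy source earlier. `sfr fail-open` keeps traffic flowing if the module is down or rebooting, which is the availability-first choice; `fail-close` drops traffic instead and is the choice when inspection is mandatory. Verify with `show service-policy` (the counters under each class) and `show module sfr`.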


Page 20: Building Up Network Security: An Introduction

Intrusion Prevention Systems

Sourcefire


Page 22: Building Up Network Security: An Introduction


Sourcefire Acquisition

Mid-2013, $2.7B
Hardware and software
Based on the Snort IPS
File fingerprints (thumbprints), sandboxing
Protection beyond point-in-time
Visibility through dashboards
Analysis of behaviours
Containment

Martin Roesch created Snort, an open-source IDS, in 1998 and founded Sourcefire in 2001.

Page 23: Building Up Network Security: An Introduction


Integrated and Standalone Platforms

AMP appliance
ASA module
ESA
WSA
CWS
FireAMP (desktop: AnyConnect 4.1 AMP Enabler)

Cisco AMP 8140 (hardware)

Cisco WSA with AMP (software)

HQ-ASA# show module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5515
Hardware version: N/A
Serial Number: FCH180278XU

Cisco ASA with Sourcefire (software)

Page 24: Building Up Network Security: An Introduction


The Sourcefire Advantage

AMP* everywhere, with real protection before, during and after an attack

* Advanced Malware Protection

Page 25: Building Up Network Security: An Introduction


Sourcefire Visibility and Management

FireSIGHT Management Center*

* formerly Sourcefire Defense Center

Page 26: Building Up Network Security: An Introduction


Network File Trajectory

Page 27: Building Up Network Security: An Introduction

Identity Services

ISE


Page 29: Building Up Network Security: An Introduction


ISE Capabilities

Authentication*: 802.1X, MAB, Web Authentication

Authorization*

Guest Services
BYOD
MDM
Profiling
Posturing
CA server

ISE

Source: Cisco Blog > Security > BYOD Presentations at Cisco Live Cancun 2012
* ISE is a RADIUS server

Page 30: Building Up Network Security: An Introduction

Network Access Control

802.1X / MAB
Web Authentication


Page 32: Building Up Network Security: An Introduction


Authentication and Authorization: ISE RADIUS server

ISE

Page 33: Building Up Network Security: An Introduction


802.1X / MAB Authentication

Page 34: Building Up Network Security: An Introduction


Centralized Web Authentication

Source: Cisco Identity Services Engine User Guide, Release 1.2
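The flow on slides 32 to 34 (ISE as the RADIUS server, 802.1X with MAB as the fallback, and Centralized Web Authentication) needs a matching configuration on the network access device. The Cisco IOS switch configuration below is an added example written for this transcript, not taken from the deck or from Cisco courseware; the ISE address 10.1.1.10, the shared secret, VLAN 10, the interface and the redirect ACL name are assumed values.

```text
! Added example; addresses, secret, VLAN and names are assumptions, not values from the deck.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key ISEsharedSecret
! Cisco VSAs carry the dACL / redirect attributes ISE returns
radius-server vsa send authentication
radius-server vsa send accounting
! RFC 5176 CoA: ISE can change a session's authorization after profiling, posture or CWA
aaa server radius dynamic-author
 client 10.1.1.10 server-key ISEsharedSecret
!
dot1x system-auth-control
ip device tracking
! the switch's own HTTP(S) listener performs the CWA intercept
ip http server
ip http secure-server
!
! Redirect ACL named by ISE in the CWA authorization result (url-redirect-acl).
! "permit" lines are the flows that get intercepted and sent to the ISE portal;
! DNS and traffic to ISE itself are excluded so the portal can actually load.
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 deny   ip any host 10.1.1.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

With the order dot1x then mab, a device without a supplicant waits for the EAP identity requests to time out (tx-period × (max-reauth-req + 1), here about 30 seconds) before MAB runs; tune those timers rather than putting MAB first, because MAB only proves possession of a MAC address, which anyone can clone, so its authorization result should be the least-privilege one. CWA itself is configured on ISE: the authorization profile returns url-redirect and url-redirect-acl=ACL-WEBAUTH-REDIRECT, the switch intercepts the permitted HTTP/HTTPS flows, and once the user logs in on the portal ISE sends a CoA (accepted because of the dynamic-author client above) so the session is re-authorized without a link flap. Check the outcome with `show authentication sessions interface GigabitEthernet1/0/1 details`.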

Page 35: Building Up Network Security: An Introduction

Guest Services and BYOD


Page 37: Building Up Network Security: An Introduction


Guest Services

Page 38: Building Up Network Security: An Introduction


Guests: Access to Internet

ISE

Page 39: Building Up Network Security: An Introduction


BYOD: For employees not visitors

Source: Cisco SISE 1.1 Courseware

Before BYOD:

With BYOD - Onboarding:

ISE recognizes that an employee has authenticated against AD through the Guest Portal, then:
1. CA certificate installation
2. Device registration
3. Certificate enrollment
4. Wi-Fi profile installation

Page 40: Building Up Network Security: An Introduction

Profiling and Posturing


Page 42: Building Up Network Security: An Introduction


Advantages of Profiling

Discover and locate endpoints
Maintain a learnt inventory
Determine endpoint capabilities and identity group

Attributes are used in authentication and authorization conditions

Source: Cisco SISE 1.1 courseware

Page 43: Building Up Network Security: An Introduction


Profiling

If Device: Apple-iPad, then apply Authorization Policy: Tablets

Source: Cisco SISE 1.1 courseware

Page 44: Building Up Network Security: An Introduction


Profiling Results: Endpoints database in ISE


Page 46: Building Up Network Security: An Introduction


ISE Posturing policies

Provisioning

Posturing

Page 47: Building Up Network Security: An Introduction


MDM: Posturing for Mobile Devices

Source: Cisco Identity Services Engine Administrator Guide, Release 1.4

Page 48: Building Up Network Security: An Introduction

VPN

Site-to-Site

Page 49: Building Up Network Security: An Introduction


VPN

Confidentiality: encryption (AES, 3DES)

Integrity: hashing (MD5, SHA)

Authenticity: authentication (pre-shared key, PKI)

Of each pair, 3DES and MD5 are the legacy options; new tunnels should be built on AES and SHA-2.

Page 50: Building Up Network Security: An Introduction


VPN Technologies

Site-to-Site: IPsec*

Remote Access:
  IPsec: VPN Client (legacy), AnyConnect (IKEv2**)
  SSL:
    Client: AnyConnect
    Clientless (thin client): Port Forwarding, Plug-ins, Smart Tunnels

* On Cisco routers, site-to-site VPN can also be achieved with DMVPN and GET VPN
** AnyConnect 3.x offers IPsec IKEv2


Page 52: Building Up Network Security: An Introduction


Site-to-Site VPN

Source: Cisco SIMOS courseware
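The three building blocks from slide 49 map directly onto an IKEv2 site-to-site tunnel. The ASA 9.x configuration below is an added example written for this transcript, not from the deck or from the SIMOS courseware; the peer 203.0.113.2, the 10.1.0.0/16 and 10.2.0.0/16 LANs, the object, ACL and crypto-map names and the pre-shared key are assumed values. It uses AES-256 for confidentiality, SHA-256 for integrity and a pre-shared key for authenticity; 3DES and MD5 from the same slide are still accepted by the CLI but are the legacy choices and are deliberately not used.

```text
! Added example; peer, subnets, names and the PSK are assumptions, not values from the deck.
! Phase 1 (IKE SA): strong suite only. The CLI would also accept 3des / md5 / group 2;
! those are the legacy settings the slide lists and should not be chosen for a new tunnel.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Phase 2 (child SA) transform
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH_LAN
 subnet 10.2.0.0 255.255.0.0
! crypto ACL: the traffic that belongs in the tunnel
access-list VPN-TO-BRANCH extended permit ip object LOCAL_LAN object BRANCH_LAN
! identity NAT so site-to-site traffic is not PATed to the outside address first
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static BRANCH_LAN BRANCH_LAN no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside
!
! Authenticity: a pre-shared key in each direction (PKI would use certificates here instead)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Br4nch-PSK-example
 ikev2 local-authentication pre-shared-key Br4nch-PSK-example
```

Bring the tunnel up by sending interesting traffic, then confirm the IKE SA with `show crypto ikev2 sa` and the ESP SAs (with their packet counters) with `show crypto ipsec sa`; a mismatched PSK or proposal shows up in `debug crypto ikev2 protocol`. With PKI instead of a PSK, the two authentication lines become `ikev2 remote-authentication certificate` and `ikev2 local-authentication certificate <trustpoint>`, which removes the shared secret that every branch would otherwise have to store and rotate.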

Page 53: Building Up Network Security: An Introduction

Remote-Access VPN

AnyConnect



Page 56: Building Up Network Security: An Introduction


What comes to mind when you hear AnyConnect?

SSL VPN, IPsec

AnyConnect replaces: VPN Client, Secure Services Client, AnyWhere+, NAC Agent

Modules: Host Scan, Phone Home, DART, AMP*, Cloud Web Security, Network Access Manager, ISE Posture (NEW: next slide)

* Released with AnyConnect 4.1
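Because AnyConnect speaks both SSL and IKEv2, one tunnel-group on the ASA can serve both, with ISE doing the user authentication over RADIUS. The ASA 9.x configuration below is an added example written for this transcript, not from the deck or from Cisco; the package file name, the address pool, the ISE and DNS addresses, the shared secret and the group names are assumed values.

```text
! Added example; file name, pool, addresses, secret and names are assumptions, not values from the deck.
! ISE as the RADIUS server; dynamic-authorization accepts CoA from ISE (needed for ISE Posture)
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.1.1.10
 key ISEsharedSecret
 dynamic-authorization
!
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.1.00028-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! One group policy covering both transports the client can use
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client ikev2
 dns-server value 10.1.1.5
 split-tunnel-policy tunnelall
!
tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 authentication-server-group ISE
 default-group-policy RA_GP
tunnel-group RA_TG webvpn-attributes
 group-alias Employees enable
```

Authentication goes to ISE, and `dynamic-authorization` lets ISE push a CoA so the ISE Posture module's verdict (next slide) can change the session's authorization after the tunnel is up. `tunnelall` forces every packet through the ASA; if split tunnelling is enabled later, the client's other traffic no longer passes the ESA, WSA and FirePOWER inspection the rest of this deck relies on. Active sessions and their transport are listed by `show vpn-sessiondb anyconnect`.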

Page 57: Building Up Network Security: An Introduction


AnyConnect for ISE Posture

No need for a separate NAC Agent any more: the ISE Posture module in AnyConnect performs the posture assessment.

Page 58: Building Up Network Security: An Introduction

Email and Web Security

Page 59: Building Up Network Security: An Introduction


Cisco and Email/Web Security

Cisco is not commonly known for a focus on proxies.

In 2007, Cisco paid $830M for IronPort's application security gateways:
Email Security Appliance
Web Security Appliance

Page 60: Building Up Network Security: An Introduction


The Artist Formerly Known as: Ironport

So why pay so much for a server? The value is the reputation data behind it, a threat-intelligence source that has been renamed as its scope grew:

SenderBase – reputation score

SensorBase

SIO

TALOS


Page 62: Building Up Network Security: An Introduction


Hygiene Pipeline of Cisco ESA

Source: Cisco SESA 2.1 courseware


Page 64: Building Up Network Security: An Introduction


Web Security

Old adage: HTTP is the new TCP. Many applications and services now run on top of HTTP and HTTPS.

Filtering and inspecting web traffic is becoming a requirement:
Compliance
Peace of mind

Page 65: Building Up Network Security: An Introduction


WSA Acceptable Usage Policies

URL filtering
Anti-malware security
Bandwidth controls
Application controls
Identity-based security
HTTPS inspection
Data loss protection
SaaS access control

Page 66: Building Up Network Security: An Introduction

Q & A


Page 68: Building Up Network Security: An Introduction

Conclusion

Page 69: Building Up Network Security: An Introduction


Cisco Security Courses

CCNA Security e-Camp
IINS - Implementing Cisco IOS Network Security
SAEXS - Cisco ASA Express Security
SENSS - Implementing Cisco Edge Network Security Solutions
SIMOS - Implementing Cisco Secure Mobility Solutions
SISAS - Implementing Cisco Secure Access Solutions
SITCS - Implementing Cisco Threat Control Solutions
ASA Lab Camp v9.0
SASAA - Implementing Advanced Cisco ASA Security
SASAC - Implementing Core Cisco ASA Security
ACS - Cisco Secure Access Control System
SISE - Implementing and Configuring Cisco Identity Services Engine
SESA - Securing Email with Cisco Email Security Appliance
SWSA - Securing the Web with Cisco Web Security Appliance
Cisco FirePOWER Services and Cloud Web Security Workshop v1.0
SSFAMP - Securing Cisco Networks with Sourcefire FireAMP Endpoints
SSFIPS - Securing Cisco Networks with Sourcefire Intrusion Prevention System
SSFRULES - Securing Cisco Networks with Snort Rule Writing Best Practices
SSFSNORT - Securing Cisco Networks with Open Source Snort

Page 71: Building Up Network Security: An Introduction


GK Cisco Training Exclusives

6 months of Anytime access to Cisco Practice Labs
Anytime access to Boson practice exams
On-demand access to searchable class recordings of your virtual class
Unlimited retakes of your class
Free Cisco certification exam voucher

Page 72: Building Up Network Security: An Introduction


Find Out More

www.globalknowledge.ca

On-demand & live webinars, white papers, blog...

www.globalknowledge.ca/security

Courses