Secure Borderless Enterprise Network Design · 2010. 11. 22. · © 2009, Cisco Systems, Inc. All rights reserved.

Secure Borderless Enterprise Network Design

Agenda

Borderless Network Overview

Approach Overview

Internet Edge Design Overview

Enterprise Security

Enterprise IPS/IDS

Web Security

Email Security

Remote Access

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public


Market Transitions

Mobility, Workplace Experience, Video

Mobile Devices

IT Resources

1.3 Billion new networked mobile devices in next three years

Blurring the borders:

Consumer ↔ Workforce; Employee ↔ Partner

Anyone, Anything, Anywhere, Anytime

60% of all Cisco network traffic today is video


Anyone, Anything: Employee, Partner, Customer Communities

The New Borderless Organization

Person to Person, Person to Device, Device to Device

Borderless Experience

Anytime, Anywhere: Always Works, Instant Access, Instant Response

Work, Home, On the Go…

Securely, Reliably and Seamlessly


Borderless Network Questions: The 5 W’s (and 1 “H”)

The Goal is Proper Strategic Alignment

Business Strategy

Technology Strategy


What Does Misalignment Look Like?

We often see in our security customers a misalignment between policy and operational reality.

Example: The IT security team tells us they have a policy that mandates strong passwords and reduces risk. This policy may even be used as evidence of secure operations for PCI, HIPAA, or other audits. During a Security Posture Assessment we find that significant ratios of passwords (40+ percent) are weak and easily guessed.

Without effective, cross-functional analysis these two data points would never meet (until it breaks)…

Our Approach

Researched Across Theaters to Define:
– Customer Characteristics
– Requirements

Designed a Blueprint
– Validated Design and Product Selection
– Modified Based on Feedback

Sell Ourselves on the Design
– Customer Experience Lifecycle
– “Out of the Box” Experience


Organization Problems: Overview

Enterprise design addresses requirements for organizations that:

Need to provide reliable access to Internet, Email, and Cloud services

Need flexible remote access to allow users to access content from anywhere

Need to provide partner and customer access to corporate data

Ensure that all connections adhere to the security policy regardless of origination

Must address regulatory compliance requirements (e.g. PCI)

Need to improve employee productivity and manage risk

Target Market

Internet Edge design addresses requirements for organizations that:

Have 2K-10K connected employees

Have IT workers with CCNA or equivalent experience

Need a remote access VPN solution for employees and partners

Need to secure Internet-facing services

Need to filter web and email services for employees for security and policy compliance

May need high availability for corporate Internet access

Addresses requirements for 80% of customers to get the network up and running with a solid foundation

Advanced policy development is out of scope


Design Goals

Ease of deployment: A design that could be deployed consistently across all products included in the design

Flexibility and Scalability: Designed to grow with the organization without being redesigned

Resiliency and Security: Keep the network operating even when unplanned outages and attacks occur on the network

Ease of management: Configuring devices to be managed by a Network Management System

Advanced technology ready: Network foundation has the required baseline network services already configured

Internet Edge Design Overview



Organization Overview

Organizations’ demand for Internet connectivity has increased steadily in the last decade

Access to Internet-based services is a fundamental requirement for conducting day-to-day activity

Email, web access, remote-access VPN, and more recently, cloud-based business services are critical functions enabling businesses to pursue their missions

The Internet connection that supports these services must be designed to enable the organization to accomplish its Internet-based business goals

Three factors define the business requirements for an organization’s Internet connection:

Value of Internet-based business activity: revenue realized from Internet business and savings realized by Internet-based services

Cost of outages for the Internet connection

Capital and operational expenses for implementation and maintenance of various Internet connection options

Design Considerations

Connectivity speed: What is the expected typical throughput requirement? Are short bursts of high-volume traffic expected?

Address space: How many public-facing devices are there? Is the IP address space owned or provided by the ISP?

Availability: Can outages be tolerated?


Borderless Network 2k-10k Overview


Internet Edge Designs

Two design options:

Internet Edge 5k offers a single connection to one ISP

Internet Edge 10k offers dual Internet connections in Active/Standby mode

[Diagram: Internet Edge 5k shows Internet, ISP A, IE Router, Outside Switch, Cisco ESA, Cisco WSA, Cisco ASA 5520 + IPS, DMZ Switch, Internet Servers, Collapsed Core+Distribution and Internal Network. Internet Edge 10k shows ISP A and ISP B, IE Routers, Outside Switch, Cisco ESA, Cisco WSA, Cisco ASA 5540 + IPS, a separate RA VPN Cisco ASA 5520/40, DMZ Switch, Internet Servers, Collapsed Core+Distribution and Internal Network]


Feedback from Field, Customers, and Partners for 2K-5K Users

Majority (>75%) using ~10 Mbps; some up to DS3

Majority of new service is Ethernet, same as smaller customers; existing base is split between Ethernet vs. Router Handoff

Most customers that buy Internet CPE use a 3800/3900

5520 Firewall; same hardware for RA VPN

Less than half with separate RA VPN

IPsec client is prevalent

Some SSL full tunnel and web portal for terminal services and file sharing

One-third to two-thirds host corporate web onsite; small minority have e-commerce apps

~50% filter Site-to-Site VPN with Internet firewalls, mostly to one VPN router

Customers in domestic market are moving toward cloud-based apps

All separate switches for outside, DMZ, and inside (no VRF)

Internet Edge A (2000-5000 Users): Medium Design

Single ISP support

Static Route to ISP

Active/Standby Firewall with RA VPN for SSL and IPsec

Web and Mail filtering

Internet DMZ for public-facing services

Connects into LAN/Campus collapsed Distribution/Core

[Diagram: Internet, ISP A, IE Router, Outside Switch, Cisco ESA, Cisco WSA, Cisco ASA 5520 + IPS, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]


Feedback from Field, Customers, and Partners for 5K-10K Users

~20 Mbps service, some as high as 100 Mbps

Almost no customer-managed CPE

Majority of new service is Ethernet, same as smaller customers; existing base is split between Ethernet vs. Router Handoff

Some dual ISP (~30%), lots of desire but lacking good technical solutions

5540/50 for Internet

DMZ carries some corporate web presence; not much eCommerce

Lots of partner connectivity

50/50 go through IE firewalls for Site-to-Site VPN

VPN is separated from firewall and rest of network gear; operational separation for RA VPN, all separate boxes on the high end

Physically separate switches for inside, outside, and DMZ

Small but growing group using SaaS (~5-10%)

The majority of organizations are using a static default to the Internet

Internet Edge B (5000-10000 Users): Large Design

Dual ISP support (No BGP)

Internet Edge Routing

Active/Standby Firewall

RA VPN for SSL and IPsec (standalone)

Web and Mail filtering

Server Load-Balancing

Internet DMZ for public-facing services

Connection to LAN Distribution/Core

[Diagram: Internet, ISP A and ISP B, IE Routers, Outside Switch, Cisco ESA, Cisco WSA, Cisco ASA 5540 + IPS, RA VPN Cisco ASA 5520/40, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]


Internet connection speeds and platforms

Number of connected users    Internet connection speed
2000-4500                    20-50 Mbps
3000-7000                    35-75 Mbps
6000-10000                   75-150 Mbps

Platform    Internet connection speed
3925        Up to 100 Mbps
3945        Up to 150 Mbps

Enterprise Security



Hardening the Edge Summary: Catalyst Integrated Security Features

[Diagram: attacker 10.1.1.25 and victim 10.1.1.50 on one access switch with gateway 10.1.1.1, a DHCP server and an email server; it illustrates 132,000 bogus MACs making the switch act like a hub, a rogue “Use this IP Address!” DHCP reply, DHCP DoS, and a “Hey, I’m 10.1.1.50!” spoof that exposes the victim’s email password (‘joecisco’)]

Port Security prevents MAC flooding, port access and rogue network extension

DHCP Snooping prevents Rogue DHCP Server attacks and DHCP starvation attacks

Dynamic ARP Inspection uses the DHCP snooping table to prevent ARP Spoofing attacks and MiTM attacks

IP Source Guard uses the DHCP snooping table to mitigate IP Spoofing, impersonation attacks and unauthorized access

Port Security: MAC Flood Protection

Problem: Hacking tools enable attackers to flood switch CAM tables with bogus MACs. This turns the VLAN into a “hub”, eliminating privacy. The switch CAM table limit is a finite number of MAC addresses.

Solution: Port Security limits the MAC flooding attack, locks down the port and sends an SNMP trap. In the example only 3 MAC addresses are allowed on the port; on violation the port is shut down. Port Security Actions = Protect, Restrict, Shut Down.

Interface Commands
  switchport port-security
  switchport port-security maximum 3
  switchport port-security violation shutdown
  switchport port-security aging time 2
  switchport port-security aging type inactivity


DHCP Snooping: Rogue DHCP Server Protection

[Diagram: a client on an untrusted port sends a DHCP request through a DHCP snooping-enabled switch; DHCP responses (offer, ack, nak) from the DHCP server on the trusted port are forwarded, while the same responses from a rogue server on an untrusted port are blocked]

By default all ports in the VLAN are untrusted

Global Commands
  ip dhcp snooping vlan 100,110,120
  no ip dhcp snooping information option
  ip dhcp snooping

DHCP Snooping Untrusted Client, Interface Commands
  no ip dhcp snooping trust (Default)
  ip dhcp snooping limit rate 15 (pps)

DHCP Snooping Trusted Server or Uplink, Interface Commands
  ip dhcp snooping trust

DHCP Snooping Binding Table

Table is built by “snooping” the DHCP reply to the client

Entries stay in table until DHCP lease time expires

  sh ip dhcp snooping binding
  MacAddress          IpAddress     Lease(sec)  Type           VLAN  Interface
  ------------------  ------------  ----------  -------------  ----  --------------------
  00:22:64:88:63:6E   10.240.100.2  62960       dhcp-snooping  100   GigabitEthernet2/21


Dynamic ARP Inspection: ARP Spoofing Protection

[Diagram: gateway 10.240.200.1 (MAC A) and hosts 10.240.200.2 (MAC B) and 10.240.200.3 (MAC C) on one switch; the host with MAC B sends gratuitous ARPs claiming “10.240.200.3 = MAC_B” and “10.240.200.1 = MAC_B”]

Protects against ARP poisoning (ettercap, dsniff, arpspoof)

Uses the DHCP snooping binding table

Tracks MAC to IP from DHCP transactions

Rate-limits ARP requests from client ports; stops port scanning

Drops bogus gratuitous ARPs; stops ARP poisoning/MiTM attacks

Global Commands
  ip dhcp snooping vlan 200,210,220
  no ip dhcp snooping information option
  ip dhcp snooping
  ip arp inspection vlan 200,210,220
  ip arp inspection log-buffer entries 1024
  ip arp inspection log-buffer logs 1024 interval 10

Interface Commands
  no ip arp inspection trust (default)
  ip arp inspection limit rate 15 (pps)

IP Source Guard: IP Spoofing Protection

[Diagram: gateway 10.240.200.1, victim 10.240.200.3 and attacker 10.240.200.2 on one switch; the attacker announces “Hey, I’m 10.240.200.3!”]

IP Source Guard protects against spoofed IP addresses

Uses the DHCP snooping binding table

Tracks IP address to port associations

Dynamically programs a port ACL to drop traffic not originating from the IP address assigned via DHCP

Global Commands
  ip dhcp snooping vlan 200,210,220
  no ip dhcp snooping information option
  ip dhcp snooping

Interface Commands
  ip verify source vlan dhcp-snooping
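As an added example (not Cisco code or the slides' own configuration), the Python below models the mechanism these three features share: a switch builds the binding table from snooped DHCP replies and then applies the DAI and IP Source Guard checks to constructed traffic matching the diagrams above. Port names, the MAC labels and the per-port ARP counter standing in for the 15 pps rate limit are assumptions.

```python
"""DHCP snooping binding table with Dynamic ARP Inspection (DAI) and IP Source
Guard (IPSG) checks built on it. Added example, not Cisco code: ports, MAC labels
and traffic below are constructed; the ARP rate limit is a plain per-port counter
standing in for the switch's 15 pps window."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    vlans: set                                   # ip dhcp snooping vlan ...
    trusted: set = field(default_factory=set)    # ip dhcp snooping trust (server/uplink)
    arp_limit: int = 15                          # ip arp inspection limit rate 15
    table: dict = field(default_factory=dict)    # (vlan, ip) -> Binding
    pending: dict = field(default_factory=dict)  # (vlan, client mac) -> client port
    arp_count: dict = field(default_factory=dict)
    errdisabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def dhcp_request(self, port, vlan, client_mac):
        """Client -> server DHCP message: remember the port the client is on."""
        self.pending[(vlan, client_mac)] = port
        return "forward"

    def dhcp_reply(self, port, vlan, client_mac, ip, kind="ack"):
        """Server -> client offer/ack/nak arriving on `port`. Replies from untrusted
        ports are rogue-server traffic and are dropped; an ack from a trusted port
        is snooped to add a binding for the client's port."""
        if vlan not in self.vlans:
            return "forward"
        if port not in self.trusted:
            self.log.append(f"DROP dhcp {kind} from untrusted {port}")
            return "drop"
        if kind == "ack":
            client_port = self.pending.get((vlan, client_mac))
            if client_port is not None:
                self.table[(vlan, ip)] = Binding(client_mac, ip, vlan, client_port)
        return "forward"

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender MAC/IP pair must match a binding for
        this port, and ARPs above the rate limit err-disable the port."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted or vlan not in self.vlans:
            return "forward"
        self.arp_count[port] = self.arp_count.get(port, 0) + 1
        if self.arp_count[port] > self.arp_limit:
            self.errdisabled.add(port)
            self.log.append(f"ERRDISABLE {port}: ARP rate limit exceeded")
            return "drop"
        b = self.table.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac or b.port != port:
            self.log.append(f"DROP arp {sender_ip} is-at {sender_mac} on {port}")
            return "drop"
        return "forward"

    def ip_packet(self, port, vlan, src_ip):
        """IPSG (ip verify source vlan dhcp-snooping): the port ACL permits only
        source IPs the binding table assigned to this port. Filtering the source
        MAC as well needs the port-security keyword and is not modelled."""
        if port in self.trusted or vlan not in self.vlans:
            return "forward"
        b = self.table.get((vlan, src_ip))
        if b is None or b.port != port:
            self.log.append(f"DROP ip src {src_ip} on {port}")
            return "drop"
        return "forward"

    def show_binding(self):
        """Rows (mac, ip, vlan, port) as 'show ip dhcp snooping binding' lists them."""
        return sorted((b.mac, b.ip, b.vlan, b.port) for b in self.table.values())


def demo():
    """Scenario of the DAI and IP Source Guard slides: VLAN 200, DHCP server behind
    the trusted uplink Gi1/24, host B on Gi1/2 leased .2, host C on Gi1/3 leased .3."""
    sw = SnoopingSwitch(vlans={200, 210, 220}, trusted={"Gi1/24"})
    for port, mac, ip in [("Gi1/2", "MAC_B", "10.240.200.2"),
                          ("Gi1/3", "MAC_C", "10.240.200.3")]:
        sw.dhcp_request(port, 200, mac)
        sw.dhcp_reply("Gi1/24", 200, mac, ip)  # ack from the real server
    return sw, {
        "rogue_offer": sw.dhcp_reply("Gi1/2", 200, "MAC_C", "10.240.200.99", "offer"),
        "good_arp": sw.arp_packet("Gi1/2", 200, "MAC_B", "10.240.200.2"),
        "poisoned_arp": sw.arp_packet("Gi1/2", 200, "MAC_B", "10.240.200.3"),
        "good_ip": sw.ip_packet("Gi1/3", 200, "10.240.200.3"),
        "spoofed_ip": sw.ip_packet("Gi1/2", 200, "10.240.200.3"),
    }
```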


Internal Segmentation

Segment high profile areas of the network: NMS, Enterprise Servers, Compliance Driven

Determine traffic flows

Tune policy based on business requirements

Infrastructure devices only accept access from the NMS segment

[Diagram: a user managing an infrastructure device reaches it from the Internal Network via the NMS Segment: 1. IPsec or SSH access to the firewall; 2. Telnet or SSH to the NMS; 3. SSH or Telnet to network infrastructure devices from the NMS]

Firewall – Topology Overview

[Diagram: Internet, ISP A and ISP B, IE Routers, Outside Switch, Cisco ESA, Cisco WSA, Cisco ASA 5540 + IPS, RA VPN Cisco ASA 5520/40, DMZ Switch, Internet Servers, Collapsed Core+Distribution, Internal Network]


Organization Overview

Perimeter of the corporate network

Major threats to network performance, availability and data security: worm, virus, and botnet infiltration; network profiling and unauthorized access attempts

Firewall security must: protect information assets; meet the need for secure, reliably available networks; apply policy to manage employee productivity; address regulatory compliance requirements

Firewall security policy must not interfere with access to Internet-based applications, or hinder connectivity to business partners’ data via extranet VPN connections

Technology Overview

This design employs a pair of Cisco ASA 5500s for Internet Edge firewall security

Configured for active/standby high availability

Configured in routing mode for greatest flexibility

Contain NAT and firewall policy, and host IPS-SSMs

Two deployment options are discussed:

The Internet-5K firewall design uses a single Internet connection, with Remote Access VPN aggregation in the same device pair that provides the firewall

The Internet-10K firewall design uses a dual Internet connection for resiliency of access to the Internet; Remote Access VPN aggregation is implemented on a different pair of ASAs, to provide for operational flexibility

A good portion of the configuration described is common to both the Internet-5K and Internet-10K designs

Firewall sizing is based on traffic from inside, outside, DMZ and Internet


Design – Failover

Define failover interface and addresses

Tune failover poll times

Use tracking in the 10K design

Configure a static route for the tracked item

[Diagram: Failover Interface, Failover Policy]

Design – Routing

If no high availability for Internet access is required (Internet-5K design), the ASAs’ physical interface is used

If resilient Internet access is required (Internet-10K design), the ASAs’ outside physical interface is configured as a VLAN trunk to the outside switch

Define routes to the two Internet CPE addresses with object tracking

EIGRP is enabled on the Inside interface

[Diagram: Static Route with Tracking and IP-SLA Probes. ASA Primary and ASA Standby connect to the Outside Switch; VLAN 16 (172.16.0.0) leads to the Primary ISP Router and VLAN 17 (172.17.0.0) to the Secondary ISP Router, with VLAN 16 & 17 trunked to the ASA; the probe destination is 10.194.112.65]


Design – DMZ

The Firewall’s DMZ (De-Militarized Zone) is a portion of the network where traffic to and from other parts of the network is tightly restricted

Network services placed in a DMZ for exposure to the Internet

Typically not allowed to initiate connections to the ‘inside’ network, except for specific circumstances

[Diagram: DMZ on a Physical Interface vs. a Trunked Interface]

Design – Address Translation

Use address-family names and object-groups

Enable names

Configure the interface that will be used for the outside (global) addresses

Enable static translations for hosts that need to be accessed from the Internet

[Diagram: Enable names, Network Objects, Static NAT]


Design – Policy Configuration

Network security policies can be broken down into two basic categories: ‘whitelist’ policies and ‘blacklist’ policies

Whitelist policies offer a stronger implicit security posture

Blacklist policies offer reduced operational burden

Design – Monitoring and Authentication

Enable logging to a syslog server

Enable and configure SNMP

Use AAA for authenticating users and administrators

[Diagram: SNMP, AAA Server]


SensorBase Overview


SensorBase Network Breadth

IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender

Message Composition Data: message size, attachment volume, attachment types, URLs, host names

Spam Traps: SpamCop, ISPs, customer contributions

Compromised Host Lists: SORBS, OPM, DSBL

Web Site Composition Data: downloaded files, linking URLs, threat heuristics

Complaint Reports: spam, phishing, virus reports

Domain Blacklists & Safelists: spamvertized URLs, phishing URLs, spyware sites

Global Volume Data: over 100,000 organizations, email traffic, web traffic

Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up

First to combine email & web data

Over 100 email and 20 web parameters tracked


Cisco Security Intelligence Operations

Security Infrastructure Dynamically Protects Against the Latest Threats Through:

Cisco SensorBase: The Most Comprehensive Vulnerability and Sender Reputation Database

Threat Operations Center: A Global Team of Security Researchers, Analysts, and Signature Developers

Dynamic Updates: Dynamic Updates and Actionable Intelligence

Powered by Global Correlation

What Is Reputation? Is All Reputation the Same?

Reputation is the history of both the actions and qualities of a specific IP address or network. It is calculated using some of the hundreds of different types of data found in Cisco SensorBase.

For different types of devices (Email Security, IPS, Web Security, Firewall), different parameters can mean more or less for the reputation of a device.

Example: The fact of sending spam is highly relevant to the reputation of an email device and less so to an IPS sensor.


Cisco Global Correlation: Cisco SensorBase, World’s Largest Traffic-Monitoring Network

Largest Footprint | Greatest Breadth | Full Context Analysis

Cisco Global Correlation: Exceptional Breadth

Email Security, IPS, Web Security, Firewall

Identifying a Global Botnet Requires Complete Visibility Across All Threat Vectors


Global Correlation, Full Context Analysis: Seeing the Whole Picture

Largest Footprint | Greatest Breadth | Full Context Analysis

Who? Reputation of Counterparty

What? Content

How? Propagation and Mutation Methods

Where? Geographic and Vertical Trends

Enterprise Intrusion Detection/Prevention



Data Center Design Overview

Understand traffic patterns and bandwidth requirements

IDS/IPS can be deployed at entry point network segments

Deploy in high risk areas

[Diagram: IDS/IPS sensors reporting via Syslog and SNMP to the System Admin, alongside Other Servers]

IPS/IDS Internet Edge – Topology Overview

Traffic inspected by ASA firewall policy

If denied by firewall policy, traffic is dropped

Permitted traffic matching the inspection policy is sent to the IPS module

Traffic matching the reputation filter list, or with a GC (Global Correlation) adjusted risk rating of 90+, is dropped

Clean traffic is sent back to the ASA

VPN access policies are applied if present, then traffic is sent forward onto the network


Organization Overview

Services on the Internet have become a key component to many businesses today

Need to understand key requirements:

Provide Internet access in a secure way while at the same time controlling access to non-business-related content

Have a web presence up and available for partners and clients to access basic information about the organization

Manage the risk of inadvertent exposure of data or attack on the public-facing data

Protect against threats such as worms, viruses, and botnets

IPS is complementary to a firewall and inspects the traffic that is permitted by the firewall policy for attacks

If an IPS detects an attack, the offending traffic is dropped and an alert is sent

Technology Overview

This design employs Cisco Adaptive Inspection Prevention Security Service Module (AIP-SSM) modules for IPS services

The design offers se eral options based off of performance req irements of o rThe design offers several options based off of performance requirements of your organization

For the Borderless Network (BN) Internet Edge 5K design, the ASA 5520 with AIP-SSM-20; for larger networks such as Internet Edge 10K, the ASA 5540 with AIP-SSM-40

The Internet edge firewall and IPS throughput requirements are much higher than just the speed of the Internet connection, because the same devices also carry:

Internal traffic to servers in the DMZ

Wireless guest traffic

Site-to-site VPN

Remote access VPN

IPS modules rely on the ASA for high availability services


Cisco IPS 7.0 with Global Correlation: Changing Network IPS to Global IPS

Coverage: twice the effectiveness of signature-only IPS

Accuracy: reputation analysis decreases false positives

Timeliness: 100 times faster than traditional signature-only methods

Harnessing the power of Cisco Security Intelligence Operations. Results averaged over a 2-week period in prerelease deployments.

Packet Flow in Cisco IPS Version 7.0

Packet flow stages (diagram): Preprocessing -> IPS Reputation Filters -> Signature Inspection -> Anomaly Detection -> Global Correlation -> Decision Engine

IPS reputation filters block access to IPs on stolen zombie networks or networks controlled entirely by malicious organizations.

Global Correlation inspection raises the risk rating of events when the attacker has a negative reputation, allowing those events to be blocked more confidently and more often than an event without a negative reputation.


Global Correlation Inspection: How Much Does the Risk Rating Change?

Global Correlation inspection adjusts the risk rating of events based on the reputation of the attacker and the original risk rating.

The formula used to calculate the change is complex and statistical in nature. It is also subject to change for fine-tuning (so this chart can change).

Example: An event is triggered with RR = 85 and an attacker reputation of -5; the sensor raises the risk rating to 99 and, in Standard mode, applies the Deny Packet action due to reputation. Note that this event would not have been blocked on a sensor without Global Correlation.

Reputation Effect on Risk Rating, Standard Mode (rows: initial risk rating; columns: reputation of attacker). In the original chart blue cells mean Deny Packet and red cells mean Deny Attacker; the colouring is not reproduced here.

Initial RR   -1   -2   -3   -4   -5   -6   -7   -8   -9  -10
        80   80   87   92   95   98   99  100  100  100  100
        81   81   87   92   96   98  100  100  100  100  100
        82   82   88   93   96   98  100  100  100  100  100
        83   83   88   93   96   99  100  100  100  100  100
        84   84   89   94   97   99  100  100  100  100  100
        85   85   90   94   97   99  100  100  100  100  100
        86   86   90   94   97   99  100  100  100  100  100
        87   87   91   95   98  100  100  100  100  100  100
        88   88   91   95   98  100  100  100  100  100  100
        89   89   92   96   98  100  100  100  100  100  100
        90   90   92   96   99  100  100  100  100  100  100
        91   91   93   97   99  100  100  100  100  100  100
        92   92   93   97   99  100  100  100  100  100  100
        93   93   94   97  100  100  100  100  100  100  100
        94   94   95   98  100  100  100  100  100  100  100
        95   95   95   98  100  100  100  100  100  100  100
        96   96   96   99  100  100  100  100  100  100  100
        97   97   97   99  100  100  100  100  100  100  100
        98   98   98  100  100  100  100  100  100  100  100
        99   99   99  100  100  100  100  100  100  100  100
       100  100  100  100  100  100  100  100  100  100  100

IPS Reputation Filters: Blocking the Worst Traffic

Some networks on the Internet are owned wholly by malicious organizations or are hijacked zombie networks, for example:

...

58.65.232.0/21

58.83.8.0/22

58.83.12.0/22

62.122.32.0/21

...

Reputation filters block access to these networks like an ACL

Individual IP addresses do not go on this list because of things they do (an IP address does not go from -1 to -9 to being put on this list)


Local Inspection Will Always Matter. Example 1: Unknown Attacker

1. New attacker hits the IPS

2. Attacker without a reputation

3. Signatures or anomaly detection identify activity

4. The attack is handled according to the security policy implemented on the sensor (deny if risk rating reaches threshold)

5. Information about the attacker is sent back to Cisco Security Intelligence Operations (SIO) to track the attacker's reputation (if configured)

Global Correlation Inspection. Example 2: Suspicious Attacker (Identified Through Local Inspection, Denied Due to Global Correlation)

1. Suspicious attacker attacks

2. Attacker has medium reputation

3. Signatures identify suspicious activity and give this attacker a medium risk rating

4. Global Correlation adds context of attacker reputation to risk rating

5. Decision engine blocks attack

6. Information on new reputation is sent back to Cisco SIO
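The two examples above and the Standard-mode chart are combined here into a small Python model of the packet-flow decision. This is an added illustration, not Cisco's code: the reputation-filter prefixes and the adjustment table are the ones printed on the slides, the 90+ drop threshold is the one stated on the topology slide, and the attacker addresses and events are constructed. Below RR 80, where the chart has no data, the model leaves the rating unchanged (an assumption).

```python
"""Toy model of the Cisco IPS 7.0 packet flow described on the slides:
reputation filters -> signature/anomaly inspection (risk rating, RR) ->
Global Correlation (GC) adjustment by attacker reputation -> decision engine.
Added illustration, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Reputation filters hold whole prefixes, never single hosts (slide). These are
# the sample prefixes shown on the slide; a real sensor downloads the list.
REPUTATION_FILTERS = [ipaddress.ip_network(p) for p in (
    "58.65.232.0/21", "58.83.8.0/22", "58.83.12.0/22", "62.122.32.0/21")]

# Standard-mode chart from the slide: adjusted RR for initial RR 80..100 at
# attacker reputation -1..-10 (tuple index 0 is reputation -1, index 9 is -10).
GC_TABLE = {
    80: (80, 87, 92, 95, 98, 99, 100, 100, 100, 100),
    81: (81, 87, 92, 96, 98, 100, 100, 100, 100, 100),
    82: (82, 88, 93, 96, 98, 100, 100, 100, 100, 100),
    83: (83, 88, 93, 96, 99, 100, 100, 100, 100, 100),
    84: (84, 89, 94, 97, 99, 100, 100, 100, 100, 100),
    85: (85, 90, 94, 97, 99, 100, 100, 100, 100, 100),
    86: (86, 90, 94, 97, 99, 100, 100, 100, 100, 100),
    87: (87, 91, 95, 98, 100, 100, 100, 100, 100, 100),
    88: (88, 91, 95, 98, 100, 100, 100, 100, 100, 100),
    89: (89, 92, 96, 98, 100, 100, 100, 100, 100, 100),
    90: (90, 92, 96, 99, 100, 100, 100, 100, 100, 100),
    91: (91, 93, 97, 99, 100, 100, 100, 100, 100, 100),
    92: (92, 93, 97, 99, 100, 100, 100, 100, 100, 100),
    93: (93, 94, 97, 100, 100, 100, 100, 100, 100, 100),
    94: (94, 95, 98, 100, 100, 100, 100, 100, 100, 100),
    95: (95, 95, 98, 100, 100, 100, 100, 100, 100, 100),
    96: (96, 96, 99, 100, 100, 100, 100, 100, 100, 100),
    97: (97, 97, 99, 100, 100, 100, 100, 100, 100, 100),
    98: (98, 98, 100, 100, 100, 100, 100, 100, 100, 100),
    99: (99, 99, 100, 100, 100, 100, 100, 100, 100, 100),
    100: (100, 100, 100, 100, 100, 100, 100, 100, 100, 100),
}

# The Internet edge design drops anything whose GC-adjusted RR is 90 or more.
DENY_THRESHOLD = 90


@dataclass
class Event:
    attacker: str                      # source IP seen by the sensor
    risk_rating: int                   # RR from signature/anomaly inspection, 0..100
    reputation: Optional[int] = None   # SensorBase reputation -1..-10, None if unknown


def matches_reputation_filter(ip: str) -> bool:
    """Stage 1: prefix match, behaves like an ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REPUTATION_FILTERS)


def gc_adjust(rr: int, reputation: Optional[int]) -> int:
    """Stage 3: raise RR according to attacker reputation using the chart.
    Assumption: outside the chart's 80..100 range the RR is left unchanged."""
    if reputation is None or rr not in GC_TABLE:
        return rr
    if not -10 <= reputation <= -1:
        raise ValueError("reputation must be in -1..-10")
    return GC_TABLE[rr][-reputation - 1]


def decide(event: Event):
    """Decision engine: returns (action, reason, final_rr)."""
    if matches_reputation_filter(event.attacker):
        return ("deny", "reputation filter", event.risk_rating)
    adjusted = gc_adjust(event.risk_rating, event.reputation)
    if adjusted >= DENY_THRESHOLD:
        # Example 2 (GC raised it past the line) versus Example 1 (local RR alone)
        reason = "global correlation" if adjusted > event.risk_rating else "local inspection"
        return ("deny", reason, adjusted)
    return ("alert", "below threshold", adjusted)


if __name__ == "__main__":
    # Constructed events: the slide's worked example (RR 85, reputation -5),
    # the same event from an unknown attacker, a reputation-filtered prefix,
    # and a high local RR with no reputation at all.
    for ev in (Event("203.0.113.10", 85, -5), Event("203.0.113.11", 85),
               Event("58.83.9.17", 40), Event("203.0.113.12", 92)):
        print(ev.attacker, decide(ev))
```

The worked example from the chart (RR 85, reputation -5) comes out as a deny at 99 because of Global Correlation, while the identical signature hit from an attacker with no reputation stays an alert at 85, which is the "would not have been blocked without Global Correlation" point the slide makes.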


Global Correlation Network Participation: "My Sensor Is Sending Data Back to Cisco?"

Event data is parsed into reputation update data on the sensor and buffered for transmission to Cisco SensorBase

Every 10 minutes, on average, network participation data is sent to Cisco over HTTPS

This data does not include private addresses

Network participation improves overall security as well as your own by adding attacker data specific to your site.

Diagram: the sensor connects to Cisco SensorBase over HTTPS to report attack data (HTTPS://208.90.57.73)

Global Correlation Network Participation: "What Is My Sensor Sending to Cisco?"

Network participation is entirely voluntary and on an opt-in basis (turned off by default)

No actual packet content data is ever sent

Partial participation sends attacker IP, port, signature ID and risk rating, some protocol attributes, and summary IPS performance data

Full mode adds victim IP and port

Private IP addresses are removed before sending


Design - General

Network Setup: set up basic networking such as IP address, gateway, DNS, and access lists to allow remote access to the GUI (screen: Main Configuration Screen)

Inspection Mode: a decision must be made for the sensor mode, either Inline (IPS) or Promiscuous (IDS)

Traffic Allocation: create a global policy to capture traffic from the ASA (screen: Add Global Policy)


IPS Rules

IPS is configured to drop traffic (screen: Rules Overrides Screen)

Policy can be changed based upon business requirements (screen: Rules Risk Category)

Enterprise Web Security


WSA - Topology Overview (diagram): User Community, Distribution Layer, Internet Edge Firewall/IPS, Remote Access VPN, Cisco Web Security Appliance, Internet

Organization Overview

Web access is a requirement for many modern organizations' day-to-day functions. A challenge exists to maintain an organization's collective web access while minimizing unacceptable or risky use. A solution is needed to control policy-based web access to ensure employees work effectively, and to assure that personal web activity will not waste bandwidth, affect productivity, or expose the organization to undue risk.

As part of a company's corporate security policy, decisions will need to be made about acceptable use.

As the monetary gain from malicious activities on the Internet has grown, the number of vectors used to carry out these malicious or illegal activities has grown and become more sophisticated.

Likely the top threat on the Internet today is malicious Internet servers (mostly web) being used to host content that attacks innocent users' browsers as they view the content.


Web Business Challenges

Challenges: Acceptable Use Violations, Data Loss, Malware Infections

The Dark Web: 80% of the web is uncategorized, highly dynamic or unreachable by web crawlers

– Botnets

– Dynamic content

– Password protected sites

– User generated content

– Short life sites

The Known Web: 20% covered by URL lists

(The diagram pairs the Dark Web with Malware and the Known Web with Acceptable Use Violations.)


Malware Threats & the Dark Web

Chart: 2008 Volume Ratio Change (Malware Blocks Relative to All Requests), January 2008 to November 2008, 0% to 350%

300% yearly volume increase in 2008

Exploits and iframes up 1,731%

4,995% increase in data theft trojans in two years

Botnets on the Prowl: Zeus and Clampi are botnets that steal online account credentials with a focus on bank accounts

The Zeus Trojan is estimated to have infected 3.6 million computers as of October 2009

The newer Clampi Trojan is estimated to have infected hundreds of thousands of computers

Technology Overview

The Cisco ASA redirects HTTP and HTTPS connections to the WSA using the Web Cache Communication Protocol (WCCP).

Determine how web traffic will be sent to the WSA: Explicit or Transparent mode

Determine what type of physical topology will be used

The most common method is to combine management and proxy services onto the management interface

Request flow (diagram: User Community / Campus, Cisco ASA, Cisco WSA, Internet):

1. User initiates web request

2. ASA firewall redirects request to Cisco WSA

3. WSA checks request, replies with denial if request violates policy

4. WSA initiates new connection to the Web if request is acceptable

5. Web server replies with content, which is sent to WSA

6. WSA checks content for objectionable material and forwards content to originating user if no issues are encountered


Deployment - General

Initial Setup Options

System Update(s) and Feature Keys

Log Subscriptions (screen: Logging)

Web Usage Controls

Custom URL Categories (screen: Custom URL Category Filtering)

Access Policies

Web Reputation and Anti-Malware

Optional Deployment: WCCP

Deployment – Basic Continued

Web Reputation and Anti-Malware (screen: Access Policies – Reputation and Anti-Malware)

Optional Deployment: WCCP (screens: ASA WCCP, WSA WCCP)


Deployment - HTTPS

Enable HTTPS proxy connections (screen: HTTPS Proxy Settings)

Generate a certificate for the WSA to use on the client side of the proxy connection (clients must trust the CA that issued it, or every decrypted site will produce browser certificate warnings)

Configure what the WSA is supposed to do when the server it is connecting to has an invalid certificate

Deployment – HTTPS Continued

Create new custom URL categories (screen: Decryption Policies Custom Categories)

Apply categories to the decryption policy (screen: Decryption Policies URL Categories)
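The way custom URL categories drive the decryption policy and the access policy, with the invalid-server-certificate choice and the uncategorized "dark web" falling back to reputation, is sketched below as an added Python illustration. It is not WSA code: the category names, the category matching rules, the reputation scale (-10..+10) and threshold, the invalid-certificate action and the sample URLs are all constructed for the example.

```python
"""Added illustration (not Cisco WSA code) of the policy order described on the
slides: custom URL categories -> decryption policy (HTTPS) -> access policy
(HTTP, or HTTPS that was decrypted) -> web reputation for uncategorized sites."""
import re
from urllib.parse import urlsplit

# Constructed custom URL categories: match on exact host, domain suffix or regex.
CUSTOM_CATEGORIES = {
    "Banking":  {"suffixes": ("examplebank.com",), "regex": None},
    "Webmail":  {"suffixes": ("mail.example.org",), "regex": None},
    "Gambling": {"suffixes": (), "regex": re.compile(r"(^|\.)(casino|poker)[a-z0-9-]*\.", re.I)},
}

# Constructed policies. Decryption default is "decrypt"; access default is "allow".
DECRYPTION_POLICY = {"Banking": "passthrough", "Gambling": "drop"}
ACCESS_POLICY = {"Gambling": "block"}
REPUTATION_BLOCK_BELOW = -6          # constructed scale -10..+10, used when no category matches
INVALID_SERVER_CERT_ACTION = "drop"  # the slide leaves this as an administrator's choice


def categorize(host: str):
    """Return the first custom category matching the host, or None (uncategorized)."""
    host = host.lower()
    for name, rule in CUSTOM_CATEGORIES.items():
        if any(host == s or host.endswith("." + s) for s in rule["suffixes"]):
            return name
        if rule["regex"] and rule["regex"].search(host):
            return name
    return None


def decide(url: str, reputation: int, server_cert_valid: bool = True):
    """Return (action, category, which_policy_decided)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    category = categorize(host)

    if parts.scheme == "https":
        action = DECRYPTION_POLICY.get(category, "decrypt")
        if action == "drop":
            return ("drop", category, "decryption policy")
        if action == "passthrough":
            # Not decrypted, so no content inspection is possible on this flow.
            return ("passthrough", category, "decryption policy")
        # Decrypting means the WSA terminates TLS to the origin and must judge its cert.
        if not server_cert_valid:
            return (INVALID_SERVER_CERT_ACTION, category, "invalid server certificate")

    # Plain HTTP, or HTTPS that was decrypted: access policy by category first.
    if category and ACCESS_POLICY.get(category) == "block":
        return ("block", category, "access policy")
    # Uncategorized hosts (the "dark web" on the slide) rely on reputation.
    if category is None and reputation < REPUTATION_BLOCK_BELOW:
        return ("block", None, "web reputation")
    return ("allow", category, "access policy")


if __name__ == "__main__":
    # Constructed requests with constructed reputation scores.
    for url, rep, ok in (("https://www.examplebank.com/login", 5, True),
                         ("https://casino-royale.example/", 0, True),
                         ("http://poker.fun.example/", 0, True),
                         ("https://cdn-xyz.example/", -8, True),
                         ("https://cdn-xyz.example/", -2, False),
                         ("http://news.example/", 3, True)):
        print(url, decide(url, rep, ok))
```

Note the consequence the slide's checklist implies but does not spell out: a category set to pass-through is never inspected, so the banking exemption also exempts malware served from that domain, while a decrypted category is subject to the invalid-certificate action before any access policy applies.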


Deployment - Authentication

Determine the type of authentication: LDAP/NTLM (screen: NTLM Realm)

Determine subnets not to authenticate (screen: Subnet Policy)

Deployment – Authentication Continued

Determine client applications not to authenticate (screen: Agent Policy)

Enable authentication (screen: Global Authentication)


Deployment – Error Pages

Common expected client messages


Enterprise Email Security


ESA - Topology Overview (diagram): Internet, ASA, ESA on DMZ, Inside Network

Organization Overview

There are two major problems with email in networks today:

Floods of unsolicited and unwanted emails (spam)

Large numbers of emails used for phishing

Email is a critical business service; it can be as important as telephone service

Solutions for this problem include hosted services that provide filtering as part of the email solution, or network solutions that are installed in front of a local email server

The goal of the solution is to filter out positively identified spam and to quarantine or discard emails sent from untrusted or potentially hostile locations.

Anti-virus (AV) scanning is applied to emails and attachments from all servers to remove known malware.


Technology Overview

Acts as a Mail Transfer Agent (MTA)

Can be deployed with a single physical interface

Uses reputation-based and context-based filters

Uses Virus Outbreak Filters and AV signatures to fight viruses

Mail flow (diagram: Internet DNS Server, Cisco Email Security Appliance, Email Server):

1) Sender sends email to a recipient at Company X

2) What is the IP for the Company X mail server (MX and A record DNS lookup)?

3) IP address for Company X email is a.b.c.d (Cisco C-Series appliance at Company X)

4) Send the email

5) After inspection, the email is sent to the central Email Server

6) Employee retrieves cleaned email

Deployment - General

Configure system settings: Interfaces/DNS (screen: Network Setup); Hostname/Password; Message Security (screen: Message Security)


Deployment - Policy

Default policy is generally used to get started

Enable Anti-Spam, configured to drop (screen: Anti-Spam)

Enable Bounce Verification (screen: Bounce Verification)
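The "Enable Bounce Verification" step is a single checkbox on the appliance, so the mechanism behind it is shown here as an added Python illustration rather than Cisco's code: outbound envelope senders are rewritten to carry a keyed, dated tag (a simplified form of the BATV "prvs" layout), and an inbound bounce, recognised by its empty envelope sender, is accepted only if the recipient address carries a tag that verifies and has not expired. The key, the validity window, the clock value and the addresses are all constructed for the example.

```python
"""Added example (not Cisco's code): BATV-style bounce verification, the idea
behind the ESA's Bounce Verification feature. Outgoing MAIL FROM is tagged;
incoming bounces (MAIL FROM:<>) must address a valid tag or be rejected."""
import hmac
import hashlib
from datetime import date

SECRET_KEY = b"constructed-example-key-rotate-me"   # would live on the appliance
VALID_DAYS = 7                                       # constructed validity window


def _sig(local: str, domain: str, day: int) -> str:
    """6 hex chars of HMAC over the expiry day and the original address."""
    msg = f"{day:03d}:{local}@{domain}".lower().encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address: str, today: date) -> str:
    """Rewrite an outbound envelope sender as prvs=DDDSSSSSS=local@domain,
    where DDD is the expiry day modulo 1000 (simplified prvs layout)."""
    local, domain = address.rsplit("@", 1)
    day = (today.toordinal() + VALID_DAYS) % 1000
    return f"prvs={day:03d}{_sig(local, domain, day)}={local}@{domain}"


def verify_bounce(envelope_sender: str, rcpt: str, today: date):
    """Return (accept, reason). Only null-sender messages (bounces) are checked;
    ordinary mail is left to the anti-spam and reputation stages."""
    if envelope_sender != "":
        return (True, "not a bounce")
    if not rcpt.lower().startswith("prvs="):
        return (False, "untagged bounce")        # we never sent mail from here
    try:
        tag, original = rcpt[5:].split("=", 1)
        day, sig = int(tag[:3]), tag[3:]
        local, domain = original.rsplit("@", 1)
    except ValueError:
        return (False, "malformed tag")
    if not hmac.compare_digest(sig, _sig(local, domain, day)):
        return (False, "bad signature")           # forged or key-mismatched tag
    remaining = (day - today.toordinal() % 1000) % 1000
    if remaining > VALID_DAYS:
        return (False, "expired tag")             # too old, or dated in the future
    return (True, "verified bounce")


def example_run():
    """Constructed scenario; the clock is fixed to the presentation date."""
    today = date(2010, 11, 22)
    tagged = tag_sender("alice@companyx.example", today)
    return {
        "tagged": tagged,
        "good": verify_bounce("", tagged, today),
        "late": verify_bounce("", tagged, date(2010, 12, 1)),
        "forged": verify_bounce("", "prvs=1234abcde=alice@companyx.example", today),
        "plain": verify_bounce("", "alice@companyx.example", today),
        "normal": verify_bounce("bob@other.example", "alice@companyx.example", today),
    }


if __name__ == "__main__":
    for name, value in example_run().items():
        print(name, value)
```

The point for a deployment checklist: the tag is verified with a key only the appliance holds, so backscatter (bounces to forged senders in your domain) is dropped at the envelope stage without content scanning, and a key rotation or a clock that drifts past the validity window will start rejecting legitimate bounces.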

Enterprise Remote Access


Remote Access Topology Overview (diagram): Internet via ISP A and ISP B; 3945/ASR1002; 3560G/3750G; DMZ Switch; Cisco ASA 5540 + IPS; Internet Servers; 6500 Core; RA VPN; 3750G; Distribution

Organization Overview

Many Internet-connected businesses need to offer connectivity to their data network resources for mobile users.

Employees, contractors, and partners may need to access the network when traveling or working from home or from other off-site locations.

The remote-access connectivity should support a wide variety of endpoint devices and provide seamless access to networked data resources.

The remote-access connectivity should support authentication and policy control that integrates with the business's authentication resources.

This connectivity should also use cryptographic security to prevent the revelation of sensitive data to unauthorized parties who accidentally or intentionally intercept the data.


Technology Overview

The Cisco ASA supports IPsec, web portal, and full-tunnel SSL VPNs for client-based remote access, and IPsec for hardware-client or site-to-site VPN.

IPsec VPN requires the user to have client software installed

SSL access is more flexible and is likely to be accessible from more locations than IPsec

The Smart Business Architecture Borderless Network for Enterprise offers two different remote-access VPN designs:

Remote-Access VPN integrated with the firewall Cisco ASA pair for the Internet-5K design

Remote-Access VPN deployed on a pair of stand-alone Cisco ASAs for the Internet-10K design

Deployment - General

VPN Pools (screen: VPN Pool)

Group policy (screen: Group Policy Config)

AD user/group setup (screen: AD User Attributes)


Deployment - Authentication

AAA (screen: AAA Config)

LDAP Mapping (screen: LDAP Mapping)

Group Policy (screen: Group Policy Profile)

NAT Exemption

Design – IPsec

Site-to-Site (screen: IPsec Crypto Maps)

Client (screens: Group Policy Config, Client Config, IPsec policies)


Design - AnyConnect

Upload Client Image (screen: SSL Client Upload)

Global Webvpn Configuration (screen: SSL Configuration)

Client Configuration (screens: SSL VPN Client Page, Group Policy Config)

Summary - Organization

Business demands are changing - Access from anyone, anything, anywhere, anytime

Understand business requirements and security policies – remember the 5 W's and 1 H

Organizations need to provide users access to Internet services (email and web)

Users need access to services inside the organization from remote locations

Organizations need to provide controlled access to data and/or services for the public, partners, and customers


Organizations need to improve employee productivity by controlling Internet web access to work related locations

Organizations need to manage security risk associated with Internet connectivity

For more information please visit http://www.cisco.com/go/sba


Summary - Technology

Firewalls deployed on Internet edge and key internal segments using a “White list” or “Black list” policy

IPS/IDS should be deployed in high risk areas - Internet, Internal module entry/exit points

Web security provides protection from malicious sites and helps to enforce the Acceptable Use Policy

Email security provides protection against non-business email use and helps to mitigate threats (spam, phishing etc.)

Remote Access provides different ways to access the internal corporate network

For more information please visit http://www.cisco.com/go/sba

Questions & Comments
