Tvr core gtri

19
Cybersecurity: TIO: Security Embedded in the Network


Transcript of Tvr core gtri

Page 1: Tvr core gtri

Cybersecurity: TIO: Security Embedded in the Network

Page 2: Tvr core gtri

Cyber security Landscape

Page 3: Tvr core gtri

Cisco Embedded Capabilities

What can your network do?

Page 4: Tvr core gtri

Cisco’s Turn It On Campaign

• Developed to provide best practices to customers for Cyber Security features

• 3 part Whitepaper series (1st published December 2010)

• Focused on key security features that customers already have within IOS.

• Effective features to enhance Cyber Security posture.

Page 5: Tvr core gtri

Embedded IOS Security features:

Page 6: Tvr core gtri

A word about “Turning the feature ON”

• Deployment Methodology
• Performance considerations
• Test, Test, Test, deploy.

Page 7: Tvr core gtri

Netflow and Cyber security

• A distributed sensor in the network
• Anomaly, Discovery, Correlation
• Security Information and Event Management Systems (SIEMs)
• Incident "live" usage - top talkers on CLI

Page 8: Tvr core gtri

Internet Protocol Service Level Agreement (IP-SLA) and Cyber security

• Validation of expected network performance
• Proper deployment, posturing, configuration, and placement of network related devices with respect to SLAs.
• Continuous validation of QoS policies throughout the network
• Embedded Event Manager (EEM)

Page 9: Tvr core gtri

Control Plane Processes (CoPP) and Cyber security

• Configured and Protected Command/Control channel for network infrastructure devices.

• Ensures access to devices to enforce security policies.

Page 10: Tvr core gtri

NBAR and Cybersecurity

• Classification engine that recognizes and classifies applications
• Guarantee bandwidth to critical applications
• Limit bandwidth
• P2P

Page 11: Tvr core gtri

Next Steps:

• Testing methodology in the lab
• Cisco Services for deployment

Page 12: Tvr core gtri

CyberSecurity IOS Assessment & Enablement Engagement Activities

• 3 to 8 Days (on site) with a Cisco CyberSecurity Expert (Security Engineer level)
• Perform an Assessment reviewing the Cisco IOS security configurations
• Recommendations and actions to enable one or more of the following:
  • Trust: IP-Service Level Agreements (SLA) & Control Plane Processes (CoPP) – [QoS assurance and DDoS Prevention]
  • Visibility: Prevent and Detect Incidents with Cisco Netflow features - [Anomaly and Correlation – visibility]
  • Resilience: Response/Recover/Report with:
    • Network Based Application Recognition (NBAR) – [QoS assurance and DDoS Prevention]
    • Peer-To-Peer (P2P) Blocking – [blocks all P2P traffic with NBAR policy mapping]
• Open discussion on other CyberSecurity customer challenges

Page 13: Tvr core gtri

Cisco Router Security Portfolio

(Chart; vertical axis: Performance and Services Density. Platforms positioned by branch size:)

• 800 Series: Small Office and Teleworker
• 1800 Series: Small Branch
• 2800 Series: Medium Branch
• 3800 Series: Medium to Large Branch
• 3200 Series: Mobile/Rugged Branch (Rugged and Mobile Applications)

Chart captions: Embedded Wireless, Security, and Data; Embedded, Advanced Voice, Video, Data, and Security Services; High Density and Performance for Concurrent Services; Service Integration Scaled to Fit Every Size Branch Office.

Page 14: Tvr core gtri

Cisco Router Security: Industry First

Leadership in Innovation

Cisco Integrated Services Router Innovations in Security:

• Industry-leading integration of VPN, routing, and QoS: DMVPN, GET VPN, SSL VPN, and Easy VPN
• Router-embedded security services: Application firewall, IPS, and URL filtering
• Cisco® Router and Cisco Configuration Professional (CCP) with one-touch lockdown and security audit
• Router-integrated voice and security
• Router-integrated wireless with advanced security
• Router-integrated switching; Layer 2/3 security
• Secure WAN backup over DSL, cable, 3G, or satellite

Page 15: Tvr core gtri

Only Cisco Router Security Delivers All This

(Diagram; labels recovered from the slide:)

• Management and Instrumentation: CCP, NetFlow, IP SLA, Role-Based Access
• Secure Network Solutions: Secure Voice, Compliance, Secure Mobility, Business Continuity
• Integrated Threat Management: Network Admission Control, Intrusion Prevention, Content Filtering, 802.1x, Network Foundation Protection, Flexible Packet Matching, Advanced Firewall
• Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN

Page 16: Tvr core gtri
Page 17: Tvr core gtri

Cisco’s Turn It On Campaign

(Table; columns: Feature / Capability / Platform / Value to Cyber / WP)

Feature: NetFlow
Capability: Provides usage statistics of traffic flows traversing a given network device that can be used for analysis.
Platform: Majority of IOS Routers and Switches as well as the ASA.
Value to Cyber: Provides network telemetry that greatly increases your cybersecurity visibility.
WP: 1
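The NetFlow capability in this row, together with the "top talkers on CLI" item on Page 7, as an added configuration example. This is not configuration from the slides or from Cisco's whitepapers; it is classic NetFlow on an IOS router with export to a collector plus the on-box top-talkers view used for live incident triage. The interface names, the Loopback0 export source, the collector address 192.0.2.50 and port 2055 are assumed placeholders.

```cisco
! Added example (not from the slides): classic NetFlow on an IOS router with
! export to a collector and the on-box "top talkers" view used during incidents.
! Interface names, the export source and the collector address/port are assumed.

! 1. Enable flow accounting on the interfaces whose traffic you want to see.
interface GigabitEthernet0/0
 description WAN uplink (assumed)
 ip flow ingress
 ip flow egress
!
interface GigabitEthernet0/1
 description LAN (assumed)
 ip flow ingress
!
! 2. Export flow records to the SIEM / NetFlow collector (v9 is the
!    template-based format; use "version 5" if the collector only speaks v5).
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.50 2055
!
! 3. Age flows out quickly enough that the CLI view reflects current traffic
!    (active timeout in minutes, inactive timeout in seconds).
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! 4. On-box "top talkers" for live incident triage, no collector required
!    (cache-timeout is in milliseconds).
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 30000
!
! Verify (exec mode):
!   show ip cache flow          - raw flow cache
!   show ip flow top-talkers    - the 20 largest flows by bytes
!   show ip flow export         - export statistics, packets sent to the collector
```

During an incident the `show ip flow top-talkers` output is the fastest way to see which hosts and ports dominate the link; the exported records give the SIEM the same data for anomaly detection and correlation after the fact.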

Feature: NBAR
Capability: Cisco’s NBAR is a powerful classification engine that recognizes and classifies a wide variety of applications. NBAR ensures performance for mission-critical applications by intelligently classifying applications, providing absolute priority and a guaranteed amount of bandwidth. In addition, NBAR limits the bandwidth consumed by less critical applications.
Platform: IOS Routing & Switching Platforms
Value to Cyber: In a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack someone is trying to overwhelm your network capacity, which in effect prevents your mission-critical applications from functioning. By turning on NBAR, an attack is mitigated because critical applications have priority over the traffic generated by the attack. Critical applications continue to send traffic, while NBAR drops selective packets to avoid congestion. This limits the amount of traffic your network will dedicate to the attacker’s request for data. By setting up NBAR you further mitigate the ability of a DoS/DDoS attack to be successful on Day 0.
WP: 1
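The NBAR behaviour described in this row and on Page 10 (guarantee bandwidth to critical applications, limit or block P2P), as an added configuration example that is not part of the slides: an NBAR-classified CBWFQ policy on the WAN interface. The protocol names are standard NBAR protocol names; the interface, the 100 Mb/s bandwidth, the percentages, the police rate and the choice of which applications count as critical are assumed.

```cisco
! Added example (not from the slides): NBAR-based QoS that reserves bandwidth
! for critical applications and caps P2P, so bulk or attack traffic cannot
! starve them. Interface, rates and the "critical" application set are assumed.

! Set the interface bandwidth so that "bandwidth percent" is meaningful.
interface GigabitEthernet0/0
 description WAN uplink (assumed 100 Mb/s service)
 bandwidth 100000
 ip nbar protocol-discovery
!
! 1. Classification: NBAR inspects the payload, not only the port numbers.
class-map match-any CRITICAL-APPS
 match protocol citrix
 match protocol sqlnet
 match protocol dns
!
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
!
! 2. Policy: reserve bandwidth for what matters, police what does not.
policy-map WAN-OUT
 class CRITICAL-APPS
  bandwidth percent 40
  ! under congestion, drop lower-priority packets first instead of tail-dropping
  random-detect
 class P2P
  ! cap P2P at 1 Mb/s; to block it entirely (the "P2P Blocking" item on
  ! Page 12) replace this line with:  drop
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
! 3. Apply in the direction where congestion occurs (here: egress to the WAN).
interface GigabitEthernet0/0
 service-policy output WAN-OUT
!
! Verify (exec mode):
!   show ip nbar protocol-discovery interface GigabitEthernet0/0
!   show policy-map interface GigabitEthernet0/0
```

Run `ip nbar protocol-discovery` for a while before committing to percentages: the discovery counters show what actually traverses the link, and the `show policy-map interface` counters afterwards show whether the P2P class is being policed and whether the critical class ever exceeds its reservation.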

Feature: CoPP
Capability: The Control Plane Policing feature allows you to configure a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches.
Platform: IOS Routing & Switching Platforms
Value to Cyber: CoPP protects against reconnaissance and Denial-of-Service (DoS) attacks. By turning on this feature, you can maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
WP: 1

Feature: IP-SLA/QoS
Capability: IP SLA can be used as a verification toolset to ensure proper deployment, posturing, configuration, and placement of network related devices with respect to SLAs.
Platform: Majority of IOS Routers and Switches as well as the ASA.
Value to Cyber: IP SLA provides the capability to continually verify reachability and performance level of a mission critical application during a cyber security DDoS attack.
WP: 1
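The IP SLA capability in this row and on Page 8, which also lists Embedded Event Manager (EEM), as an added configuration example that is not from the slides: a probe toward a critical application server, a track object on it, and an EEM applet that logs, sends a trap and snapshots the current top talkers when reachability or latency degrades. The target 192.0.2.10, the 200 ms threshold, the timers, the applet names and the flash file name are assumed; the top-talkers snapshot assumes NetFlow top talkers is configured on the same router.

```cisco
! Added example (not from the slides): IP SLA probe to a critical application,
! tracked by an object, with EEM applets that react to state changes.
! Target address, thresholds, names and file name are assumed placeholders.

! 1. The probe: ICMP echo every 10 s; RTT above 200 ms counts as "over threshold",
!    no reply within 1000 ms counts as a timeout.
ip sla 10
 icmp-echo 192.0.2.10 source-interface Loopback0
 frequency 10
 threshold 200
 timeout 1000
 tag CRITICAL-APP-REACHABILITY
ip sla schedule 10 life forever start-time now
!
! 2. Track reachability; dampen flapping before declaring down/up.
track 10 ip sla 10 reachability
 delay down 30 up 10
!
! 3. On track-down: syslog, SNMP trap, and a top-talkers snapshot so the
!    on-call engineer can see what was consuming the path at that moment
!    (assumes "ip flow-top-talkers" is configured on this router).
event manager applet CRITICAL-APP-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "IP SLA 10: critical app unreachable"
 action 2.0 snmp-trap strdata "CRITICAL-APP-DOWN: IP SLA 10 failed"
 action 3.0 cli command "enable"
 action 4.0 cli command "show ip flow top-talkers | append flash:sla10-toptalkers.txt"
!
event manager applet CRITICAL-APP-UP
 event track 10 state up
 action 1.0 syslog priority notifications msg "IP SLA 10: critical app reachable again"
!
! Verify (exec mode):
!   show ip sla statistics 10
!   show track 10
!   show event manager history events
```

The track object is what turns a measurement into something actionable: the same `track 10` can drive a static route, an HSRP priority or policy-based routing, so the "mission critical applications remain available" goal of the OER/PBR row can be tied to the same probe.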

Feature: OER: Application Aware Routing: PBR
Capability: The OER Application-Aware Routing: PBR feature introduces the capability to optimize traffic based on portions of an IP packet, other than the destination address.
Platform: IOS Routing & Switching Platforms
Value to Cyber: The OER Application-Aware Routing: PBR feature allows the user to route application traffic based on information other than the destination IP address. This allows the administrator to ensure that mission critical applications remain available during a network attack.
WP: 3

Feature: IOS FW Feature Set: Router Initiated traffic
Capability: This feature allows any traffic initiated by the router to be included in the IOS FW state table, thus ACLs are no longer needed for this type of traffic.
Platform: IOS Routing Platforms
Value to Cyber: This allows simplification of router ACL configurations since baseline traffic such as NTP is not inspected via the FW Feature set.
WP: 3

Feature: Layer 2 Security
Capability: Various features that protect the network infrastructure from Layer 2 attacks against services such as ARP, DHCP, and VLANs.
Platform: IOS Switching Platforms
Value to Cyber: These features protect network assets as well as protect the network from DoS as well as man in the middle attacks.
WP: 2
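The Layer 2 protections this row refers to (ARP, DHCP and VLAN attacks, DoS and man in the middle), as an added configuration example for a Catalyst/IOS access switch; it is not configuration from the slides. The VLAN numbers, the port ranges, the uplink port and the per-port limits are assumed.

```cisco
! Added example (not from the slides): Layer 2 security on an IOS access switch.
! VLANs, port numbers and limits are assumed placeholders.

! 1. DHCP snooping: only trusted ports may answer DHCP; builds the IP/MAC
!    binding table that the ARP and source checks below rely on.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection: drop ARP packets that do not match the binding
!    table (defeats ARP spoofing / man-in-the-middle on the access VLANs).
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! 3. The uplink is the only port trusted for DHCP offers and ARP.
interface GigabitEthernet1/0/48
 description uplink to distribution (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. User-facing ports: no trunk negotiation, source guard, MAC limits,
!    BPDU guard, and ARP rate limiting.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! IP Source Guard: forward only traffic from the IP/MAC learned via DHCP snooping
 ip verify source port-security
 ! Port security: cap MAC addresses per port to stop CAM-table flooding
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! STP protection: an access port that receives a BPDU is err-disabled
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! DAI rate limit on untrusted ports (ARP packets per second)
 ip arp inspection limit rate 15
!
! 5. VLAN hygiene: keep an otherwise unused VLAN for the native VLAN of real trunks.
vlan 999
 name NATIVE-UNUSED
!
! Verify (exec mode):
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
!   show port-security
```

The order matters operationally: enable DHCP snooping first and let the binding table populate through a normal lease cycle before turning on Dynamic ARP Inspection and IP Source Guard, otherwise hosts with existing leases are cut off until they renew.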

Page 18: Tvr core gtri

Cisco Router Security Certifications

cisco.com/go/securitycert

(Table; columns: FIPS 140-2, Level 2 | Common Criteria IPSec (EAL4) | Common Criteria Firewall (EAL4). The per-platform marks did not survive extraction; the "---" entries below are kept as they appeared.)

Cisco® 870 ISR

Cisco 1800 ISR

Cisco 2800 ISR

Cisco 3800 ISR

Cisco 7200 VAM2+

Cisco 7200 VSA ---

Cisco 7301 VAM2+

Cisco 7600 IPSec VPN SPA ---

Catalyst 6500 IPSec VPN SPA ---

Cisco 7600

Page 19: Tvr core gtri

Integrated Threat Control Overview

(Diagram: Corporate Office, Branch Office and Small Office and Telecommuter sites connected over the WAN and the Internet; threats shown at the branch: Illegal Surfing, Hacker, Worms Choking WAN.)

Callouts:
• Access branch office has secure Internet access and no need for additional devices
• Solution controls worms, viruses, and spyware right at the remote site; conserves WAN bandwidth
• Solution protects the router itself from hacking and DoS attacks

Malware Prevention
• Integrated IPS for distributed defense and rapid response
• Control of wired and wireless user access and noncompliant devices

Content Security
• Advanced Layer 3–7 firewall
• P2P and IM control
• Reputation based content filtering

Router Protection
• Automated router lockdown
• Router availability during DoS

Industry-Certified Security Embedded Within the Network