© 2003 Cisco Systems, Inc. All rights reserved. NGC Security
Ricky Elias
Business Development Manager
Advanced Technology
Cisco Systems (USA) Pte Ltd
relias@cisco.com
The Self-Defending Network
Innovations in Meeting Tomorrow's Blended Threats
Top Security Issues for 2005
2nd CSO Interchange, New York, December 2004
http://www.aspnews.com/news/article.php/3445521
Chief Security Officers from several top technology firms and government agencies say computer worms, viruses and regulatory compliance are likely to be the hot-button issues that will keep them awake at night in 2005.
The need to quickly patch vulnerabilities is becoming a major security pain point.
Customers are considering hyper-patching and mass roll-out systems (push technology) as a first step toward solving the patching problem.
Security Threat Evolution
Increased Risk of Theft and Disruption
[Chart: target and scope of damage (individual computer, individual networks, multiple networks, regional networks, global infrastructure impact) grows with each generation while the time to impact shrinks]
1st Gen (1980s): boot viruses. Time to impact: weeks.
2nd Gen (1990s): macro viruses, email, DoS, limited hacking. Time to impact: days.
3rd Gen (today): network DoS, blended threats (worm + virus + trojan), turbo worms, widespread system hacking. Time to impact: minutes.
Next Gen (future): infrastructure hacking, flash threats, massive worm-driven DDoS, damaging-payload worms, widespread data theft. Time to impact: seconds.
The Year in Review
Bot, Phishing, Spyware, Blended Attack
[Figure: phishing example]
The Year in Review
Increased Mobility
Even the most effective perimeter defense will not stop piggy-back infections.
It is not cost effective to manually check each laptop and device as it comes in from the outside.
[Figure: HQ, branches and a teleworker connected over the WAN; mobile devices also come in from airports, hotels, WLAN hotspots, etc.]
The Year in Review
Emerging Threats in the Corporate Interior
Works for traffic within or outside of a building.
The attacker only needs to be attached to the same subnet as one victim.
Tools are easily downloadable and simpler than most video games (GUI or CLI, your choice):

# ettercap -NCsz   [captures username/password combinations, highlighted below]
ettercap 0.6.3.1 (c) 2001 AloR & NaGA
Your IP: 192.168.0.70 with MAC: 00:03:FF:BE:F0:52 on eth0
Loading plugins... Done.
Resolving 1 hostnames...
Press 'h' for help...
Sniffing (IP based): ANY:0 <--> ANY:0
TCP packets only (Default)
Collecting passwords...
00:22:10 192.168.0.70:1107 <--> 192.168.0.42:80 www
USER: root
PASS: hamhocks4#age
http://mail.victim.com/root.asp   [the site where the username and password were entered]

[Figure: man-in-the-middle attack; an attacker with simple network access sits between the innocent user and the email server and records the data]
Evolution of Security Requirements
A Collaborative Systems Approach
PAST: reactive; standalone; product level
NEEDED NOW: automated, proactive; integrated, multiple layers; system-level services
A Logical Strategic Response
Self-Defending System: an integrated system
Endpoint security solutions know security context and posture
Policy servers know compliance/access rules
Network infrastructure provides enforcement mechanisms
[Figure: network-based security (IDS, VPN, FW, SSL VPN, AD, IPS, DDoS, App FW, FW + VPN) and end-system-based security (AV, HIPS, ID/Trust, personal FW, VPN, behavior/anomaly IPS/FW) joined by intelligent linkage of endpoint with network through identity and trusted network]
Multiple Layers of Network Defense
[Figure: a "Risk-ometer" (High, Moderate, Medium, Low) falls from an open network to "Risk has been minimized!" as layers are stacked: ACL, CPP, 802.1x, NAC, Easy VPN, V3PN, DMVPN, IPS, Firewall]
You Can Protect The Interior
Keep the Insiders Honest
Catalyst Integrated Security Features help administrators prevent and track man-in-the-middle attacks:
Prevents DHCP starvation attacks
Prevents IP-spoofed DoS attacks
Hardens the Ethernet standard
Layered Cisco Integrated Security prevents common attacks.
Catalyst Integrated Security Features: IP Source Guard, Dynamic ARP Inspection, DHCP Snooping, Port Security
[Figure: the attacker tells the innocent user "I'm your email server" and tells the email server "I'm the user"; the switch answers "No you're not!"]
Protect the Interior
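The four Catalyst features above are the interior answer to the ettercap session on the "Emerging Threats in the Corporate Interior" slide. As an added illustration (example code, not Cisco IOS or any Cisco implementation), the Python below models how an access switch builds a DHCP snooping binding table and then uses it for Dynamic ARP Inspection and IP Source Guard, with port security capping source MACs per port, and replays the attacker's moves against it. The attacker address and MAC are the ones in the ettercap banner; the server and victim MACs, the port names, the DHCP leases and the check order are constructed simplifications for the example.

```python
from dataclasses import dataclass, field

# Addresses from the ettercap banner on the "Corporate Interior" slide
ATTACKER_IP, ATTACKER_MAC = "192.168.0.70", "00:03:FF:BE:F0:52"
SERVER_IP = "192.168.0.42"                          # the server the victim logs in to
SERVER_MAC = "00:0C:29:4E:1A:77"                    # constructed
VICTIM_IP, VICTIM_MAC = "192.168.0.55", "00:0C:29:11:22:33"   # constructed


@dataclass
class Port:
    name: str
    trusted: bool = False            # trusted: uplink towards DHCP server and servers
    max_macs: int = 1                # port security: source MACs allowed per access port
    learned: set = field(default_factory=set)


@dataclass
class Switch:
    ports: dict
    bindings: dict = field(default_factory=dict)   # DHCP snooping table: ip -> (mac, port)
    log: list = field(default_factory=list)

    # DHCP snooping: learn the lease a client received on an untrusted port
    def dhcp_ack(self, client_ip, client_mac, client_port):
        if not self.ports[client_port].trusted:
            self.bindings[client_ip] = (client_mac, client_port)

    # Port security: cap the number of source MACs on an access port
    # (a DHCP starvation tool needs a fresh MAC for every lease it hoards)
    def port_security(self, port, src_mac):
        p = self.ports[port]
        if p.trusted or src_mac in p.learned:
            return True
        if len(p.learned) >= p.max_macs:
            self.log.append(f"{port}: port-security violation, extra MAC {src_mac}")
            return False
        p.learned.add(src_mac)
        return True

    # DHCP snooping: server-side messages are only accepted from trusted ports
    def dhcp_server_msg(self, port):
        if self.ports[port].trusted:
            return True
        self.log.append(f"{port}: DHCP OFFER/ACK from untrusted port dropped")
        return False

    # Dynamic ARP Inspection: sender IP/MAC in an ARP packet must match the
    # binding learned on that very port, so a poisoned "is-at" never enters the LAN
    def arp_inspection(self, port, sender_mac, sender_ip):
        if self.ports[port].trusted or self.bindings.get(sender_ip) == (sender_mac, port):
            return True
        self.log.append(f"{port}: DAI dropped ARP '{sender_ip} is-at {sender_mac}'")
        return False

    # IP Source Guard: the IP source of every packet must match the binding too
    def ip_source_guard(self, port, src_mac, src_ip):
        if self.ports[port].trusted or self.bindings.get(src_ip) == (src_mac, port):
            return True
        self.log.append(f"{port}: IPSG dropped packet from {src_ip} / {src_mac}")
        return False

    def ingress(self, port, src_mac, src_ip=None, arp=None, dhcp_server=False):
        """Run a frame through the checks in order; True means forwarded."""
        if not self.port_security(port, src_mac):
            return False
        if dhcp_server:
            return self.dhcp_server_msg(port)
        if arp is not None:
            return self.arp_inspection(port, *arp)
        if src_ip is not None:
            return self.ip_source_guard(port, src_mac, src_ip)
        return True


def run_scenario():
    sw = Switch(ports={
        "Gi0/1": Port("Gi0/1", trusted=True),   # uplink: DHCP server and mail server
        "Fa0/5": Port("Fa0/5"),                 # innocent user
        "Fa0/7": Port("Fa0/7"),                 # attacker with simple network access
    })
    sw.dhcp_ack(VICTIM_IP, VICTIM_MAC, "Fa0/5")         # leases the switch observed
    sw.dhcp_ack(ATTACKER_IP, ATTACKER_MAC, "Fa0/7")
    return {
        # the attacker's own, correctly addressed traffic is forwarded
        "own_traffic": sw.ingress("Fa0/7", ATTACKER_MAC, src_ip=ATTACKER_IP),
        # ettercap's poison: "192.168.0.42 is-at <attacker MAC>" from the attacker's port
        "arp_poison": sw.ingress("Fa0/7", ATTACKER_MAC, arp=(ATTACKER_MAC, SERVER_IP)),
        # a DoS packet with a forged source address
        "spoofed_dos": sw.ingress("Fa0/7", ATTACKER_MAC, src_ip="10.9.9.9"),
        # a second source MAC on the same port (DHCP starvation pattern)
        "starvation": sw.ingress("Fa0/7", "02:00:00:00:00:01"),
        # a rogue DHCP server answering from an access port
        "rogue_dhcp": sw.ingress("Fa0/7", ATTACKER_MAC, dhcp_server=True),
        # the real server's ARP reply arriving on the trusted uplink
        "server_arp": sw.ingress("Gi0/1", SERVER_MAC, arp=(SERVER_MAC, SERVER_IP)),
    }, sw.log


if __name__ == "__main__":
    verdicts, log = run_scenario()
    for name, forwarded in verdicts.items():
        print(f"{name:12s} {'forwarded' if forwarded else 'DROPPED'}")
    print("\n".join(log))
```

The point the model makes is that all three data-plane checks hang off one table: without DHCP snooping feeding the bindings, DAI and IP Source Guard have nothing to compare against, so the features are deployed together and the trusted/untrusted split of ports has to be right, or legitimate server and DHCP traffic is dropped as well.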
Segment The Campus
Assign Access Based on Identity
[Figure: multiple WLAN VLANs on an 802.11b WLAN: Corp WLAN VLAN = 33, Guest VLAN = 99, plus Sales VLAN and Eng VLAN]
Access is assigned based upon the user's credentials via 802.1x (user identity).
Guest users, or those without 802.1x running on their laptop, can be denied or placed into a guest VLAN.
An unauthenticated user is blocked from accessing the network.
Identity and Trust
Network Admission Control
Detect and Remediate
[Figure: branch or campus network with the corporate net, a quarantine area and a remediation server]
1. A non-compliant endpoint running the Cisco Trust Agent (CTA) attempts a connection.
2. The PC is denied access to the corporate net by the Network Admission Device (NAD), which relays the posture to the Access Control Server (ACS) for the decision.
3. The PC is placed in the quarantine area and remediated.
CTA: Cisco Trust Agent; NAD: Network Admission Device; ACS: Access Control Server
Identity and Trust
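As an added example of the two decisions the 802.1x and NAC slides describe (example code, not Cisco ACS, CTA or NAD software), the Python below runs the identity step and the posture step in sequence: a device without a supplicant lands in the guest VLAN, bad credentials are blocked, and an authenticated user's endpoint is either admitted to the corporate VLAN or held in a quarantine VLAN with an ACL that reaches only the remediation server. VLAN 33 (corporate WLAN) and VLAN 99 (guest) come from the campus slide; the quarantine VLAN 66, the remediation server 10.1.66.10, the identity store, the patch baseline and the signature-age thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

CORP_VLAN, GUEST_VLAN = 33, 99              # from the campus slide
QUARANTINE_VLAN = 66                        # assumption
REMEDIATION_SERVER = "10.1.66.10"           # assumption
REQUIRED_PATCH_LEVEL = 12                   # assumption: current OS patch baseline
AV_MAX_AGE_OK, AV_MAX_AGE_CHECKUP = 7, 30   # days; assumptions

USERS = {"alice": "s3cret-eng", "bob": "s3cret-sales"}   # constructed identity store


@dataclass
class Posture:               # attributes the Cisco Trust Agent collects on the endpoint
    av_sig_date: date
    patch_level: int
    hips_running: bool       # host IPS agent present and running


@dataclass
class Decision:              # what the ACS hands back for the NAD to enforce
    action: str              # "permit" | "guest" | "quarantine" | "deny"
    vlan: Optional[int]
    token: str               # Cisco NAC posture token names
    acl: Tuple[str, ...]


def posture_token(p: Posture, today: date) -> str:
    """ACS posture policy: map the reported attributes to a posture token."""
    age = (today - p.av_sig_date).days
    if (not p.hips_running or p.patch_level < REQUIRED_PATCH_LEVEL
            or age > AV_MAX_AGE_CHECKUP):
        return "Quarantine"
    if age > AV_MAX_AGE_OK:
        return "Checkup"      # compliant, but told to update
    return "Healthy"


def admit(credentials, posture, today):
    # Step 1, identity (802.1x): no supplicant -> guest VLAN; bad credentials -> blocked.
    if credentials is None:
        return Decision("guest", GUEST_VLAN, "Unknown",
                        ("permit tcp any any eq 80", "permit tcp any any eq 443",
                         "deny ip any any"))
    user, password = credentials
    if USERS.get(user) != password:
        return Decision("deny", None, "Unknown", ("deny ip any any",))
    # Step 2, posture (CTA via NAD to ACS). In this model an endpoint that sends
    # no posture at all is "Unknown" and is treated like a non-compliant one.
    token = "Unknown" if posture is None else posture_token(posture, today)
    if token in ("Healthy", "Checkup"):
        return Decision("permit", CORP_VLAN, token, ("permit ip any any",))
    return Decision("quarantine", QUARANTINE_VLAN, token,
                    (f"permit ip any host {REMEDIATION_SERVER}", "deny ip any any"))


def run_scenario():
    today = date(2005, 1, 15)                              # constructed
    healthy = Posture(date(2005, 1, 13), 12, True)
    stale_av = Posture(date(2004, 12, 30), 12, True)       # 16 days old
    unpatched = Posture(date(2005, 1, 13), 9, True)
    return {
        "no_supplicant": admit(None, None, today),
        "bad_password": admit(("alice", "guess"), healthy, today),
        "healthy": admit(("alice", "s3cret-eng"), healthy, today),
        "stale_av": admit(("bob", "s3cret-sales"), stale_av, today),
        "unpatched": admit(("alice", "s3cret-eng"), unpatched, today),
        "no_agent": admit(("bob", "s3cret-sales"), None, today),
    }


if __name__ == "__main__":
    for name, d in run_scenario().items():
        print(f"{name:14s} {d.action:10s} vlan={d.vlan} token={d.token} acl={d.acl}")
```

The order matters: identity is settled before posture is even asked for, so a quarantined endpoint is still a known user on a known port, which is what lets step 3 on the slide (remediate, then re-check) work without a new login.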
Multiple Layers of Endpoint Behavior Protection
Protection layers: Distributed Firewall, O/S Hardening, Host IDS/IPS, File Monitoring, System Policy Control, Patch Management, Malicious Code Protection
[Figure: a server and a desktop, each protected by CSA, facing the phases of an attack]
Probe phase: ping scans, port scans
Penetrate phase: transfer exploit code to target
Persist phase: install new code, modify configuration
Propagate phase: attack other targets
Paralyze phase: erase files, crash system, steal data
Protect the Endpoints
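As an added example of the behaviour-based idea behind the phase model (example code, not Cisco Security Agent), the Python below classifies process events into the slide's phases and enforces a policy that never has to recognise the exploit: probe and penetrate are logged, a process that has taken untrusted network input is refused the persist and paralyze actions, and any process that fans out to too many hosts is stopped at the propagate phase. The event stream, process names, paths and thresholds are constructed.

```python
from collections import defaultdict

SYSTEM_DIRS = ("C:\\Windows\\System32", "/usr/bin", "/etc")            # constructed
AUTORUN_KEYS = ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",)
SHELLS = ("cmd.exe", "/bin/sh")
PROBE_PORTS = 10         # distinct ports from one source counts as a port scan (assumption)
SCAN_THRESHOLD = 20      # distinct hosts contacted by one process (assumption)


class HostPolicy:
    """Host IPS rule set keyed on the attack phases of the slide."""

    def __init__(self):
        self.tainted = set()                # processes that consumed network input
        self.probed = defaultdict(set)      # source ip -> ports touched
        self.targets = defaultdict(set)     # process -> hosts contacted
        self.verdicts = []

    def evaluate(self, ev):
        """ev = (process or None, action, target); returns (phase, allowed)."""
        proc, action, target = ev
        phase, allow = "normal", True
        if action == "inbound":                       # probe: watch, nothing to block yet
            src, port = target
            self.probed[src].add(port)
            if len(self.probed[src]) >= PROBE_PORTS:
                phase = "probe"
            if proc is not None:
                self.tainted.add(proc)                # proc now handles attacker data
        elif action == "spawn" and proc in self.tainted:
            phase = "penetrate"                       # exploited service wants a shell
            allow = target not in SHELLS
            if allow:
                self.tainted.add(target)              # taint follows the child
        elif action == "write_file" and target.startswith(SYSTEM_DIRS):
            phase, allow = "persist", proc not in self.tainted   # installers still may
        elif action == "write_registry" and target in AUTORUN_KEYS:
            phase, allow = "persist", proc not in self.tainted
        elif action == "connect":
            self.targets[proc].add(target)
            if len(self.targets[proc]) >= SCAN_THRESHOLD:
                phase, allow = "propagate", False     # worm-style fan-out, any process
        elif action in ("delete_file", "kill_process") and proc in self.tainted:
            phase, allow = "paralyze", False
        self.verdicts.append((phase, allow, ev))
        return phase, allow


def run_scenario():
    hp = HostPolicy()
    events = [(None, "inbound", ("192.168.0.70", p))      # attacker sweeps the server
              for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)]
    events += [
        ("inetinfo.exe", "inbound", ("192.168.0.70", 80)),   # exploit delivered over HTTP
        ("inetinfo.exe", "spawn", "cmd.exe"),
        ("inetinfo.exe", "write_file", "C:\\Windows\\System32\\svchost32.exe"),
        ("inetinfo.exe", "write_registry", AUTORUN_KEYS[0]),
        ("inetinfo.exe", "delete_file", "C:\\inetpub\\wwwroot\\index.htm"),
        ("msiexec.exe", "write_file", "C:\\Windows\\System32\\vendor.dll"),  # legitimate install
    ]
    events += [("worm.exe", "connect", f"10.0.1.{i}") for i in range(1, 22)]
    for ev in events:
        hp.evaluate(ev)
    denied = [(phase, ev[0]) for phase, allow, ev in hp.verdicts if not allow]
    return hp.verdicts, denied


if __name__ == "__main__":
    verdicts, denied = run_scenario()
    for phase, allow, ev in verdicts:
        if phase != "normal":
            print(f"{phase:10s} {'allow' if allow else 'DENY ':5s} {ev}")
```

The taint rule is what makes the policy exploit-independent: it does not matter which overflow put attacker data into inetinfo.exe, only that a network-facing process then tried to drop a file into the system directory or add an autorun key, which that process has no business doing.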
Self Defending Network Strategy
Endpoints + Networks + Policies; Services; Partnerships
Security technology innovation: Endpoint Security, Application Firewall, SSL VPN, Network Anomaly Detection
Integrated security: Secure Connectivity, Threat Defense, Trust and Identity
System-level solutions
Self-Defending Network: dramatically improve the network's ability to identify, prevent, and adapt to threats
Questions?