2.2 Cisco Mapping With ISO 27001 PDF
Mapping Cisco Security Solutions to ISO 27001
Talhah Jarad
Business Development Manager - Security
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public
• In this breakout session we will introduce the concept of standards and frameworks
• This session will provide you with a background on ISO 27001: its evolution, structure, and benefits
• This session will show you how to prepare your organization for the standard by mapping Cisco technologies to the controls
• We will also discuss the future challenges that need to be taken into consideration
• Introductions to Standards and Frameworks
• Benefits of the Standards and Frameworks
• ISO 27001 Background
• Applying Cisco Technologies to ISO 27001 Controls
• Recommendations
• Current and Future Considerations
Process
People
Technology (Products)
Framework: a set of best practices, a model
Standard: a reference point against which compliance can be evaluated; a basis for comparison
Alignment: loosely following a framework
Compliance: implementing a framework to the letter
- ISO 27002, ISO 17799
Certification: audited against a standard to be granted its certification
- ISO 27001, ISO 20000
You follow a framework, and you are audited against a standard.
Think “CIAA”
BRKSEC-2008
What are Controls?
A control is a mechanism (a safety measure) that allows value to be delivered through the management of risk.
IT controls are like the brakes on a car: when done correctly, controls generate positive results.
Examples:
• Quality of Service (QoS)
• Access rule on a firewall
• Network Admission Control (NAC)
• Effectiveness and efficiency of IT activities
• Common language for the organization – everyone knows what to do
• Structured – an excellent structure that organizations can follow
• Expertise – cumulative years of experience reflected in the models
• Knowledge sharing – user groups, Web sites, magazines, books
• Auditable – to effectively assess control
• Avoiding re-inventing wheels
• Overcoming vertical silos and nonconforming behavior
• Reducing risks and errors
• Improving quality
• Improving the ability to manage and monitor
• Cost reduction
• Improving trust and confidence from management and partners
• Improving the status and position of the organization
The ISO and IEC published the international standard ISO 17799:2000.
This focused upon information security management systems, rather than on security controls themselves.
It was much more closely aligned with other ISO standards (ISO 9000).
In 2005, ISO 17799 was re-published to reflect changes in technology.
Later in the same year, BS7799-2 also became an ISO standard: ISO 27001.
ISO/IEC 27001 was formerly known as BS7799-2.
It is not a code of practice, like ISO 17799; it is the certifiable standard.
The Information Security Management standard is now in two (2) updated parts:
– ISO/IEC 17799:2005 Code of Practice for Information Security Management
– ISO 27001: Information Security Management Systems (ISMS) Specification
16 Sections
11 Security Control Clauses
– Annex A (5 – 15)
133 security controls
– each must be covered, and evidence must be shown for each
1. Scope
2. Terms and Definitions
3. Structure of this Standard
4. Risk Assessment and Treatment
5. Security Policy
6. Organization of Information Security
7. Asset Management
8. Human Resources Security
9. Physical and Environmental Security
10. Communications and Operation Management
11. Access Control
12. Information Systems Acquisitions, Development & Maintenance
13. Information Security Incident Management
14. Business Continuity Management
15. Compliance
5. Security Policy (2)
6. Organization of Information Security (11)
7. Asset Management (5)
8. Human Resources Security (9)
9. Physical and Environmental Security (13)
10. Communications and Operation Management (32)
11. Access Control (25)
12. Information Systems Acquisitions, Development & Maintenance (16)
13. Information Security Incident Management (5)
14. Business Continuity Management (5)
15. Compliance (10)
• The control name and number
• The objective of the control
• The detailed control clauses, numbered as per the standard
• Cisco solutions for the detailed control clauses
• Cisco services will be presented for the controls that require services
• Some non-Cisco solutions will be offered, as deemed necessary
• We will delve into some of the control clauses in detail:
– Describe the clause, as per the standard
– Map the clause requirements to Cisco solutions and services
• A.5.1 Information Security policy
Objective: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
Powered by Intellishield and IronPort SensorBase
Cisco IntelliShield Alert Manager
Cisco IntelliShield Cyber Risk Report (CRR)
• Vulnerability Characteristics
• Mitigation Technique Overview
• Risk Management
• Device-Specific Mitigation and Identification
– Cisco IOS® Routers and Switches
– Cisco IOS NetFlow
– Cisco ASA, PIX®, and FWSM Firewalls
– Cisco ACE Application Control Engine
– Cisco Intrusion Prevention System
– Cisco Security Monitoring, Analysis, and Response System
http://www.cisco.com/go/cafe
SAFE Poster
• A.6.1 Internal organization
Objective: to manage information security within the organization.
• A.7.1 Responsibility for Assets
[Diagram: Endpoints and Network]
Cisco Prime
[Diagram: Cisco Prime for Data Center and Collaboration]
• Optimized Operations Experience
• Integrated Cisco Best Practices
• Complete Lifecycle Management
• Day-One Device Support
• Smart Interactions
• Physical and/or Virtual Appliance
An enterprise LAN comprises a myriad of endpoint types. Most are undocumented (think DHCP).
[Chart: endpoint mix by type: Windows, IP phones, printers, IP cameras, alarm systems, other]
Cisco NAC Profiler
• Discovery (Endpoint Profiling): discover all network endpoints by type and location.
• Categorization (profiling example: Cisco IP Phone, HP Printer, Cisco Surveillance Camera, UPS)
• Monitoring (Device Monitoring): maintain real-time and historical contextual data for all endpoints.
[Diagram: Profiler Collector feeding the NAC Profiler; covers non-802.1X devices on your network and endpoints without a supplicant-aware OS]
Next Generation Solution Portfolio
• A.7.1 Responsibility for Assets
Objective: to achieve and maintain appropriate protection of organizational assets.
Firewall
VPN
IPS
IPS AIM
Integrated Security Configuration Management
• A.7.1 Responsibility for assets
Objective: to achieve and maintain appropriate protection of organizational assets.
A Powerful, Secure Web Gateway Solution
Comprehensive Management and Visibility
• Flexible policy management
– Per user, per group policies
– Multiple actions, including block, warn and monitor
– Time-based policies
– Custom categories and notifications
– Guest policies
• Visibility
– Easy-to-understand reports
– Extensive logging
– Comprehensive alerting
A.7.2 Information classification
Objective: to ensure that information receives an appropriate level of protection
[Diagram: IronPort SenderBase on the Internet feeding application-specific security gateways (Email Security Appliance, Web Security Appliance, Encryption Appliance) and a Security Management Appliance. Centralize administration; protect corporate assets; Data Loss Prevention]
• 30B+ queries daily
• 150+ email and Web parameters
• 25% of the world’s traffic
• Cisco network devices
Ubiquitous Path In and Out of Enterprise Networks
[Diagram: growing business web usage; growing tunneled apps usage (FTP, IM, SOAP, Video, RPC)]
• Native control for HTTP, HTTPS, FTP applications
[Diagram: Software as a Service, Collaboration and Tunneled Applications carried over HTTP; FTP example ftp://ftp.funet.fi/pub/]
• A.8.1 Prior To Employment
A.8.2 During Employment
Objective: to ensure that all employees, contractors, and third party users are aware of the information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
Key Components
• Cisco SensorBase: the world’s biggest, broadest and best traffic monitoring network provides high responsiveness and accuracy
• Cisco Threat Operations Center: global operation ensures fast, accurate protection
• Cisco Advanced Protection: dynamic updates and actionable intelligence
Sophisticated Security Modeling and Remediation
• Advanced algorithms
– Dynamic real-time scoring
– Fast threat identification
– Automated rule and/or signature creation
– Human-aided rule creation
• White Hat engineers
– Penetration testing
– Botnet infiltration
– Malware reverse engineering
[Diagram: Product & Global Correlation, Customer Feedback, Supervised Learning, Real-Time Anomaly Detection, Unsupervised Learning, Reputation Scoring]
Cisco Digital Media Signage
• The Cisco Digital Media System solution suite comprises products for the creation, management and access of digital media.
• Integrate the video surveillance system with the Cisco Unified Communications system and Cisco digital signage system.
A.8.2 During Employment
Objective: to ensure that all employees, contractors, and third party users are aware of the information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
A.8.3 Termination or Change of Employment
Objective: to ensure that employees, contractors, and third party users exit an organization or change employment in an orderly manner.
[Diagram: Cisco Secure ACS: identity stores, TACACS+ protocols, admin policy, monitoring and troubleshooting]
[Diagram: device administration through ACS: login (Username: admin, Password: *****) followed by a configuration command (switch# conf t)]
Audit & report on network access; audit & report on configuration changes
[Diagram: Cisco Secure Access Control System (ACS) - Powerful, Visible, Simple. Functions: monitor, provision, troubleshoot and report, integrate, interact, enforce, query. Ties identity systems, NAC Profiler and NAC Guest to infrastructure access control and enforcement on wireless, wired or remote access devices]
Alarms and Notifications
– Custom triggers
– Alerts via email and syslog
Comprehensive Reporting
– Standard report templates
– Customized reports
– Fully configurable dashboard
• A.9.1 Secure Areas
Cisco Physical Security Solution Components
Video Encoders/IP Cameras
• Source of digital video over IP.
• Compressed MJPEG, MPEG2, MPEG4.
Video and Application Servers
• Linux servers for streaming video between cameras, storage and viewers. May also run a Web server or application server for delivering a Web application.
Network
• TCP/IP network, typically on Ethernet.
• Conventional switches and routers.
Storage
• Redundant RAID storage
• Direct Attached, SAN or iSCSI
Client Stations
• Windows PCs for video decoding, display and control.
• Running Web browsers or specialized Windows applications.
• Provides real-time remote monitoring with virtual matrix switching (VSVM)
• Display live and archived video streams with high quality images
• PTZ control and presets
• Review and clip archives
• A.9.1 Secure Areas
Cisco Physical Access Gateways
• Connects door locks and readers to the IP network
• Controls up to thousands of doors
• Directly configurable through a built-in Web server
• Supports offline operations if network connectivity is lost
• 250,000 credentials can be cached and encrypted
• 150,000 events can be buffered by the door
Cisco Physical Access Manager
• Management application for configuring hardware, monitoring activity, and enrolling users
• Supports a comprehensive list of access control policies
• Easy integration with other IT systems
[Screenshot labels: Event Photos Module, Graphic Map Module, URL Actions & Controls]
Cisco Physical Access Manager
• New form factor
– Software can be ordered on new MSP 1RU servers, simplifying ordering & deployment
• Web Services API
– Optional Web Services API to provide programmable access from any client application
– PSIM integration: integration with Proximex
– Visitor management integration: API for easy integration with visitor management applications
• Bulk image upgrade
– Allows flexible firmware upgrade for all or a group of hardware devices, thereby lowering TCO
• Usability improvements
Electronic Access Control architectures today….
[Diagram: door control panels connected over serial/RS485 (up to 32) to controllers/access panels, which connect over the IP network to a central server and network management]
Cisco Physical Access Control Overview
• A comprehensive solution for electronic access control
• Leverages IP infrastructure, integrates with other physical security applications
• Hardware:
– Cisco Access Gateway connects existing door hardware (readers, locks etc.) to the network
– Additional doors can be managed by connecting expansion modules to the Access Gateway
• Software:
– Cisco Physical Access Manager (Cisco PAM) is a management appliance for configuration, monitoring and report generation.
Deployment Architecture
[Diagram: Cisco Physical Access Gateway connected to a PoE Layer 2 switch; the IP network (LAN/WAN) links it to the Cisco Physical Access Manager, which integrates with LDAP / Microsoft Active Directory, an HR database and other IT apps]
Cisco Physical Access Manager (Cisco PAM)
• 1 RU appliance
• Java thin client architecture
• Policy support: two-door, anti-passback
• Report generator (canned & custom)
• Badge design & enrollment
• Microsoft Active Directory integration
• Fine-grained user rights
• Global I/O
• Device pre-provisioning
• Capacity & feature licenses
• IT data integration
• Warm standby high availability
• Audit trails
[Diagram: Cisco PAM connected over the IP network to Java thin clients]
Cisco PAM High Availability
• Warm standby with database replication between two Cisco PAM instances
• Virtual IP address for client transparency: both IP addresses bonded to a single virtual IP address
• Secondary server takes over when the primary fails
Cisco Video Surveillance Manager (VSM) integration
• A.9.1 Secure Areas
Cisco IPICS
• Cisco Interoperability and Collaboration System is an intelligent resource management application that orchestrates resources, media, and information
• IPICS consists of:
– IPICS Server
– Land Mobile Radio Gateways
– Push-to-Talk Media Clients
– Cisco IP Phone PTT Clients
– Cisco Policy Engine
• Effectively manage communications across distributed radio systems, locations, and networks.
Cisco IP Phones and IPICS
• The IPICS XML IP-Phone client provides Push-to-Talk service for Cisco IP phones
• Secure access to radio PTT talkgroups and channels from anywhere in the UC network
• Available on a wide range of IP-phones, including wireline and WiFi IP-phones
• Intuitive user interface with smooth transition between telephony and radio communications
• Cisco Interoperability and Collaboration System (IPICS) takes incident response to the next level
• IPICS allows multiple safety and security organizations to quickly share vital incident information, including live mobile video, across previously isolated radio networks
• IPICS integrates with Cisco Video Surveillance, Cisco Physical Access Control, and third-party applications, further enhancing situational awareness, response time, operational efficiency and cross-agency collaboration during a critical event.
• New form factor
– Software can be ordered on new MSP 1RU servers, simplifying ordering & deployment
• Radio pooling
– Can pool serial and tone controlled radios so that dispatchers simply select channels
– Improved TCO/ROI from fewer radio and networking resources
Unified Communications Command and Control
• Communicate with on-site personnel using all media
• Push video, images and data to first responders
• Collaborate with first responders and other organizations
• Use with any radio network for smooth evolution to new radio protocols (P25, Tetra)
Situational awareness and collaboration
• Cisco TAC investigates the problem and suggests remediation, including shipping replacement parts if necessary
• Customer implements remediation and replaces the faulty part (if applicable)
• A.10.1 Operational Procedures and Responsibilities
[Diagram: an employee's port authenticates against Cisco Secure ACS (RADIUS) before reaching the servers]
• Dynamic VLAN assignment
• Dynamic security policy assignment using ACLs
• Identity Networking-based user/port accounting
• Virtual firewall: when a single firewall device can support multiple contexts
• A context defines connected networks and the policies that the firewall enforces:
– Security policies (ACL, NAT, application inspection)
– IP address space (overlapping permitted across contexts)
– An operational mode: either routed or transparent
• Virtual firewall allows a device to enforce many (up to 100s of) policies between different networks
• Caveat: virtual often means smaller, as the processing power of all the virtual firewalls adds up to that of the original appliance
Context Hierarchy
[Diagram: a mandatory Admin context with remote root access (mandatory) above user contexts A and B]
[Diagram: physical firewall deployment: Internet and ISP, corporate access, DMZ (Mail, DNS, Web), core, and internal segments (Finance, Dev, Ops, Apps)]
[Diagram: the same networks as firewall contexts on VLANs (VLAN12, VLAN22): DNS, Email, Web, Finance, Ops, Apps]
• Allows grouping of physical and virtual interfaces into zones
• Firewall policies are applied to traffic traversing zones
• Simple to add or remove interfaces and integrate into firewall policy
Supported features: stateful inspection; application inspection (instant message, POP, IMAP, SMTP/ESMTP, HTTP); URL filtering; per-policy parameters; transparent firewall; VRF-aware firewall
[Diagram: zone pairs, each with its own policy: Private-DMZ, DMZ-Private, Public-DMZ, Private-Public]
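A small Python model of the zone-based firewall rules described above, added here as an example (it is not code from the presentation or from Cisco): interfaces are grouped into zones, a policy applies only to traffic crossing a configured zone pair, and an inspect action records state so replies are permitted even when the reverse zone pair drops everything or does not exist. The zone names and the four zone pairs come from the slide; interface names, policy contents and addresses are constructed.

```python
"""Model of Cisco IOS zone-based policy firewall (ZBF) forwarding decisions.

Added example, not code from the presentation. The zones and zone pairs
(Private, DMZ, Public; Private-DMZ, DMZ-Private, Public-DMZ, Private-Public)
mirror the slide; interface names, policy contents and addresses are
constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    in_iface: str
    out_iface: str
    service: str    # class-map match protocol, e.g. "http", "smtp", "ssh"
    src: str
    dst: str


@dataclass
class ZoneFirewall:
    interface_zone: dict    # interface name -> zone name
    zone_pairs: dict        # (source zone, destination zone) -> policy name
    policies: dict          # policy name -> list of (service or "any", action)
    sessions: set = field(default_factory=set)  # (src, dst, service) opened by "inspect"

    def decide(self, f: Flow) -> str:
        """Return "permit" or "drop" for one packet using the ZBF default rules."""
        # Return traffic of a session that an inspect action already opened.
        if (f.dst, f.src, f.service) in self.sessions:
            return "permit"
        src_zone = self.interface_zone.get(f.in_iface)
        dst_zone = self.interface_zone.get(f.out_iface)
        # Interfaces in no zone keep behaving like classic router ports.
        if src_zone is None and dst_zone is None:
            return "permit"
        # A zone member cannot exchange traffic with a non-zone interface.
        if src_zone is None or dst_zone is None:
            return "drop"
        # Traffic between interfaces of the same zone is permitted by default.
        if src_zone == dst_zone:
            return "permit"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        # No zone pair configured for this direction: implicit drop.
        if policy is None:
            return "drop"
        for match, action in self.policies[policy]:
            if match in ("any", f.service):
                if action == "inspect":
                    # Stateful inspection: remember the session so the reply is
                    # permitted even if the reverse zone pair drops or is absent.
                    self.sessions.add((f.src, f.dst, f.service))
                    return "permit"
                return "permit" if action == "pass" else "drop"
        return "drop"   # class-default: drop


def slide_firewall() -> ZoneFirewall:
    """The four zone pairs drawn on the slide; policy contents are assumed."""
    return ZoneFirewall(
        interface_zone={"Gi0/0": "Private", "Gi0/3": "Private",
                        "Gi0/1": "DMZ", "Gi0/2": "Public"},
        zone_pairs={("Private", "DMZ"): "Private-DMZ",
                    ("DMZ", "Private"): "DMZ-Private",
                    ("Public", "DMZ"): "Public-DMZ",
                    ("Private", "Public"): "Private-Public"},
        policies={"Private-DMZ": [("http", "inspect"), ("smtp", "inspect")],
                  "DMZ-Private": [("any", "drop")],
                  "Public-DMZ": [("http", "inspect"), ("smtp", "inspect")],
                  "Private-Public": [("http", "inspect"), ("dns", "inspect")]},
    )


def walk_through() -> dict:
    """Evaluate representative flows in order and collect the decisions."""
    fw = slide_firewall()
    cases = {
        # LAN user opens HTTP to a DMZ web server: inspected, state recorded.
        "lan_to_dmz_http": Flow("Gi0/0", "Gi0/1", "http", "10.1.1.5", "172.16.1.10"),
        # The server's reply crosses DMZ->Private, whose policy drops everything,
        # yet it is permitted because the session was inspected.
        "dmz_reply_to_lan": Flow("Gi0/1", "Gi0/0", "http", "172.16.1.10", "10.1.1.5"),
        # The same server initiating a new HTTP session into the LAN is dropped.
        "dmz_initiated_to_lan": Flow("Gi0/1", "Gi0/0", "http", "172.16.1.10", "10.1.1.7"),
        # No Public->Private zone pair exists: the Internet cannot reach the LAN.
        "internet_to_lan": Flow("Gi0/2", "Gi0/0", "http", "198.51.100.7", "10.1.1.5"),
        # Two Private interfaces: intra-zone traffic is permitted by default.
        "lan_to_lan_ssh": Flow("Gi0/0", "Gi0/3", "ssh", "10.1.1.5", "10.1.2.9"),
        # Private->Public policy only inspects http and dns: ssh hits class-default.
        "lan_to_internet_ssh": Flow("Gi0/0", "Gi0/2", "ssh", "10.1.1.5", "198.51.100.7"),
        # Gi0/4 is in no zone, so a zone member may not talk to it.
        "lan_to_unzoned": Flow("Gi0/0", "Gi0/4", "http", "10.1.1.5", "192.0.2.30"),
    }
    return {name: fw.decide(flow) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, verdict in walk_through().items():
        print(f"{name:24s} {verdict}")
```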
[Diagram: network segmentation: corporate office and corporate network, data center, remote branch office, telecommuter, wireless LAN, Internet; extranet: business partner access; internal segmentation; DMZ: inbound public Internet services; remote access users; outbound client Internet access]
1. vMotion moves VMs across physical ports—the network policy must follow
3. Need shared nomenclature and collaboration for security policies between network and server admin
[Diagram: port group and vCenter]
Industry’s most advanced software switch for VMware vSphere
• Built on Cisco NX-OS
• Compatible with all switches
• Compatible with all servers on the VMware Hardware Compatibility List
[Diagram: Nexus 1000V inside vSphere hosting VMs]
A.10.2 Third Party Service Delivery Management
Objective: to implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements
A.10.3 System Planning and Acceptance
Objective: to minimize the risk of systems failures
• Converges IT and facility networks
• Innovative solution on Cisco Catalyst switching and routing portfolio
• Enables reduction of greenhouse gas (GhG) emissions
• Drives significant cost savings
• Monitors, reports, and reduces energy usage across the entire business
• Manages PoE network devices as well as desktop and laptop
• Provides compelling reports for policy optimization, troubleshooting, and demonstration of energy
“Forrester analyst Doug Washburn said the initiative comes at a good time as companies are looking to go both green and also cut costs. If they get on board, he said, there could be some significant savings beyond IT.” – Ryan Kim, San Francisco Chronicle
“‘Going green has been an industry buzzword for the past couple of years, but Cisco Systems …put its money where its mouth is to help organizations chop energy costs and reduce their carbon footprints with software that can manage devices and systems that gobble up power.” – Andrew Hickey, CRN Canada Online
• A.10.4 Protecting Against Malicious and Mobile Code
Botnet Traffic Filter on ASA 5500 Series
• Monitors malware traffic
– Scans all traffic, ports & protocols
– Detects infected clients by tracking rogue “phone home” traffic
• Highly accurate
– Identifies 100,000s of malware connections per week
– Automatic DNS lookups of addresses
[Diagram: infected clients behind a Cisco ASA phoning home to Command and Control]
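The Botnet Traffic Filter ties DNS replies back to a blocklist and then flags connections to the resolved addresses as "phone home" traffic. The Python below, added here as an illustration and not Cisco's code, reproduces that detection logic over a constructed log: the domain and address blocklists, the allow list, the hosts and every log line are sample values, and the log format is invented for the example.

```python
"""Botnet Traffic Filter style detection over DNS and connection logs.

Added example, not Cisco's code. It reproduces the detection idea on the
slide: snoop DNS replies so resolved addresses are tied back to domains,
then flag "phone home" connections to blocklisted domains or addresses.
Every domain, address and log line below is a constructed sample value.
"""
import re
from collections import defaultdict

# Constructed blocklist: a domain entry also covers its subdomains.
BLOCKED_DOMAINS = {"malicious-placeholder.example"}
BLOCKED_ADDRESSES = {"192.0.2.77"}
# Constructed allow list: addresses resolved from these domains are never flagged.
ALLOWED_DOMAINS = {"updates.vendor-placeholder.example"}

# Constructed log: DNS replies seen by the firewall plus client connections.
SAMPLE_LOG = """\
2010-03-01T08:00:01Z dns reply client=10.1.1.5 qname=updates.vendor-placeholder.example a=203.0.113.10
2010-03-01T08:00:02Z conn src=10.1.1.5 dst=203.0.113.10 dport=443
2010-03-01T08:00:03Z dns reply client=10.1.1.9 qname=c2.malicious-placeholder.example a=198.51.100.23
2010-03-01T08:00:03Z dns reply client=10.1.1.9 qname=c2.malicious-placeholder.example a=198.51.100.24
2010-03-01T08:00:05Z conn src=10.1.1.9 dst=198.51.100.24 dport=8080
2010-03-01T08:01:10Z conn src=10.1.1.12 dst=192.0.2.77 dport=6667
2010-03-01T08:01:12Z conn src=10.1.1.5 dst=198.51.100.23 dport=80
"""

DNS_RE = re.compile(r"^(\S+) dns reply client=(\S+) qname=(\S+) a=(\S+)$")
CONN_RE = re.compile(r"^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$")


def domain_is_blocked(name: str) -> bool:
    """True if the name or any parent domain is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def find_phone_home(log_text: str) -> list:
    """Replay the log in time order and return one finding per suspicious connection."""
    dns_cache = defaultdict(set)    # resolved address -> domains that resolved to it
    findings = []
    # Lines start with a fixed-width UTC timestamp, so a string sort is a time sort.
    for line in sorted(ln for ln in log_text.splitlines() if ln.strip()):
        m = DNS_RE.match(line)
        if m:
            _, _, qname, addr = m.groups()
            dns_cache[addr].add(qname.lower())   # the cache is shared by all clients
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        domains = dns_cache.get(dst, set())
        if domains & ALLOWED_DOMAINS:
            continue
        bad = sorted(d for d in domains if domain_is_blocked(d))
        if dst in BLOCKED_ADDRESSES:
            reason = f"destination {dst} is on the address blocklist"
        elif bad:
            # Catches a client that connects straight to an address some other
            # client resolved from a bad domain earlier: the cache is global.
            reason = f"destination {dst} resolved from blocklisted domain {bad[0]}"
        else:
            continue
        findings.append({"time": ts, "src": src, "dst": dst,
                         "dport": int(dport), "reason": reason})
    return findings


def infected_clients(log_text: str) -> list:
    """Sorted list of internal hosts with at least one phone-home connection."""
    return sorted({f["src"] for f in find_phone_home(log_text)})


if __name__ == "__main__":
    for finding in find_phone_home(SAMPLE_LOG):
        print(finding["time"], finding["src"], "->", finding["dst"], finding["reason"])
    print("infected clients:", infected_clients(SAMPLE_LOG))
```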
Top Botnet Sites, Ports and Infected Endpoints
Live Dashboard
Cisco Intrusion Prevention Solution
• Significantly increasing accuracy
• Powerful preventive defense: blocks 20% of threats before attacks occur
• Micro to macro
• Two-way policy decision
[Diagram: enterprise network with remote/branch office, data center, management network, Internet connections, corporate network and LAN, remote access systems, business partner access and extranet connections]
[Diagram: defense in depth across the same network. Endpoint protection - infection remediation with desktop anti-virus and Microsoft and other anti-spyware software. Network-based content control - multi-function security devices, firewalls, IPS, Web security / proxy, email security. Network Admission Control - ensure endpoint policy compliance. STOP/GO decisions at each entry point]
Global Correlation in Action
[Diagram: Network IPS to Global IPS, 08:00 GMT]
A.10.5 Back-up
Objective: to maintain the integrity and availability of information and information processing facilities
A.10.6 Network Security Management
Objective: to ensure the protection of information in networks and the protection of the supporting infrastructure
Industry’s Most Proven Firewall
Cisco Architecture for the Advanced Next Generation Firewall
[Diagram: Secure Access Control, Protocol Inspection, Threat Protection, Secure Connectivity, Unified Communications]
Powerful Market-Proven Capabilities
[Diagram: the same five pillars: Secure Access Control, Protocol Inspection, Threat Protection, Secure Connectivity, Unified Communications]
Enterprise-Class Availability
Maximizing Uptime
Existing Network
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 138
A.10.7 Media Handling (for your reference)
Objective: to prevent unauthorized disclosure, modification, removal or destruction
of assets, and interruption to business activities

A.10 Communication and Operations Management (Cont'd)
• A.10.8 Exchange of Information
Objective: to maintain the security of information and software exchanged
within an organization and with any external entities
Application Layer Protection
• Application-aware inspection: strong security, granular policy controls
• Application-layer controls perform protocol conformance checking, so traffic that
does not follow the protocol specification is dropped even on an allowed port
Unified Communications protocols inspected: SIP, SCCP (Skinny), H.323 v1–4,
GTP (3G mobile wireless), MGCP, RTP/RTCP/RTSP, TAPI/JTAPI
Database and OS services inspected: Oracle/SQL*Net (V1/V2), Microsoft RPC/DCE RPC,
NFS, ILS/LDAP, Sun RPC/NIS+
A.10 Communication and Operations Management (Cont'd) (for your reference)
• A.10.8 Exchange of Information

A.10.9 Electronic Commerce Services
Objective: to ensure the security of electronic commerce services, and their secure
use

A.10.10 Monitoring (for your reference)
Objective: to detect unauthorized information processing activities
• Synchronize time across all devices
• When a security event occurs, the log data from every device must carry
consistent timestamps, otherwise events cannot be correlated across devices
From an external time source (upstream ISP, Internet, GPS,
atomic clock)
From an internal time source
A router can act as the internal master (ntp master); it is a true stratum 1
source only when it has its own reference clock such as GPS, otherwise it
should advertise a higher stratum

• Authenticate NTP messages
• NTP access controls
http://www.cisco.com/warp/public/707/cisco-sa-20020508-ntp-vulnerability.shtml#workarounds
• Disable NTP on interfaces that don't need it
! Authenticate NTP: only accept time from peers that present a valid key
ntp authenticate
ntp authentication-key 1 md5 <value>
ntp trusted-key 1
! Restrict who may query, be served by, or peer with this device
ntp access-group {query-only | serve-only | serve | peer} <ACL number>
! Do not answer NTP on interfaces that face untrusted networks
interface FastEthernet0/0
 ntp disable
• A.11.1 Business requirement for access controls
Objective: to control access to information

A.11.2 User Access Management (for your reference)
Objective: to ensure authorized user access and to prevent unauthorized
access to information systems.
Cisco TrustSec is a security solution that provides
Policy-based access control
Identity-aware networking, and
Data integrity and confidentiality services
The term TrustSec has been expanded to include several methods for securing
network access and control, including:
Switch infrastructure solutions:
• Identity-Based Networking Services
• 802.1X
• Security Group Tags (SGTs)
Appliance-based solutions:
• Network Admission Control

Policy-based access control for: users, endpoint devices (posture), networking
infrastructure
Identity-aware networking: identity information for granular controls, role-based
business service delivery
Data integrity and confidentiality: securing the data path in the switching
environment with IEEE 802.1AE standard encryption
(Diagram: the boundaryless enterprise network: corporate LAN, data centre, EWAN, DMZ,
public Internet and business partners, with wired/wireless access by employees,
contractors, subcontractors, consultants, partners and guests.) Drivers for
identity-based access control:
• Mitigate new, unknown or changing threats
• Support guest, contractor, partner and remote-site access
• Support disparate access methods and user and device types for a boundaryless
enterprise workforce
• Provide network accountability
• Meet corporate compliance and regulation
Common questions organizations ask
• Are access rights the same when on-premises, at home, on the road?
• Can this work in wireless and wired?
• Can I determine what the endpoints are, and can I control their access?
• Are the endpoints healthy?
• How do I monitor guest activities?
• Are they being spoofed?

Identity information plus other conditions drive authorization (controlling access),
enforced by NAC appliances or by the 802.1X infrastructure
NAC Guest Server: provision guest accounts via a sponsor portal

NAC Profiler: many endpoint devices are undocumented and cannot authenticate to
the network (alarm systems, IP cameras, fax machines, turnstiles, cash registers,
HVAC systems, video conference units, printers)
• Device identification: determine device type; centralized device discovery and
inventory using network device data
• Control and audit: authorize based on device role; monitor and audit to prevent
spoofing

Appliance policy components
• NAC Manager: admin, reporting and policy store
• NAC Server: full-featured posture, services and enforcement
• or ACS: identity and 802.1X access policy system
• plus NAC Profiler: profiles non-authenticating devices
• NAC Guest: full-featured guest provisioning server
Benefits (for your reference)
Provides topology-independent policy
Flexible and scalable policy based on user role
Centralized policy management for dynamic policy provisioning
Egress filtering on the destination switch reduces TCAM impact compared with
per-IP access lists

SGACL example: users are classified into source security groups and servers into
destination security groups, and the SGACL matrix decides which source group may
reach which destination group, independent of IP addressing
Source security groups (users): S1 MGMT A (SGT 10), S2 MGMT B (SGT 20), S3 HR Rep
(SGT 30), S4 IT Admins (SGT 40)
Destination security groups (servers D1–D6): Sales SRV (SGT 500), HR SRV (SGT 600),
Finance SRV (SGT 700)
Cisco's End-to-End Portfolio Highlights: solution expertise, business value, reduced
vendor support, Cisco stability, reduced operational cost

A.11.2 User Access Management (for your reference)
Objective: to ensure authorized user access and to prevent unauthorized
access to information systems.
• password: sets a password for a line and user EXEC mode. Note that password
stores the string in cleartext (or reversibly encoded with service
password-encryption); the secret forms (enable secret, username ... secret) store
a hash and should be preferred
A.11 Access control (for your reference)
A.11.3 User Responsibilities
Objective: to prevent unauthorized user access, and compromise or theft of
information and information processing facilities

A.11 Access control
A.11.4 Network Access Control
Objective: to prevent unauthorized access to networked services
NAC architecture
• Ruleset updates: scheduled automatic rulesets for anti-virus, Microsoft hot-fixes
and other applications
• Policy: NAC Manager for centralized management, configuration, reporting and
policy store; ACS for RADIUS-based access policy and 802.1X termination
• NADs (network access devices): ASA VPN, wireless, switch
• Endpoints: NAC Agent or Web Agent (no-cost client for device-based scans), or an
802.1X supplicant via CSSC or the native OS
Identity + Posture; Guest Lifecycle Management

Simplifies management for AV and AS applications: Cisco NAC Manager AutoUpdates
cover hotfixes, service packs and Windows updates
Cisco Aironet 3500 Series Access Points: integrated spectrum intelligence
Detects, classifies, locates and mitigates RF interference
Self-heals and optimizes wireless performance
Purpose-built radio chipset for spectrum intelligence, not software based
Secures against non-Wi-Fi threats and enforces policy automatically
"This capability has been at the top of my wish list for spectral-assurance tools
since... The potential benefits in performance, reliability, security, integrity,
and risk management (regulatory and related) are enormous."
"The integration of spectrum analysis and building this intelligence into the
infrastructure itself is a significant game changer... A self-healing WLAN able to
work around the various sources of interference is fast becoming a requirement..."
SNMP (for your reference)
• Canonical method of obtaining real-time information from network devices
• SNMP Version 3 (SNMPv3) provides authentication, integrity and encryption; SNMPv1
and SNMPv2c send community strings in cleartext, so restrict them with ACLs and
read-only views, or prefer SNMPv3 with authPriv
• MIBs support polling of statistics ranging from interface bandwidth to CPU
utilization to chassis temperature
• Both a pull model for statistical polling and a push model for trap generation
based on events such as link up/down
• Many open-source and commercial collection systems and visualization tools
• Easiest way to get into profiling of general network characteristics
Configure Routing Authentication
(Diagram: the campus router signs route updates; the neighbour verifies the
signature.)
• A variety of Cisco IOS protocols support MD5 authentication
including BGP, OSPF, LDP, RIPv2, IS-IS, HSRP, EIGRP,
and MSDP
How it works, with the same shared key X configured on both routers:
1. The sender hashes the routing advertisement together with the shared key using
MD5, producing MAC1.
2. The sender transmits MAC1 together with the routing advertisement; the key itself
never leaves the router.
3. The receiver hashes the received advertisement together with its own copy of the
shared key, producing MAC2.
4. If MAC1 = MAC2 the routing advertisement is authenticated; otherwise it is
discarded.
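The four-step exchange above, and the NTP authentication-key mechanism earlier, both rest on the same keyed-hash construction: digest the message together with a shared secret, send message plus digest, and let the receiver recompute and compare. The following is an added example (not Cisco code and not the exact on-wire layout of OSPF, RIPv2 or NTP, each of which places the key and padding differently); the advertisement text, the key value X and the attacker's guessed key are constructed for illustration.

```python
"""Keyed-MD5 message authentication of a routing advertisement, in the shape the
slide describes: MAC = MD5(advertisement || shared key).  Added example with
constructed data; the real protocols differ in exact byte layout."""
import hashlib
import hmac
from typing import Optional, Tuple

SHARED_KEY = b"X-shared-routing-key"   # assumption: the key X configured on both routers
WRONG_KEY = b"attacker-guess"           # a key an on-path attacker might try
DIGEST_LEN = 16                         # MD5 digest size in bytes


def routing_mac(advertisement: bytes, key: bytes) -> bytes:
    """Step 1/3: MAC over the advertisement with the shared key appended."""
    return hashlib.md5(advertisement + key).digest()


def sign_advertisement(advertisement: bytes, key: bytes) -> bytes:
    """Step 2: what goes on the wire is advertisement + MAC1, never the key."""
    return advertisement + routing_mac(advertisement, key)


def verify_advertisement(wire: bytes, key: bytes) -> Tuple[bool, Optional[bytes]]:
    """Step 4: split off MAC1, recompute MAC2 with the receiver's own key and
    accept only on equality (constant-time compare); return the accepted
    advertisement or None when it must be discarded."""
    if len(wire) <= DIGEST_LEN:
        return False, None
    advertisement, mac1 = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    mac2 = routing_mac(advertisement, key)
    if hmac.compare_digest(mac1, mac2):
        return True, advertisement
    return False, None


def tamper(wire: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an on-path attacker rewriting part of the advertisement
    without the key: the payload changes, the MAC does not."""
    advertisement, mac1 = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    return advertisement.replace(old, new) + mac1


def demo() -> dict:
    """Run the genuine, tampered, wrong-key and forged cases; True = accepted."""
    adv = b"OSPF LSA: 10.20.0.0/16 via 10.0.0.1 metric 10"   # constructed sample
    wire = sign_advertisement(adv, SHARED_KEY)
    return {
        "genuine": verify_advertisement(wire, SHARED_KEY)[0],
        "tampered": verify_advertisement(tamper(wire, b"10.0.0.1", b"10.0.0.9"), SHARED_KEY)[0],
        "wrong_key": verify_advertisement(wire, WRONG_KEY)[0],
        "forged": verify_advertisement(sign_advertisement(adv, WRONG_KEY), SHARED_KEY)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} -> {'authenticated' if accepted else 'discarded'}")
```

Only the genuine case is accepted; a rewritten next hop, a peer holding a different key, and a forged update signed with a guessed key are all discarded. Two practitioner caveats: the shared key is a long-lived secret that must be rotated (IOS key chains with accept/send lifetimes exist for this), and plain keyed MD5 is a legacy construction, so where the protocol and IOS release offer HMAC-SHA (OSPF per RFC 5709, for example) prefer that.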
• CLI command that automates the configuration of security features and
disables certain features enabled by default that could be exploited as
security holes
Router# auto secure [management | forwarding] [no-interact |
full] [ntp | login | ssh | firewall | tcp-intercept]

Auto Secure Options
• management: secures only the management plane
• forwarding: secures only the forwarding plane
• no-interact | full: apply defaults without prompting, or prompt for every setting
• ntp, login, ssh, firewall, tcp-intercept: enable the named feature (ssh enables
SSH; tcp-intercept enables TCP intercept)
Review the generated configuration before saving it: AutoSecure disables services
such as CDP that other parts of the network may rely on
A.11.5 Operating system access control
Objective: to prevent unauthorized access to operating systems

Router management access paths that must each be controlled:
• Console and VTY
• SSH: encrypted access (prefer it to Telnet, which sends credentials in clear)
• Local passwords
Usernames configured on the router with MD5-hashed passwords (username ... secret)
• External AAA
TACACS+, RADIUS, Kerberos
• HTTP/HTTPS
• SNMP

• Differentiate staff authority on the router
Help desk
Operations
Second-level/third-level support
• Set a level of privilege for each user class, so each class can run only the
commands its role needs
Comprehensive, Granular Controls: Secure Access Control, Protocol Inspection, Threat
Protection, Secure Connectivity, Unified Communications

ASA: Application and User-Centric Security for Access Control in Modern Networks
• To mitigate the risk associated with idle user sessions:
exec-timeout: disconnects incoming user sessions after a specific period of
idle time (a value of 0 0 disables the timeout and should not be used on VTY lines)
ip http timeout-policy idle: disconnects idle HTTP (or HTTPS) client
connections after a specific period of idle time
A.11 Access control (for your reference)
A.11.7 Mobile Computing and Teleworking
Objective: to ensure information security when using mobile computing
and teleworking facilities
Web Security with Next Generation Remote Access: choice, and diverse endpoint
support for greater flexibility
(For your reference: AnyConnect tunneling on Microsoft Windows Mobile touch-screen
devices and on Apple iPhone.)

A Next Generation Solution: combined ASA and Web Security Appliance deployment
• End-to-end seamless security: information sharing between Cisco ASA and Cisco Web
Security Appliance, with AnyConnect clients and corporate AD as the identity source
• More security: always-on VPN, administrative control, quarantine capability
(Diagram: internal and remote users authenticate through a SAML-enabled gateway at
the enterprise edge against AD / the user directory.)
A.11.7.2 Teleworking
– Cisco AnyConnect
– CVO (Cisco Virtual Office)
– VPN (SSL, IPsec)
– Cisco NAC / ISE
Single phone line; security, mobility and unified communications management

The Virtual Office Solution for Teleworkers (for your reference): Cisco Virtual
Office (CVO) on an ISR extends the trusted corporate network to home and branch
offices; mobile users connect with the AnyConnect Secure Mobility Client over
cellular, Wi-Fi or wired access across the public Internet to purpose-optimized ASA
head ends in the corporate network. (Diagrams of Cisco Virtual Office use cases and
corporate campus topologies not reproduced.)
A.12 Information Systems Acquisition, Development and Maintenance

Protocol Depth and Breadth (inspection coverage diagrams)

A.12.2 Correct processing in applications
Objective: to prevent errors, loss, unauthorized modification or misuse of
information in applications

Cisco Registered Envelope Service
Easy for the sender
Easy for the recipient: 1. Open attachment 2. Enter password 3. View message

A.12.3 Cryptographic controls
Objective: to protect confidentiality, authenticity, or integrity of information
by cryptographic means.
MACsec (IEEE 802.1AE)
• Provides strong 128-bit AES-GCM encryption (NIST approved)
Benefits
• Protects against man-in-the-middle attacks on the LAN segment (snooping,
tampering, replay)
• Hop-by-hop network service: each link is encrypted and decrypted at the switch,
so traffic remains visible to the switch for inspection and policy, unlike
end-to-end enforcement (e.g., IPsec); the trade-off is that each switch in the
path must be trusted
Next-Generation Security
(Diagram: data and video streams crossing the LAN in the clear, exposed to a
malicious guest user, versus encrypted, tamper-proof transactions.)
Is my network ready for current and future regulatory requirements?

(Diagram: users steve and bob authenticate through the wiring-closet switch to AAA
on the campus network; the policy "encryption" is applied per user, and a
non-MACsec-enabled endpoint is handled separately.)
• MACsec-ready hardware:
Intel 82576 Gigabit Ethernet Controller
Intel 82599 10 Gigabit Ethernet Controller
Intel ICH10 - Q45 Express Chipset (1GbE LOM)
(Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM.)
(Diagram, for your reference: Nexus 7000 pairs N7K-1/N7K-2 and N7K-3/N7K-4 with vPC,
connected through ASR-1 to ASR-4 over EoMPLS pseudowires; the 802.1AE frame is
carried across the pseudowire between the sites.)
Cisco Wireless Security Overview
Integrated, proactive and collaborative: infrastructure authentication,
auth/privacy, management frame protection (MFP), malware mitigation, clean RF,
posture assessment, automated vulnerability monitoring, management and reporting,
unified security management
Cisco ASA Phone Proxy: Remote Access and Voice/Data Segmentation
(Diagram: remote Cisco IP phones on the untrusted Internet reach the ASA over
encrypted TLS signalling and SRTP media; the ASA terminates that encryption, so the
trusted but unsecured internal segment carries unencrypted or encrypted traffic to
the internal Cisco IP phones.)

Industry-First Encrypted Voice Security Solution (new in 8.0): TLS signaling
(Diagram: Internet edge with remote access and EzVPN / DMVPN spokes over the
Internet or a shared network; WAN edge with GET VPN group members (GM) and key
servers (KS) over an MPLS/private network, IPsec throughout.)
A.12.3 Cryptographic controls
Objective: to protect confidentiality, authenticity, or integrity of information
by cryptographic means.

GET VPN roles
Key Server
• Validate group members
• Manage security policy
• Create group keys
• Distribute policy / keys
Group Member
• Encryption devices
• Route between secure / unsecure regions
• Multicast participation
Routing Members
• Forwarding
• Replication
• Routing

(For your reference: the key server distributes the Traffic Encryption Key (TEK) to
all group members under RFC 3547, Group Domain of Interpretation (GDOI); the
diagrams show key server KS with group members GM1 to GM9.) Because every group
member holds the same TEK, the security of the group depends on the key server
strictly validating membership and on regular rekeying.
A.12.4 Security of system files (for your reference)
A.12.5 Security in Development and Support Processes (for your reference)

• A.13.1 Reporting Information Security Events and Weaknesses (for your reference)
A.13.2 Management of Information Security Incidents and Improvement
Objective: to ensure a consistent and effective approach is applied to the
management of information security incidents
• Packet capture is like a wiretap: it records full content, so it needs the same
authorization and evidence-handling controls as any intercept
Internal Threat Information Resource: NetFlow
! Enable NetFlow accounting on the ingress interface, then export the flow
! records to the collector (UDP port 9996 here)
router(config-if)# ip flow ingress
router(config)# ip flow-export destination 172.17.246.225 9996
Exported datagram: header (sequence number, record count, version number) followed
by flow records taken from the NetFlow cache. Export is plain UDP, so keep the
collector on the management network and watch the sequence numbers for loss.

Internal Threat Information Resource: traffic classification, flow summary and
flow detail views
• Networks and network-enabled devices constantly create traffic. However, this
traffic follows certain patterns according to the applications and user behaviour
• Analyzing these patterns allows us to see what is NOT normal
• The key is to collect traffic information (NetFlow) and calculate various
statistics, for example flows per host, distinct destination ports and bytes
sent. These are then compared against a baseline, and abnormalities are
analyzed in more detail.
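The baseline-and-compare method described above, as an added example that is not part of the original deck or any Cisco tool. It summarises per-source statistics from flow records, learns a per-host mean and standard deviation from three historical windows, and flags a host in the current window whose statistics exceed the baseline. The flow records, the text format (one "src dst proto dport pkts octets" line per flow, as a collector might dump them), the z-score threshold and the minimum-delta floor are all constructed assumptions.

```python
"""NetFlow-style baseline anomaly detection: per-host statistics vs a learned
baseline.  Added example with constructed flow records, not Cisco code."""
import statistics
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int
    dport: int
    pkts: int
    octets: int


class HostStats(NamedTuple):
    flows: int
    distinct_dsts: int
    distinct_dports: int
    octets_out: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src dst proto dport pkts octets' lines (assumed dump format)."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, octets = line.split()
        flows.append(Flow(src, dst, int(proto), int(dport), int(pkts), int(octets)))
    return flows


def summarise(flows: List[Flow]) -> Dict[str, HostStats]:
    """Collapse flows into per-source statistics for one observation window."""
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        per_src[f.src].append(f)
    return {src: HostStats(len(fl), len({f.dst for f in fl}),
                           len({f.dport for f in fl}), sum(f.octets for f in fl))
            for src, fl in per_src.items()}


def build_baseline(windows: List[Dict[str, HostStats]]) -> Dict[str, Dict[str, Tuple[float, float]]]:
    """Per host and metric, mean and population std-dev over historical windows."""
    series: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for window in windows:
        for host, st in window.items():
            for metric, value in st._asdict().items():
                series[host][metric].append(value)
    return {host: {m: (statistics.fmean(v), statistics.pstdev(v)) for m, v in metrics.items()}
            for host, metrics in series.items()}


def detect_anomalies(current: Dict[str, HostStats], baseline, z: float = 3.0,
                     min_delta: int = 5) -> List[Tuple[str, str, int]]:
    """Flag (host, metric, value) where value > mean + z*sd; min_delta is a floor
    so a near-constant baseline (sd ~ 0) does not fire on one extra flow.
    Hosts never seen in the baseline are reported as new_host."""
    findings = []
    for host, st in current.items():
        if host not in baseline:
            findings.append((host, "new_host", st.flows))
            continue
        for metric, value in st._asdict().items():
            mean, sd = baseline[host][metric]
            if value > max(mean + z * sd, mean + min_delta):
                findings.append((host, metric, value))
    return findings


# Constructed history: two hosts with steady web/DNS traffic over three windows
BASELINE_WINDOWS = [
    """10.1.1.10 10.2.0.5 6 443 20 4000
       10.1.1.10 10.2.0.6 6 80 10 1500
       10.1.1.10 10.2.0.5 6 443 30 9000
       10.1.1.20 10.2.0.7 17 53 2 200
       10.1.1.20 10.2.0.5 6 443 15 3000""",
    """10.1.1.10 10.2.0.5 6 443 25 5000
       10.1.1.10 10.2.0.6 6 80 12 1800
       10.1.1.10 10.2.0.6 6 80 8 1200
       10.1.1.10 10.2.0.5 6 443 9 1100
       10.1.1.20 10.2.0.7 17 53 3 300
       10.1.1.20 10.2.0.5 6 443 18 3600""",
    """10.1.1.10 10.2.0.5 6 443 22 4400
       10.1.1.10 10.2.0.6 6 80 11 1700
       10.1.1.10 10.2.0.5 6 443 5 700
       10.1.1.20 10.2.0.7 17 53 2 200
       10.1.1.20 10.2.0.5 6 443 14 2800
       10.1.1.20 10.2.0.6 6 80 6 900""",
]
# Constructed current window: 10.1.1.10 sweeps 40 ports on one server (a scan),
# 10.1.1.20 behaves as usual, 10.1.1.99 has never been seen before
SCAN = "\n".join(f"10.1.1.10 10.2.0.9 6 {port} 1 60" for port in range(1, 41))
CURRENT_WINDOW = SCAN + """
10.1.1.10 10.2.0.5 6 443 21 4200
10.1.1.20 10.2.0.7 17 53 2 200
10.1.1.20 10.2.0.5 6 443 16 3200
10.1.1.99 10.2.0.5 6 443 4 800
"""


def demo() -> List[Tuple[str, str, int]]:
    baseline = build_baseline([summarise(parse_flows(w)) for w in BASELINE_WINDOWS])
    return detect_anomalies(summarise(parse_flows(CURRENT_WINDOW)), baseline)


if __name__ == "__main__":
    for host, metric, value in demo():
        print(f"{host}: {metric} = {value}")
```

The scanning host is flagged on both flow count and distinct destination ports while its byte count stays inside the baseline, which is the point: byte-volume thresholds alone miss low-volume reconnaissance. The unknown host is reported separately rather than scored, since it has no baseline to compare against.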
• Cisco NetFlow home (for your reference)
http://www.cisco.com/en/US/tech/tk812/tsd_technology_support_protocol_home.html
• A.15.1 Compliance with legal requirements
Objective: to avoid breaches of any law, statutory, regulatory or contractual
obligations, and of any security requirements

Email Remains a Primary Loss Vector (chart; legible figure: Social Security
Numbers 30%)
Simple Set Up
• Easy "3 click" set-up using content filters
• Use pre-defined content categories or create / customize your own
• Can be applied to specific users under specific conditions

Integrated Scanning: outbound mail from users is scanned with compliance
dictionaries, custom content filters, smart identifiers, weighted content
dictionaries and attachment scanning

Integrated Remediation: on a match, outbound mail can be remediated by
notification, by encrypting the message, or by quarantine
• Business needs determine sensitive content
Example policy: mail from Exchange.charlie.com (172.20.0.10) bound for the Internet
is checked; if the body or an attachment contains "Confidential", then the message
is sent to the Human Resources policy quarantine
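The scanning and remediation pipeline from the last three slides, as an added example that is not part of the deck and not Cisco's filter engine. It applies the slide's rule ("Confidential" in body or attachment goes to quarantine) together with a smart identifier (a US SSN pattern) and a weighted content dictionary, and returns one of the three remediation actions. The messages, the dictionary weights, the score threshold and the SSN regex are constructed assumptions; the internal domain charlie.com is taken from the slide.

```python
"""Outbound-mail content scan: hard terms, smart identifiers, weighted
dictionaries, and a deliver / encrypt / quarantine decision.
Added example with constructed messages; not Cisco's engine."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Smart identifier (assumption): US SSN with structural checks, since area
# numbers 000, 666, 9xx and group/serial 00/0000 are never issued; this avoids
# flagging arbitrary digit runs such as ticket numbers
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

HARD_TERMS = ("confidential",)                     # the slide's rule
HR_DICTIONARY = {"salary": 3, "termination": 3, "performance review": 4}  # assumed weights
HR_THRESHOLD = 5                                   # assumed score threshold
INTERNAL_DOMAIN = "charlie.com"                    # from Exchange.charlie.com on the slide


class Message(NamedTuple):
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str]   # filename -> text extracted from the attachment


class Verdict(NamedTuple):
    action: str                   # deliver | encrypt | quarantine
    reason: str
    score: int
    ssn_count: int


def scan_text(text: str) -> Tuple[int, int, bool]:
    """Return (dictionary score, SSN count, hard-term hit) for one text part."""
    low = text.lower()
    score = sum(w for term, w in HR_DICTIONARY.items() if term in low)
    hard = any(term in low for term in HARD_TERMS)
    return score, len(SSN_RE.findall(text)), hard


def leaves_org(msg: Message) -> bool:
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def evaluate(msg: Message) -> Verdict:
    """Priority order: internal-only mail is left alone; a hard term or an SSN in
    subject, body or any attachment -> quarantine for HR review; dictionary score
    at or above threshold -> encrypt (registered envelope); otherwise deliver."""
    if not leaves_org(msg):
        return Verdict("deliver", "all recipients internal", 0, 0)
    score = ssns = 0
    hard = False
    for part in (msg.subject, msg.body, *msg.attachments.values()):
        s, n, h = scan_text(part)
        score, ssns, hard = score + s, ssns + n, hard or h
    if hard:
        return Verdict("quarantine", "hard term matched", score, ssns)
    if ssns:
        return Verdict("quarantine", f"{ssns} SSN(s) found", score, ssns)
    if score >= HR_THRESHOLD:
        return Verdict("encrypt", f"score {score} >= {HR_THRESHOLD}", score, ssns)
    return Verdict("deliver", "no sensitive content", score, ssns)


# Constructed sample messages covering each branch of the policy
SAMPLES = {
    "internal_ssn": Message("hr@charlie.com", ["alice@charlie.com"], "Payroll",
                            "Confidential: 123-45-6789 salary update", {}),
    "external_ssn_attachment": Message("hr@charlie.com", ["payroll@vendor.example"],
                                       "Q3 export", "see attached",
                                       {"export.csv": "name,ssn\nbob,321-54-9876"}),
    "external_confidential": Message("bob@charlie.com", ["partner@example.net"],
                                     "Roadmap", "Confidential roadmap attached", {}),
    "external_benign": Message("bob@charlie.com", ["partner@example.net"],
                               "Lunch", "Thursday works for me", {}),
    "external_invalid_ssn": Message("hr@charlie.com", ["partner@example.net"],
                                    "Ticket", "salary question, ref 000-12-3456", {}),
    "external_hr_terms": Message("hr@charlie.com", ["counsel@lawfirm.example"],
                                 "Case", "termination and salary details follow", {}),
}


def demo() -> Dict[str, str]:
    return {name: evaluate(m).action for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:24s} -> {evaluate(msg)}")
```

Attachments are scanned as extracted text, which is where the real work lies in production (decoding Office and PDF formats); the ticket-number case shows why a smart identifier needs structural checks rather than a bare digit pattern, otherwise the quarantine fills with false positives and reviewers stop reading it.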
• A banner serves as a legal notice, such as a "no trespassing" or "warning"
statement. A proper legal notice supports legal action against unauthorized
users; it should not welcome the user and should not disclose platform or
software details that help an attacker
• EXEC banner: specifies a message (or EXEC banner) to be displayed when an EXEC
process is created
• MOTD banner (message-of-the-day): specifies a MOTD to be displayed immediately to
all user sessions and when new users first connect to the router
• Incoming banner: specifies an incoming banner to be displayed for incoming reverse
Telnet sessions
• Login banner: specifies a login banner to be displayed before the username and
password prompts
Banner examples (for your reference)
! Login banner: the legal notice shown before the username/password prompt
banner login ^
Authorised access only
This system is the property of Galactic Internet
Disconnect IMMEDIATELY if you are not an authorised user!
Contact noc@isp.net 555-1212 for help.
^
! MOTD banner: shown to every session on connect; $(domain) expands to the
! router's configured domain name
banner motd ^
Notice: all routers in $(domain) will be upgraded beginning July 1
^
! EXEC banner: operational note shown once the user has an EXEC shell
banner exec ^
PLEASE NOTE - THIS ROUTER SHOULD NOT HAVE A DEFAULT ROUTE!
It is used to connect paying peers. These 'customers' should not be able to
default to us. The config for this router is NON-STANDARD
Contact Network Engineering 555-1212 for more info.
^
A.15.2 Compliance with Security Policies and Procedures, and Technical Compliance
(for your reference)
Objective: to ensure compliance of systems with organizational security policies
and standards.

A.15.3 Information Systems Audit Considerations (for your reference)
Objective: to maximize the effectiveness of and to minimize interferences to/from
the information systems audit process
How Best to Implement Frameworks
Planning
Set up an organizational framework with clear responsibilities and
objectives and participation from all interested parties
Manage risk areas
Analyze current capability and identify gaps
Develop a maturity capability assessment
Measure results: establish a scorecard mechanism for measuring
current performance and monitor the results of new improvements

Open and Strong Support by Senior Management
Ideally, top senior management should take ownership of IT governance
Continuous communication with senior management
Alignment of IT initiatives with business needs and risks
Performance measurement and reporting

General Recommendations (for your reference)
Treat the implementation initiative as a project with phases
Create awareness of the business purpose and benefits of practices
Manage cultural change
Manage expectations
Focus on quick wins
Framework, processes and procedures should be agile and flexible, to
adapt to changes (new technologies, organizational change, new demands, etc.)
New Trends Change the Face of the Data Center
Cloud: private and public; elasticity and scale
Virtualization: consolidation; optimization; agility
Openness: secure access for mobile users, partners, outsourcers

Cloud model: request a resource and pay as you use it from a shared resource pool
(capacity, suitability, performance, normalization, green). Need it: get it
instantly. Don't need it: give it back.

Cloud computing defined: IT resources and services that are abstracted from the
underlying infrastructure and provided "on demand" and "at scale" in a
multitenant and elastic environment; a style of computing where massively
scalable IT-enabled capabilities are delivered "as a service" to multiple
external customers using Internet technologies

Cloud Computing Is a 4th Utility, after water, electricity and phone: a new utility
built on virtualization (lower cost), low complexity, scalability and elasticity
(economies of scale)

Virtual access layer: the physical access switch is complemented by the Nexus 1000V
integrated virtual switch
• Includes key Cisco network and security features
• Addresses issues of VM isolation, separation of duties and VM visibility
• Toll fraud: unauthorized or unbillable resource utilization
• Eavesdropping: listening to another’s call
• Learning private information: caller ID, DTMF password/accounts, calling patterns
• Session replay: replay a session, such as a bank transaction
• Fake identity
• Media tampering
• Denial of service: hanging up other people’s conversations; contributing to other DoS attacks
• Impersonating others
• Hijacking calls
• SPAM: SPIM, SPIT, and more SPAM
Building A Secure UC System (For Your Reference)
Protecting all elements of the Unified Communications system:
• Infrastructure: secure connectivity and transport
• Endpoints: authenticated IP phones, soft clients and other devices
Systems Approach in Action (For Your Reference)
Infrastructure (Internet / Intranet):
- VLAN segmentation
- Layer 2 protection
- Firewall
- Intrusion detection
- QoS and thresholds
- Secure VPN
- H.323 and SIP signaling
- Wireless security
Applications:
- Multi-level administration
- Toll fraud protection
- Secure management
- Hardened platforms
Mobile voice and collaboration
• Delivers high quality voice services over the wireless LAN
• CCX enabled with intelligent QoS, fast secure roaming, and enhanced power management
• Supported on single or dual mode Wi-Fi and CCX enabled phones
• Cisco Aironet 1140, 1250, 1260 and 3500 Series Access Points
• Reduces cell phone costs and supports dual-mode applications like Cisco Mobile 8.0 for iPhone and Cisco Nokia Call Connect
Mobile Devices ↔ IT Resources
• 1.3 Billion New Networked Mobile Devices in Next 3 Years
• Cisco Mobility Video
• 60% of All Network Traffic Today Is Video
[Figure labels: Changing Business Demographics; CIO Priorities Over the Next 3 Years]
Video done right
• Extends the boundary of networks to include the endpoints to scale, optimize and enhance the performance of video.
• Offers new intelligent routing features plus architectural alternatives to guard against the risk of quality degradation due to network congestion.
• Simplifies deployments and reduces ongoing operational costs of rich media applications and end points.
• Reserves resources across the entire network in order to assure a predictable and controlled Quality of Experience for each rich media session.
• Reduces traffic to the Cisco WebEx cloud, optimizing the branch experience.
• Performance Routing automatically routes media via the optimal route as configured by the customer.

“Video Stream is a great step in the right direction…and it’s only a matter of time before video becomes our primary form of communication. Cisco's strategy seems to be to drive the business by providing customers with high-bandwidth/video applications. Not a bad thing at all.”
– Craig Mathias, Farpoint Group

“Medianet is the right technology at the right time on how we can offer tools to manage video.”
– Nick Lippis, The Lippis Report, Podcast
Media-Ready wireless LAN
• Delivers high quality, scalable multicast video over the wireless LAN
• Prioritizes QoS for critical video content
• Scales effectively with client admission policy control
• Cisco Aironet 1140, 1250, 3500, 1260 Series Access Points
• Access point converts multicast streams to unicast

“The software update also integrates other new features to enhance the quality of experience for streaming video over wireless LAN, delivering a more ‘holistic’ solution than competitors do.”

“Cisco announced software for its Wi-Fi products to improve video performance, reliability and scaling on 802.11n wireless networks. … VideoStream, compensates for Wi-Fi weaknesses that degrade video quality as the number of streams and clients grow.”
Borderless Experience: Anyone, Anything, Anywhere, Anytime
Thank you.