
Instructor Materials

Chapter 1: Cybersecurity
and the Security
Operations Center

Cybersecurity Operations

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 2: Network
Security Devices and
Cloud Services

Cybersecurity Operations - SECFND

Chapter 2 - Sections & Objectives
 2.1 Network Security Systems
 2.2 Security Cloud-based Solutions
 2.3 Cisco NetFlow
 2.4 Data Loss Prevention

2.1 Network Security
Systems

Network Security Systems
Network Security Systems
 Network Security devices include the following:
• Traditional and next generation firewalls
• Personal firewalls
• Intrusion Detection Systems (IDS)
• Traditional and Next-Gen Intrusion Prevention Systems (IPSs)
• Anomaly Detection Systems
• Advanced Malware Protection (AMP)
• Web Security Appliances
• Email Security Appliances
• Identity Management Systems

Network Security Systems
Traditional Firewalls
 Placed between a trusted and an untrusted network
 Personal firewalls run on the end host
 Network firewalls are used for perimeter security
 Processes used to allow or block traffic may include:
• Simple packet-filtering techniques
• Application proxies
• Network address translation
• Stateful inspection firewalls
• Next-generation context-aware firewalls

Network Security Systems
Packet Filtering Techniques
 Control access by inspecting each packet's network- and transport-layer headers
 Inspection is defined in an ACL keyed on the five-tuple:
• Source address
• Destination address
• Source port
• Destination port
• Protocol
 ACLs are typically configured on firewalls but can also be configured on routers, WLCs, Layer 3 switches, etc.
 A new ACE is appended to the end of an ACL unless a line/sequence number is given
 ACEs are evaluated in sequential order; the first matching ACE decides and later ACEs are not consulted, so a more specific ACE placed below a broader one never matches
 There is an implicit deny at the end of every ACL
 On ASA, each interface is assigned a security level; the higher the security level, the more trusted the interface
Network Security Systems
Packet Filtering Techniques
 An ACL must explicitly permit traffic traversing the security appliance from a lower to a higher security-level interface; traffic from a higher to a lower level is allowed by default when no ACL is applied
 ACLs can control traffic through the security appliance as well as traffic to the security appliance itself (management access)
 Cisco ASA supports five different types of ACLs (IPv6 ACLs were merged into extended ACLs in ASA 9.0):
• Standard ACLs
• Extended ACLs
• IPv6 ACLs
• EtherType ACLs
• Webtype ACLs
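Worked example (added here as instructor notes, not code from the Cisco deck): a small Python model of ordered ACL evaluation. It shows first-match-wins, the implicit deny, an ACE that is shadowed by an earlier one and therefore never matches, and a simplified, assumed model of the ASA security-level default when no ACL is bound. The ACL, the addresses and the `asa_decision` helper are constructed for illustration and are not an ASA implementation.

```python
"""Ordered ACL evaluation as a packet filter does it: first matching ACE wins and
anything unmatched hits the implicit deny. Added illustration, not Cisco code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:            # the five-tuple a packet filter looks at
    src: str
    dst: str
    sport: int
    dport: int
    proto: str           # "tcp", "udp", "icmp"


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR, e.g. "10.0.0.0/8"; "0.0.0.0/0" is "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, index of the matching ACE);
    index None means the packet fell through to the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None


def shadowed_aces(acl: List[ACE]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE already covers
    everything they would match (same or broader protocol, subnets and port).
    Order matters: appending a permit below a broader deny does nothing."""
    covered = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and ipaddress.ip_network(later.src, strict=False).subnet_of(
                        ipaddress.ip_network(earlier.src, strict=False))
                    and ipaddress.ip_network(later.dst, strict=False).subnet_of(
                        ipaddress.ip_network(earlier.dst, strict=False))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                covered.append(j)
                break
    return covered


def asa_decision(ingress_level: int, egress_level: int,
                 acl: Optional[List[ACE]], pkt: Packet) -> str:
    """Simplified model of ASA interface security levels (an assumption for
    illustration, not a full ASA implementation): with no ACL bound to the ingress
    interface, traffic is allowed only from a higher to a lower security level;
    once an ACL is bound, the ACL decides, implicit deny included."""
    if acl is None:
        return "permit" if ingress_level > egress_level else "deny"
    return evaluate(acl, pkt)[0]


# Constructed sample: an inbound ACL on an outside interface (security level 0)
# protecting a DMZ web server at 192.0.2.10.
OUTSIDE_IN = [
    ACE("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    ACE("deny", "ip", "10.0.0.0/8", "0.0.0.0/0"),        # RFC 1918 source arriving from outside: spoofed
    ACE("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    ACE("permit", "tcp", "198.51.100.0/24", "192.0.2.10/32", 443),  # already covered by the first ACE
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "192.0.2.10", 5000, 443, "tcp"),
                Packet("203.0.113.7", "192.0.2.10", 5000, 22, "tcp"),
                Packet("10.2.3.4", "192.0.2.10", 5000, 80, "tcp")):
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(OUTSIDE_IN, pkt))
    print("shadowed ACEs:", shadowed_aces(OUTSIDE_IN))
```

The SSH packet to port 22 matches nothing and is dropped by the implicit deny; the fourth ACE is reported as shadowed because the first ACE already permits every TCP/443 packet to that host, which is the kind of dead rule that accumulates when every new ACE is simply appended.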

Network Security Systems
Application Proxies
 Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients on a private or protected network
 Most proxy firewalls work at the application layer
 They can cache information to accelerate their transactions
 They are by design a man-in-the-middle device: the proxy terminates the client's connection and opens its own connection to the server, so it sees (and can inspect or rewrite) the full application payload

Network Security Systems
Network Address Translation (NAT)
 A Layer 3 device translates an internal host's private (real) IP address to a publicly routable (mapped) address
 PAT (port address translation) also rewrites the source port so that many real addresses can share one mapped address
 Static NAT is a fixed one-to-one mapping, so connections can be initiated in either direction; dynamic NAT and PAT entries exist only for connections initiated from the inside

NAT Example

PAT Example
Network Security Systems
Stateful Inspection Firewalls
 Provide enhanced benefits compared to packet-filtering firewalls
 Monitor the state of each connection (established, closed, reset, or negotiated) and maintain a database called the state table; return traffic is permitted only when it matches an entry that inside-initiated traffic already created
 The following mechanisms offer protection against network attacks:

* Demilitarized Zones (DMZ)
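Worked example (added here; not code from the Cisco deck) covering both the NAT/PAT slide above and stateful inspection: a miniature TCP connection tracker with PAT and one static NAT mapping. It shows why an unsolicited inbound packet to the PAT address is dropped, why a static-NAT host is reachable from outside, and how a RST or FIN removes the state-table entry so later packets no longer match. The class and state names, the addresses and the port allocation are assumptions; timeouts, UDP/ICMP and ASA interface details are left out.

```python
"""Stateful inspection with NAT/PAT in miniature: outbound connections are translated
and recorded in a state table; inbound packets are admitted only when they match a
recorded connection or a static (bidirectional) NAT mapping. Added example, not Cisco
code; one inside/outside interface pair, TCP only, no timeouts."""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


class StatefulNatFirewall:
    def __init__(self, pat_ip: str, static_nat: Optional[Dict[str, str]] = None):
        self.pat_ip = pat_ip                               # shared mapped address for PAT
        self.static = static_nat or {}                     # real -> mapped, one-to-one
        self.static_rev = {m: r for r, m in self.static.items()}
        self.next_port = count(1024)                       # PAT source ports (a real ASA tries to keep the original port)
        # state table keyed on the mapped tuple (mapped_src, mapped_sport, outside_ip, outside_port)
        self.table: Dict[Tuple[str, int, str, int], dict] = {}

    def _find_outbound(self, seg: Segment):
        """Linear scan for the entry an inside host's packet belongs to (real tuple)."""
        for key, e in self.table.items():
            if (e["real_src"], e["real_sport"], key[2], key[3]) == (seg.src, seg.sport, seg.dst, seg.dport):
                return key
        return None

    def _advance(self, key, entry, flags):
        if flags & (FIN | RST):
            self.table.pop(key, None)                      # torn down: later packets no longer match
        elif flags & SYN and flags & ACK:
            entry["state"] = "SYN_ACK_SEEN"
        elif flags & ACK:
            entry["state"] = "ESTABLISHED"

    def outbound(self, seg: Segment) -> Optional[Segment]:
        """Inside -> outside. Returns the translated segment, or None if dropped."""
        key = self._find_outbound(seg)
        if key is None:
            if not seg.flags & SYN:
                return None                                # no state and not a connection attempt
            if seg.src in self.static:
                mapped = (self.static[seg.src], seg.sport)
            else:
                mapped = (self.pat_ip, next(self.next_port))
            key = (mapped[0], mapped[1], seg.dst, seg.dport)
            self.table[key] = {"real_src": seg.src, "real_sport": seg.sport, "state": "SYN_SENT"}
        self._advance(key, self.table[key], seg.flags)
        return replace(seg, src=key[0], sport=key[1])

    def inbound(self, seg: Segment) -> Optional[Segment]:
        """Outside -> inside. Unsolicited traffic is dropped unless a static NAT exposes the host."""
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        entry = self.table.get(key)
        if entry is None:
            if seg.dst in self.static_rev and seg.flags & SYN:
                entry = {"real_src": self.static_rev[seg.dst], "real_sport": seg.dport, "state": "SYN_SENT"}
                self.table[key] = entry
            else:
                return None
        self._advance(key, entry, seg.flags)
        return replace(seg, dst=entry["real_src"], dport=entry["real_sport"])

    def state_of(self, mapped_src: str, mapped_sport: int, outside: str, oport: int) -> Optional[str]:
        e = self.table.get((mapped_src, mapped_sport, outside, oport))
        return e["state"] if e else None


if __name__ == "__main__":
    fw = StatefulNatFirewall("203.0.113.1", static_nat={"192.168.1.10": "203.0.113.10"})
    print(fw.outbound(Segment("192.168.1.50", "198.51.100.10", 40000, 443, SYN)))
    print(fw.inbound(Segment("198.51.100.10", "203.0.113.1", 443, 1024, SYN | ACK)))
    print(fw.inbound(Segment("198.51.100.99", "203.0.113.1", 5555, 22, SYN)))   # None: dropped
    print(fw.inbound(Segment("198.51.100.99", "203.0.113.10", 5555, 80, SYN)))  # static NAT: admitted
```

Note what the static mapping costs: the host behind 203.0.113.10 is reachable for any inbound SYN, so on a real appliance it still needs an inbound ACL on the outside interface (see the ASA security-level rule earlier in this chapter), while the PAT hosts are unreachable by construction.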

Network Security Systems
Stateful Inspection Firewalls
 Network Segmentation

Network Security Systems
Stateful Inspection Firewalls
 High Availability – failover pairs: in Active/Standby mode one unit passes traffic and the standby takes over on failure; in Active/Active mode both units pass traffic (on the ASA this requires multiple-context mode)

Active-Standby Failover Mode
Active-Active Failover Mode

Network Security Systems
Stateful Inspection Firewalls
 High Availability - Clustering

Cisco ASAs in a Cluster

Network Security Systems
Stateful Inspection Firewalls
 Virtual Firewalls – firewalls can be deployed as virtual machines; an example is the Cisco ASAv (not the same as virtual contexts on a physical ASA, which partition one appliance into several logical firewalls)
 Deep Packet Inspection – firewalls can look at specific Layer 7 payloads to protect against security threats

Network Security Systems
Next-Generation Firewalls
 The proliferation of mobile devices and the need to connect from anywhere introduce unique challenges for the security environment
 The Cisco ASA family provides a comprehensive set of features and next-generation capabilities
 Cisco Firepower Threat Defense (FTD) – unified software that includes Cisco ASA features, legacy FirePOWER services and new features
 Cisco Firepower 4100 series – 1 RU appliances that run the Cisco FTD software and features
 Cisco Firepower 9300 series – designed for very large enterprises or service providers
 Cisco FTD for ISR – FTD can run on ISRs via UCS E-Series blades
Network Security Systems
Personal Firewalls
 Personal firewalls are typically installed on end-user machines or servers to protect them from security threats

Intrusion Detection System (IDS)
 IDS devices detect intrusion or security-compromise attempts from an attacker while operating in promiscuous mode: they inspect a copy of the traffic (from a SPAN port or a tap) and can alert, but they cannot drop the packet they flag

Network Security Systems
Intrusion Prevention System (IPS)
 IPS devices are capable of not only detecting security threats but also dropping malicious packets inline, because all traffic passes through them
 An IPS may initially be placed in monitoring (IDS) mode so that signatures can be tuned before blocking is enabled and false positives do not drop legitimate traffic

IPS Example

Network Security Systems
IDS and IPS
 The different types of IPS are:
• Traditional network-based IPSs (NIPSs)
• Next-generation IPS systems (NGIPSs)
• Host-based IPSs (HIPSs)
 Detection methodologies are:
• Pattern matching and stateful pattern-matching recognition
• Protocol analysis
• Heuristic-based analysis
• Anomaly-based analysis
• Global threat correlation capabilities
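Worked example (added here; not Cisco code): stateless versus stateful pattern matching, and the difference between a promiscuous IDS and an inline IPS. The signatures, flow tuples and HTTP segments are constructed. The point is that a signature split across two TCP segments is missed when each packet is inspected alone but found when the sensor keeps per-flow state, which is what the slide's "stateful pattern-matching recognition" refers to.

```python
"""Per-packet vs. stateful (stream-aware) pattern matching, and IDS alert vs. IPS drop.
Added example, not Cisco code; the signatures and the traffic are constructed."""
import re
from collections import defaultdict
from typing import List, Tuple

# Constructed toy signatures, keyed by name.
SIGNATURES = {
    "passwd-read": re.compile(rb"/etc/passwd"),
    "dir-traversal": re.compile(rb"\.\./\.\./"),
}

# Constructed traffic: (flow id, payload). Segments 0 and 1 belong to one HTTP request
# whose malicious string straddles the segment boundary; segment 2 is a benign request.
SAMPLE_PACKETS: List[Tuple[tuple, bytes]] = [
    (("10.1.1.9", 40001, "192.0.2.10", 80), b"GET /cgi-bin/view?f=/etc/pas"),
    (("10.1.1.9", 40001, "192.0.2.10", 80), b"swd HTTP/1.1\r\nHost: www\r\n\r\n"),
    (("10.1.1.5", 40002, "192.0.2.10", 80), b"GET /index.html HTTP/1.1\r\n\r\n"),
]


def per_packet_matches(packets):
    """Stateless matching: every segment is inspected on its own, so a pattern split
    across two segments is never seen whole."""
    hits = []
    for i, (_flow, payload) in enumerate(packets):
        hits.extend((i, name) for name, rx in SIGNATURES.items() if rx.search(payload))
    return hits


class StreamMatcher:
    """Stateful pattern matching: per flow, the tail of the previous payload is kept
    and prepended to the next one, so matches across segment boundaries are found."""

    def __init__(self, signatures, keep=64):
        self.signatures, self.keep = signatures, keep
        self.tails = defaultdict(bytes)

    def feed(self, flow, payload):
        buf = self.tails[flow] + payload
        hits = [name for name, rx in self.signatures.items() if rx.search(buf)]
        # after a hit, start fresh so the same bytes are not reported again
        self.tails[flow] = b"" if hits else buf[-self.keep:]
        return hits


def run_sensor(packets, inline):
    """inline=False: promiscuous IDS, sees a copy and only alerts; every segment reaches
    its destination. inline=True: IPS, the offending segment is dropped."""
    matcher = StreamMatcher(SIGNATURES)
    alerts, forwarded = [], []
    for i, (flow, payload) in enumerate(packets):
        hits = matcher.feed(flow, payload)
        alerts.extend((i, name) for name in hits)
        if inline and hits:
            continue
        forwarded.append(i)
    return alerts, forwarded


if __name__ == "__main__":
    print("per-packet hits:", per_packet_matches(SAMPLE_PACKETS))
    print("IDS (promiscuous):", run_sensor(SAMPLE_PACKETS, inline=False))
    print("IPS (inline):", run_sensor(SAMPLE_PACKETS, inline=True))
```

The inline sensor can only drop the segment that completed the pattern; the first half of the request was already forwarded. That is why a real IPS also resets or blocks the whole connection rather than dropping one packet, and why the per-flow reassembly state (bounded here by `keep`) is itself a resource an attacker can try to exhaust.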

Network Security Systems
Next-Generation Intrusion Prevention Systems
 With the Sourcefire acquisition, Cisco expanded its NGIPS portfolio with the following products:
• Cisco Firepower 8000 series appliances
• Cisco Firepower 7000 series appliances
• Virtual next-generation IPS (NGIPSv) appliances for VMware
 Firepower Management Center (FMC)
• Provides the centralized management and analysis platform for Cisco NGIPS appliances
• FMC models include:
- FS750: supports max of 10 managed devices
- FS2000: supports max of 70 managed devices
- FS4000: supports max of 300 managed devices
- FMC virtual appliance: supports max of 25 managed devices

Network Security Systems
Advanced Malware Protection (AMP)
 The following are the most common types of malicious
software:
• Computer virus
• Worm
• Mailer or mass-mailer worm
• Logic bomb
• Trojan horse
• Back door
• Exploit
• Downloader
• Spammer
• Key logger
• Rootkit
• Ransomware
Network Security Systems
Advanced Malware Protection (AMP)
 Increasingly sophisticated malware gets past basic personal firewalls and HIPS
 Cisco AMP for Endpoints provides granular visibility and control to stop advanced threats missed by other security layers
 It provides advanced malware protection for many operating systems, including Windows, Mac OS X, Android and Linux
 It provides visibility that goes beyond point-in-time detection: a file judged clean when it arrived can be flagged later once its disposition changes
 It uses threat intelligence from Cisco (Talos) for analysis and protection

Network Security Systems
Advanced Malware Protection (AMP)
 Cisco AMP for Networks provides continuous analysis and tracking of files, and retrospective security alerts when a file's disposition later changes
 Cisco AMP has the following connectors: AMP for Networks, AMP for Endpoints and AMP for Content Security Appliances
 The AMP for Networks connector examines, records and tracks files and sends file hashes (and, when configured, the files themselves for dynamic analysis) to the cloud

Network Security Systems
Web Security Appliance
 Web-based threats are a huge problem for organizations
 Cisco has developed several tools and mechanisms to help combat these threats
 Cisco solutions include:
• Cisco Web Security Appliance (WSA)
• Cisco Security Management Appliance (SMA)
• Cisco Cloud Web Security (CWS)
 Cisco WSA uses cloud-based intelligence from Cisco
 Cloud-based intelligence includes web (URL) reputation and zero-day intelligence from Talos, Cisco's security intelligence and research group
Network Security Systems
Web Security Appliance
 WSA can be deployed in explicit proxy mode, where clients (typically via browser or PAC-file settings) are configured to send requests to the proxy, or as a transparent proxy using the Web Cache Communication Protocol (WCCP), where a router or ASA redirects web traffic to the WSA with no client configuration

Explicit Proxy Configuration

Transparent Proxy Configuration


Network Security Systems
Web Security Appliance
 Cisco WSA runs the Cisco AsyncOS operating system
 Supported features that help mitigate web-based threats include:
• Real-time antimalware adaptive scanning
• Layer 4 traffic monitor
• Third-party DLP integration
• File reputation
• File sandboxing
• File retrospection
• Application visibility and control

Network Security Systems
Email Security Appliance
 The most common email-based threats are:
• Spam
• Malware attachments
• Phishing, spear phishing, whaling
 Cisco Email Security Appliance (ESA) runs AsyncOS
 Supported features that help mitigate email-based threats include:
• Access control
• Anti-spam
• Network antivirus
• Advanced Malware Protection (AMP)
• Data Loss Prevention (DLP)
• Email encryption
• Email authentication and outbreak filters
Network Security Systems
Web/Email Security Appliance
 Cisco Security Management Appliance (SMA) centralizes the
management and reporting of one or more Cisco ESAs and
WSAs.

Cisco SMA

Network Security Systems
Cisco Identity Services Engine (ISE)
 Cisco ISE is a comprehensive security identity-management solution designed to function as the policy decision point for network access
 It is the central policy management platform in the Cisco TrustSec solution
 ISE provides Network Admission Control (NAC) features, including posture policies (checking, for example, that an endpoint runs current antivirus and patches before it is granted full access)
 ISE supports the following agent types for posture:
• Cisco NAC web agent
• Cisco NAC Agent
• Cisco AnyConnect Secure Mobility Client

Security Cloud-based Solutions
Security Cloud-based Solutions
 Cisco provides the following cloud-based security services:
• Cisco Cloud Web Security (CWS)
• Cisco Cloud Email Security (CES)
• Cisco AMP Threat Grid
• Cisco Threat Awareness Service
• OpenDNS
• CloudLock

Cisco NetFlow
Cisco NetFlow
 NetFlow is a Cisco technology that provides comprehensive visibility into the traffic that traverses a supported Cisco device, summarized as flow records rather than full packets
 Initially created for billing and accounting
 NetFlow is now used as a network security tool because its records provide an audit trail of who talked to whom, when and how much (nonrepudiation), a basis for anomaly detection, etc.
 NetFlow supports both IPv4 and IPv6
 NetFlow records are usually exported via UDP; port 2055 is the conventional collector port
 Because the export is plain UDP, records can be lost under load, and the collector should accept exports only from known exporter addresses
 Internet Protocol Flow Information Export (IPFIX) was created by the IETF based on NetFlow version 9
 UDP port 4739 is the default port used by IPFIX

Cisco NetFlow
Cisco NetFlow
 A flow is a unidirectional series of packets between a given source and destination that share the same key fields (in classic NetFlow: source and destination address, source and destination port, protocol, ToS and input interface)
 A flow is different from a session: all traffic in a flow is going in the same direction, so one TCP session produces two flows, one per direction, which a collector has to pair up
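Worked example (added here; not Cisco code): a parser for the NetFlow v5 export datagram a collector would receive on UDP 2055, followed by the two things a SOC does with the records: pairing the two unidirectional flows of one TCP session, and an anomaly heuristic that flags a source opening many ports on one host with single-packet SYN flows. The record layout is the published v5 format; the flows, addresses and thresholds are constructed sample data.

```python
"""Parse a constructed NetFlow v5 export datagram, pair the unidirectional flows into
sessions and flag a scan-like anomaly. Added example, not Cisco code; the record
layout is the published v5 format, the sample flows are made up."""
import socket
import struct
from collections import defaultdict
from typing import List

NETFLOW_PORT = 2055                                     # conventional collector port
V5_HEADER = struct.Struct(">HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record


def build_v5_datagram(flows) -> bytes:
    """Build an export packet from (src, dst, sport, dport, proto, pkts, octets, tcp_flags).
    Stands in for the exporter so the example runs offline."""
    header = V5_HEADER.pack(5, len(flows), 1_000, 1_700_000_000, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, pkts, octets, 900, 1_000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets, flags in flows)
    return header + body


def parse_v5(datagram: bytes) -> List[dict]:
    """Collector side: validate the version, then walk `count` fixed-size records."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version {version})")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                        "packets": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                        "tcp_flags": r[12], "proto": r[13]})
    return records


def pair_sessions(records):
    """Flows are unidirectional, so one TCP session shows up as two records with
    mirrored tuples; group them under a direction-independent key."""
    sessions = defaultdict(list)
    for r in records:
        a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
        key = (r["proto"],) + (a + b if a <= b else b + a)
        sessions[key].append(r)
    return dict(sessions)


def detect_scanners(records, min_ports=5):
    """Anomaly heuristic: one source opening many distinct destination ports on one
    host with tiny SYN-only flows looks like a port scan."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == 6 and r["packets"] <= 2 and r["tcp_flags"] & 0x02:
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


# Constructed sample: one HTTPS session (both directions) and a six-port SYN scan.
SAMPLE_FLOWS = [
    ("10.1.1.5", "198.51.100.10", 51000, 443, 6, 20, 4100, 0x1b),
    ("198.51.100.10", "10.1.1.5", 443, 51000, 6, 18, 15800, 0x1b),
] + [("10.1.1.9", "10.1.1.20", 40000 + i, p, 6, 1, 60, 0x02)
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]

if __name__ == "__main__":
    recs = parse_v5(build_v5_datagram(SAMPLE_FLOWS))
    print(len(recs), "records;", len(pair_sessions(recs)), "sessions")
    print("scan candidates:", detect_scanners(recs))
```

The parser trusts `count` from the header only as far as the datagram actually contains that many records; a collector that listens on 2055 for real should also check the length before unpacking and remember that a v5 datagram carries at most 30 records.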

Cisco NetFlow
Cisco NetFlow vs. Packet Capture
 NetFlow is like collecting metadata on all transactions/flows traversing the network
 The cost and the amount of data that need to be stored and analyzed are much higher with packet captures, which in return keep the payload that NetFlow discards
 The three types of NetFlow cache are as follows:
• Normal cache – default cache type in many infrastructure devices enabled with NetFlow. Entries are removed based on the configured active and inactive timeouts
• Immediate cache – each flow accounts for a single packet. Desirable for real-time monitoring and DDoS detection, at the cost of many more exported records
• Permanent cache – used to track a set of flows without expiring them from the cache; statistics are exported periodically instead

Data Loss Prevention (DLP)
Data Loss Prevention (DLP)
 The ability to detect sensitive emails, documents or other information leaving the organization
 Several Cisco products integrate with third-party products to provide this type of solution
 Cisco CloudLock is another DLP solution
 Data loss is not always due to an external attack; much of it results from internal (insider) actions, malicious or accidental
 Hence maintaining visibility into what is coming in as well as what is leaving the organization is highly important
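Worked example (added here; not Cisco code): a content check an outbound DLP gateway applies to an email body. It finds candidate payment card numbers with a regular expression, discards candidates that fail the Luhn checksum (so ticket and phone numbers are not flagged), redacts the confirmed ones, and returns a block/allow verdict. The sample message, the well-known 4111 1111 1111 1111 test number and the policy function are constructed.

```python
"""Outbound DLP check: find card numbers (PANs) in an email body, using the Luhn
checksum to avoid flagging every long digit string, and redact them before the
message leaves. Added example, not Cisco code; the message is constructed."""
import re
from typing import List

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 if the
    result exceeds 9, and the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Candidates that pass Luhn; everything else (ticket numbers, phone numbers) is ignored."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask all but the last four digits of each confirmed PAN; leave false candidates untouched."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return ("*" * (len(digits) - 4) + digits[-4:]) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(mask, text)


def outbound_policy(text: str) -> str:
    """Gateway verdict for an outbound message: block when a confirmed PAN is present."""
    return "block" if find_pans(text) else "allow"


# Constructed sample message: one real (test) card number, one Luhn-failing typo, one ticket id.
SAMPLE_EMAIL = """Hi, please charge the customer card 4111 1111 1111 1111 (exp 12/27).
Ticket reference 1234567890123 and the other card was 4111111111111112 (typo?)."""

if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL), outbound_policy(SAMPLE_EMAIL))
    print(redact(SAMPLE_EMAIL))
```

The Luhn check is what keeps this usable: on real mail traffic the regular expression alone fires on order numbers, tracking ids and phone numbers, and a DLP rule that blocks on those is switched off within a week. Checking the digit run as a whole (the lookarounds forbid matching a shorter prefix of a longer run) also avoids reporting a 13-digit sub-span of a 16-digit number.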

