Chapter 2 Network Security Devices and Cloud Services
Chapter 1: Cybersecurity and the Security Operations Center
Cybersecurity Operations
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 2: Network Security Devices and Cloud Services
Chapter 2 - Sections & Objectives
2.1 Network Security Systems
2.2 Security Cloud-based Solutions
2.3 Cisco Netflow
2.4 Data Loss Prevention
2.1 Network Security Systems
Network Security Systems
Network Security devices include the following:
• Traditional and next-generation firewalls
• Personal firewalls
• Intrusion Detection Systems (IDS)
• Traditional and Next-Gen Intrusion Prevention Systems (IPSs)
• Anomaly Detection Systems
• Advanced Malware Protection (AMP)
• Web Security Appliances
• Email Security Appliances
• Identity Management Systems
Network Security Systems
Traditional Firewalls
Placed between a trusted and an untrusted network
Personal firewalls run on the end host
Network firewalls are used for perimeter security
Processes used to allow or block traffic may include:
• Simple packet-filtering techniques
• Application proxies
• Network address translation
• Stateful inspection firewalls
• Next-generation context-aware firewalls
Network Security Systems
Packet Filtering Techniques
Control access by inspecting traffic at the transport layer
Inspection is defined in an ACL based on the five-tuple:
• Source address
• Destination address
• Source port
• Destination port
• Protocol
ACLs are typically configured in firewalls but can also be configured in routers, WLCs, L3 switches, etc.
A new ACE is appended to the end of an ACL
ACEs are evaluated in sequential order; the first matching ACE decides
There is an implicit deny at the end of every ACL
On the ASA, each interface is assigned a security level; the higher the security level, the more trusted the interface
Network Security Systems
Packet Filtering Techniques
An ACL must explicitly permit traffic traversing the security appliance from a lower to a higher security level interface
ACLs can control traffic through the security appliance as well as traffic to the security appliance itself
Cisco ASA supports five different types of ACLs:
• Standard ACLs
• Extended ACLs
• IPv6 ACLs
• EtherType ACLs
• Webtype ACLs
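The evaluation rules above (sequential ACEs, first match wins, implicit deny at the end) as an added example in Python; this is not Cisco code, and the ACL, addresses and packets are constructed for illustration. It also shows why ACE order matters: an anti-spoofing deny placed before the web permits catches a packet that a later permit would otherwise accept.

```python
"""Evaluate a packet-filter ACL against five-tuples the way the slides describe.
Added example, not Cisco code; the ACL and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY_PORT = (0, 65535)  # inclusive port range meaning "any"


@dataclass(frozen=True)
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                         # source network in CIDR notation
    dst: str                         # destination network in CIDR notation
    sport: Tuple[int, int] = ANY_PORT
    dport: Tuple[int, int] = ANY_PORT

    def matches(self, pkt) -> bool:
        src, dst, sport, dport, proto = pkt  # the five-tuple
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])


def evaluate(acl, pkt) -> Tuple[str, Optional[int]]:
    """Walk the ACEs in order; return (action, index of the matching ACE).
    Index None means no ACE matched and the implicit deny applied."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None


# Constructed ACL applied inbound on an outside interface: only HTTP/HTTPS to the
# DMZ and DNS to one server are permitted. The anti-spoofing deny comes first so a
# packet claiming a private source cannot reach the web permits below it.
OUTSIDE_IN = [
    ACE("deny",   "ip",  "10.0.0.0/8", "0.0.0.0/0"),
    ACE("permit", "tcp", "0.0.0.0/0",  "192.0.2.0/24",  dport=(80, 80)),
    ACE("permit", "tcp", "0.0.0.0/0",  "192.0.2.0/24",  dport=(443, 443)),
    ACE("permit", "udp", "0.0.0.0/0",  "192.0.2.53/32", dport=(53, 53)),
]

if __name__ == "__main__":
    spoofed = ("10.3.3.3", "192.0.2.10", 40000, 80, "tcp")       # hits ACE 0 (deny)
    web = ("198.51.100.7", "192.0.2.10", 40000, 443, "tcp")      # hits ACE 2 (permit)
    ssh = ("198.51.100.7", "192.0.2.10", 40000, 22, "tcp")       # falls to implicit deny
    for name, pkt in [("spoofed", spoofed), ("web", web), ("ssh", ssh)]:
        print(name, evaluate(OUTSIDE_IN, pkt))
```

Appending a new permit for SSH would land after the existing ACEs, so it only takes effect for packets that no earlier ACE already matched.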
Network Security Systems
Application Proxies
Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network
Most proxy firewalls work at the application layer
They can cache information to accelerate their transactions
They are considered a man-in-the-middle device
Network Security Systems
Network Address Translation (NAT)
Layer 3 devices translate the internal host's private (real) IP addresses to a publicly routable (mapped) address
Static NAT allows connections to be initiated bidirectionally
(Figure: NAT Example)
(Figure: PAT Example)
Network Security Systems
Stateful Inspection Firewalls
Provide enhanced benefits compared to packet-filtering firewalls
Monitor the state of connections (established, closed, reset, or negotiated) and maintain a database called the state table
The following mechanisms offer protection against network attacks:
Network Security Systems
Stateful Inspection Firewalls
Network Segmentation
Network Security Systems
Stateful Inspection Firewalls
High Availability
Network Security Systems
Stateful Inspection Firewalls
High Availability - Clustering
Network Security Systems
Stateful Inspection Firewalls
Virtual Firewalls – firewalls can be deployed as virtual machines; an example is the Cisco ASAv (not the same as virtual contexts on ASA devices)
Network Security Systems
Next-Generation Firewalls
The proliferation of mobile devices and the need to connect from anywhere introduce unique challenges to the security environment
The Cisco ASA family provides a very comprehensive set of features and next-generation capabilities
Cisco Firepower Threat Defense (FTD) – unified software that includes Cisco ASA features, legacy FirePOWER services, and new features
Cisco Firepower 4100 series – 1 RU appliances that run Cisco FTD software and features
Cisco Firepower 9300 series – designed for very large enterprises or service providers
Cisco FTD for ISR – FTD can run on ISRs via UCS blades
Network Security Systems
Personal Firewalls
Personal firewalls are typically installed on end-user machines or servers to protect them from security threats
Network Security Systems
Intrusion Prevention System (IPS)
IPS devices are capable of not only detecting security threats but also dropping malicious packets inline
An IPS may initially be placed in monitoring mode
(Figure: IPS Example)
Network Security Systems
IDS and IPS
Different types of IPSs are:
• Traditional network-based IPSs (NIPSs)
• Next-generation IPSs (NGIPSs)
• Host-based IPSs (HIPSs)
Detection methodologies are:
• Pattern matching and stateful pattern-matching recognition
• Protocol analysis
• Heuristic-based analysis
• Anomaly-based analysis
• Global threat correlation capabilities
Network Security Systems
Next-Generation Intrusion Prevention Systems
With the Sourcefire acquisition, Cisco expanded its NGIPS portfolio with the following products:
• Cisco Firepower 8000 series appliances
• Cisco Firepower 7000 series appliances
• Virtual next-generation IPS (NGIPSv) appliances for VMware
Firepower Management Center
• Provides a centralized management and analysis platform for Cisco NGIPS appliances
• FMC models include:
- FS750: supports max of 10 managed devices
- FS2000: supports max of 70 managed devices
- FS4000: supports max of 300 managed devices
- FMC virtual appliance: supports max of 25 managed devices
Network Security Systems
Advanced Malware Protection (AMP)
The following are the most common types of malicious software:
• Computer virus
• Worm
• Mailer or mass-mailer worm
• Logic bomb
• Trojan horse
• Back door
• Exploit
• Downloader
• Spammer
• Key logger
• Rootkit
• Ransomware
Network Security Systems
Advanced Malware Protection (AMP)
More sophisticated malicious software makes basic personal firewalls and HIPSs obsolete
Cisco AMP for Endpoints provides granular visibility and control to stop advanced threats missed by other security layers
It provides advanced malware protection for many operating systems, including Windows, Mac OS X, Android, and Linux
It provides visibility that goes beyond point-in-time detection
It uses threat intelligence from Cisco for analysis and protection
Network Security Systems
Advanced Malware Protection (AMP)
Cisco AMP for Networks provides continuous analysis and tracking of files, as well as retrospective security alerts
Cisco AMP has the following connectors: AMP for Networks, AMP for Endpoints, and AMP for Content Security Appliances
The AMP for Networks connector examines, records, tracks, and sends files to the cloud
Network Security Systems
Web Security Appliance
Web-based threats are a huge problem for organizations
Cisco has developed several tools and mechanisms to help combat these threats
Cisco solutions include:
Network Security Systems
Email Security Appliance
The most common email-based threats are:
• Spam
• Malware attachments
• Phishing, spear phishing, and whaling
The Cisco Email Security Appliance (ESA) runs AsyncOS
Supported features that help mitigate email-based threats include:
• Access control
• Anti-spam
• Network antivirus
• Advanced Malware Protection (AMP)
• Data Loss Prevention (DLP)
• Email encryption
• Email authentication and outbreak filters
Network Security Systems
Web/Email Security Appliance
The Cisco Security Management Appliance (SMA) centralizes the management and reporting of one or more Cisco ESAs and WSAs
(Figure: Cisco SMA)
Network Security Systems
Cisco Identity Services Engine (ISE)
Cisco ISE is a comprehensive security identity management solution designed to function as a policy decision point for network access
It is the central policy management platform in the Cisco TrustSec solution
ISE provides Network Admission Control (NAC) features, including posture policies
ISE supports the following agent types for posture assessment:
• Cisco NAC web agent
• Cisco NAC Agent
• Cisco AnyConnect Secure Mobility Client
Network Security Systems
Security Cloud-based Solutions
Cisco provides the following cloud-based security services:
• Cisco Cloud Web Security (CWS)
• Cisco Cloud Email Security (CES)
• Cisco AMP Threat Grid
• Cisco Threat Awareness Service
• OpenDNS
• CloudLock
Network Security Systems
Cisco NetFlow
NetFlow is a Cisco technology that provides comprehensive visibility into all network traffic that traverses a supported Cisco device
It was initially created for billing and accounting
NetFlow is now also used as a network security tool because its reporting can provide nonrepudiation, anomaly detection, etc.
NetFlow supports both IPv4 and IPv6
NetFlow records are usually exported via UDP port 2055
Internet Protocol Flow Information Export (IPFIX) was created by the IETF based on NetFlow version 9
UDP port 4739 is the default port used by IPFIX
Network Security Systems
Cisco NetFlow
A flow is a unidirectional series of packets between a given source and destination
A flow is different from a session: all traffic in a flow is going in the same direction, so one TCP session produces two flows, one per direction
Network Security Systems
Cisco NetFlow vs Packet Capture
NetFlow is like collecting metadata on all transactions/flows traversing the network
The cost and amount of data that needs to be analyzed is much higher with packet captures
The three types of NetFlow cache are as follows:
• Normal cache – the default cache type in many infrastructure devices with NetFlow enabled. Entries are removed based on configured timeouts
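The flow-versus-session distinction and the normal cache's timeout-based eviction, as an added example in Python (not Cisco code). It keys a cache on the five-tuple the slides use, expires idle entries after an inactive timeout, and shows that the same constructed packets yield two unidirectional flows but one bidirectional session; the packet headers are constructed, not captured.

```python
"""Build NetFlow-style flow records from packet headers.
Added example, not Cisco code; the packets are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def flow_key(pkt):
    """Unidirectional key: the five-tuple exactly as seen on the wire."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])


def session_key(pkt):
    """Bidirectional key: sort the two endpoints so both directions collapse into one."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (min(a, b), max(a, b), pkt["proto"])


def aggregate(packets, keyfunc, inactive_timeout=15.0):
    """Return (active cache, expired records). Like a normal cache, an entry idle
    longer than inactive_timeout seconds is expired when the next packet arrives."""
    cache, expired = {}, []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        idle = [k for k, f in cache.items() if pkt["ts"] - f.last_seen > inactive_timeout]
        for k in idle:
            expired.append((k, cache.pop(k)))
        f = cache.setdefault(keyfunc(pkt), Flow(first_seen=pkt["ts"], last_seen=pkt["ts"]))
        f.packets += 1
        f.bytes += pkt["len"]
        f.last_seen = pkt["ts"]
    return cache, expired


# Constructed sample: a short HTTP exchange, then a DNS query 40 s later (proto 6 = TCP, 17 = UDP).
PACKETS = [
    {"ts": 0.0, "src": "10.1.1.5", "dst": "203.0.113.10", "sport": 51000, "dport": 80, "proto": 6, "len": 60},
    {"ts": 0.1, "src": "203.0.113.10", "dst": "10.1.1.5", "sport": 80, "dport": 51000, "proto": 6, "len": 60},
    {"ts": 0.2, "src": "10.1.1.5", "dst": "203.0.113.10", "sport": 51000, "dport": 80, "proto": 6, "len": 512},
    {"ts": 0.3, "src": "203.0.113.10", "dst": "10.1.1.5", "sport": 80, "dport": 51000, "proto": 6, "len": 1500},
    {"ts": 40.0, "src": "10.1.1.5", "dst": "10.1.1.53", "sport": 53001, "dport": 53, "proto": 17, "len": 70},
]

if __name__ == "__main__":
    for name, keyfunc in [("flows", flow_key), ("sessions", session_key)]:
        active, done = aggregate(PACKETS, keyfunc)
        print(name, "expired:", len(done), "active:", len(active))
```

Each expired record is what a NetFlow exporter would send to the collector; the arrival of the DNS packet is what flushes the idle HTTP entries here.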
Network Security Systems
Data Loss Prevention (DLP)
DLP is the ability to detect any sensitive emails, documents or information leaving your organization
Several Cisco products integrate with third-party products to provide this type of solution
Cisco CloudLock is another DLP solution
Data loss is not always due to an external attack; many data losses are the result of internal (insider) attacks
Hence, maintaining visibility into what is coming in as well as what is leaving the organization is highly important