BRKSEC-2007
14465_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Security as an Option
[Diagram: threats against the branch: DDoS on the router, attack on the DMZ, attacks on branch servers, worms/viruses, wireless attacks, voice attacks; branch offices reach headquarters and web surfing across the Internet through a QFP-based router]
[Diagram: integrated branch office security: Network Foundation Protection protects the router itself from hacking and DoS attacks; Integrated Firewall and Application Firewall secure Internet access to the branch without the need for additional devices; Voice Security and Wireless Security counter voice and wireless attacks; URL Filtering regulates URL surfing and conserves WAN bandwidth; control worms congesting the WAN]
[Diagram: other services on the same QFP-based router: Role-Based Access, GET VPN, DMVPN, SSL VPN, IPsec VPN, SDM, NetFlow, IP SLA]
http://www.cisco.com/go/iosfw
[Diagram: zone-based firewall with Private, DMZ and Public zones and the policies between them: Private-DMZ policy, DMZ-Private policy, Public-DMZ policy, Private-Public policy]
[Diagram: transparent firewall: the firewall sits between the VLAN 1 hosts (192.168.1.2, wireless host 192.168.1.3) and Fa 0/0 toward the Internet, with both sides on the same subnet]
[Diagram: Cisco IOS IPS at the branch office: protect the router and local network from DoS attacks; stop attacks before they fill up the WAN]
http://www.cisco.com/go/iosips
Comprehensive, Scalable IPS Management
Integrated, Collaborative Security for the Branch
Full range of management options:
Cisco SDM 2.5† provides full IPS provisioning and monitoring for a single router
Cisco Security Manager 3.1† / CS-MARS for enterprise IPS
CLI option supports automated provisioning and signature update†
Cisco Configuration Engine for MSSP—scales to thousands of devices‡
[Diagram: transparent IPS: the same topology as the transparent firewall, with the IPS between the VLAN 1 hosts (192.168.1.2, wireless host 192.168.1.3) and Fa 0/0 toward the Internet]
Branch Office Web Surfing
Control downloads of objectionable or offensive material, limit liabilities
Cisco IOS supports static whitelist and blacklist URL filtering
External filtering servers such as Websense and SmartFilter can be used at the corporate office, with Cisco IOS static lists as backup
SDM 2.3 supports configuring static lists and importing .csv files for URL lists
http://www.cisco.com/go/nfp
[Diagram: Network Foundation Protection packet path: input to the control plane and output from the control plane, with CEF/FIB lookup in between]
Cisco.com/go/nfp
Secure Connectivity
GET VPN, DMVPN, Easy VPN, SSL VPN
[Diagram: VPN transport options: infrastructure network, public Internet transport, private IP transport]
GET VPN Simplifies Security Policy and Key Distribution
GET VPN Uses IP Header Preservation to Mitigate Routing Overlay
[Diagram: group members on Subnet 1 and Subnet 3; the original IP packet (IP header, IP payload) keeps its IP header after encryption]
DMVPN: supports dynamically addressed spokes; zero-touch configuration for addition of new spokes
[Diagram: spokes (e.g. Spoke C) reaching the hub across the WAN/Internet]
Cisco Security MARS
Design Consideration
Manageability
Provisioning firewall policies:
CLI, Cisco Security Manager, SDM and Config Engine
Monitoring firewall activity:
Syslog, SNMP, screen-scrapes from "show" commands
Modifying security policies:
SDM supports zone-based firewall
Interoperability
Cisco IOS Firewall interoperates with other features: NAT, VPN,
Intrusion Prevention System (IPS), WCCP/WAAS, proxy, URL filtering and QoS
Memory Usage
A single TCP or UDP (Layer 3/4) session takes 600 bytes of memory
Multi-channel protocol sessions use more than 600 bytes of memory
Design Consideration
Cisco IOS Firewall
Addressing
Firewall policies can be made much more efficient with a well thought-out IP address scheme
Performance Consideration
Cisco IOS Firewall Performance Guidelines for ISRs (800-3800):
http://www.cisco.com/en/US/partner/products/ps5855/products_white_paper0900aecd8061536b.shtml
ASR1000 TCP/ICMP/UDP inspection performance (up to 10G) with select ALGs (SIP UDP, active FTP, DNS, H.323v2, SCCP)
Design Consideration
Cisco IOS Flexible Packet Matching (IOS FPM)

Functionality                                   | ACL                  | IOS FPM on ISR, 12.4(15)T2                                                   | IOS FPM on ASR1000, RLS 2.2
# of ACEs per interface                         | Unlimited            | Unlimited                                                                    | 60,000
# of match criteria / ACE                       | 4                    | Unlimited                                                                    | 2
Depth of inspection                             | 44 bytes             | Full packet                                                                  | 256 bytes
Raw offset                                      | No                   | Yes                                                                          | Yes
Relative offset (fixed header length support)   | No                   | Yes                                                                          | Yes
Dynamic offset (variable header length support) | No                   | Yes                                                                          | No
Nested policies                                 | No                   | Yes                                                                          | Yes
Nested class-maps                               | No                   | Yes                                                                          | Yes
Regex match                                     | No                   | Yes                                                                          | Yes
String match                                    | No                   | Yes                                                                          | Yes
Match string pattern window                     | No                   | Full packet                                                                  | Full packet
Protocol support                                | IPv4, TCP, UDP, ICMP | IPv4, TCP, UDP, ICMP, Ethernet, GRE, IPsec                                   | IPv4, TCP, UDP, ICMP, Ethernet
Actions supported                               | permit, deny, log    | permit, count, drop, log, send-response, nested-policy, redirect, rate limit | permit, count, drop, log, send-response
Design Consideration
Migrating to Cisco IOS IPS 5.x (12.4(11)T2)
Manageability
Provisioning IPS policies:
CLI, Cisco Security Manager, SDM and Config Engine
Design Consideration
Provisioning and Monitoring Options
Performance Consideration
Router performance is not affected by adding more signatures
Memory Usage
The signature compilation process is highly CPU-intensive while signatures are being compiled. The number of signatures that can be loaded on a router is memory-dependent
Fragmentation
Cisco IOS IPS uses VFR (Virtual Fragmentation Reassembly) to detect fragmentation attacks
[Table fragment: Signature updates and tuning: using SDF / using IDCONF / using IDCONF (SDF is the signature format of IOS IPS 4.x, IDCONF that of IOS IPS 5.x)]
Note: Only one IPS solution may be active in the router. All others must be removed or disabled.
Agenda
[Diagram: branch offices with QFP-based routers connected over the Internet]
Security Services at the Branch Office:
Cisco IOS Firewall
Cisco IOS IPS
Infrastructure Protection ACLs
[Diagram: branch office router (QFP) with a private WAN to headquarters; backup: Internet (ADSL) with VPN, or UMTS; Internet access is via split-tunneling]
Failover: routing protocol with EOT (Enhanced Object Tracking)
Security Services at the Branch Office: Cisco IOS Firewall, Cisco IOS IPS, Infrastructure Protection ACLs
Real World Use Cases
[Diagram: branch office router (QFP) with two LANs: employees on 192.168.1.x/24 can access the corporate network at headquarters via an encrypted IPsec tunnel over the Internet; wireless guests on 192.168.2.x/24 can access the Internet only; the router inspects Internet traffic]
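The employee/guest split in that diagram, written out as a Cisco IOS zone-based firewall configuration. This is an added example, not from the deck: the interface names and the zone, class-map and policy-map names are assumptions, and the IPsec tunnel to headquarters is left out (traffic to headquarters would need its own zone-pair).

```ios
! Added example, not from the deck. Assumed interface roles:
! Fa0/0 = employee LAN, Fa0/1 = guest wireless, Fa0/2 = Internet uplink.
zone security employees
zone security guests
zone security internet
!
interface FastEthernet0/0
 description Employees 192.168.1.0/24
 zone-member security employees
!
interface FastEthernet0/1
 description Wireless guests 192.168.2.0/24
 zone-member security guests
!
interface FastEthernet0/2
 description Internet uplink
 zone-member security internet
! Guests: only web and DNS are inspected through; everything else is
! dropped and logged.
class-map type inspect match-any GUEST-ALLOWED
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect GUEST-TO-INTERNET
 class type inspect GUEST-ALLOWED
  inspect
 class class-default
  drop log
!
! Employees: stateful inspection of TCP, UDP and ICMP toward the Internet,
! so only replies to sessions opened from inside are allowed back in.
class-map type inspect match-any EMPLOYEE-ALLOWED
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect EMPLOYEE-OUT
 class type inspect EMPLOYEE-ALLOWED
  inspect
 class class-default
  drop log
!
zone-pair security guests-internet source guests destination internet
 service-policy type inspect GUEST-TO-INTERNET
zone-pair security employees-internet source employees destination internet
 service-policy type inspect EMPLOYEE-OUT
! No zone-pair exists from guests to employees, so guest-to-employee
! traffic is dropped by the default inter-zone policy.
```

The guest isolation comes from the absence of a guests-to-employees zone-pair rather than from an explicit deny, which is why adding a new zone without reviewing the zone-pairs never silently opens a path.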
Security Zones:
zone security private
zone security public
zone security dmz
!
interface fastethernet 1
 description dmz interface
 zone-member security dmz
Cisco IOS Firewall, NAT, and URL-filtering policies are virtual routing and forwarding (VRF) aware, providing support for overlapping address space, which simplifies troubleshooting and operations
[Diagram: retail store router with VRF A, VRF B and VRF C separating the photo shop (192.168.1.x/24), the retail store cash register and the retail store Internet services, the latter two both using 192.168.2.x/24; an IPsec tunnel over the Internet to headquarters; the router supports the overlapping address space]
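The overlapping-address retail case, as an added example that is not from the deck: two store networks both numbered 192.168.2.0/24 are kept apart in VRFs B and C, each with its own default route, overload NAT and zone-pair toward the global Internet uplink. The interface names, route distinguishers, ACL number, uplink addressing and zone/policy names are assumptions.

```ios
! Added example, not from the deck. Assumed: Fa0/0 = cash registers (VRF B),
! Fa0/1 = Internet services network (VRF C), Fa0/2 = Internet uplink (global).
ip vrf B
 rd 65000:2
ip vrf C
 rd 65000:3
zone security registers
zone security services
zone security internet
!
interface FastEthernet0/0
 description Cash registers, 192.168.2.0/24 inside VRF B
 ip vrf forwarding B
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 zone-member security registers
!
interface FastEthernet0/1
 description Internet services, the same 192.168.2.0/24 inside VRF C
 ip vrf forwarding C
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 zone-member security services
!
interface FastEthernet0/2
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 zone-member security internet
!
! Per-VRF default routes into the global uplink and per-VRF overload NAT,
! so the identical inside addresses never collide (203.0.113.1 = assumed gateway).
ip route vrf B 0.0.0.0 0.0.0.0 FastEthernet0/2 203.0.113.1 global
ip route vrf C 0.0.0.0 0.0.0.0 FastEthernet0/2 203.0.113.1 global
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/2 vrf B overload
ip nat inside source list 10 interface FastEthernet0/2 vrf C overload
class-map type inspect match-any STORE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect STORE-TO-INTERNET
 class type inspect STORE-OUT
  inspect
 class class-default
  drop log
zone-pair security registers-internet source registers destination internet
 service-policy type inspect STORE-TO-INTERNET
zone-pair security services-internet source services destination internet
 service-policy type inspect STORE-TO-INTERNET
```

Because there is no zone-pair between registers and services, the two 192.168.2.0/24 networks cannot reach each other even though they share addresses; the VRF keeps the routes apart and the zone policy keeps the traffic apart.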
[Diagram: WAN load balancing at the branch office: router (QFP) dual-homed to ISP-1 and ISP-2 with multi-home NAT, destination-based load balancing and zone-based firewall; servers 192.168.3.14-16/24; employees 192.168.1.x/24 over an IPsec tunnel to headquarters; wireless guests 192.168.2.x/24]
Case Study
[Diagram: schools connected by T1 links to a private WAN through a QFP-based router, with URL filtering applied at each school]
Education—Decentralized Deployment
[Diagram: school district with schools and a backup building on T1 links to the private WAN and the Internet, each site with DSL backup; illegal surfing originating from the schools]
Apply IPS on traffic from schools to kill worms from infected PCs
Secure Internet
Advanced Layer 3-7 firewall
Web usage control
Summary
Recommended Reading
Cisco.com/go/securitycert