© 2002, Cisco Systems, Inc. All rights reserved.

Cisco SAFE Networking For Higher Education

Network Security Team, Cisco Systems, Inc.

Education Today

We are educating our children more than ever before on the value of technology.

The Challenge: To improve student academic achievement through the use of technology.

The Solution: Teach children how to use the technological tools available to them and integrate that technology into the curriculum to improve student achievement.

HOW TECHNOLOGY CAN WORK WELL IN SCHOOLS

No Child Left Behind focuses on how teachers and students can use technology; previous federal programs focused on increasing access to more technology. In an effort to improve student achievement through the use of technology, U.S. Secretary of Education Rod Paige announced a new Enhancing Education Through Technology (ED Tech) initiative. The goals of Education Technology are to:

• Improve student academic achievement through the use of technology in elementary schools and secondary schools.

• Assist students to become technologically literate by the time they finish the eighth grade.

• Ensure that teachers are able to integrate technology into the curriculum to improve student achievement.

Chart: Percentage of students who reported using a computer at school at least once a week, by grade.

The Facts About... 21st-Century Technology

US Department of Education, No Child Left Behind program

Technologies and Procedures to Prevent Student Access to Inappropriate Material on the Internet

• Among schools using technologies or procedures to prevent student access to inappropriate material on the Internet, 91 percent reported that teachers or other staff members monitored student Internet access.

• Eighty-seven percent used blocking or filtering software, 80 percent had a written contract that parents have to sign, 75 percent had a contract that students have to sign, 46 percent used monitoring software, 44 percent had honor codes, and 26 percent used their intranet. As these numbers suggest, most schools (96 percent) used more than one procedure or technology as part of their Internet use policy.

• Since 99 percent of public schools were connected to the Internet in 2001, most schools had the capability to make information available to parents and students directly via e-mail or through a Web site. This section presents key findings on the availability of school-sponsored e-mail addresses and on school Web sites.

Source: National Center for Education Statistics, Office of Educational Research & Improvement, U.S. Dept. of Education

Security and the Evolving Enterprise Needs

Sophistication of Hacker Tools, 1980 to 2000

Chart: tool sophistication rises over time while the technical knowledge required of the attacker falls from High to Low. Tools shown, in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet forging/spoofing, stealth diagnostics.

What's the Impact of Not Properly Securing Your Network?

• Cost: directly affects the school's budget. How do you budget for a system outage?

• Credibility: end-user perception. Is the children's information safe?

• Productivity: ability to use your system. Downtime is lost time and productivity.

• Viability: can ultimately affect your network. What are the staffing requirements?

• Liability: are you responsible? If you don't take actions to stop outbound attacks, are you liable for damages inflicted on others?

* FBI and Computer Security Institute (CSI), 2002

Intrusion Prevention: Security Without Signatures

Proactive Security for Desktops and Servers

“Signature-based detection methods, which are already showing signs of extreme strain under current malicious code trends, will not be able to keep up with the new set of malicious-code risks created by the pervasive adoption and use of Web services and active content.”

John Pescatore and Arabella Hallawell, Gartner Research Note, 8/31/01

OKENA Aggregates Multiple Endpoint Security Functions

Chart comparing OKENA with a conventional distributed firewall and a conventional host-based IDS across these functions:

• Block incoming network requests
• Stateful packet analysis
• Detect/block port scans
• Detect/prevent malicious applications
• Detect/prevent known buffer overflows
• Detect/prevent unauthorized file modification
• Operating system lockdown
• Detect/prevent unknown buffer overflows
• Block outgoing network requests
• Detect/block network DoS attacks
• Desktop/laptop protection

OKENA Complements Traditional Desktop AV

Chart comparing OKENA with anti-virus across these functions:

• Malicious code protection
• Stop known virus/worm propagation
• Stop unknown virus/worm propagation
• Scan/detect infected files
• "Clean" infected files
• Identify viruses/worms by name
• No signature updates required
• Distributed firewall functionality
• Operating system lockdown
• Correlates events across endpoints

Security Philosophy: The Security Wheel

Secure, then Monitor and Respond, then Test, then Manage and Improve, then back to Secure.

A continual, multistage process focused on incremental improvement.

Top Ten Security Policies Today

1. Have a policy on virus updates and scanning.

2. Email policy – size limit and attachments.

3. Remote Access – Who should have it and what type of access.

4. Client side software images – Understand what needs to be loaded.

5. Firewall rule sets – Understand applications and port calls.

6. URL filtering – Understand the pros of this system.

7. VLAN the network – Key to removing assets from public view.

8. Host based policy – Server hardening techniques combined with HIDS.

9. Wireless – Have a clear policy and standard on how to deploy wireless.

10. Change control process for policy review.

Legacy Security Solutions

• Most security designed when networks were simple and static

• Primarily single-point products (access-control) with no network integration or intelligence

• Such legacy products are still seen as default security solutions (a “cure-all”)

• Today, there are serious drawbacks to relying on such “overlay” security to protect sophisticated networks and services

Case in Point...

Internet connections have dramatically increased as a frequent point of attack (from 59% in 2000 to 70% in 2001). Of those organizations reporting attacks, we learn:

27% say they don't know if there had been unauthorized access or misuse

21% reported from two to five incidents in one year

58% reported ten or more incidents in a single year. Something isn't working!

Computer Security Institute & FBI Report, March 2002

Trends / Predictions

• Security is going Mainstream: fundamental issue to e-education, not an afterthought

• Security is going to Main Street: every small school will be moving towards e-education; increased outsourcing of solutions and services

• Security extends everywhere: the classroom, remote students, and teachers

• The bar will continue to be raised: criticality of e-education applications; increased regulation

• Organized crime activities on the rise (gambling)

• Student information: higher target risk


Security Protection: IDS & Connection Solutions

Deploy Proven Technologies

• Firewalls – PIX 501, 506, 515, 525, 535, and the FWSM blade

• IDS – Network-based intrusion detection systems

• Event correlation technology for SYSLOG reporting

• HIDS – Host-based intrusion detection to protect the kernel

Cisco VPN 3000 Series

                        3005      3015      3030      3060      3080
Number of Users          100       100      1500      5000    10,000
Encryption                SW        SW        HW        HW        HW
WAN Capability           Yes       Yes       Yes       Yes       Yes
Performance           4 Mb/s    4 Mb/s   50 Mb/s  100 Mb/s  100 Mb/s
Memory                 32 MB    128 MB    128 MB    256 MB    256 MB
SEPs                       0         0         1         2         4
Upgradable                No       Yes       Yes       Yes       N/A
Supports Dual PS          No       Yes       Yes       Yes       Yes
Redundancy                No       Yes       Yes       Yes       Yes
Site-to-Site Sessions    100       100       500      1000      1000

Remote Access Wireless VPN

Diagram: an Aironet Client, a Cisco VPN 3000 Client and a Mobile Certicom Client connect across the Internet to a Cisco VPN 30xx concentrator at the Main Office.

PIX Firewall Product Line Overview

Model             501              506E       515E-UR      525-UR       535-UR
Market            SOHO             ROBO       SMB          Enterprise   Ent.+, SP
MSRP              $595 or $1,195   $1,695     $7,995       $18,495      $59,000
Licensed Users    10 or 50         Unlimited  Unlimited    Unlimited    Unlimited
Max VPN Peers     5                25         2,000        2,000        2,000
Size (RU)         < 1              1          1            2            3
Processor (MHz)   133              300        433          600          1 GHz
RAM (MB)          16               32         64           256          1 GB
Max. Interfaces   1 10BT + 4 FE    2 10BaseT  6            8            10
Failover          No               No         Yes          Yes          Yes
Cleartext (Mbps)  10               20         188          360          1.7 Gbps
3DES (Mbps)       3                16         63           70           95

GigE enabled: 525-UR and 535-UR.

Overview – Intrusion Detection Drivers

IDS: Real Time Alerts

• Complements firewalls by analyzing permitted traffic: shun sessions, send alarms back to the central management console

• Watch for unauthorized activity in real time

• Implement in front of the firewall to audit attacks against the network

• Implement behind the firewall to monitor traffic the firewall has approved and packets leaving the network
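The "event correlation technology for SYSLOG reporting" item and the IDS bullets above describe the operation in a sentence each. The following is an added example, not Cisco's correlation product and not code from the deck: a small Python correlator that reads PIX-style %PIX-4-106023 "Deny ... by access-group" syslog lines (the sample lines, addresses, ACL names and thresholds are constructed), groups them by source address, and raises one alert per source that touches many distinct ports (a port scan) or many distinct hosts (a sweep) inside a sliding window. The `shun <address>` string is the PIX operator command that drops new connections from a source; treating an inside-sourced alert as a containment case rather than a shun, and the wording of that action, are my assumptions.

```python
"""Syslog correlation for PIX deny messages: an added example, not Cisco's
event-correlation product or any code from the deck.  Assumes PIX 6.x style
%PIX-4-106023 "Deny ... by access-group" lines with a syslog timestamp and
host prefix.  The log lines, addresses, thresholds and the 'isolate' action
for an inside source are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# e.g. Mar  5 10:00:01 pix1 %PIX-4-106023: Deny tcp src outside:A/p dst inside:B/q by access-group "name"
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

SCAN_THRESHOLD = 5              # distinct ports (or hosts) from one source ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window raises an alert

# Constructed sample: an outside host probing one server's ports, a normal
# connection record, an inside host sweeping port 445, and one stray deny.
SAMPLE_LOG = """\
Mar  5 10:00:01 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40211 dst inside:192.0.2.10/21 by access-group "outside_in"
Mar  5 10:00:01 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40212 dst inside:192.0.2.10/22 by access-group "outside_in"
Mar  5 10:00:02 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40213 dst inside:192.0.2.10/23 by access-group "outside_in"
Mar  5 10:00:02 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40214 dst inside:192.0.2.10/25 by access-group "outside_in"
Mar  5 10:00:03 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40215 dst inside:192.0.2.10/110 by access-group "outside_in"
Mar  5 10:00:03 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40216 dst inside:192.0.2.10/143 by access-group "outside_in"
Mar  5 10:00:05 pix1 %PIX-6-302013: Built outbound TCP connection 4411 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.10.5.4/33002 (192.0.2.4/33002)
Mar  5 10:01:10 pix1 %PIX-4-106023: Deny tcp src inside:10.10.5.21/3001 dst outside:198.51.100.11/445 by access-group "inside_out"
Mar  5 10:01:10 pix1 %PIX-4-106023: Deny tcp src inside:10.10.5.21/3002 dst outside:198.51.100.12/445 by access-group "inside_out"
Mar  5 10:01:11 pix1 %PIX-4-106023: Deny tcp src inside:10.10.5.21/3003 dst outside:198.51.100.13/445 by access-group "inside_out"
Mar  5 10:01:11 pix1 %PIX-4-106023: Deny tcp src inside:10.10.5.21/3004 dst outside:198.51.100.14/445 by access-group "inside_out"
Mar  5 10:01:12 pix1 %PIX-4-106023: Deny tcp src inside:10.10.5.21/3005 dst outside:198.51.100.15/445 by access-group "inside_out"
Mar  5 10:30:00 pix1 %PIX-4-106023: Deny udp src outside:198.51.100.9/5353 dst inside:192.0.2.10/53 by access-group "outside_in"
"""


def parse_deny(line):
    """Return a dict for a 106023 deny line, or None for any other message."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; only relative ordering matters here
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def correlate(lines, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Group denies by source address and raise one alert per source that
    touches `threshold` distinct ports (port scan) or distinct hosts (sweep)
    inside the sliding window.  Returns the alerts in order of detection."""
    events = sorted(filter(None, map(parse_deny, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, dst, dport)
    alerts, flagged = [], set()
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while ev["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        ports = {p for _, _, p in q}
        hosts = {h for _, h, _ in q}
        if len(ports) >= threshold:
            kind, count = "port scan", len(ports)
        elif len(hosts) >= threshold:
            kind, count = "host sweep", len(hosts)
        else:
            continue
        if ev["src"] in flagged:
            continue
        flagged.add(ev["src"])
        inbound = ev["sif"] == "outside"
        alerts.append({
            "src": ev["src"],
            "kind": kind,
            "count": count,
            "direction": "inbound" if inbound else "outbound",
            # PIX 'shun <addr>' drops new connections from an outside source;
            # an inside source is a compromised host and needs containment
            # instead of a perimeter shun (action text is an assumption)
            "action": f"shun {ev['src']}" if inbound
                      else f"isolate internal host {ev['src']}",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is it prints two alerts: an inbound port scan from 203.0.113.7 with a `shun` action, and an outbound host sweep from 10.10.5.21 that points at an internal machine. The second case is the one the Liability bullet is about: it is only visible because the inside interface carries an access list that denies and logs, so the firewall records outbound attempts instead of silently passing them.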

Diagram: Internet, Corporate Office, Business Partner, Users, DMZ Servers, Data Center and NAS, with IDS sensors at four points:

Internet IDS: complements FW and VPN by monitoring traffic for malicious activity

Extranet IDS: monitors partner traffic where "trust" is implied but not assured

Remote Access IDS: hardens perimeter control by monitoring remote users

Intranet/Internal IDS: protects data centers and critical assets from internal threats

Cisco IDS Solutions

• Cisco IOS firewall with IDS

Embedded software solution

WAN-based

• Cisco Secure IDS

Dedicated IDS appliance

High-performance

Scalable

• Catalyst 6000 IDS Module

Integrated security module

Investment protection

• Linkage to host-based and application monitoring

Action Plan: Implementing a Process

1. Develop a comprehensive security policy
   Based on assessment of assets, threats, vulnerabilities

2. Implement it
   Focus on key exposures; build defense in depth; security and network experts engage; in-source or out-source

3. Monitor and audit
   It's what you don't know... Be selective

4. React, according to plan
   Recovery needs to be rapid and organized. Stick to the plan!

5. Repeat cycle!
   Continuous improvement to address new threats

Prediction 2004... IT Security

Prediction:

• Focus of IT security will shift from the "Three As" (authentication, authorization, administration) to network continuity

• Physical and IT security will be integrated

Rationale:

• Higher Eds are looking more at security as an operational requirement.

Source: IDC 2002; * Security Authorization, Authentication, Administration

Cisco Security Directions

Mission

• Educate you, the client, on security

Strategy

• Embrace integration into e-education infrastructure and technology initiatives

• Provide the most comprehensive security solution

• Utilize solutions and services ecosystems/partners

SAFE Security Blueprint

• Integrates security and network issues

• Includes specific configurations for Cisco and partner solutions

• Based on existing, shipping capabilities

• Over 3,000 hours of lab testing

• Currently, five SAFE white papers: SAFE for Enterprise, SAFE for SMB, SAFE Blueprint for IP Telephony, Wireless LAN Security in Depth, Combating Internet Worms

More Information

• www.cisco.com/go/security

• www.cisco.com/go/safe

• www.cisco.com/go/evpn

• www.cisco.com/go/securitypartners

• www.cisco.com/go/csec

• www.cisco.com/go/netpro

• www.cisco.com/go/securitytrng

• www.cert.org

• www.incidents.org

• www.infosecuritymag.com

In Summary...

• Internet vital to core of education systems

• Security fundamental to health of Internet

• Attacks increasing dramatically, targeted at new network and Internet services

• Security must be part of network infrastructure

• Partnership (education and Government) critical to a global security strategy

• Best practices are the security of the future