© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
ICT Act B.E. 2550 (2007)
Today's agenda
Impact to Enterprise Business
Computer Related Crime Detail
Cisco Solution
Summary
Impact to Enterprise Business
Impact of the Act that organisations must comply with: improve the organisation's security measures
Prevent attacks from outside the organisation
Prevent people inside the organisation from attacking outsiders
Show that the organisation takes care to prevent offences that may occur and has clear preventive measures
Improve log file retention measures to meet what the Act requires
Avoid liability for non-compliance with the Act, and hold credible evidence for taking action against those who commit offences against the organisation
Computer Related Crime Act
Structure of the Act on Computer-Related Offences
Definitions used in the Act
Chapter 1: Computer-related offences
Chapter 2: Competent officials
Computer Related Crime Act
Definitions (Section 3): computer system, computer data, computer traffic data, service provider (a provider of Internet access to others, or a provider that stores computer data for the benefit of others), service user
Computer Related Crime Act
Chapter 1, computer-related offences. Acts against computers: Sections 5, 6, 7, 8, 9, 10, 12
Using a computer to commit an offence: Sections 11, 13, 14, 15, 16
Computer Related Crime Act, Chapter 1: Computer-related offences
Acts against computers
Section 5: Hacking
Section 6: Unauthorized access to a computer system
Section 7: Unauthorized access to computer data
Section 8: Sniffing information (data)
Section 9: Damaging, modifying or altering computer data
Section 10: DoS attack
Section 12: Acts under Sections 9 and 10 that cause serious harm
Computer Related Crime Act, Chapter 1: Computer-related offences
Using a computer to commit an offence
Section 11: Disturbing others by sending spam mail
Section 13: Selling or distributing tools used to commit offences
Section 14: Forging data and distributing improper content, including forwarding it
Section 15: Liability of service providers
Section 16: Editing images in a way that damages others and distributing them to the public
Computer Related Crime Act, Chapter 2: Competent officials
Service providers: Section 26
A service provider must retain computer traffic data for not less than 90 days; a competent official may require the service provider to retain computer traffic data beyond 90 days, but not beyond 1 year.
Computer Related Crime Act
Summary diagram of the Act
Source: MFEC
Criteria for service providers' retention of computer traffic data
Draft ICT Ministry regulation on log retention: general service providers are divided into 4 types
Telecommunications operators
Providers of access to computer networks: ISPs, government agencies, companies, educational institutions, and providers of network access in dormitories, restaurants and hotels
Lessors of computer systems (hosting service providers)
Internet café operators
Providers of data storage, and providers of data through applications
Criteria for service providers' retention of computer traffic data
Method: retain computer traffic data using secure means
Media integrity, and identification of the persons who may access that media
The system administrator must not be able to alter the retained data, e.g. by using a centralized log server, a data archive, or data hashing
Authentication on the proxy server or NAT, or on free Internet services or the 1222 service
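An added example, not Cisco's code and not part of the regulation, of the "data hashing" control named above: a hash chain over archived log lines, with verification that reports the first broken link, so that an edit, deletion or reordering by someone with write access to the archive is detectable. The sample lines, the record layout (seq, line, hash) and the demo functions are constructed for this example.

```python
# Added example (not Cisco's code, not the regulation's): hash-chained log archive.
# Each archived line is hashed together with the hash of the previous line and its
# position, so the chain head commits to the whole archive. The head must be stored
# where the archive administrator cannot rewrite it (e.g. on the central log server).
import hashlib

GENESIS = "0" * 64   # chain anchor for an empty archive (assumption of this example)


def link_hash(prev_hash: str, seq: int, line: str) -> str:
    """SHA-256 over (previous hash, position, line): binds each line to all earlier ones."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(f"\n{seq}\n".encode("ascii"))
    h.update(line.encode("utf-8"))
    return h.hexdigest()


def build_chain(lines):
    """Archive `lines` as [{seq, line, hash}] and return (records, chain_head)."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines):
        prev = link_hash(prev, seq, line)
        records.append({"seq": seq, "line": line, "hash": prev})
    return records, prev


def verify_chain(records, expected_head):
    """Recompute every link. Returns (True, None) if intact, else (False, seq_of_first_break)."""
    prev = GENESIS
    for seq, rec in enumerate(records):
        if rec["seq"] != seq or link_hash(prev, seq, rec["line"]) != rec["hash"]:
            return False, seq            # edited, inserted, deleted or reordered at this position
        prev = rec["hash"]
    if prev != expected_head:
        return False, len(records)       # tail truncated, or hashes recomputed after an edit
    return True, None


# Constructed sample lines in the ASA style shown later in this deck.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 3604 for outside:171.70.156.234/1029 to inside:192.168.1.200/1564",
    "%ASA-6-302014: Teardown TCP connection 3604 for outside:171.70.156.234/1029 to inside:192.168.1.200/1564 duration 0:00:30 bytes 0",
    "%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.200/1564 to outside:142.77.67.190/2475 duration 0:01:00",
]


def demo_edit():
    """An administrator changes the byte count on line 1 without touching the hashes."""
    records, head = build_chain(SAMPLE_LOG)
    records[1]["line"] = records[1]["line"].replace("bytes 0", "bytes 4096")
    return verify_chain(records, head)   # (False, 1)


def demo_edit_and_rehash():
    """Same edit, but every hash from the edited line onward is recomputed: only the
    off-box copy of the original chain head reveals the tampering."""
    records, head = build_chain(SAMPLE_LOG)
    lines = [r["line"] for r in records]
    lines[1] = lines[1].replace("bytes 0", "bytes 4096")
    forged, _ = build_chain(lines)
    return verify_chain(forged, head)    # (False, 3)


def demo_delete():
    """Line 0 is removed from the archive; the gap shows up at position 0."""
    records, head = build_chain(SAMPLE_LOG)
    del records[0]
    return verify_chain(records, head)   # (False, 0)
```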
Criteria for service providers' retention of computer traffic data
Time synchronization (Time Setting)
The service provider must synchronise to Thai time against a publicly available time server (Time Server) referenced to Stratum 0, with an error of not more than 10 ms.
Examples of computer traffic data generated and stored with Cisco equipment, so that it is correct and consistent with the ICT Act B.E. 2550
Agenda
Computer traffic data
Internet data arising from network access
Internet data on e-mail servers
Internet data on web servers
Computer traffic data
Example of Cisco IOS NetFlow
6500>sh mls NetFlow ip detail
Displaying NetFlow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
--------------------------------------------------------------------
Pkts Bytes Age LastSeen Attributes
---------------------------------------------------
QoS Police Count Threshold Leak Drop Bucket Use-Tbl Use-Enable
-----------+------------+---------+-----------+----+-------+-------+----------+
172.87.19.217 171.70.154.90 tcp :10112 :www 1023: 0
3 144 10 00:07:11 L3 - Dynamic
0x0 0 0 0 NO 48 NO NO
171.101.24.123 171.69.89.39 tcp :1303 :139 400 : 0
0 0 39 00:06:42 L3 - Dynamic
0x0 0 0 0 NO 48 NO NO
202.56.200.22 172.19.61.10 icmp:0 :0 1028: 0
26 2028 383 00:07:05 L3 - Dynamic
0x0 0 0 0 NO 78 NO NO
Example of computer traffic data (NetFlow) on CS-MARS
Internet data arising from network access
Cisco devices that support TACACS+ or RADIUS
Cisco Router product
Cisco LAN Switch product
Cisco Security product
Cisco WLAN product
Cisco Storage product
Etc.
Some details of the AAA log on Cisco ACS
Example accounting log from Cisco ACS
Sun Aug 6 03:59:28 2000
Acct-Status-Type = Start
NAS-IP-Address = 172.18.124.157
Login-IP-Host = 172.18.124.114
Login-TCP-Port = 23
Acct-Session-Id = 0x00000004
User-Name = cse
Vendor-Specific = Source-IP=172.18.124.114
Vendor-Specific = Source-Port=35937
Vendor-Specific = Destination-IP=99.99.99.2
Vendor-Specific = Destination-Port=23
Sun Aug 6 03:59:32 2000
Acct-Status-Type = Stop
NAS-IP-Address = 172.18.124.157
Login-IP-Host = 172.18.124.114
Login-TCP-Port = 23
Acct-Session-Id = 0x00000004
Username = cse
Acct-Session-Time = 4
Acct-Input-Octets = 101
Acct-Output-Octets = 143
Vendor-Specific = Source-IP=172.18.124.114
Vendor-Specific = Source-Port=35937
Vendor-Specific = Destination-IP=99.99.99.2
Vendor-Specific = Destination-Port=23
User ID, Source, destination
Byte count and session duration
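An added example, not Cisco ACS code, that parses RADIUS accounting records in the layout shown above and pairs Start and Stop records into one session per user carrying the fields the retention duty needs: user ID, source, destination, session duration and byte counts. The sample is the slide's own log; the output field names and the clock-consistency flag are this example's.

```python
# Added example (not Cisco ACS code): pair ACS accounting Start/Stop records into sessions.
import re
from datetime import datetime

# Sample copied from the slide above.
SAMPLE_ACS_LOG = """\
Sun Aug 6 03:59:28 2000
Acct-Status-Type = Start
NAS-IP-Address = 172.18.124.157
Login-IP-Host = 172.18.124.114
Login-TCP-Port = 23
Acct-Session-Id = 0x00000004
User-Name = cse
Vendor-Specific = Source-IP=172.18.124.114
Vendor-Specific = Source-Port=35937
Vendor-Specific = Destination-IP=99.99.99.2
Vendor-Specific = Destination-Port=23
Sun Aug 6 03:59:32 2000
Acct-Status-Type = Stop
NAS-IP-Address = 172.18.124.157
Login-IP-Host = 172.18.124.114
Login-TCP-Port = 23
Acct-Session-Id = 0x00000004
Username = cse
Acct-Session-Time = 4
Acct-Input-Octets = 101
Acct-Output-Octets = 143
Vendor-Specific = Source-IP=172.18.124.114
Vendor-Specific = Source-Port=35937
Vendor-Specific = Destination-IP=99.99.99.2
Vendor-Specific = Destination-Port=23
"""

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}$")


def parse_records(text):
    """Split the log into records; a timestamp line starts each one.
    'Vendor-Specific = Source-IP=1.2.3.4' is flattened to Source-IP -> 1.2.3.4."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line):
            stamp = datetime.strptime(" ".join(line.split()), "%a %b %d %H:%M:%S %Y")
            current = {"timestamp": stamp}
            records.append(current)
        elif current is not None and " = " in line:
            key, value = line.split(" = ", 1)
            if key == "Vendor-Specific" and "=" in value:
                key, value = value.split("=", 1)
            current[key] = value
    return records


def build_sessions(records):
    """Pair Start and Stop by (NAS-IP-Address, Acct-Session-Id); the id is only unique per NAS."""
    sessions = {}
    for rec in records:
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        s = sessions.setdefault(key, {"nas": key[0], "session_id": key[1]})
        # The slide shows User-Name on the Start record but Username on the Stop record.
        user = rec.get("User-Name") or rec.get("Username")
        if user:
            s.setdefault("user", user)
        if rec.get("Acct-Status-Type") == "Start":
            s["start"] = rec["timestamp"]
            s["src"] = (rec.get("Source-IP"), int(rec.get("Source-Port", 0)))
            s["dst"] = (rec.get("Destination-IP"), int(rec.get("Destination-Port", 0)))
        elif rec.get("Acct-Status-Type") == "Stop":
            s["stop"] = rec["timestamp"]
            s["duration_s"] = int(rec.get("Acct-Session-Time", 0))
            s["bytes_in"] = int(rec.get("Acct-Input-Octets", 0))
            s["bytes_out"] = int(rec.get("Acct-Output-Octets", 0))
    return list(sessions.values())


def session_summary(text):
    """Sessions plus two sanity flags: both records present, and the NAS-reported
    Acct-Session-Time agreeing with the log timestamps (a cheap clock-skew check)."""
    out = []
    for s in build_sessions(parse_records(text)):
        complete = "start" in s and "stop" in s
        elapsed = int((s["stop"] - s["start"]).total_seconds()) if complete else None
        out.append({**s, "complete": complete,
                    "clock_consistent": complete and elapsed == s["duration_s"]})
    return out
```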
Example log from NAC Appliance (User/Usage)
Example log from Cisco Router IOS Firewall
Output log:
*Mar 17 11:03:02.595: %IPNAT-6-NAT_CREATED: Created icmp 192.168.2.1:5 10.68.116.12:5 64.104.66.123:5 64.104.66.123:5
*Mar 17 11:03:08.899: %IPNAT-6-NAT_CREATED: Created icmp 192.168.1.1:6 10.68.116.12:6 10.68.116.1:6 10.68.116.1:6
*Mar 17 11:03:16.191: %IPNAT-6-NAT_DELETED: Deleted icmp 192.168.2.1:4 10.68.116.12:4 64.104.66.123:4 64.104.66.123:4
*Mar 17 11:03:27.679: %IPNAT-6-NAT_CREATED: Created icmp 192.168.2.1:7 10.68.116.12:7 64.104.66.97:7 64.104.66.97:7
*Mar 17 11:03:55.507: %IPNAT-6-NAT_CREATED: Created tcp 192.168.1.1:24714 10.68.116.12:24714 10.68.116.1:23 10.68.116.1:23
*Mar 17 11:04:02.783: %IPNAT-6-NAT_DELETED: Deleted icmp 192.168.2.1:5 10.68.116.12:5 64.104.66.123:5 64.104.66.123:5
*Mar 17 11:04:08.927: %IPNAT-6-NAT_DELETED: Deleted icmp 192.168.1.1:6 10.68.116.12:6 10.68.116.1:6 10.68.116.1:6
Example log from Cisco PIX/ASA Firewall
%ASA-6-106100: access-list inside_access_in permitted udp inside/192.168.1.200(1563) -> outside/10.16.151.94(1029) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.200/1563 to outside:142.77.67.190/1644
%ASA-6-302015: Built outbound UDP connection 3602 for outside:10.16.151.94/1029 (10.16.151.94/1029) to inside:192.168.1.200/1563 (142.77.67.190/1644)
%ASA-6-302016: Teardown UDP connection 3544 for outside:171.68.10.143/1029 to inside:192.168.1.200/1530 duration 0:02:02 bytes 0
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.200/1558 to outside:142.77.67.190/2470 duration 0:00:30
%ASA-6-106100: access-list inside_access_in permitted udp inside/192.168.1.200(1563) -> outside/171.70.156.234(1029) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-6-302015: Built outbound UDP connection 3603 for outside:171.70.156.234/1029 (171.70.156.234/1029) to inside:192.168.1.200/1563 (142.77.67.190/1644)
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.200/1520 to outside:142.77.67.190/1638 duration 0:02:35
%ASA-6-302016: Teardown UDP connection 3545 for outside:171.70.156.234/1029 to inside:192.168.1.200/1530 duration 0:02:04 bytes 0
%ASA-6-106100: access-list inside_access_in permitted tcp inside/192.168.1.200(1564) -> outside/171.70.156.234(1029) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.200/1564 to outside:142.77.67.190/2475
%ASA-6-302013: Built outbound TCP connection 3604 for outside:171.70.156.234/1029 (171.70.156.234/1029) to inside:192.168.1.200/1564 (142.77.67.190/2475)
%ASA-6-302014: Teardown TCP connection 3596 for outside:171.70.156.234/1029 to inside:192.168.1.200/1559 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.200/1549 to outside:142.77.67.190/2462 duration 0:01:00
Built and Teardown connection log
Internet data on e-mail servers (cont.)
Example log from IronPort C-Series
Internet data on web servers
IronPort S-Series log data
Example log from IronPort S-Series
Cisco Solution Mapping
CRCA Mapping with Cisco Solution, per the Act (Optional)
Cisco solution columns: NetFlow (all), NTP (all), ACS, ASA, ISG/SCE, NAC, Firewall, CSC (Anti-X), IPS/IDS, CSA, VPN, CSM, CS-MARS, IronPort Mail, IronPort Web
Item | Description
3 | Data Traffic
5-7 | Unauthorized access
8 | Eavesdrop
9 | Hacking, Malware
10 | DoS attack
11 | Spam mail, web
14-16 | Improper Content
Legend: SMB, Enterprise, ISP, All
CRCA Mapping with Cisco Solution, per the ministerial regulation (Mandatory)
Cisco solution columns: NetFlow (all), NTP (all), ACS, ASA, ISG/SCE, NAC, Firewall, CSC (Anti-X), IPS/IDS, CSA, VPN, CSM, CS-MARS, IronPort Mail, IronPort Web
Item | Description
7(2) | Internet Access Log
| Email Log
| FTP/Web Log
8(1) | Logging Media
8(2) | Logging System
9 | Time Sync
Legend: SMB, Enterprise, ISP, All
Applying CRCA to the Network: Sec 26/8(9) - Time Synchronization
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, NAC, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Synchronize clock to a trusted public NTP server
2. Enable NTP on all devices
Time Synchronization
When dealing with network telemetry, it is important that dates and times are both accurate and synchronized
NTP is supported in all Cisco gear, as well as in many if not all operating systems
NTP is crucial for:
Accurate logging
Validating certificates
Kerberos tickets
Applying CRCA to the Network: Sec 26/7(2) - Internet Access Log
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco IPS 4200, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, NAC, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Authenticate users through firewall or on NAC Appliance
2. Collect traffic log from gateway firewall or NetFlow
3. Export logs or NetFlow to CS-MARS for analysis and archive
Cisco Identity Based Networking Service
Cut-through proxy authentication on Firewall
dot1x authentication using network infrastructure
NAC Appliance for authentication and endpoint policy control
Web authentication for guest access with Wireless Controller
Authenticated User Access through the Firewall
Feature | Authentication Proxy | Cut-Through Proxy
Access Methods | FTP, Telnet, HTTP, HTTPS | FTP, Telnet, HTTP, HTTPS
Platform | Cisco IOS FW | ASA, FWSM
Authentication Methods | RADIUS/TACACS+ | RADIUS/TACACS+
Cut-Through Proxy (HTTPS)
Diagram: Internal/External User, ASA, CiscoSecure RADIUS, IS Resource; PIX Firewall prompt "Username and Password Required" with User Name and Password fields
1. The user makes a request to an IS resource
2. The ASA firewall intercepts the connection
3. At the application layer, the ASA firewall prompts the user for a username and password; it then authenticates the user against a RADIUS or TACACS+ server and checks the security policy (local DB)
4. The ASA firewall initiates a connection from the ASA firewall to the destination IS resource
5. The ASA firewall directly connects the internal or external user to the IS resource via ASA; communication then takes place at a lower level of the OSI model
IEEE 802.1x Authentication
802.1x is a client-server-based access control and authentication protocol that restricts unauthorized devices from connecting to a LAN through publicly accessible ports
Diagram: client PC, switch, ACS (AAA server)
1. User activates the link (i.e. turns on the PC)
2. Switch asks the authentication server whether the user is authorized to access the LAN
3. Authentication server responds with the access authorization
4. Switch opens the controlled port (if authorized) for the user to access the LAN
NAC Framework Architecture
Diagram: Hosts Attempting Network Access present Credentials (EAP/UDP, EAP/802.1x, dot1x) to Network Access Devices (NAD), which relay them over RADIUS to the Policy Server Decision Points (AAA Server, Vendor Servers over HTTPS); the "Comply?" decision returns Access Rights and a Notification, and the NAD performs Enforcement
• Ubiquitous solution for all connectivity methods
• Embedded intelligence in NAC-capable Cisco infrastructure
• Architectural extension of RADIUS solution
• Leverage existing network and security management software
• 802.1x integration with Meetinghouse Supplicant
Cisco NAC Appliance
Authenticate & Authorize
Enforces authorization policies and privileges
Supports multiple user roles
Update & Remediate
Network-based tools for vulnerability and threat remediation
Help-desk integration
Quarantine & Enforce
Isolate non-compliant devices from rest of network
MAC and IP-based quarantine effective at a per-user level
Scan & Evaluate
Agent scan for required versions of hotfixes, AV, etc.
Network scan for virus and worm infections and port vulnerabilities
First, establish ACCESS POLICIES. Then:
NO COMPLIANCE = NO NETWORK ACCESS
NAC Appliance Use Cases
Diagram: Internet, Campus Building 1, Wireless Building 2, Conference Room in Building 3, IPSec and 802.1Q links
Endpoint Compliance: network access only for compliant devices
Guest Compliance: restricted Internet access only for guest users
Wireless Compliance: secured network access only for compliant wireless devices
VPN User Compliance: intranet access only for compliant remote access users
Intranet Access Compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc.
Legal Disclaimer – Acceptable Use Policy
Mandate acceptance of an Acceptable Use Policy before access is allowed
Different Acceptable Use Policy (AUP) per User/Group
Logging Levels and Events
Log Level | Alert | Event Messages
0 | Emergencies | Not used, only for RFC compliance
1 | Alerts | Mostly failover-related events
2 | Critical | Denied packets/connections
3 | Errors | AAA failures, CPU/memory issues, routing issues, some VPN issues
4 | Warnings | Denied conns due to ACL, IDS events, fragmentation, OSPF errors
5 | Notifications | User and session activity and firewall configuration changes
6 | Informational | ACL logging, AAA events, DHCP activity, TCP/UDP connection and teardown
7 | Debugging | Debug events, TCP/UDP request handling, IPSEC and SSL VPN connection information
A Typical Log File
%ASA-6-106100: access-list inside_access_in permitted udp inside/192.168.1.200(1563) -> outside/10.16.151.94(1029) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.200/1563 to outside:142.77.67.190/1644
%ASA-6-302015: Built outbound UDP connection 3602 for outside:10.16.151.94/1029 (10.16.151.94/1029) to inside:192.168.1.200/1563 (142.77.67.190/1644)
%ASA-6-302016: Teardown UDP connection 3544 for outside:171.68.10.143/1029 to inside:192.168.1.200/1530 duration 0:02:02 bytes 0
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.200/1558 to outside:142.77.67.190/2470 duration 0:00:30
%ASA-6-106100: access-list inside_access_in permitted udp inside/192.168.1.200(1563) -> outside/171.70.156.234(1029) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-6-302015: Built outbound UDP connection 3603 for outside:171.70.156.234/1029 (171.70.156.234/1029) to inside:192.168.1.200/1563 (142.77.67.190/1644)
%ASA-6-305012: Teardown dynamic UDP translation from inside:192.168.1.200/1520 to outside:142.77.67.190/1638 duration 0:02:35
%ASA-6-302016: Teardown UDP connection 3545 for outside:171.70.156.234/1029 to inside:192.168.1.200/1530 duration 0:02:04 bytes 0
%ASA-6-106100: access-list inside_access_in permitted tcp inside/192.168.1.200(1564) -> outside/171.70.156.234(1029) hit-cnt 1 first hit [0xa925365e, 0x0]
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.200/1564 to outside:142.77.67.190/2475
%ASA-6-302013: Built outbound TCP connection 3604 for outside:171.70.156.234/1029 (171.70.156.234/1029) to inside:192.168.1.200/1564 (142.77.67.190/2475)
%ASA-6-302014: Teardown TCP connection 3596 for outside:171.70.156.234/1029 to inside:192.168.1.200/1559 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.200/1549 to outside:142.77.67.190/2462 duration 0:01:00
Built and Teardown connection log
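An added example, not Cisco ASA code, for the Built/Teardown connection log shown here and in the PIX/ASA example earlier: it reconstructs each connection from its Built and Teardown messages, records the dynamic NAT translations, and answers the question traffic-data retention exists for, namely which inside host sat behind a given public address and port. The sample lines are taken from the slide; the record layout and helper names are this example's own.

```python
# Added example (not Cisco ASA code): reconstruct connections and NAT translations
# from ASA syslog messages 302013/302015 (Built), 302014/302016 (Teardown) and 305011.
import re

# Sample lines taken from the slide (syslog timestamps are absent there too).
SAMPLE_ASA_LOG = """\
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.1.200/1563 to outside:142.77.67.190/1644
%ASA-6-302015: Built outbound UDP connection 3602 for outside:10.16.151.94/1029 (10.16.151.94/1029) to inside:192.168.1.200/1563 (142.77.67.190/1644)
%ASA-6-302016: Teardown UDP connection 3544 for outside:171.68.10.143/1029 to inside:192.168.1.200/1530 duration 0:02:02 bytes 0
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.200/1564 to outside:142.77.67.190/2475
%ASA-6-302013: Built outbound TCP connection 3604 for outside:171.70.156.234/1029 (171.70.156.234/1029) to inside:192.168.1.200/1564 (142.77.67.190/2475)
%ASA-6-302014: Teardown TCP connection 3596 for outside:171.70.156.234/1029 to inside:192.168.1.200/1559 duration 0:00:30 bytes 0 SYN Timeout
"""

ADDR = r"(\w+):([\d.]+)/(\d+)"          # interface:ip/port
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?:outbound|inbound) (TCP|UDP) connection (\d+) for "
    + ADDR + r" \(([\d.]+)/(\d+)\) to " + ADDR + r" \(([\d.]+)/(\d+)\)")
TEARDOWN_RE = re.compile(
    r"%ASA-6-30201[46]: Teardown (TCP|UDP) connection (\d+) for " + ADDR + r" to " + ADDR
    + r" duration (\d+):(\d\d):(\d\d) bytes (\d+)(?: (.+))?$")
XLATE_RE = re.compile(
    r"%ASA-6-305011: Built dynamic (TCP|UDP) translation from " + ADDR + r" to " + ADDR)


def _endpoint(m, i, mapped=True):
    """Interface name, real ip/port and (on Built lines) the NAT-mapped ip/port in parentheses."""
    ep = {"if": m.group(i), "real": (m.group(i + 1), int(m.group(i + 2))), "mapped": None}
    if mapped:
        ep["mapped"] = (m.group(i + 3), int(m.group(i + 4)))
    return ep


def parse_asa_log(text):
    """Returns (connections by id, translations keyed by (proto, mapped ip, mapped port))."""
    conns, xlates = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = BUILT_RE.match(line)
        if m:
            cid = int(m.group(2))
            conns[cid] = {"proto": m.group(1), "id": cid, "a": _endpoint(m, 3),
                          "b": _endpoint(m, 8), "built": True, "torn_down": False}
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            cid = int(m.group(2))
            # A Teardown with no Built in the window: the connection predates this log.
            c = conns.setdefault(cid, {"proto": m.group(1), "id": cid,
                                       "a": _endpoint(m, 3, False),
                                       "b": _endpoint(m, 6, False), "built": False})
            c["torn_down"] = True
            c["duration_s"] = int(m.group(9)) * 3600 + int(m.group(10)) * 60 + int(m.group(11))
            c["bytes"] = int(m.group(12))
            c["reason"] = m.group(13)          # e.g. "SYN Timeout"; None for a normal close
            continue
        m = XLATE_RE.match(line)
        if m:
            # public (ip, port) -> inside (ip, port). A real archive must also key this by
            # time, because a mapped port is reused once its translation is torn down.
            xlates[(m.group(1), m.group(6), int(m.group(7)))] = (m.group(3), int(m.group(4)))
    return conns, xlates


def lookup_inside_host(xlates, proto, mapped_ip, mapped_port):
    """Which inside host/port was behind this public address and port? None if not logged."""
    return xlates.get((proto, mapped_ip, mapped_port))


def open_connections(conns):
    """Connection ids with a Built line but no Teardown yet (still open at end of log)."""
    return sorted(cid for cid, c in conns.items() if c["built"] and not c["torn_down"])
```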
Capturing Traffic Information
Accounting or syslog from gateway Firewall
Netflow from Router or L3 Switch
Collect traffic information with NetFlow
Packet capture is like a wiretap
NetFlow is like a phone bill
This level of granularity allows NetFlow to scale for very large amounts of traffic
We can learn a lot from studying the phone bill!
Who's talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
NetFlow is a form of telemetry pushed from the routers/switches — each one can be a sensor
What Constitutes a Flow?
1. Inspect a packet's 7 key fields and identify the values
2. If the set of key field values is unique, create a new flow record or cache entry
3. When the flow terminates, export the flow to the collection/analysis system
Diagram: packets in, NetFlow key fields, NetFlow export, reporting
NetFlow Key Fields: Creating Flow Records
Example 1: Inspect packet 1
Key Fields, Packet 1
Source IP: 1.1.1.1
Destination IP: 2.2.2.2
Source port: 23
Destination port: 22078
Layer 3 Protocol: TCP - 6
TOS Byte: 0
Input Interface: Ethernet 0
Create flow record in the cache:
Source IP | Dest. IP | Dest. I/F | Protocol | TOS | … | Pkts
1.1.1.1 | 2.2.2.2 | E1 | 6 | 0 | … | 11000
1. Inspect packet for key field values
2. Compare set of values to NetFlow cache
3. If the set of values is unique, create a flow in the cache
4. Inspect the next packet
Example 2: Inspect packet 2
Key Fields, Packet 2
Source IP: 3.3.3.3
Destination IP: 2.2.2.2
Source port: 23
Destination port: 22078
Layer 3 Protocol: TCP - 6
TOS Byte: 0
Input Interface: Ethernet 0
Add new flow to the NetFlow cache:
Source IP | Dest. IP | Dest. I/F | Protocol | TOS | … | Pkts
3.3.3.3 | 2.2.2.2 | E1 | 6 | 0 | … | 11000
1.1.1.1 | 2.2.2.2 | E1 | 6 | 0 | … | 11000
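An added example, not Cisco code, that runs the flow-creation steps from "What Constitutes a Flow?" and the two packet examples above as a small NetFlow cache: packets are reduced to the seven key fields, a new key creates a cache entry, a known key only updates the entry's counters, and an entry is exported when the flow terminates (TCP FIN/RST) or exceeds an inactive or active timeout. Packets 1 and 2 are the slide's; the extra packets, sizes, timestamps and timeout values are constructed for the example.

```python
# Added example (not Cisco code): a minimal NetFlow cache following the slide's steps.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FlowKey:
    """The seven NetFlow key fields; a flow is a cache entry keyed on exactly these."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int        # layer-3 protocol number: 6 = TCP, 17 = UDP
    tos: int
    in_if: str


@dataclass
class Packet:
    ts: float         # seconds (constructed timestamps)
    key: FlowKey
    length: int
    tcp_flags: int = 0


@dataclass
class FlowEntry:
    key: FlowKey
    first: float
    last: float
    pkts: int = 0
    octets: int = 0
    flags: int = 0    # OR of the TCP flags seen on the flow


TCP_FIN, TCP_RST, TCP_ACK = 0x01, 0x04, 0x10


class NetFlowCache:
    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0):
        self.inactive_timeout = inactive_timeout      # seconds with no packet -> export
        self.active_timeout = active_timeout          # max age of a long-lived flow -> export
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[FlowEntry] = []

    def observe(self, pkt: Packet) -> None:
        self._expire(pkt.ts)                          # age out idle / long-lived flows first
        entry = self.cache.get(pkt.key)               # step 2: compare key fields to the cache
        if entry is None:                             # step 3: unique -> new flow record
            entry = self.cache[pkt.key] = FlowEntry(pkt.key, pkt.ts, pkt.ts)
        entry.pkts += 1
        entry.octets += pkt.length
        entry.last = pkt.ts
        entry.flags |= pkt.tcp_flags
        if pkt.key.proto == 6 and pkt.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(pkt.key)                     # flow terminated -> export

    def _expire(self, now: float) -> None:
        for key, e in list(self.cache.items()):
            if now - e.last > self.inactive_timeout or now - e.first > self.active_timeout:
                self._export(key)

    def _export(self, key: FlowKey) -> None:
        self.exported.append(self.cache.pop(key))

    def flush(self) -> None:
        """Export whatever is still cached (e.g. on shutdown)."""
        for key in list(self.cache):
            self._export(key)


def run_sample() -> List[FlowEntry]:
    """Feed the slide's two packets plus a few constructed ones; return exported flows."""
    k1 = FlowKey("1.1.1.1", "2.2.2.2", 23, 22078, 6, 0, "Ethernet 0")   # slide packet 1
    k2 = FlowKey("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, "Ethernet 0")   # slide packet 2
    packets = [
        Packet(0.0, k1, 60, TCP_ACK),
        Packet(0.1, k2, 60, TCP_ACK),
        Packet(1.0, k1, 1400, TCP_ACK),          # same key as packet 1: counters grow, no new flow
        Packet(2.0, k1, 40, TCP_FIN | TCP_ACK),  # FIN terminates flow 1 -> exported
        Packet(30.0, k2, 60, TCP_ACK),           # flow 2 idle > 15 s: old entry exported, new one made
    ]
    cache = NetFlowCache()
    for p in packets:
        cache.observe(p)
    cache.flush()
    return cache.exported
```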
Applying CRCA to the Network: Sec 26/8(1,2) - Secured and Reliable Logging Infrastructure
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, NAC, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Consolidate and archive logs using CS-MARS
Cisco Security MARS: Monitoring for Superior Visibility
Cisco Security MARS answers the questions WHAT, WHEN and HOW
A threat control appliance that monitors logs from multi-vendor network sources including:
Routing and switching infrastructure with NetFlow
Firewall log data
IDS/IPS
AAA authentication servers
Host and server logs
Correlates, reduces, and categorizes events, enabling users to validate incidents
Breadth of information collected (NetFlow, topology) provides the most complete and accurate story of network activity
Cisco Security Monitoring, Analysis, and Response System (CS-MARS)
MARS provides multi-vendor security event monitoring and threat mitigation
Telemetry sources: SYSLOG, SNMP Traps, Log Files, Device API/CLI and NetFlow
Near real time incident detection – minimize window of vulnerability/attack
Superior flow-based correlation technology ("sessionization") reduces false positives and false negatives – saves precious security operations time
Built-in regulatory compliance reports
Archives log data from all network devices
Provides immediate threat identification and mitigation for networks subject to regulations
Improves the ability of Network and Security Operations to respond to attacks
Security Information and Event Monitoring
Collected information can be used to generate specific compliance reports
Cisco Security MARS Report Grouping for Compliance Reports
Retrieve Raw Messages from CS-MARS
Applying CRCA to the Network: Sec 11 – Prevent Spam Mail
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Control policy on firewall to only allow SMTP from IronPort
2. Use IronPort or ASA w/ CSC module to filter SPAM for both inbound and outbound
Applying CRCA to the Network: Sec 14-16 – Filter Improper Content
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Content filtering and control using IronPort Web Security or ASA w/ CSC
Applying CRCA to the Network: Sec 26/7(2) – Email, Web, File Server Log
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, NAC, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Collect email, web/file access logs on the content gateway
2. Collect email, web and file access logs from the servers
IronPort Perimeter Security Appliances
Diagram: Internet; Email Security Appliance; Web Security Appliance; Security Management Appliance; IronPort SenderBase
Product Consolidation at the Network Perimeter for Security, Reliability and Lower Maintenance
Before IronPort: Internet, Firewall, MTAs with separate Anti-Spam, Anti-Virus, Policy Enforcement and Mail Routing, Groupware, Users
After IronPort: Internet, Firewall, IronPort Email Security Appliance, Groupware, Users
Innovative Security Platform
IronPort Web Security Appliance
L4 Traffic Monitor
• Layer 4 Traffic Monitor for network layer inspection of all traffic, at wire speed
• Session aware
Web Proxy
• Full application proxy powered by IronPort's AsyncOS Web Security Platform
• Application layer inspection of Web traffic
• Deep content analysis
• Integrated Authentication
• Integrated Caching
Low Total Cost of Ownership: Scalable, Extensible Solution
Yesterday: Users, Firewall, Proxy, Anti-Virus / Anti-Spyware (ICAP), Policy Enforcement, Internet
Today: Users, Firewall, IronPort Web Security Appliance (URL Filtering), Internet
Intelligent Message Hygiene: Effective Removal of Unsolicited Email
Highly Effective Anti-Spam Capabilities
Integrates a heuristic anti-spam engine with a spam signature database and a blacklist/whitelist address table to yield accurate detection and low false positives
Filters spam from SMTP and POP3 traffic
Blocks or tags spam at the Internet edge before it reaches the desktop
Prevents spammers from using your mail server as a relay point for spam
The volume of spam has increased exponentially and is leaving lost productivity, company liability and increased IT expenses in its wake.
Diagram: Internet, Anti-Spam, Email Server, Web Server
Advanced Content Filtering: URL / Content Filtering and Anti-Phishing
ASA 5500 and CSC-SSM
Blocks inappropriate and non-work-related content
Controls email traffic containing key words or phrases and attachments with flagged file types
Guards against identity theft and protects confidential company information by blocking outbound data
Key Benefits
• Vigilant Updates: ever-expanding database of known phishing sites, spyware sites, and disease vectors
• Increases Employee Productivity: prevents distractions and non-work-related use of resources
• Recaptures Network Resources: rids the network of superfluous traffic
• Reduces Liability: minimizes risk of identity theft, information leakage and inappropriate use
"At least 130 reported breaches have exposed more than 55 million Americans to potential ID theft this year" – USA Today, 1/06
Diagram: Internet, desktops, Anti-Phishing, URL & Content Filtering
URL / Content Filtering and Anti-Phishing: Comprehensive Content and Message Compliance
URL Filtering
Restricts employee Internet usage by category, group, time of day, day of week, and bandwidth quotas
Filters Web content through an ever-expanding database with millions of URLs categorized to block inappropriate websites
Employs dynamic rating technology to classify requested Web sites that are not already in the database
Content Filtering
Filters inbound and outbound email to ensure message compliance
Enables IT managers to construct rules using Boolean and regular expressions for complex content filtering
Reduces legal liability by adding company-specific legal disclaimers to outgoing email based on message characteristics
Anti-Phishing
Detects and blocks known phishing sites using PhishTrap technology
Diagram: Internal Users, Database of URLs, Web Sites; URL Filtering categories: Company-prohibited, Not work related, Research topics, Business function; Content Filtering criteria: Keyword, True file types, Attachment names, File sizes
Applying CRCA to the Network: Sec 5-7 Protect from Unauthorized Access
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, CSA, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Stop unauthorized access from outside on the gateway firewall
2. Authenticate users before allowing network access, with NAC and ACS
3. CSA to enforce data access policy on the client
4. Monitor network activity with CS-MARS
Applying CRCA to the Network: Sec 8 Preventing Man-in-the-Middle (Eavesdrop)
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Enable infrastructure protection on Catalyst switches to prevent spoofing attacks
2. IPSec to secure WAN and remote access connections
3. Enable SMTP SSL for email with business partners
Applying CRCA to the Network: Sec 9 - Protecting from Hackers and Malware
Diagram: Internet, Cisco ISR/7x00, ASA, Cisco Catalyst 6500, Cisco 4200 IPS Sensor or AIM module, CSA, Web Servers, Email Servers, File Servers, Access Control Server, CS-MARS, NAC Appliance, CSM, IronPort Web Security, IronPort Email Security, ASA w/ CSC, ISR
1. Filter unauthorized access on the firewall
2. Identify network threats with IPS
3. CSA for endpoint protection from zero-day attacks
4. Block viruses/worms from web/email with IronPort or ASA w/ CSC
5. NAC to enforce security policy on endpoints
6. Monitor security events with CS-MARS
Summary
Impact of the Act that organisations must comply with: improve the organisation's security measures
Prevent attacks from outside the organisation
Prevent people inside the organisation from attacking outsiders
Show that the organisation takes care to prevent offences that may occur and has clear preventive measures
Improve log file retention measures to meet what the Act requires
Avoid liability for non-compliance with the Act, and hold credible evidence for taking action against those who commit offences against the organisation
Q and A