
Implementing Cisco Threat Control (source PDF: d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKCRT-2211.pdf)


Implementing Cisco Threat Control Solutions (SITCS)

BRKCRT-2211

Sam Camarda

Consulting Systems Engineer


© 2014 Cisco and/or its affiliates. All rights reserved. BRKCRT-2211 Cisco Public

Agenda

• CCNP Security

• NGFW Services (CX)

• Web Security Appliance (WSA)

• Cloud Web Security (CWS)

• Email Security Appliance (ESA)

• Network Intrusion Prevention (IPS)

• Conclusion


CCNP Security Track

• 4 Exams

– 300-206 Implementing Cisco Edge Network Security Solutions (SENSS)

– 300-207 Implementing Cisco Threat Control Solutions (SITCS)

– 300-208 Implementing Cisco Secure Access Solutions (SISAS)

– 300-209 Implementing Cisco Secure Mobility Solutions (SIMOS)

• CCNA or CCIE prerequisite; valid for three years

• Certification info available at learningnetwork.cisco.com

– Community Discussion Boards

– CCNP Security Study Groups


Implementing Cisco Threat Control Solutions

• 90-minute exam consists of 65–75 questions and covers integration of Intrusion Prevention System (IPS) and context-aware firewall components, as well as Web (Cloud) and Email Security solutions.

• Refreshed January 2014

• Knowledge Allocations:

– 22% Content Security

– 23% Threat Defense

– 16% Devices GUIs and Secured CLI

– 19% Troubleshooting, Monitoring and Reporting Tools

– 8% Threat Defense Architectures

– 12% Content Security Architectures

• http://www.cisco.com/web/learning/exams/list/spec_sitcs.html


ASA NGFW


ASA NGFW Features

• Application Visibility & Control

• URL Filtering including Custom Categories

• Web Reputation

• User Identification – Active & Passive

• User Device Identification – User Agent & AnyConnect VPN

• SSL/TLS Decryption

• IPS Threat Defense

• Rate Limiting

• Reporting / Event Monitoring


Cisco ASA NGFW

• Best positioned at the Internet Edge

• 2 Form Factors

– ASA 5500-X Software Module

– ASA 5585-X Hardware Module

• On-box or Off-Box Management

• Feature Licenses

– Application Visibility & Control

– Web Security Essentials

– Threat Defense

• Deployed Inline or Promiscuous


ASA NGFW Broad and Web AVC

• Broad AVC based on NBARv2: Multi-application support over many ports

• Web AVC—HTTP and HTTPS (decrypted) traffic—Example: Allow Facebook but deny Facebook games.

• Application types—Examples: Dropbox, Google Drive, Yahoo Messenger, Google Talk, and so on.

• Application signature updates are downloaded from Cisco Security Intelligence Operations (SIO) center every 5 minutes. Scanning engines also receive regular updates from Cisco SIO.

• Typically, the ASA NGFW scanning engine update is required only once every 3 months.


ASA NGFW Policy Types

• Identity Policies (Active or Passive)

– Which traffic requires authentication. (Default = Don't use user identity)

• Decryption Policies (TLS/SSL)

– Traffic is decrypted for inspection. (Default = Don't decrypt)

• Access Policies (Allow/Warn/Deny)

– Scope of traffic allowed through the machine. (Default = Allow all traffic)

• Threat Detection Policies (Inline/Monitor-only)

– Client traffic is inspected for threats


Compatibility with Existing Cisco ASA Features

• ASA Clustering and active/active failover are not currently supported.

• Active/standby failover, transparent firewall mode, and IPv6 are supported.

• ASA multiple context mode is supported in 9.2.1, with traffic redirected from a single ASA context or from multiple ASA contexts.

• ASA NGFW 9.2.1 release requires the ASA 9.1.3 release running on the ASA.

• Do not configure HTTP inspection, Cloud Web Security inspection or the Mobile User Security feature when using the ASA NGFW.


ASA NGFW - Software Model

• All Midrange models

– ASA5512, 5515, 5525, 5545, 5555

• NGFW or Traditional IPS

• Single or Dual 128G solid state drive

– Database, Application packages

– ASA used for Boot Image

• 200Mbps to 1.2Gbps performance

• Shared management interface - 192.168.1.2

• ASA software release 9.1(1) or later


ASA NGFW - Hardware Model

• High Performance 5585X – 10Gbps Hardware

– SSP10, SSP20, SSP40, SSP60

• Occupies top slot - NGFW or Traditional IPS

• Single or dual 600G hard drive

• Data ports shared between ASA and NGFW

• ASA Software Release 8.4(4) or later

• Clustering compatible

• Dedicated management interface

• 2-13 Gbps throughput


ASA NGFW Management Architecture

• Prime Security Manager – HTMLv5

– Configuration / Monitoring / Licensing

– Change / Commit architecture

• On-box or Off-box – mutually exclusive

– UCS Appliance or VMware OVA

– Off-box: Multi-device control, additional logging, RBAC, ASA management

• RESTful XML over HTTPS

• Reliable Binary Logging – TCP Port 4466

• Support for high availability – v9.2

• Minimal CLI configuration / monitoring


PRSM CLI – Log Management


ASA NGFW CLI Commands

• delete – delete files (cores and package captures)

• setup – configure the IP addresses, hostname, domain, DNS, NTP

• system (reload | shutdown) – reboot or stop the blade

• system (upgrade | revert) – upgrade or downgrade the OS

• services (start | stop) – turn on and off the services including packet inspectors

• ping, nslookup, traceroute – management interface connectivity troubleshooting

• show interface – statistics for management interface

• show opdata – show operational data from the data plane

• show tech-support – outputs for Cisco support troubleshooting

• support tail log – watch the logs on the CLI

• support diagnostics – package and upload a collection of logs and debug info (including packet captures)

• config (backup | restore) – backup or restore the configuration. Backup requires FTP. Restore requires FTP or HTTP


Policy & Traffic Flow

• Interesting traffic is redirected via the ASA

– ASA Traffic Class and Policy Maps

– Configured via ASA or Off-Box PRSM

– Fail-Open or Fail-Close

• Policy Sets are configured for Access, Identity, Decryption, IPS, NAT

– Top down, first match

– Ends with default Permit Any

• Off-box PRSM management can manage ASA ACL, interface and NAT capabilities

• ASA performs Active Identification (cut-through proxy)


Policy Objects

• Network Group (IPv4/IPv6)

• Service Group

• Identity Object

• URL Object

• Browser Agent Object

• Application Objects

• Secure Mobility Objects

• Application Service

• File Filtering

• Web Reputation

• Used in Policy Configuration

– Reusable

– One-Way Discoverable from ASA

– Supports REGEX

• Various types depending on policy need


Global Policy Definition



Access Policy Creation


Troubleshooting

• PRSM Dashboard

– Statistical reporting

• Event Viewer

– Customizable Syslog viewer

• Packet Capture

– Capture raw data for off box analysis

• CLI

– Application

– Interface

– Identity


Web Security Appliance


Web Security Appliance

• Monitors and mitigates any abnormal web activity between users and the Internet.

• Enterprise-class Proxy

– Explicit

– Transparent

• Functions

– Enforce Acceptable Use

– Content inspection

– Block malware, spyware and other threats

• HTTP, HTTPS and FTP over HTTP

• Appliance or Virtual Machine


Web Security Appliance Overview

Figure: Cisco SIO feeds URL Filtering and the Reputation Filter at time of request, and Dynamic Content Analysis (DCA), Signature-based Anti-Malware Engines and Advanced Malware Protection at time of response; each stage can Block, and the outcomes shown for a request are Block, Allow, Warn and Partial Block.


WSA License Options

• Subscription Based Licensing

• License: Cisco Web Security Essentials

– Threat Intelligence, Layer 4 Traffic Monitoring, AVC Policy management, Actionable reporting, URL filtering, Third-party DLP integration via ICAP

• License: Cisco Web Security Premium

– Essentials plus Real Time Malware Scanning

• Cisco Anti-Malware License

• Sophos, Webroot or McAfee real-time malware scanning available as a single, a la carte license.


WSA Policy Types

• Access, Identity, Decryption

• Software as a Service (Google Apps, SalesForce, WebEx)

• Routing (traffic redirection, modification)

• Bandwidth

• Data Security (On-box and external)

• Malware Scanning

• SOCKS

• Policy Results

– Allow, Warn, Block, Redirect, Monitor

– First match (top-down order)


Global Policy Configuration



Application Policy Configuration

Controlling behaviors within known applications.


Decryption Policy Configuration

Decryption can be done via URL Category, Reputation or other classification methods.


Policy Trace Tool - Troubleshooting

The WSA will walk the user/attributes through the policy tree.
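The slides describe the same evaluation model for the ASA NGFW and the WSA: several policy tables (Identity, Decryption, Data Security, Access), each walked top down, first match, ending in a global catch-all, with the Policy Trace tool reporting which rule decided each stage. The following is an added example, not code from the Cisco deck or from the WSA itself: a toy engine in that shape with a trace. The rule tables, the reputation thresholds, the subnets and the requests are all constructed for illustration; the WSA's real rule language, defaults and action names are not reproduced.

```python
"""Added example (not from the Cisco deck): a toy first-match policy engine
with a trace, modelled on the WSA policy tables described on these slides.
It evaluates Identity -> Decryption -> Data Security -> Access policies top
down, first match, and records which rule decided each stage, the way the
Policy Trace tool reports it. Tables, thresholds and requests are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional
import ipaddress


@dataclass
class Request:
    client_ip: str
    user: Optional[str]        # None = identity not yet established
    url: str
    method: str = "GET"
    body_bytes: int = 0
    url_category: str = "Uncategorized"
    reputation: float = 0.0    # WBRS-style score: -10 (worst) .. +10 (best)


@dataclass
class Rule:
    name: str
    action: str
    match: Callable[[Request], bool] = lambda r: True   # default: catch-all


def in_subnet(*cidrs: str) -> Callable[[Request], bool]:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.client_ip) in n for n in nets)


def first_match(table: str, rules: list[Rule], req: Request, trace: list[str]) -> str:
    """Top-down, first-match evaluation of one policy table. The last rule of
    every table is its global (catch-all) policy, so a match is guaranteed."""
    for rule in rules:
        if rule.match(req):
            trace.append(f"{table}: matched '{rule.name}' -> {rule.action}")
            return rule.action
    raise RuntimeError(f"{table}: no catch-all rule")


# Constructed policy tables; names, subnets and thresholds are assumptions.
IDENTITY = [
    Rule("Guest network", "no-auth", in_subnet("192.0.2.0/24")),
    Rule("Corporate LAN", "auth-required", in_subnet("10.0.0.0/8")),
    Rule("Global Identity Policy", "no-auth"),
]
DECRYPTION = [  # consulted only for HTTPS
    Rule("Finance sites", "Pass Through", lambda r: r.url_category == "Finance"),
    Rule("Global Decryption Policy", "Decrypt"),
]
DATA_SECURITY = [  # POST/PUT uploads larger than 4 KB, evaluated before access policies
    Rule("Uploads to file sharing", "Block", lambda r: r.url_category == "File Sharing"),
    Rule("Global Data Security Policy", "Monitor"),
]
ACCESS = [
    Rule("Malicious reputation", "Block", lambda r: r.reputation < -6),
    Rule("Suspicious reputation", "Warn", lambda r: r.reputation < -3),
    Rule("No games for corporate users", "Block",
         lambda r: r.url_category == "Games" and (r.user or "").startswith("CORP\\")),
    Rule("Global Access Policy", "Allow"),
]


def policy_trace(req: Request) -> tuple[str, list[str]]:
    """Walk one request through the policy tree; return (final action, trace)."""
    trace: list[str] = []
    if first_match("Identity", IDENTITY, req, trace) == "auth-required" and req.user is None:
        trace.append("Identity: user unknown -> client must authenticate first")
        return "Challenge", trace
    if req.url.startswith("https://"):
        if first_match("Decryption", DECRYPTION, req, trace) == "Pass Through":
            trace.append("Decryption: not decrypted, so content is not inspected")
            return "Pass Through", trace
    if req.method in ("POST", "PUT") and req.body_bytes > 4 * 1024:
        if first_match("Data Security", DATA_SECURITY, req, trace) == "Block":
            return "Block", trace
    return first_match("Access", ACCESS, req, trace), trace


if __name__ == "__main__":
    # Constructed request: a corporate user fetching a games site over HTTPS.
    action, steps = policy_trace(Request("10.1.2.3", "CORP\\alice", "https://games.example/",
                                         url_category="Games", reputation=2.5))
    print(action)
    print("\n".join(steps))
```

The order of the stages is the point: a large upload to a file-sharing category is stopped by the data-security table before the access table is ever consulted, and a request from a subnet whose identity policy requires authentication never reaches decryption or access policy until the user is known.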


Integrating WSA into the Network

• Explicit

– Web Proxy Auto Discovery Protocol (WPAD)

– Proxy Auto Configuration (PAC)

– Manually Defined

• Transparent

– Web Cache Communication Protocol (WCCP) v2

– Policy Based Routing

– Layer 4 or 7 switch

• WSA relies on HTTP to capture client identity

– Explicit: HTTP 407 Proxy Authentication Required

– Transparent: HTTP 307 Temporary Redirect followed by HTTP 401 Authentication Required
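Why the transparent case needs the extra redirect is easier to see with both sides' messages. The simulation below is an added example, not code from the Cisco deck or from the WSA: in explicit mode the browser knows it is talking to a proxy, so a 407 with Proxy-Authenticate is enough; in transparent mode the browser believes it is talking to the origin server and would not answer a proxy challenge, so the proxy first bounces it to its own hostname with a 307 and challenges with 401/WWW-Authenticate there. The proxy hostname, realm, credential store and redirect URL format are constructed for this example and do not reproduce the WSA's own.

```python
"""Added example (not from the Cisco deck): how a web proxy captures client
identity in explicit versus transparent deployment. Proxy hostname, realm,
credentials and the /auth redirect format are constructed assumptions."""
import base64
from typing import Optional

PROXY_HOST = "wsa.example.internal"     # assumed proxy hostname
VALID = {"alice": "s3cret"}             # constructed credential store


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: method, target and lower-cased headers."""
    request_line, *header_lines = raw.strip().splitlines()
    method, target, _version = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def check_basic(value: Optional[str]) -> Optional[str]:
    """Return the user name if 'Basic <b64>' carries a valid credential, else None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if VALID.get(user) == password else None


def proxy_response(mode: str, raw_request: str) -> tuple[int, dict, Optional[str]]:
    """Return (status, response headers, identified user) for one client request."""
    req = parse_request(raw_request)
    h = req["headers"]
    if mode == "explicit":
        # The browser sent an absolute URI to a proxy it knows about, so a
        # proxy-level challenge (407 + Proxy-Authenticate) is understood.
        user = check_basic(h.get("proxy-authorization"))
        if user is None:
            return 407, {"Proxy-Authenticate": 'Basic realm="WSA"'}, None
        return 200, {}, user
    if mode == "transparent":
        host = h.get("host", "")
        if host != PROXY_HOST:
            # Intercepted origin request: send the browser to the proxy's own
            # name, carrying the original URL so it can be resumed later.
            return 307, {"Location": f"http://{PROXY_HOST}/auth?orig=http://{host}{req['target']}"}, None
        user = check_basic(h.get("authorization"))
        if user is None:
            # Now the browser thinks it talks to a normal web server, so an
            # origin-style challenge (401 + WWW-Authenticate) is understood.
            return 401, {"WWW-Authenticate": 'Basic realm="WSA"'}, None
        # Identity captured; send the browser back to the URL it originally asked for.
        original = req["target"].partition("orig=")[2]
        return 307, {"Location": original}, user
    raise ValueError(f"unknown mode {mode!r}")


def explicit_exchange() -> list[tuple[int, Optional[str]]]:
    """Explicit proxy: 407 challenge, then success once credentials are supplied."""
    cred = base64.b64encode(b"alice:s3cret").decode()
    first = "GET http://intranet.example/ HTTP/1.1\r\nHost: intranet.example\r\n"
    retry = first + f"Proxy-Authorization: Basic {cred}\r\n"
    steps = []
    for raw in (first, retry):
        status, _headers, user = proxy_response("explicit", raw)
        steps.append((status, user))
    return steps


def transparent_exchange() -> tuple[list[tuple[int, Optional[str]]], str]:
    """Transparent proxy: 307 to the proxy, 401 there, then 307 back to the origin URL."""
    steps = []
    # 1. Browser asks the origin directly; WCCP or PBR hands the flow to the proxy.
    status, headers, user = proxy_response("transparent", "GET /report HTTP/1.1\r\nHost: intranet.example\r\n")
    steps.append((status, user))
    path = headers["Location"].split(PROXY_HOST, 1)[1]
    # 2. Browser follows the redirect to the proxy's own name, still unauthenticated.
    status, headers, user = proxy_response("transparent", f"GET {path} HTTP/1.1\r\nHost: {PROXY_HOST}\r\n")
    steps.append((status, user))
    # 3. Browser retries with credentials; the proxy records the identity and resumes the original URL.
    cred = base64.b64encode(b"alice:s3cret").decode()
    status, headers, user = proxy_response(
        "transparent", f"GET {path} HTTP/1.1\r\nHost: {PROXY_HOST}\r\nAuthorization: Basic {cred}\r\n")
    steps.append((status, user))
    return steps, headers["Location"]


if __name__ == "__main__":
    print("explicit:", explicit_exchange())
    print("transparent:", transparent_exchange())
```

The example uses Basic credentials so the exchange fits on a page; the slide's NTLM/NTLMSSP realm adds round trips inside the same 407 or 401 challenge, but the explicit-versus-transparent shape does not change.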


WSA Realms and Realm Sequences

• An authentication realm is a set of one or more authentication servers supporting a single authentication protocol.

• Only one NTLM realm can be configured (Basic/NTLMSSP).

• More than one LDAP realm can be configured (v2/v3/Secure).

• A realm sequence is an ordered sequence of realms.

• Cisco Context Directory Agent

– Standalone Virtual Machine

– Transparent with Active Directory

– Monitors Active Directory for logged in users and maps IP Address to Name

• Ability to define access controls for users who fail authentication.


Bandwidth Control

• The Cisco Application Visibility and Control engine allows administrators to control the amount of bandwidth used for particular application types.

• You can limit the bandwidth usage for media applications

– Cache or real-time

• Two limit types:

– Overall bandwidth limit

– User bandwidth limit

• The most restrictive option applies.


Web Reputation (WBRS)* Filtering

• Assigns a web-based reputation score to a URL to determine the likelihood that it contains URL-based malware.

– Information provided by the Cisco SIO

• Can be used with Access, Decryption, and Data Security Policies.

• Web Reputation Scores are associated with an action to take on a URL request.

• Available actions depend on the policy group type that is assigned to the URL

* Consists of: URL categorization data, presence of downloadable code, presence of long, obfuscated EULAs, global volume and changes in volume, network owner information, URL history, URL age, presence on any allow/block lists, URL typos, domain registrar information, IP address information.


Data Security Overview

• Control of sensitive data leaving the network (HTTP, HTTPS, FTP)

• Configured on the Cisco WSA using data security filters and policies

• Policy actions based on file metadata

– File type, size, and name

– WBRS

– URL category

• Applies to all POST and PUT requests over 4 KB

• Evaluated before access policies

• Alternatively achieved by integration with third-party DLP systems


External Data Loss Prevention

• Supported integration with:

– Vontu DLP

– RSA Tablus DLP

• Uses ICAP

– Standard for integrating off-box scanning with web proxies

– ICAP client: Cisco Web Security Appliance

– ICAP server: Vontu / RSA Tablus

• ICAP server provides reporting, logging, and quarantine feature

• Multiple DLP servers supported for load balancing and failover


Cisco Cloud Web Security


Cisco Cloud Web Security Overview

• CWS provides real time scanning of HTTP and decrypted HTTPS traffic and malware protection

• Data centers geographically spread across the globe

• Identity aware

• CWS can be integrated with:

– Cisco ASA

– Cisco ISR G2

– Cisco WSA

– AnyConnect Secure Mobility Client.

• On-Premises and/or Off-Premises protection

Figure: CWS data centers shown on the map: San Francisco, Hong Kong, Tokyo, Chicago, Dallas, London, Frankfurt, Miami, New York, Sydney, Copenhagen, Singapore, Sao Paulo, Toronto, Vancouver, Zurich, Bangalore, Johannesburg, Paris.


Cisco Web Security Provides Strong Protection

Figure: the CWS scanning pipeline. Cisco SIO feeds URL Filtering and the Reputation Filter at time of request, and Dynamic Content Analysis (DCA), Signature-based Anti-Malware Engines and Real-time Sandbox Analysis at time of response; each stage can Block, and the outcomes shown for a request are Block, Allow, Warn and Partial Block.


Cisco ScanCenter Management Overview

• Access the ScanCenter at https://scancenter.scansafe.com.

• The ScanCenter is the Cisco Cloud Web Security administration portal.

• Manage users and groups, set policy, monitor traffic, and generate reports.

• Policy-rule actions include block, allow, warn, authenticate and anonymize.


Policy Configuration



Cisco ASA Cloud Web Security Overview

• Supported in IPv4 routed mode (single or multi-context), but not supported in transparent mode or with clustering

• Can have one primary and one backup Cisco CWS proxy server

• Traffic can be locally whitelisted to bypass inspection

– Applications update, VPN, trusted locations

• Understands user and group information. Compatible with Cisco CDA

• Configured via CLI or GUI

• Keepalives – TCP 3-way handshake every 15 minutes

– Automatic revert back to primary

• ASA Connector: ASA 9.0 or later


Scanning & Zero Day Intelligence

• Content is first broken down into types, such as PDF, EXE, GIF, Java and scripts.

– Third-party antivirus signature analysis checks for already known threats.

• Traffic that comes out of this scan clean is delivered to Outbreak Intelligence, where content is again broken into types for further scanning:

– Deep Content Analysis: content is analyzed for suspicious anomalies, such as executable code in an image file or an animated GIF file with only one frame.

– Structural Content Investigation: content is checked structurally for potentially harmful, hidden behavior.

– Virtualized Script Emulation: suspicious scripts are run in virtualized cloud infrastructure to check for hidden malicious behavior.

• After this scan, traffic content is determined to be safe or not.

• CWS will block part or all of the unsafe data
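The two Deep Content Analysis anomalies the slide names, executable code inside an image file and an "animated" GIF with a single frame, both come down to the same defensive idea: type the content by what its bytes say rather than by what the server claimed, then check that the structure is consistent with that type. The inspector below is an added example, not code from the Cisco deck or the CWS engine: it sniffs the type from magic bytes, walks the GIF block structure to count frames, and flags an embedded DOS/PE header in image data. The magic table, the MZ/PE heuristic, the `make_gif` builder and all sample files are constructed for this example.

```python
"""Added example (not from the Cisco deck): a small content inspector in the
spirit of the Deep Content Analysis step. Magic table, heuristics, thresholds
and sample files are constructed for illustration, not the CWS engine's logic."""
import struct

MAGIC = {  # leading bytes -> type; constructed subset
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "exe",
    b"\xca\xfe\xba\xbe": "java-class",
}
DECLARED = {"image/gif": "gif", "image/png": "png", "application/pdf": "pdf",
            "application/x-msdownload": "exe", "application/java-vm": "java-class"}


def sniff_type(data: bytes) -> str:
    """Type by magic bytes, independent of the declared Content-Type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def gif_frames_and_animation(data: bytes) -> tuple[int, bool]:
    """Walk the GIF block structure; return (frame count, has animation extension).
    Raises ValueError on a truncated or malformed file."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                           # header + logical screen descriptor
    if data[10] & 0x80:                                # global colour table present
        pos += 3 * (2 ** ((data[10] & 0x07) + 1))
    frames, animated = 0, False

    def skip_subblocks(p: int) -> int:                 # data sub-blocks end with a 0-length block
        while True:
            if p >= len(data):
                raise ValueError("truncated sub-blocks")
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                                # trailer
            return frames, animated
        if tag == 0x21:                                # extension block
            if data[pos + 1] == 0xFF and data[pos + 3:pos + 14] in (b"NETSCAPE2.0", b"ANIMEXTS1.0"):
                animated = True                        # looping/animation application extension
            pos = skip_subblocks(pos + 2)
        elif tag == 0x2C:                              # image descriptor = one frame
            frames += 1
            local = data[pos + 9]
            pos += 10
            if local & 0x80:                           # local colour table
                pos += 3 * (2 ** ((local & 0x07) + 1))
            pos = skip_subblocks(pos + 1)              # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{tag:02x} at offset {pos}")
    raise ValueError("missing trailer")


def inspect(content_type: str, data: bytes) -> list[str]:
    """Return the anomalies found; an empty list means nothing suspicious."""
    findings = []
    actual = sniff_type(data)
    if actual != DECLARED.get(content_type, "unknown"):
        findings.append(f"declared {content_type} but content looks like {actual}")
    if actual in ("gif", "png") and b"MZ" in data[8:] and b"PE\0\0" in data[8:]:
        findings.append("executable (MZ/PE) header embedded in image data")   # simple heuristic
    if actual == "gif":
        try:
            frames, animated = gif_frames_and_animation(data)
        except ValueError as exc:
            findings.append(f"malformed GIF structure: {exc}")
        else:
            if animated and frames == 1:
                findings.append("animated GIF declares a loop but has only one frame")
    return findings


def make_gif(frames: int, animated: bool, payload: bytes = b"\x00") -> bytes:
    """Build a minimal, structurally valid 1x1 GIF (constructed test input)."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0))   # no global colour table
    if animated:
        out += b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"                # looping extension
    for _ in range(frames):
        out += b"\x21\xf9\x04\x00\x0a\x00\x00\x00"                            # graphic control ext.
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)              # image descriptor
        out += b"\x02" + bytes([len(payload)]) + payload + b"\x00"             # LZW size + sub-block
    out += b"\x3b"
    return bytes(out)


if __name__ == "__main__":
    print(inspect("image/gif", make_gif(1, True)))
    print(inspect("image/gif", b"MZ\x90\x00" + b"\x00" * 60))
```

A real engine adds many more types and far stronger structural checks; the point the example makes is that the declared type, the sniffed type and the parsed structure are three independent signals, and a mismatch between any two of them is what "suspicious anomaly" means in practice.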


Cloud Web Security Traffic Redirection Overview

• Two methods to redirect user HTTP and HTTPS traffic

– Connector approach leveraging a Cisco device (ASA/ISRG2/WSA/AnyConnect)

– Direct to cloud approach (explicit proxy)

• Redirected traffic is encrypted – requires 3DES/AES license

• CWS Account Verification (generated from ScanCenter)

– Company Authentication Key – 16 byte hex number used on all devices

– Group Authentication Key – unique on each Cisco device

• Key allows CWS to associate traffic to customer/policy

• Account verification can be done at http://whoami.scansafe.net

– Company name, Connector version, external IP and so on are displayed if traffic is being redirected to the CWS proxy service


AnyConnect Web Security Module Overview

• Route HTTP and HTTPS traffic to Cisco Web Cloud for evaluation

– Windows only

• The AnyConnect Web Security module can be installed in two ways:

– ASA via an established SSLVPN connection

– Manual or Automatic Distribution

• Configuration is done via AnyConnect Profile Editor

– Standalone on Windows

– Web Security module on ASA

• XML Config file with .wso extension

– WebSecurity_ServiceProfile.wso is installed in the Profiles\websecurity folder

– Installed locally or from the CWS cloud


Cisco Email Security Appliance


Email Security Appliance Overview

• Secures the network edge by embedding multiple roles in a single system.

• Security services include: Reputation Filters, Message Filters, Anti-spam, Antivirus, Content Filters, Outbreak Filters, and DLP.

• Physical/Virtual, Cloud and Hybrid Solutions

– Cloud for Inbound, Local for Outbound

• Advanced cloud based email encryption key service through Cisco Registered Envelope Service (CRES)

• Active Directory / LDAP Integration

• Threat Database updated every 3-5 minutes

• Policy Trace and Message Tracking


Email Security Appliance Flow

Figure: Cisco SIO feeds each stage. SenderBase Reputation Filtering (Drop) → Anti-Spam & Spoofing Prevention (Drop/Quarantine) → AV Scanning & AMP (Drop/Quarantine) → Real-time URL Analysis (Quarantine/Re-write URLs) → Deliver.


Email Security Appliance Flow Summarized

• Accept Mail (SMTP server) – SMTP Receive

– Listen for SMTP connections

– Receive mail

– Enforce SMTP policies

– LDAP lookups

– Enqueue message

– Release inbound connection; MTA responsible for message

• Process Mail (Work Queue)

– Queue up for worker threads to perform slower tasks

– LDAP lookups

– Filter and scan messages

– Enqueue for delivery

• Deliver Mail (SMTP client) – SMTP Delivery

– Connect to destination MX host

– Enforce delivery policies

– Deliver message

– Release connection and message

– Possibly bounce


ESA General Setup

• ESA factory defaults – recommended to change both

– IP Address 192.168.42.42

– Username admin, password ironport

• Single or Dual Interface configuration to process mail traffic

– Single Listener or dual Listeners

– Public (MX/SMTP) and/or Private (IMAP/MAPI/POP)

• Listener components – Controlling Email

– HAT: Defines which remote hosts are allowed to connect and sets constraints for the incoming connections from the remote hosts

– RAT: Specifies the local domains for which the ESA will accept incoming email

• HAT and RAT control inbound email. HAT also controls outbound mail


Single Listener Deployment

[Diagram: Internet -> public IP (NAT) -> ASA firewall and IPS -> DMZ holding the ESA, an MTA relay and the M-Series management appliance -> internal network with the mail server and the LDAP server]

Single physical interface with one IP address; a single listener handles incoming and outgoing mail.

Dual Listener Deployment

[Diagram: same topology as the single listener deployment, but the ESA has two data interfaces, one on the DMZ side and one with an RFC 1918 address on the internal side]

• One interface for sending and receiving mail from the Internet

• One interface (RFC 1918 address) for receiving and sending mail from the intranet

Incoming / Outgoing Mail – Host Access Table

• The HAT controls mail policy for the SMTP server/client.

– Permit mail from all external sources

– Allow only designated internal sources

[Screenshot: Single HAT Example]

Incoming Mail – Recipient Access Table

• Controls whether the ESA will accept mail for a given recipient/domain.

– Evaluated on the RCPT TO address in the SMTP envelope, not on the message's To: header
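The HAT and RAT decisions described on the two slides above, modelled in Python as an added example (this is not Cisco code and not an ESA configuration). The HAT is walked top to bottom on the connecting IP to pick a sender group and its mail flow policy; each RCPT TO is then checked against the RAT unless the policy is RELAY. The sender groups, CIDR ranges, recipient limit, domains and reply strings are constructed for the example, and a real listener also matches on hostname and SenderBase reputation, which this omits.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class MailFlowPolicy:
    """What a sender group may do once matched (constructed subset of HAT policy settings)."""
    name: str
    connection_behavior: str          # ACCEPT, RELAY, REJECT or TCPREFUSE
    max_recipients_per_message: int = 1000


@dataclass
class SenderGroup:
    name: str
    members: list                     # CIDR strings; the real HAT also matches hostnames and reputation
    policy: MailFlowPolicy


# Constructed HAT for a public listener. Order matters: the first matching group wins.
HAT = [
    SenderGroup("RELAYLIST", ["10.1.1.0/24"], MailFlowPolicy("RELAYED", "RELAY")),
    SenderGroup("BLACKLIST", ["203.0.113.0/24"], MailFlowPolicy("BLOCKED", "REJECT")),
    SenderGroup("ALL", ["0.0.0.0/0"], MailFlowPolicy("ACCEPTED", "ACCEPT", max_recipients_per_message=50)),
]

# Constructed RAT: the local domains this ESA accepts inbound mail for.
RAT = {"example.com": "ACCEPT", "example.net": "ACCEPT", "old.example.com": "REJECT"}


def hat_lookup(client_ip):
    """Walk the HAT top to bottom and return the first sender group containing client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for group in HAT:
        if any(addr in ipaddress.ip_network(cidr) for cidr in group.members):
            return group
    raise LookupError("HAT has no catch-all group")  # unreachable while ALL is present


def rcpt_verdict(policy, recipient):
    """SMTP reply for one RCPT TO, decided on the envelope domain (not the To: header)."""
    if policy.connection_behavior == "RELAY":
        return "250 OK"                       # trusted internal MTA may send anywhere
    domain = recipient.rpartition("@")[2].lower()
    action = RAT.get(domain)
    if action == "ACCEPT":
        return "250 OK"
    if action == "REJECT":
        return "550 recipient rejected by RAT"
    return "550 relaying denied"              # not a local domain: refuse, or the ESA is an open relay


def smtp_session(client_ip, recipients):
    """Return (connection verdict, {recipient: reply}) for one inbound session."""
    group = hat_lookup(client_ip)
    policy = group.policy
    if policy.connection_behavior in ("REJECT", "TCPREFUSE"):
        return f"{policy.connection_behavior} by {group.name}", {}
    replies = {}
    for n, rcpt in enumerate(recipients, 1):
        if n > policy.max_recipients_per_message:
            replies[rcpt] = "452 too many recipients"
        else:
            replies[rcpt] = rcpt_verdict(policy, rcpt)
    return f"ACCEPT by {group.name}", replies


if __name__ == "__main__":
    print(smtp_session("198.51.100.7", ["alice@example.com", "bob@elsewhere.org"]))
```

The point worth checking on a real listener is the same one the example enforces: a public listener whose sender group policy is ACCEPT must still refuse recipients outside the RAT, otherwise it is an open relay; only the sender group for the internal mail servers should carry a RELAY policy.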


Mail Policies

• Rules for managing email flow within the organization.

– Matches mail with ESA analysis tools

• Separate Incoming and Outgoing policies


Anti-Spam Overview

• Runs after the reputation filters (Cisco SenderBase)

• Context Adaptive Scanning Engine (CASE)

• CASE combines who, how, what and where to derive a score from 1 to 100

– Positive spam: score ≥ 90 (default threshold)

– Suspect spam: 50 ≤ score < 90 (default threshold)

• Identified spam can be delivered, dropped, quarantined, or bounced

• The quarantine can be stored locally, centrally, or be disabled

• End users can review quarantined mail and create Safelists and Blacklists


Reporting

• Reporting is done in a drill-down fashion.

– Inbound and outbound emails

– Policy and threat blocked emails

– Content, spam, virus, invalid recipients, etc.

• Reports can be:

– Run for specific time ranges

– Scheduled to be run off hours

– Automatic delivery to recipients


Cisco Intrusion Prevention Systems


Cisco IPS Overview

• Provides filtering of known network worms and viruses, DoS traffic, and directed hacking attacks.

– Over 5500 Signatures

– Anti-evasion technology

– Zero-day protection

• Hardware appliance, hardware module, software module

– Standalone, ASA, NGFW, IOS

• Flexible Deployment Modes

– Inline with Blocking and Reporting capability

– Promiscuous with Reset, Monitoring and Reporting capability

• Support for up to 4 virtual sensors per IPS


Cisco IPS Overview

[Diagram: traffic flows IN -> OUT through the stages below; Cisco Security Intelligence Operations feeds signature updates, engine updates and global correlation into the sensor]

• Before the attack

– Reputation filtering: known-bad hosts are dropped

– Virtual sensor selection: traffic is directed to the appropriate sensor

– Attack de-obfuscation: inbound traffic is normalized to remove attempts to hide an attack

• During the attack

– Atomic inspection: single-packet (atomic) attacks detected

– Inspection engines: vulnerability, exploit, behavioral anomaly, protocol anomaly

– On-box correlation engine: Meta Event Generator for event correlation

– Risk-based policy control: a calibrated "Risk Rating" is computed for each event; event action policy is based on risk categories (e.g. High / Med / Low); filters for known benign triggers; optional network participation

• After the attack

– Mitigation and alarm: the "Threat Rating" of an event indicates the level of residual risk

– Forensics capture


IPS Management Options

• IPS Device Manager (IDM)

– Configure, administer, and monitor individual IPS sensors

• IPS Manager Express (IME)

– System health, events, and collaboration monitoring in addition to reporting and configuration for up to ten sensors.

• Adaptive Security Device Manager (ASDM)

– Tabbed interface similar to IDM. Single application to manage Firewall and IPS

• Cisco Security Manager (CSM)

– Comprehensive management solution that enables advanced management and rapid troubleshooting of multiple security devices. Enables operational efficiency

• Command Line (CLI)


IPS Sensor Deployment Modes

• Promiscuous mode – Single Interface

– Sensor receives a copy of network traffic for analysis

– No production traffic impact for performance or failure

– Limited threat containment (TCP Reset, Shunning)

• Inline interface pair – Dual Interface

– Bump in the wire

– Impact for performance and possibly failure

– Superior threat containment

• Inline VLAN pair – Single interface, dual VLAN on single switch

• Inline VLAN group – Single interface, multi-VLAN on dual switches

• Similar to a firewall, avoid asymmetric traffic flows


IPS Integration with the Cisco ASA

• Traffic flowing through the ASA can be redirected to the IPS module

• Selective traffic monitoring

– Controlled via an Access Control List

– Traffic can also be selected by user identity (username or Active Directory group)

• Inline or Promiscuous

• Fail-open or Fail-close capability


IPS Signatures

• Three Signature types supported

– Default – Built into and downloaded to the sensor

– Tuned - Built-in that have been modified

– Custom – Locally created signatures

• Signature Engines

– A signature engine is a traffic inspection function that analyzes a particular aspect (protocol, traffic pattern, and so on) of network traffic.

– Each Cisco IPS signature is controlled by a particular signature engine.

– Signature engines process traffic in parallel.

• Custom Signatures

– Signature numbers 60,000 and higher


Threat Prevention Profiles

• Simplify the signature tuning effort with preset groups of signatures designed for specific network locations.

• Use Case Profiles

– SCADA – Industrial Control Systems

– Edge - client protection for the Internet edge

– Web Applications – server farm environments

– Data Center – overall protections for the data center

• Implemented in 7.3(1) code

• Available on the 43xx and 45xx IPS appliances


Cisco Signatures Configuration


Risk Rating (RR)

• Quantitative measure of your network's threat level before IPS mitigation.

• A value between 0 and 100 that represents a numerical quantification of the risk associated with a particular event on the network

– Range 90 to 100 - add the Deny Packet action to the Default Signature action(s)

– Value less than 90 just apply the Default Signature action(s)

• Add event actions globally without having to modify each signature individually

• Reputation data is also factored in RR calculation

RR = (ASR × TVR × SFR) / 10,000 + ARR - PD


Understanding Threat and Risk Rating

Component            IPS Variable                       Source                                 Values
-------------------  ---------------------------------  -------------------------------------  ----------------------------------------------------------------------
Potential damage     Attack Severity Rating (ASR)       Preconfigured in a signature, tunable  Informational (25), Low (50), Medium (75), High (100)
Target asset value   Target Value Rating (TVR)          Manually configured                    Zero (50), Low (75), Medium (100), High (150), Mission Critical (200)
Signature accuracy   Signature Fidelity Rating (SFR)    Preconfigured in a signature, tunable  0–100
                     Promiscuous Delta (PD)             Preconfigured in a signature, tunable  0–30
Attack relevancy     Attack Relevancy Rating (ARR)      Collected or manually configured       Relevant (10), Unknown (0), Not Relevant (–10)
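A worked example of the Risk Rating formula and the component table above, written in Python for this page (it is not Cisco code). Assumptions beyond what the slides state: the promiscuous delta is subtracted only when the sensor runs in promiscuous mode (where it cannot block); the result is clamped to the 0 to 100 range the slide gives; the reputation influence the slide mentions but does not show is modelled as an additive adjustment supplied by the caller; the 90 cut-off for adding Deny Packet follows the slide.

```python
# Component values from the table (constructed lookups keyed by their slide labels).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission critical": 200}
ARR = {"relevant": 10, "unknown": 0, "not relevant": -10}
RR_DENY_THRESHOLD = 90   # slide: an RR of 90..100 adds Deny Packet to the default actions


def risk_rating(asr, tvr, sfr, arr="unknown", pd=0, promiscuous=False, reputation_adjust=0):
    """RR = (ASR * TVR * SFR) / 10,000 + ARR - PD, clamped to 0..100.

    pd (0..30) is subtracted only in promiscuous mode, where the sensor cannot block
    and should not overstate the risk it removed.  reputation_adjust is an assumed
    additive term standing in for the global correlation adjustment the slides
    mention without showing.
    """
    if not 0 <= sfr <= 100:
        raise ValueError("SFR must be 0..100")
    if not 0 <= pd <= 30:
        raise ValueError("PD must be 0..30")
    rr = ASR[asr] * TVR[tvr] * sfr / 10_000 + ARR[arr]
    if promiscuous:
        rr -= pd
    rr += reputation_adjust
    return max(0, min(100, round(rr)))


def event_actions(rr, default_actions=("produce-alert",)):
    """Apply the slide's global override: add Deny Packet once RR reaches the threshold."""
    actions = list(default_actions)
    if rr >= RR_DENY_THRESHOLD:
        actions.append("deny-packet-inline")
    return actions


def rate_event(asr, tvr, sfr, **kw):
    """Return (RR, actions) for one event so the two steps can be checked together."""
    rr = risk_rating(asr, tvr, sfr, **kw)
    return rr, event_actions(rr)


if __name__ == "__main__":
    # Same signature hit on the same asset, inline versus promiscuous
    print(rate_event("high", "medium", 85, arr="relevant"))
    print(rate_event("high", "medium", 85, arr="relevant", pd=30, promiscuous=True))
    # A medium event that only crosses the blocking threshold because of a bad reputation
    print(rate_event("medium", "medium", 80, reputation_adjust=35))
```

The three calls at the bottom show the behaviour that matters in tuning: a high-severity hit on a medium-value asset scores 95 inline and is blocked, the identical hit scores 65 on a promiscuous sensor and only alerts, and a mission-critical asset pushes the raw value past 100 before clamping, so TVR is the knob that makes everything on that host block.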


Custom IPS Signatures

• Help to address specific threats in your environment

• Create signature ID and Name

• Identify the IPS Engine - Protocol

• Match Conditions

– Header content

– Payload characteristics

• Identify thresholds and counters

• Correlation

• Simplified with the Custom Signature Wizard


Anomaly Detection

• Learns network traffic patterns and identifies behavior deviations

• Finds worms as they attempt to spread

• Identifies worm-infected hosts by their behavior as scanners

• Provides zero-day detection

• Analyzes TCP, UDP and ICMP traffic

• Does not detect email, instant messaging, or file sharing-based worms

• Customizable zones for improved efficacy

– Internal, External, Illegal

• Actions – specific signatures created for anomaly detection
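A reduced re-implementation of the scanner and worm logic the slide describes, added here as an example in Python (it is not Cisco's anomaly detection engine). Per zone and per service it counts the distinct destinations a host tried to reach without a completed connection; a host over the scanner threshold is flagged as a scanner, and a zone/service with more scanners than its learned baseline raises a worm alert. The zone address ranges, the threshold, the baseline histogram and the flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed zones. "illegal" is address space assigned to nobody, so any traffic
# towards it is suspicious; it is carved out of the internal range and checked first.
ZONES = {
    "illegal": [ipaddress.ip_network("10.250.0.0/16")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}
SCANNER_THRESHOLD = 20   # assumed: distinct unanswered destinations per host, per service, per window
# Assumed learned histogram: how many scanners per zone/service this network normally shows.
BASELINE = {("internal", "tcp/445"): 1, ("external", "tcp/445"): 2, ("illegal", "tcp/445"): 0}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone in ("illegal", "internal"):
        if any(addr in net for net in ZONES[zone]):
            return zone
    return "external"


def find_scanners(flows):
    """flows: (src, dst, proto, dport, established) tuples for one observation window.

    Returns {(zone, service): {src: unanswered_destination_count}} for hosts over threshold.
    """
    unanswered = defaultdict(set)
    answered = defaultdict(set)
    for src, dst, proto, dport, established in flows:
        key = (src, zone_of(dst), f"{proto}/{dport}")
        (answered if established else unanswered)[key].add(dst)
    scanners = defaultdict(dict)
    for (src, zone, service), dsts in unanswered.items():
        # a destination that completed a handshake in the same window is a peer, not a probe
        probes = len(dsts - answered.get((src, zone, service), set()))
        if probes > SCANNER_THRESHOLD:
            scanners[(zone, service)][src] = probes
    return dict(scanners)


def worm_alerts(scanners):
    """A zone/service with more scanners than its learned baseline looks like a spreading worm."""
    return sorted(
        (zone, service, sorted(hosts))
        for (zone, service), hosts in scanners.items()
        if len(hosts) > BASELINE.get((zone, service), 0)
    )


def sample_flows():
    """Constructed flow records: two infected hosts sweeping tcp/445, one also probing unused space."""
    flows = [("10.1.1.50", f"10.1.2.{i}", "tcp", 445, False) for i in range(1, 41)]
    flows.append(("10.1.1.50", "10.1.2.1", "tcp", 445, True))                         # one target answered
    flows += [("10.1.1.50", f"10.250.0.{i}", "tcp", 445, False) for i in range(1, 26)]   # illegal zone
    flows += [("10.1.1.51", f"10.1.4.{i}", "tcp", 445, False) for i in range(1, 31)]
    flows += [("10.1.1.10", f"10.1.3.{i}", "tcp", 445, True) for i in range(1, 41)]     # backup server, all established
    flows += [("10.1.1.7", f"10.1.2.{i}", "tcp", 445, False) for i in (200, 201)]        # admin retrying two dead hosts
    return flows


if __name__ == "__main__":
    found = find_scanners(sample_flows())
    print(found)
    print(worm_alerts(found))
```

Two details carry over to tuning a real sensor: established sessions are never counted, so a backup or management server that talks to hundreds of hosts is not a scanner, and the illegal zone has a baseline of zero, so a single host probing unassigned space is enough to alert even when the same host is still within the internal zone's learned histogram.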


Global Correlation & Reputation Services

• Reputation filters

– First line of defense

– List of IP addresses downloaded from Cisco SensorBase for blocking

• Global correlation

– Adjustment of the event risk rating

– Based on the reputation score

• Participating IPS devices

– Send data to the global correlation database.

– Receive threat updates


Reputation and Correlation Flow

• Reputation Filters block access to IPs on stolen ‘zombie’ networks or networks controlled entirely by malicious organizations

• Global Correlation raises the Risk Rating of events when the attacker has a negative reputation allowing those events to be blocked more confidently


Summary


Implementing Cisco Threat Control Solutions

• The attack surface is wide and long

– Email Threats, Web Threats, Network Threats, Mobile Threats

• Security is receiving more attention than ever before

• Cisco Security Solutions help to secure networks and reduce risk

• Security Engineers are in high demand

• Other Cisco security solutions, such as the Cisco Identity Services Engine, work hand-in-hand with the Cisco Threat Protection product sets

• Security requires an architectural, integrated approach


Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

– Your favorite speaker’s Twitter handle <@SamCamarda>

– Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could be a Winner


Complete Your Online Session Evaluation

• Give us your feedback and you could win fabulous prizes. Winners announced daily.

• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Continue Your Education

• Demos in the Cisco Campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• CCNP Study Group

– https://learningnetwork.cisco.com/groups/ccnp-security-study-group
