Deploying Secure Branch and Edge Solutions (2012 San Diego)

With cloud adoption on the rise, enterprises are embracing cloud infrastructures to support services such as BYOD. According to Cisco's own research, 70% of enterprises are deploying cloud infrastructures to host applications like VDI, video and Unified Communications. Virtual desktop technologies in particular are expected to save 50% in total cost of ownership (as estimated by VMware research). Video in the branch is another application that 66% of enterprises are expected to deploy. These cloud-based applications will have a significant impact on network bandwidth utilization and on the ability to remain compliant with regulations such as PCI, and therefore require a different approach to delivering secure solutions. This session explores these challenges in detail and shows how they are addressed with the security solutions offered by Cisco ISR G2 series routers. Security technologies covered include Cisco IOS Security, VRF-aware Zone-Based Firewall, IOS IPS, ScanSafe cloud-based web security and context-aware Cisco TrustSec. The session targets network and security IT managers who need to implement security in the next-generation branch and WAN network.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4365

    Presentation Transcript

    • Deploying Secure Branch and Edge Solutions, BRKSEC-2031. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Live 2012
    • About Jerry Lin
      ‒ Security Consulting Systems Engineer, Enterprise West
      ‒ Joined Cisco as Systems Engineer in 1998
      ‒ R/S CCIE #6469, CISSP 73414, etc.
      ‒ Co-authored "NAC Appliance: Enforcing Host Security with CleanAccess", Cisco Press 2007
      ‒ Master of Science degree in Mechanical Engineering, University of California, Irvine
      ‒ Family, runner, marathoner
    • BRKSEC-2031 Session Target. Session level: Intermediate. Audience: network and security IT managers who need to implement security in the next-generation branch.
    • Additional Security Related Sessions
      ‒ BRKSEC-2030, Deploying IPS
      ‒ BRKSEC-3007, Advanced IOS Security Features
      ‒ BRKSEC-3013, Advanced IPSec with FlexVPN and IKEv2
      ‒ BRKSEC-3053, Deploying GET to Secure VPNs
      ‒ BRKSEC-4054, DMVPN Deployment Models
      ‒ And a few more
    • Agenda
      ‒ Security Challenges / Top-of-Minds
      ‒ Today and Tomorrow's Secure Branch/Edge
      ‒ Available Technologies: EasyVPN, GetVPN, DMVPN, FlexVPN; Zone-Based Firewall (with Security Group Tagging (SGT)); IOS IPS; Identity-Based Access Control (TrustSec); Application Visibility (Flexible NetFlow and NBAR2); ScanSafe Web Security
      ‒ Summary
      (a marker on the slide denotes new features)
    • Traditional Enterprise Network (diagram): headend, branch, the network, data center; architected to meet capacity.
    • Next-generation WAN (diagram): headend, branches, guest and vendor access, the network, data center / cloud; architected to meet capacity, with overwhelming complexity.
    • Security Challenges and Top-of-Minds
      ‒ Compliance (PCI/HIPAA)
      ‒ Vendor / guest / team member access control
      ‒ Staying secure (malware, zero-day attacks, etc.)
      ‒ Ease of security monitoring and management
    • How Do They Map To Cisco Solutions?
      ‒ Compliance: Cisco Validated PCI 2.0 Solution
      ‒ Network segmentation: TrustSec
      ‒ Security: TrustSec, switch/router integrated security, ScanSafe
      ‒ Management and monitoring: ISE / CSM / NCS
    • PCI DSS 2.0 Solution for Retail (reference architecture, available on CCO). Diagram: store (mobile POS, POS, manager PC, IP phone, surveillance, POS server) over a private WAN to the data center (IOS WAN aggregation, ecommerce/Internet edge, service provider edge, partner edge DMZ, firewall, core, WAN aggregation, services, access, server farm, storage) and the public Internet. Management, authentication, monitoring and encryption components: Cisco Security Manager, Cisco Prime NCS, EMC Ionix NCM, EMC Ionix UIM, RSA Archer, Cisco Unified Communications Manager, Cisco VSOM, Cisco PAM, Cisco NAC/ISE, RSA Authentication Manager, Cisco ACS, Active Directory, RSA SecurID Appliance, HyTrust, RSA enVision, RSA Data Protection Manager.
    • Cisco Router Security Portfolio (ISR / ASR secure routers): secure WAN aggregation, integrated threat control, performance and scalability
      ‒ ASR 1006/1013: 40 Gbps, 200K cps
      ‒ ASR 1002/1004: 10-40 Gbps, 200K cps; application intelligence, control and routing
      ‒ ISR 2900/3900, ASR 1001: up to 2.5 Gbps, 100K cps
      ‒ ISR 8xx/1900
      ‒ Placement: SOHO, branch office, Internet edge, WAN/campus edge; VPN, Zone-Based Firewall, integrated threat defense
    • Cisco ISR G2 Series Router Portfolio: 860, 880, 890; 1921, 1941, 1941W; 2901, 2911, 2921, 2951; 3925, 3925E, 3945, 3945E. Use cases: virtual office, secure mobility, customizable applications, secure collaboration, scalable rich-media services. Enhancing the Borderless Experience.
    • ISR-G2 Technical Overview
      ‒ Services Performance Engine (3900): upgradeable engines, SPE-200 and SPE-250
      ‒ Multi-core network processor: 5x–7x performance increase; packet prioritization and shaping; configurable power savings modes
      ‒ Multi-gigabit fabric: module-to-module communications
      ‒ NG DSP modules: video-ready DSP modules; 4x increase in audio conferencing and transcoding
      ‒ GE ports: 4 on 3900E, 3 on 2911 and up; SFP slots on 2921 and above
      ‒ EHWIC: 2x performance increase; HWIC/WIC/VWIC/VIC supported natively; EPoE capable
      ‒ Service modules: 3x–7x increase in service module performance; existing NM support through adapter; EPoE capable
      ‒ Internal Services Module: 3x increase in service module performance; configurable power savings mode; not available on 3900E and 1941W
      ‒ USB: console over USB, convenience storage, security credentials
    • Secure Branch
      Securing the branch: branch office threats include malicious activity by branch clients (malware proliferation, botnets, network and application abuse, and other malicious or non-compliant activity); WAN transit vulnerabilities such as sniffing and man-in-the-middle (MITM) attacks; and attacks against the infrastructure itself, such as unauthorized access, privilege escalation, and denial-of-service (DoS). Web and email threats (malicious web sites, compromised legitimate web sites, spam, and phishing) apply as soon as split-tunneling is enabled to provide local Internet access directly from the branch.
      ‒ AnyConnect Secure Mobility Client: always-on, persistent mobile security including IPSec, SSL, 802.1X supplicant, and ScanSafe web security.
      ‒ Edge protection: traffic filtering, routing security, firewall integration and IP spoofing protection to discard anomalous traffic flows, prevent unauthorized access and block illegitimate traffic.
      ‒ Secure access control: Cisco TrustSec services and Identity Services Engine (ISE) control of local access switches and WLCs for 802.1X, MAB, guest services, device profiling, and NAC.
      ‒ Secure WAN connectivity: data confidentiality and integrity with IPSec-based VPN with PKI, DMVPN, GET-VPN for MPLS, 3DES/AES encryption, QoS policy enforcement.
      ‒ Access edge security: iACLs, STP security, DHCP protection, ARP and IP spoofing protection, MAC and traffic flooding protection.
      ‒ Network foundation protection: control and management plane policing, NBAR, AutoSecure.
      ‒ Catalyst integrated security features: port security, DHCP snooping, ARP inspection, IP Source Guard, device profiling.
      ‒ IOS Zone-Based Firewall: integrated stateful firewall with Layer 7 inspection engines for voice, video, and data protocols.
      ‒ Local threat detection and mitigation: integrated IPS module for full hardware-based IDS/IPS appliance services, or IOS software-based IDS/IPS.
      ‒ AVC: visibility and control of over 1000 applications.
      ‒ Secure Unified Communications: secure data, voice, video and mobile applications across the network; secure call processing, voice and video encryption services, dynamic and granular access control, network security policy enforcement.
      ‒ Secure WLAN: CAPWAP APs to a central or local WLC for secure authentication, encryption with IPS, rogue AP detection, CleanAir spectrum analysis; data confidentiality and integrity provided by IPSec-based VPN and PKI.
      ‒ Web security (ScanSafe): ISR ScanSafe integration gives the branch direct access to the ScanSafe web security cloud through an intelligent connector; all local Internet traffic can be cleaned by the nearest ScanSafe scanning tower without back-haul to the head office.
      ‒ Active Directory integration: user/group authentication to the ScanSafe portal allows granular identity-based acceptable-use policy to be enforced where required; flexible management and redundancy through GPO and (hosted) PAC.
      Diagram elements: head office, MPLS WAN, Internet, WAN backup, ScanSafe connector.
    • ISR G2 Performance Baseline
    • ISR G2 Performance Summary (Mbps at 75% CPU; IMIX = 64 byte x7, 594 byte x4, 1518 byte x1; baseline IOS 15.0(1)M; N/T = not tested, L/R = line rate reached)

      Test case                                        | 1921 | 1941 | 2901 | 2911 | 2921  | 2951  | 3925  | 3945 | 3925E | 3945E
      IP (CEF)                                         | 617  | 723  | 761  | 867  | 1,048 | 1,300 | 1,817 | L/R  | L/R   | L/R
      NAT                                              | 93   | 100  | 101  | 114  | 138   | 275   | 418   | 496  | 1,334 | 1,064
      NAT + ACL                                        | 83   | 93   | 90   | 107  | 124   | 245   | 356   | 418  | N/T   | N/T
      NAT + ACL + QoS                                  | 58   | 67   | 63   | 73   | 86    | 117   | 168   | 200  | 534   | 668
      QoS                                              | 150  | 168  | 165  | 200  | 229   | 438   | 677   | 780  | L/R   | L/R
      HQoS                                             | 110  | 120  | 125  | 125  | 168   | 293   | 455   | 572  | 1,368 | 1,704
      HQoS + L2TPv3                                    | 100  | 108  | 113  | 113  | 156   | 269   | 389   | 509  | 1,152 | 1,440
      HQoS + NBAR + QinQ                               | 55   | 61.2 | 60   | 60   | 84    | 139   | 204   | 301  | 518   | 648
      L2TPv3 throughput (E models only, as listed)     |      |      |      |      |       |       |       |      | 1,337 | 1,735
      ZBFW (stateful)                                  | 204  | 237  | 180  | 265  | 328   | 418   | 755   | 873  | L/R   | L/R
      ZBFW + NAT (stateful)                            | 85   | 94   | 98   | 110  | 131   | 160   | 232   | 334  | 808   | 1,005
      ZBFW + NAT + ACL + QoS (stateful)                | 68   | 31   | 77   | 81   | 105   | 114   | 165   | 223  | N/T   | N/T
      ZBFW + NAT + IOS IPS (stateful)                  | 25   | 26   | 23   | 30   | 31    | 29    | 41    | 50   | 195   | 258
      IOS IPS only                                     | 28   | 35   | 26   | 27   | 33    | 33    | 49    | 57   | 235   | 304
      SSL, 100 users, RC4-MD5                          | 17   | 18   | 18   | 20   | 24    | 27    | 37    | 43   | N/T   | N/T
      SSL, 100 users, 3DES-SHA1                        | 10   | 11   | 10   | 9.8  | 13    | 34    | 45    | 55   | N/T   | N/T
      IPSec/AES, single tunnel                         | 48   | 52   | 53   | 61   | 72    | 103   | 154   | 179  | 477   | 670
      IPSec/AES, 100 tunnels                           | 42   | 43   | 45   | 52   | 61    | 86    | 125   | 139  | 420   | 599
      IPSec/3DES, single tunnel w/SHA                  | 43   | 46   | 47   | 54   | 64    | 96    | 143   | 172  | 477   | 658
      IPSec/3DES, 100 tunnels w/SHA                    | 37   | 40   | 40   | 45   | 53    | 82    | 116   | 132  | 438   | 590
      IPSec/AES multi-tunnel (with SHA)                | 36   | 39   | 38   | 46   | 51    | 70    | 103   | 105  | N/T   | N/T
      IPSec + QoS + GRE (V3PN)                         | 29   | 31   | 31   | 37   | 44    | 53    | 74    | 86   | 271   | 355
      Inter-VLAN (SVI to FE/GE) & HWIC-4ESW            | L/R  | L/R  | L/R  | L/R  | L/R   | L/R   | L/R   | L/R  | L/R   | L/R
      Inter-VLAN (SVI to SVI), 2 x HWIC-4ESW           | L/R  | L/R  | L/R  | L/R  | L/R   | L/R   | L/R   | L/R  | L/R   | L/R
      SVI: L3 IOS FW + IP ACL + NAT + QoS (HWIC-4ESW)  | 67   | L/R  | 66   | 74   | 87    | 102   | 102   | 102  | N/T   | N/T
    • ISM-VPN-x9 (19/29/39): high-performance VPN module for ISR G2, available today
      ‒ IOS requirement: 15.2(1)T or later
      ‒ Supported platforms: 1941, 2901, 2911, 2921, 2951, 3925, 3945
      ‒ Features: plug-and-play Internal Service Module (ISM) for VPN acceleration; 3X–5X throughput and 2X more VPN tunnels than the onboard crypto engine; adds hardware support for IKEv2 and the Suite B crypto algorithms
      ‒ Suite B standard: Suite B for IPSec VPN is defined in RFC 4869; U.S. DoD requirement
    • Suite B
      ‒ Suite B was originally designed by the NSA and is now an approved RFC (RFC 4869)
      ‒ It is required by customers worldwide
      ‒ It requires both hardware and software support to work
      ‒ These requirements overlap with DoD, are already required by governments, and will move into financial institutions
      ‒ Requests for SHA-2 support are coming from other customers
    • Suite B, IOS support
      Platform                                   | Software support | Hardware support
      ISR G1 (880, 1800, 2800, 3800)             | Not supported    | Not supported
      890                                        | 15.1(2)T         | 2H CY2012
      ISR G2 1900, 2901-2921 (Cavium)            | 15.1(2)T         | 2H CY2012
      ISR G2 2951, 3925, 3945 (Freescale)        | 15.1(2)T         | 15.1(3)T
      ISR G2 ISM-VPN-x9 (1900 to 3900E ISR G2)   | -                | 15.2(1)T
      ISR G2 3925E, 3945E                        | 15.1(2)T         | CC (end 2012)
    • ISM-VPN-x9: Overall System Performance (Mbps, IMIX at 75% CPU; "Services" = QoS + FW + NAT + ACL; column headings as recovered from the slide layout)
      Router | Module               | On-board IPSec only | On-board IPSec + Services | ISM-VPN IPSec + Services | ISM-VPN IPSec only | 3x On-board IPSec
      1941   | Cavium ISM-VPN-19    | 75                  | 41                        | 41                       | 100                | 75
      2901   | Cavium ISM-VPN-29    | 75                  | 41                        | 41                       | 100                | 75
      2911   | Cavium ISM-VPN-29    | 81                  | 43                        | 43                       | 125                | 81
      2921   | Cavium ISM-VPN-29    | 107                 | 51                        | 51                       | 150                | 107
      2951   | Cavium ISM-VPN-29    | 145                 | 78                        | 78                       | 225                | 145
      3925   | Freescale ISM-VPN-39 | 203                 | 94                        | 94                       | 300                | 203
      3945   | Freescale ISM-VPN-39 | 234                 | 105                       | 105                      | 350                | 234
    • Secure WAN Review
    • Cisco VPN Solutions
      DMVPN:
      ‒ On-demand point-to-multipoint encrypted VPNs
      ‒ Integrated voice, video, and data encryption with reduced TCO
      ‒ Simplified branch-to-branch connectivity solutions
      ‒ OPEX reduction using zero-touch deployment
      ‒ Resilient VPN solution combining both the crypto and routing control planes
      GETVPN:
      ‒ Tunnel-less encrypted VPNs
      ‒ Any-to-any VPN connectivity suitable for IP VPNs
      ‒ No overlay routing
      ‒ Simplified QoS integration with crypto
      ‒ Reduced latency and jitter due to direct communication with no central hub
      ‒ Eliminates point-to-point IKE relationships by using group encryption keys
      ‒ High availability to avoid the key server becoming a single point of failure
      Easy VPN:
      ‒ LAN-like encrypted VPN experience for a diverse set of VPN clients, including software clients
      ‒ Uses existing basic crypto technologies
      ‒ Enhances interoperability by consolidating tunnels from teleworkers, retail stores, or branch offices
      ‒ Centralized policy and management control
    • VPN Technology Positioning
      Criterion              | EzVPN                        | DMVPN                        | GET VPN
      Infrastructure network | Public Internet transport    | Public Internet transport    | Private IP transport
      Network style          | Hub-spoke (client to site)   | Any-to-any (site-to-site)    | Any-to-any (site-to-site)
      IP routing             | Reverse-route injection      | Dynamic routing on tunnels   | Dynamic routing on IP WAN
      Failover redundancy    | Stateful hub failover        | Route distribution model     | Route distribution model + stateful crypto failover
      Virtualization         | Yes                          | Yes                          | No
      IP multicast           | Multicast replication at hub | Multicast replication at hub | Multicast replication in the IP WAN network
    • VPN Technology Positioning (2)
      Criterion                        | EzVPN                       | DMVPN                      | GET VPN
      Forward/backward access control  | yes                         | yes                        | no
      PFS                              | yes                         | yes                        | only with group-key pull
      Recovery methods                 | DPD (min 15s)               | Routing + DPD (min 15s)    | None (key lifetime)
      Authorization management         | IKE profile based           | IKE profile based          | IP address based / ID based (crypto map)
      Scalability                      | Unlimited; 3000+ client/srv | Unlimited; 3000+ spoke/hub | 3000 GMs total; 1000 GM/KS
      Encryption style                 | Per-peer keys               | Per-peer keys              | 1 key for all
    • Comparison Conclusions
      ‒ GET VPN is simple in simple cases: if the network permits, it is an easy solution to deploy; no need for an overlay or an additional routing protocol; no "preferred position" in the network (no "hub")
      ‒ DMVPN and Easy VPN have other advantages: scalability is better; security is better (PFS, per-peer keying, access control); they enhance the transport network (QoS, mcast etc.); IPv6 over IPv4 and vice versa
    • Secure WAN: What's New!
    • What is FlexVPN?
      ‒ Unified VPN solution: completes the convergence of EasyVPN and DMVPN
      ‒ Connects any type of client: standards-based clients and routers, AnyConnect Essentials, Cisco remote routers with value-add services
      ‒ Transitions EasyVPN with Unity client extensions to an IETF-standard implementation with IKEv2
      ‒ Leverages Enhanced EasyVPN: infrastructure to provide value-add and differentiation; DVTI and virtual-access interfaces with RRI for IPSec proxy; Cisco IOS services (QoS, NAT, ZBFW, etc.) applied during tunnel instantiation
      ‒ Leverages DMVPN: all DMVPN topologies (dynamic spoke-to-spoke, hub-to-spoke and policy-based DMVPN); support for all routing protocols and direct integration of dynamic routing with customer networks
      ‒ Includes: zero-touch deployment, Secure Device Provisioning, network virtualization (VRF), IPSec HA, IPSec MIB, IPv4 and IPv6, multicast, and cloud services access
    • FlexVPN Advantages
      ‒ Training is easier, about one third of the normal time (customers, developers, systems engineers, AS, support); clean architecture, clean CLI (point-to-point interfaces are caveat-free)
      ‒ Easier management: RADIUS as a management console
      ‒ Facilitates head-end transition: DVTI is the solution enabler for the transition from C6K / 7600 / 7200
      ‒ Facilitates spoke transition: IKEv2 and IPv6 offer good transition timing; does not break anything
      ‒ FlexVPN is Cisco's IKEv2 ecosystem unifying all overlay VPNs under a single umbrella
      ‒ One VPN to develop and position; everything works; simplifies deployment and operation
    • FlexVPN Hub & Spoke Network Diagram (sample configuration from BRKSEC-3013): hub LAN 192.168.100.0/24 (hub .1, RADIUS server .254); spoke LAN 192.168.101.0/24 (spoke .1); hub WAN address 172.16.0.1.
    • Hub & Spoke – Spoke configuration. This is the same as when the hub uses a local database: the spoke config is unchanged when the hub moves to RADIUS. The IKEv2 authorization policy activates config-exchange ("route set interface" is optional); the tunnel IP address is assigned by the hub ("ip address negotiated") and the tunnel initiates automatically.
        aaa authorization network default local
        !
        crypto ikev2 authorization policy default
         route set interface
         route set access-list 99
        !
        crypto ikev2 keyring KR
         peer HUB
          address 172.16.0.1
          pre-shared-key local xyz
        !
        crypto ikev2 profile default
         match certificate HUBMAP
         identity local fqdn R3-Spoke.cisco.com
         authentication remote rsa-sig
         authentication local pre-shared
         keyring local KR
         pki trustpoint CA
         aaa authorization group cert list default default
        !
        access-list 99 permit 192.168.101.0 0.0.0.255
        !
        interface Tunnel0
         ip address negotiated
         tunnel source FastEthernet0/0
         tunnel destination 172.16.0.1
         tunnel protection ipsec profile default
    • Hub & Spoke – Hub configuration. The spoke pre-shared key and per-spoke attributes live on RADIUS; config-exchange is activated by the ipsec:route-set attributes. The hub authenticates itself with RSA signatures, authenticates spokes with a pre-shared key fetched from AAA via the name-mangler (which extracts the host part of the spoke FQDN), and clones a virtual-access interface from virtual-template 1 for each spoke.
        aaa authorization network default group radius
        aaa accounting network default start-stop group radius
        !
        aaa group server radius radius
         server-private 192.168.100.254 auth-port 1812 acct-port 1813 key cisco123
        !
        crypto ikev2 name-mangler extract-host
         fqdn hostname
        !
        crypto ikev2 profile default
         match identity remote fqdn domain cisco.com
         identity local dn
         authentication local rsa-sig
         authentication remote pre-shared
         keyring aaa default name-mangler extract-host
         pki trustpoint CA
         aaa authorization user psk cached
         virtual-template 1
        !
        interface virtual-template1 type tunnel
         ip unnumbered loopback0
         tunnel protection ipsec profile default
      RADIUS attributes returned for the spoke (PSK on RADIUS, plus the interface and route settings):
        ikev2-password-remote=xyz
        interface-config=ip unnumbered loopback0
        interface-config=policy-map PM out
        framed-ip=10.0.0.1
        ipsec:route-set=interface
        ipsec:route-set=prefix 0.0.0.0/0
        ipsec:route-accept=any
    • Secure WAN roadmap
      Offering                                           | Release  | Benefits
      FlexVPN spoke to spoke                             | 15.2(2)T | Integrated VPN solution with any-to-any connectivity
      Policy-based DMVPN                                 | 15.2(2)T | Customizable topology for DMVPN and EEM integration
      GETVPN for IPv6 networks                           | 15.2(3)T | IPv6 over IPv6 data plane support for private networks
      FlexVPN for IPv6 networks                          | 15.2(3)T | IPv6 connectivity for remote sites with FlexVPN
      Complete Suite B support on Fixed and platforms    | 15.2(4)M | 800 series, Cavium and 39x5E support for Suite B with embedded crypto
      ISM-VPN-x9 support with IPv6                       | 15.2(4)M | Accelerated performance for IPv6 VPN services
      IKEv2 load balancer                                | 15.2(4)M | Enhanced scalability with seamless load balancing
      Note: 15.2(3)T (March 12), 15.2(4)M (July 12)
    • Infrastructure Protection
      ‒ Turning off unnecessary services
      ‒ Enabling logging
      ‒ Enabling SSH
      ‒ Enabling HTTPS
      ‒ Enabling VTY, console and AUX timeouts, and ACLs
      ‒ Password management
      http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/IPSNGWAN.html
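The checklist above is easy to state and easy to let drift. The following is an added example, not from the Cisco Live deck or from Cisco: a small audit script that turns the six checklist items into concrete IOS commands and reports which are missing from a running-config. The two configurations in it are constructed for illustration (the enable secret hash is a placeholder), and the set of "unnecessary services" it checks is an assumption that a practitioner would extend to their own site standard.

```python
"""Audit an IOS running-config against the infrastructure-protection checklist.
Added example, not Cisco code: WEAK_CONFIG and HARDENED_CONFIG are constructed
samples, and the commands checked are one reasonable encoding of the six items."""
import re

# Constructed sample: a branch router with most of the checklist missing.
WEAK_CONFIG = """\
hostname BR1
enable password cisco
ip http server
line con 0
line aux 0
line vty 0 4
 password cisco
 transport input telnet ssh
"""

# Constructed sample: the same router after the checklist has been applied
# (the enable secret hash is a placeholder, not a real hash).
HARDENED_CONFIG = """\
hostname BR1
service password-encryption
no service pad
no ip finger
no ip bootp server
enable secret 5 $1$xxxx$placeholderhashvalue
logging buffered 64000
logging host 192.168.100.254
no ip http server
ip http secure-server
ip ssh version 2
ip access-list standard MGMT
 permit 192.168.100.0 0.0.0.255
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 0 1
 no exec
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 transport input ssh
"""

def parse_config(text):
    """Return (global commands, {'line vty 0 4': [child commands], ...})."""
    global_cmds, line_sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            line_sections[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            line_sections.setdefault(current, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, line_sections

def audit_config(text):
    """Return a list of findings; an empty list means every checklist item is present."""
    cmds, sections = parse_config(text)
    present = set(cmds)
    findings = []

    # Turning off unnecessary services (assumed minimal set; extend to site standard)
    for svc in ("no service pad", "no ip finger", "no ip bootp server"):
        if svc not in present:
            findings.append(f"missing '{svc}'")
    if "ip http server" in present:
        findings.append("cleartext HTTP server enabled ('ip http server')")

    # Enabling logging
    if not any(c.startswith("logging host") for c in cmds):
        findings.append("no syslog destination ('logging host ...')")

    # Enabling SSH and HTTPS
    if "ip ssh version 2" not in present:
        findings.append("SSH not pinned to version 2 ('ip ssh version 2')")
    if "ip http secure-server" not in present:
        findings.append("HTTPS management not enabled ('ip http secure-server')")

    # VTY, console and AUX timeouts, and ACLs
    for name, children in sections.items():
        timeout = next((c for c in children if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{name}: no exec-timeout")
        elif re.fullmatch(r"exec-timeout 0( 0)?", timeout):  # 'exec-timeout 0 0' disables the timer
            findings.append(f"{name}: exec-timeout disabled ('{timeout}')")
        if name.startswith("line vty"):
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{name}: no access-class (management ACL)")
            if "transport input ssh" not in children:
                findings.append(f"{name}: transport input must be 'ssh' only")

    # Password management
    if not any(c.startswith("enable secret") for c in cmds):
        findings.append("no 'enable secret' (hashed enable password)")
    if any(c.startswith("enable password") for c in cmds):
        findings.append("'enable password' present (reversible or cleartext)")
    if "service password-encryption" not in present:
        findings.append("missing 'service password-encryption'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Feed it the output of `show running-config` saved to a file; the hardened sample returns no findings, the weak one returns fifteen. The parser only understands the two-level layout (global commands and indented `line` children) that the checks need, which is enough for this purpose and keeps the script dependency-free.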
    • Antispoofing: unicast Reverse Path Forwarding (uRPF)
        Router(config-if)# ip verify unicast source reachable-via ?
          any  Source is reachable via any interface
          rx   Source is reachable via interface on which packet was received
        Router(config-if)# ip verify unicast source reachable-via any ?
          <1-199>          IP access list (standard or extended)
          <1300-2699>      IP expanded access list (standard or extended)
          allow-default    Allow default route to match when checking source address
          allow-self-ping  Allow router to ping itself (opens vulnerability in verification)
    • Antispoofing: strict uRPF check. Is the source address reachable via the ingress interface? Topology: 10.1.1.0/24 sits behind R1 (172.16.201.1); R2 has Fast4 = 172.16.201.254 and Fast2 = 172.16.202.254. Arriving packet on Fast2: S: 10.1.1.200, D: 172.16.201.254.
        interface FastEthernet2
         ip address 172.16.202.254 255.255.255.0
         ip verify unicast source reachable-via rx

        R2# show ip route | begin Gateway
        Gateway of last resort is not set
             172.16.0.0/24 is subnetted, 2 subnets
        C       172.16.201.0 is directly connected, FastEthernet4
        C       172.16.202.0 is directly connected, FastEthernet2
             10.0.0.0/24 is subnetted, 2 subnets
        C       10.254.254.0 is directly connected, Loopback0
        D       10.1.1.0 [90/28416] via 172.16.201.1, 00:30:21, FastEthernet4

        R2# show ip cef 10.1.1.0 255.255.255.0
        10.1.1.0/24
          nexthop 172.16.201.1 FastEthernet4

        CEF-Drop: Packet from 10.1.1.200 (Fa2) to 172.16.201.254, uRPF feature
    • Antispoofing: loose uRPF check. Is the source address reachable via any of the router's interfaces? Arriving packet on Fast2: S: 10.2.2.2, D: 172.16.201.254.
        interface FastEthernet2
         ip address 172.16.202.254 255.255.255.0
         ip verify unicast source reachable-via any

        R2# show ip route 10.2.2.0 255.255.255.0
        % Subnet not in table
        R2# show ip cef 10.2.2.0 255.255.255.0
        %Prefix not found
        R2# show ip interface f2 | include verif
          IP verify source reachable-via ANY
           5 verification drops
           0 suppressed verification drops
           0 verification drop-rate

        CEF-Drop: Packet from 10.2.2.2 (Fa2) to 172.16.201.254, uRPF feature
    • Antispoofing: uRPF and the default route. Same packet (S: 10.2.2.2, D: 172.16.201.254, arriving on Fast2) with a static default route pointing to R1: the default route does not satisfy the loose check, so the packet is still dropped.
        interface FastEthernet2
         ip address 172.16.202.254 255.255.255.0
         ip verify unicast source reachable-via any
        !
        ip route 0.0.0.0 0.0.0.0 172.16.201.1

        R2# show ip route 0.0.0.0
        Routing entry for 0.0.0.0/0, supernet
          Known via "static", distance 1, metric 0, candidate default path
          Routing Descriptor Blocks:
          * 172.16.201.1
              Route metric is 0, traffic share count is 1
        R2# show ip route 10.2.2.0 255.255.255.0
        % Subnet not in table
        R2# show ip cef 10.2.2.0 255.255.255.0
        %Prefix not found

        CEF-Drop: Packet from 10.2.2.2 (Fa2) to 172.16.201.254, uRPF feature

      If you want to change this behavior (let the default route count as a match):
        interface FastEthernet2
         ip verify unicast source reachable-via any allow-default
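The three uRPF slides each show one verdict. The following added example, not from the Cisco Live deck or from Cisco, replays the decision logic behind all of them (strict "rx", loose "any", and the allow-default keyword) against R2's routing table as printed above, and goes one step beyond the slides by including a Null0 route, which is how loose uRPF is used for source-based remotely triggered black-holing. The interface names and the 10.9.9.0/24 blackhole prefix are assumptions for illustration.

```python
"""uRPF decision logic replayed against the R2 routing table from the slides.
Added example, not Cisco code; the Null0 prefix 10.9.9.0/24 is an assumption."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # outgoing interface of the route; "Null0" for a blackhole

def build_table(entries):
    """entries: iterable of (prefix, interface) as they would appear in 'show ip route'."""
    return [Route(ipaddress.ip_network(p), i) for p, i in entries]

def lookup(table, addr):
    """Longest-prefix match, the answer 'show ip cef <addr>' gives; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in table:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def urpf_check(table, src, ingress_if, mode, allow_default=False):
    """Return (forwarded, reason) for a packet with source 'src' arriving on 'ingress_if'.

    mode "rx"  models 'ip verify unicast source reachable-via rx'  (strict)
    mode "any" models 'ip verify unicast source reachable-via any' (loose)
    allow_default models the 'allow-default' keyword.
    """
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    route = lookup(table, src)
    if route is None:
        return False, "drop: no route to source (CEF prefix not found)"
    if route.prefix.prefixlen == 0 and not allow_default:
        return False, "drop: only the default route covers the source and allow-default is not set"
    if route.interface == "Null0":
        return False, "drop: source prefix is routed to Null0 (blackholed)"
    if mode == "rx" and route.interface != ingress_if:
        return False, f"drop: source is reachable via {route.interface}, packet arrived on {ingress_if}"
    kind = "strict" if mode == "rx" else "loose"
    return True, f"forward: source reachable via {route.interface} ({kind} check)"

# R2's table as printed on the slides (C = connected, D = EIGRP-learned).
R2_TABLE = build_table([
    ("172.16.201.0/24", "Fa4"),
    ("172.16.202.0/24", "Fa2"),
    ("10.254.254.0/24", "Lo0"),
    ("10.1.1.0/24", "Fa4"),
])

# R2 with the static default route from the last slide added.
R2_WITH_DEFAULT = R2_TABLE + build_table([("0.0.0.0/0", "Fa4")])

# R2 with an assumed source-based RTBH entry: loose uRPF then drops traffic *from* that prefix.
R2_WITH_BLACKHOLE = R2_TABLE + build_table([("10.9.9.0/24", "Null0")])

if __name__ == "__main__":
    cases = [
        (R2_TABLE, "10.1.1.200", "Fa2", "rx", False),        # slide: strict drop, source lives behind Fa4
        (R2_TABLE, "172.16.202.7", "Fa2", "rx", False),     # strict pass, source is connected on Fa2
        (R2_TABLE, "10.2.2.2", "Fa2", "any", False),        # slide: loose drop, no route at all
        (R2_WITH_DEFAULT, "10.2.2.2", "Fa2", "any", False), # slide: still dropped, default ignored
        (R2_WITH_DEFAULT, "10.2.2.2", "Fa2", "any", True),  # allow-default: forwarded
        (R2_WITH_BLACKHOLE, "10.9.9.5", "Fa2", "any", False),  # RTBH: dropped by loose uRPF
    ]
    for table, src, iface, mode, allow in cases:
        ok, why = urpf_check(table, src, iface, mode, allow)
        print(f"{src:>14} on {iface} mode={mode:<3} allow-default={allow!s:<5} -> {why}")
```

Two points worth keeping in mind when reading the results: with `rx` plus `allow-default`, the default route only satisfies the check on the interface it points out of (a packet from 10.2.2.2 arriving on Fa2 is still dropped when the default route exits Fa4), and a Null0 route fails both modes, which is exactly what makes loose uRPF usable as a drop mechanism for blackholed source prefixes.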
    • TrustSec 2.0: Security Group Tag (SGT), Security Group Access (SGA), SGT Exchange Protocol (SXP)
    • Security Group Tag
      ‒ Unique 16-bit (65K) tag assigned to a unique role
      ‒ Represents the privilege of the source user, device, or entity
      ‒ Tagged at ingress of the TrustSec domain
      ‒ Filtered (SGACL) at egress of the TrustSec domain
      ‒ No IP address required in the ACE (the IP address is bound to the SGT)
      ‒ Policy (ACL) is distributed from the central policy server (ACS) or configured locally on the TrustSec device
      ‒ SGT value is generated automatically on ACS/ISE
    • Layer 2 SGT Frame Format (Layer 2 SGT frame and Cisco Meta Data format)
      Frame: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC (authenticated: DMAC through ICV; encrypted: 802.1Q through PAYLOAD)
      CMD (Cisco Meta Data): CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
      ‒ The 802.1AE header, CMD and ICV are the L2 802.1AE + TrustSec overhead
      ‒ The frame is always tagged at the ingress port of a TrustSec-capable device
      ‒ Tagging happens prior to other L2 services such as QoS
      ‒ The SGT namespace is managed on the central policy server (ACS 5.x/ISE)
      ‒ No impact on IP MTU/fragmentation
      ‒ L2 frame MTU impact: ~40 bytes, less than a baby giant frame (~1600 bytes with 1552 bytes MTU)
    • IP-SGT Binding Exchange with SXP: TCP-based SXP is established between non-TrustSec-capable and TrustSec-capable devices
      ‒ User is assigned to an SGT (User A = 10, User C = 30)
      ‒ The switch binds the endpoint IP address and the assigned SGT; the non-TrustSec-capable switch builds the binding table
      ‒ The switch uses SXP to send the binding table to the TrustSec-capable device
      ‒ The TrustSec-capable device tags the packet based on source IP address when the packet appears on the forwarding table; once the SGT is tagged, SGACL can be applied
      IP-SGT binding table on the access switch (IP Address | Interface | SGT): 10.1.10.1 | Gig 2/10 | 10; 10.1.30.4 | Gig 2/11 | 30
      IP-SGT binding table on the TrustSec-capable device (IP Address | SGT | Source): 10.1.10.1 | 10 | SXP peer 10.1.50.2; 10.1.30.4 | 30 | SXP peer 10.1.50.2
      Diagram: User A / User C send untagged traffic to the non-TrustSec-capable device, which has an SXP connection to the TrustSec-capable device; from there CMD-tagged traffic reaches the data center with Server A, Server B, Server C (111, 222, 333), ACS/ISE and the directory service.
    • Cisco TrustSec Solution: consistent policies for wired/wireless users (SGACL, MACsec, SGT L2 frame)
      TrustSec branch features, ISE policy and integrated security services:
      ‒ Wired identity: AAA services; baseline identity features (802.1X, flex auth, web auth); profiling (categorization of devices); SGT carried via SXP; posture (assurance of compliance); guest management
      ‒ Wireless identity: CoA and profiling
      ‒ Campus aggregation: Cat6K/Sup2 – SGT/SGACL
      ‒ Data center enforcement: Nexus 7000 – SGT/SGACL (Security Group Access)
      ‒ WAN aggregation router: SXP/SGT support (no MACsec)
      Diagram: vendor/partner/guest/employees connect through AP/WLC and Catalyst switches in the campus network (SXP to the Catalyst 6500), across the WAN to an ISR G2 with integrated switch; ISE provides guest server, posture and profiler; Nexus 5000/2000 and Nexus 7000 in the data center perform SXP egress enforcement; ASR1K handles WAN aggregation; AnyConnect covers site-to-site and VPN users.
    • SGACL Policy on ACS / ISE (screenshot with steps 1, 2 and 3; no text recoverable)
    • SGA Feature Support Matrix
      Platform                                              | Available features                                                       | Minimum OS version / notes                                                              | Role
      Nexus 7000 series switch                              | SGACL, 802.1AE + SAP, NDAC, SXP, IPM, EAC                                | Cisco NX-OS 5.0.2a; Advanced Services Package license required                          | Enforcement device, DC distribution
      Catalyst 6500E switch (Supervisor 2T)                 | SGACL, 802.1AE + SAP, NDAC, SXP, IP, EAC                                 | Cisco IOS 12.2(50)SY or later; MACsec-capable linecard needed                           | Enforcement device, DC distribution
      Catalyst 6500E switch (Supervisor 32, 720, 720-VSS)   | NDAC (no SAP), SXP, EAC                                                  | Cisco IOS 12.2(33)SXI3 or later; IP Base K9 image required                              | Campus / DC access switch
      Catalyst 49xx switches                                | SXP, EAC                                                                 | Cisco IOS 12.2(50)SG7 or later                                                          | DC access switch
      Catalyst 4500 switch (Supervisor 6L-E or 6-E)         | SXP, EAC                                                                 | Cisco IOS 12.2(53)SG7 or later                                                          | Campus access switch
      Catalyst 3560-X / 3750-X switches                     | SXP, EAC                                                                 | Cisco IOS 12.2(53)SE2 or later                                                          | Campus access switch
      Catalyst 3560(E) / 3750(E) switches                   | SXP, EAC                                                                 | Cisco IOS 12.2(53)SE1 or later                                                          | Campus access switch
      Catalyst Blade Module 3x00 switches                   | SXP, EAC                                                                 | Cisco IOS 12.2(53)SE1 or later                                                          | DC access switch
      Cisco EtherSwitch service module for ISR routers      | SXP, EAC                                                                 | Cisco IOS 12.2(53)SE1 or later; IP Base K9 image required                               | Branch access switch
      Cisco ASR 1000                                        | SXP, SGT                                                                 | Cisco IOS XE 3.4 or later                                                               | Remote access headend
      Cisco Identity Services Engine (ISE)                  | Centralized policy management for TrustSec                               | ISE 1.0 with Advanced License required; CSACS1120 appliance or ESX Server 3.5 / 4.0     | Policy server
      Cisco Secure ACS                                      | Centralized policy management for TrustSec                               | ACS 5.1 with TrustSec license required; CSACS1120 appliance or ESX Server 3.5 / 4.0     | Policy server
      Cisco ISR G2 routers (c3900, c2900, c1900, c890)      | SXP, EAC, NDAC (PAC provisioning and env download), SGT-IPSEC, SGT-ZBFW | Cisco IOS 15.2(2)T or later                                                             | Branch-end routers, WAN aggregation routers
    • SXP Configuration
      Speaker (isr-cts2-2911c):
        isr-cts2-2911c#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2911c(config)#cts sxp enable                      <-- enable SXP
        isr-cts2-2911c(config)#cts sxp default password cisco      <-- SXP default password
        isr-cts2-2911c(config)#cts sxp connection peer 1.1.1.2 source 1.1.1.1 password default mode local speaker
        isr-cts2-2911c(config)#end
        isr-cts2-2911c#
      Listener (isr-cts2-2921a):
        isr-cts2-2921a#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2921a(config)#cts sxp enable
        isr-cts2-2921a(config)#cts sxp default password cisco
        isr-cts2-2921a(config)#cts sxp connection peer 1.1.1.1 source 1.1.1.2 password default mode local listener
        isr-cts2-2921a(config)#end
        isr-cts2-2921a#
      In "cts sxp connection", "peer" is the peer's IP address and "source" is the local source IP address; the two sides mirror each other.
    • SXP VRF Configuration
      Speaker (isr-cts2-2921b):
        isr-cts2-2921b#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2921b(config)#cts sxp enable
        isr-cts2-2921b(config)#cts sxp default source-ip 10.1.1.1
        isr-cts2-2921b(config)#cts sxp default password cisco
        isr-cts2-2921b(config)#cts sxp connection peer 20.1.1.1 source 10.1.1.1 password default mode local speaker vrf vrfa
        isr-cts2-2921b(config)#end
        isr-cts2-2921b#
      Listener (isr-cts2-2921a):
        isr-cts2-2921a#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2921a(config)#cts sxp enable
        isr-cts2-2921a(config)#cts sxp default source-ip 20.1.1.1
        isr-cts2-2921a(config)#cts sxp default password cisco
        isr-cts2-2921a(config)#cts sxp connection peer 10.1.1.1 source 20.1.1.1 password default mode local listener vrf vrfa
        isr-cts2-2921a(config)#end
        isr-cts2-2921a#
    • Verify SXP Connection
        isr-cts2-2911c#show cts sxp connections
         SXP              : Enabled
         Default Password : Set                 <-- indicates the default password is configured
         Default Source IP: Not Set             <-- indicates no default source-ip is configured
        Connection retry open period: 120 secs  <-- retry and reconcile timers
        Reconcile period: 120 secs
        Retry open timer is running
        ----------------------------------------------
        Peer IP          : 1.1.1.2              <-- SXP connection peer
        Source IP        : 1.1.1.1              <-- local source IP
        Conn status      : On                   <-- connection status
        Conn version     : 2                    <-- SXP protocol version running
        Local mode       : SXP Speaker          <-- SXP connection mode for this connection
        Connection inst# : 1
        TCP conn fd      : 1
        TCP conn password: default SXP password
        Duration since last state change: 0:00:00:15 (dd:hr:mm:sec)
        Total num of SXP Connections = 1
        isr-cts2-2911c#
    • show sxp connection brief
        isr-cts2-2921a#show cts sxp connections brief
         SXP              : Enabled
         Default Password : Set
         Default Source IP: Not Set
        Connection retry open period: 120 secs
        Reconcile period: 120 secs
        Retry open timer is running
        -----------------------------------------------------------------------------
        Peer_IP          Source_IP        Conn Status       Duration
        -----------------------------------------------------------------------------
        1.1.1.1          1.1.1.2          On                0:00:00:16 (dd:hr:mm:sec)
        10.1.1.1         20.1.1.1         On                0:00:00:15 (dd:hr:mm:sec)
        Total num of SXP Connections = 2
        isr-cts2-2921a#
      The Duration column shows how long each connection has been in the indicated status.
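      The SXP slides above show the speaker and listener typed separately and then checked by hand. The Python below is an added example (not code from the deck or from Cisco) of how a practitioner would automate that: it renders both ends of a connection from one description so "peer" and "source" cannot be swapped and the password cannot drift, flags the weak default password the slides use, and parses `show cts sxp connections brief` to confirm every expected peer is "On". The hostnames, addresses and VRF name are the deck's; the sample show output and the weak-password list are constructed for illustration.

```python
"""Render both ends of a Cisco TrustSec SXP connection from one description
so the peer/source addresses and the password are guaranteed to mirror each
other, then audit the resulting config and the `show cts sxp connections
brief` output that verifies it.

Added example, not code from the BRKSEC-2031 deck or from Cisco.  The
hostnames, addresses and VRF name copy the deck; the sample show output and
the weak-password list are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SxpPeer:
    hostname: str
    ip: str         # source IP this router uses for the SXP TCP session
    vrf: str = ""   # empty string = global routing table


def sxp_side(local: SxpPeer, remote: SxpPeer, mode: str, password: str) -> list:
    """IOS lines for one side of the connection; mode is 'speaker' or 'listener'."""
    if mode not in ("speaker", "listener"):
        raise ValueError("mode must be 'speaker' or 'listener'")
    conn = (f"cts sxp connection peer {remote.ip} source {local.ip} "
            f"password default mode local {mode}")
    if local.vrf:
        conn += f" vrf {local.vrf}"
    lines = ["cts sxp enable"]
    if local.vrf:
        lines.append(f"cts sxp default source-ip {local.ip}")  # the deck pins this for VRF peers
    lines += [f"cts sxp default password {password}", conn]
    return lines


def sxp_pair(speaker: SxpPeer, listener: SxpPeer, password: str) -> dict:
    """Both ends rendered together: what is 'peer' on one side is 'source' on the other."""
    return {speaker.hostname: sxp_side(speaker, listener, "speaker", password),
            listener.hostname: sxp_side(listener, speaker, "listener", password)}


WEAK_SXP_PASSWORDS = {"cisco", "cisco123", "password"}   # assumption: illustrative list


def audit_sxp_config(lines) -> list:
    """Flag weak or absent authentication on the SXP TCP session."""
    findings = []
    for line in lines:
        m = re.match(r"cts sxp default password (\S+)$", line)
        if m and m.group(1) in WEAK_SXP_PASSWORDS:
            findings.append(f"weak SXP default password '{m.group(1)}'")
        if re.search(r"cts sxp connection .*password none\b", line):
            findings.append(f"unauthenticated SXP connection: {line}")
    return findings


_HEADER = re.compile(r"^(SXP|Default Password|Default Source IP)\s*:\s*(.+?)\s*$")
_ROW = re.compile(r"^(\d[\d.]*)\s+(\d[\d.]*)\s+(\S+)\s+(\S+)")


def parse_sxp_brief(text: str):
    """Return (summary, connections) from `show cts sxp connections brief` output."""
    summary, conns = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            summary[m.group(1)] = m.group(2)
            continue
        m = _ROW.match(line)
        if m:
            conns.append({"peer": m.group(1), "source": m.group(2),
                          "status": m.group(3), "duration": m.group(4)})
    return summary, conns


def audit_sxp_state(summary: dict, conns: list, expected_peers) -> list:
    """Operational checks: SXP enabled, default password set, every expected peer 'On'."""
    findings = []
    if summary.get("SXP") != "Enabled":
        findings.append("SXP is not enabled")
    if summary.get("Default Password") != "Set":
        findings.append("no default password: 'password default' connections cannot authenticate")
    status = {c["peer"]: c["status"] for c in conns}
    for peer in expected_peers:
        if status.get(peer) != "On":
            findings.append(f"peer {peer} status {status.get(peer, 'missing')}")
    return findings


# Constructed sample in the format the deck prints; the second peer is deliberately down.
SAMPLE_BRIEF = """\
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
1.1.1.1          1.1.1.2          On                0:00:00:16 (dd:hr:mm:sec)
10.1.1.1         20.1.1.1         Off               0:00:05:02 (dd:hr:mm:sec)
Total num of SXP Connections = 2
"""

if __name__ == "__main__":
    cfg = sxp_pair(SxpPeer("isr-cts2-2911c", "1.1.1.1"), SxpPeer("isr-cts2-2921a", "1.1.1.2"), "cisco")
    for host, lines in cfg.items():
        print(host, *lines, sep="\n  ")
    print(audit_sxp_config(cfg["isr-cts2-2911c"]))
    print(audit_sxp_state(*parse_sxp_brief(SAMPLE_BRIEF), ["1.1.1.1", "10.1.1.1"]))
```

Run against a real router, the show output would come from the device instead of SAMPLE_BRIEF; the point of `audit_sxp_state` is that a connection stuck in anything but "On" means the listener is silently not learning bindings, which the ZBFW policy later in the deck depends on.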
    • IP-SGT Bindings configuration
        isr-cts2-2911c#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2911c(config)#cts role-based sgt-map 1.10.1.1 sgt 10
        isr-cts2-2911c(config)#cts role-based sgt-map 1.11.1.1 sgt 11
        isr-cts2-2911c(config)#cts role-based sgt-map 1001:100:1::1 sgt 610
        isr-cts2-2911c(config)#cts role-based sgt-map 1001:100:1::2 sgt 611
        isr-cts2-2911c(config)#end
        isr-cts2-2911c#

        isr-cts2-2921a#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2921a(config)#cts role-based sgt-map 2.20.1.1 sgt 20
        isr-cts2-2921a(config)#cts role-based sgt-map 2.21.1.1 sgt 21
        isr-cts2-2921a(config)#cts role-based sgt-map 2001:100:1::1 sgt 620
        isr-cts2-2921a(config)#cts role-based sgt-map 2001:100:1::2 sgt 621
        isr-cts2-2921a(config)#end
    • IP-SGT Bindings VRF configuration
        isr-cts2-2921a#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2921a(config)#cts role-based sgt-map vrf vrfa 2.20.1.2 sgt 220
        isr-cts2-2921a(config)#cts role-based sgt-map vrf vrfa 2.21.1.2 sgt 221
        isr-cts2-2921a(config)#end
        isr-cts2-2921a#
        isr-cts2-2921a#config terminal
        Enter configuration commands, one per line. End with CNTL/Z.
        isr-cts2-2921a(config)#cts role-based sgt-map vrf vrfa 2001:2100:1::1 sgt 2610
        isr-cts2-2921a(config)#cts role-based sgt-map vrf vrfa 2001:2100:1::2 sgt 2611
        isr-cts2-2921a(config)#end
        isr-cts2-2921a#
    • Verify IP-SGT Bindings
        isr-cts2-2911c#show cts role-based sgt-map all
        Active IP-SGT Bindings Information

        IP Address              SGT     Source
        ============================================
        1.10.1.1                10      CLI
        1.11.1.1                11      CLI

        IP-SGT Active Bindings Summary
        ============================================
        Total number of CLI bindings = 2
        Total number of active bindings = 2

        isr-cts2-2921a#show cts role-based sgt-map all ipv6
        Active IP-SGT Bindings Information

        IP Address              SGT     Source
        ================================================================
        1001:100:1::1           610     SXP        <-- learned from the speaker over SXP
        1001:100:1::2           611     SXP
        2001:100:1::1           620     CLI
        2001:100:1::2           621     CLI

        IP-SGT Active Bindings Summary
        ============================================
        Total number of CLI bindings = 2
        Total number of SXP bindings = 2
        Total number of active bindings = 4
      The Source column shows how each binding was learned (CLI or SXP); the summary gives the total number of active bindings.
    • IOS Zone-Based Firewall
    • IOS Zone-Based Firewall on ISR Routers
      Diagram: branch offices behind an ISR, a corporate office, and a hacker on the Internet.
      - Integrated network defense and firewall perimeter control
        ‒ External and internal protection: the internal network is no longer trusted
        ‒ Protocol anomaly detection and stateful inspection
        ‒ Prevent DoS attacks
      - Securing Unified Communications
        ‒ Cisco UC Trusted FW
        ‒ Voice signatures (SIP, SCCP, H.323)
        ‒ Virtualized UC (VRF aware)
        ‒ Call flow awareness
      - Flexible deployment models
        ‒ Split tunnel: branch / remote office / store / clinic
        ‒ Internal FW for international or untrusted locations and segments; addresses regulatory compliance
      - Integrates with other IOS services
        ‒ Works with IPS, VPN, ISR Web Security with ScanSafe
        ‒ Works with SRE/ISM and WAAS Express
        ‒ Interoperability with Cloud Web Security
      - Management options and flexibility
        ‒ Supports CLI, SNMP, CCP, and CSM
        ‒ Supports Cisco Configuration Engine
      - Key benefits
        ‒ Secure Internet access at the branch without the need for additional devices
        ‒ Segment the network to meet PCI compliance
        ‒ Control threats right at the remote site; conserve WAN bandwidth
    • Zone Based Firewall (Config Example)
      Topology: ASR1000 between the Office (private zone) and the Internet (public zone).
      Step 1: Classify traffic
        class-map type inspect match-any match-protocol
         match protocol ftp
         match protocol tcp
         match protocol udp
        !
        class-map type inspect match-any match-acl
         match access-group 181
        !
      Step 2: Define actions in the policy map
        policy-map type inspect private-to-public
         class type inspect match-acl
          inspect
         class type inspect match-protocol
          pass log
         class type inspect class-default
          drop log
        !
      Step 3: Define security zones
        zone security public-zone
        zone security private-zone
        !
        interface GigabitEthernet 1/0/0
         description ***connect-to-Internet***
         zone-member security public-zone
        !
        interface GigabitEthernet 1/1/0
         description ***connect-to-private***
         zone-member security private-zone
        !
      Step 4: Define inter-zone rules
        zone-pair security private-to-public source private-zone destination public-zone
         service-policy type inspect private-to-public
    • SGT Based ZBFW
      - ZBFW capability has been extended to support SGT tags
      - New filter: "match security-group source tag <tag>"
      - It works identically to the way "match user-group <name>" works
      - Supports 'inspect', 'pass' and 'drop' actions
      - Cannot work if the source address is translated using NAT: the IP-SGT lookup is keyed on the source address the firewall sees, so a translated source no longer resolves to its tag
    • ZBFW Configuration Example
        !
        class-map type inspect match-any partner-services
         match protocol http
         match protocol icmp
         match protocol ssh
        class-map type inspect match-any partner-sgts
         match security-group source tag 2001
         match security-group source tag 2002
         match security-group source tag 2003
        class-map type inspect match-all partner-class     ! match-all filter for the services allowed for partners
         match class-map partner-services
         match class-map partner-sgts
        class-map type inspect match-any guest-services
         match protocol http
        class-map type inspect match-any guest-sgts
         match security-group source tag 5555
        class-map type inspect match-all guest-class       ! match-all filter for the services allowed for guests
         match class-map guest-services
         match class-map guest-sgts
        class-map type inspect match-any emp-services
         match protocol http
         match protocol ftp
         match protocol icmp
         match protocol ssh
        class-map type inspect match-any emp-sgts
         match security-group source tag 1001
         match security-group source tag 1002
         match security-group source tag 1003
        class-map type inspect match-all emp-class         ! match-all filter for the services allowed for employees
         match class-map emp-services
         match class-map emp-sgts
    • ZBFW Configuration Example (cont.)
        !
        policy-map type inspect branch-policy
         class type inspect emp-class        ! one class per SGT group, each with its own action
          inspect
         class type inspect partner-class
          inspect
         class type inspect guest-class
          inspect
         class class-default
          drop
        !
        zone security lan
        zone security ho
        zone-pair security lan-ho source lan destination ho
         service-policy type inspect branch-policy
        !
        interface GigabitEthernet0/1
         description ***branch lan network***
         ip address 10.0.0.1 255.255.255.0
         zone-member security lan
        !
        interface GigabitEthernet0/2
         description ***connection to head-office***
         ip address 172.16.0.1 255.255.255.252
         zone-member security ho
        !
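      The two ZBFW slides above (the basic private-to-public example and the SGT-based branch-policy) describe the classification order in prose. The Python below is an added example, not code from the deck or from Cisco IOS, that models how the firewall reaches a verdict: it resolves the flow's source IP to an SGT through the IP-SGT binding table (the table `cts role-based sgt-map` and SXP populate), evaluates match-any and match-all class-maps including nested `match class-map`, walks the policy-map in order, and falls through to class-default. It also reproduces the NAT caveat from the SGT Based ZBFW slide: once the source is translated, the lookup sees an address with no binding and the flow drops. The class-maps and policy-map mirror the deck; the host addresses, bindings and flows are constructed.

```python
"""Model of how an IOS zone-based firewall policy that matches on security
group tags classifies a flow: the firewall first resolves the source IP
through the IP-SGT binding table (CLI or SXP-learned), then walks the
policy-map classes in order and applies the first match.

Added example, not code from the BRKSEC-2031 deck or from Cisco IOS.  The
class-maps and policy-map mirror the deck's branch-policy; the IP-SGT
bindings, hosts and flows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClassMap:
    name: str
    match_all: bool     # True = 'match-all', False = 'match-any'
    statements: tuple   # ('protocol', 'http'), ('sgt', 2001) or ('class-map', 'name')


@dataclass(frozen=True)
class Flow:
    src_ip: str         # the source address the firewall sees (post-NAT if translated)
    protocol: str


def cm(name: str, mode: str, *statements) -> ClassMap:
    return ClassMap(name, mode == "match-all", tuple(statements))


# Same structure as the deck's class-maps: a match-any list of services, a
# match-any list of SGTs, and a match-all class that requires both.
BRANCH_CLASS_MAPS = {c.name: c for c in [
    cm("partner-services", "match-any", ("protocol", "http"), ("protocol", "icmp"), ("protocol", "ssh")),
    cm("partner-sgts", "match-any", ("sgt", 2001), ("sgt", 2002), ("sgt", 2003)),
    cm("partner-class", "match-all", ("class-map", "partner-services"), ("class-map", "partner-sgts")),
    cm("guest-services", "match-any", ("protocol", "http")),
    cm("guest-sgts", "match-any", ("sgt", 5555)),
    cm("guest-class", "match-all", ("class-map", "guest-services"), ("class-map", "guest-sgts")),
    cm("emp-services", "match-any", ("protocol", "http"), ("protocol", "ftp"), ("protocol", "icmp"), ("protocol", "ssh")),
    cm("emp-sgts", "match-any", ("sgt", 1001), ("sgt", 1002), ("sgt", 1003)),
    cm("emp-class", "match-all", ("class-map", "emp-services"), ("class-map", "emp-sgts")),
]}

# policy-map type inspect branch-policy, in order; class-default drops.
BRANCH_POLICY = [("emp-class", "inspect"), ("partner-class", "inspect"),
                 ("guest-class", "inspect"), ("class-default", "drop")]

# Constructed IP-SGT bindings, as `cts role-based sgt-map` or SXP would populate them.
BINDINGS = {"10.0.0.11": 1001, "10.0.0.22": 2002, "10.0.0.33": 5555}


def lookup_sgt(bindings: dict, ip: str) -> Optional[int]:
    return bindings.get(ip)


def statement_matches(stmt, flow: Flow, sgt: Optional[int], registry: dict) -> bool:
    kind, value = stmt
    if kind == "protocol":
        return flow.protocol == value
    if kind == "sgt":
        return sgt is not None and sgt == value
    if kind == "class-map":
        return class_matches(registry[value], flow, sgt, registry)
    raise ValueError(f"unknown match statement {kind}")


def class_matches(c: ClassMap, flow: Flow, sgt: Optional[int], registry: dict) -> bool:
    results = [statement_matches(s, flow, sgt, registry) for s in c.statements]
    if not results:
        return False
    return all(results) if c.match_all else any(results)


def classify(policy, registry: dict, bindings: dict, flow: Flow):
    """Return (class name, action) for the first class the flow matches."""
    sgt = lookup_sgt(bindings, flow.src_ip)
    for name, action in policy:
        if name == "class-default" or class_matches(registry[name], flow, sgt, registry):
            return name, action
    return "class-default", "drop"   # ZBFW drops unmatched inter-zone traffic


def after_source_nat(flow: Flow, translated_ip: str) -> Flow:
    """What the SGT lookup sees once the source has been translated: the NAT caveat."""
    return Flow(translated_ip, flow.protocol)


if __name__ == "__main__":
    for f in [Flow("10.0.0.11", "ssh"), Flow("10.0.0.33", "ssh"),
              after_source_nat(Flow("10.0.0.11", "http"), "172.16.0.1")]:
        print(f, "->", classify(BRANCH_POLICY, BRANCH_CLASS_MAPS, BINDINGS, f))
```

Two things the model makes visible that the config alone does not: an employee SGT with a service outside emp-services does not "fall through" to the partner or guest class (the SGT lists are disjoint, so it lands on class-default), and a host whose binding has not arrived over SXP yet is indistinguishable from an unknown host and is dropped, which is why the SXP verification slides matter.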
    • IOS IPS Deployment
    • IOS IPS Overview
      - Software-based inline intrusion prevention sensor
      - Supports the Cisco IPS version 5.x signature format starting from 12.4(11)T
      - Signature-based packet scanning
      - Uses signatures built for the Cisco IPS 4200 dedicated appliances
      - Dynamic signature update; no need to update the IOS image
      - Event actions configurable per signature and per category (alert, reset TCP connection, deny packet, deny attacker, deny connection)
      - Management options: Cisco Security Manager (CSM), Cisco Configuration Professional (CCP)
    • IOS IPS Pre-requisites Cisco Integrated Services Routers 128MB or more DRAM and at least 2MB free flash memory Console or telnet connectivity to the router IOS Release 12.4(15)T3 or later A valid CCO (Cisco.com) login username and password A current Cisco IPS Service Contract for licensed signature update servicesBRKSEC-2031 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Live 2012
    • IOS IPS Getting Started with IOS IPS, http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps66 34/prod_white_paper0900aecd805c4ea8.html Step 1: Downloading IOS IPS files Step 2: Creating IOS IPS configuration directory on flash Step 3: Configuring IOS IPS crypto key Step 4: Enabling IOS IPS Step 5: Loading IOS IPS signature package to router Also see BRKSEC-2030 for details!BRKSEC-2031 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Live 2012
    • IOS IPS: Signature Categories
        IOS-IPS# show ip ips category ?
          adware/spyware          Adware/Spyware (more sub-categories)
          attack                  Attack (more sub-categories)
          configurations          Configurations (more sub-categories)
          ddos                    DDoS (more sub-categories)
          dos                     DoS (more sub-categories)
          email                   Email (more sub-categories)
          instant_messaging       Instant Messaging (more sub-categories)
          ios_ips                 IOS IPS (more sub-categories)
          l2/l3/l4_protocol       L2/L3/L4 Protocol (more sub-categories)
          network_services        Network Services (more sub-categories)
          os                      OS (more sub-categories)
          other_services          Other Services (more sub-categories)
          p2p                     P2P (more sub-categories)
          reconnaissance          Reconnaissance (more sub-categories)
          releases                Releases (more sub-categories)
          telepresence            TelePresence (more sub-categories)
          uc_protection           UC Protection (more sub-categories)
          viruses/worms/trojans   Viruses/Worms/Trojans (more sub-categories)
          web_server              Web Server (more sub-categories)
    • IOS IPS: Active Signatures
        IOS-IPS# show ip ips signature count
        Cisco SDF release version S636.0
        Trend SDF release version V0.0
        Signature Micro-Engine: atomic-ip: Total Signatures 436
          atomic-ip enabled signatures: 82
          atomic-ip retired signatures: 369
          atomic-ip compiled signatures: 67
          atomic-ip obsoleted signatures: 7
        Signature Micro-Engine: normalizer: Total Signatures 10
          normalizer enabled signatures: 9
          normalizer retired signatures: 1
          normalizer compiled signatures: 9
        […]
        Total Signatures: 4498
          Total Enabled Signatures: 1924
          Total Retired Signatures: 3913
          Total Compiled Signatures: 584
          Total Signatures with invalid parameters: 1
          Total Obsoleted Signatures: 13
    • IOS IPS: Basic Setup
      Topology: the attacker at 172.17.44.101 sends attacks through F0/1.1124 (172.17.6.0/24, router .4) on IOS-IPS toward hosts on 172.17.22.0/24 (.103) and 10.5.5.0/24 (.5).
        ip ips signature-category
          category all
            retired true
          category ios_ips advanced
            retired false
        ip ips config location flash:ips retries 1
        ip ips notify SDEE
        ip ips name IPS1
        interface FastEthernet0/1.1124
          encapsulation dot1Q 1124
          ip address 172.17.6.4 255.255.255.0
          ip ips IPS1 in

        IOS-IPS#show ip ips interfaces
        Interface Configuration
          Interface FastEthernet0/1.1124
            Inbound IPS rule is IPS1
            Outgoing IPS rule is not set
    • IOS IPS in action
      Same topology as the previous slide: the attacker at 172.17.44.101 sends traffic through F0/1.1124 on IOS-IPS toward 172.17.22.103.
        IOS-IPS# show ip ips sessions
        Established Sessions
         Session 49746F80 (172.17.44.101:3765)=>(172.17.22.103:137) udp SIS_OPEN
        Half-open Sessions
         Session 49746C00 (172.17.44.101:3764)=>(172.17.22.103:161) udp SIS_OPENING
         Session 49746880 (172.17.44.101:3763)=>(172.17.22.103:161) udp SIS_OPENING
    • Secure Wireless
      Diagram: a Cisco Integrated Services Router providing wireless, security, and IP telephony over the IP WAN to IP phones, IP video surveillance, wired users, wireless users, and kiosks at the site.
      - Anomaly and IDS/IPS: wireless IDS; detect and contain rogue devices
      - WLAN security management: WCS dashboard and reporting
      - Admission control: Cisco ISE for wired and wireless; secure guest access
      - Endpoint protection: 802.1X (EAP); WPA2 (AES) and WPA (TKIP)
      - Secure mobility: mobile access to critical applications and data throughout the site while maintaining security; ease of deployment and interoperation with a wide range of client devices; reliable, scalable, centralized security management
    • Secure Wireless Considerations: Local vs Central Switching (PCI still applies!)
      - H-REAP: Hybrid Remote-Edge Access Point (local switching)
        ‒ Pros: router services apply to data plane traffic.
        ‒ Cons: limited integration (authentication only) with ISE 1.1 and WLC 7.2.
      - Central switching
        ‒ Pros: full integration with ISE.
        ‒ Cons: backhauls all traffic to the central WLC in CAPWAP. Data plane traffic bypasses router security services!
        ‒ Workaround: leverage the WLC VM on SRE.
    • Application Visibility Control
    • Application Visibility and Control - Vision
      - Expand platform visibility options up the full OSI stack (L1 through L7)
        ‒ Provide a full Layer 2-7 view, rather than just Layers 2-4
        ‒ Know which application is in use, not only which ports
      - Use that knowledge to report on key parameters
        ‒ ... and allow you to choose what information is collected
      - Use that knowledge to prioritize or control applications
        ‒ ... using well-known, familiar QoS mechanisms
      AVC cycle: Discover, Report (via NetFlow), Control
    • AVC - How it works
      1. Application monitoring and control (ISR G2, ASR1000): the router controls traffic and collects statistics at application and subscriber granularity, exported as NetFlow v9
      2. Data collection: the Cisco Collection Manager (CM) aggregates and persists data in a database; scales to 100 reported interfaces; works with Cisco Insight v3.0 (ASR) and Prime Assurance Manager (ISR G2)
      3. Insight Reporter or Prime Assurance Manager: advanced web-based UI with drill down, scheduled reports, email integration, PDF export and more
    • Next Generation NBAR (NBAR2)
      - IOS NBAR (150+ signatures) plus SCE classification (1000+ signatures, advanced classification techniques) = NBAR2
      - Innovations: native IPv6 classification; open API for 3rd-party integration
      - NBAR2 is a new DPI component which provides advanced application classification and field extraction capabilities taken from SCE
      - Backward compatible, preserving existing NBAR investments
      - In-service Protocol Definition Update: no IOS upgrade required
    • NBAR2: 1000+ applications supported and growing
      (Logos of example applications recognized by NBAR2 as of IOS XE 3.6S and IOS 15.2(3)T; not reproduced)
      - List of protocols and applications supported by NBAR2: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/90364_product_bulletin_c25_627831.pdf
      - Enhanced reporting with additional field extraction: top browsing domain, top URL, browser type (future)
    • Two Modes of Operation
      1. Protocol Discovery
         - Configures traffic statistics collection for all applications known to NBAR; also used for application discovery
         - Discovers applications transiting an interface and populates CISCO-NBAR-PROTOCOL-DISCOVERY-MIB
         - Supports both input and output traffic
         Configuration command:
           Router(config)# interface fastethernet 0/0
           Router(config-if)# ip nbar protocol-discovery
         Show command:
           Router# show ip nbar protocol-discovery [interface interface-spec] [stats {byte-count|bit-rate|packet-count}] [protocol protocol-name | top-n number]
      2. Modular QoS Classification (match protocol in class-maps, shown on the following slides)
    • Protocol Discovery
        Router# show ip nbar protocol-discovery top-n 5

         GigabitEthernet0
                                    Input                     Output
                                    -----                     ------
         Protocol                   Packet Count              Packet Count
                                    Byte Count                Byte Count
                                    5min Bit Rate (bps)       5min Bit Rate (bps)
                                    5min Max Bit Rate (bps)   5min Max Bit Rate (bps)
         ------------------------   ------------------------  -----------------------
         skype                      395                       75
                                    28539                     6415
                                    1000                      1000
                                    2000                      2000
         icmp                       101                       100
                                    7360                      6860
                                    0                         0
                                    0                         0
         snmp                       28                        0
                                    1988                      0
                                    0                         0
                                    0                         0
         netbios                    9                         0
                                    738                       0
                                    0                         0
                                    0                         0
         unknown                    205                       204
                                    14976                     10404
                                    0                         0
                                    0                         0
         Total                      41304                     40944
                                    2649809                   2619839
                                    6000                      6000
                                    7000                      7000
      - Top-N is shown for all interfaces with NBAR protocol discovery enabled
      - The NBAR-PD-MIB provides Top-N for all interfaces, where N can differ for each interface
    • Modular application-aware QoS
        class-map match-all business-critical
         match protocol citrix
         match access-group 101
        class-map match-any browsing
         match protocol attribute category browsing
        class-map match-any internal-browsing
         match protocol http url "*myserver.com*"
        policy-map internal-browsing-policy
         class internal-browsing
          bandwidth remaining percent 60
        policy-map my-network-policy
         class business-critical
          priority
          police cir percent 50
         class browsing
          bandwidth remaining percent 30
          service-policy internal-browsing-policy
        interface eth0/0
         service-policy output my-network-policy
      Application | Bandwidth | Priority
      Business Critical | Committed 50% of the line | High
      Browsing | 30% of the excess (=15% of the line) | Normal
      Internal Browsing | 60% out of Browsing | Normal
      Rest | 70% of the excess (=35% of the line) | Normal
      Committed BW (50% of the line) goes to Business-Critical at high priority. The excess BW (the other 50% of the line) is shared by "bandwidth remaining": Browsing gets 30% of it (=15% of the line), of which Internal-Browsing gets 60%; everything else gets 70% of it (=35% of the line).
    • Example: Application-aware Shaping
        class-map match-all browsing
         match protocol attribute category browsing
        class-map match-all p2p
         match protocol attribute sub-category p2p-file-transfer
        !
        policy-map my-priority-policy
         class p2p
          bandwidth remaining percent 20
         class browsing
          bandwidth remaining percent 80
        policy-map my-network-policy
         class class-default
          shape average 50000000
          service-policy my-priority-policy
        !
        interface GigabitEthernet0/0/2
         service-policy output my-network-policy
    • Example: Stop P2P Traffic with AVC
      (Graphs of P2P throughput before and after applying the QoS control policy; not reproduced)
        class-map match-all p2p-app
         match protocol attribute p2p-technology p2p-tech-yes
        policy-map control-policy
         class p2p-app
          police 8000 conform-action transmit exceed-action drop
    • Flexible NetFlow (FNF)
      - Flexible NetFlow is an open standard for exporting network information and statistics
        ‒ Uses the NetFlow Version 9 format
        ‒ UDP-based transport
        ‒ Flexibility in defining fields and the flow record format
        ‒ Open protocol: can be analyzed by Cisco Prime, Insight, and other 3rd-party reporting vendors
      - Consists of data collection (flow monitor) and data export (flow exporter)
      - Flexibility in choosing which fields to collect for export
      - Can be used to collect application information from NBAR2 and statistics along with other network information
    • IOS Performance Agent Deployment with NBAR2 (for your reference)
      Configuration steps:
      1. Configure the flow exporter
      2. Configure the flow record type mace
      3. Configure the flow monitor type mace
      4. Configure the class-map
      5. Configure the policy-map type mace; the policy must be named mace_global
      6. Configure mace enable on the interface; optionally enable NBAR2 to identify applications
        flow exporter pa-export
         destination 172.30.104.128
         transport udp 3000
        !
        flow record type mace pa-record
         collect application name        ! collect the application name provided by NBAR2
         collect art all
         collect (..)
        !
        flow monitor type mace pa-monitor
         record pa-record
         exporter pa-export
        !
        access-list 100 permit tcp any host 10.0.0.1 eq 80
        class-map match-any pa-traffic
         match access-group 100
        !
        policy-map type mace mace_global
         class pa-traffic
          flow monitor pa-monitor
        !
        interface Serial0/0/0
         ip nbar protocol-discovery
         mace enable
    • Performance Agent & NBAR Interaction
        flow record type mace pa-record
         collect application name
         collect art all
        interface Serial0/0/0
         ip nbar protocol-discovery
         mace enable
      Topology: IOS PA on Se0/0/0; the client 192.168.100.100 connects to https://cisco.webex.com (66.114.168.178).
      - 'collect application name' exports the application ID field to the reporting tool
      - Flow record without ip nbar protocol-discovery:
          Src IP 192.168.100.100 | Dst IP 66.114.168.178 | Dst Port 443 | App ID 0 | Resp Time 100 | ...
      - Flow record with ip nbar protocol-discovery:
          Src IP 192.168.100.100 | Dst IP 66.114.168.178 | Dst Port 443 | App ID 0x0D00019E | Resp Time 100 | ...
        The App ID 0x0D00019E indicates the WebEx application; the mapping of App ID to name is exported through the FNF option template.
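      The Flexible NetFlow and Performance Agent slides say the application ID travels in a NetFlow v9 export and is mapped to a name through an option template, but never show the bytes. The Python below is an added example, not code from the deck or from Cisco, that builds a NetFlow v9 packet (RFC 3954 layout) carrying the applicationId field (field type 95) next to the addresses and port, then decodes it the way a collector would, splitting the 32-bit ID into its engine ID (top byte) and selector ID (low 24 bits). Because v9 arrives over unauthenticated UDP, the parser bounds-checks every length and refuses data flowsets whose template it has not seen. The addresses and the second flow are constructed; the small ID-to-name table is a stand-in for the option template, and 0x0D00019E is the value the deck shows for the WebEx flow.

```python
"""Build and decode a NetFlow v9 export that carries the NBAR2 application
ID field (field type 95, applicationId), and split that 32-bit ID into the
engine ID and selector ID that the FNF option template maps to a name.

Added example, not from the BRKSEC-2031 deck or any Cisco code.  The packet
layout follows RFC 3954; the addresses, the second flow and the ID-to-name
table standing in for the option template are constructed.  The ID
0x0D00019E is the value the deck shows for the WebEx flow.
"""
import ipaddress
import struct

# NetFlow v9 field types used here (RFC 3954 / Cisco v9 field type list)
IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_DST_PORT, APPLICATION_ID = 8, 12, 11, 95
TEMPLATE_ID = 256
TEMPLATE = ((IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_DST_PORT, 2), (APPLICATION_ID, 4))

# Stand-in for the FNF option template that maps application IDs to names.
APP_NAMES = {0x0D00019E: "webex"}   # constructed mapping for this example


def build_v9_packet(records, sysuptime=1000, unix_secs=1340000000, seq=1, source_id=0) -> bytes:
    """Header + one template flowset (ID 0) + one data flowset using that template."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ftype, flen in TEMPLATE:
        tmpl += struct.pack("!HH", ftype, flen)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    data = b""
    for src, dst, dport, app_id in records:
        data += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        data += struct.pack("!HI", dport, app_id)
    pad = (-len(data)) % 4                      # flowsets are padded to 32-bit boundaries
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\x00" * pad

    count = 1 + len(records)                    # template records + data records
    header = struct.pack("!HHIIII", 9, count, sysuptime, unix_secs, seq, source_id)
    return header + template_fs + data_fs


def decode_app_id(app_id: int) -> dict:
    """Engine ID in the top byte, selector ID in the low 24 bits; 0 = not classified."""
    return {"app_id": app_id, "engine_id": app_id >> 24, "selector_id": app_id & 0xFFFFFF,
            "app_name": "unclassified" if app_id == 0 else APP_NAMES.get(app_id, "unknown")}


def decode_record(raw: dict) -> dict:
    rec = {}
    if IPV4_SRC_ADDR in raw:
        rec["src"] = str(ipaddress.IPv4Address(raw[IPV4_SRC_ADDR]))
    if IPV4_DST_ADDR in raw:
        rec["dst"] = str(ipaddress.IPv4Address(raw[IPV4_DST_ADDR]))
    if L4_DST_PORT in raw:
        rec["dport"] = struct.unpack("!H", raw[L4_DST_PORT])[0]
    if APPLICATION_ID in raw:
        rec.update(decode_app_id(struct.unpack("!I", raw[APPLICATION_ID])[0]))
    return rec


def parse_v9(packet: bytes) -> list:
    """Decode all data records, bounds-checking every length: v9 arrives over
    unauthenticated UDP, so a collector must not trust lengths in the packet."""
    if len(packet) < 20:
        raise ValueError("short header")
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates, flows, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                  # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                              # data flowset
            fields = templates.get(fs_id)
            if fields is None:
                raise ValueError(f"data flowset {fs_id} arrived before its template")
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while rec_len and p + rec_len <= len(body):
                raw, q = {}, p
                for ftype, flen in fields:
                    raw[ftype] = body[q:q + flen]
                    q += flen
                flows.append(decode_record(raw))
                p += rec_len
        off += fs_len                                   # IDs 1..255 (options etc.) are skipped here
    return flows


if __name__ == "__main__":
    pkt = build_v9_packet([("192.168.100.100", "66.114.168.178", 443, 0x0D00019E),
                           ("192.168.100.101", "66.114.168.178", 443, 0)])
    for flow in parse_v9(pkt):
        print(flow)
```

The second constructed flow carries App ID 0, which is what the slide shows when `ip nbar protocol-discovery` is not enabled on the interface: the record is still exported, but the collector can only report "unclassified". A real collector would replace APP_NAMES with the names learned from the exporter's option template records.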
    • How to use PA to Monitor Application Usage? (Who is sending BitTorrent?)
        flow record type mace mace-record
         collect datalink mac source address input
         collect ipv4 dscp
         collect interface input
         collect interface output
         collect application name
         collect counter client bytes       ! traffic volume information
         collect counter server bytes
         collect counter client packets
         collect counter server packets
         collect art all
    • How to use PA to Monitor Application Usage? (cont.)
      (Reporter screenshots: "Discover Top Users for the Application" and "Discover Application Per-user"; not reproduced)
    • AVC Performance on ISR G2 (Mbps at 75% CPU)
      - Average packet size: 390 bytes
      - 30% of bandwidth is upload, 70% download
      - IOS Release: 15.2(4)M candidate
      Platform | PA | PA+NBAR2+QoS | PA+NBAR2+QoS+PAT
      891 (SVI) | 42.1 | 23.5 | 18.3
      891 (Ethernet) | 55.2 | 28.2 | 20.3
      1941 | 67.2 | 40.2 | 40.7
      2921 | 71 | 53.6 | 46.8
      2951 | 106.5 | 73.4 | 74.2
      3945 | 86.1 | - | -
    • ScanSafe Integration via connector
    • Cisco ScanSafe Services: more than 20 data centers worldwide (map; not reproduced)
    • Zero-day Protection with Outbreak Intelligence
    • ISR Web Security with ScanSafe: Intelligent Cloud Security Connector for Branch Networks
      Diagram: a retail branch ISR G2 running the ScanSafe Connector software redirects Internet-bound web traffic to the ScanSafe Web Security and Filtering Services; approved content is returned to the branch, while blocked URLs, blocked files and blocked content are stopped in the cloud. User identity comes from the corporate office directory via RADIUS/LDAP or NTLM.
    • ScanSafe configuration To enable the content-scan (ScanSafe redirection) functionality within IOS you need a 15.2-1.T1 or later firmware along with the SEC/K9 license.Configuring the ScanSafe tower parameter-map type content-scan global server scansafe primary name proxy1.scansafe.net port http 8080 https 8080 server scansafe secondary name proxy2.scansafe.net port http 8080 https 8080 license 0 00000000000000000000000000000000 source interface GigabitEthernet0/1 timeout server 30 user-group ciscogroup username ciscouser server scansafe on-failure block-allBRKSEC-2031 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Live 2012
    • ScanSafe configuration (cont.)
      Applying the content-scan redirection: this is performed on the egress interface for the Internet-bound traffic. In this example Gi0/1 is the external interface.
        interface GigabitEthernet0/1
         ip address dhcp
         ip virtual-reassembly in
         ip virtual-reassembly out
         content-scan out
         duplex auto
         speed auto
    • ScanSafe configuration (cont.)
      Configuring authentication (LDAP backend)
      ‒ Using an LDAP server as a backend provides the ability to use the following authentication methods: NTLM, HTTP Basic and Authentication Proxy. In the following example the backend is an Active Directory server.
      ‒ The HTTP server must be enabled for authentication. If "ip http secure-server" is used, ensure that the SSL certificate is trusted by all client browsers, otherwise the browser will issue an SSL security warning whenever the user is prompted for authentication.
        ip http server
        aaa new-model
        ldap attribute-map ldap-map
         map type sAMAccountName username
    • ScanSafe configuration (cont.)
        ldap server scansafe-ldap-server
         ipv4 10.0.1.250
         transport port 3268
         attribute map ldap-map
         bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 11180E00071D02
         base-dn cn=users,dc=test,dc=localdomain
         search-filter user-object-type top
         authentication bind-first
    • ScanSafe configuration (cont.) aaa group server ldap scansafe-ldap-group server scansafe-ldap-server aaa authentication login ss-aaa group scansafe-ldap-group aaa authorization network ss-aaa group scansafe-ldap-group aaa accounting network ss-aaa non ip admission virtual-ip 1.1.1.1 virtual-host proxy ip admission name ssauth ntlm ip admission name ssauth method-list authentication ss-aaa authorization ss-aaa accounting ss- aaa interface GigabitEthernet0/0 ip address 10.20.0.1 255.255.0.0 duplex auto speed auto ip admission ssauthBRKSEC-2031 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Live 2012
    • ScanSafe & AnyConnect Integration
    • Summary
    • Summary Complexity of access in Branch/Edge has increased due to new apps and mobile platforms(BYOD). Integrated Services in the Branch/Edge is no longer an option (i.e. PCI) and can be deployed effectively. Cisco IOS Services and ISR G2 routers enable secure branch/edge solutions and reduce overall risk to business Consolidated services in the Branch/Edge lowers OPEX and TCO.BRKSEC-2031 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Live 2012 99
    • Complete Your Online Session Evaluation
      - Give us your feedback and you could win fabulous prizes. Winners announced daily.
      - Receive 20 Passport points for each session evaluation you complete.
      - Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      - Don't forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
    • Final Thoughts
      - Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
      - Come see demos of many key solutions and products in the main Cisco booth 2924
      - Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      - Follow Cisco Live! using social media:
        ‒ Facebook: https://www.facebook.com/ciscoliveus
        ‒ Twitter: https://twitter.com/#!/CiscoLive
        ‒ LinkedIn Group: http://linkd.in/CiscoLI