IPS AIM for Cisco Integrated Services Routers

Transcription

1 IPS AIM for Cisco Integrated Services Routers Technical Overview James Weathersby, TME, ARTG Tina Lam, Product Manager, ARTG 1

2 Cisco Integrated Threat Control Industry-Certified Security Embedded Within the Network Provide secure Internet access to the branch office without the need for additional devices. Control worms, viruses, and spyware right at the remote site; conserve WAN bandwidth. Protect the router itself from hacking and DoS attacks. Router Protection Automated router lockdown Router availability during DoS Branch Office Branch Office Worm and Virus Prevention Provide distributed defense and rapid response to worms and viruses. Control wired and wireless user access and noncompliant devices. Hacker Worms Choking WAN Illegal Surfing Internet Small Office and Telecommuter Corporate Office Secure Internet Advanced Layer 3 7 firewall P2P and IM control Web-usage control

3 Session Objectives IPS AIM Overview Benefits and Use Cases Quick Start Guide Signature Update and Threat Alert 3

4 Cisco Intrusion Prevention System Advanced Integration Module AIM-IPS-K9 For Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers AIM-IPS November 2007 Incorporates Network Admission Control (NAC) appliance server Accelerated Threat Control for Cisco Integrated Services Routers Helps enable Cisco Enforces Inline security Intrusion policies, Prevention (IPS) Scans for latest anti-virus software Runs same software Prevents (Cisco unauthorized IPS 6.0) and access helps and enable same features spread as Cisco of viruses IPS 4200 on the network Performance improvement Supports wired, by wireless hardware and guest NAC acceleration: Integrated into Cisco ISRs o Up to 45 Mbps Provides on Cisco size and 3845 scale ideal for o Dedicated remote CPU and offices DRAM (<100 to offload users) host CPU Works with NAC appliances at headquarters in a network system Management through Cisco IPS Device Manager and Cisco Security Manager Benefits (tentative of router for integration Cisco IPS 3.1.1) Supported by Cisco Systems Security Integration MARS on event monitoring and correlation Lower Operating Costs 4

5 Cisco Intrusion Prevention System Comprehensive Threat Protection for the SDN Cisco Security Agent Cisco Integrated Services Routers Cisco ASA 5500 Adaptive Security Appliance Cisco Catalyst Service Modules Cisco IPS 4200 Series Sensors Cisco Security MARS Cisco Security Manager Cisco Security Agent Internet Intranet Cisco Security Agent Day Zero Endpoint Protection Cisco IPS Module Branch Protection Converged Perimeter Protection Integrated Data-Center Protection Server Protection Monitoring, Correlation, and Response Policy-Based Solution Management Integrated Multivector protections at all points in the network and desktop and server endpoints Collaborative Cross-solution feedback linkages Common policy management Multivendor event correlation Attack-path identification Passive and active fingerprinting Cisco Security Agent-IPS Collaboration Adaptive Anomaly detection with inproduction learning Network behavioral analysis On-device and network event correlation Real-time security posture adjustment 5

6 Cisco IPS Product Portfolio: Integrated Security Across the Network Cisco IPS 4200 Series Sensors Cisco IPS 4215: 65 Mbps Cisco IPS 4240: 250 Mbps Cisco IPS 4255: 600 Mbps Cisco ASA 5500 Series IPS Editions and AIP Modules Cisco IPS 4260: 1 Gbps Cisco ASA 5510: Up to 150 Mbps Cisco ASA 5520: Up to 375 Mbps Cisco ASA 5540: Up to 450 Mbps AIP SSM-10 AIP SSM-20 Cisco Catalyst 6500 Service Modules Cisco IPS Integrated Services Router Modules IDSM2: 500 Mbps Cisco IOS IPS Cisco Catalyst IDSM-2 Bundle: 2 Gbps IPS AIM: Up to 45 Mbps Runs Same Software (Cisco IPS 6.0) and Facilitates Same Features as Cisco IPS 4200 Native Cisco IOS IPS for the Cisco Integrated Services Router A Variety of Performance Points for the Branch-Office Environment 6

7 Benefits of Integrated IPS on Cisco Integrated Services Routers Corporate Office SMB Network MSSP CE Router Cisco IPS 4200 Sensor Cisco Security MARS AIM-IPS Internet or Service Provider Network Cisco Integrated Services Router Cisco Security Manager Large Branch Small Branch AIM-IPS AIM-IPS Offers full-feature, high-performance threat protection in the branch or SMB network No additional footprint, cabling, or power requirements Integrates with data, security, and voice features on Cisco integrated services router Supports any routed WAN link; transport agnostic: T1/E1, T3/E3, Ethernet, xdsl, Multiprotocol Label Switching (MPLS), and third-generation (3G) wireless WAN (WWAN) Provides defense-in-depth to the perimeter of the network: ICSA-certified Cisco IOS Firewall, IP Security (IPsec) and Secure Sockets Layer (SSL) VPN, Cisco Network Admission Control (NAC), and URL filtering 7

8 Cisco IOS IPS, NM-CIDS, and Cisco AIM-IPS Dedicated CPU and DRAM for IPS Inline and promiscuous detection and mitigation Signature supported Automatic signature updates Day-zero anomaly detection Rate limiting Cisco Security Agent and Cisco IPS collaboration Meta event generator Event notification Device management System and network management Event monitoring and correlation Cisco IOS IPS No Subset of signatures, subject to available memory No No No No Syslog and SDEE CLI and SDM Cisco Security Manager IEV and Cisco Security MARS Cisco IPS AIM SNMP and SDEE Cisco IOS CLI and IDM Cisco Security Manager IEV, Cisco Security Manager, MARS, and on-box Meta Event Generator SNMP and SDEE IPS CLI and IDM Cisco Security Manager IEV, Cisco Security MARS, and on-box Meta Event Generator 8 Full set signatures (2200+) Cisco NM-CIDS No, promiscuous mode only Full set signatures (2200+) NOTE: Only one IPS service may be active in the router. All other must be removed or disabled. No

9 Use Case 1: Protect WAN Link and Corporate Offices Branch-office LANs are prone to attacks from Internet from split tunnels, contaminated laptops, and rogue access points. Integrated services router with IPS AIM stops worms and Trojan horses before they enter corporate or service provider network. Integrated services router with IPS AIM moves attack protection to the network edge. Threat Servers /24 Employees x/24 Protect WAN Link and Upstream Corporate Resources IPsec Tunnel Threat Integrated Services Router with IPS AIM threat Internet Corporate Office Wireless Guests x/24 9

10 Use Case 2: Protect Servers at Remote Sites Protect distributed application servers and Web servers hosted at remote sites. Endpoint attack relevance identifies server OS with minimal administration overhead. Servers /24 Servers Hosted Separately in DMZ Employees x/24 IPsec Tunnel Integrated Services Router with IPS AIM Internet Corporate Office Wireless Guests x/24 10

11 Enhances PCI Compliance, Requirement 11 WAP Mobile POS Store Worker PC Retail Location Wireless Device POS Cash Register Cisco Catalyst Switch POS Server Cisco Security Agent Cisco ASA Internet Integrated Services Router with IPS AIM Wireless Access Point Provides intrusion prevention in depth, as part of PCIcompliant self-defending network Event correlation provides audit trail for tests and validation exercises Integrates with Cisco IOS Firewall, IPsec, SSL VPN, and other Cisco IOS Software security technologies for complete solution Offloads all IPS inspection from router CPU Filters inspected traffic through ACLs 11

12 Integrating IPS AIM with Cisco IOS Security Technologies Cisco IOS Firewall and IPS AIM are complementary technologies: o Cisco IOS Firewall blocks unwanted traffic from entry into the network, helping ensure that applications traffic is legitimate. o IPS AIM inspects traffic the firewall has allowed, as well as traffic from the trusted network, to prevent attacks. Cisco IOS Firewall provides SYN flood attack defense. Cisco IOS Firewall and IPS AIM maintain separate state tables for TCP traffic. o It resets from one state table force session timeouts in the other. 12

13 Integrating IPS AIM with Cisco IOS Software Security Technologies Cisco IOS IPS must be disabled when using the IPS AIM. IPsec and SSL VPN traffic can be inspected after decryption. The IPS AIM works with NAC technologies to inspect trusted network traffic. The IPS AIM frees CPU and memory resources for other services. 13

14 IPS Management IDM: Individual device management Cisco Security MARS: Event correlation and management Cisco Security Manager: Networkwide security management No external management connection required 14

15 Lifecycle Security Services Prepare Plan Design Implement Operate Optimize Operate Phase Protects Network Information Assets Cisco Intellishield Alert Manager This comprehensive, cost-effective solution delivers intelligence to identify, prevent, and quickly mitigate IT attacks. Cisco Services for IPS Cisco Services for IPS helps customers effectively maintain integrity and privacy of sensitive information and maximize availability, reliability, and stability of their network while controlling operating expenses. 15

16 Cisco Security IntelliShield Alert Manager Service Now Includes IPS Signature-to-Threat Correlation Complete vulnerability and threat information in a single database Notification of only those vulnerabilities relevant to a predefined infrastructure Actionable alerts in a standardized format based on user-customized profiles Analysis and validation of each vulnerability or threat by security analysts Vendor-neutral and objectively graded vulnerability and threat information Comprehensive library of more than 10,000 threats and vulnerabilities Built-in workflow that allows easy management of tasks and remediation efforts 16

17 Cisco Services for IPS Rapid Signature Updates for Emerging Threats Network Vulnerabilities Viruses and Threats Cisco IPS Signature R&D Team Updated Signature Package Extensive 24-hour research capability gathers, identifies, and classifies vulnerabilities and threats. Signatures are created to mitigate the vulnerabilities within hours of classification. Signature updates are available to customers at Cisco.com. 17

18 18