Cyber security solutions for the public sector



Just because I, as a national security official, am giving a speech about cyber, I don't want you to take away the impression that it is solely a national security or defence issue. It goes to the heart of our economic well-being and national interest.
Ian Lobban, GCHQ

The task of protecting our security is never complete and in an age of uncertainty we must remain vigilant, regularly taking stock of the changing threats we face.
Foreword to the National Security Strategy, October

Contents

Foreword
Executive Summary
Securing Public Sector ICT
  The Shared Services Approach
  Modern Borderless Networks
  Cisco and Cyber Security
Foundation Network Security
  Control Plane Security
  Data Plane Security
  Management Plane Security
Perimeter Threat Defence
  Cisco Adaptive Security Appliance (ASA)
  Cisco Intrusion Protection System (IPS)
Content and Email Security
  Cisco IronPort Email Security Appliances
  Cisco IronPort Web Security Appliances
  Cloud-based Security Solutions
Secure Network Overlays
  Dynamic Multipoint VPN (DMVPN)
  Group Encrypted Transport VPN (GET-VPN)
  Comparison of DMVPN and GET-VPN Deployments
Secure Mobile Working
  Cisco TrustSec
  Cisco AnyConnect Mobility Client
How can Cisco Help?
Further Information

Foreword

Welcome to this paper offering our latest guidance on cyber security measures for your organisation.

Cisco faces cyber attacks to its global operations on a continual basis and has created this paper to share a multi-layered approach to cyber defence with our Public Sector partners. The paper provides practical, workable, relevant measures that we hope will inform security leads in Government, the wider Public Sector and Industry. Our aim is to increase security awareness through a series of measures so that your organisation can achieve agile, capable, and pro-active cyber defence.

Cyber threats to our country and to our organisations now occur within a decision/action cycle that is no longer in days, or even minutes. We now recognise the need to defend to the greatest extent of our capability, but also to be prepared and competent to react in seconds.

Whatever the stated security and cyber security outcomes of your organisation, our experience inside Cisco and across the Public Sector shows that the approach outlined in this document will help you to achieve those outcomes.

Of course technology can only control the fundamental cyber security strength of our Government networks. Holistic cyber defence requires additional measures to be taken to transform culture and processes within the workforce as part of a strong organisational approach. Please see the Cisco and Cyber Defence paper, which will deal in more depth with the critical people, process and policy considerations.

We would, of course, be most happy to discuss our approach to cyber security with you. We look forward to that opportunity and to supporting your efforts.

Rod Halstead
Managing Director
Cisco UK Public Sector

Executive Summary

Both the National Security Strategy and the Strategic Defence and Security Review (SDSR) stressed the increasing and changing nature of the security threat to our country and how we must, as a nation, invest to counter the threat of cyber attacks on citizens, business and Government. The Government has signaled intent by allocating additional funding of 650 million in the SDSR to enable cyber threats to be better identified, understood and mitigated.

These threats come at a time when many Public Sector organisations are changing their approach to ICT by adopting common or shared-services environments - shared ICT infrastructure, applications and services - in line with the Government's ICT Strategy. With the network at the very heart of these new environments, security provision becomes ever more critical:

- Shared ICT infrastructure, applications and services support larger communities of users and have become business critical;
- Key components of shared ICT environments, such as the backbones of shared networks and shared services data centres, become identifiable focal points for cyber security attack;
- Shared infrastructure often uses virtualisation techniques to support different stakeholder groups, meaning that robust cyber security is essential to maintain the confidentiality and integrity of each stakeholder group.

We strongly recommend that Departments carry out an infrastructure security assessment to establish security provision within existing ICT. A local ICT strategy should be created to explain how existing ICT can be adapted and migrated to create common or shared-services environments. The ICT strategy should clearly explain the approach that should be taken to securing these new environments.

This paper sets out Cisco's recommendations on best practice for securing modern ICT environments, based upon a clear and differentiated two-stage approach:

- Stage One exploits foundation network security - embedded security and telemetry capability - to make the network a security sensor;
- Stage Two deploys four pillars of layered security to deliver optimum internal and perimeter security capability to meet an organisation's delivery and outputs in a quantifiable and measurable secure manner.

We particularly recommend use of the Cisco Turn it On programme within Stage One. This advocates simple steps to ensure that all the embedded security capability is enabled in foundation network infrastructure. We very often find that organisations have not taken this fundamental step.

Security provision within the local ICT Strategy must, of course, align with broader cyber security objectives based on Trust, Visibility and Resilience. Cyber attacks represent a very particular threat, characterised by their severe business impact, global scale, speed of propagation and, often, by the distance between attacker and victim. Cisco is actively engaged in supporting business, citizens and Government - the three vectors for cyber attack - to develop new approaches to defeating these cyber security attacks. Please see the Cisco and Cyber Defence paper, which will provide more information on this subject. This will cover fundamental security measures that we feel will soon become mandatory across Government, as well as clear guidance on maintaining an agile and responsive posture to meet, and defeat, the ever developing types of attack.

Cisco has a global consultancy practice that provides a link into Cisco's expertise and experience on security and cyber security. These individuals are already supporting many Departments in Government, and can help you directly by:

- Assisting in the development of ICT, security and cyber security strategies;
- Carrying out infrastructure security assessments;
- Advising on life-cycle management of ICT to reduce costs and address security vulnerabilities;
- Developing transition plans to enhance security capability in line with business requirements and changing consumption models;
- Advising on how best to implement foundation network security and implement solutions that deliver the four pillars of layered security;
- Assisting with Information Assurance targets and outcomes.

We would welcome the opportunity to discuss the contents of this paper and how Cisco can support your cyber security requirements. In the first instance, please contact your Cisco representative.

Securing Public Sector ICT

The Coalition Government published its ICT Strategy in March 2011 in order to define the Public Sector ICT required to meet business requirements. The strategy specifies the use of common or shared ICT infrastructure and services to substantially reduce capital and operational costs and to enable information-sharing across the public services. It also highlights the need to balance open and accessible solutions against the growing cyber security threat and the need to handle sensitive information with due care.

The Shared Services Approach

Many Public Sector organisations have already begun to adopt their own local ICT strategies based on a common or shared-services approach to infrastructure, applications and services. There are several very important reasons why security provision must be at the heart of any such provision:

- Shared ICT infrastructure, applications and services support larger communities of users and so are very likely, because of this very fact, to be business critical;
- Key components of shared ICT environments - for example the backbones of shared networks and shared services data centres - become particular focal points for cyber attack;
- Shared infrastructure very often uses virtualisation techniques to support different stakeholder groups and must, therefore, provide robust security mechanisms to maintain the confidentiality and integrity of each stakeholder group.

The importance that Government itself attaches to the security of shared environments can be seen by reference to the Public Services Network (PSN) programme, one of the main delivery threads of Government ICT. The PSN programme is seeking to deliver common network infrastructure to support the whole of the Public Sector. The PSN programme has developed its own security model - specifying base network infrastructure assured to Impact Level 2 (IL2) and encrypted VPN security overlays for Impact Level 3 and 4 (IL3 and 4) traffic transiting the PSN. The PSN programme has also defined a new assurance scheme for security overlay products to be used in IL3 environments.

Modern Borderless Networks

The Government's common infrastructure approach to ICT is based upon intelligent networks that offer the reach and range to support stakeholder groups both from within and external to Public Sector. The PSN is an excellent example of such an intelligent network. Cisco refers to these networks as Borderless Networks, reflecting the ubiquity of network technology in the modern world. These networks have a number of particular characteristics (see Figure 1) that can lead to an increased cyber security threat:

- An unprecedented rate of technological change making it difficult to identify best practice;
- A far greater reach and range than in the past making boundaries difficult to define and offering many more points of attack;
- Aggregated support for data, voice and video services by an ever-increasing number of applications;
- Support for wide ranges of end-points including user-provided devices, such as Smartphones and tablets;
- A greater mix of users including location-independent workers, contractors, business partners and citizens;
- The demand to support applications sourced as a service from providers over external connections or over the Internet.

[Figure 1: Secure Borderless Access - Drivers and Mitigations]

The traditional approach to securing ICT has been to provide perimeter protection for resources within an organisation in order to mitigate threats expected to arise primarily from outside that organisation. This traditional approach stemmed from a time when ICT provision was very different; networks had fixed perimeters; data centres and networks only supported data services; and organisations had strict policy control over end-point devices and over end-user behaviour.

Organisations now need to defend themselves against a far greater, and far more aggressive, range of network threats. Defence can only be achieved in complex borderless network environments by a thorough and systematic approach to security based on intelligent, layered, self-defending technology. Cisco has developed a clear and differentiated two-stage approach to creating secure borderless networks.

Stage One is to exploit foundation network security - embedded security and telemetry capability - provided as standard within Cisco products. A very wide range of capability is provided both to mitigate threats in the network control plane and to control and monitor behaviours in the network data plane. The latter capability - using features such as Cisco Netflow - is particularly important as it allows proactive responses to cyber threats and detailed audit information to be gathered to help identify emerging threats.

Stage Two is to deploy four pillars of layered security (shown in Figure 2) to deliver the required perimeter and internal security capability demanded by business requirements:

- Perimeter Threat Defence - to mitigate threats that might arise from unauthorised access at network boundaries; boundaries are normally external but may be internal, for example at the perimeter of a data centre;
- Content and Email Filtering - to mitigate threats that might arise from the content returned by web sites or delivered via email; also to prevent the leakage of sensitive data;
- Secure Network Overlays - to provide network encryption capability so that the confidentiality and integrity of protectively-marked information can be assured as it traverses borderless network infrastructure;
- Secure Mobile Working - to offer a set of trust, identity and access control tools that secure network access for location independent workers.

[Figure 2: The Four Pillars of Cisco Security (Perimeter Threat Defence; Content & Email Security; Secure Network Overlays; Secure Mobile Working), resting on Foundation Network Security]

The main sections of this paper provide more information on this Cisco approach; on our foundation network security capability; and on our four pillars of layered security.

Cisco and Cyber Security

Cyber security is defined as the protection of data and systems in networks that are connected to the Internet either directly or by means of electronic transfer of data. Cyber attacks represent a very acute threat to the security of organisations and citizens. They are characterised by their global scale, their speed of propagation and, often, by the distance between attacker and victim.

No single company can solve all the complex challenges associated with cyber attacks but we believe Cisco, as a key provider of network technology, is a natural partner to help Government develop and execute a strategy to respond to this key strategic threat. Cisco is already actively engaged in supporting business, citizens and Government - the three vectors for cyber attack - to develop new approaches to mitigating these threats. That support includes Cisco's Security Intelligence Operations (SIO), which uses our large installed base worldwide to gain visibility of new and emerging threats.

Cisco advocates an approach to cyber based on the following three concepts:

- Trust - develop a model so that users, hosts, network devices, internet sites, mail servers etc. can be identified in order that information from them can be trusted;
- Visibility - to use the network as a sensor; to use telemetry tools to monitor the health of a network, detect undesirable behavior and classify network events;
- Resilience - to develop responses that mitigate the scale of an attack and its effects on operations and business.

This paper explains some of the capabilities that Cisco exploits to deliver Trust and Visibility to an ICT environment. In addition, Cisco will shortly publish a companion paper called Cisco and Cyber Defence that provides more detailed information on the subject of cyber security.


Foundation Network Security

The Cisco approach to securing network and ICT assets begins with the network foundation. Cisco has invested substantially over many years to develop embedded security features and security telemetry within the standard IOS operating system software of its key routing and switching products. These standard security capabilities afford customers the very best protection out of the box, so allowing them to enjoy an improved security posture with little, if any, additional expenditure.

Cisco has created a Turn it On Program to provide advice to customers on how these embedded security capabilities can be used to build more robust, more available, more secure networks. The program covers a range of Cisco IOS software capability; specific security and other features that control how data is handled and how network topologies are controlled.

Cisco's approach to foundation security visualises the network as comprising three planes:

- Control Plane - used by protocols that run the network, i.e. routing protocols;
- Data Plane - used for data traffic forwarding;
- Management Plane - used for managing and monitoring the network devices.

A structured approach to securing each of these planes is essential if a network is to deliver robustness and performance. Adequate audit and monitoring must also be performed. Audit and monitoring, linked to pro-active mitigation techniques, can be the key to combating many modern cyber attacks.

Control Plane Security

The control plane of a network comprises two separate but linked elements: firstly the protocols that run within individual devices to control local resources, such as CPU and memory, and secondly the protocols that run across the network to control topology and stability. These are often referred to as the device and network control planes respectively.

Control plane attacks target individual or groups of network devices to compromise their ability to control internal resources or to participate in network control functions. Alternatively, they inject erroneous control information to de-stabilise network topology and so affect network and system availability.

Cisco IOS software provides a variety of features to create a secure control plane and so mitigate attacks to device and network control planes. Three examples of these capabilities are:

- Device Control Plane Policing - applies policy (e.g. deny, rate limit) to network traffic that targets a device's control plane, thereby preventing device overload that could lead to a denial of service;
- Routing Protocol Protection - authenticates routing peers and routing update sources to harden network routing protocols, thereby protecting Layer 3 topology;
- Spanning Tree Toolkit - capabilities in the Cisco Catalyst switches to control and manage Spanning Tree messages, thereby protecting Layer 2 topology.

Data Plane Security

The data plane of a network comprises the paths taken by data traffic as it traverses a network. The data plane includes paths both within and between network devices.

Data plane attacks target individual or groups of network devices by flooding them with erroneous data traffic such that they are unable to maintain their network service. These attacks are referred to as denial-of-service attacks. Erroneous data traffic can manifest itself as incorrectly structured, incorrectly addressed or misdirected data packets.

Cisco IOS software provides a range of features to secure the data plane by detecting and mitigating attacks of this type. Examples of such features are:

- Unicast Reverse Path Forwarding (uRPF) - blocks IP traffic using a spoofed source IP address; this is done by checking inbound packets against the device routing table to ensure that they arrive on the correct interface;
- Access Control Lists (ACLs) - functions (permit, deny etc.) to limit the forwarding capability of network devices, so limiting the capacity of an attacker's access point to a network.

Management Plane Security

The management plane of a network is used to control and manage physical network devices. Management plane attacks target individual or groups of network devices so that an attacker can modify the function, performance or availability of a network to compromise users. Any compromise, whatsoever, of the management plane can provide an attacker with unparalleled control over network infrastructure.

Cisco IOS software provides a variety of features to secure the management plane and so mitigate attacks of this type. Examples of such features are:

- Secure Remote Access - the use of encrypted remote access protocols, such as SSH and HTTPS, and ACLs to restrict access to just trusted management source IP addresses limits the scope for attack;
- Role Based Access - the principle of least privilege is a core axiom in information security; ensuring that administrators have access privileges that suit their role limits both malicious and accidental damage;
- Network Telemetry - security monitoring is one of the most powerful tools for mitigating new and emerging security threats; Cisco Netflow provides administrators with a detailed insight into all traffic flowing across a network; when coupled with appropriate analysis tools it can quickly identify anomalous activity and characterise more obvious attacks, such as denial of service.

Network telemetry is particularly important for mitigating cyber attacks. It offers visibility so the network becomes the sensor to monitor the health of a network, detect undesirable behavior and classify network events.

In addition there are other capabilities of IOS devices that complement the above security features. For example the ability of Cisco devices to support rich and complex Quality of Service policies ensures that network availability for real-time protocols cannot be compromised even by the heaviest data traffic loadings.
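The uRPF check described under Data Plane Security above can be modelled in a few lines. This is an added example, not Cisco code and not part of the original paper: it implements a longest-prefix-match lookup and the reverse-path test, and goes slightly beyond the text by also showing a loose mode and the asymmetric-routing case where a strict check drops legitimate traffic. The interface names, prefixes, mode names and the `allow_default` parameter are constructed for illustration.

```python
import ipaddress


class Fib:
    """Toy forwarding table: prefix -> set of interfaces on the best path(s)."""

    def __init__(self):
        self._routes = {}

    def add(self, prefix, interface):
        net = ipaddress.ip_network(prefix)
        self._routes.setdefault(net, set()).add(interface)

    def lookup(self, address):
        """Longest-prefix match. Returns (network, interfaces) or None."""
        ip = ipaddress.ip_address(address)
        best = None
        for net, ifaces in self._routes.items():
            if net.version != ip.version or ip not in net:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifaces)
        return best


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Return (permit, reason) for a packet with source `src` seen on `in_iface`.

    strict: the route back to `src` must point out of `in_iface`.
    loose:  any route back to `src` is enough, whatever the interface.
    allow_default (assumption of this model): whether a match on the
    default route alone counts as a valid reverse path.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = fib.lookup(src)
    if match is None:
        return False, "no route back to source"
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False, "source only covered by the default route"
    if mode == "loose":
        return True, f"source reachable via {net}"
    if in_iface in ifaces:
        return True, f"{net} is reached through {in_iface}"
    return False, f"{net} is reached through {sorted(ifaces)}, not {in_iface}"


def build_sample_fib():
    """Constructed routing table for a router with one upstream and two LAN ports."""
    fib = Fib()
    fib.add("10.1.0.0/16", "Gi0/1")   # site LAN A
    fib.add("10.2.0.0/16", "Gi0/2")   # site LAN B
    fib.add("10.3.0.0/16", "Gi0/1")   # equal-cost paths to the same prefix
    fib.add("10.3.0.0/16", "Gi0/2")
    fib.add("0.0.0.0/0", "Gi0/0")     # upstream default route
    return fib


# Constructed packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("10.1.5.9", "Gi0/1"),      # genuine LAN A host
    ("10.1.5.9", "Gi0/0"),      # LAN A address arriving from upstream: spoofed
    ("10.3.0.7", "Gi0/2"),      # equal-cost prefix, either LAN port is valid
    ("10.2.3.4", "Gi0/1"),      # asymmetric path: legitimate but wrong port
    ("198.51.100.7", "Gi0/0"),  # external host, covered only by the default route
]


def run_samples(mode="strict", allow_default=False):
    """Evaluate every sample packet; returns a list of (src, iface, permit, reason)."""
    fib = build_sample_fib()
    results = []
    for src, iface in SAMPLE_PACKETS:
        permit, reason = urpf_check(fib, src, iface, mode, allow_default)
        results.append((src, iface, permit, reason))
    return results


if __name__ == "__main__":
    for src, iface, permit, reason in run_samples("strict"):
        print(f"{src:>14} on {iface}: {'permit' if permit else 'DROP'} ({reason})")
```

The fourth sample packet is the operational caveat: on links with asymmetric routing a strict check discards valid traffic, which is why the check is normally applied at edges where the return path is known.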

Perimeter Threat Defence

In the past Public Sector organisations have developed ICT environments based upon well-defined wired networks with well-defined domain perimeters. Computer network attacks were always assumed to originate from outside the organisation, so mitigation was based on the creation of securely defended perimeters.

The advent of borderless networks has made it much more difficult to define and defend the perimeter of an organisation - due to multiple gateway connections and the reach and range of wireless and VPN technologies. While building the secure network foundation must be the top priority, the second priority still remains to create robust Perimeter Threat Defence capability to secure ingress and egress points. Perimeter Threat Defence is the first of the four pillars of layered security.

Common perimeter defence technologies, such as firewalls and network intrusion prevention systems (IPS), have been available for some time to defend network perimeters. However the most modern devices offer rich features, high performance and are virtualised in order to maximise the utilisation and re-use of device assets. Cisco offers two device capabilities for Perimeter Threat Defence:

- Cisco Adaptive Security Appliance (ASA) that offers enterprise-strength firewalling;
- Network IPS appliances that deliver auditing and protective monitoring of traffic flows.

The ASA and IPS devices should be deployed wherever there are physical or logical domain boundaries in an organisation's network. Normally this would be at external boundaries - for example at gateways to backbone networks such as the Government Secure Intranet (GSi), Government Connect Secure Extranet (GCSx), the NHS N3 network and the Internet - but also at key internal boundaries - for example at the ingress point of a data centre or between functional layers within a data centre.

Cisco Adaptive Security Appliance (ASA)

The Cisco ASA is an enterprise-strength security solution that combines market-leading firewall and remote access VPN features with Intrusion Protection and optional content security capabilities.

The Cisco ASA firewall capability allows valid business traffic to flow, while keeping out unwanted or undesirable traffic based on a set of application control capabilities. These application control capabilities implement an organisation's security policies to limit peer-to-peer file sharing, instant messaging and malicious traffic, without offering a barrier to the secure deployment of new business applications.

The Cisco ASA Remote VPN capability provides site-to-site and remote-user VPN access to internal network systems and services. SSL and IPsec VPN options are available for maximum flexibility. Since the ASA combines firewall and content security services with remote access VPN services, it is a particularly robust solution that cannot introduce malware or other threats from remote VPN devices.

The Cisco ASA offers expansion slots for the support of add-on capability. The ASA can be deployed out of the box for firewall and remote access VPN and other features added to meet changing business needs or security threats.

The Cisco ASA also offers intrusion protection capability that can operate in standalone mode or can be configured to connect to Cisco SensorBase - part of Cisco's Security Intelligence Operations (SIO). In this mode the Cisco ASA connects every hour to the database to retrieve the latest list of known botnet command and control hosts for repudiation.

Cisco Intrusion Protection System (IPS)

The Cisco IPS should be deployed in tandem with firewall capability in order to secure physical and logical domain boundaries at the perimeter of, and within, an organisation's network. The Cisco IPS is critical to the successful deployment of borderless networks as it identifies and classifies, and can stop, both known and unknown security threats at each boundary. Cisco IPS is one of the key components for making the network the sensor and hence offering the visibility to mitigate cyber attacks.

The Cisco IPS is one of the most widely deployed intrusion prevention systems providing protection against more than 30,000 known threats. It protects against increasingly sophisticated attacks including directed attacks, worms, botnets, malware and application abuse. Timely signature updates, combined with the Cisco Global Correlation feature within each IPS, permit the dynamic recognition, evaluation, and stopping of emerging as well as known Internet threats.

The Cisco IPS, like the Cisco ASA, can be configured to connect to Cisco Security Intelligence Operations (SIO) to retrieve updated host reputation information. Real-time reputation information provides unique context information for the Cisco Global Correlation feature so that host reputation can be factored into the dynamic threat assessment to determine the probability of malicious intent associated with a network event.

For example, the Cisco IPS may detect an event that occurs often but which is not always associated with malicious activity. Without Global Correlation, the IPS would send an alert about the event, but no action would be taken on the network traffic. With Global Correlation, however, the sensor is able to use information on the reputation of the traffic source. If the reputation is low, the sensor can take direct action and block the potential attack without the risk of compromising valid traffic.

Cisco IPS can also use reputation data in other ways; for example to pre-filter traffic from sources with extremely low reputations, thus saving processing power for traffic that requires full inspection.

[Figure: Cisco Security Intelligence Operations (SIO)]

Content and Email Security

In recent years there have been an ever-increasing number of new threats, nuisances and risks that must be addressed through the security policy and strategy of Public Sector organisations. Two new types of cyber-security attack vectors have emerged that require particular attention:

- Email is now regularly used as a channel to infect target devices or to phish for sensitive personal or corporate information;
- Web content has emerged as one of the primary delivery vehicles for infecting end devices, often without the user's knowledge.

In addition to being a prime method of attack, email and web also represent a significant channel for the exfiltration of sensitive information. Public Sector organisations must also be aware of the real potential for data loss via these channels, whether it is done maliciously or simply accidentally. With the announcement in 2010 that the Information Commissioner can levy fines of up to 500,000 for malicious or deliberate data breaches, data loss is not only damaging to reputation, but can also now carry a financial penalty as well.

Email and web content security comprises the second pillar of layered security offered by the Cisco approach. This pillar deals with all the above threats and nuisances and affords rich perimeter defence to complement those offered by Cisco ASA and Cisco IPS.

Cisco IronPort Email Security Appliances

Cisco IronPort email security appliances provide a rich set of security features that can be used to control incoming and outgoing email for an organisation. The appliances will deliver two main business benefits to a Public Sector organisation:

- Monitoring and control of incoming email to mitigate cyber attacks and eradicate SPAM;
- Monitoring and control of outgoing email to ensure data loss prevention.

In the past monitoring and control of incoming email was carried out by signature-based software solutions which looked for common words or phrases in the headers and bodies of emails. However, as the volume of messages increased and SPAM messages became more sophisticated, new solutions were needed that reduced processing overheads. Cisco has developed and uses a new technique, referred to as reputation filtering, in its appliances.

Reputation filtering is a technique that assigns a reputation score to each sending domain. Email appliances are able to make a simple trust decision as to whether an email message is likely to contain a security attack or to be SPAM based on the reputation of the sending mail domain address; the higher the reputation of a domain, the lower the probability that a message will be a threat or be SPAM.

Cisco IronPort security appliances retrieve reputation information for incoming messages in real-time by querying records in SensorBase. SensorBase is a further component of Cisco's Security Intelligence Operations (SIO) and allows appliances to retrieve a reputation score associated with the IP address of the sending server. Reputation scores are created by gathering, aggregating and weighting more than two hundred different parameters. Reputation scores can range from 10.0 for the worst servers to for the best.

Cisco security appliances reject email from servers with low scores (below 3.0) and rate-limit senders that have medium to low reputation scores. They can also white-list high reputation servers with +9.0 scores from Fortune 1000 organisations. SPAM is now so predictable that most of our customers report that default appliance settings block more than ninety percent of incoming message attempts. This first line of defence reduces the effective volume of incoming emails so that other downstream virus and SPAM scanners are able to carry out further deep packet inspection of emails.

Data Loss Prevention

Data loss prevention capability is essential if Public Sector organisations are to effectively protect their sensitive citizen and business information. This is particularly critical as organisations become less centralised - with more distributed sites and remote employees - making it more difficult to monitor the actions of individual members of the workforce.

Cisco Data Loss Prevention (DLP) is a data leakage protection solution that helps organisations assess risk and prevent data loss. It safeguards against sensitive information being lost over the web or through email, by implementing policies on the content, context, and destination of traffic. Cisco DLP is available as an option for Cisco IronPort security appliances. It is implemented using RSA technology and is supplied as a software feature for the appliances.

Email Encryption

Email has now become a ubiquitous business tool. It can be used to share data quickly and easily in a wide range of different work settings but can be misused and abused. Cisco has found standard email in use to handle even sensitive citizen and patient information. This creates the real danger that the data may not be adequately protected in line with an organisation's security policy or even applicable laws.

Cisco uses a method known as secure envelopes for email encryption. It is simple to use and allows sensitive data to be shared quickly and securely, while still permitting the sharing of encrypted emails with third parties. An email sender has no need to worry about encrypting emails as the central security appliance takes on that role. The security appliance is configured with rules to encrypt messages based on the sender, recipient and even the content of the message. A recipient of the message requires no prior knowledge of the sender to decrypt the message. This approach would give Public Sector workers the confidence that when they share personal data via email, it will remain protected, even when sent to external parties.

Cisco IronPort Web Security Appliances

In the past web content security has been deployed to address corporate concerns about access to inappropriate web content and lost productivity due to workers accessing non-work applications. More recently, however, web security is being used to mitigate the threat of phishing websites and websites that have been hijacked to carry malicious content.

In the past web content security appliances, like email security appliances, focused on static filtering to detect malicious or inappropriate web content. Techniques have now been improved significantly by the application of reputation scoring mechanisms to web domains, similar to that used for email domain names. Web security appliances dynamically calculate the risk associated with each web request and response. Web reputation filtering is used in conjunction with signature and behavior-based scanning to provide much faster and stronger multi-layered web protection. Reputation data is used to block high-risk transactions and safeguard users from attacks such as IFrame and cross-site scripting.

Cisco IronPort web security appliances dynamically connect to the Cisco SIO every five minutes for rule-set updates (reputation data) from the SenderBase database. Rule-sets contain lists of compromised web hosts as well as information about infected URLs and pages. Rapid, granular scanning of each object within a requested web page, rather than just scanning of URLs and initial HTML requests, significantly increases the chance of detecting infected content.

Cloud-based Security Solutions

In today's economic climate, Public Sector organisations have to make fundamental business changes if they are to respond effectively to the gap between the demand for public services and the budget available to pay for them. One such change, endorsed by Government, is the use of cloud-based ICT services to drive new usage-based commercial models and so drive down costs.

Cisco offers the Cisco ScanSafe Web Security solution, a cloud-based security service designed to prevent zero-day malware from reaching the borderless networks of Public Sector organisations. The Cisco ScanSafe Web Security solution offers a new commercial model to customers; there are no new hardware requirements and no upfront capital or maintenance costs. The solution provides unparalleled real-time threat protection coupled with unprecedented reliability, with 100% uptime over 8 years, to ensure that customers can always connect securely to the web.

The solution allows organisations to build a granular global policy for all web traffic, including SSL encrypted communications. Security policy can be created based on categories, content, file types, schedules, and quotas to suit your organisation. Coupled with this, an integrated outbound policy capability ensures that confidential data, such as customer details or credit card numbers, does not leave the network.

The solution also analyses every web request to determine if content is malicious, inappropriate or acceptable based on defined security policies. This offers effective protection against threats, including against zero-day threats that would otherwise be successful.

Coupled with the Cisco AnyConnect 3.0 client, the Cisco ScanSafe solution can now offer consistent web security policy enforcement not only for fixed offices, but also for the remote and mobile workforce. Cisco AnyConnect will transparently forward all Internet bound traffic via the nearest ScanSafe data centre, ensuring that devices remain protected even when disconnected from the network.


Secure Network Overlays

Protecting the confidentiality of information across wide area networks is a key consideration for all Public Sector organisations that use Government protective marking or who deal with sensitive citizen or patient data. In 2006 CESG issued guidance advising government departments that public WAN services in the UK may no longer be suitable for carrying restricted information in the clear. It advised departments to consider the deployment of network encryption technology to mitigate the risk to information confidentiality and integrity.

For many years Cisco has developed and supported a range of capabilities for delivering large-scale encrypted wide area networks. Based on the IP Security (IPsec) standards, Cisco has continually innovated and enhanced its capability to deliver the protection required in a way that is both highly scalable and retains a low management overhead. Cisco offers a range of Secure Network Overlay encryption options; these are the third of the four pillars of layered security for Public Sector organisations.

Dynamic Multipoint VPN (DMVPN)

Cisco introduced Dynamic Multipoint VPN (DMVPN) a number of years ago to address the scalability limitations faced by customers who required both hub-to-spoke communications for access to central data centres and direct spoke-to-spoke communications for real-time applications such as IP voice and video.

DMVPN binds together three separate Internet standard protocols - IPsec, Next Hop Resolution Protocol (NHRP) and Generic Route Encapsulation (GRE) - to provide customers with the ability to construct a simple hub-and-spoke tunnel overlay and automatically establish dynamic, on-demand spoke-to-spoke tunnels. Prior to the development of DMVPN, customers had to manually build full or partial meshes of IPsec tunnels, resulting in large and complex device configurations and high management overheads. DMVPN is being widely deployed for networks that must be compliant with the Public Services Network (PSN) technical and security models.

Group Encrypted Transport VPN (GET-VPN)

The second, and more recent, Cisco approach to delivering large-scale encrypted overlays is Cisco Group Encrypted Transport VPN (GET-VPN). GET-VPN is designed specifically for deployment inside private MPLS WANs (compared to DMVPN, which can be deployed in a private WAN or on the Internet) and offers tunnel-less encryption.

To do this Cisco has enhanced a new standard, called Group Domain of Interpretation (GDOI), to develop an overlay group-encryption model whereby any device permitted to join the group is able to communicate with any other device in the group, without the need to build or define tunnels. This approach to encryption introduces the concept of a key-server within each IPsec domain. The key-server is responsible for managing a common encryption key (which is refreshed on a regular basis) across all group members and acting as a central point of policy control. This removes the need to explicitly define the encryption policy to new group members, thus providing a single point of administration.

Comparison of DMVPN and GET-VPN Deployments

DMVPN and GET-VPN both use similar approaches to solving a common set of business and security challenges that face Government and the wider Public Sector. The primary difference comes in the form of the security model.

In DMVPN, the security and trust model is identical to traditional point-to-point IPsec implementations, i.e. a pair of encryption endpoints share a common encryption key and exchange information in a pair-wise fashion. With GET-VPN, as described above, the key-server becomes responsible for establishing trust as well as managing a common encryption key across all devices in the group. Members join the group based on their ability to present a valid credential, typically a digital certificate issued by a public key infrastructure (PKI). Information is then shared in a group-wise fashion.

Each approach has a different trust model but both can deliver high scalability - in excess of 10,000 devices - with correspondingly low administrative overhead when compared to traditional hub-and-spoke solutions.

Cisco offers both of these network security overlay options. DMVPN and GET-VPN are both available as optional licensed IOS software for WAN CPE routers, such as the Cisco ISR G2. A Cisco comparison guide for VPN technologies is available at: iosswrel/ps6537/ps6586/ps6635/ps7180/prod_ brochure0900aecd pdf
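The two trust models described above look quite different on the router. The following Cisco IOS configuration is an added example, not taken from the Cisco paper: it shows a DMVPN spoke beside a GET-VPN group member. All names, addresses, the NHRP network ID, the tunnel key and the group identity number are constructed, and it assumes certificates from an already enrolled PKI trustpoint, a DMVPN hub at 192.0.2.1 (overlay 10.255.0.1) and a GET-VPN key server at 10.0.0.5.

```cisco-ios
! Constructed example: every name, address and ID below is an assumption.
!
! IKE phase 1 policy used on both devices, authenticated with
! certificates (rsa-sig) from an already enrolled PKI trustpoint.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! ===================== Device A: DMVPN spoke =====================
! Trust model: pair-wise. Each tunnel (spoke-hub, spoke-spoke) gets its
! own IPsec security associations, negotiated between the two endpoints.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 description DMVPN overlay (spoke side)
 ip address 10.255.0.11 255.255.255.0
 ! NHRP: register with the hub (next-hop server) and resolve other
 ! spokes' public addresses on demand.
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ! Allows direct spoke-to-spoke shortcuts; the hub needs
 ! "ip nhrp redirect" on its tunnel interface for this to take effect.
 ip nhrp shortcut
 ! GRE: one multipoint tunnel interface instead of a tunnel per peer.
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 ! IPsec: encrypt everything that leaves through the GRE tunnel.
 tunnel protection ipsec profile DMVPN-PROF
!
! ================= Device B: GET-VPN group member =================
! Trust model: group-wise. The member registers with the key server
! over GDOI, then receives the group policy and the shared traffic key.
! No tunnel interface and no local encryption ACL or transform set:
! both are pushed from the key server.
crypto gdoi group GETVPN-GRP
 identity number 1001
 server address ipv4 10.0.0.5
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GRP
!
interface GigabitEthernet0/1
 description Private MPLS WAN
 ip address 10.20.1.1 255.255.255.252
 crypto map GETVPN-MAP
```

Because every GET-VPN member holds the same traffic key, the key server's admission checks and rekey schedule carry the whole group's confidentiality, whereas a DMVPN spoke only ever holds keys for its own tunnels.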

Secure Mobile Working

Traditional wired networks are being replaced by borderless networks that comprise a mix of wired, wireless and virtual private networks (VPNs). Borderless networks are making it increasingly difficult to define the perimeter of an organisation; however, the perimeter is where security needs to be imposed and where location-independent workers need to access applications and services. Dynamic, location-independent workers present real business benefits to a Public Sector organisation but create real pressures for modern ICT departments - both in terms of service delivery and security challenges.

Cisco has developed a range of Secure Mobile Working capabilities to address just this challenge. We recommend them as the fourth of the four pillars of layered security. These capabilities comprise a range of products and product features including:

- Cisco TrustSec, supporting identity-based access to shared networks;
- Cisco AnyConnect, offering secure, policy-based access to shared networks.

Cisco TrustSec

Cisco TrustSec is one of several value-added service functions offered by products within Cisco's Borderless Network Architecture. TrustSec enables organisations to support location-independent workers but still secure their networks and services through identity-based access control. It is particularly suited to location-independent workers accessing ICT services in shared Public Sector offices.

TrustSec offers a range of embedded services within Cisco routing and switching products that secure user access to a network, protect data as it transits the network and provide centralised monitoring, troubleshooting, and reporting services as follows:

- Identity-based access control: dynamically provides role-based access; non-compliant devices can be quarantined, remediated, or denied access;
- Guest user access: authorised guests receive restricted access to specific resources (Internet, printers, etc.) through a customised web portal; all internal network access is blocked and activity is tracked and reported;
- Data integrity and confidentiality: data paths can be encrypted, via MACsec, from the endpoint to the network core while still allowing critical network appliances (e.g. firewalls, IPSs, QoS engines etc.) to retain visibility into data streams;
- Monitoring, management, and troubleshooting: centralised, policy-based corporate governance and compliance including centralised monitoring and tracking of users and devices; provides sophisticated troubleshooting, detailed auditing, and historical and real-time reporting.

Cisco TrustSec provides these capabilities through a layered set of identity-enabled access, authentication, authorisation, and value-added network services.

Cisco AnyConnect Mobility Client

The Cisco AnyConnect Client has been designed to provide secure, policy-based access control for location-independent workers. Cisco AnyConnect represents an extension of traditional software remote access VPN clients. It is able to detect its network operating environment and make a policy decision on where it is being used (for example main office LAN, remote office LAN, home, wireless hotspot). This enables the AnyConnect client to automatically enable the embedded always-on VPN capability if not on an office LAN, to ensure secure remote access to applications and services. This simple approach allows a location-independent worker to operate securely from any location (home office, remote office, hotel, in the street) without the need to manually start up a VPN client.

The Cisco AnyConnect Client supports a wide range of laptop and smartphone-based mobile devices, including laptops using Microsoft Windows 7. It adopts the most efficient VPN tunneling protocol method and is the first VPN solution to offer the Datagram Transport Layer Security (DTLS) protocol. It works seamlessly with the Cisco ASA appliance so that the combination of the client and the appliance offers the optimum combination of client-side security policies and centralised firewall and content monitoring capability.

How can Cisco Help?

Cisco has contributed actively to the development of security and cyber security solutions over a number of years. Cisco has a wide security product portfolio and has integrated security capability into the heart of our core network products. These products are now deployed within service provider and customer networks on a worldwide basis and this affords Cisco an unrivalled opportunity to gather cyber security intelligence. Cisco's Security Intelligence Operations (SIO) works with that installed base of customers to gather that intelligence and pro-actively advise of new and emerging threats.

Cisco Services have a global consulting practice which can provide the link between you and Cisco's security and cyber security expertise. That practice can provide advice and guidance on how to incorporate the recommendations in this paper into your business, technical and security strategies. They can also advise on how best to execute your security strategy within your organisation to mitigate risk and minimise the impact to ongoing service delivery.

We believe there are a number of ways that Cisco and our Cisco Services teams could support you to develop your security and cyber security capability:

- Assist in the development of ICT, security and cyber security strategies;
- Carry out infrastructure security assessments;
- Advise on life-cycle management of IT to reduce costs and eradicate security vulnerabilities;
- Develop transition plans to enhance security capability in line with business requirements;
- Advise on how best to implement foundation network security and implement products that comprise the four pillars of layered security;
- Assist with assurance projects.

We would welcome the opportunity to discuss the contents of this paper and share our knowledge and experience directly with you. Please contact your Cisco representative if you would like to discuss your requirements in more detail.

Further Information

The following references provide further information on the content described within this paper.

- Cisco Borderless Networks
- Cisco Borderless Security
- Foundation Security Turn It On Program
- Cisco ASA Security Appliances
- Cisco IPS Sensor Appliances
- Cisco Ironport and Web Security Appliances
- Cisco VPN Encryption Solutions (DMVPN and GET-VPN)
- Cisco TrustSec
- Cisco AnyConnect Secure Mobility Solution

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) C /11


More information

Implementing Cisco IOS Network Security

Implementing Cisco IOS Network Security Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x

SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x Introduction The Managing Enterprise Security with Cisco Security Manager (SSECMGT) v4.0 course is a five-day instructor-led course

More information

Accessing and sending data securely across security domains

Accessing and sending data securely across security domains In this White Paper Connectivity is good. Secure connectivity is essential. This white paper by Thales UK explains how Thales Gateway Services protect the exchange of data across security domains. It discusses

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

SECURITY ACCESS AND DATA FLOW CONTROL IN NETWORKS

SECURITY ACCESS AND DATA FLOW CONTROL IN NETWORKS SECURITY ACCESS AND DATA FLOW CONTROL IN NETWORKS Since it significantly increases the usability and value of business information systems, networking within the information systems and between them proves

More information

Cisco Cloud Web Security

Cisco Cloud Web Security Data Sheet Today s highly connected and fast-moving world is filled with complex and sophisticated web security threats. Cisco delivers the strong protection, complete control, and investment value that

More information

Load Balancing Security Gateways WHITE PAPER

Load Balancing Security Gateways WHITE PAPER Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...

More information

Websense Web Security Solutions

Websense Web Security Solutions Web Security Gateway Web Security Web Filter Hosted Web Security Web Security Solutions The Web 2.0 Challenge The Internet is rapidly evolving. Web 2.0 technologies are dramatically changing the way people

More information

Symantec Protection Suite Add-On for Hosted Email and Web Security

Symantec Protection Suite Add-On for Hosted Email and Web Security Symantec Protection Suite Add-On for Hosted Email and Web Security Overview Your employees are exchanging information over email and the Web nearly every minute of every business day. These essential communication

More information

Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations

Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations Choosing Remote-Access VPN Technologies, Securing the VPN Deployment Defining Remote-Access VPNs Remote-access VPNs allow

More information

www.contextis.com Effective Log Management

www.contextis.com Effective Log Management www.contextis.com About About Information Security has a client base including some of the world s most high profile blue chip companies and government organisations. Our strong track record is based above

More information

Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks

Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks April 2014 www.liveaction.com Contents 1. Introduction... 1 2. WAN Networks... 2 3. Using LiveAction

More information

Cyber Essentials Scheme

Cyber Essentials Scheme Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

More information

Providing a work-your-way solution for diverse users with multiple devices, anytime, anywhere

Providing a work-your-way solution for diverse users with multiple devices, anytime, anywhere Solution Overview BYOD Smart Solution Providing a work-your-way solution for diverse users with multiple devices, anytime, anywhere 2012 Cisco and/or its affiliates. All rights reserved. This document

More information

Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details

Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details CYBER SECURITY OPERATIONS CENTRE 13/2011 21 July 2011 Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details INTRODUCTION 1. This document provides further information regarding DSD s list

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology ARCHITECT S GUIDE: Comply to Connect Using TNC Technology August 2012 Trusted Computing Group 3855 SW 153rd Drive Beaverton, OR 97006 Tel (503) 619-0562 Fax (503) 644-6708 admin@trustedcomputinggroup.org

More information

Cisco RSA Announcement Update

Cisco RSA Announcement Update Cisco RSA Announcement Update May 7, 2009 Presented by: WWT and Cisco Agenda Cisco RSA Conference Announcements Collaborate with Confidence Overview Cisco s Security Technology Differentiation Review of

More information

Cisco Secure BYOD Solution

Cisco Secure BYOD Solution Q&A Cisco Secure BYOD Solution What Is New? Q. What is new from security to take organizations beyond BYOD? A. Cisco is announcing a solution that goes beyond BYOD in enabling you to securely deliver bring-your-owndevice

More information

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Rev 5058-CO900C Agenda Control System Network Security Defence in Depth Secure Remote Access Examples

More information

The Cisco ASA 5500 as a Superior Firewall Solution

The Cisco ASA 5500 as a Superior Firewall Solution The Cisco ASA 5500 as a Superior Firewall Solution The Cisco ASA 5500 Series Adaptive Security Appliance provides leading-edge firewall capabilities and expands to support other security services. Firewalls

More information

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World Securing Your Web World WEBTHREATS Constantly Evolving Web Threats Require Revolutionary Security ANTI-SPYWARE ANTI-SPAM WEB REPUTATION ANTI-PHISHING WEB FILTERING Web Threats Are Serious Business Your

More information

Cisco & Big Data Security

Cisco & Big Data Security Cisco & Big Data Security 巨 量 資 料 的 傳 輸 保 護 Joey Kuo Borderless Networks Manager hskuo@cisco.com The any-to-any world and the Internet of Everything is an evolution in connectivity and collaboration that

More information

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats Solution Overview Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats What You Will Learn The network security threat landscape is ever-evolving. But always

More information

Advantages of Managed Security Services

Advantages of Managed Security Services Advantages of Managed Security Services Cloud services via MPLS networks for high security at low cost Learn More: Call us at 877.634.2728 www.megapath.com Executive Summary Protecting Your Network and

More information

Content Security: Protect Your Network with Five Must-Haves

Content Security: Protect Your Network with Five Must-Haves White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as

More information

Cisco ASA 5500 Series Business Edition

Cisco ASA 5500 Series Business Edition Cisco ASA 5500 Series Business Edition Cisco ASA 5500 Series Business Edition Provides an All-in-One Security Solution The Cisco ASA 5500 Series Business Edition is an enterprise-strength comprehensive

More information

WEBSENSE TRITON SOLUTIONS

WEBSENSE TRITON SOLUTIONS WEBSENSE TRITON SOLUTIONS INNOVATIVE SECURITY FOR WEB, EMAIL, DATA AND MOBILE TRITON STOPS MORE THREATS. WE CAN PROVE IT. PROTECTION AS ADVANCED AND DYNAMIC AS THE THREATS THEMSELVES The security threats

More information

White Paper Secure Reverse Proxy Server and Web Application Firewall

White Paper Secure Reverse Proxy Server and Web Application Firewall White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security

More information

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN

Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN Cisco Group Encrypted Transport VPN: Tunnel-less VPN Delivering Encryption and Authentication for the WAN Product Overview Today s networked applications such as voice and video are accelerating the need

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment

Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment What You Will Learn Cisco Systems and Akamai Technologies intend to deliver the world s first combined Cisco Intelligent WAN with

More information

Nominee: Barracuda Networks

Nominee: Barracuda Networks Nominee: Barracuda Networks Nomination title: Barracuda Next Generation Firewall The Barracuda NG (Next Generation) Firewall is much more than a traditional firewall. It is designed to protect network

More information

NAC at the endpoint: control your network through device compliance

NAC at the endpoint: control your network through device compliance NAC at the endpoint: control your network through device compliance Protecting IT networks used to be a straightforward case of encircling computers and servers with a firewall and ensuring that all traffic

More information

Cisco Cloud Web Security Datasheet

Cisco Cloud Web Security Datasheet Cisco Cloud Web Security Datasheet October 2014 Table of Contents Table of Contents... 1 Overview... 2 Features and Benefits by License... 3 CWS Essentials License... 3 CWS Premium... 4 Advanced Threat

More information

The Cyber Threat Profiler

The Cyber Threat Profiler Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Securing SIP Trunks APPLICATION NOTE. www.sipera.com

Securing SIP Trunks APPLICATION NOTE. www.sipera.com APPLICATION NOTE Securing SIP Trunks SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise s IP PBX to the traditional Public Switched Telephone Network (PSTN)

More information

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Tech Brief Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks Introduction In today s era of increasing mobile computing, one of the greatest challenges

More information

Technical Note. ForeScout CounterACT: Virtual Firewall

Technical Note. ForeScout CounterACT: Virtual Firewall ForeScout CounterACT: Contents Introduction... 3 What is the vfw?.... 3 Technically, How Does vfw Work?.... 4 How Does vfw Compare to a Real Firewall?.... 4 How Does vfw Compare to other Blocking Methods?...

More information

How To Integrate Hosted Email Security With Office 365 And Microsoft Mail Flow Security With Microsoft Email Security (Hes)

How To Integrate Hosted Email Security With Office 365 And Microsoft Mail Flow Security With Microsoft Email Security (Hes) A Trend Micro Integration Guide I August 2015 Hosted Email Security Integration with Microsoft Office 365» This document highlights the benefits of Hosted Email Security (HES) for Microsoft Office 365

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery

More information

CCIE Security Written Exam (350-018) version 4.0

CCIE Security Written Exam (350-018) version 4.0 CCIE Security Written Exam (350-018) version 4.0 Exam Description: The Cisco CCIE Security Written Exam (350-018) version 4.0 is a 2-hour test with 90 110 questions. This exam tests the skills and competencies

More information

McAfee Security Architectures for the Public Sector

McAfee Security Architectures for the Public Sector White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed

More information

Managing Enterprise Security with Cisco Security Manager

Managing Enterprise Security with Cisco Security Manager Managing Enterprise Security with Cisco Security Manager Course SSECMGT v4.0; 5 Days, Instructor-led Course Description: The Managing Enterprise Security with Cisco Security Manager (SSECMGT) v4.0 course

More information

Cisco IOS Advanced Firewall

Cisco IOS Advanced Firewall Cisco IOS Advanced Firewall Integrated Threat Control for Router Security Solutions http://www.cisco.com/go/iosfirewall Presentation_ID 2007 Cisco Systems, Inc. All rights reserved. 1 All-in-One Security

More information

Cisco Unified Access Technology Overview: Converged Access

Cisco Unified Access Technology Overview: Converged Access White Paper Cisco Unified Access Technology Overview: Converged Access Introduction Today, less than 1 percent of things in the physical world are network connected. In the near future the growth of the

More information

Site to Site Virtual Private Networks (VPNs):

Site to Site Virtual Private Networks (VPNs): Site to Site Virtual Private Networks Programme NPFIT DOCUMENT RECORD ID KEY Sub-Prog / Project Information Governance NPFIT-FNT-TO-IG-GPG-0002.01 Prog. Director Mark Ferrar Owner Tim Davis Version 1.0

More information

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0 ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS Version 2.0 July 20, 2012 Table of Contents 1 Foreword... 1 2 Introduction... 1 2.1 Classification... 1 3 Scope... 1

More information

PCI Compliance: Improve Payment Security

PCI Compliance: Improve Payment Security PCI Compliance: Improve Payment Security The latest Payment Card Industry (PCI) Data Security Standards (DSS) for customer data give you more ways to address an evolving risk environment and meet PCI compliance

More information