Day-Zero Attack

Cisco Systems Security

Self-Defending Network Strategy
INTEGRATED SECURITY: Secure Connectivity, Threat Defense, Trust & Identity
Initiative to improve the network's ability to identify, prevent and adapt to threats
ADVANCED SECURITY TECHNOLOGIES: Endpoint Security, Application Firewall, SSL VPN, Network Anomaly Detection
SYSTEM LEVEL SOLUTIONS: Endpoints + Networks + Policies, Services, Partnerships

Day-Zero Attack: the reaction window keeps shrinking
Timeline: Vulnerability Discovered -> Patch Issued -> Exploit Published -> Incident Occurs
Operation slot (number of vulnerabilities and resources)
Days between patch and exploit: Blaster: 25, Nachi: 151, Slammer: 180, Nimda: 331
If the exploit appears before the patch, can you still prevent the incident, even with maximum effort?

Evolution of security requirements
Past: reactive, single products, product positioning
Required measures: automatic, proactive, integrated across all layers, solution design / managed security service
A cross-cutting solution approach

Cisco Security Vision: a cross-cutting solution approach
INTEGRATED SECURITY (Phase I): SSL VPN, IPSec VPN, DDoS Mitigation, Cisco Security Agent, Firewalls and Intrusion Detection, Encrypted LAN/WAN Communications, AV Agent, Identity-Based Networking
COLLABORATIVE SECURITY (Phase II): Quarantine VLAN (Remediation), Network Infection Containment, Cisco Trust Agent, Network Admission Control
ADAPTIVE THREAT DEFENSE (Phase III)

Cisco Security Agent

How signature-based methods work
New, constantly changing threats every day:
Security holes in applications -> patch from the vendor
New viruses -> signatures from the anti-virus vendor
Host IDS -> signatures from the host IDS vendor
Timeline: first occurrence -> first patch -> first signature; 12-24 hours
Critical window!

Cisco Security Agent: rule-based method, zero update
Rule-based (whitelist)
NO signature updates required
Central installation and licensing
Timeline: first occurrence; CSA-protected; Day-Zero Protection

CSA in action: protection against Slammer (2003)
Send UDP/1433 packet looking for MS SQL
Overflow buffer in MS SQL Server 2000
Pick random IP addresses and spread to new targets
Network is crippled by traffic overload
No persistence: rebooting the system kills the worm
Defense in depth = 3 rules against Slammer

CSA: policy distribution via a PULL approach
Generation of the agent kits (VMS 2.3)
Installation of the kits (with certificate) via VMS 2.3
Registration and PULL of the policy via SSL
Diagram: CA, agents, SSL connections

Network Admission Control

Main cause of virus infection: where was the remote user with his laptop?
HQ, WAN, airport, hotel, LAN hotspots, etc., branch offices, teleworkers
Example Slammer: network outage caused by DDoS attacks
For propagation, a single configured IP address was all that was required
Even the best firewall is powerless against an infection from the inside

Cisco Network Admission Control: benefits
An integrated system:
End devices / security solutions know their security status
Policy servers determine compliance and access rules
Network access devices enforce the access policies

Network Admission Control in action
Client establishes a connection (desktop with Cisco Trust Agent)
Authentication and policy check (Cisco Secure ACS)
Corporate net: access granted / access denied
Quarantine VLAN: remediation

NAC logical components: shipping and NAC2 (NEW)
Host: Security App, CTA (Cisco Trust Agent), plug-ins; CTA on NT, XP, 2000, 2003; NAC2: Red Hat Linux
Non-responsive host -> Audit Server (NAC2), Audit Server API, initial vendors integrated (GAME)
Network Access Device: EAPoUDP, EAPo802.1x; Routers (8xx-75xx), VPN 3000; NAC2: Switches (2900, 3500, 3700, 4000, 6500), Wireless AP & WLSM
RADIUS -> AAA Server: Cisco Secure ACS
HCAP -> Vendor Server; many vendors, Open License Program

COLLABORATIVE SECURITY partner program
Over 60 partners with dozens of applications already available
Anti-Virus, Remediation, Audit, Client Security

Firewall solutions: Cisco ASA, FWSM

Introducing the Cisco Adaptive Security Appliance
Adaptive Threat Defense and VPN solutions
Adaptive Threat Defense and flexible VPN solution in one device: application security, worm/virus defense, malware protection, threat-protected VPN and extensive network functions
Minimizes deployment and operating costs: platform standardization, central management
Extensible technology against future threats: special hardware, adaptive detection and mitigation architecture enable unprecedented extensibility and policy control
The Cisco ASA 5500 Series

Cisco ASA 5500 Series: convergence of robust, market-proven technologies
Adaptive Threat Defense, Secure Connectivity
Firewall Technology (Cisco PIX): App Inspection, Use Enforcement, Web Control -> Application Security
IPS Technology (Cisco IPS): Malware/Content Defense, Anomaly Detection -> Anti-X Defenses
Network AV Technology (Cisco IPS, AV): Traffic/Admission Control, Proactive Response -> Network Containment & Control
VPN Technology (Cisco VPN 3000): Network Intelligence, Cisco Network Services -> Secure Connectivity, IPSec & SSL VPN

Cisco ASA 5500 product line: solutions from SMB up to the large enterprise
Cisco ASA 5510: target market SMB and SME; list price from $3,495; max firewall throughput 300 Mbps; max concurrent threat mitigation 150 Mbps; max IPSec VPN throughput 170 Mbps; base platform services: App FW, IPSec and SSL VPN, A/S HA (upgrade), 3 FE to 5 FE
Cisco ASA 5520: target market enterprises; list price from $7,995; max firewall throughput 450 Mbps; max concurrent threat mitigation 375 Mbps; max IPSec VPN throughput 225 Mbps; base platform services: as 5510, plus A/A failover, VPN clustering, 4 GE + 1 FE
Cisco ASA 5540: target market large enterprises; list price from $16,995; max firewall throughput 650 Mbps; max concurrent threat mitigation 450 Mbps; max IPSec VPN throughput 325 Mbps; base platform services: as 5520, but with higher performance and scalability

Cisco ASA OS 7.0 Application Inspection
Inspection engine capabilities: Application Policy Enforcement, Protocol Conformance Checking, Protocol State Tracking, Security Checks, NAT/PAT Support, Dynamic Port Allocation
Multimedia / Voice over IP: H.323 v1-4, SIP, SCCP (Skinny), GTP (3G Wireless), MGCP, RTSP, TAPI/JTAPI
Specific Applications: Microsoft Windows Messenger, Microsoft NetMeeting, RealPlayer, Cisco IP Phones, Cisco Softphones
Core Internet Protocols: HTTP, FTP, TFTP, SMTP/ESMTP, DNS/EDNS, ICMP, TCP, UDP
Database / OS Services: ILS/LDAP, Oracle/SQL*Net (V1/V2), Microsoft Networking, NFS, RSH, SunRPC/NIS+, X Windows (XDMCP)
Security Services: IKE, IPSec, PPTP
(Several entries marked New or Enhanced in 7.0)
2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential, NDA Use Only

Cisco ASA OS 7.0 Active-Active Failover
Adds multigroup HSRP-style active-active failover as an alternative to the existing active/passive failover
Effectively doubles throughput of the failover pair
Support for asymmetric routing leverages HA pair bidirectional state sharing for resiliency in multi-homed networks
Leverages the security contexts architecture to provide scalable HA
New in 7.0! Licensed feature: available on the 515, 515E, 525 and 535 platforms with UR/FO licenses
Diagram: PIX with Context 1 active / Context 2 standby towards ISP 1; PIX with Context 1 standby / Context 2 active towards ISP 2

Cisco ASA OS 7.0 Multi-context Security Services
Security Contexts (Virtual Firewalls) lower operational costs
Reduce overall management and support costs by hosting multiple virtual firewalls in a single appliance
Enables the logical partitioning of a single Cisco PIX Security Appliance into multiple logical firewalls, each with their own unique policies and administration
Each context provides the same primary firewall features provided by a standalone Cisco PIX Security Appliance
Supports up to 100 contexts, depending on platform
Ideal solution for enterprises consolidating multiple firewalls into a single larger appliance, or service providers who offer managed firewall or hosting services
New in 7.0! Licensed feature: available on the 515, 515E, 525 and 535 platforms with UR/FO licenses. Tiers: 5, 10, 20, 50, and 100 contexts
Diagram: Dept/Cust 1 ... Dept/Cust N, each served by its own PIX context

Cisco ASA OS 7.0 Layer 2 Firewall (New in 7.0!)
Transparent Firewall provides rapid deployment of security services
Simplifies and speeds deployment of security services into SMB and Enterprise network environments
Provides the ability to rapidly drop Cisco PIX Security Appliances into existing networks without requiring any addressing changes
Delivers high-performance stealth L2-L7 security services and provides protection against network layer attacks
Seamless security appliance integration in complex routing, high availability, and multicast environments
Ideal for environments with limited IT resources / budget
Diagram: Router - 10.30.1.0/24 - PIX (Transparent Firewall) - 10.30.1.0/24 - Router; same subnet on both sides

Cisco Adaptive Security Device Manager v5.0
Cisco ASDM v5.0 delivers extensive IPS management and monitoring of a single Cisco ASA appliance
Supports full configuration of: engines, signatures, threat risk rating, IPS actions, and more
Supports monitoring of: events, diagnostic reports, sensor statistics
ASA 5500 Intro

Firewall Service Module (FWSM): High Performance Firewall
Integrated into the Catalyst 6500 switch
Comparable to PIX 6.3 / 7.0
Layer 2 or Layer 3 firewall
Virtual firewall functions
Supports 1000 VLANs
No IDS and no VPN
Performance: 5.5 Gbit throughput, 100K new connections/sec, 1 million concurrent connections, 3 Mpps

Remote Access VPN, WebVPN

VPN services for every use case: robust IPSec and SSL VPN services
Branch office: site-to-site; supply partner: extranet
Access scenarios: Site-to-Site, Managed Desktop, Employee Desktop, Kiosk Access
Full or restricted network access; partner access; public Internet
Account manager, mobile user, employee at home, unmanaged desktop; ASA 5500
Convergence of IPSec, WebVPN, firewall:
Monitoring of VPN connections
Remote access VPN infrastructure in one device
Central, uniform user management
Optimal availability
Integrated load balancing
Provides secure access for every user from every location in one device with comprehensive management

WebVPN: SSL-based remote access
Enables secure remote access without a client
Web page access (HTTP/HTTPS)
Remote e-mail access: Outlook (MAPI), OWA, POP, IMAP, SMTP, Notes, iNotes
File access to enterprise servers: Windows CIFS file shares via web interface
Flexible login options, individually adaptable for different user groups
Group-based access control
Support for all common enterprise-wide authentication mechanisms
Port forwarding: access to TCP-based thick-client applications
Web-based management: comprehensive configuration and monitoring
Free SSL VPN trial included in the base price; no per-feature licence!

Customizable Application Access
All SSL VPN features included in base pricing, no special licences!
Deployment examples: extending appropriate connectivity
Company-managed desktop: Cisco SSL VPN Tunneling Client
Environment: controlled environment; known security posture and system privileges; diverse application requirements; LAN-like remote connectivity desired
Client: persistent, LAN-like network connectivity; access to virtually any application; utilizes a small, dynamically loaded client; post-session clean-up optional; best option for broad application access
Home / kiosk, web-based access: Clientless Access
Environment: uncontrolled environment, support issues; unknown security posture and system privileges; no software download allowed; limited application access required; unmanaged desktop
Client: reverse proxy, firewalled connection; access to web-based applications and Citrix; posture assessment, post-session clean-up required; customized access portal often desirable; best option for limited web application access and unmanaged desktops
Partner: Thin Client Access, Port Forwarding
Environment: uncontrolled environment, support issues; unknown security posture and system privileges; very granular access controls; posture assessment, post-session clean-up required; customized access portal often desirable
Client: reverse proxy, firewalled connection; access to web, email, calendar, IM and many other TCP applications; small Java applet dynamically loaded; best option for limited web and client/server applications and unmanaged desktops

CSD in action

Cisco VPN solutions: Integrated Services Router

Cisco Integrated Services Router: multiservice access router
Switching, routing, wireless; encryption, firewall, IDS/IPS; voice and security processors; content delivery, voice & IPT, AON
Delivers security and concurrent data, voice and video services at wire speed
Accelerates application deployment and reduces cost and complexity
Unprecedented services, performance and investment protection create new opportunities for customers

Cisco Integrated Services Router: the right router for every office
Axes: office size versus performance and services density
3800 Series: highest density and performance for concurrent services; markets: Enterprise, Enterprise Branch Office
2800 Series: embedded, advanced voice, video, data & security services; markets: Medium Business, Small Branch
1800 Series (modular and fixed): high-performance integrated security & data, secure broadband and wireless connectivity; market: Small Business
800 Series: new models for small offices; markets: Small Remote Offices, Teleworker, Single-Site Small Business

Cisco Integrated Security Architecture: integrated hardware security services
Built-in VPN acceleration: high-performance crypto offload, 3DES/AES encryption, up to 4x faster than previous routers
Secure voice: PVDM modules support SRTP AES encryption
High-performance AIM: optional AIM-VPN PLUS, 3DES, AES & compression, up to 10x faster than previous routers
USB port: removable secure credentials
Diagram labels: FIPS, Power + 802.3af, GE, HWIC, VPN, EVM, AIM, USB, NME, IKE crack, DES crack, Man in the Middle, HIPAA, IP Security
Common hardware architecture, modular design, investment protection

Cisco Router and Security Device Manager (SDM) for simplified management
One-touch router lock-down, AutoSecure
Knowledge base of TAC-recommended configurations
Built-in GUI available for all 1800, 2800, 3800 series
Industry-leading router and security management tool for: VPN, Firewall, IPS, static/dynamic routing, QoS, NBAR, LAN/WAN/VLAN interfaces

Advanced Secure Connectivity: faster deployment, reduced configuration
V3PN: best-in-class QoS with IPSec VPNs for multiservice high-quality, jitter-free voice, video and high-priority data
IPSec Easy VPN: remote access, hub-and-spoke VPNs using centralized policy push
Virtualized services: support multiple organizations with overlapping IP addresses while maintaining separation of data, routing, and physical interfaces
Cost-effectively ensuring information integrity and privacy
IPSec Dynamic Multipoint VPN (DMVPN): zero-touch provisioning, dynamic mesh VPN tunnels
GRE/IPSec with dynamic routing: leverage the best routing in the business for maximum control and flexibility
Diagram: Internet, DMVPN tunnels, PE, Customer A, Customer B, Customer C, 2800
www.cisco.com/go/ipsec

DMVPN encrypts voice traffic
Dynamic and permanent Spoke A-to-Hub and Spoke B-to-Hub IPsec tunnels for encryption of signaling traffic between 7935s and CallManager
Dynamic and temporary Spoke A-to-Spoke B IPsec tunnel for encrypting media traffic between two 7935 conferencing stations
Diagram: Hub, Spoke A, Spoke B; signaling traffic, media traffic. NOTE: black = unencrypted, color = encrypted

Voice/Video VPNs (V3PN)
Cisco IOS VPN Routers or VPN Appliances: voice and video integration with IPSec
Cisco IP Phone 79xx: phone handset with integrated QoS
Cisco CallManager: call setup and signaling; Host IDS protection
Cisco IOS VPN Routers / Appliances: integrated WAN, VPN, and voice gateway for remote offices
PIX or IOS Firewall: statefully inspects Cisco IP Telephony and video streams
Diagram: Main Office (LAN, PIX, VPN) - IP - Remote Office

Cisco Easy VPN
Headquarters: Cisco IOS Router, VPN Concentrator, PIX Firewall (Cisco 1700, 2600, 3600 Series, Cisco PIX Firewall, CVPN 3002)
Internet
Remote sites: Cisco 800, 900 Series Router, Cisco PIX 501 FW, CVPN 3002; browser-based GUI on Cisco 800, 900, Cisco PIX 501 FW & CVPN 3002
Support for dynamic VPN connections
Allows small to very large rollouts without user intervention
Simple configuration: automatic connection setup
Pre-configuration for fast installation
Enforces a consistent VPN policy on all remote devices
Interoperability across all Cisco VPN devices
Guaranteed basic functionality with other vendors

Security Management

Security Management product overview: Cisco Security Management Suite
Security Auditor, CS-MARS, Device Managers, Security Manager
Device managers: SDM, VMS 2.3, CVDM, ASDM, CW-SIMS
Functions: configuration, auditing, mitigation, monitoring, analysis

Cisco Mitigation and Response System (MARS): next-generation SIM/STM
Uses the existing network infrastructure for security analysis
Data correlation across the complete network: NIDS, firewall, router, switches, CSA; Syslog, SNMP, RDEP, SDEE, NetFlow, endpoint event logs
Fast localization of attacks and initiation of countermeasures
Key features:
Reports security incidents based on device messages, events, and sessions
Incidents are displayed graphically in the topology
Countermeasures on L2 ports and L3 devices
Scalability even in more complex environments

CS-MARS overview and control

CS-MARS data correlation: precise display of the attack path
Host A starts a port scan against Target X, followed by Host A launching a buffer overflow attack against Target X, where X is vulnerable to the attack, followed by Target X executing a password attack against Target Y

CS-MARS initiating countermeasures: using the defensive capabilities within the network
Graphical display of the Layer 2 / Layer 3 attack path
Countermeasures are executed on the network device
Cisco MARS configures countermeasures on the switch, router and firewall
