Cisco Secure Router Michael Salat msalat@cisco.com Cisco Systems Austria, SMB

Cisco Secure Router Michael Salat msalat@cisco.com Cisco Systems Austria, SMB 1

Agenda Block 1: - Cisco's Network Admission Control Programm & Selbstverteidigende Netzwerke, Überblick zu Cisco Security Produktangebot - IEEE 802.1x Standard als Teil der (W)LAN Security - VPN Services ohne IPsec / PPTP / L2TP Kaffeepause Block 2: - Cisco Access Router als Security Komponente - Live Routerkonfiguration mittels Cisco Security Device Manager - Aktuelles aus dem Cisco Reseller Programm Kaffeepause Block 3: - Security Appliances - Praxisnahe Vorstellung der Cisco PIX Firewall Family und der notwendigsten Konfig Schritte - Day Zero Protection fuer Server und Clients - Cisco Security Agent setzt neue Massstäbe Lunchbuffett 2

Router Evolution Low density Switching Advanced Security Functionality/Integration Routing, INS VoFR, VoIP IOS Firewall/Encryption Multi-Protocol Routing, Access Control, QoS Tools Content Delivery Voice Apps IP Telephony Time Today 3

Integrated Device Security - Embedded Cisco IOS Security Hardware VPN Client Intrusion Detection System Firewall WAN Router Cisco IOS Security Router VPN + Firewall + IDS + IP Routing 4

Cisco Security Product Portfolio Secure Connectivity Extended Perimeter Security Intrusion Protection Identity Services Security Management Appliances VPN 3000 Series PIX Security App. 6503, 6506 Integrated Switch VPN Module Cisco IOS VPN Appliances PIX Security App. Catalyst 6503, 6506 Integrated Switch Firewall Module Cisco IOS Firewall Appliances 4200 Series PIX Security App Host Based Cisco Security Agent Integrated Switch IDS Module Cisco IOS IDS Cisco Access Control Server IBNS 802.1x extensions VPN Solutions Center (VPNSC) CiscoWorks VMS v2.1 (VPN/Sec Mgmt Solution) Embedded Device Managers SOHO 90, 830,1700, 2600, 3600, 3700, 7000 series 5

Cisco IOS Firewall Positioning and Platform Support Supported on all Cisco IOS Software Platforms Cisco 800, 900, 1400, 1600, 1700, 2500, 2600, 3600, 7100, 7200, 7400 and 7500 Series Routers Cisco Catalyst 5000 and 6000 Series Switches Small Division Branch/Retail Cisco 1700/2600 Series Routers Cisco 1700 Series Routers Cisco 830 Routers Telecommuter Cisco 830 Series Routers Internet Service Provider SP Edge Aggregation Small Business Small Satellite Office Cisco 2600/3600/3700 Series Routers Cisco 7000 Series Routers Server Farm Regional Office Corporate Office 6

Cisco IOS Firewall Features Stateful Firewall Engine tracks protocol state of connection Support for advanced protocol inspection: TCP, UDP, H.323v2, SIP, Skinny, ICMP, etc. Denial of Service (DoS) detection and prevention Destination URL Policy enforcement (Websense & N2H2) Per User Firewalls Per user, interface or subinterface security policies Per-user authen. and author. for http/https, ftp and telnet Tightly integrated with AAA services Firewall and Multicast routing co-exist Control downloading of Java applets Real-time alerts Integrated inline IDS functionality! 7

Intrusion Detection Sensor 8

Cisco IOS Firewall Intrusion Detection Inline sensor of network traffic for potential misuse or policy violations Deep packet inspection Matches network traffic against lists of 101 signatures, which look for patterns of misuse Takes action upon detection and sends alarm Combined with Cisco IOS Firewall on the Cisco 835, 1720, 2600, 3600, 3700, 7100 and 7200 Series Routers Cisco IOS IDS Roadmap Dynamic signature update functionality Leverage IDS Sensor DAT File Support Investigation of integrating Psionic s acquisition Mitigates 90% of false positive event 9

Cisco IOS Intrusion Detection Inline Cisco IOS differentiator Mitigate, act (reset), and notify upon signature identification: DROP packet, RESET connection, Send alarm Drop Packet Attack Alarm Network Management Attack Reset Cisco Attack 7200 10

Currently Supported Cisco IOS IDS Signatures Signatures types supported: - IP option attacks - Land Attack - Ping of Death - ICMP Attacks - TCP Attacks - RPC Attacks - Mail Attacks - Mail Spam Attack - UDP Bomb - FTP Attacks - Majordomo Execute Attack - Tftp Password File attack - DoS Attacks (TCP/UDP) - FTP Retrieve Password File - high severity DNS - high severity HTTP - high severity UDP 11

Cisco VPN Solutions 12

Benefits of VPNs Flexibility Extend network to remote users Ability to set up and restructure networks quickly Service Provider Independency Network Cost More bandwidth at lower cost Delivers cost effective remote site bandwidth for new applications Reduced WAN and dial infrastructure expenditures New Capabilities Enable extranet connectivity to business partners Leverages and extends the WAN to remote and external users Increase security by means of data encryption Security Encryption - Confidentiality - Authentication - Integrity 13

VPN Types Intranet VPN site2site Remote Access VPN Extranet VPN site2site Internet or IP Network Main Office POP Business Partner Remote Office Regional Office Home Office Mobile Worker 14

Cisco Site-Site VPN Strengths Many different platforms Integrated solution EasyVPN/ Security Device Manager Voice and Video support Solutions that fit your requirements VPN with all the benefits of the traditional Cisco router Easy deployment and Management. Lower operational cost A very cost effective solution for Voice and Video transport Dynamic Multipoint VPN Easy expansion of the network 15

Remote Access VPN Options Internet Software access Hardware-based remote-site firewall and VPN DSL or Cable Hardwarebased VPN client Remotesite firewall DSL or Cable Remotesite router Remotesite router Broadband access modem Broadband access modem Cisco 831 with firewall and VPN Broadband access modem Cisco VPN 3002 Broadband access modem Cisco PIX 501 with firewall and VPN Cisco ubr925, 803, or 837 with firewall and VPN Cisco ubr925, 803, or 837 with firewall Cisco VPN 3002 Desktops/laptops with Cisco VPN Client, HIDS, third-party anti-virus software and personal firewall Desktops/ laptops with HIDS and thirdparty antivirus software Desktops/ laptops with HIDS and thirdparty antivirus software Desktops/ laptops with HIDS and thirdparty antivirus software Cisco 7910 IP Phone 100 users or fewer 100 to 500 users 500 users or more CIBR Security technical solution customer 16

Remote Connectivity - Cisco IPsec VPN Client Cisco s VPN Client can terminate on all of our VPN platforms! FREE of Charge! PIX VPN 3000 PIX 6.0 VPN 3.0 IOS 12.2(8)T IOS Benefits: -Little client side configuration -Server side pushes policy to any authenticated clients 17

V 3 PN Voice and Video Enabled VPN Fully functional, cost-effective remote working environments Securely extend the corporate PBX to home offices for full-featured teleworker solutions Deliver secure IP video for videoconferencing and training Enhanced security for voice and video traffic over the WAN Encryption of voice and video streams, authentication of gateways IP telephony + VPNs = Greater cost savings Combining IP telephony and video with VPNs reduces bandwidth and telephony expenses Extending converged communications to remote sites or users increases productivity VPN V 3 PN Voice Video QoS 18

V 3 PN Voice and Video Enabled VPN I need to speak to John: 212-555-1212 Hello, This is John PSTN Home office 212-555-1212 Hello, This is John Wash DC John QoS-enabled VPN (V 3 PN) Corp Office NY 212-555-1212 Hello, This is John Philadelphia Consistent user experience Same network connectivity at home as in corporate office (data, voice and video) Lowers costs and increases teleworker productivity Service provider partners with networks built with Cisco products carry voice and video with toll-quality SLAs Log into phone and phone takes profile of 212-555-1212 19

Cisco Easy VPN 20

VPN Deployment & Management Challenges Mobile Workers Teleworkers VPN Repository Central Site Internet VPN Tunnels Heterogeneous CPE devices and clients Remote sites without on-site support VPN tunnels over static and dynamic WAN connections Static & dynamic IP addresses Pushing configuration changes once deployed Coordinating custom configuration, IP address and mixed WAN environment (Cable/DSL, PPPoE/hostname) Configuration? Configuration Configuration Configuration??? Small Branch Offices IP Address?? 21

Scalable Deployment & Management VPN Solution Cisco Easy VPN server on VPN gateway with security policy repository (Cisco CVPN 3000, Cisco IOS Router, PIX Firewall) Mobile Workers Central Site HQ / ISP Policy Updates Internet Cisco Easy VPN Remote and Server Support for all Cisco VPN Clients Dynamic policy updates, pushed to each CPE and clients Dynamic VPN tunnels over static and dynamic WAN connections Dynamic & static IP addresses Teleworkers VPN Tunnels Small Branch Office Configuration A Configuration Configuration A Configuration A A 22

Push VPN Policy with Cisco Easy VPN Teleworker / Small Branch SBO Office VPN functions are assigned IKE Mode Config Attributes; several parameters may be pushed at once Central HQ Site Cisco Mobile 1700 Workers Attributes Internal IP Address Internal NetMask Internet Internal DNS Server Internal WINS Server Split tunnel allowed when VPN tunnel is up (remote site traffic goes in the clear) Cisco Easy VPN Server on Central Site Gateways with security policy repository (Cisco CVPN 3000, Cisco IOS Router, Cisco PIX Firewall) 23

Cisco Full Service Access Router Portfolio Concurrent Services and Performance IOS Intelligent Services: Security Voice QoS Availability SOHO & 800 Series Secure Access Fixed platform Four port switch 1700 Series Low Density Services Platform Modular connectivity (WIC/VIC) Entry level voice services 2600XM Series Multi-Services Platform Extended modular connectivity (NM, WIC/VIC) Integrated content networking or low density switching option Legacy & dial aggregation 3700 Series High Density Services Platform Modularity with performance optimized for all-in-one solution (HSDM, NM, AIM, WIC/VIC) Density for integrated content networking+ low density switching + future service modules Scalability for Branch aggregation Enhanced availability Small Office & Teleworker SMB Small Branch Enterprise Branch Office 24

Cisco Access Router Portfolio Performance and Service Cisco 1760 Cisco 3700 Cisco 2600XM/2691 Cisco 7x00 Cisco 800 Cisco 1700 Cisco SOHO Teleworker/SOHO SMB/Small Branch Enterprise Branch Large Branch Enterprise HQ 25

Cisco SOHO90 and Cisco 800 Secure Broadband Router 26

Extending Integrated Security and Advanced Services To the Edge Cisco 836 Hardware Acceleration Stateful Firewall 4-Port 10/100 Switch IDS and URL filtering* IPSec 3DES ISDN Dial Back Up (836-only) Out-of-Band Management QoS for Voice and Video Cisco SOHO 96 27

Cisco SOHO 96 Router Hardware 10/100 MB Ethernet Switch Connect to Ethernet network devices on the LAN Console Port ISDN S/T Port ADSL-over-ISDN WAN Port Connects to SP network Processor Motorola RISC Memory DRAM Default: 32MB DRAM Max: 32MB FLASH Default: 8 MB FLASH Max: 8 MB 28

Extending the Intelligent Network to the Small Office Cisco 830 Series Broadband Routers 831 Secure BB Router for Ethernet (DSL or Cable) 836 Secure BB Router for ADSLoISDN 837 Secure BB Router for ADSLoPOTS Integrated security & routing for broadband access and VPNs Applications Convergence Support for multiple, advanced applications on a single, converged network Scalable, manageable and highly reliable network systems Cross-functional awareness between security and other network functions (Routing, QoS, Availability) 29

Key Features Integrated Security & Routing Hardware Encryption Stateful Firewall Authentication Proxy, 802.1x PKI with digital certificates IPSec NAT Transparency IDS, AES, URL filtering DMVPN Dynamic Routing: BGP, EIGRP, OSPF, RIPv2, L2TP SSHv2* *features available through software upgrade in late 2003 30

Cisco 1711 and 1712 Security Access Routers 31

Introducing Cisco 1711 and 1712 Security Access Routers for Enterprise Small Branch Offices and Small/Medium Sized Businesses Broadband Access with WAN Backup DSL broadband or Ethernet access Analog modem or ISDN backup Comprehensive Network Security Hardware accelerated VPN encryption Stateful firewall with URL filtering Intrusion detection Integrated LAN Connectivity 10/100 switch with VLAN Spanning Tree Protocol Advanced Routing and QoS RIP, OSPF, BGP, EIGRP QoS bandwidth optimization 32

Cisco 1711 and 1712 Key Features Cisco 1711 Cisco 1712 Fixed Configuration 1 10/100BaseT Port (WAN) Analog Modem Backup 4 Port 10/100BaseT Switch 802.1Q VLAN 32MB FLASH 64MB DRAM VPN Encryption Module Cisco IOS IP Plus/FW/IDS/ IPSec 3DES Security Device Manager List Price $1,295 Fixed Configuration 1 10/100BaseT Port (WAN) 1 port ISDN (S/T) Backup 4 Port 10/100BaseT Switch 802.1Q VLAN 32MB FLASH 64MB DRAM VPN Encryption Module Cisco IOS IP Plus/FW/IDS/ IPSec 3DES Security Device Manager List Price $1,295 33

Cisco 1711 and 1712 Interfaces Cisco 1711 Cisco 1712 4 Port 10/100 Ethernet Switch Console Port Analog Modem Port 4 Port 10/100 Ethernet Switch Console Port ISDN (S/T) Port Fast Ethernet Port (WAN) AUX Port Telephone Connection Fast Ethernet Port (WAN) AUX Port 34

Cisco 1711/1712 Application: DMZ with Firewall 802.1Q VLAN Defined DMZ LAN 10/100BaseT Switch Analog Modem/ ISDN Port DMZ 10/100BaseT Port Cisco IOS Firewall Applied to DMZ and Internet Connection VPN Tunnel to HQ Cable/DSL Modem Internet 35

Cisco 1711/1712 Application: Internet Hotspot 802.1Q VLAN Defined Hotspot Segment LAN 10/100BaseT Switch Analog Modem/ ISDN Port Wireless Access Point 10/100BaseT Port VPN Tunnel to HQ Cable/DSL Modem Internet 36

Cisco 1711/1712 Application: DDR Backup LAN 10/100BaseT Switch Analog Modem/ ISDN Port 10/100BaseT Port Cisco IOS Firewall Applied to Internet Connection X Internet DDR Initiated failover to Analog Modem/ISDN Port Cable/DSL Modem Internet Connection Failure PSTN 37

Cisco 1711/1712 Application: Remote Management LAN 10/100BaseT Switch Analog Modem/ ISDN Port 10/100BaseT Port Cisco IOS Firewall Applied to Internet Connection VPN Tunnel to HQ Cable/DSL Modem PSTN Internet Remote Administrator 38

Cisco 1711/1712 Application: ISDN to DSL Migration LAN 10/100BaseT Switch ISDN Port Initial/Temporary ISDN Service Cisco IOS Firewall Applied to Internet Connection Internet Migration to DSL Service DSL Modem PSTN 39

Cisco 1700 Series Product Line Cisco 1711/1712 Cisco 1721 Cisco 1751 Cisco 1760 Application Security Router Data Access Data and Voice Data and Voice Form Factor Desktop Desktop Desktop 19 Rack-Mount (1 RU) LAN Ports with 802.1Q VLAN 4-Port 10/100 Fast Ethernet Switch 1 10/100 Autosensing Ethernet Port 1 10/100 Autosensing Ethernet Port 1 10/100 Autosensing Ethernet Port Modular Slots None ( 1 10/100 WAN Port) 2 WIC Slots 2 VIC/WIC Slots 1 VIC Slot 2 VIC/WIC Slots 2 VIC Slots Integrated Backup WAN Analog Modem/ ISDN BRI Optional Optional Optional Integrated VPN Module, Optional Optional Firewall, IDS Optional Voice over IP US List Price (Chassis) US $1,295 US $1,195 US $1,495 US $1,595 40

Cisco 1711 and 1712 Ordering Information CISCO1711-VPN/K9 Includes: 32MB Flash, 64MB DRAM, 4-Port 10/100BaseT Switch, 10/100 WAN & Analog Modem Port, VPN Hardware Module, Cisco IOS IP Plus/ADSL/Firewall/IDS/IPSEC 3DES CISCO1712-VPN/K9 Includes: 32MB Flash, 64MB DRAM, 4-Port 10/100BaseT Switch, 10/100 and ISDN WAN Port, VPN Hardware Module, Cisco IOS IP Plus/ADSL/Firewall/IDS/IPSEC 3DES 41

Ordering Information CISCO1721 Same price as Cisco 1720 CISCO1721-VPN/K9 ($1,195 USD list) ($2,495 USD list) Includes: router, VPN hardware module, 16MB DRAM upgrade,cisco IOS IP plus/firewall/ids/3des CISCO1721-ADSL ($1,695 USD list) Includes: router, ADSL WIC, Cisco IOS IP/ADSL CISCO1721-SHDSL ($1,895 USD List) Includes: router, ADSL WIC, Cisco IOS IP/ADSL 42

Cisco 1760 Architecture WIC/VIC Slots Fast Ethernet Port VIC Slots Console Port/ AUX Port Available on Cisco IOS 12.3T and 12.3 Mainline High Performance RISC Architecture 19 Rack-mount Form Factor (1 RU) 4-slot Modular Chassis Auto-Sensing 10/100 FE Port IEEE 802.1Q VLAN Support on FE port Internal Expansion Slot for VPN Hardware Encryption Module IPSec 3DES Encryption at T1/E1 speed Two Internal Slots for DSP support AUX Port up to 115 kbps (async serial) 43

Cisco 1760 Interface Support WIC/VIC Slots Fast Ethernet Port VIC Slots Console Port/ AUX Port LAN Density 1 Fast Ethernet (on-board) 4 port 10/100 BaseT Ethernet Port WIC WAN density 5 Asynchronous Serial 4 Synchronous Serial 2 BRI (ISDN) Analog and Digital Voice Support Up to 16 analog voice calls Up to 30 digital voice calls with Multiflex VWIC Survivable Remote Site Telephony (SRST) Cisco Call Manager Express call processing features WAN Interface Card (WIC) support 4-port Ethernet Switch, Serial, ISDN, T1, Ethernet, Analog Modem ADSL o POTS, ADSL o ISDN and G.SHDSL (2-wire) Voice Interface Card (VIC) support 2/4-port FXS, 2/4-port FXO and E&M 2-Port BRI 1- and 2-port Channelized T1/E1 and G.703 44

Cisco 1760 Bundles Product Number Includes List Price Savings CISCO1760 CISCO1760-V CISCO1760-VPN/K9 CISCO1760-VPN/K9-A CISCO1760-ADSL CISCO1760-SHDSL CISCO1760-V-SRST CISCO1760-V-CCME CISCO1760-V3PN/K9 Router, 32 MB Flash, 64 MB DRAM Router, 32 MB Flash, 96 MB DRAM 1 PVDM-256K-4, Cisco IOS IP/VOX PLUS Router, 32 MB Flash, 96 MB DRAM, VPN Hardware Module, Cisco IOS IP/ADSL/FW/IDS/IPSec3DES PLUS Router, 32 MB Flash, 96 MB DRAM, VPN Hardware Module, 1 ADSL over POTS WAN Interface Card, Cisco IOS IP/ADSL/FW/IDS/IPSec3DES PLUS Router, 32 MB Flash, 64 MB DRAM, 1 ADSL over POTS WAN Interface Card, Cisco IOS IP/ADSL Router, 32 MB Flash, 64 MB DRAM, 1 G.SHDSL (2-wire) WAN Interface Card, Cisco IOS IP/ADSL Router, 32 MB Flash, 128 MB DRAM, 1 PVDM-256K-4, Cisco IOS IP/VOX Plus, Feature License FL-SRST-SMALL for 24 IP phones Router, 32 MB Flash, 128 MB DRAM, 1 PVDM-256K-4, Cisco IOS IP/VOX Plus, Feature License FL-CCME-SMALL for 24 IP phones Router, 32 MB Flash, 128 MB DRAM, VPN Hardware Module, 1 PVDM-256K-4, Cisco IOS IP/ADSL/VOX/FW/IDS/IPSec3DES PLUS $1,595 US $2,595 US $2,895 US 39% $3,395 US $2,095 US 18% $2,295 US 16% $2,995 US 30%(1) $2,995 US 30%(1) $ 3,895 US Cisco 1760 platform provides 8 bundle SKUs versus 3 bundle SKUs for 1751 (1) Calculation based on 1760-V 22% 38% 35% 45

Cisco Security Device Manager (=SDM) 46

SDM Ease of configuration Two modes of operation Guide: for the novice Feature: for technical users 47

Security Device Manager (SDM) Security application embedded in all target router s flash Supported on the Cisco 800, 1700, 2600, 3600 and 3700 Series Routers Supported on: Windows 98, ME, NT4 with service pack 4 or above Windows 2000 and XP Microsoft Internet Explorer 6.0 and above Netscape 4.7 or client machine must have browser built-in Java Virtual Machine (JVM) supporting Java 1.1.8 48

Security Device Manager (SDM) Device Configuration & Monitoring Features Basic Layer 3 configuration Basic Routing Configuration Static, RIP, EIGRP, and OSPF ACL, IDS and Cisco IOS Firewall Configuration VPN Configuration Site-to-site, pre-shared key, EZ VPN Client and GRE Tunnel Basic Monitoring capability 49

Cisco Security Device Manager: Combining Ease Of Use & Application Intelligence SDM is an intuitive, web-based device management tool embedded within Cisco access routers Security Audit: ICSA, TAC recommended security configuration Intelligent wizards: Autodetect mis-configuration and proposes fixes (e.g., punches hole for DHCP thru firewall if WAN interface is DHCP addressed) Quick Deployment: 1-Step Router Lockdown (Firewall), and VPN Wizard (Site-to-Site, Easy VPN) Tools for Expert Users: ACL Editor, VPN tunnel monitoring 50

Questions? 51

2003, 2001, Cisco Systems, Inc. All rights reserved. 52

SMB Security Deployment Blueprint 100 Users or Fewer Main business location Cisco access router with firewall and VPN FTP server with HIDS Web server with HIDS DMZ VLAN 10/100 and Gigabit Ethernet Cisco ACS using Remote Dial-In User Service (RADIUS) Secure corporate servers with HIDS Desktops/laptops with HIDS and thirdparty anti-virus software Internet DSL or Cable Cisco Catalyst stackable switch with Secure LAN features Desktops/laptops with Cisco VPN Client, HIDS, thirdparty anti-virus software and personal firewall Teleworker/remote access CIBR Security technical solution customer Broadband access modems Cisco access router with firewall and VPN Desktops/laptops with HIDS and third-party antivirus software This network blueprint is intended to be an educational resource and a starting point in planning your network solution; it is not a final recommendation from Cisco. To determine the deployment most appropriate for your company we suggest you work with a Cisco representative, Cisco channel partner or a solutions provider. 53

SMB Security Deployment Blueprint 100 Users or Fewer Main business location Cisco 1700, 2600 or ubr925 with firewall and VPN FTP server with HIDS Web server with HIDS DMZ VLAN 10/100 and Gigabit Ethernet Cisco ACS using Remote Dial-In User Service (RADIUS) Secure corporate servers with HIDS Desktops/laptops with HIDS and thirdparty anti-virus software Internet DSL or Cable Catalyst 2950 with Secure LAN features Desktops/laptops with Cisco VPN Client, HIDS, third-party anti-virus software and personal firewall Teleworker/remote access CIBR Security technical solution customer Broadband access modems Cisco 831 with firewall and VPN Desktops/laptops with HIDS and third-party antivirus software This network blueprint is intended to be an educational resource and a starting point in planning your network solution; it is not a final recommendation from Cisco. To determine the deployment most appropriate for your company we suggest you work with a Cisco representative, Cisco channel partner or a solutions provider. 54