Network as a Sensor & Enforcer


Network as a Sensor & Enforcer: Leveraging the network to control threats. Jaromír Pilař, jpilar@cisco.com, May 2016

Agenda
- Overview of Network as a Sensor and Enforcer
- Network as a Sensor
- Network as an Enforcer
- Summary and resources

Network as a Sensor and Enforcer Overview

Security Challenges
- Growing attack surface
- Dynamic threat landscape
- Complexity and fragmentation

How Data Breaches Happen
1. Victim clicks a phishing e-mail link
2. Malware dropped via backdoor
3. Reconnaissance
4. Lateral movement to find an admin
5. Privilege escalation to become admin
6. Data exfiltration using admin privilege
7. Information monetized after the breach

You Can't Protect What You Don't See
- 60% of data is stolen in HOURS
- 85% of point-of-sale intrusions aren't discovered for WEEKS
- 54% of breaches remain undiscovered for MONTHS
- 51% increase in companies reporting a loss of $10M or more in the last 3 YEARS
"A community that hides in plain sight avoids detection and attacks swiftly" - Cisco Annual Security Report

A Threat-Centric Security Model: the Attack Continuum
- Before: Discover, Enforce, Harden
- During: Detect, Block, Defend
- After: Assess, Contain, Remediate
The two roles covered in this deck, Network as a Sensor and Network as an Enforcer, are positioned along this continuum.

Network with Only Perimeter Visibility
(Figure: internal hosts 192.168.19.3, 192.168.132.99, 10.4.51.5, 10.200.21.110, 10.43.223.221, 10.85.232.4 and subnets 10.51.51.0/24, 10.51.52.0/24, 10.51.53.0/24 behind a single perimeter to the Internet.)
- Many devices in your network without visibility
- Visibility available only for traffic transiting the perimeter

Enabling Visibility Inside Your Network
(Figure: the same hosts and subnets as on the previous slide, now instrumented internally.)
- Cryptic network addresses that may change constantly
- Difficult to manage policy without any context

Context-based Visibility and Control
(Figure: Employee, Supplier, Quarantine, High Risk Segment, Shared Server and Internet attached to the network fabric, with allowed and denied traffic drawn between them.)
- Clear understanding of traffic flow with context (who, what role, which resource)
- Easier to create and apply policy based on such context

Network as a Sensor: Cisco ISE, NetFlow, and visualisation and mitigation tools
Inputs: context information from Cisco ISE plus NetFlow from the network; output: a mitigation action.
- Real-time visibility at all network layers
- Data intelligence throughout the network
- Asset discovery
- Network profile
- Security policy monitoring
- Anomaly detection
- Accelerated incident response
Integration options: Cisco Platform Exchange Grid (pxGrid), open to 3rd parties; API/script integration, for example APIC-EM and Flowmon.

Network as an Enforcer (overview)
Traditional security policy: address-based ACLs, illustrated on the slide by entries such as

access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

(These entries are a visual for ACL sprawl, not a working configuration: IOS accepts no port operators on icmp or ip entries, and the wildcard masks are inconsistent. The point stands: the policy is bound to addresses and unreadable at scale.)
TrustSec security policy: software-defined segmentation, giving
- Security control automation
- Simplified access management
- Improved security efficacy
Flexible and scalable policy enforcement across the network fabric: switch, router, wireless, DC firewall, DC switch.

Network as a Sensor

Introduction to NetFlow
NetFlow provides:
- A trace of every conversation in your network
- The ability to collect records everywhere in your network (switch, router or firewall)
- Network usage measurement
- The ability to see north-south as well as east-west communication
- Lightweight visibility compared to SPAN-based traffic analysis
- Indications of Compromise (IOC)
- Security group information
Example flow record from the slide (packets from 10.1.8.3 traverse switches and routers toward 172.168.134.2 on the Internet):
- Source address: 10.1.8.3
- Destination address: 172.168.134.2
- Source port: 47321
- Destination port: 443
- Interface: Gi0/0/0
- IP TOS: 0x00
- IP protocol: 6
- Next hop: 172.168.25.1
- TCP flags: 0x1A
- Source SGT: 100
- Application name (NBAR): SECURE-HTTP
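The slide lists Indications of Compromise among the things NetFlow provides, and the breach chain earlier in the deck names the stages they map to. The following is an added example, not code from the deck or from Cisco, that computes three such indicators from NetFlow-style records: reconnaissance (many SYN-only flows to distinct ports on one target), lateral movement (one internal host reaching admin services on many internal hosts, the east-west case) and exfiltration (large outbound byte volume to non-internal addresses, the north-south case). The flow records, thresholds, admin port list and "internal" prefixes are constructed assumptions for the example; 203.0.113.0/24 is documentation address space.

```python
"""Added example (not code from the deck or Cisco): three flow-based indicators
of compromise computed from NetFlow-style records, following the breach chain on
the slide (reconnaissance, lateral movement, exfiltration). The flow records,
thresholds and address ranges are constructed assumptions for this example."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    pkts: int
    bytes: int
    flags: int      # cumulative TCP flags as exported by NetFlow (0x02 = SYN only)


TCP, SYN_ONLY = 6, 0x02
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_scanners(flows: List[Flow], min_ports: int = 20) -> List[str]:
    """Reconnaissance: one source, one target, many SYN-only single-packet flows to distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == TCP and f.flags == SYN_ONLY and f.pkts <= 2:
            ports[(f.src, f.dst)].add(f.dport)
    return sorted({src for (src, _dst), p in ports.items() if len(p) >= min_ports})


def detect_lateral_movement(flows: List[Flow], admin_ports=(445, 3389, 5985), min_hosts: int = 5) -> List[str]:
    """East-west: an internal host reaching admin services on many distinct internal hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in admin_ports and is_internal(f.src) and is_internal(f.dst):
            targets[f.src].add(f.dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_hosts)


def detect_exfiltration(flows: List[Flow], min_bytes: int = 50_000_000) -> List[str]:
    """North-south: internal hosts pushing a large byte volume to non-internal destinations."""
    out_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out_bytes[f.src] += f.bytes
    return sorted(src for src, b in out_bytes.items() if b >= min_bytes)


def build_sample_flows() -> List[Flow]:
    """Constructed records; addresses reuse the deck's example ranges, 203.0.113.0/24 is documentation space."""
    flows = [Flow("10.51.51.8", "10.85.232.4", 50321, 443, TCP, 40, 120_000, 0x1A)]            # normal browsing
    flows += [Flow("10.51.51.7", "10.51.52.20", 40000 + p, p, TCP, 1, 60, SYN_ONLY) for p in range(1, 41)]   # port scan
    flows += [Flow("10.51.51.7", f"10.51.52.{h}", 52000 + h, 445, TCP, 12, 3_100, 0x1A) for h in range(1, 9)]  # SMB sweep
    flows += [Flow("10.200.21.110", "203.0.113.10", 51000 + i, 443, TCP, 4_000, 5_000_000, 0x1A) for i in range(20)]  # 100 MB out
    return flows


SAMPLE_FLOWS = build_sample_flows()


def run(flows: List[Flow] = SAMPLE_FLOWS) -> dict:
    return {"scanners": detect_scanners(flows),
            "lateral_movement": detect_lateral_movement(flows),
            "exfiltration": detect_exfiltration(flows)}


if __name__ == "__main__":
    for kind, hosts in run().items():
        print(f"{kind}: {hosts}")
```

The detectors only use fields that every flow record on the slide carries (addresses, ports, protocol, counters, TCP flags); none of them needs packet payload, which is the practical meaning of "lightweight visibility compared to SPAN". The thresholds are the part a practitioner tunes per network.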

Cisco Network Empowers NetFlow at Scale
Comprehensive view into all activities:
- Usage: packet count, byte count
- From/To: source IP address, destination IP address
- Time: start sysuptime, end sysuptime
- Application: packet count, byte count per application
- Port utilization / QoS: input ifindex, output ifindex, type of service, TCP flags, protocol
- Routing and peering: next hop address, source AS number, destination AS number, source prefix mask, destination prefix mask
Notes:
- Unsampled NetFlow on Cisco devices allows all traffic to be collected
- Fundamental capabilities built into Cisco routers and switches, plus the UCS vNIC
- Even on routers, full 1-to-1 NetFlow introduced little overhead: typically around 5%, upwards of 15% in the worst case depending on prior CPU utilization

NetFlow Terminology
- Flow: traffic set defined by a set of KEY fields, e.g. source IP, destination IP, source port, destination port, protocol, TOS, interface
- Flow Record: NetFlow protocol data unit exported from a NetFlow generator; contains a collection of KEY and NON-KEY fields relating to a flow
- Non-KEY fields: e.g. bytes, packets, TCP flags, AP MAC and client MAC
- Flow Collector: a device that receives NetFlow records from a NetFlow generator
- Flow Template: a flexible (v9) feature that advertises the record format to the collector
- Flow Exporter: a NetFlow configuration of where (which collector) the flows are sent, including IP address and protocol/port
- NetFlow Generator: a NetFlow-enabled network device

Myths about NetFlow Generation
- Myth #1: NetFlow impacts performance. Hardware-implemented NetFlow has no performance impact; software implementations typically stay well below 15% processing overhead.
- Myth #2: NetFlow has bandwidth overhead. NetFlow is a summary protocol; export traffic is typically well below 1% of total traffic per exporting device.

NetFlow in Motion
(Figure: packets from the source cross the NetFlow generator on the way to the destination.)
1. Key fields identify the flow: source IP address, destination IP address, source port, destination port, TOS byte (DSCP), input interface
2. The NetFlow cache accumulates flow information per key: addresses, ports, packets and bytes per packet (the slide's cache entry shows 11000 packets, 1528 bytes)
3. Records are exported from the cache to the FlowCollector
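The terminology and "NetFlow in Motion" slides describe the exporter side: key fields identify a cache entry, the non-key fields are accumulated, and in v9 a template tells the collector how to read the exported records. The following is an added example, not code from the deck or from Cisco, of the collector side: a minimal NetFlow v9 decoder, plus a small encoder used only to build a sample export packet offline. Field type numbers follow RFC 3954; the field subset, the template ID 256, the header timestamps and the two sample flows (the first mirrors the record on the introduction slide) are assumptions made for the example. The second function shows the failure mode a practitioner runs into first: data records that arrive before their template cannot be decoded, which is why exporters resend templates periodically.

```python
"""Added example (not code from the deck or from Cisco): a minimal NetFlow v9
collector-side decoder with a matching encoder used only to build the sample
packet offline. Field type numbers follow RFC 3954; the field subset, template
ID, header values and sample flows are assumptions made for this example."""
import socket
import struct
from typing import Dict, List, Tuple

# RFC 3954 field types used here -> record key names (subset chosen for the example)
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "tos", 6: "tcp_flags",
               7: "src_port", 8: "src_addr", 10: "input_snmp", 11: "dst_port",
               12: "dst_addr", 15: "next_hop"}
IPV4_FIELDS = {8, 12, 15}
Template = List[Tuple[int, int]]           # list of (field_type, field_length)

# Key fields first (they identify the flow), then non-key fields (counters, flags, next hop)
TEMPLATE_ID = 256                          # data FlowSet IDs >= 256 name a template
FIELDS: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (5, 1), (10, 2),
                    (1, 4), (2, 4), (6, 1), (15, 4)]


def build_template_flowset(template_id: int, fields: Template) -> bytes:
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body          # FlowSet ID 0 = template


def build_data_flowset(template_id: int, fields: Template, records: List[dict]) -> bytes:
    body = b""
    for rec in records:
        for ftype, flen in fields:
            value = rec[FIELD_NAMES[ftype]]
            body += socket.inet_aton(value) if ftype in IPV4_FIELDS else value.to_bytes(flen, "big")
    body += b"\x00" * ((-len(body)) % 4)                         # pad to a 32-bit boundary
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_v9_packet(flowsets: List[bytes], record_count: int, source_id: int = 0) -> bytes:
    # version, record count, sysUptime (ms), unix secs, sequence, source ID (constructed values)
    header = struct.pack("!HHIIII", 9, record_count, 1000, 1462060800, 1, source_id)
    return header + b"".join(flowsets)


def decode_v9(packet: bytes, templates: Dict[Tuple[int, int], Template]) -> List[dict]:
    """Decode one export packet; `templates` is the collector's per-(source_id, template_id) cache."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("malformed FlowSet length")         # never trust lengths from the wire
        data = packet[offset + 4:offset + length]
        if flowset_id == 0:                                      # template FlowSet: learn record layouts
            pos = 0
            while pos + 4 <= len(data):
                tid, nfields = struct.unpack("!HH", data[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(data):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", data[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:                                  # data FlowSet: needs a known template
            tmpl = templates.get((source_id, flowset_id))
            if tmpl is None:
                offset += length                                 # template not seen yet: records are lost
                continue
            rec_len = sum(n for _, n in tmpl)
            pos = 0
            while pos + rec_len <= len(data):                    # trailing padding is shorter than a record
                rec = {}
                for ftype, flen in tmpl:
                    raw = data[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
                flows.append(rec)
        offset += length
    return flows


# Constructed sample flows; the first mirrors the record on the introduction slide.
SAMPLE_FLOWS = [
    {"src_addr": "10.1.8.3", "dst_addr": "172.168.134.2", "src_port": 47321, "dst_port": 443,
     "protocol": 6, "tos": 0x00, "input_snmp": 1, "in_bytes": 1528, "in_pkts": 11,
     "tcp_flags": 0x1A, "next_hop": "172.168.25.1"},
    {"src_addr": "10.51.51.7", "dst_addr": "10.51.52.20", "src_port": 52210, "dst_port": 445,
     "protocol": 6, "tos": 0x00, "input_snmp": 3, "in_bytes": 60, "in_pkts": 1,
     "tcp_flags": 0x02, "next_hop": "10.51.52.1"},
]


def export_and_collect(flows: List[dict] = SAMPLE_FLOWS) -> List[dict]:
    """Exporter sends template + data in one packet; a fresh collector decodes both."""
    packet = build_v9_packet([build_template_flowset(TEMPLATE_ID, FIELDS),
                              build_data_flowset(TEMPLATE_ID, FIELDS, flows)],
                             record_count=1 + len(flows))
    return decode_v9(packet, templates={})


def collect_without_template(flows: List[dict] = SAMPLE_FLOWS) -> List[dict]:
    """Data-only packet at a collector that has not yet received the template: nothing decodes."""
    packet = build_v9_packet([build_data_flowset(TEMPLATE_ID, FIELDS, flows)], record_count=len(flows))
    return decode_v9(packet, templates={})


if __name__ == "__main__":
    for rec in export_and_collect():
        print(rec)
    print("records decoded without template:", len(collect_without_template()))
```

Two practical consequences follow from the code: the template cache is keyed by source ID as well as template ID, because different exporters reuse the same template numbers, and every length field from the wire is bounds-checked before use, because a collector listens on UDP to whatever sends it packets.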

NetFlow Supported Platforms
(Figure: NetFlow-capable points along the path from user through switch, router, WAN, router, firewall and DC switch to the server, with ISE alongside.)
NetFlow exporters:
- Catalyst 2960-X (NetFlow-Lite, sampled only)
- Catalyst 3560-X (SM-10G module only)
- Catalyst 3750-X (SM-10G module only)
- Catalyst 3850/3650 (FNF v9, SGT support)
- Catalyst 4500E (Sup7E/7LE)
- Catalyst 4500E (Sup8) (FNF v9, SGT support)
- Catalyst 6500E (Sup2T) (FNF v9, SGT support)
- Catalyst 6800 (FNF v9, SGT support)
- Cisco ISR G2 (FNF v9, SGT support)
- Cisco ISR 4000 (FNF v9, SGT support)
- Cisco ASR 1000 (FNF v9, SGT support)
- Cisco CSR 1000v (FNF v9, SGT support)
- Cisco WLC 5760 (FNF v9)
- Cisco WLC 5520, 8510, 8540 (v9) *
- ASA 5500, 5500-X (NSEL)
- Nexus 7000 (M-series I/O modules, FNF v9)
- Nexus 1000v (FNF v9)
- Cisco NetFlow Generation Appliance (FNF v9)
- Cisco UCS VIC (VIC 1224/1240/1280/1340/1380)
- Cisco AnyConnect client (IPFIX) *

Network as an Enforcer

Network as an Enforcer: Software-Defined Segmentation with TrustSec
(Figure: the same contrast as in the overview, a wall of address-based access-list 102 entries on the left versus a TrustSec security policy on the right.)
- Traditional security policy: address-based ACLs
- TrustSec security policy: security control automation, simplified access management, improved security efficacy
- Flexible and scalable policy enforcement across the network fabric: switch, router, wireless, DC firewall, DC switch

Network Segmentation with TrustSec
- Segmentation based on RBAC: independent from the address-based topology; role based on context (AD and LDAP attributes, device type, location, time, access method, etc.)
- Use tagging technology: to represent the logical group (classification) and to enforce policy on switch, router and firewall
- Software-defined policy: managed centrally, provisioned automatically on demand, invoked anywhere on the network dynamically
Example from the slide: Security Group "Manager" assigned from username johnd, group Store Managers, location Store Office, time Business Hours; enforced on the way to an "authorized personnel only" resource by switches, routers, firewalls, DC switches and hypervisor software.

How TrustSec Simplifies Network Segmentation
Traditional segmentation (security policy based on topology; high cost and complex maintenance):
- Static ACLs and VACLs, routing, redundancy, DHCP scopes, addresses and VLANs across access layer, aggregation layer and enterprise backbone
- One VLAN per class of endpoint: Quarantine VLAN (Non-Compliant), Voice VLAN, Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN
TrustSec micro/macro segmentation (use the existing topology and automate security policy to reduce OpEx):
- Central policy provisioning from ISE, no topology change, no VLAN change
- Endpoints stay on the Voice VLAN and Data VLAN but carry an Employee, Supplier or Non-Compliant tag
- Policy enforced at the DC firewall / DC switch in front of the DC servers

TrustSec in Action
(Figure: users on the wired switch, wireless network and remote access are authenticated by ISE against the directory and classified, e.g. SGT 5; the tag is propagated across switches and routers; the DC firewall and DC switch enforce policy toward application servers tagged SGT 8 and SGT 7.)
The three functions: Classification, Propagation, Enforcement.

TrustSec Functions
- Classification: static or dynamic assignment of a Security Group Tag; examples on the slide: 5 Employee, 6 Supplier, 8 Suspicious
- Propagation: inline tagging, or SXP for devices that cannot tag inline, including across the WAN
- Enforcement: SGACL on switches, SGFW on the ASA firewall, SG-ZBFW (zone-based firewall) on IOS routers
(Figure: host A tagged 8 and host B tagged 5, with the tag carried end to end to the enforcement point.)
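The "Network as an Enforcer" slides argue that tag-based policy is independent of the address topology: classification happens once from context, the tag (or the IP-to-SGT binding) follows the endpoint, and the enforcement point only consults one matrix cell per source/destination tag pair. The following is an added example, not code from the deck or from Cisco, that simulates the three functions on the slide end to end. The SGT numbers 5 (Employee), 6 (Supplier) and 8 (Suspicious) come from the slide; the server tags, the authorization rules, the SGACL cells, the usernames and all addresses are assumptions made for the example. It walks the same policy through an inline-tagged frame, an SXP-learned binding, a re-addressed client, a posture failure and an unknown source.

```python
"""Added example (not code from the deck or Cisco): a simulation of the three
TrustSec functions, classification (ISE assigns an SGT from context), propagation
(inline tag in the frame, or an IP-to-SGT binding learned over SXP) and
enforcement (one SGACL matrix cell per source/destination SGT pair). SGTs 5, 6
and 8 are from the slide; server tags, rules, cells and addresses are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SGT = {"Unknown": 0, "Employee": 5, "Supplier": 6, "Suspicious": 8, "Shared_Server": 20, "HR_Server": 21}


@dataclass(frozen=True)
class Session:
    """Context ISE has at authentication time; the IP address is deliberately not a policy input."""
    user: str
    ad_groups: Tuple[str, ...]
    device_type: str
    posture_compliant: bool
    ip: str


def classify(s: Session) -> int:
    """Authorization rules, first match wins (rule set assumed for the example)."""
    if not s.posture_compliant:
        return SGT["Suspicious"]          # quarantine by tag: no VLAN or address change needed
    if "Suppliers" in s.ad_groups:
        return SGT["Supplier"]
    if "Employees" in s.ad_groups and s.device_type in ("corp-laptop", "corp-desktop"):
        return SGT["Employee"]
    return SGT["Unknown"]


class SxpBindings:
    """IP-to-SGT bindings as an SXP listener (e.g. a firewall) learns them from ISE or switches."""
    def __init__(self) -> None:
        self.table: Dict[str, int] = {}

    def learn(self, ip: str, sgt: int) -> None:
        self.table[ip] = sgt

    def lookup(self, ip: str) -> int:
        return self.table.get(ip, SGT["Unknown"])


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    inline_sgt: Optional[int] = None      # set when the upstream switch tagged the frame inline


# SGACL matrix: (source SGT, destination SGT) -> ordered ACEs (action, proto, dport); default deny.
Ace = Tuple[str, str, Optional[int]]
SGACL: Dict[Tuple[int, int], List[Ace]] = {
    (SGT["Employee"], SGT["Shared_Server"]):   [("permit", "tcp", 443), ("permit", "tcp", 445)],
    (SGT["Employee"], SGT["HR_Server"]):       [("permit", "tcp", 443)],
    (SGT["Supplier"], SGT["Shared_Server"]):   [("permit", "tcp", 443)],
    (SGT["Suspicious"], SGT["Shared_Server"]): [("deny", "ip", None)],
}


def enforce(pkt: Packet, sxp: SxpBindings, server_sgts: Dict[str, int]) -> str:
    """Enforcement point: resolve both tags, then walk the matrix cell; no cell or no match = deny."""
    src_sgt = pkt.inline_sgt if pkt.inline_sgt is not None else sxp.lookup(pkt.src_ip)
    dst_sgt = server_sgts.get(pkt.dst_ip, SGT["Unknown"])
    for action, proto, dport in SGACL.get((src_sgt, dst_sgt), []):
        if proto in ("ip", pkt.proto) and (dport is None or dport == pkt.dport):
            return action
    return "deny"


def demo() -> Dict[str, str]:
    """Walks one policy through inline tagging, SXP, a re-addressed client, posture failure and an unknown host."""
    servers = {"10.4.51.5": SGT["Shared_Server"], "10.200.21.110": SGT["HR_Server"]}
    sxp = SxpBindings()
    results: Dict[str, str] = {}
    johnd = Session("johnd", ("Employees", "Store Managers"), "corp-laptop", True, "192.168.19.3")
    acme = Session("acme-tech", ("Suppliers",), "byod-tablet", True, "10.51.52.77")
    johnd_noncompliant = Session("johnd", ("Employees",), "corp-laptop", False, "192.168.19.3")
    # Inline-tagged path: the access switch stamps the SGT into every frame
    results["employee_inline_smb"] = enforce(
        Packet(johnd.ip, "10.4.51.5", "tcp", 445, inline_sgt=classify(johnd)), sxp, servers)
    # SXP path: the firewall only knows the binding, there is no tag in the frame
    sxp.learn(acme.ip, classify(acme))
    results["supplier_sxp_https"] = enforce(Packet(acme.ip, "10.4.51.5", "tcp", 443), sxp, servers)
    results["supplier_sxp_smb"] = enforce(Packet(acme.ip, "10.4.51.5", "tcp", 445), sxp, servers)
    # Same user re-addressed by DHCP: the binding moves with the session, the policy does not change
    sxp.learn("10.51.53.40", classify(johnd))
    results["employee_readdressed_hr"] = enforce(Packet("10.51.53.40", "10.200.21.110", "tcp", 443), sxp, servers)
    # Posture failure: same user, same address, now tagged Suspicious and denied by its own cell
    results["noncompliant_smb"] = enforce(
        Packet(johnd.ip, "10.4.51.5", "tcp", 445, inline_sgt=classify(johnd_noncompliant)), sxp, servers)
    # No binding and no inline tag: source resolves to Unknown, hits no cell, default deny
    results["unknown_source"] = enforce(Packet("10.43.223.221", "10.4.51.5", "tcp", 443), sxp, servers)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} {verdict}")
```

Compare the matrix with the address-based access-list on the enforcer slide: the SGACL has four cells and never mentions an address, so moving johnd from 192.168.19.3 to 10.51.53.40 changes a binding, not the policy. The unknown-source case is the one to check in a real deployment: a frame that reaches the enforcement point without a tag or binding must land in the Unknown cell, and that cell should deny.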

TrustSec Supported Platforms
(Figure: user, switch, router, WAN (GETVPN, DMVPN, IPsec), router, firewall, DC switch, vSwitch, server, with ISE alongside; SGT assigned at classification and carried through propagation to enforcement.)
Classification:
- Catalyst 2960-S/-C/-Plus/-X/-XR
- Catalyst 3560-E/-C/-X/-CX
- Catalyst 3750-E/-X
- Catalyst 3850/3650
- Catalyst 4500E (Sup6E/7E)
- Catalyst 4500E (Sup8)
- Catalyst 6500E (Sup720/2T)
- Catalyst 6800
- WLC 2500/5500/5400/WiSM2/8510/8540
- WLC 5760
- Nexus 7000, Nexus 6000, Nexus 5500/2200, Nexus 1000v
- ISR G2, CGR2000, ISR 4000
- IE2000/3000, CGR2000
- ASA 5500 (RAS VPN)
Propagation:
- Catalyst 2960-S/-C/-Plus/-X/-XR
- Catalyst 3560-E/-C, 3750-E
- Catalyst 3560-X/3750-X
- Catalyst 3850/3650
- Catalyst 4500E (Sup6E)
- Catalyst 4500E (Sup7E/7LE/8E)
- Catalyst 4500X
- Catalyst 6500E (Sup720)
- Catalyst 6500 (Sup2T), 6800
- WLC 2500/5500/5400/WiSM2/8510/8540
- WLC 5760
- Nexus 7000, Nexus 6000, Nexus 5500/2200, Nexus 1000v
- ISR G2, ISR 4000
- IE2000/3000, CGR2000
- ASR 1000
- ASA 5500
Enforcement:
- Catalyst 3560-X
- Catalyst 3750-X
- Catalyst 3850/3650
- WLC 5760
- Catalyst 4500E (Sup7E)
- Catalyst 4500E (Sup8E)
- Catalyst 6500E (Sup2T)
- Catalyst 6800
- Nexus 7000, Nexus 6000, Nexus 5500/5600, Nexus 1000v
- ISR G2, ISR 4000, CGR2000
- ASR 1000 router
- CSR 1000v router
- ASA 5500 firewall
- ASAv firewall
- Web Security Appliance

Summary & Resources

Network as a Sensor and Enforcer: Summary
- The network is a key asset for threat detection and control
- NetFlow, Cisco ISE and visualisation and mitigation tools provide visibility and intelligence
- TrustSec provides software-defined (micro) segmentation

To learn more, visit:
- www.cisco.com/go/networksecurity
- www.cisco.com/go/ise
- www.cisco.com/go/trustsec
- www.cisco.com/go/ctd