
Introduction to Information Security


Session 302
Roger Farnsworth rfarnswo@cisco.com

302 0946_05F9_c3

1999, Cisco Systems, Inc.

Copyright 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. 0946_05F9_c3.scr

Traditional Business
Figure: the enterprise at the center, with employees, customers, partners and suppliers around it.

The Global Networked Business
Figure: the same employees, customers, partners and suppliers, now reaching the enterprise over the network.

Business Problems?
Chart: Internet business need (Internet presence, Internet access, VPN and extranets, networked commerce) plotted against security complexity. Each additional need adds security complexity.

Enable Internet Access
Figure: internal users reaching the Internet.
Applications
- World Wide Web and e-mail access
Security issues
- Protection of internal resources from outsiders
- Limiting external privileges of internal users
- Visibility of internal network addresses
- Auditing usage and possible attacks

Enable Internet Presence
Figure: e-mail and WWW servers exposed to the Internet.
Additional applications
- E-mail server managed locally
- Web server provides presence
Additional security issues
- Protection of public resources
- Separation of public and internal networks

Enable Networked Commerce
Figure: commerce gateways between the Internet and the internal business systems.
Additional applications
- Electronic commerce with controlled access to business systems for ordering, etc.
Additional security issues
- Secure gateway-to-internal communication
- Client-to-commerce-gateway data privacy
- Strong application authentication of the client

Enable VPN and Extranets
Figure: an extranet partner, mobile/home users and a remote site reaching HQ over the Internet.
Additional applications
- Private connections over a public network: Virtual Private Network (VPN)
Additional security issues
- Encryption between remote users/sites and HQ
- Strong network authentication of the client

Why Security?
Three primary reasons:
- Policy vulnerabilities
- Configuration vulnerabilities
- Technology vulnerabilities
And people eager to take advantage of the vulnerabilities.

Security Objective: Balance Business Needs with Risks
Transparent access
- Connectivity, performance, ease of use, manageability, availability
Security
- Authentication, authorization, accounting, assurance
- Confidentiality, data integrity
Policy management is the balance point between the two.

Threats: Identity Spoofing
Figure: Mallet, claiming to be Bob, says "I'm Bob. Send me all corporate correspondence with Cisco."

Threats: Packet Sniffing
Figure: a Telnet login to foo.bar.org (username dan, password mypassword) crosses the network in clear text, and a sniffer on the path collects it keystroke by keystroke: "d-a-n", "m-y-p-a-s-s-w-o-r-d".
Telnet and PAP (later in this deck) both carry the credential itself in clear text, so anything that can see the wire, a compromised host on the same segment, a tap, a router in the path, ends up with a reusable password.

Threats: Data Theft
Figure: the corporate business plan ("Expand into Mallet's core area; massively discount our products for next quarter") copied off the network by Mallet.

Threats: Data Alteration
Figure: the customer sends "Deposit $1000 in Bob's account" to the bank; Mallet, in the path, rewrites it to "Deposit $900 in Mallet's account and $100 in Bob's account". Nothing in a plain message tells the bank that it was changed in transit.

Threats: Denial of Service
Figure: the victim's CPU driven to exhaustion, so legitimate work cannot get done.

Policy: The Only Scalable Model
Enterprise-wide security policy
- Who can see what information? Who can change it? From where?
- How protected is it?
- What are the assets? What is the cost?

What Is a Security Policy?
"A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."
Source: RFC 2196, Site Security Handbook (published September 1997; the slide still calls it a draft)

Cisco Enterprise Security Model
Figure: policy at the center, with the three technology pillars around it: identity, integrity and active audit.

Security Technology Taxonomy
Identity
- Accurately identify network users and their privileges
Integrity
- Network integrity through secure network perimeters, privacy and encryption, and reliable operation
Active audit
- Provide auditing, accounting, and active detection and response

What Is the Appropriate Security Policy?
Policy management spans a range from open, through restrictive, to closed.
Open security policy
- Permit everything that is not expressly denied
Restrictive security policy
- Combination of specific permissions and specific restrictions
Closed security policy
- That which is not expressly permitted is denied
Closed is the default-deny model; it is the only one of the three whose correctness does not depend on anticipating every attack in advance.

Setting Security Policies
- Know your assets
- Count the costs
- Control secrets
- Allow for human factors
- Physical security
- Change management

Identity
- Who are you? Where are you? What is permitted?

Methods of Authentication
From weak to strong:
- No username/password
- Static username/password
- Aging (expiring) username/password
- One-time password (OTP): S/Key OTP for terminal login; OTP carried in PAP for PPP
- Token cards/soft tokens (OTP), e.g. Enigma Logic, DES Card, Security Dynamics
An OTP sent over PAP or Telnet still travels in clear text, but it is single-use, so a sniffed copy buys the attacker nothing reusable.

Username/Password
Figure: a client on the public network authenticates, through the network access server (NAS), against a security server on the campus.
- Fundamental authentication mechanism
- Can be static or aging

PAP Authentication
Figure: a TCP/IP PPP client, over PSTN or ISDN, running PPP to the NAS.
- PAP: clear-text, repeated password
- The NAS compares the username/password to the entry stored in its database and accepts or rejects
Anyone who can sniff the link sees the password itself, and the same password is sent on every call.
CHAP Authentication
Figure: the client (username Jack, password Giraffe1) and the NAS, which holds the same entry, exchange "Run PPP", "Use CHAP", "OK", Challenge, Response, Accept/Reject.
- Secret password per remote user, held on both sides
- Three-way handshake: the NAS sends a random challenge, the client answers it, the NAS accepts or rejects
- The response is a one-way hash (MD5 in RFC 1994) over the packet identifier, the secret and the challenge, not an arithmetic product of challenge and secret; the secret never crosses the link, and a captured response is useless against a fresh challenge
Because the NAS (or its AAA server) must recompute the hash, it holds the secret in clear text, so the credential database needs the same protection as the link.
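The handshake above, as an added example that is not part of the original deck: a stand-alone Python model of RFC 1994 CHAP in which the NAS issues a fresh random challenge per attempt and the peer answers with MD5(identifier || secret || challenge). The user name and secret (Jack / Giraffe1) are the slide's sample values; the NAS, Peer, run_chap and replay_captured names are this example's own. It also shows why a sniffed response cannot be replayed.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not from the original Cisco deck: the RFC 1994 CHAP handshake
# between a PPP peer ("Jack") and a network access server (NAS). The user name and
# secret are the constructed sample values shown on the slide.

SECRETS = {"Jack": b"Giraffe1"}   # per-user secret held by the NAS (or its AAA server)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response value = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class NAS:
    """Authenticator side: issues one fresh random challenge per attempt."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = None          # (identifier, challenge) awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)            # unpredictable and never reused
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """True means Success, False means Failure; the challenge is consumed either way."""
        if self.outstanding is None or self.outstanding[0] != identifier:
            return False
        _, chal = self.outstanding
        self.outstanding = None          # exactly one response per challenge
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """Dial-in client: its secret never leaves the host, only the hash does."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(peer: Peer, nas: NAS, wire: list | None = None) -> bool:
    """One three-way handshake: Challenge -> Response -> Success/Failure.
    If `wire` is given, the on-the-wire Response is appended to it (what a sniffer sees)."""
    identifier, challenge = nas.challenge()
    name, response = peer.respond(identifier, challenge)
    if wire is not None:
        wire.append((name, identifier, response))
    return nas.verify(name, identifier, response)


def replay_captured(nas: NAS, captured: tuple) -> bool:
    """Mallet replays a sniffed Response against a fresh challenge; it must fail."""
    name, _old_identifier, response = captured
    identifier, _challenge = nas.challenge()
    return nas.verify(name, identifier, response)


if __name__ == "__main__":
    nas = NAS(SECRETS)
    wire = []
    print("Jack, correct secret:    ", run_chap(Peer("Jack", b"Giraffe1"), nas, wire))
    print("Jack, wrong secret:      ", run_chap(Peer("Jack", b"Zebra2"), nas))
    print("Mallet replays response: ", replay_captured(nas, wire[0]))
```

Run it directly for the three results; the third is the sniffing threat from earlier in the deck applied to CHAP. MD5 is there because RFC 1994 mandates it; the protection rests on the challenge being unpredictable and never reused, and on the secret being well chosen, since an attacker who captures a challenge and its response can try candidate secrets offline.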

One-Time Passwords
Figure: the end user (token card, soft token or S/Key) sends ID/one-time password over the public network to the NAS; the NAS forwards it to the AAA server and on to the token server on the campus.
- The password is used one time only and is sent in clear text; capturing it gains an attacker nothing once it has been used
- Can use a token card or soft token, with an algorithm based on a PIN or the time of day, to generate the one-time value
- The token server runs the same algorithm to compute the expected value and returns accept or reject to the NAS to complete the authentication

One-Time Passwords (continued)
S/KEY
- List of one-time passwords, for example:
  34 HUM FISH BIRD DIG SCRAP
  35 SAVE DUNK FRED SELF HURT
  36 RAKE GET HIS BUNK OFF
  37 DEAD RUN JACK HIDE LOAD
- Each line is one value from a hash chain encoded as short words; the highest number is used first and the server counts down, so a sniffed value cannot be reused
Token cards
- Use an algorithm based on a PIN or time of day to generate passwords
- The server uses the same algorithm
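The S/KEY chain behind that list, as an added example that is not from the original deck. It assumes SHA-256 in place of RFC 1760's MD4-folded-to-64-bits hash and prints hex instead of the six-word encoding; the user, passphrase, seed and the SkeyServer/skey_value names are constructed for the example. The server stores only the last accepted value and checks each login by hashing the offered value forward once.

```python
from __future__ import annotations

import hashlib
import hmac

# Added example, not from the original Cisco deck: the S/KEY one-time-password scheme
# (RFC 1760, a Lamport hash chain) behind the printed list on the slide. Assumptions:
# SHA-256 replaces RFC 1760's MD4-folded-to-64-bits hash, values are shown as hex rather
# than the six-word encoding, and the user, passphrase and seed are constructed samples.


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def skey_value(passphrase: bytes, seed: bytes, n: int) -> bytes:
    """One-time password number n: the hash applied n+1 times to seed || passphrase."""
    x = h(seed + passphrase)
    for _ in range(n):
        x = h(x)
    return x


def skey_list(passphrase: bytes, seed: bytes, first: int, last: int) -> list:
    """The printed list a user carries (numbers first..last); the highest number is used first."""
    return [f"{n} {skey_value(passphrase, seed, n).hex()[:16]}" for n in range(first, last + 1)]


class SkeyServer:
    """Holds, per user, only the sequence number and the last accepted value: never the passphrase."""

    def __init__(self):
        self.users = {}                      # user -> (n, value number n)

    def register(self, user: str, passphrase: bytes, seed: bytes, n: int) -> None:
        # Done once over a trusted path. Afterwards the passphrase exists only in the user's head.
        self.users[user] = (n, skey_value(passphrase, seed, n))

    def prompt(self, user: str) -> int:
        """Sequence number the user must answer with: one below what the server holds."""
        return self.users[user][0] - 1

    def login(self, user: str, otp: bytes) -> bool:
        n, stored = self.users[user]
        if n <= 0:                           # chain exhausted; the user must re-register
            return False
        if not hmac.compare_digest(h(otp), stored):   # hashing the offer forward must give what we hold
            return False
        self.users[user] = (n - 1, otp)      # the accepted value becomes the new reference
        return True


def demo() -> list:
    """Three logins from a sniffed session, then two attempts by the sniffer."""
    server = SkeyServer()
    server.register("dan", b"mypassword", b"fo0123", 100)
    wire = []                                # everything Mallet sees on the Telnet link
    results = []
    for _ in range(3):
        n = server.prompt("dan")
        otp = skey_value(b"mypassword", b"fo0123", n)   # computed on the client side
        wire.append(otp)
        results.append(server.login("dan", otp))
    results.append(server.login("dan", wire[0]))      # replay of the first value: rejected
    results.append(server.login("dan", h(wire[-1])))  # hashing forward only yields already-used values
    return results


if __name__ == "__main__":
    for line in skey_list(b"mypassword", b"fo0123", 34, 37):
        print(line)
    print(demo())   # [True, True, True, False, False]
```

The direction of the hash is the whole point: from any value seen on the wire an attacker can compute only higher-numbered, already-used values, never the next one. S/KEY still leaves the session after login in clear text, and an attacker who intercepts a live value before the server sees it can use it once, so it replaces the reusable password, not the encrypted session that the IPSec slides cover.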

Bio-Metrics
- Finger-scan
- Face recognition
- Iris scan

Authentication, Authorization and Accounting (AAA)
- Authentication verifies identity: who are you?
- Authorization configures what the authenticated identity may do (the deck files it under its integrity pillar): what are you permitted to do?
- Accounting supports the audit: what did you do?

CiscoSecure: Identity for Dial, Internet, and Campus
Figure: the CiscoSecure Access Control Server, backed by an Oracle or Sybase database and by token card servers, supplies configuration to access servers, routers and firewalls.

Centralized Security (AAA) Server
- Can be based on the TACACS+ or RADIUS protocol
- Maintains a database of user information
- Authenticates dial-in users
- Downloads user authorization information to the NAS
- If user information changes, the network administrator only has to change it on the centralized server
Figure: Alice dials in over PSTN/ISDN to the NAS on the corporate network, which consults the centralized security server.

TACACS+/RADIUS Comparison
Figure: a TACACS+ client and a RADIUS client on the campus, each talking to its own server.

                        TACACS+                     RADIUS
Dial functionality      Separates AAA               Combines authentication and authorization
Transport protocol      TCP                         UDP
Authentication          Bi-directional              Uni-directional
Protocol support        Full support                No ARA, no NetBEUI
Confidentiality         Entire packet encrypted     Password encrypted

On the last row: TACACS+ obscures the packet body with an MD5-derived pad keyed by the shared secret, and RADIUS hides only the password attribute, also with MD5. Neither is encryption in the sense of the IPSec slides later in this deck, so both should run on a management path that is itself trusted.

Device Authentication
Figure: Router A and Router B across the Internet, each enrolled with a certificate authority.
- The certificate authority (CA) verifies identity
- The CA signs a digital certificate containing the device's public key
- The certificate is the equivalent of an ID card

Digital Certificates
A digital certificate contains (with the slide's example values):

Serial number of the certificate      0000123
Issuer algorithm information          SHA, DH, 3837829...
Valid to/from date                    1/1/93 to 12/31/98
User public key information           Alice Smith, Acme Corporation; DH, 3813710...
Signature of issuing authority        Acme Corporation, Security Dept.; SHA, DH, 2393702347...

A verifier checks more than the signature: the issuer must be a CA it already trusts, the current date must fall inside the validity window, and (not on the slide) the certificate must not have been revoked.

Integrity
- Physical security
- Maintain data confidentiality
- Secure perimeters
- Secure communications

Physical Security
- Small equipment is easy to hide; large equipment is too heavy to lift
- Reality check: lock equipment racks and doors!
Whoever can reach a router's console port can run the password-recovery procedure and own its configuration, so the rack lock is an access control, not housekeeping.

Secure Configurations for All Infrastructure Components
- Routers, switches, firewalls, etc.
- Secure console and Telnet access: a simple clear-text password by default; TACACS+ or RADIUS for per-user authentication
- Multiple privilege levels for configuration and user commands
- Encrypted passwords when viewing configurations
Two caveats: Telnet carries the login in clear text end to end (the sniffing threat from the Telnet slide), and the password "encryption" that hides passwords in a displayed configuration (IOS type 7) is a reversible obfuscation; only the enable secret is stored as a one-way hash.

Workgroup Security: VLANs
Figure: VLAN 1 and VLAN 2 on one switch.
- Isolates protected clients by switch port, MAC address, network address, or application type
- Inter-VLAN controls via Cisco IOS access controls

Workgroup Port Security
- MAC address lockdown: static or first learned address
- The port is disabled after an unsecured address is seen, and the switch raises a link-down trap carrying the port-security flag
Figure: MAC addresses 0800.c7bf.438f and 0800.cbad.beef appear on a port whose learned address was 0800.c7bf.1234.
This stops casual plug-in of an unknown station; it does not stop an attacker who sets a NIC's MAC address to the expected one, so it is a workgroup control rather than authentication.
Perimeter Controls
- Firewalls focus on "us and them"
- Figure: the classic model stacks layers (top secret, secret, confidential, unclassified), each layer assumed homogeneous
- Most networks are more like this: (figure of mixed, overlapping trust zones)

Policy Enforcement Using Access Control Lists
Figure: video and terminal traffic pass between the campus and the Internet, while FTP is stopped at the router.
- Ability to stop or reroute traffic based on packet characteristics
- Access control on incoming or outgoing interfaces
- Works together with NetFlow to provide high-speed enforcement in campus networks
- Violation logging provides useful information to network managers
Packet Filtering Firewall
Figure: from the Internet, "go to WWW server" is passed through to the WWW server while "go to Finance server" is stopped.
- Most versatile for adding protocols and new applications
- Less conducive to authentication and authorization
- Minimal auditing functions for user sessions

Stateful Packet Filtering
Figure: a firewall between the Internet and the mail and WWW servers.
- More stringent security
- Maintains complete session state; connection oriented
- Tracks the complete connection, from establishment to termination
- Sessions are much harder to hijack or spoof into: a packet that does not match a connection the firewall watched being set up is dropped, whatever flags it carries (the slide's "immune" overstates it; an attacker sitting in the path of an established session can still inject into it)
- Strong audit capability
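The difference between the packet filter of the previous slide and a stateful filter, as an added example that is not from the original deck: a Python model of a stateless "established"-style access list next to a minimal connection tracker, both run over the same constructed packets. The addresses (10.0.0.0/8 inside, 192.0.2.10:80 as the public web server, RFC 5737 ranges elsewhere), the Packet and StatefulFirewall names and the log format are assumptions of the example. Packet 5 is the point of the slide: an inbound packet with ACK set but no session behind it passes the ACL and is dropped by the tracker, and the denial is logged with source, destination and port as the Monitoring slide later describes.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not from the original Cisco deck: a stateless router access list of the
# "established" kind beside a minimal stateful connection tracker, both run over the same
# constructed packets. Assumptions: 10.0.0.0/8 is the protected network, 192.0.2.10:80 is
# the public web server, and the other addresses are RFC 5737 documentation ranges.

PUBLIC_SERVICES = {("192.0.2.10", 80)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving from the Internet) or "out" (leaving the protected network)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN, "R" RST


def stateless_acl(pkt: Packet) -> str:
    """Router ACL: anything out; in only to public services or if ACK/RST is set
    (the Cisco 'established' keyword). It remembers nothing between packets."""
    if pkt.direction == "out":
        return "permit"
    if (pkt.dst, pkt.dport) in PUBLIC_SERVICES:
        return "permit"
    if "A" in pkt.flags or "R" in pkt.flags:
        return "permit"          # looks like the reply half of an inside-initiated session
    return "deny"                # the implicit deny at the end of every ACL


class StatefulFirewall:
    """Tracks each TCP session from SYN to FIN/RST and passes an inbound packet
    only if it belongs to a session the firewall saw being opened."""

    def __init__(self):
        self.sessions = {}       # (inside ip, inside port, outside ip, outside port) -> state
        self.log = []            # denied packets, in the form a firewall syslog would carry

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        state = self.sessions.get(key)
        if state is None:
            # Only a bare SYN opens a session: from inside to anywhere, or from outside to a public service.
            opens = pkt.flags == "S" and (
                pkt.direction == "out" or (pkt.dst, pkt.dport) in PUBLIC_SERVICES
            )
            if not opens:
                self.log.append(
                    f"DENY {pkt.direction} tcp {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                    f"flags={pkt.flags or '-'} no matching session"
                )
                return "deny"
            self.sessions[key] = "SYN_SENT"
            return "permit"
        # Known session: advance the state, or tear it down (simplified: one FIN or RST ends it).
        if "R" in pkt.flags or "F" in pkt.flags:
            del self.sessions[key]
        elif state == "SYN_SENT" and pkt.flags == "SA":
            self.sessions[key] = "ESTABLISHED"
        return "permit"


TRAFFIC = [   # constructed sample traffic, in arrival order
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 80, "S"),   # inside user opens a web session
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40000, "SA"),   # the server's SYN-ACK
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 80, "A"),   # handshake completes
    Packet("in", "198.51.100.7", 80, "10.0.0.5", 40000, "A"),    # data from the server
    Packet("in", "203.0.113.9", 12345, "10.0.0.5", 22, "A"),     # Mallet's ACK scan of an inside host
    Packet("in", "203.0.113.9", 4444, "10.0.0.5", 22, "S"),      # Mallet tries to connect inside
    Packet("in", "203.0.113.9", 5555, "192.0.2.10", 80, "S"),    # anyone may reach the public web server
    Packet("in", "203.0.113.9", 5555, "192.0.2.10", 80, "A"),    # ... and continue that session
]


def compare(traffic: list) -> tuple:
    """Returns ([(acl verdict, stateful verdict), ...], stateful firewall log)."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.filter(p)) for p in traffic], fw.log


if __name__ == "__main__":
    verdicts, log = compare(TRAFFIC)
    for p, v in zip(TRAFFIC, verdicts):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags:2}  acl={v[0]:6} stateful={v[1]}")
    print(*log, sep="\n")
```

The tracker is deliberately minimal: a real firewall times sessions out, waits for FIN in both directions, checks sequence numbers, and keeps pseudo-sessions for UDP and ICMP. It is enough to show the design point, though: the ACL decides from the packet alone, the stateful filter decides from the packet plus what it has already seen.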

Cisco PIX Firewall
- Dedicated firewall appliance
- Strong security: ITSEC E1 certified
- Highest performance on the market (1999 figures): 16,000 sessions, 90 Mbps throughput
- Simple setup

What Is an Appliance?
- Equipment dedicated to just one job
- Easy to install and use
- Very reliable

Proxy Service
Figure: a proxy server between the Internet/intranet and the internal network.
- Provides user-level security
- Most effective when used with packet filtering

Securing Network Perimeter and DMZ: IOS Firewall Feature Set
Figure: a Cisco router running the Cisco IOS Firewall Feature Set sits between the ISP/Internet, the protected network of users, and a public-access segment (DMZ) holding the e-mail server and the web server.

Business Drivers of Data Confidentiality
- Extend the corporate network across the Internet
- Conduct business over the Internet
- Reduce remote access costs

Challenges of Data Confidentiality
- Protect the confidentiality of data over an untrusted network
- Ensure the identity of users and systems
- Scale from small to very large networks
- Implement a manageable key exchange system

Cryptography
Cryptographic technologies can provide:
- Authentication
- Confidentiality
- Integrity
Applied both to the network infrastructure (routing updates, management) and to secure user-data transport.
These are separate properties: encryption on its own gives confidentiality, not integrity, and an encrypted message can still be altered in transit without detection unless an integrity check under a key is added to it.
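The data-alteration threat from the threats section, as an added example that is not from the original deck: the same deposit instruction protected first with a plain hash, which Mallet simply recomputes, and then with HMAC-SHA-256 under a key Mallet does not hold. The shared key, the messages, the sequence-number rule and the Bank and mallet_rewrite names are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Added example, not from the original Cisco deck: the "Data Alteration" threat from the
# threats section (a customer's deposit instruction rewritten in transit by Mallet), first
# "protected" with a bare hash and then with a keyed MAC (HMAC-SHA-256). The shared key,
# the messages and the Bank/customer roles are constructed for the example.

SHARED_KEY = b"constructed-key-shared-by-customer-and-bank"


def encode(seq: int, instruction: str) -> bytes:
    """Canonical message bytes; the sequence number is covered by the tag too."""
    return json.dumps({"seq": seq, "instruction": instruction}, sort_keys=True).encode()


def bare_hash(msg: bytes) -> bytes:
    """A checksum anyone can recompute: catches accidents, not attackers."""
    return hashlib.sha256(msg).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """Keyed tag: only holders of the key can produce or check it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mallet_rewrite(msg: bytes) -> bytes:
    """The man in the middle changes the instruction and leaves the sequence number alone."""
    d = json.loads(msg)
    d["instruction"] = "Deposit $900 in Mallet's account and $100 in Bob's account"
    return json.dumps(d, sort_keys=True).encode()


class Bank:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.ledger = []

    def accept_with_hash(self, msg: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(bare_hash(msg), digest) and self._post(msg)

    def accept_with_mac(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(mac(self.key, msg), tag) and self._post(msg)

    def _post(self, msg: bytes) -> bool:
        d = json.loads(msg)
        if d["seq"] <= self.last_seq:        # an instruction already processed: replay
            return False
        self.last_seq = d["seq"]
        self.ledger.append(d["instruction"])
        return True


def scenario_bare_hash() -> bool:
    """True if Mallet's altered instruction is accepted (it is: he recomputes the hash)."""
    bank = Bank(SHARED_KEY)
    altered = mallet_rewrite(encode(1, "Deposit $1000 in Bob's account"))
    return bank.accept_with_hash(altered, bare_hash(altered))


def scenario_hmac() -> tuple:
    """(genuine accepted, altered accepted, replayed genuine accepted)."""
    bank = Bank(SHARED_KEY)
    msg = encode(1, "Deposit $1000 in Bob's account")
    tag = mac(SHARED_KEY, msg)                    # computed by the customer; Mallet has no key
    altered_ok = bank.accept_with_mac(mallet_rewrite(msg), tag)
    genuine_ok = bank.accept_with_mac(msg, tag)
    replay_ok = bank.accept_with_mac(msg, tag)    # Mallet re-sends the genuine message later
    return genuine_ok, altered_ok, replay_ok


if __name__ == "__main__":
    print("bare hash, altered message accepted:", scenario_bare_hash())   # True
    print("HMAC (genuine, altered, replay):    ", scenario_hmac())        # (True, False, False)
```

Two points the slide's list leaves implicit: integrity needs a key (a hash without one is a checksum), and a tag on its own does not stop replay, which is why the sequence number sits inside the authenticated bytes. Nothing here is encrypted; confidentiality would be a separate layer on top.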

Encryption and Decryption
Figure: the clear text "John Chambers is a space alien" is encrypted into the cipher text "&d leh31 8vya rw8743 t ktu.d 093h ie*nP $F" and decrypted back to the same clear text.

Encryption Alternatives
- Application-layer encryption: application layers (5-7)
- Network-layer encryption: transport/network layers (3-4)
- Link-layer encryption: link/physical layers (1-2)

Classical Cryptography vs. Public Key
- Symmetric algorithm: one dual-purpose key, shared by both parties, both encrypts and decrypts
- Asymmetric algorithm: a key pair; the public key can be published, the private key stays with its owner

What Is IPSec?
- Network-layer encryption and authentication
- Open standards for ensuring secure, private communications over any IP network, including the Internet
- Provides a necessary component of a standards-based, flexible solution for deploying a network-wide security policy
- Data protected with network encryption, digital certification, and device authentication

IPSec Everywhere!
- Router to firewall
- Router to router
- PC to server
- PC to router

Benefits of IPSec
- Privacy, integrity and authenticity for networked commerce
- Implemented transparently in the network infrastructure
- End-to-end security solution including routers, firewalls, PCs and servers

Open Design
1. Firewall: FW/router with access lists; no per-user identity; no data encryption
2. Dial: identity is password authentication, PAP or CHAP to CiscoSecure
3. Internal: passwords for Telnet and console access to equipment; no data encryption

Restrictive Design Example
1. Firewall: separate gateway router and dedicated stateful firewall (Cisco IOS router and PIX)
2. Dial: identity is password authentication, PAP or CHAP to CiscoSecure
3. Internal: equipment configuration and access with passwords and privilege levels, CiscoSecure, route authentication, VLANs; encryption to branches (Cisco IOS 11.2)

Closed Design Example
1. Firewall: separate gateway router and dedicated stateful firewall (Cisco IOS router and PIX); identity using PIX and CiscoSecure
2. Dial: digital certificate authentication; use encryption (available with the IPsec implementation in Cisco IOS 12.0?)
3. Internal: equipment configuration and access with CA and privilege levels; encryption between all WAN routers (Cisco IOS 11.2)

Active Audit
- Verify policy
- Assurance
- Reporting: attacks, errors, misuse, anomalies

Monitor the Network
The monitoring system
- Based upon your business goals, what will you measure and report?
- Need to validate that the connection is meeting your business goals

Cisco NetSonar Vulnerability Scanning
Figure: NetSonar probing several targets.
Network mapping
- Identify live hosts
- Identify services on hosts
Vulnerability scanning
- Analyze discovery data for potential vulnerabilities
- Confirm vulnerabilities on targeted hosts

Cisco NetRanger
Figure: a NetRanger Director managing several sensors.
- Sensors watch for attacks or problems
- NetRanger stops active attacks; its response actions are resetting the offending TCP connection and pushing a blocking access list to a router (shunning), so a sensor must see the traffic on a path where those responses can take effect

Accounting/Logging
- Actively audit and verify policy
- Detect intrusion and anomalies
- Report

Monitoring
- Inbound and outbound traffic
- Source and destination address
- Port number
- Implicit denial
- Illegal attempts logged

Cisco Security Products (and Where They Fit)
Identity
- CiscoSecure ACS family
Integrity
- Network-layer encryption: IPSec
- Firewalls: PIX firewall, Cisco IOS firewall feature set, Cisco IOS security features
Audit
- NetSonar, NetRanger, NETSYS

Cisco End-to-End Network Security Services
Figure: a campus backbone with intranet servers and a mainframe; ATM and Frame Relay WANs to domestic R&D offices, international sales offices and a sales office; suppliers, telecommuters and mobile users reaching in over the Internet, ISDN and the PSTN. Perimeter security, secure remote ISDN access and data confidentiality are marked where they apply.

Conclusions
- Have a written security policy
- Balance ease-of-use with security
- Security touches every element of the IT infrastructure; it is pervasive
- The core elements of network security are identity, integrity and audit
- Security applies to active network equipment as well as the application data

More Info at Networkers
Sessions:
- Deploying Security Technology
- Advanced Security Technology Concepts
- Introduction to Cisco Security Manager
- Deploying VPNs and Tunneling Technology
- Intrusion Detection and Scanning with Active Audit
- New Developments for the Enterprise Virtual Private Network
- Update on Firewall Technologies
- Introduction to VPNs and Tunneling
- Cisco Security Consulting Services Update
- Extranet Architecture
- Security Birds-of-a-Feather (Wednesday 6-7)
Times listed on the slides: Wednesday 2-4, Thursday 2-4, Thursday 10-12, Friday 9-11, Thursday 4-5, Wednesday 12-2, Thursday 3-4, Friday 10-11, Thursday 12-2, Thursday 2-3, Wednesday 11-12, Thursday 12-1, Thursday 11-12, Wednesday 12-2, Wednesday 2-4.

Questions?

Please Complete Your Evaluation Form
Session 302