EBC Presentation
Presenter:
205523.Y_C97-60001-00 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Self-Defending Network Defined
Efficient security management, control, and response
Policy-Based Management and Enforcement
Cisco Security Management Suite
Monitoring, Analysis, and Mitigation
Identity: How to control access to network assets… Who can do what
Analysis: Too much meaningless raw data...
Monitoring: Need to monitor multivendor networks…
Patch Management: Image, inventory, signature…
Mitigation: How to use the network to eliminate threats…
Configuration: How to rapidly deploy new policies…
(Diagram: Branch, Partner, Data Center and SOHO sites)
Cisco’s Security Management Evolution
From: Network and Security Management Separate
To: Managing Networks with Embedded Security
Cisco Security Management―Value Summary
Cisco® Management
Cisco Security Management Framework Vision
The Operational Framework: Configuration Management, Monitoring and Mitigation, Identity Management, Network Access (… Partners …)
SDN Security Solutions: Clean Access/NAC, Assessment, Anti-X, Policy, Intrusion Prevention, CSA Desktop/Server, Patch Management, Firewall, Identity/Role-
Foundation:
Cisco® Security Manager―Simplified Policy Administration, End-to-End Configuration
Cisco® Security MARS―Rapid Threat Identification and Mitigation
Transition from CiscoWorks VMS
From: CiscoWorks VPN/Security Management Solution (Firewall Management Center)
To: Cisco® Security Manager (NEW)―CS Manager
Cisco Security Manager
Overview
Superior Usability; VPN Administration
Security Management EBC
Cisco Security Management—Value Summary
Best of breed applications which are integrated, collaborative and adaptive
Distributed Protection
CS MARS and CS Manager in Action
• CS MARS detects an incident
• CS Administrator updates a shared policy in one place
• A single deploy to protect the network
• Scale through use of distributed deployment using CNS Configuration Engine
(Diagram: CS-MARS, CS Manager and CNS-CE in the Data Center, Corporate LAN, protected Branch Offices; steps 1–4)
Cisco Security Configuration―Agenda
CS Manager
Cisco Security Manager
“It Has to be Easy to Use and Flexible”
CS Manager
Device-Centric View
CS Manager
Policy-Centric View
• Centralized policy management
• Powerful scalability via inheritance, reuse, assignment, and sharing
CS Manager
Topology-Centric View
CS Manager
VPN―Wizard-based Configuration
• Wizard-based configuration
• Three steps to create a VPN!!
1. Choose VPN topology and technology
2. Choose participants
3. Customize protected traffic if needed
CS Manager
Multiple VPN Topologies
Site-to-site, DMVPN, RA VPN, EzVPN
CS Manager
Power Tools―FlexConfig
FlexConfig: Users can create custom CLI and deploy as jobs to device(s)
• Convert custom CLI to policies
• Powerful mechanism to enable feature velocity
• Rapidly add new device feature support
Going Beyond Ease of Use and Flexibility
CS Manager
Policy-Sharing and Inheritance Model
“Scalable Policy Definition; Set Once, Deploy to Many”
Example:
• Share common policies across device groups for:
Branch firewall
Site-to-site VPN
Device administration
• Corporate mandatory policies:
No Napster traffic, period
Allow SSH, SSL
(Diagram: central Policy pushed to Remote Branches; optionally override central policy at local level)
Benefit:
• Reduced complexity for administrators
• Do more with less resources
CS Manager
Domain-Based Policy Enforcement
“Fine-Grain Control of What Traffic Flows Where”
Interface Groups
• Interfaces related to a domain
• User customizable
Example
• Define policy to control traffic between domains
Benefit
• Enforce policies based on organizational needs
(Diagram: Marketing, Engineering and Sales domains)
CS Manager
Workflow
“Enable Different Management Teams to Work Together”
What Is It?
• Structured process for change management that complements your operational environment
Example
• Who can set policies
• Who can approve them
• Who can approve deployment and when
• Who can deploy them
Benefit
• Enables teamwork and collaboration between NetOps and SecOps
• Provides scope of control
(Diagram: Security Operations―Policy Definition: Create/Edit Policy → Review/Submit → Approve/Commit, with Undo; Network Operations―Policy Deployment: Generate/Submit Job → Approve Job → Deploy, with Rollback; Firewall, VPN, and IPS Services)
Role-Based Access Control
What Is It?
• Authenticates admin access to management system
• Determines who has access to specific devices and policy functions
Example
(Diagram: CS-Manager, AAA, Cisco IOS® Software, Cisco® PIX® and ASA S/W, Home Office)
Benefit
• Enable delegation of admin tasks to multiple operators
• Provides appropriate separation of ownership and controls
Scalable Distributed Deployment
What Is It?
• Simplified distributed deployment method for 1000s of remote devices
Example
• Update large numbers of remote firewalls, which may have dynamic addresses, intermittent links, or NAT addresses
• Update both configurations and software images
• Devices self-update whenever they come online
• Scales through Web technologies
Benefit
• Helps customers with 1000s of teleworkers and remote locations with minimal technical staff at the remote site
(Diagram: Enterprise INTRAnet with Update Servers and CNS-CE, DMZ Update Appliance with CNS-CE, Internet, Extranet, Self-Managed ROBO, Telecommuter)
CS MARS
Release 4.2
• Log data to policy lookup
• Low latency, real-time event viewer
• Relayed syslog handling
• Ticketing system integration via XML
(Diagram: Correlation → Reduction → Rules → Verify → Valid Incidents → Incident Notification)
CS Manager
CS Manager
CS MARS―CS Manager Policy Lookup View
Resultant Rule Table
The Value of Cisco’s Security Management Suite
Best-of-Breed Applications: Integrated, Collaborative and Adaptive
Management of an Integrated Security Fabric
• Workflow to allow NetOps and SecOps to collaborate
• Integration with NetFlow data
• Integrates network and security management components