Welcome to the Cisco Networking Professionals Ask the Expert conversation for small and medium business. For a one-week period, small and medium business and technology leaders and Cisco engineers are available to continue discussing issues and ideas from scheduled live web broadcasts.
This is an opportunity to discuss with experts Ted Slockbower and Robb Boyd how Cisco Security experts examine unlocking security information from more than just security devices to find threats from internal users. Ted Slockbower, a presales systems engineer focusing on security technologies and design at Cisco, has worked in Cisco's Advanced Technologies Security team, where he has been recognized as a leader helping customers deploy secure, high-availability networks with a philosophy based upon confidentiality, integrity, and availability. Robb Boyd, certified by ISC2 as a Certified Information Systems Security Professional and holder of the Global Information Assurance Certification Security Essentials Certification from SANS, is a security marketing manager who functions most visibly as the Cisco Security Expert on Cisco's Techwise TV.
Remember to use the rating system to let Ted and Robb know if you have received an adequate response.
They might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 20, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
How do you recommend we manage network and host IPS, firewalls, VPNs, and other security technologies with a staff of one or two people who have no pre-existing security experience?
The biggest hurdle that you need to deal with is how to get the security technologies installed and configured correctly. Fortunately, we have designed the products to work together, significantly reducing the deployment learning curve. They have similar built-in management interfaces or can be centrally managed via one enterprise security management tool called CSM. This significantly reduces the work involved in managing a security system.
Examples of this include the fact that CSA can stop "Day 0" attacks. CSA can provide host information to Cisco's Network IPS technologies to identify if the host OS is vulnerable to the attack. CSA can also let the MARS know the attack was stopped. Other linkages include the fact that CSA lets the IPS know of bad hosts by IP address. If a signature fires on traffic sourced from that IP address, the IPS can drop those packets in-line instead of only sending an alert to a management platform. Another example is if an IPS fires off an alarm, the MARS can download that signature to a security-enabled router, easing the management of IPS signatures in a distributed environment.
If this still seems like a daunting task due to lack of expertise in-house, Cisco has a broad-based partner ecosystem. These partners are certified in the different technologies that they sell and deploy. These partners can also provide post-sales training in addition to the installation services. There are also a number of partners that provide remote management and support for your security system.
An additional consideration is deploying a security information manager (SIM). The Cisco Security Monitoring, Analysis and Response System (MARS) is an excellent tool that greatly reduces the complexities involved in monitoring security.
For starters, the MARS can import the configurations of your different security and network devices, Cisco and non-Cisco. This allows the MARS to understand how they are connected together, giving the MARS topological awareness of your environment.
The MARS then collects events from your routers, switches, Network IPS, Host IPS, firewalls, Windows, Linux and Solaris servers, as well as vulnerability assessment information from various penetration test tools. The MARS also collects Netflow data from Cisco routers and chassis-based switches. For those of you not familiar with Netflow, it is accounting information. This Netflow data allows the MARS to understand what the normal traffic patterns are through those devices, essentially turning them into anomaly intrusion detection systems.
The MARS takes all these raw event messages in, grouping them together by source and destination IP addresses, ports and protocols into what we call sessions. These sessions are then run through our rules engine to identify incidents or attacks. Since the MARS is topologically aware, it can help mitigate these attacks by shutting switch ports down with the click of a button or suggesting filters that can be deployed manually to L3 devices or via Cisco Security Manager to firewalls, routers and even switches.
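As an added illustration of the sessionization and rules step Ted describes, and of the host IPS "attack was stopped" linkage earlier in his answer, here is a small Python sketch that is not MARS code or any Cisco product code. The log line formats, the signature number, the rule and the suggested access-list text are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified syslog-style lines from a firewall (fw1), a network
# IPS (ips1) and a host IPS agent (csa-<host>); not real Cisco message formats.
RAW_EVENTS = [
    "fw1 PERMIT tcp 203.0.113.7:40211 -> 192.0.2.10:80",
    "ips1 ALERT sig=5081 sev=high tcp 203.0.113.7:40211 -> 192.0.2.10:80",
    "csa-192.0.2.10 STOPPED tcp 203.0.113.7:40211 -> 192.0.2.10:80",
    "fw1 PERMIT tcp 203.0.113.7:40212 -> 192.0.2.11:80",
    "ips1 ALERT sig=5081 sev=high tcp 203.0.113.7:40212 -> 192.0.2.11:80",
    "fw1 PERMIT udp 192.0.2.50:53211 -> 198.51.100.5:53",
]

EVENT_RE = re.compile(
    r"^(?P<dev>\S+) (?P<action>[A-Z]+)(?P<attrs>(?: \w+=\S+)*) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_event(line):
    """Normalise one raw line into a dict, or return None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["attrs"] = dict(kv.split("=", 1) for kv in ev["attrs"].split())
    return ev


def sessionize(lines):
    """Group events by (proto, src, sport, dst, dport), the way a SIM builds sessions."""
    sessions = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            key = (ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
            sessions[key].append(ev)
    return sessions


def evaluate(sessions):
    """Rule: an IPS alert on a firewall-permitted session is an incident unless the
    host IPS reports it stopped. Returns (verdict, key, suggested_filter) tuples."""
    findings = []
    for key, events in sessions.items():
        actions = {e["action"] for e in events}
        if "ALERT" not in actions:
            continue
        if "STOPPED" in actions:
            findings.append(("stopped_by_host_ips", key, None))
        elif "PERMIT" in actions:
            # Example IOS-style filter a SIM might suggest for a Layer 3 device.
            findings.append(("incident", key, f"access-list 101 deny ip host {key[1]} any"))
    return findings


if __name__ == "__main__":
    for verdict, key, acl in evaluate(sessionize(RAW_EVENTS)):
        print(verdict, key, acl or "")
```

Run as-is it reports the first session as stopped by the host IPS and the second as an incident with a suggested filter, while the DNS session produces nothing.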
Ted already provided some great feedback...only two things I would add: If you are deploying some of these as individual security devices, take a good look at the individual management capabilities. We have made huge improvements over the years getting beyond a difficult-to-follow Command Line Interface that is popular with techies, and have thus made it much simpler to do historically complex things..such as troubleshooting your firewall rules with the new ASDM (Adaptive Security Device Manager) on the ASA..you can use the Packet Tracer function to test rules, for instance, to see exactly how they would behave and be handled.
CSM or Cisco Security Manager is the much improved security management product available for when you want to begin managing all these devices under one interface...especially if you begin running into consistency of policy application across the various devices and so forth.
Bottom line, we have great options included with each product and you can then scale up from there as your warrants dictate.
This is always a good question to ask yourself. However, I encourage you to think about the asset you are protecting first. Don't confuse the idea of compromising a security device, say through a flaw, with compromising an operating system as an attacker would do to gain escalated privileges. Look at the firewall, for example: nobody is highly interested in compromising your firewall per se, as it is simply one element of what should be a defense in depth. Many attacks leverage holes that are already present in a firewall and thus are not concerned with a flaw in that firewall regardless.
Defense in Depth is always encouraged at every level and this is one of the reasons why. You never want to implement 'brittle' security so that the failure of only one mechanism results in the entire keys to the kingdom.
Now, as for the positive angle...I would argue that a key benefit to consolidating your security efforts around a vendor like Cisco is that this allows you to do so much more creative things to your benefit. When you run multi-vendor solutions, you are forced to drop to a lowest common denominator of interoperability, and that trade-off may not be in your best interest.
That is a valid concern. I have heard this objection many times. The concern typically arises out of the fear that a flaw in one product from a vendor could affect multiple products of that vendor. However, it is important to understand that even though the products may come from the same vendor, they typically run on different operating systems, provide different functionality, and are written by different developers from different business units.
An example is that Cisco routers have firewall functionality as do our ASA / PIX firewalls. However, they are running on different operating systems using different code bases from different developers. The same is true of our network IPS, host IPS and other security technologies.
On the flip side, there are many benefits to going with Cisco as a single vendor. You get the following benefits:
- Single phone number for support for all products
- A single co-terminus support contract for all products
- Cisco's products are designed to work together, sharing and collaborating information. This removes the burden of figuring out how to get them to work together, which reduces the total cost of ownership. They also allow for dynamic reconfiguration of the network. Some examples include, but are not limited to:
  - Dynamic distribution of ACLs running Cisco's host IPS
  - Dynamic distribution of signatures to IPS-capable routers
  - Dynamically changing IPS responses from alert to drop based on alarm severity, signature reliability, asset value of target, and collaboration of information from host IPS
- Similar look and feel between the integrated management interfaces of the security products
- Enterprise management that encompasses IPS, firewall, VPN, and router ACLs
- Security is intertwined in the network and the security system. There are numerous features built into the underlying network architecture like DHCP Snooping, Dynamic ARP Inspection, IP Source Guard, Scavenger Class Queuing, Control Plane Policing
- Complete end-to-end security.
Ben, in today's reality, we are hacked more often because WE CAN be hacked than because we raised any sort of attention. You must think about the goals of the attacker...your site could be leveraged as a 'jump' site to hide the true source of an attack, for instance...this opens you up to what the attorneys call 'downstream liability'...you get blamed for something you had nothing to do with...what generally happens then is an assessment of whether you practiced any kind of due diligence. The other attacker motivations to consider are your storage capacity, processing power and so forth.
Due to automated scanning/bots and such out there, you will be targeted nowadays simply because you become identified as an easy target.
The lesson here is that you don't have to be the most secure company in the world...you can benefit greatly from just not being the most in-secure.
I typically equate that statement to security by obscurity. Just because your organization is small does not mean you are not a target. Think of all the home computers that have been compromised over the years. They have even fewer computers, typically one, than your company, yet they were successfully compromised. And once they are compromised, you need to re-image the computer. You can't just update the signatures, run a scan to remove the bad files and think the computer is safe. All too often, there are back doors left on them.
I do have to agree with you that to some extent, you may not be a direct target from an attacker. However, you are still a target. All too often, I have met with other customers who considered themselves too small, yet they were compromised. They couldn't understand how or why it happened, yet it did.
There are several ways organizations' systems are taken over or become part of botnets. The most common way is via a virus or worm. An unsuspecting user opens an e-mail and gets their machine infected. The user's computer then makes an IRC connection out to the botnet controlling computer. The controller can do what they want with this computer. They can get information off of it. They can use it to attack other computers on the network. They are also used to launch DDOS attacks and send spam.
Other ways that your computers may get attacked are by "drive-by hacking", where the user gets an e-mail with embedded HTML or a link. Just following this link can get the computer infected. Another approach is via selecting banner ads or installing screen savers. No one gives something away for free. So when you click on the ad, you get a surprise instead of a prize. Code is downloaded to the computer and installed. Once this computer is compromised, it can become part of a botnet, capture keystrokes and e-mail them out, or even worse, e-mail out confidential files.
These are the reasons why it is important to deploy security in layers. You could have all the greatest protection at the edge of your network. You may have your anti-phishing, anti-virus, firewall, IPS, etc. deployed. But how good are those technologies when a laptop is removed from the office? Those countermeasures are no longer protecting the computers. That is why it is important to have the hosts protected no matter where they are.
We just had an audit and the consultant said we only needed an IPS to be compliant. Why should we add more security devices when we don't have to? Frank
Depends on what your goals are. If your goal is to satisfy the auditor, then you are done. If your goal is to be more secure, then I would consider how an IDS can assist you through proper installation and proper monitoring. If you are interested in becoming more secure and/or figuring out if you are secure, then please contact a Cisco Partner certified in security and ask them about analysis services they can provide for you.
First of all, if the only reason you are deploying an IPS is an audit, then you are not buying security. You are only purchasing a checkmark. This is what I call the CYA approach to security.
Before you purchase any security technologies, you need to do an analysis of your environment. You need to identify your critical processes and applications. Once these are identified, you need to understand the risks to those applications and the implications if they are compromised or become unavailable. The next step is to understand how to mitigate those risks. If the mitigation costs are too high, should you reassign the risks using instruments like insurance or just simply accept the risks? These are things you need to determine.
The bottom line is that the ultimate goal of security is CIA, not CYA. I don't think I need to explain CYA. CIA is confidentiality, availability and integrity of data. If you don't take these things into account, you are wasting your time, wasting your organization's resources and getting nothing but a false sense of security.
Once you can equate security to business needs, then and only then will you get the budget and resources required to secure your environment. Ultimately, the goal of any executive is for the company to make money, save money and mitigate risk. Once you demonstrate how security can save money and mitigate risk, then and only then will you be able to truly secure your network.
Not a lot to go on here, Beth. Depends on what you want to accomplish. I would first look at your architecture...is it Cisco? We have a multitude of ways to cost-effectively increase your security posture through intelligent use of your infrastructure. Any dedicated security devices you may add beyond that could possibly work hand in hand with your network to increase security at a very cost-effective price point. Our products are consistently rated at the top of their class and deserve heavy consideration if security projects are being considered.
That is a good question. For starters, deploying a security system from a single vendor can greatly reduce the amount of work required to secure your network, thereby realizing a significantly lower total cost of ownership. There are several reasons for this:
- Cisco has designed the products to work together so you don't have to be the integrator. This reduces the time required to secure your network which in turn saves you money.
- Similar device management interfaces or a single global enterprise configuration tool reduces the learning curve required to configure and deploy your devices. This also saves you time and money.
- A single phone number for support reduces the time required to resolve issues. This can save time and increase network availability. This increases employee productivity.
- The different technologies share and collaborate information allowing for quicker identification and responses to vulnerabilities, threats and attacks. This allows for greater network availability, integrity and reliability. This increases employee productivity.
- Cisco also allows for the collaboration of security with the network itself. This is truly the self-defending network. By having the network heal itself, you will experience much higher network availability, integrity and reliability.
Worms are just one thing to worry about, and your experience is actually shared with just about everyone at this point. There has been relatively little worm activity as malicious individuals/'hackers' are less interested these days in being identified through high-profile worm attacks and more interested in staying low on the radar, focusing on how they can make money instead. At a minimum, you should examine what visibility-type things exist in your set up...i.e. Intrusion Detection Systems (you may be able to do this on your Router or ASA at a low cost) and/or at least a very strong log reading/log analysis approach...Cisco MARS would be a simple appliance-based approach. In this way you can be more sure about whether people are playing in your network unseen...
Every time we try to lock things down, a VP complains and we have to remove the security we just added. How do you recommend we address this challenge?
Not knowing specifically what you may be doing...security will always be a balancing act. You may want to involve this VP in the process prior to new rules so as to get better buy-in on the decisions you feel are needed to protect the company.