James Risler
Technology Education Specialist, MBA CISSP, CCIE# 15412 jarisler@cisco.com
Cisco Confidential
Cisco Public
Domains
[Figure: firewall system diagram with Public Web, Public DNS, Public LDAP and RA VPN zones, IPS sensors and PF, connecting to the internal networks]
[Figure: OSI layers 7 to 1 between two hosts, down to the physical layer]
- Firewall components can operate on different OSI layers:
  - Application layer (Layers 5-7) access control: controls payload and content inside permitted connections
  - Network layer (Layers 2-4) access control: minimizes connectivity between hosts and their applications
Network IPS
[Figure: IDS device, administrator, analysis and response]
[Figure: IPS device, alert, administrator, analysis]
Signature-Based IPS
[Figure: attacker traffic inspected by the IPS; alert text: "Known bad traffic! /etc/shadow detected in HTTP request arguments."]
IPS Alerts
[Figure: IPS alert console showing the alert view tree]
Cyber Attacks
- Perimeter security stops many threats, but sophisticated cyber threats evade existing security constructs
- Fingerprints of threats are often found in the network fabric
2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Methodology: Gather info → Scan → Gain access → Escalate → Persist → Expand → Accomplish goal → Clean up
- Four South Korean think tanks attacked
- Phishing attack: emails sent to people in organizations with
- Not typical Command & Control: used email servers
- Disables the machine's firewall
Traffic got around the firewall and IPS, and now corporate data is going out of your network via FTP.
- Attack bypasses the perimeter and traverses the network
- NetFlow at the access layer provides greater granularity
[Figure: ACTIVE FLOWS: 23,892]
- SRC/65.32.7.45 DST/171.54.9.2/US : HTTP
- DST/34.1.5.78/China : HTTPS
- DST/165.1.4.9/Uzbekistan : FTP
- DST/123.21.2.5/US : AIM
- DST/91.25.1.1/US : FACEBOOK
Foundation/Background
- Network infrastructure knowledge
- Diverse device configuration ability
- Security configuration knowledge
- Data management & teamwork
[Figure: security operations stack]
- Prevent: Network IPS, firewall, AntiVirus, Host IPS
- Detect
- Collect
- Analyze
- Mitigate: Adv. ACLs
- Foundation: Device Config, Traffic Capture, Performance Monitoring, Device Monitoring
[Figure: alarm detail for an IP address]
- Alarm indicating this host touched another host, which then began exhibiting the same suspicious behavior
- Suspicious activity that triggered the alarm
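The two detections sketched above (bulk FTP leaving the network seen in access-layer NetFlow, and an alarmed host touching another host that then raises the same alarm) as an added Python example; it is not code from the deck. The flow records are constructed: the destinations and applications mirror the slide's ACTIVE FLOWS panel, while the 10.0.0.0/8 corporate range, the source addresses, the byte counts and the 10 MB threshold are assumptions.

```python
"""Access-layer flow triage: flag bulk cleartext transfers leaving the network and
trace which alarmed host touched which other host that then alarmed too."""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
WATCH_APPS = {"FTP"}                                 # cleartext bulk-transfer protocols to watch
BYTES_THRESHOLD = 10_000_000                         # assumed per-flow policy threshold

# Constructed flow records in time order: (src, dst, dst_country, app, bytes_out).
# Destinations and apps mirror the ACTIVE FLOWS panel on the slide; the 10.x sources
# and byte counts are invented for this example.
FLOWS = [
    ("10.10.1.15", "171.54.9.2", "US", "HTTP", 4_200),
    ("10.10.1.15", "34.1.5.78", "China", "HTTPS", 9_800),
    ("10.10.1.15", "165.1.4.9", "Uzbekistan", "FTP", 52_000_000),
    ("10.10.1.15", "10.10.2.40", "internal", "SMB", 120_000),
    ("10.10.2.40", "165.1.4.9", "Uzbekistan", "FTP", 31_000_000),
    ("10.10.3.7", "123.21.2.5", "US", "AIM", 1_100),
]

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET

def is_exfil_flow(rec) -> bool:
    """Internal host pushing a large watched-protocol flow to an external destination."""
    src, dst, _country, app, nbytes = rec
    return (is_internal(src) and not is_internal(dst)
            and app in WATCH_APPS and nbytes >= BYTES_THRESHOLD)

def suspicious_exfil(flows):
    """Return (src, dst, country, app) for every flow that trips the exfiltration rule."""
    return [r[:4] for r in flows if is_exfil_flow(r)]

def propagation_chains(flows):
    """Return (a, b) pairs: a alarmed, then contacted internal host b, and b alarmed afterwards."""
    first_alarm = {}                       # host -> index of its first alarming flow
    for i, rec in enumerate(flows):
        if is_exfil_flow(rec):
            first_alarm.setdefault(rec[0], i)
    chains = []
    for j, (src, dst, *_rest) in enumerate(flows):
        if src in first_alarm and dst in first_alarm and is_internal(dst):
            if first_alarm[src] < j < first_alarm[dst]:
                chains.append((src, dst))
    return chains
```

Running `suspicious_exfil(FLOWS)` flags both FTP flows to 165.1.4.9, and `propagation_chains(FLOWS)` links 10.10.1.15 to 10.10.2.40 because the SMB contact sits between the two alarms.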
[Figure: context questions around host 65.32.7.45: Reputation? Posture (Vulnerability, AV, Patch)? Device? User? Events?]
- Firewalls are a critical piece
- IPS helps, but does not catch everything
- Cyber attackers are skilled
- Complex problem
Questions/Discussion?
Thank You