Wednesday, December 15, 2010

Integrating Security into Network Devices CCNA Coaching Center in New Delhi

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

It is crucial to integrate security into all network devices throughout your network. Common device types include
  • IOS routers and switches
  • PIX firewalls
  • Adaptive Security Appliances (ASA)
  • VPN concentrators
  • Intrusion Prevention Systems (NIPS/HIPS)
  • Catalyst 6500 service modules
  • Endpoint security
The following sections discuss device security integration in more detail.

IOS Security

Cisco has developed many security features that are integrated into the IOS base software or security-specific feature sets. Here are some of the major areas of security focus that have been included with IOS releases:
  • Cisco IOS Firewall feature set provides stateful firewall functionality for perimeter routers running IOS. IOS Firewall allows businesses to protect networks from network and application layer attacks, improve uptime, and offer policy enforcement for internal and external connections.
  • Cisco IOS IPS offers inline deep-packet inspection to successfully diminish a wide range of network attacks. IOS IPS can identify, classify, and block malicious traffic in real time. IOS IPS operates by loading attack signatures on the router and then matching the attacks based on signatures.
  • Cisco IOS IPsec encrypts data at the IP packet level using a set of standards-based protocols. IPsec provides data authentication, anti-replay protection, and data confidentiality, and is the preferred method of securing VPNs.
  • Cisco IOS Trust and Identity is a set of services that includes the following:
    - AAA— Framework and mechanisms for controlling device access
    - Secure Shell (SSH)— Used for encrypted router access
    - Secure Socket Layer (SSL)— Secure web application access
    - 802.1X— Standards-based access control protocol to permit or deny network access
    - PKI— Strong authentication for e-commerce applications
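The following IOS configuration is an added illustration, not part of the original post or Cisco documentation; it applies two of the Trust and Identity services listed above (AAA and SSH) to router management access, showing the weak Telnet/line-password setting beside the corrected one. The hostname, domain name, username, passwords and management subnet are constructed placeholders.

```ios
! Constructed example: harden management-plane access with AAA and SSH.
! Hostname, domain, username, passwords and the admin subnet are placeholders.
hostname edge-rtr1
ip domain-name example.test
!
! Obscure plaintext passwords in the running config; use a hashed enable secret
service password-encryption
enable secret MyEnableS3cret!
!
! AAA framework: authenticate logins and authorize EXEC against the local user database
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Local administrative user with a hashed (secret) password
username netadmin privilege 15 secret StrongAdminP@ss
!
! RSA key pair enables SSH; require SSH version 2 and limit login attempts
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only permit management connections from the internal admin subnet
ip access-list standard MGMT-ACCESS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
! Weak setting that the block below replaces: Telnet with a shared line password
! line vty 0 4
!  password cisco
!  login
!  transport input telnet
!
! Corrected: SSH only, AAA login, source restriction, idle timeout
line vty 0 4
 access-class MGMT-ACCESS in
 login authentication default
 transport input ssh
 exec-timeout 10 0
```

After applying this, `show ip ssh` confirms SSH v2 is enabled and `show running-config | section vty` confirms Telnet is no longer accepted.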

ISR Security Hardware Options

The Cisco Integrated Services Routers have additional hardware options that enhance the routers' security capabilities. Here are some of the available hardware options:
  • Built-in VPN Acceleration is hardware-based encryption that offloads VPN processing from the router's internal CPU to improve VPN throughput.
  • High-Performance AIM is a VPN encryption advanced integration module used to terminate large numbers of VPN tunnels such as with DMVPN. The module supports 3DES and AES, which increases the router encryption and compression performance.
  • IDS Network Module (NM-CIDS) provides technologies to prevent a large range of security threats. IDS network modules also include correlation and validation tools to decrease the number of false positives.
  • Secure Voice uses the digital signal processor (DSP) slots on the ISR with packet voice/fax DSP modules (PVDM). These offer capabilities such as conferencing and transcoding. In addition, Secure Real-time Transport Protocol (SRTP) encrypts the entire voice payload; only the header remains in clear text so that QoS can still classify the traffic.
  • Network Analysis Module allows capturing of traffic flows from hosts and the decoding of packets for detailed network analysis. It also collects NetFlow data to increase the visibility into application flows.
  • Content Engine Module is an Integrated Content module for 2800/3800 series routers that supports 40-GB and 80-GB internal hard disks for application and content networking.
Note
For a quick reference and complete list of ISR modules, go to http://www.cisco.com/warp/public/765/tools/quickreference/isr.pdf.

Cisco Security Appliances

Cisco Security Appliances provide robust security services and protection, including IPsec VPNs and stateful packet filtering. The following is an overview of Cisco Security Appliances:
  • Adaptive Security Appliance (ASA)— The ASA is a high-performance multifunction security appliance that offers a comprehensive set of services for securing network environments. The services are customized through product editions tailored for firewall, IPS, anti-X, and VPN. The ASA is a critical component of the Cisco Self-Defending Network that provides proactive threat mitigation, controls application data flows, and delivers flexible VPN and IPS services. In addition, the ASA is very cost-effective and easy to manage, and offers advanced integration modules that enhance the processing capabilities.
  • PIX Security Appliance— The Cisco PIX series of appliances provides robust firewall services for users and application policy enforcement, attack protection, and security VPN connectivity services. The PIX appliances are easy to deploy and are very cost-effective for most network environments. The appliances range from the desktop PIX 501 (SOHO) up to the modular PIX 535, offering Gigabit network interfaces and failover capabilities.
  • VPN concentrators— The Cisco VPN 3000 concentrators provide businesses with IPsec and SSL VPN connectivity. VPN concentrators are flexible and offer many deployment scenarios. However, they are commonly used to terminate VPN sessions for remote-access connections. VPN concentrators can also be used to terminate site-to-site tunnels with other VPN concentrators, routers, or even PIX firewalls. The centralized architecture and web-based management ease the administrative burden and consolidate the VPN connectivity for the enterprise. Many organizations are now starting to look at the Cisco ASAs instead of the VPN concentrators due to the increased security options in addition to VPN functionality.

Intrusion Prevention

The Cisco IPS solution integrates passive intrusion detection, inline prevention services, and new technologies to increase accuracy and keep legitimate traffic from being affected. The Cisco IPS 4200 series sensors offer significant protection by detecting and stopping threats before they reach your network. Cisco IPS software version 5.1 supports both inline (IPS) and passive (IDS) operation. The IPS appliances support multivector threat identification through detailed inspection of data flows at Layers 2 through 7. Multivector identification secures the network from policy violations, vulnerability exploits, and abnormal reconnaissance activities. The following IPS sensors support bandwidth requirements from 65 Mbps to 1 Gbps:
  • IPS 4215 reviews traffic and provides protection up to 65 Mbps.
  • IPS 4240 reviews traffic and provides protection up to 240 Mbps with support for multiple 10/100/1000 interfaces. IPS 4240-DC supports DC power and is Network Equipment Building Standards (NEBS)-compliant.
  • IPS 4255 delivers 500 Mbps of performance and can be used to protect partially utilized Gigabit connected subnets.
  • IPS 4260 delivers 1 Gbps of performance and can be used on Gigabit subnets with copper or fiber network connections, providing additional flexibility.

Catalyst 6500 Services Modules

The Catalyst 6500 switching platform supports additional security services and functionality through the use of services modules. Several modules enable firewall, IDS, SSL, and network analysis services, in addition to IPsec VPN connectivity and anomaly traffic support.
Catalyst 6500 service modules include the following:
  • Firewall Services Module (FWSM) is a high-speed firewall module for use in the Cisco Catalyst 6500 and Cisco 7600 series routing platforms. Up to four FWSMs can be installed in a single chassis, providing 5 Gbps of throughput performance per module. For service provider environments, the FWSM supports advanced features such as multiple security contexts for both routed and bridged firewall modes.
  • Intrusion Detection Service Module 2 (IDSM2) is an IDS module that supports both inline (IPS) and passive (IDS) operation. IDSM2 provides up to 500 Mbps of packet inspection capabilities to efficiently protect your infrastructure.
  • SSL Service Module is an integrated services module for terminating SSL sessions on Cisco Catalyst 6500 series switch or Cisco 7600 series routing platforms. By offloading the SSL terminations with the SSL module, the web server farms can support more connections, increasing operational efficiency. Up to four SSL modules can be used in a single chassis.
  • IPsec VPN SPA enables scalable VPN services using the Cisco Catalyst 6500 series switches and Cisco 7600 series routing platforms. The module does not have any interfaces, but instead uses the other module interfaces available on the chassis.
  • Network Analysis Module provides packet-capture capabilities and visibility into all the layers of the data flows. You can analyze application traffic between hosts and networks. The NAMs support RMON2 and mini-RMON features to provide port-level Layer 2 traffic statistics.
  • Traffic Anomaly Detector Module uses behavioral analysis and attack recognition technology to identify attack patterns. It monitors traffic destined for application servers and builds detailed profiles based on the normal operating conditions. If the module detects any abnormal behavior in the per-flow data conversations, it considers this behavior a potential attack and responds based on the configured preference. You can have the module send an operator an alert or launch the Cisco Anomaly Guard Module to begin mitigation services.
  • Anomaly Guard Module provides the attack response by blocking malicious traffic at Gbps line rates. With multiple layers of defense, it can divert only traffic destined for targeted devices without affecting legitimate traffic.

Endpoint Security

The Cisco Security Agent (CSA) software protects server and desktop endpoints from the latest threats caused by malicious network attacks. CSA can identify and prevent network attacks that are considered unknown or "Day Zero"-type threats. CSAs are packed with many features, including firewall capabilities, intrusion prevention, malicious mobile code protection, operating-system integrity assurance, and audit log consolidation. All these features can be configured and managed through the Management Center for Cisco Security Agents. CSAs can be used with Cisco MARS by sending important endpoint events to MARS, thereby improving MARS threat identification and security investigations throughout the network.
The Management Center for Cisco Security Agents provides centralized web-based management for all CSAs deployed in your network. The MC for CSAs comes with more than 20 preconfigured policies that can be used to deploy thousands of agents quickly across the enterprise network. You can create software distribution packages, create or modify security policies, monitor security alerts, and generate reports. It also supports running the agents in "IDS mode," in which suspicious activity is only reported to the MC console, not blocked.
