Page 1: Cisco VPN Partner Technical Development
Module 1: VPN and Product Overview
APAC Channels Technical Operations
Page 3: Security Concerns
Why is security concern increasing, and how is the market status?
Page 4: Networks Of The 90’s
(Diagram: a closed network of the 1990s connecting a branch office, a mobile user and a telecommuter over PSTN, Frame Relay, X.25 and leased lines.)
Page 5: The Problem
Most security tools were designed for simple, static networks
Single-solution companies built reputations as “security providers” with simple access-control devices. These single-point technologies became the default security solution (a “cure-all”)
Networks have changed, and today there are serious drawbacks to relying on “overlay” products to protect sophisticated networks
Page 6: Security Product Vendors
Most security vendors sell a limited set of legacy* security solutions – “one-trick ponies”
Those products are often marketed as network security “solutions”
But the TRUTH Is:
• Legacy solutions have limited network intelligence, and cannot support most network services or technologies
• Implementing single solutions leaves gaping security holes in the network
• Over-confidence in these solutions may be a major reason why companies are broken into repeatedly
Page 7: The Network Today
Page 8: The Security Threat is Real
-| Ok a bit about the kit Version based on lrk style trojans -| made up from latest linux sources special thanks to
-| k1ttykat/j0hnny7 for this
-| First rootkit of its kind that is all precompiled and yet allows
-| you to define a password password is stored in a external encrypted
-| file The trojans using this are login/ssh/finger
-| This kit was designed with the main idea of being portable and quick
-| to be mainly used for mass hacking linux's, hence the precompiled bins.
-| Usage : /t0rn <password> <ssh-port>
Page 9: Today’s Threats
Attackers take advantage of these new, complex networks and sophisticated services
In this environment, Everything is a target:
• Routers, Switches, Hosts, Networks (local and remote), Applications, Operating Systems, Security Devices, Remote Users, Business Partners, Extranets, etc.
Threats to today’s networks are not addressed by legacy security vendors or solutions
In fact, there is no single security device which can protect all of these targets
Page 10: Business Continuity: How Much Down-Time Can You Afford?
Industry Sector          Revenue/Hour
Retail                   $1,107,274
Insurance                $1,202,444
Information Technology   $1,344,461
Financial Institutions   $1,495,134
Manufacturing            $1,610,654
Telecommunications       $2,066,245
Energy                   $2,817,846
Page 11: There’s No Longer a Question of Need; The Question Is How To Secure
Incident type                    Highest reported US$ lost/year   Average US$ lost/year   Average days lost/year   % suffering breaches   # of organizations reporting breaches
Tampering on I/O                 $100,000                         $14,000                 14                       4                      23
Loss of Confidential Data        $1,500,000                       $197,000                18                       5                      35
Critical System Failure          $4,000,000                       $155,000                80                       12                     79
Website Intrusion (eg Hacking)   $200,000                         $32,000                 84                       12                     79
Loss of s/w                      $3,000,000                       $104,000                19                       16                     102
Virus Incident                   $200,000                         $16,000                 12                       61                     390
Source: KPMG 2002 Information Security Survey
Page 12: Majority of Ingram’s customer base?
SMB Security Market Dynamics
Multiple factors driving market growth
Requirements for market success
deployments
Page 13: SMB Security Market
Solution(s) should be designed for independent organizations; not small branches of large enterprises
• Typical SMB will have < 6-10 locations to connect
• About 10-15% of its workforce will telecommute several times/month
• About 85% of its workforce will telework extended hours
• Post 9/11 have become more concerned about business resilience
Sweet spot is 20-500 users
Increasing adoption of eBiz apps – CRM, SFA, eCommerce, Web marketing & communications
Current security method is mostly firewalls
Page 14: SMB Security Market (cont’d)
Companies most likely haven’t figured out security ROI (& don’t know how to)
• Also don’t inherently understand the value of end-to-end security solutions over point security products
Will consider partial security solution outsourcing if there are economic benefits
SMB verticals typically most advanced in networking systems: education, state/local government, financial services (insurance, banking, brokerage), legal, healthcare
Only 15% of Small Businesses have installed Firewalls.
Average number of firewalls per company, SB = 1.2, M = 2.6
Page 15: SMB Security Market (cont’d)
30-35% of SB’s (< 100 users) have a LAN infrastructure in place
80-90% of MB’s (< 500-999 users) have a LAN infrastructure in place
• 2-3% of SMB’s have WLAN’s
75-80% of SMB’s have analog, dial-up remote access to their business/organization & Internet
• ~ 20% of them purchase VPN/firewall services from SP’s
25-30% have high speed remote access services (T1, Frame Relay, DSL, cable, ISDN) –> 80-90% want it
• ~ 40% of them purchase VPN/firewall services from SP’s
SMB’s rely on VARs/consultants/SI’s/SP’s for solution technical information & assessment criteria & solution delivery – don’t rely on onsite IT
Page 16: Cisco’s Vision in Network Security
Page 17: Critical Enabler for E-Business
• Requires defense-in-depth
• Integration into e-business infrastructure
(Diagram: e-business applications shown: Supply Chain Management, Workforce Optimization, Customer Care.)
Page 18: Cisco’s Security Commitment
“Mr Chambers has sought to move Cisco into long-term rebuilding by reorganizing the company, cutting costs and focusing on new markets, like Internet telephony, security and wireless communications.”
New York Times, 7/2/2
On John Chambers, President and CEO
“security is our single most important differentiator…our largest revenue opportunity over the next few years…”
Mario Mazzola
Page 19: Cisco Strongly Positioned in Security
• Broadest set of market-leading solutions
• Integrated in network core technologies
• Integrated in major growth technologies: telephony and WLAN
• Comprehensive SAFE security blueprint
Page 20: Leading the Pack?
Competitors Used to be Focused on Dedicated Security Devices…
Page 21: Leading the Pack
Now They’re Chasing Integrated Multi-Function Devices … Routers and Switches
NetScreen, CheckPoint, Nokia, Symantec, Enterasys and SonicWall are integrating secure connectivity, access control, intrusion prevention, WAN & LAN I/Fs, and routing into integrated devices
Page 22: Integrating Security Services into existing Infrastructure
(Diagram: Highest Performance, Market Leading Appliance Capabilities, Integrated Security; products shown: Cisco Catalyst 6500, PIX Firewall, Cisco IDS, VPN 3000 & IOS VPN, Cisco Infrastructure.)
Page 23: Integrating Security Services into IOS Routers
(Diagram: Enterprise Branch; SMB & Small Branch with Cisco SOHO, Cisco 2600XM, 3600, 3700; Regional Hub with Cisco 3700; Embedded Network Security.)
• Securing the Business End to End
• Protect Productivity
• Embedded Security in the Network
• Integrated Security in Devices
Page 24: What Integrated Security Means to our Customers
Security services are becoming a transparent and intrinsic part of the network
Integrated security solutions improve scalability and lower network costs
Security capabilities can be adapted to a wide range of IP services - Voice over IP, wireless LAN integration, Quality of Service, content networking – with no impact on performance
Page 25: Portfolio Overview
Q : What are the examples of the network security methods/Tools?
Page 26: Cisco’s Broad Security Product Portfolio
(Diagram: Firewalls; Intrusion Protection: Cisco IDS Sensors (Network, Host), Intrusion Detection Scanning; Cisco Access Control Server; Security Management: CiscoWorks VPN/Security Management Solution, CiscoSecure Policy Manager, Web Device Managers.)
Page 27: Cisco SMB Security and VPN Portfolio
(Diagram: PIX firewall and VPN appliances; Identity appliances; Switch sensor, Host sensor, Router sensor, Firewall sensor; Management portfolio for SMB segment: Embedded Device Managers, VPN/Security Management Solution.)
Page 28: PIX Firewall Family
• Low cost
• Easy to deploy
• Leverage existing investment in equipment
Award winning single source support
Page 29:
• Limited or no routing & services
• Very competitive price points
Page 30: IPsec VPN Deployment Options
Complete end-to-end solution for all applications
Not only one type of VPN device, but all product types
Best VPN Client software for all popular platforms
Full-featured VPN integrated into the network
Best technical support anywhere
(Diagram, VPN Family from SOHO through Small/Branch Office and Medium Enterprises to Large Enterprises: PIX Firewall 501, 506, 515, 535; IOS VPN Routers 800, 900, 1700, 2600, 3600, 7100, 7200; VPN 3000 Concentrators 3005, 3015, 3030, 3060, 3080 and the 3002 VPN Client.)
Page 31: Secure Command Line
Web UI Embedded Mgr
Page 32: Host and Network IDS Comparison
Host IDS:
• Understands host context and may be able to stop attack
• Can verify success or failure
• Impacts host resources
• Operating system dependent
• Scalability—Requires one agent per host
Network IDS:
• Protects all hosts on monitored network
• No host impact
• Can detect network probes and denial of service attacks
• Generally can’t proactively stop attacks
Page 33: ACS Portfolio
Cisco Secure ACS for UNIX
* ACS for Dial, VPNs
* TACACS+ and RADIUS
* Token Card Support
* RDBMS Database Storage
* Headed towards EOL/EOS
Cisco Secure ACS for Windows NT
Next Generation Cisco Secure ACS
* 1 RU Appliance Based ACS
* Unifies NT & UNIX feature sets and customer bases
* SSL Admin
* Security hardening and Reliability features
* AAA for VPNs, Access, Wireless, VOIP, and Switched LANs
* TACACS+ and RADIUS
* LDAP user authentication
* Support for one-time tokens and PKI digital certs
* Wide range of backend support: NT DB, Active Directory, SQL, MCIS & ODBC
Page 34: Management Portfolio
(Diagram, Enterprise: VPN/Security Management Solution and IP Solution Center, covering Remote Access VPN, Site-to-Site VPN, Firewall and IDS.)
Page 35: Each network security area has been addressed, and Cisco offers purpose-built appliances for each area: PDM, IDSM, CSPM, VMS
Page 36: Refresh!!!!! (Cont’d)
Cisco’s continuing effort toward integrated security introduces the following solutions:
Cisco currently offers Firewall, IDS and VPN service modules that integrate these solutions into a single alternative, enabling security to be deployed in existing Cisco Routers!!!
Firewall, IDS and VPN on top of the existing security measures! (But at a smaller scale…)
Page 37: Secure Connectivity: Virtual Private Network Solutions
Page 38: VPN Overview
Page 39: VPN Definition
Virtual private network (VPN)—an encrypted connection between private networks over a public network such as the Internet
(Diagram: a mobile user and remote sites reach a server at the central site across the Internet over analog, ISDN, cable and DSL access.)
Page 40: Remote Access VPNs
Remote access VPN—Extension/evolution of dial
(Diagram: mobile and remote access clients connect over DSL or cable through an Internet POP to the central site.)
Page 41: Site-to-Site VPNs
(Diagram: a remote site router connects over DSL or cable through an Internet POP to the central site.)
Page 42: VPN Product Overview
Page 43: Cisco Access Router Portfolio
Page 44: VPN Module Hardware Matrix
Page 45: AIM-VPN/BP, NM-VPN/MP, and AIM-VPN/HP
• Supported on Releases 12.1(5)T or later, 2600 and 3600 Series
• DES/3DES VPN Encryption AIM
AIM-VPN/EP
• Supported on 12.2(2)T or later, 2600 Series
• DES/3DES VPN Encryption AIM—Enhanced Performance
AIM-VPN/EPII and HPII
• Supported on Releases 12.2(13)T or later for 2691 and 3700 Series
• DES/3DES/AES and Compression VPN Encryption AIM
• 5 to 10 times faster than previous solutions
Include throughput
Page 46: PIX Firewall Family Lineup
(Diagram: models positioned from SMB up to Gigabit Ethernet Enterprise.)
Page 47: PIX Firewall Product Line Overview
(Table: per-model price, licensing and performance figures as extracted; column headings were not recoverable from the slide.)
Ent.+, SP (GigE Enabled): $59,000, Unlimited, 2,000, 3, 1 GHz, 1 GB, 10, Yes, 1.7 Gbps, 95
$18,495, Unlimited, 2,000, 2, 600, 256, 8, Yes, 360, 70
SMB: $7,995, Unlimited, 2,000, 1, 433, 64, 6, Yes, 188, 63
ROBO: $1,695, Unlimited, 25, 1, 300, 32, 2 10BaseT, No, 20, 16
< 1, 133, 16, 1 10BT + 4 FE, No, 10, 3
Page 48: Multi-Gigabit Firewall Module
Multi-Gigabit Firewall Acceleration Module for Securing
Enterprise Campus, Data Center & SP Networks
Applications
• Enterprise Campus/WAN Perimeter Security
• Data Center Security
• Service Provider Edge Security Services
High performance
- 3Mpps (5Gbps) Packet Processing Performance
- 100,000 Conn Per Sec, 1 million sessions/ sec for HTTP&DNS
- VLANs, DMZ, Dynamic Routing, Failover Capabilities
- Multiple blades per chassis supported
Page 49: Cisco VPN 3000 Concentrator Series
(Image: VPN 3080 concentrator.)
The goal is to provide products that cover the entire spectrum of customer VPN applications, making Cisco the only choice for CPE and Service Providers
Page 50: Cisco VPN 3000 Series Concentrator
Model                   3080       3060       3030       3015       3005
Remote Access Tunnels   10,000     5,000      1,500      100        100
Site-to-Site            1,000      1,000      500        100        100
Encryption              Hardware   Hardware   Hardware   Software   Software
SEPs Installed          4          2          1          0          N/A
Upgradable              No         No         Yes        Yes        No
Redundant PS            Included   Option     Option     Option     No
Redundant SEPs          Included   Option     Option     N/A        N/A
Page 52: Cisco VPN Client
Windows 95, 98, NT, ME, 2000, XP
Page 53: VPN Client Features
Start before login — Windows 2000 and NT
Command line interface
SCEP
Data compression
Application launcher
Entrust Entelligence support
Local LAN access option
Client update notification
Type of Service (TOS) field preservation
Personal firewall support
Page 54: Cisco VPN 3002 Hardware Client
(Image: front of the unit.)
• Client Mode: nonroutable network
• Network Extension Mode: routable network
• Supports up to 253 devices
• Supports PAT transparent IPSec
• Scales to very large networks – it’s a client
• Independent of user operating system
• Greater than 2 Mbps 3DES throughput
• Unit authentication
• Individual user authentication
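As an added illustration (not code from this deck or from Cisco), a small Python model of what the central site can reach behind a 3002 in each mode; the office subnet and the tunnel address are assumed values:

```python
# Added example (not Cisco's code): a toy model of the two VPN 3002 hardware
# client modes above.  In Client Mode the office LAN is non-routable and all
# inside hosts share the 3002's one tunnel address via PAT; in Network
# Extension Mode the office subnet itself is routable across the tunnel.
# All addresses below are constructed for illustration.
from ipaddress import IPv4Address, IPv4Network, ip_address

OFFICE_LAN = IPv4Network("192.168.10.0/24")   # constructed small-office subnet
TUNNEL_ADDR = IPv4Address("10.0.0.7")         # constructed address the 3002 gets from the concentrator


def max_clients(lan: IPv4Network = OFFICE_LAN) -> int:
    """Why the slide says 'up to 253 devices': a /24 minus the network
    address, the broadcast address and the 3002's own inside address."""
    return lan.num_addresses - 3


class Vpn3002:
    """Forwarding decision of the hardware client in each mode."""

    def __init__(self, mode: str) -> None:
        if mode not in ("client", "network-extension"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.pat_table = {}        # tunnel port -> (inside ip, inside port)
        self._next_port = 40000

    def outbound(self, src_ip: str, src_port: int):
        """Source the central site sees for a packet from an inside host."""
        if ip_address(src_ip) not in OFFICE_LAN:
            raise ValueError("source is not on the office LAN")
        if self.mode == "network-extension":
            return src_ip, src_port            # inside address travels unchanged
        port = self._next_port                 # Client Mode: PAT to the tunnel address
        self._next_port += 1
        self.pat_table[port] = (src_ip, src_port)
        return str(TUNNEL_ADDR), port

    def inbound(self, dst_ip: str, dst_port: int):
        """Inside destination for a packet arriving from the central site,
        or None when the 3002 has nowhere to deliver it."""
        if self.mode == "network-extension":
            return (dst_ip, dst_port) if ip_address(dst_ip) in OFFICE_LAN else None
        if ip_address(dst_ip) != TUNNEL_ADDR:
            return None
        # Client Mode: only replies that match an existing translation get in,
        # so the central site cannot open a connection to an inside host.
        return self.pat_table.get(dst_port)
```

In Client Mode the central site can only answer flows the office started, which is the "nonroutable network" property the slide lists; Network Extension Mode trades that isolation for reachability of the office subnet.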
Page 55: VPN Positioning
Page 57: VPN Product Function Matrix
(Matrix across Remote access VPN and Site-to-site VPN.)
Primary role (full-fledged remote access solution)
Secondary role (3000): enhance existing PIX Firewall with the VPN remote access solution
Security organization owns VPN solution
Page 58:
• Connection of remote sites, users, and partners across a VPN
• High-density, low-bandwidth connections
Trang 59VPN Clients
Certicom PDA
IPSec VPN Client
3002 Hardware Client
Internet Small office
Cisco VPN Software Client
Trang 60Site-to-Site VPNs—Cisco Routers
1700 Series
Regional
office
Trang 61Firewall-Based VPN—PIX Firewall