

  • Number of slides: 18

Slide 1: THIS IS THE POWER OF CISCO SECURITY. now.
Cisco Security NOW
© 2003, Cisco Systems, Inc. All rights reserved.

Server and Desktop

Slide 3: Host Based Intrusion Prevention (HIPS)
Items to secure Servers and Desktops
• Cisco Security Agent software (CSA)
  – Behavior based, NO SIGNATURE UPDATES REQUIRED
  – Zero Hour Protection
• BLOCKED:
  – MS Blaster (luvgate)
  – Nimda
  – Code Red v1 & v2
  – SQL Slammer
  – SoBig, Backdoor.IRC.RPCBot.D
• Event correlation at the management console across the network to give high alert of potential WORM or VIRUS
• With the addition of the PROFILER, event correlation is enhanced and custom policies generated

Slide 4: Transition From Detection to Protection: At the Endpoint…
• From Signature-based to Policy-Based
  – Stops new attacks that attempt malicious activity
  – Policies allow “good” behavior and prevent “bad” behavior (P2P, Instant Messaging, Custom Programs)
• From Multiple Products to Single Agent
  – Aggregates multiple security functionality in one agent: HIPS, Zero-day protection, Firewall and OS lockdown
• From Updates to Zero-Update Protection
  – Behavior-based architecture changes desktop and server paradigm

Slide 5: Cisco Security Agent (CSA): Behavioral Protection From Attacks
Attacks:
• Rapidly Mutating
• Continual signature updates
• Inaccurate
Target:
• Most damaging
• Change very slowly
• Inspiration for CSA solution

Slide 6: Behavior Control Protects End Points
Diagram: Corporate Security Policy applied to the applications (Web Server, Email Client, Web Browser)
• System Call Shims sit between the applications and the Host Operating System and intercept: File System Access, Registry Access, COM Object Access, Memory Access, Code Execution, HTTP Filtering
• A Network Shim in the Network Protocol Stack sees Inbound packets and Outbound packets
• Attacks shown against these layers: SMBDie, Ping of Death, Mount Shares, Buffer Overflow, Active Content
• Attack classes: Protocol Attack, Operating System Attack, Application Attack

Slide 7: Cisco Security Agent Functions
• System Hardening
  – Syn-flood protection
  – Malformed packet protection
  – Restart of failed services
• Resource Protection
  – File access control
  – Network access control
  – Registry access control
  – COM component access control
• Control of executable content
  – Protection against email worms
  – Protection against automatic execution of downloaded files or ActiveX controls
• Application-related
  – Application run control
  – Executable file version control
  – Protection against code injection
  – Protection of process memory
  – Protection against buffer overflows
  – Protection against keystroke logging
• Detection
  – Packet sniffers & unauthorized protocols
  – Network scans
  – Monitoring of OS event logs

Slide 8: Types of Behavior
• CSA can also provide customized behavioral security for any environment
Diagram (nested sets): All Possible Types of Security Relevant Behavior
  – Policy Violations (may be undesired): Strict Control; Application Specific Policies via CSA Profiler; Default Application Policies
  – Malicious Behavior (always undesired): Default Server and Desktop Policies
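The layered model on slides 6 through 8 (system-call shims feeding a policy that permits “good” behavior and denies “bad” behavior, with malicious behavior always denied and application-specific policy violations left for the administrator to tune) can be sketched as a small rule engine. The following is an added example written for this page, not Cisco Security Agent code: the event fields, resource classes, rule format, rule names and the sample events are all constructed assumptions.

```python
"""Minimal behavior-control policy engine (added example, not Cisco code).

Each Event describes one intercepted operation, the kind of thing a
system-call or network shim would hand to the policy layer: which
application asked, which resource class it touched and what it tried to do.
Rules are evaluated in order; the first match decides.  A rule's klass says
whether a hit is always-undesired malicious behavior or a policy violation
that may be legitimate for some applications.  Everything below is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    app: str        # process image name, e.g. "iexplore.exe"
    resource: str   # file | registry | com | memory | exec | network
    target: str     # path, registry key, pid, image or host:port
    action: str     # read | write | load | inject | execute | connect


@dataclass(frozen=True)
class Rule:
    name: str
    app: str        # glob over Event.app
    resource: str   # exact resource class or "*"
    target: str     # glob over Event.target
    action: str     # exact action or "*"
    verdict: str    # "allow" or "deny"
    klass: str      # "malicious" (always undesired) or "policy" (may be undesired)

    def matches(self, ev: Event) -> bool:
        return (fnmatch(ev.app.lower(), self.app.lower())
                and self.resource in ("*", ev.resource)
                and fnmatch(ev.target.lower(), self.target.lower())
                and self.action in ("*", ev.action))


@dataclass(frozen=True)
class Decision:
    verdict: str
    rule: Optional[str]    # name of the matching rule, None for the default
    klass: Optional[str]


class PolicyEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.denied: List[Decision] = []   # what an agent would report upstream

    def evaluate(self, ev: Event) -> Decision:
        for rule in self.rules:
            if rule.matches(ev):
                d = Decision(rule.verdict, rule.name, rule.klass)
                break
        else:
            d = Decision("allow", None, None)  # unmatched behavior is permitted
        if d.verdict == "deny":
            self.denied.append(d)
        return d


# Constructed policy.  Malicious-behavior rules come first so that a more
# permissive application-specific rule can never shadow them.
DEFAULT_POLICY = [
    Rule("no-code-injection", "*", "memory", "*", "inject", "deny", "malicious"),
    Rule("no-exec-from-temp", "*", "exec", "*\\temp\\*", "execute", "deny", "malicious"),
    Rule("mail-client-no-exec", "outlook.exe", "exec", "*", "execute", "deny", "malicious"),
    Rule("browser-downloads-only", "iexplore.exe", "file", "c:\\users\\*\\downloads\\*", "write", "allow", "policy"),
    Rule("browser-no-other-writes", "iexplore.exe", "file", "*", "write", "deny", "policy"),
    Rule("no-run-key-writes", "*", "registry", "hklm\\software\\microsoft\\windows\\currentversion\\run*", "write", "deny", "policy"),
    Rule("webserver-no-outbound", "httpd.exe", "network", "*", "connect", "deny", "policy"),
]


def run_sample() -> list:
    """Evaluate a constructed event stream; returns (app, action, Decision) tuples."""
    engine = PolicyEngine(DEFAULT_POLICY)
    sample = [
        Event("iexplore.exe", "file", "C:\\Users\\alice\\Downloads\\report.pdf", "write"),
        Event("iexplore.exe", "file", "C:\\Windows\\System32\\drivers\\etc\\hosts", "write"),
        Event("outlook.exe", "exec", "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "execute"),
        Event("svchost.exe", "memory", "pid:4120", "inject"),
        Event("httpd.exe", "network", "203.0.113.9:6667", "connect"),
        Event("notepad.exe", "file", "C:\\Users\\alice\\notes.txt", "write"),
    ]
    return [(ev.app, ev.action, engine.evaluate(ev)) for ev in sample]


if __name__ == "__main__":
    for app, action, d in run_sample():
        print(f"{app:14} {action:8} -> {d.verdict:5} {d.rule or '-'} [{d.klass or 'default'}]")
```

The ordering matters: because the always-undesired rules are listed first, the Outlook event that launches an executable from a temp directory is denied by the generic temp-execution rule before the mail-client rule is even consulted, which is the "default server and desktop policy" layer from slide 8 sitting beneath the application-specific layer.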

Slide 9: CSA Management Model
Security Administrators:
• Configure the system via browser connected to CSA Management Console
• Review security events, reports, & alerts
• Modify security policies
• Can have: Configure, Deploy, Monitor roles
CSA MC (Management Console):
• Is required to be physically secure
• Holds the configuration and event databases (SQL Server)
• Serves to distribute agent software to end-points
• Deploys security policies to end-points
• Receives events from agents and performs correlation
• Sends alerts to administrators
Diagram: Administrator (Web Browser) connected to the Management Console; Events and Configuration data flow across the Router between the Management Console and the Agent Hosts or End Points
Agents (Hosts or End Points):
• Protected by CSA
• Are members of one or more groups
• Get their security policies from the CSAMC
• Send security events to the CSAMC

Slide 10: CISCO Security Agent Architecture
Diagram: CSA Mgmt Console at the center; Web Browser (Management Configuration) and Other Managers on one side; Desktop Agent, Laptop Agent and Server Agent on the other, receiving Policy Updates and returning Reports, Events; Alerts go out to SNMP Manager, Custom Programs and Local File
• Platforms: Win NT, Win 2K, Win XP and Solaris 8 64 bit
• Agents enforce policy locally, connected or not
• All communications HTTP and SSL

Slide 11: CSA Correlation Capabilities
CSA offers unique agent and management level correlation
Correlation on Agent:
• Higher accuracy
• Fewer “False Positive” events
• Example: Trojan Horse detection, Network Worm propagation, automatic application recognition
Correlation on Manager:
• Higher accuracy
• Fewer “False Negative” events
• Example: Distributed “Ping Scans”, Network Worm propagation
Diagram: Agent → Management Server
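Slide 11 contrasts correlation on the agent with correlation on the manager, and the distributed ping-scan case shows why the manager catches what each agent alone misses: a scanner that probes every host once never crosses a per-host threshold, but the management server sees the same source touching many hosts. The following is an added example written for this page, not Cisco code; the event format, thresholds, window sizes, host names and addresses are constructed assumptions.

```python
"""Agent-level versus manager-level correlation of ICMP echo events
(added example, not Cisco code; all values constructed).

Each agent only sees the echo requests that reach its own host, so it can
count pings per source on that host.  The manager receives every agent's
events and can count distinct target hosts per source, which is the view
needed to recognise a distributed ping scan.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class AgentEvent:
    host: str      # agent that reported the event
    source: str    # address that sent the ICMP echo request
    ts: float      # seconds


class AgentCorrelator:
    """Per-host view: alert only when one source pings this host repeatedly."""

    def __init__(self, threshold: int = 10, window: float = 60.0):
        self.threshold, self.window = threshold, window
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, ev: AgentEvent) -> bool:
        q = self.seen[ev.source]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        return len(q) >= self.threshold


class ManagerCorrelator:
    """Network-wide view: alert when one source reaches many distinct hosts."""

    def __init__(self, threshold: int = 5, window: float = 60.0):
        self.threshold, self.window = threshold, window
        self.seen: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def observe(self, ev: AgentEvent) -> bool:
        q = self.seen[ev.source]
        q.append((ev.ts, ev.host))
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        hosts: Set[str] = {h for _, h in q}
        return len(hosts) >= self.threshold


def replay(events: List[AgentEvent]) -> Tuple[list, list]:
    """Feed events to one correlator per agent and one manager-side correlator."""
    agents: Dict[str, AgentCorrelator] = defaultdict(AgentCorrelator)
    manager = ManagerCorrelator()
    agent_alerts, manager_alerts = [], []
    for ev in events:
        if agents[ev.host].observe(ev):
            agent_alerts.append((ev.host, ev.source))
        if manager.observe(ev):
            manager_alerts.append(ev.source)
    return agent_alerts, sorted(set(manager_alerts))


def sample_events() -> List[AgentEvent]:
    """Constructed stream: one low-and-slow scanner plus a benign monitoring box."""
    evs = []
    for i in range(8):   # scanner probes eight hosts once each, 2 s apart
        evs.append(AgentEvent(f"host-{i:02d}", "203.0.113.7", 1000.0 + 2 * i))
    for i in range(6):   # monitoring box pings host-00 every 5 s, under the agent threshold
        evs.append(AgentEvent("host-00", "10.0.0.5", 1001.0 + 5 * i))
    return sorted(evs, key=lambda e: e.ts)


if __name__ == "__main__":
    a, m = replay(sample_events())
    print("agent alerts:  ", a)
    print("manager alerts:", m)
```

With these thresholds no agent ever alerts (each host saw the scanner once and the monitoring box six times), while the manager raises an alert for 203.0.113.7 on the fifth distinct host it touches and never for the monitoring box, which only ever reaches one host. That is the "fewer false negatives" property the slide attributes to manager-side correlation.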

Slide 12: CSA Market-Leadership Validation

Slide 13: CISCO Security Agent v4.0 – July 2003
• Integration with CiscoWorks VMS 2.2 – Co-resident installation; SecMon integration
• Additional Web server protection features – HTTP filtering; Connection Rate Limiting
• End-point integrity enforcement – Are You There integration with Cisco VPN client 4.0
• Augmenting the security of CISCO infrastructure – CSA policies for VMS and CISCO CallManager

Slide 14: The Value of Prevention
"We estimated three classes of users, from data input to managerial functions, and assigned a population to each. After totaling the server downtime, the amount of time lost for employees and the hourly rate for each group, we came up with a staggering $98,306 for the incident." Network Computing Magazine, October 2002

Slide 15: The Value of Patch Relief
"And Digex, a provider of managed Web and application hosting services, calculates the annual cost of manually managing patch deployment to be about $14,400 per server." CSO Magazine, August 2003
• CSA enables more cost effective patch management (providing relief from today’s reactive approach):
  – Vulnerable hosts have protection in the face of new attacks
  – Customer may wait for ‘roll-ups’ and Service Packs, which come better qualified from vendor
  – Testing and implementation of updates can be scheduled without undue change control interruption
• CSA enables fewer updates to endpoints in a proactive and scheduled fashion… which means a lower TCO per server
“IT managers spend two hours per server to test and deploy a patch, which leads research firm Gartner to estimate that it can cost a company with 1,000 servers about $300,000 for each patch.” Information Week, Attacks Averted, Feb 3, 2003

Slide 16: CISCO Security Agent Summary
• CSA’s behavior based technology enables:
  – Lower Total Cost of Ownership
    • Single agent for Desktops and Servers
    • Provides multiple security solutions (Firewall + IDS + Malicious Mobile Code + OS Hardening + File Integrity)
    • Removal of the signature management burden
    • Huge reduction in alerts and false positives
    • Correlation on the Agent and Management Console
    • Intrusion Prevention not detection

Slide 17: CISCO Security Agent Summary
• CSA’s behavior based technology enables:
  – You get to enforce your Corporate Security Policies
  – You get to control the Patch process
  – Data Theft Policy protects Intellectual Property
  – Protection in the face of new and unknown threats
