
RELEASE 12.3(7)T: CISCO IOS SECURITY UPDATE : 

March 2004

Agenda : 

- Cisco IOS® Firewall Feature Set
- What’s new in Cisco IOS 12.3.7T Security?
- AutoSecure/SDM Demo

CISCO IOS SOFTWARE FIREWALL FEATURE SET : 

© 2004 Cisco Systems, Inc. All rights reserved. Cisco IOS Security Update, Release 12.3(7)T, 3/04. For Cisco Internal Use Only.

ICSA Cisco IOS Firewall Certification : 

- Certified the Cisco 1700 Series Router
- Cisco 2600, 3600, and 3700 Series Routers will be certified by the end of March 2004
- Tell customers that Cisco IOS Stateful Firewall is ICSA certified and that Cisco has initiated the process for Common Criteria EAL-4+ Certification

Cisco IOS Firewall Features : 

- Context-Based Access Control
  - Stateful, per-application filtering
  - Support for advanced protocols (H.323, SQLnet, RealAudio and more)
- Denial of Service detection and prevention
- Control downloading of Java applets
- Real-time alerts
- TCP/UDP transaction log

Cisco IOS Firewall Features, cont’d. : 

- Basic and advanced traffic filtering
- Per-user authentication and authorization (“authentication proxy”)
- Dynamic per-application port mapping
- Configurable alerts and audit trail
- SMTP-specific attack detection
- IP fragmentation defense
- Event logging
- Audit trail

Cisco IOS Firewall Application Support : 

Transparent support for common TCP/UDP Internet services:
- WWW
- Telnet
- SNMP
- Finger
- FTP
- TFTP
- SMTP
- Java blocking

Cisco IOS Firewall Application Support, cont’d. : 

- BSD R-cmds
- Oracle SQL Net
- Remote Procedure Call (RPC)
- Multimedia applications:
  - VDOnet’s VDO Live
  - RealNetworks RealAudio
  - Intel Internet Video Phone (H.323)
  - Microsoft NetMeeting (H.323)
  - Whitepine CuSeeMe
  - Xing Technologies Streamworks
  - Microsoft NetShow

Cisco IOS Firewall Functionality : 

ACL on the outside interface stops everything (diagram: Internet on the outside interface, Corporate Network on the inside):

    ip access-list extended FWACL
     deny ip any any log
    !
    interface Ethernet0/0
     description outside
     ip access-group FWACL in

Cisco IOS Firewall Basics : 

ACL on the outside interface stops everything; inspected traffic opens temporary access for its return traffic (stateful CBAC). Diagram: Internet on the outside interface, Corporate Network on the inside.

    access-list 101 deny ip any any log-input
    !
    interface Ethernet0/0
     description outside
     ip access-group 101 in
    !
    ip inspect name GODZILLA tcp
    ip inspect name GODZILLA udp
    !
    interface Ethernet0/1
     description inside
     ip inspect GODZILLA in

Temporary access is opened on the outside interface for the return traffic of sessions that match the inspection rule.
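
Added illustration, not Cisco code and not from the slides: a small Python model of the CBAC behaviour configured on this slide. The packet layout, the session table, the idle timer and the log text are this model's own simplifications; the addresses and interface names are constructed.

```python
"""Model of the CBAC behaviour configured above: ACL 101 inbound on the
outside interface denies everything, and the GODZILLA inspection rule on
the inside interface opens temporary entries for return traffic.
Added illustration, not Cisco code; session table and log text are
simplifications."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str    # interface the packet arrives on: "inside" or "outside"


# (proto, inside host, inside port, outside host, outside port)
SessionKey = Tuple[str, str, int, str, int]


class CbacRouter:
    """'ip inspect name GODZILLA tcp/udp' inbound on the inside interface,
    'access-list 101 deny ip any any log-input' inbound on the outside."""

    def __init__(self, inspected: Tuple[str, ...] = ("tcp", "udp"),
                 idle_timeout: float = 3600.0) -> None:
        self.inspected = set(inspected)
        self.idle_timeout = idle_timeout                # CBAC idle timer (s)
        self.sessions: Dict[SessionKey, float] = {}     # key -> last seen
        self.syslog: List[str] = []

    def _expire(self, now: float) -> None:
        """Remove state entries idle for longer than the timer."""
        stale = [k for k, seen in self.sessions.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def forward(self, pkt: Packet, now: float) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        self._expire(now)
        if pkt.ingress == "inside":
            # No inbound ACL on the inside interface. Inspected protocols
            # get a state entry; anything else (e.g. ICMP) passes but opens
            # no entry for its replies.
            if pkt.proto in self.inspected:
                key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.sessions[key] = now
            return True
        # Outside interface: a packet matching an inspected session is let
        # through ahead of the deny; everything else hits ACL 101.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = now                    # refresh idle timer
            return True
        # Constructed log text, in the spirit of the access-list log line.
        self.syslog.append(f"list 101 denied {pkt.proto} {pkt.src}({pkt.sport})"
                           f" -> {pkt.dst}({pkt.dport})")
        return False


def demo() -> List[bool]:
    """Walk constructed packets through the model; see comments for why."""
    r = CbacRouter(idle_timeout=300)
    web, pc = "198.51.100.10", "10.0.0.5"
    return [
        # inside host opens TCP to a web server: forwarded, entry created
        r.forward(Packet("tcp", pc, 40000, web, 80, "inside"), 0),
        # the server's reply matches the entry: permitted
        r.forward(Packet("tcp", web, 80, pc, 40000, "outside"), 1),
        # unsolicited connection from outside to SSH: denied and logged
        r.forward(Packet("tcp", web, 5555, pc, 22, "outside"), 2),
        # ICMP is not inspected: the echo goes out, but the reply is denied
        r.forward(Packet("icmp", pc, 0, web, 0, "inside"), 3),
        r.forward(Packet("icmp", web, 0, pc, 0, "outside"), 4),
        # after the idle timer the entry is gone and the same reply is denied
        r.forward(Packet("tcp", web, 80, pc, 40000, "outside"), 400),
    ]
```

The ICMP case is the point worth noticing: only the protocols named in the inspect rule create state, so a reply for anything else is handled by the deny-all ACL alone.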

Cisco IOS Intrusion Detection System : 

- Acts as an in-line intrusion detection sensor
- Watches packets and sessions as they flow through the router, scanning each to match any of the Cisco IOS Firewall IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog.
- Can be configured to perform the following tasks:
  - Send an alarm to a syslog server or a VMS (centralized management interface)
  - Drop the packet
  - Reset the TCP connection

Cisco IOS Intrusion Detection : 

Diagram: attack traffic passes through a Cisco 7200; the router sends an alarm to network management, drops the packet, or resets the connection.

Cisco IOS differentiator – mitigate, act (reset), and notify upon signature identification: DROP packet, RESET connection, send alarm.

IDS Signatures : 

IDS Signatures Cisco IOS Firewall IDS identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic

Additional IDS Signatures (12.2.6th(T)) : 

Added detection includes 42 additional signatures to Cisco IOS IDS, including:
- 19 HTTP signatures: 3229, 3233, 5034, 5035, 5041, 5043, 5044, 5045, 5050, 5071, 5116, 5117, 5118, 5123, 5055, 5081, 5114, 3215, 5090
- 10 most common DNS signatures: 6050, 6051, 6052, 6053, 6062, 6063, 6054, 6055, 6056, 6057
- 3 UDP signatures: 4051, 4052, 4600
- 10 additional signatures: 1101, 1104, 1105, 1106, 1107, 1202, 1206, 3038, 3039, 3043

Additional IDS Signature Breakdown : 

A new total of 101 critical signatures now supported!

Severity:
- 40 info signatures (detect information gathering, e.g. a port sweep)
- 61 attack signatures (detect malicious activity, e.g. illegal FTP commands)

Complexity:
- 74 atomic signatures (detect simple patterns, like an attempt on a specific host)
- 27 compound signatures (detect complex patterns, such as an attack on multiple hosts over extended time periods with multiple packets)

IDS Implementation / CLI Commands : 

Audit rule, interface and SMTP commands:

    [no] ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
    [no] ip audit audit-name {in | out}                    ! interface configuration: apply the rule
    [no] ip audit smtp spam number-of-recipients

Global commands:

    [no] ip audit signature signature-id {disable | list acl-list}
    [no] ip audit attack {action [alarm] [drop] [reset]}   ! action for attack signatures
    [no] ip audit info {action [alarm] [drop] [reset]}     ! action for info signatures

Secure Branch Infrastructure IDS On The Router : 

Diagram: Cisco IOS® Security Router = VPN + Intrusion Detection + URL Filter + Firewall + WAN Router, with deep packet inspection and log/alert output.

- Accelerates IDS performance for Cisco 2600, 3660, 3700 routers
- Up to 45 Mbps (varies by platform)
- Lockstep code and signature updates with appliance and switch
- Leverages IDS appliance technology and management

RELEASE 12.3(7)T: CISCO IOS SECURITY UPDATE : 

What’s New in 12.3(7)T? FCS: March 1, 2004 : 

Infrastructure Security:
- Role-Based CLI Access
- Control Plane Policing enhancements: MIB support and packets-per-second input (previously bps)
- CISCO-CLASS-BASED-QOS-MIB
- NetFlow MIB
- IP Source Tracker

Cisco IOS Firewall:
- ICSA Certification for Cisco IOS Firewall
- Cisco IOS Firewall for IPv6
- Transparent Cisco IOS Firewall
- Extended Simple Mail Transport Protocol (ESMTP) support

What’s New in 12.3(7)T? FCS: March 1, 2004 (Cont.) : 

IPsec VPN:
- Dynamic Multipoint VPN (DMVPN) VRF Integration
- DMVPN NAT-Transparency Awareness
- Cisco IOS Easy VPN Remote with Digital Certificate*
- Software Encryption Algorithm (SEAL) Encryption

Trust & Identity:
- Key Rollover for Certificate Renewal
- Public Key Infrastructure (PKI): Query Multiple Servers during Certificate Revocation Check
- SSHv2 Client
- RADIUS Attribute Screening support for Access-Request
- Per-VRF TACACS+ support

* Will appear in Release 12.3(7)T1

Role-Based CLI Access : 

Customized access to match operational needs:
- Provides view-based access to CLI commands
- View: a set of operational commands and configuration capabilities
- User authentication is done via an external or internal AAA server (or TACACS+)
- Customers can define up to 15 views, plus one reserved for the root user

Diagram examples: a WAN Engineer view (config routing, config interfaces, show); a Security Operator view (config AAA and NetFlow; show IOS Firewall and IDS).

IP Source Tracker : 

Attack source tracking (diagram: a DoS attack source is tracked back through routers A, B and C).

www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s21/ipst.htm

NetFlow for Security: Flow Information Helps Mitigate Attacks : 

- Identify the attack
  - Count the flows
  - Inactive flows signal a worm attack
- Classify the attack
  - Small-size flows to the same destination
  - What is being attacked and the origination of the attack
- Many companies prevented SQL Slammer by watching flows per port
- Cisco IOS NetFlow MIB with export of Top N talkers
  - Top N flow information for packets, bytes
  - Top N flows based on various NetFlow field values (i.e. AS number, destination, ports)
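
Added example, not Cisco code and not NetFlow MIB output: Python over a handful of constructed NetFlow-style records, applying the heuristics this slide lists (flows per port, many small flows fanning out from one source, Top N talkers). The record fields and the thresholds are this example's own choices.

```python
"""Flow-count heuristics of the kind the slide describes, run over
constructed NetFlow-style records. Added example, not Cisco code; the
record layout and thresholds are simplifications of what a collector or
the NetFlow MIB top-talker export would provide."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    packets: int
    octets: int


def flows_per_port(flows: List[Flow]) -> Counter:
    """'Watch flows per port': how many flows target each (proto, dport)."""
    return Counter((f.proto, f.dport) for f in flows)


def top_n_talkers(flows: List[Flow], n: int) -> List[Tuple[str, int]]:
    """Top N sources by bytes sent, like the NetFlow MIB top-talkers export."""
    octets: Counter = Counter()
    for f in flows:
        octets[f.src] += f.octets
    return octets.most_common(n)


def suspicious_ports(flows: List[Flow], min_flows: int = 20,
                     max_octets: int = 600,
                     min_fanout: int = 10) -> Dict[Tuple[str, int], dict]:
    """Flag (proto, dport) pairs hit by many small flows with a wide
    destination fan-out from a single source: the shape of a scanning
    worm such as SQL Slammer (UDP/1434, one small datagram per target)."""
    small: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        if f.octets <= max_octets:
            small[(f.proto, f.dport)].append(f)
    flagged: Dict[Tuple[str, int], dict] = {}
    for port, fl in small.items():
        if len(fl) < min_flows:
            continue
        fanout: Dict[str, set] = defaultdict(set)
        for f in fl:
            fanout[f.src].add(f.dst)
        src, dsts = max(fanout.items(), key=lambda kv: len(kv[1]))
        if len(dsts) >= min_fanout:
            flagged[port] = {"flows": len(fl), "top_source": src,
                             "destinations": len(dsts)}
    return flagged


def sample_flows() -> List[Flow]:
    """Constructed records: three ordinary HTTP flows plus one host sending
    a single 404-byte UDP datagram to port 1434 on 25 hosts of a /24."""
    normal = [
        Flow("10.0.0.5", "198.51.100.10", "tcp", 80, 120, 50_000),
        Flow("10.0.0.6", "198.51.100.11", "tcp", 80, 300, 120_000),
        Flow("10.0.0.5", "198.51.100.12", "tcp", 80, 40, 8_000),
    ]
    worm = [Flow("10.0.0.7", f"203.0.113.{i}", "udp", 1434, 1, 404)
            for i in range(1, 26)]
    return normal + worm
```

Note that the top talker by bytes is an ordinary web client, while the scanning host sends little data: counting flows, not bytes, is what makes the spraying pattern visible.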

Cisco IOS Firewall for IPv6 : 

- Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP and ICMP traffic
- Stateful inspection and translation services of IPv4/IPv6 packets
- IPv6 DoS attack mitigation
- IPv4 and IPv6 coexistence: no need for new hardware, just a software upgrade
- Recognizes IPv6 extension header information such as the routing header, hop-by-hop options header, fragment header, etc.
- All IPv4/v6 dual-stack (T-train) Cisco IOS Software routers supported

Transparent Cisco IOS Firewall : 

- Layer 2 connectivity with Layer 3 firewall support
- Easily add a firewall to existing networks - no IP subnet renumbering required!
- Support for sub-interfaces and VLAN trunks
- Spanning Tree Protocol support – handles BPDU packets correctly per 802.1d, not just “pass/drop”
- Simultaneous support for transparent and L3 firewall on the same router (only device in the industry that can do this!)
- No need for IP addresses on the interfaces
- All standard management tools supported
- Supports DHCP pass-through to assign DHCP addresses on opposite interfaces (bidirectional)

ESMTP Inspection and Attack Mitigation : 

- Extension to the current SMTP inspection
- ESMTP inspection of ESMTP commands for anomalies
- Detects and blocks known SMTP & ESMTP attacks or illegal commands
- Scans for a limited number of known attacks: bad from/recipient, header with “:decode@”
- When an anomaly is detected, the connection is reset and a syslog message is generated
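
Added example, not Cisco code, serving both this slide and the `ip audit smtp spam number-of-recipients` command on the IDS CLI slide: a toy ESMTP command inspector in Python that returns "reset" and records a syslog line for an unknown command, a malformed envelope address, the ":decode@" / decode-alias pattern, or too many recipients. The command set, the address check, the recipient limit and the message texts are this model's own.

```python
"""Toy ESMTP command inspector in the style of the slide: illegal or
malformed commands, bad sender/recipient addresses, the decode-alias
pattern and too many recipients each produce a syslog entry and a
'reset' verdict. Added example, not Cisco code."""
import re
from typing import List

# RFC 821 commands plus the ESMTP extensions most servers advertise.
KNOWN_COMMANDS = {
    "HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
    "VRFY", "EXPN", "HELP", "AUTH", "STARTTLS", "ETRN",
}
# One local part, one '@', one domain, optional angle brackets.
ADDR_RE = re.compile(r"^<?[^<>@\s]+@[^<>@\s]+>?$")
PATH_RE = re.compile(r"(FROM|TO):\s*(.+)$", re.IGNORECASE)


class SmtpInspector:
    def __init__(self, max_recipients: int = 10) -> None:
        self.max_recipients = max_recipients    # like 'ip audit smtp spam N'
        self.recipients = 0
        self.syslog: List[str] = []

    def _reset(self, reason: str, line: str) -> str:
        """Constructed syslog text; the connection would be reset here."""
        self.syslog.append(f"SMTP anomaly: {reason}: {line!r}")
        return "reset"

    def inspect(self, line: str) -> str:
        """Return 'pass' for an acceptable command line, else 'reset'."""
        line = line.rstrip("\r\n")
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in KNOWN_COMMANDS:
            return self._reset("illegal command", line)
        if verb == "RSET":
            self.recipients = 0             # new envelope, new recipient count
        if verb in ("MAIL", "RCPT"):
            m = PATH_RE.match(arg.strip())
            if not m:
                return self._reset("malformed envelope command", line)
            # First token is the path; anything after it is ESMTP parameters.
            addr = m.group(2).strip().split()[0]
            bare = addr.strip("<>").lower()
            # The old sendmail 'decode' alias piped mail into uudecode; a
            # decode@ recipient or a ':decode@' string is the slide's pattern.
            if bare.startswith("decode@") or ":decode@" in bare:
                return self._reset("decode alias in address", line)
            if addr != "<>" and not ADDR_RE.match(addr):
                return self._reset("bad from/recipient address", line)
            if verb == "RCPT":
                self.recipients += 1
                if self.recipients > self.max_recipients:
                    return self._reset("recipient limit exceeded", line)
        return "pass"


def inspect_session(lines: List[str], max_recipients: int = 10) -> List[str]:
    """Run a whole client command sequence; stop at the first reset."""
    insp = SmtpInspector(max_recipients)
    verdicts: List[str] = []
    for ln in lines:
        v = insp.inspect(ln)
        verdicts.append(v)
        if v == "reset":
            break
    return verdicts
```

The recipient counter is reset by RSET, as a new envelope would be; the limit is therefore per message, which is what a "spam" threshold on recipients is meant to catch.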

VRF Integrated Dynamic Multipoint (DMVPN) : 

VRF Integrated DMVPN:
+ DMVPN can be used to extend MPLS deployments
+ Multiple spokes can be coalesced into a single MGRE interface

EasyVPN Client Certificate Support* : 

- Easy VPN now works with PKI certificates
- Alternative to pre-shared keys
- Can use the Cisco IOS CA server for enrollment

Diagram: central site (Cisco IOS router with IOS CA server or external CA server, VPN Concentrator, or PIX) – Internet – branch office (Cisco IOS router, 3002, or PIX) and home office (Cisco VPN S/W client on PC/Mac/Unix).

* Will appear in Release 12.3(7)T1

SEAL Encryption : 

- Software Encryption Transform for IPsec: a new encryption algorithm performed in software
- Better performance than other encryption algorithms done in software
- Alternative encryption transform in addition to DES/3DES/AES: “esp-seal”
- SEAL encryption is based on a 160-bit key
- For large packets, about 3x faster than 3DES when done in software

Key Rollover for Cert Renewal : 

- Previously, after the certificate expired, transmission was rejected; operator intervention was needed to install a new certificate
- Renewal is now automatic and unattended

Benefits:
- Allows users to configure a router to automatically request a certificate from the certification authority (CA)
- Does not require operator intervention
- When the certificate expires, a new certificate is requested
- Unattended recovery from certificate expiration

Secure Shell v2 – Client : 

- Offers encrypted terminal access
- SSHv2 server support: Releases 12.1(19)E, 12.3(4)T, and 12.2(22)S
- SSHv2 client support: Releases 12.3(7)T and 12.2(5th)S
- Available in all crypto images

AutoSecure : 

Cisco AutoSecure : 

- “One Touch” device lockdown
- Standard feature beginning with Cisco IOS Versions 12.3 and 12.3T
- Supported platforms include Cisco 800, 1700, 2600, 3600, 3700, and 7200 Series Routers
- Transforms the security posture of Cisco routers
  - Secures the management plane
  - Secures the forwarding plane

AutoSecure—Modes of Operation : 

AutoSecure can be deployed using one of the following two modes of operation:
- Interactive Mode—Prompts the user with options to enable and disable services and other security-related features.
- Non-Interactive Mode—Automatically executes the AutoSecure command using recommended default settings.

AutoSecure—Management Plane Security : 

Global services:
- Disable often unnecessary, but potentially insecure, global services that could be exploited (e.g. finger)
- Enable certain services that help further secure often necessary global services (e.g. password encryption)

Interface services:
- Disable often unnecessary, but potentially insecure, interface services that could be exploited (e.g. ICMP redirects)

- Securing administrative access to the router
- Enabling appropriate security-related logging services

AutoSecure—Forwarding Plane Security : 

Global services:
- Enable Cisco Express Forwarding (CEF) to improve router performance under SYN attacks (directed at hosts, not the router itself)
- Configure TCP intercept (as part of the CBAC configuration) to mitigate SYN-flood attacks[1]

Interface services:
- Enable stateful firewall configuration (CBAC) on outside interfaces for firewall images
- Enable “strict” Unicast Reverse Path Forwarding to drop packets with obviously spoofed IP source addresses
- Configure “anti-spoofing” named access lists to drop packets with obviously illegal IP source addresses
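
Added example, not Cisco code: a Python model of the two interface checks named above, strict Unicast RPF evaluated against a small routing table and an anti-spoofing list of source prefixes that should never arrive from the Internet. The routing table, the interface names, the bogon list and the decision to honour the default route only on the outside interface are this model's own assumptions.

```python
"""Forwarding-plane checks AutoSecure turns on, modelled in Python: strict
uRPF against a constructed routing table and an anti-spoofing source
list. Added example, not Cisco code; table and interface names are made
up for the illustration."""
import ipaddress
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed routing table: (prefix, egress interface). Longest match wins.
ROUTES: List[Tuple[IPNet, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),
    (ipaddress.ip_network("192.0.2.0/24"), "dmz"),
]

# Sources never legitimate on an Internet-facing interface: RFC 1918
# space, loopback, link-local, multicast, class E and the zero network.
BOGON_SOURCES: List[IPNet] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def best_route(addr: str, routes=ROUTES) -> Optional[str]:
    """Egress interface of the longest-prefix match for addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    return max(matches)[1] if matches else None


def strict_urpf(src: str, ingress: str, routes=ROUTES,
                allow_default: bool = False) -> bool:
    """Strict mode ('reachable-via rx'): pass only if the router would
    send traffic back to src out of the interface it arrived on. A source
    covered only by the default route fails unless allow_default is set,
    mirroring the 'allow-default' keyword."""
    ip = ipaddress.ip_address(src)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    if not matches:
        return False
    plen, iface = max(matches)
    if plen == 0 and not allow_default:
        return False
    return iface == ingress


def anti_spoof_acl(src: str, site_prefixes: List[IPNet]) -> bool:
    """Named ACL on the outside interface: drop bogon and own-site sources."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in BOGON_SOURCES + site_prefixes)


def ingress_check(src: str, ingress: str) -> str:
    """Apply both checks the way they sit on a small edge router and say
    which one, if any, dropped the packet."""
    site = [net for net, _ in ROUTES if net.prefixlen > 0]
    if ingress == "outside":
        if not anti_spoof_acl(src, site):
            return "drop:anti-spoof"
        # Only a default route points upstream, so strict uRPF on the
        # outside interface needs allow-default to pass anything at all.
        if not strict_urpf(src, ingress, allow_default=True):
            return "drop:urpf"
    elif not strict_urpf(src, ingress):
        return "drop:urpf"
    return "forward"
```

The two checks overlap on purpose: the anti-spoofing list catches a 10.x source on the outside interface even when the default route would satisfy uRPF, while strict uRPF on the inside interface catches an inside host using an Internet address as its source. Strict mode assumes symmetric routing; on an interface that legitimately receives traffic whose return path is elsewhere it drops good packets, which is why the slide confines it to "obviously spoofed" sources on the outside edge.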

Login Enhancements : 

- The router presents a tempting target for compromise; make router compromise a tougher nut to crack
- Login Enhancements offer a thicker skin for routers, making attackers’ access to management interfaces more difficult
- Delays and “Login Lockdown” reduce the likelihood that a dictionary login attack will succeed
  - Disable login after too many failed login attempts
  - Enable configuration of a retry interval period for login attempts
  - Login remains disabled for a configurable time period
- More options for logging failed and successful login activity
  - Logging can be suspended during a DoS/dictionary attack
- Use with CPP to limit DoS flooding

    Router(config)# login block-for 120 attempts 3 within 30
    Router(config)# login quiet-mode access-class 199
    Router(config)# login on-failure trap every 3
    Router(config)# login on-success log every 1
    Router(config)# login delay 10
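
Added example, not Cisco code: a Python state machine for the five `login` commands shown on this slide, driven by constructed login events. It assumes failures are counted device-wide, models access-class 199 as a set of exempt source addresses, and models `login delay` by refusing an attempt that arrives sooner than the delay after the previous one; the event text is made up.

```python
"""State machine for the login commands on this slide:
    login block-for 120 attempts 3 within 30
    login quiet-mode access-class 199
    login on-failure trap every 3
    login on-success log every 1
    login delay 10
Added illustration, not Cisco code. Simplifications: failures are counted
device-wide, access-class 199 is a set of exempt source addresses, and
'login delay' refuses an attempt arriving too soon after the last one."""
from typing import List, Optional, Set


class LoginGuard:
    def __init__(self, block_for: int = 120, attempts: int = 3,
                 within: int = 30, delay: int = 10,
                 quiet_allowed: Set[str] = frozenset(),
                 trap_every: int = 3, log_every: int = 1) -> None:
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.delay = delay
        self.quiet_allowed = set(quiet_allowed)   # still admitted in quiet mode
        self.trap_every, self.log_every = trap_every, log_every
        self.failures: List[float] = []           # timestamps inside the window
        self.quiet_until = 0.0
        self.last_attempt: Optional[float] = None
        self.fail_total = 0
        self.success_total = 0
        self.events: List[str] = []               # constructed syslog/trap text

    def in_quiet_mode(self, now: float) -> bool:
        return now < self.quiet_until

    def attempt(self, src: str, password_ok: bool, now: float) -> str:
        """Return 'accept', 'reject', 'quiet' (refused: quiet mode) or
        'delayed' (refused: too soon after the previous attempt)."""
        if self.in_quiet_mode(now) and src not in self.quiet_allowed:
            return "quiet"
        if self.last_attempt is not None and now - self.last_attempt < self.delay:
            return "delayed"
        self.last_attempt = now
        if password_ok:
            self.success_total += 1
            if self.success_total % self.log_every == 0:   # on-success log every N
                self.events.append(f"log: login success from {src} at {now:.0f}")
            return "accept"
        self.fail_total += 1
        if self.fail_total % self.trap_every == 0:         # on-failure trap every N
            self.events.append(f"trap: {self.fail_total} login failures, last from {src}")
        # Keep only failures inside the 'within' window, then add this one.
        self.failures = [t for t in self.failures if now - t <= self.within] + [now]
        if len(self.failures) >= self.attempts:            # block-for kicks in
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.events.append(f"quiet mode entered at {now:.0f} for {self.block_for}s")
        return "reject"
```

Because the count is device-wide, a burst of failures from one address puts every other address into quiet mode too; the access-class exemption is what keeps the management station's own path open while that lasts, and it is the part to get right before enabling the feature on a box you reach remotely.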

SDM Feature Overview : 

- Quick, easy single-device provisioning
- No Cisco IOS CLI knowledge required
- Startup Wizard for quick deployment and lock-down
- On-screen guide to aid full router configuration
- LAN, WAN, IPSec VPN, Firewall, DMZ, Security Audit wizards (with intelligent defaults)
- Context-sensitive help and tutorials embedded in the application

SDM Home Page : 

(Screenshot of the SDM home page.)

SDM Feature Overview (cont.) : 

- Security-focused “Application Intelligence”
  - Identify and rectify incompatibilities in configuration
- Strong security defaults
  - Comprehensive router security audit
  - TAC and ICSA recommended security configurations
  - Device/interface specific defaults
- Secure communication using SSL/SSH
  - Encrypt all management traffic from SDM to the router

SDM Wizard Options : 

- Overview: view IOS version, hardware installed and configuration summary
- LAN Configuration: configure the LAN interfaces and DHCP
- WAN Configuration: configure PPP, Frame Relay, HDLC WAN interfaces
- Firewall: two types of firewall wizard, simple inside/outside or more complex inside/outside/DMZ with multiple interfaces
- VPN: three types of wizards to create a secure site-to-site VPN, Easy VPN and GRE tunnel with IPSec
- Security Audit: performs a router security audit and provides easy instructions on how to lock down the insecure features found
- Reset: restore to factory default settings

Security Audit : 

SDM provides a checklist of the security faults found.

Security Audit : 

Fix the fault you want SDM to secure. Review the summary of changes that will be delivered to the router.

Quick Setup – Site-to-Site VPN Configuration : 

- Select the existing interface for this VPN connection
- Identify the remote VPN peer
- Both sides must agree on the pre-shared key
- Select the source (inside) interface
- Enter the destination IP addresses that will be permitted to enter the tunnel
- Automatically creates an access list to permit IP traffic between the source and destination networks

SDMv2.0 Key Features (September 2004) : 

New hardware:
- New ATG platforms
- GigE ports
- VAM2 Plus recognition and support

SDMv2.0 Key Features & Benefits : 


SDMv2.0 Key Features & Benefits (Cont.) : 


CISCO IOS FIREWALL : 

Highlights for Releases 12.2S & 12.3(4th)T : 

- Certification update
- Head-end update
- QoS for traffic policing
- Network Admission Control
- Dynamic IDS signatures: Cisco will instantly support 680 signatures! Leverages the Cisco IDS Sensor signature database and IDS MC for management
- IPsec/IKE tunnel scalability (16K tunnels) – this is at the infrastructure level; it will contribute to handling a greater number of sessions as hardware and other functionality continue to scale
- Cisco AutoSecure rollback support
- Security Device Manager (SDM): September 2004, in back-up
- Official DMVPN spoke-to-spoke support