White Paper


Network Security—Embedded in the Network,
Integrated in the Product


Today's networks are more extensive in terms of geographic reach and the internal and external communities they interconnect. They are more complex, support a wide variety of applications and services, and handle converged data, voice, and video traffic across wired and wireless connections. They are also increasingly open—they use untrusted public networks, connect partners, and are a business tool that touches both customers and suppliers. In fact, the division between private and public networks has blurred.

The extensive, complex, and open nature of the network environment increases the need for robust and comprehensive security, because any point the network touches must be protected, as well as protected against.

This paper discusses and describes embedded, integrated security as the only effective method of protection. It outlines the drivers for integration and then considers some of the existing and new additions to Cisco Integrated Network Security Solutions. The paper is intended for the technical decision maker.

To begin, please review the following definitions:

"Integrated security" describes the security functionality that is provided on a networking device, for example on a router, switch, or wireless access point. As traffic passes through a networking device, it must be scanned and analyzed, then allowed to continue, partitioned, or rejected. This requires that the integrated security device possess intelligence, performance, and scalability.

"Embedded security" refers to security functionality that is distributed across key locations in the network infrastructure—for example, at the end user workstation, in remote branches, in the campus, and in the data center.

Embedded, integrated security must defend the network against external and internal threat, always striking a balance between the need for access and the need for protection.

That means security functionality must be embedded and integrated everywhere—from the campus core to the endpoints of the network—but that it also must be transparent to the user and application.

The goal is to deploy a set of security capabilities that together create an "intelligent self-defending network" that can identify attacks as they occur, alert as appropriate, and then automatically respond, without user intervention.

Drivers for Integration

This section considers factors that drive the need for integrated, embedded network security.

Increased Threat

The network is increasingly both a target and a source of attack:

  • A recent study by Riptech, a real-time information protection company, reveals that network security breaches are up 28 percent from the last half of 2001 to the first half of 2002.
  • A 2002 FBI report reveals that 85 percent of the businesses surveyed have detected computer security breaches within the last 12 months.
  • The threat may come from untrusted outsiders or trusted employees. In their 2001 survey, the FBI found 91 percent of respondents reported insider network abuse.

Threats may originate from deep within the organization, or from the very edges of the network. The implication is that protection must exist at all points in the network, not just the perimeter or the ingress/egress to untrusted domains. Only security that is embedded and fully integrated can provide this pervasive defense.

Organizational Impetus

The responsibility for security policy, deployment, and purchase is changing. The network operations (NetOps) and security operations (SecOps) teams no longer operate in an isolated manner.

The traditional deployment model has been for NetOps to purchase and roll out the networking infrastructure, while SecOps, with a significantly smaller budget and resource base, acted as a discrete and highly specialized team. The two teams had different, divergent roles—the function of NetOps was to provide access, while SecOps had the mission to limit access.

This led to intraorganizational tension. However, the increased threat level and need to secure new technologies such as wireless and IP telephony has since forced SecOps and NetOps to work more closely together. In addition, the CxO level is now increasingly involved in security strategy and deployment, and this executive level of involvement has more closely drawn NetOps and SecOps together.

In an August 2002 survey of 400 Cisco customers, when asked who was responsible for security, 45 percent of those surveyed responded that it was a combination of SecOps and NetOps (36 percent NetOps answered, 7 percent SecOps, and 2 percent the applications management team). The current trend is for SecOps to carry responsibility for policy definition and NetOps to have responsibility for policy deployment.

Organizational integration drives the requirement for integrated and embedded security. If SecOps and NetOps are jointly deploying security, the task is greatly simplified when the security solution is an integrated one.

Total Cost of Ownership

Security deployment is a priority for all organizations. But budgets are tight in today's economy. Integrated security offers the lowest total cost of ownership:

  • Adding security services to an already deployed networking device means the existing chassis, power supply, LAN/WAN cards, and other components can be reused. If the networking device is itself modular and offers scalable performance, cost of ownership is further reduced.
  • Existing management and monitoring systems can manage the new security services.
  • Current support contracts may either cover or be cost-effectively extended to cover new security capabilities.
  • The requirement for staff training may be reduced when existing systems are "reused" as security platforms.
  • Where load balancing is deployed as part of an integrated security solution, the organization can reduce the number of, and hence investment in, servers and security systems such as firewalls.

Exploding Scale

This paper has discussed the increasingly extensive nature of the network, which is one aspect of the scale issue. The network must now cope with an expanded population of users, sites, and services. It must handle ever-increasing amounts of traffic, whether data, voice, or video. The network now includes wired and wireless connectivity.

Effectively managing this environment is very challenging, if not impossible, unless an organization takes an integrated approach. The scale problem is significantly reduced, for example, if an integrated management system is available to manage a network of integrated devices, supported by a unified identity framework.

Product Availability

Between 2000 and 2002, there has been a significant move from single-function networking and security devices to multifunction systems. Networking devices such as routers and switches now provide enhanced connectivity and networking services with the addition of sophisticated security services.

In parallel, single-function security appliances such as firewalls and VPN concentrators have benefited from additional security services such as intrusion detection. In summary, the availability of products offering integrated features helps propel or at least satisfy the market requirement for integration.

Solution Integration

Finally, all components of the network must interoperate and function as a cohesive whole.

  • Consider the data center. It contains multiple servers connected to the external environment via switches and routers. The servers must be protected. The routers and switches must have their own countermeasures to defend themselves. In addition, the entire architecture must be available and scalable, as well as maintain an integrated management subsystem that controls it.
  • Consider LAN-based wireless deployment. Several security threats are posed by this increasingly popular technology. Wireless traffic must be protected from interception. The network must be protected against wireless intruders in the same way as it is protected against wired threats. In addition, rogue access points, created without corporate knowledge, may lack robust countermeasures. Only an integrated approach to network security can protect this environment. Wired Equivalent Privacy (WEP), Cisco Lightweight Extensible Authentication Protocol (LEAP), and IPSec provide increasing levels of access control and encryption, providing secure conduits to the wireless access point and beyond. VLANs implemented behind the access point can restrict traffic to appropriate domains. Intrusion protection and firewalling can provide protection once traffic is decrypted.

The Cisco Integration Strategy

The integration of security throughout the network is a fundamental aspect of Cisco's development and marketing strategy. Cisco's integration plans have the following components:

  • To provide an increasing amount of security functionality integrated within Cisco IOS® Software. This software cuts across all Cisco platforms—from the teleworker and remote office solution extending to the head end.
  • To provide security functionality within discrete security appliances and within integrated networking devices that also provide LAN and WAN connectivity.
  • To provide a management and monitoring infrastructure that supports the easy deployment of integrated, embedded security.
  • To provide a scalable and high-availability security framework. The network is now an essential business tool that can never be out of service.
  • Finally, to provide a deployment model for customers and organizations wanting to deploy integrated embedded security. This is the function of the Cisco SAFE Blueprint.

Waves of Integration in Cisco IOS

Cisco IOS Software is the value-added software that operates all Cisco routers and switches. It has extensive security functionality, which is increasing with every new release. Cisco IOS functionality has evolved from permit-deny access techniques such as access control lists (ACLs) to the support of multiple VPN types, intrusion protection, sophisticated identity services, and firewalling.

Cisco IOS Software can now deliver three tiers of functionality:

  • Robust security services
  • Comprehensive IP services such as routing, quality of service (QoS), multicasting, and voice over IP (VoIP)
  • Secure management, protecting management traffic and Cisco IOS Software management capability on devices

Integration of the three tiers differentiates Cisco IOS Software. A prime example of a solution that benefits greatly from the integration of Cisco IOS Software is the Cisco Voice and Video-Enabled IPSec VPN (V3PN) Solution. This solution provides dependable quality and resiliency for encrypted voice and video traffic through new low-latency QoS features in Cisco IOS Software, with IPSec stateful failover to eliminate dropped calls.

Integrated Appliances and Networking Devices

Security appliances are purpose-built security systems that incorporate one or more security functions—for example, a firewall that also provides VPN or intrusion protection capabilities. The Cisco PIX® Firewall supports a plug-in VPN module, as well as VPN and intrusion detection system (IDS) software.

Integrated networking devices provide network connectivity (LAN, WAN, or both), IP services, and security services—for example, a router that also provides firewalling. Cisco SOHO 90 and 831 routers are newly released examples of remote office solutions providing integrated security and Ethernet and ADSL connectivity (Figure 1).


Figure 1
The Cisco 831 Secure Broadband Router: 2-Mbps hardware accelerated encryption, advanced QoS, advanced VPN, and routing

Another example of the integrated functionality in Cisco IOS software is the intelligent switch that provides both Layer 2 and 3 switching and security. The Cisco Catalyst® 6500 Switch now supports intrusion protection, firewall, VPN, Secure Socket Layer (SSL), and other security modules.

Today's organizations can choose between an appliance and an integrated networking device. To decide, these factors must be considered:

  • Budget. Deploying security capabilities on an existing networking device might provide the lowest cost of deployment and the lowest ongoing total cost of ownership. In addition, the existing management infrastructure might be reused to manage the additional security functionality.
  • Simplicity. The single-function or dedicated security device might be the simplest to deploy and manage. A multifunction device has, by definition, multiple elements to configure and manage, which can increase the likelihood of misconfiguration. By contrast, a single-function security appliance has a more limited set of capabilities to configure.
  • Modularity. For a branch site, the integrated networking device providing security and connectivity in a single platform may be the ideal choice. For head-end or larger deployments, however, a modular approach may be preferable. For example, the Cisco Catalyst 6500 has a flexible, adaptive, and modular architecture, which can be future-proof.
  • Organizational control. SecOps may require a platform that only the team can monitor, configure, and manage, which may influence the team to choose an appliance rather than an integrated networking device. By contrast, when NetOps is responsible for security deployment, the team may choose an integrated networking device for simplicity.

Scalable, Available Networks

A scalable infrastructure can grow as needs evolve. Availability ensures that critical applications and services are always accessible to users with no service interruptions. From a business perspective, a resilient network is required. Today's organizations have several ways to provide a scalable, highly available infrastructure:

  • Load balancing network traffic and requests for service across multiple switches and servers, or even across data centers. The benefits include the ability to cope with peak volumes of traffic, and a reduction in the amount of the networking equipment required to support a given traffic load. Some examples of load-balancing solutions are the module available for the Cisco Catalyst 6500 Switch, and the Cisco CSS 11000 and 11500 content switches.
  • Stateful failover helps ensure backup if a device goes out of service, without any perceivable loss of connection to the end user. Cisco IOS routers and Cisco VPN 3000 concentrator platforms are examples of products that provide stateful failover. Stateful failover features provide a backup capability, but can potentially lose connection at the point of failover.
  • Redundancy. Redundancy is the duplication of devices so that, in the event of failure, a redundant module within a network device—or multiple redundant network devices—can perform the work of those that failed.
  • Disaster Recovery. Multisite disaster recovery can be accomplished using global server load balancing (GSLB), a capability which is found on the Cisco GSS 4480 Global Site Selector. By continuously monitoring the load and health of Cisco server load balancers, it helps ensure users are quickly rerouted to a standby data center if a primary data center overload or outage occurs.

The Cisco SAFE Blueprint

The Cisco SAFE Blueprint provides a series of guidelines for security deployment. The blueprint provides tangible steps for organizations actively seeking to deploy integrated, embedded security. Cisco SAFE Blueprint white papers are written from a product agnostic perspective, which means they do not specifically recommend Cisco products as the basis for security deployment. They also assume a heterogeneous environment may exist.

Cisco SAFE Blueprint white papers now exist for enterprise and small and medium-sized business. Some dedicated white papers cover VPN, secure wireless, and secure IP telephony deployment.

As one example, Cisco has provided a blueprint specifically for the enterprise, where the network is split into modules since a modular approach helps deployment and budgeting. Within modules, the Cisco SAFE Blueprint recommends an optimum design for reliable network security. The corporate Internet module provides access from the campus core to the untrusted Internet domain. To provide comprehensive network security, the network has overlapping layers of secure routers providing access control, network and host-based intrusion detection systems scanning for attack signatures, and VPN tunnel initiation and termination devices.

The Cisco Security Portfolio

This section examines five essential network security technologies that should be embedded within the network and integrated into the products that comprise the network infrastructure. These security technologies must be simultaneously deployed as overlapping countermeasures to create what is known as "defense in depth." If one defense is compromised, the network does not lose its security coverage.

Extended Perimeter Security

The role of today's firewalls extends beyond protecting a corporate network from unauthorized external access. Firewalls can also prevent unauthorized users from accessing a particular subnet, workgroup, or LAN within a corporate network, guarding borders known as the "extended perimeter." The perimeter no longer exists solely at the boundary between the trusted internal and untrusted external network, and FBI statistics indicate that 70 percent of all security problems originate from inside an organization. Cisco offers three firewalling solutions:

  • The Cisco PIX 500 Series Firewall delivers strong security in an easy-to-install, integrated security appliance that offers outstanding performance. The Cisco PIX Firewall series spans the entire security appliance spectrum, from cost-conscious desktop firewalls for teleworkers and small offices, to carrier-class gigabit firewalls for the most demanding enterprise and service provider environments. Cisco PIX Firewalls deliver up to 500,000 simultaneous connections and nearly 1.7 gigabits-per-second (Gbps) aggregate throughput—while providing world-class security, reliability and customer service.
  • Cisco IOS Software provides powerful firewall, intrusion detection, and VPN capabilities. This integrated security solution eases policy enforcement throughout the network and uses an organization's previous investments in Cisco infrastructure.
  • Installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Series Internet Router, the firewall services module allows any port on the device to operate as a firewall port and integrates stateful firewall security inside the network infrastructure (Figure 2). This modularity becomes especially important where rack space is at a premium.

Figure 2
Firewall Services Module for Catalyst 6500—100,000 connections per second and 5 Gbps throughput per module

The Cisco Catalyst 6500 is the IP services switch of choice for customers requiring intelligent services such as firewall services, intrusion detection, and virtual private networking, along with multilayer LAN, WAN, and MAN switching capabilities. It is also the choice for customers that require the highest levels of firewalling performance, with up to 20 Gbps of firewall throughput from a single chassis.

Intrusion Protection

Intrusion protection systems must deliver comprehensive security solutions for identifying and combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-business application attacks.

There are two major types of intrusion detection:

  • Network protection, which provides security for network segments, examining traffic as it passes along those segments
  • Host intrusion detection, which provides an effective defense for hosts and services within the network

The Cisco intrusion protection portfolio features the following components:

  • Cisco IDS sensors support the broadest range of network deployments, from small businesses to the largest enterprise and service providers environments that demand high-speed, resilient solutions. The sensors use sophisticated detection techniques, including stateful pattern recognition, protocol parsing, heuristic detection, and anomaly detection to provide comprehensive protection from a variety of both known and unknown network threats.
  • The Intrusion Detection System Module for the Catalyst 6500 Series is positioned for distribution and data-center deployments. It delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-business application attacks.
  • Cisco IDS Host Sensor safeguards the server using a combination of behavioral rules and signatures to prevent known and unknown attacks, rather than merely detecting and reporting attacks after they occur. The Cisco IDS Host Sensor Standard Edition Agent protects hosts by evaluating requests to the operating system before they are processed. The Web Server Edition Agent proactively protects the Web server application by evaluating requests to the Web application, the Web server application programming interface (API), and the operating system before they are processed. It combines both operating-system and Web-application protection, giving an unparalleled depth of security against known and unknown attacks.
  • Both the Cisco PIX Firewall and Cisco IOS Software-based systems offer intrusion protection.

Secure Connectivity

Traffic must be protected as it travels across unprotected domains and network segments. The two main technologies providing secure connectivity are:

  • VPNs. VPNs provide network-layer secure connectivity. The most prevalent protocol for VPNs today is IPSec, which provides authentication, encryption, and address concealment. It is used both for site-to-site secure connectivity and for remote-access connectivity to the head office.
  • Secure Socket Layer (SSL), a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http. SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely. The Internet Engineering Task Force (IETF) has approved it as a standard.

Cisco provides an extensive family of network platforms that provide LAN and WAN connectivity. Many Cisco routers and switches have already been integrated with secure connectivity capabilities.

VPN capabilities are also built into the Cisco PIX 500 Series Firewall. In addition, for dedicated remote access VPN deployments where scalability and ease of management are primary concerns, the Cisco VPN 3000 Concentrator plays a crucial role. The Cisco 7100 Series VPN Router offers hardware-accelerated VPN throughput and advanced data, voice, and video VPN networking.

As an alternative, Cisco provides SSL offload and termination capabilities on its network switches via plug-in SSL modules, and on a range of dedicated SSL appliances and content switches.

Identity

Identity is a key component of the security infrastructure. Identity-based networking services enable users to be identified based on parameters such as username, IP address, and MAC address, and then given specific access privileges—for example, access to specific portions of the network, to specific applications, or to specific network services. Important trends in identity include increasing granularity of access rights and the ability to dynamically and proactively assign access privileges.

Two essential elements relate to identity. First there is the creation of identity policy. Second is policy enforcement. In the Cisco identity services portfolio, the policy definition function is carried out by the access control server, which interacts (through LDAP) with a server-based user directory. Identity policy enforcement is then conducted by the switch, router, or other network device.

The integration of all policy and enforcement differentiates the Cisco identity services portfolio. For example, Cisco switches and wireless access points work with the Cisco Access Control Server (ACS) to provide port-based security on a granular and dynamic basis. A user connecting to the network via a Cisco switch or access point uses 802.1x for authentication purposes. The Cisco extensions to the 802.1x protocol are crucial. The user can be placed in a particular VLAN and given specific access privileges. Because of 802.1x, even as a user travels around the network, from one physical location to another, a security policy moves with the user. Regardless of the user's location, the user will experience a consistent security policy and access.

The Cisco ACS underpins the 802.1x implementation, offering a centralized command and control for all user authentication, authorization, and accounting from a Web-based, graphical interface. It also distributes those controls to hundreds or thousands of access gateways in the network. With Cisco ACS, an organization can manage and administer user access for Cisco IOS routers, VPNs, firewalls, dial and broadband DSL, cable access solutions, voice over IP (VoIP), Cisco wireless solutions, and Cisco Catalyst switches via IEEE 802.1x access control. In addition, the organization may use the same Cisco ACS access framework to control administrator access and configuration for all TACACS+ enabled network devices.

Security Monitoring and Management

The benefits of an integrated security infrastructure can be truly realized only if the network maintains an integrated policy, management, and monitoring system that supports it.

The management subsystem requires four components:

  • It must provide element management of individual devices and systems within the network.
  • It must support security policy creation and control, known as the "smart rules" concept.
  • It must provide active surveillance of the network, and any security event that occurs within it.
  • It must provide analysis that supports the ongoing design and structural improvement of security within the network.

Within the CiscoWorks VPN/Security Management Solution (VMS) all four elements are provided as part of a single integrated offering. CiscoWorks VMS combines Web-based tools for configuring, monitoring, and troubleshooting Cisco IOS Software-based VPNs, Cisco firewalls, and network and host intrusion detection systems.

The management infrastructure and each of its connections must be secured and management privileges must be strictly controlled through centralized role-based access. Cisco is unique in securing the elements, infrastructure, and rights and privileges from one integrated location.

The management framework must be scalable. This capability is provided through the Auto Update Server (AUS), which is also part of CiscoWorks VMS. It enables devices, even remote and dynamically addressed devices, to periodically "call home" to an update server and "pull" the most current security configurations of the Cisco PIX Firewall Software. Without Auto Update, a manual process is required to update each remote device. In addition to easier and faster policy updates, Auto Update also provides consistent policy deployments.

Cisco is continually extending its management capabilities. The CiscoWorks Hosting Solution Engine (HSE) is a turnkey, hardware-based solution for e-business operations in Cisco powered data centers. It provides up-to-date fault and performance information on network infrastructure and Layer 4-7 services, saving time and resources in daily operation. It can also offer tiered user access to server managers in different organizations for taking respective servers in and out of service as well as configuration of Layer 4-7 hosted services. For IT departments, CiscoWorks HSE enables centralized network and service operations with autonomous application management by individual business organizations. It easily integrates with existing upper layer NMS/OSS while extending manageability to e-business operations.

Examples—Integration at Work

This paper considers the requirement for integration and how security may be embedded in the network. This section examines specific examples of how integrated security can be implemented. These examples outline specific security threats where only an integrated solution can provide effective countermeasures.

  • Securing Web-based applications—The rate of deployment for Web-based applications is growing rapidly. But how can the transaction, user, and server be protected? SSL encryption of application traffic is one step, but it can cause high CPU utilization on the server, and the network also needs to inspect potentially harmful SSL payloads. An integrated security solution entails:
    • Offloading SSL decryption to a content switch such as the Cisco CSS 11500 Content Services Switch or the Content Switching Module (CSM) for the Cisco Catalyst 6500 Series
    • Passing the decrypted traffic through IDS to protect back-end servers
    • Optimizing the offloaded traffic through Layer 4-7 load balancing, including global server load balancing (GSLB) solutions such as that provided by the Cisco GSS 4480
  • Preventing unauthorized access—802.1x is a client-server-based access control and authentication protocol. It prevents unauthorized devices from connecting to a LAN through publicly accessible ports. Each user device connected to a switch port is authenticated before any services are made available. Following authentication, the RADIUS server sends a VLAN assignment to the switch for that user, and the switch then configures the attached port for the specified VLAN. In summary, 802.1x-authenticated ports are assigned to a VLAN based on the username of the user connected to the port. In this example, the RADIUS server, switch, and 802.1x client must interoperate to provide robust security.
  • Secure connectivity from the branch office to the head office—Cisco provides integrated access solutions for all price-performance-capacity requirements:
    • At the remote office, a Cisco IOS Software-based solution such as the Cisco 830 or SOHO 90 Series routers blends security, VPN, and IP services; an appliance-based solution such as the Cisco PIX 506 Firewall combines firewalling, VPN, and intrusion detection.
    • For the regional branch, the Cisco 2600, 3600, and 3700 Series routers can now be equipped with next-generation VPN modules that offer DES, 3DES, AES, and hardware compression. This increases VPN throughput by 5 to 10 times while decreasing CPU utilization by half. Because the modules are installed in the routers' AIM (Advanced Integration Module) slot on the motherboard, the routers maintain open slots for voice, WAN, and LAN interfaces.
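The 802.1x VLAN assignment described above (and in the Identity section) rests on one RADIUS message: the Access-Accept carrying the RFC 2868 tunnel attributes that the switch reads as a VLAN. The code below is an added illustration written for this page, not Cisco code or a RADIUS library; it builds that Access-Accept on the server side and shows the two things the switch side must do before moving the port: verify the Response Authenticator against the shared secret, then require a complete, consistently tagged VLAN assignment. The shared secret, packet identifier, request authenticator and VLAN number are constructed values.

```python
"""RADIUS Access-Accept with an RFC 2868 VLAN assignment, as a switch consumes it."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2               # RADIUS packet code (RFC 2865)
TUNNEL_TYPE = 64                # attribute types used for VLAN assignment (RFC 2868/3580)
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type value meaning "IEEE 802"


def _attr(atype, value):
    """Encode one attribute as Type, Length, Value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def vlan_assignment_attrs(vlan_id, tag=1):
    """Server side: the three attributes that tell the switch to put the port in vlan_id.
    Tagged integers are a 1-byte tag plus a 3-byte value; the group id is a tag byte
    followed by the VLAN number (or name) as a string."""
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret),
    so the reply is bound to the request it answers and to the shared secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Switch side: a reply that does not verify must be ignored, whatever it contains."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(body):
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def extract_vlan(packet):
    """Return the VLAN to assign, or None when no complete assignment is present.
    All three attributes must share one tag, Tunnel-Type must be VLAN and
    Tunnel-Medium-Type must be IEEE 802; otherwise the port stays in its configured VLAN."""
    by_tag = {}
    for atype, value in parse_attrs(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[atype] = group.decode("ascii", "replace")
    for entry in by_tag.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in entry):
            return entry[TUNNEL_PRIVATE_GROUP_ID]
    return None


def switch_decision(packet, request_authenticator, secret):
    """What the authenticator (switch) does with a reply: verify first, then read the VLAN."""
    if not verify_response(packet, request_authenticator, secret):
        return ("reject", None)     # unverifiable reply: the port stays unauthorized
    return ("authorize", extract_vlan(packet))


if __name__ == "__main__":
    # Constructed values: fixed request authenticator, demo shared secret, VLAN 20
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    accept = build_access_accept(7, req_auth, secret, vlan_assignment_attrs(20))
    print(switch_decision(accept, req_auth, secret))           # ('authorize', '20')
    print(switch_decision(accept, req_auth, b"wrong-secret"))  # ('reject', None)
```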

Conclusion

This white paper has examined the requirement for integrated, embedded security. In essence, only an integrated, embedded solution can protect the extensive, open, complex network that is so prevalent today.

It has discussed the multiple, overlapping layers of critical network security technologies that your organization needs to protect its network.

Finally, it has examined Cisco Integrated Network Security Solutions. Cisco has been an active partner in building many organizations' network infrastructures. Cisco can provide the integrated embedded security to protect them from the network security threats of today, and the threats of tomorrow.

For more information about Cisco security solutions, visit:

www.cisco.com/go/security