Milan/Rome, 23 November 2006
Welcome to the Security
Marco Misitano, misi@cisco.com
marco misitano :: misi@cisco.com :: © 2006 Cisco, All rights reserved.

Agenda
09:00 - 09:30  Registration
09:30 - 10:00  Welcome and introduction
10:00 - 10:30  Cisco strategy for 2007 and news from Product Management
10:30 - 10:45  How to steer customers towards ASA
10:45 - 11:15  Coffee break
11:15 - 12:00  ASA new product lineup, new features and roadmap
12:00 - 12:45  Cisco NAC
12:45 - 13:30  Lunch break
13:30 - 14:00  Partner self-enablement tools
14:00 - 14:30  Security management: what's new in MARS and CS-Manager
14:30 - 15:30  Technical session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00  Closing and prize draw

A few housekeeping items
- Milan and Rome
- Logistics
- Prizes
- Evaluation form
- Questions and answers
- ...

Upcoming events (no more excuses for saying "I didn't know...")
- Networkers, 30 January - 2 February 2007, Cannes
- ASA Training, 18/19 December, Monza (2 days)
- ISR Security, 18 January 2007, Monza
- ISR Security, 19 January 2007, Rome
- Expo, 6-7 March 2007
- PINT Security, 16 May 2007 (Monza + Rome)
- Security Sales Enabler Seminar, 11 January Vimercate, 12 January Rome

Networkers 2007
- 3000+ attendees expected from Europe, Middle East and Africa
- The 2007 Technology Roadmap is articulated around 9 technology tracks: Application Optimisation Technologies, Campus and Wireless Evolution, Data Centres, IP & MPLS Infrastructure Evolution, IP NGN Architectures and Technologies, Management and Operations, Mobility, Security, Unified Communications Technologies
- More than 100 sessions delivering in-depth innovation technology content
- Technology panels and case study sessions
- 22 techtorials covering technology updates or project-based case studies (on techtorial day, Dec 12)
- Targeting 111 Strategic Solutions partners showcasing innovative solutions in the World of Solutions (exhibition)
- NEW: 11 labs offering hands-on mentored technology sessions
- The Networkers Innovation Awards Ceremony will reward those companies that have deployed and successfully implemented innovative technologies
- 1 FREE Cisco Career Certification or CCIE Written Exam per registrant
- 200+ Cisco technology experts in all technology areas available
- And... a customer appreciation event not to be missed!
Registration live at www.cisco.com/networkers
Security Product Management Update
Maurizio Taffone, PM Security - European Markets
PINT Rome-Milan, November 21st, 2006
TMO-Security 2006-2007 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda
- Product update, key portfolio innovations: ASA, IPS, ISRs, high-end routers
- Product focus: ASA, IPS, NAC

Product Update

Cisco ASA 5500 Series and Catalyst 6500 Services Modules
[Chart: security services platforms against performance. Cisco ASA 5500 platforms: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550. Security services modules: SSC (new), SSM-10, SSM-20. Catalyst 6500 service modules: FWSM, IDSM-2, Anomaly Detector and Guard. Performance axis: 100 Mbps, 300 Mbps, 500 Mbps, 1 Gbps, 1-2+ Gbps.]

Cisco Intrusion Prevention Family
[Chart: Cisco IPS platforms against performance. NM-CIDS 45 Mbps; IDS 4215 65 Mbps; SecureWAN IPS 9-45 Mbps (new); AIP-SSM for the Cisco ASA platform, 150-450 Mbps firewall + IPS; IDS 4240 250 Mbps; IDSM-2 blade 500 Mbps; IPS 4255 600 Mbps; IPS 4260 1 Gbps (new); Catalyst 6500 IDSM-2 bundles. Performance axis: 50 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps.]

Cisco Router Security Portfolio
[Chart: Cisco router security platforms, "Confidential Communications Leadership NOW!". Platforms: Cisco 800 Series ISR, Cisco 1800 Series ISR, Cisco 2800 Series ISR, Cisco 3800 Series ISR, Cisco 7301, Cisco 7200 Series (NPE-G2 and PA Jacket Card, new), Cisco 7600 Series / Catalyst 6500 Series. IPsec VPN throughput axis: 30, 45, 66 and 180 Mbps, with 5K, 8K and 16K tunnels at the high end; SSL VPN axis: 2, 25, 50, 100 and 150 users. VPN modules (new, Sep-06, SSL & IPsec): AIM-VPN/SSL-1 95 Mbps / 50 users, AIM-VPN/SSL-2 145 Mbps / 100 users, AIM-VPN/SSL-3 200 Mbps / 200 users; VAM II+ 280 Mbps; VSA 950 Mbps; IPsec VPN SPA 2.5 Gbps x 10 = 25 Gbps.]

Product Focus: ASA

Cisco Adaptive Security Device Manager (ASDM) v5.2 Dashboard
Provides an at-a-glance view of system status. The dashboard gives instant status of items such as:
- Software versions installed
- Interface status and throughput
- Platform uptime
- Security contexts
- Real-time syslog viewer (last ten)
- Powerful search capabilities
- And more!

Now available in ASDM 5.2: New Rule Table
Many enhancements coming to the primary focus area:
- Redesigned rule table for streamlined policy creation
- Create objects, object-groups and rules from a single UI
- Policy visualizer provides a graphical view of actions
- Policy query in the rule table for advanced filtering
- "Show log" for a particular access rule in the real-time log viewer
- Options to expand and display elements in an object group
- See the attributes of an object or the members of a group via tooltips

Now available in ASDM 5.2: Packet Tracer
Live tool to determine the day in the life of a packet. Packet tracing enables the injection of arbitrary packets through the system to audit policy configuration and enforcement.
Benefits:
- Enables policy tuning and refining
- Enables rapid troubleshooting
- Simplifies fault isolation in complex policy environments
- First proactive debugging tool

Now available in Cisco ASDM 5.2: Logging Enhancements
- Structured syslogs in the real-time log viewer: all syslogs are parsed into a tabular structure
- Coloring of logs based on severity
- Integrated syslog guide within the real-time log viewer: "Explanation" and "Recommended Action" for each syslog
- Single-click rule creation from a syslog
- Show the access rule that generated a given syslog

Product Focus: IPS

Cisco IPS IDSM-2 Bundle: 2 Gbps IPS solution
Includes: 6506 + SUP32 + 4 x IDSM-2 + interfaces
- 2 Gbps of performance
- Leverages the reliability of the Catalyst switch chassis
- Single, simultaneous policy push to all blades for seamless configuration
- Supervisor redundancy capability
- Flexible interface options: 8 x 10/100/1000 or 2 x 10GE
- DC power option for SPs and telcos
- Redundant power supply
- Easy ELB configuration
- Additional slot for increased port density / other services
- CatOS and IOS support
Availability: NOW!

Product Focus: NAC
NAC Statements
Cisco strategy:
- Provide a comprehensive NAC solution today
- Provide a NAC solution leveraging the customer's network and system infrastructure today
- Provide value-add features leveraging Cisco's network and system infrastructure
Go-to-market:
- Lead with NAC Appliance in the next 12-18 months
- Position "VPN/Wireless/LAN" and "Enterprise-ready"
- Market NAC "now"

NAC Strategy - Update
Challenge: How do I explain the multiple Cisco NAC approaches?
Answer: It is about the total product lifecycle. Just as Cisco offers firewalls/IPS in three different forms (appliance, network modules and embedded), it offers NAC in the same formats. Customer environments are complex and may use multiple approaches to implement NAC.
Challenge: The customer is eager to deploy wired 802.1X.
Answer: Slow-roll the 802.1X project. Direct customers to prioritize posture requirements first by selling NAC Appliance. Ensure the customer focuses on deploying 802.1X from Cisco.

NAC Strategy - Why Now?
Challenge: Customers want to wait.
Answer: Understand and explain the maturity cycle. NAC undergoes a maturity cycle, from SNMP (established) to 802.1X (maturing technology). Start with the proven SNMP solution today, then migrate over time as 802.1X in the LAN matures. Appliance technology TODAY has in-band and out-of-band (OOB) SNMP modes and will have 802.1X overlay support.
Challenge: Customers want to wait for NAC/NAP.
Answer: Understand the customer's network and business drivers. NAC Appliance supports a "total customer business environment" today. With Microsoft, we support AD, GPO, WSUS, SMS, Windows XP/2000/98/ME and security updates. Plus, NAC Appliance supports heterogeneous networks: Mac, Linux, PalmOS, etc.

NAC Appliance Microsoft Support
Current:
- Windows OS support: XP (Home/Pro/MCE/Tablet), 2000/ME/98 (Agent); WinCE/WinMobile (agentless)
- AD Single Sign-On: Windows 2003/2000 Server
- Windows hotfix/AV checks: auto-updates to pre-configured hotfix and OneCare AV checks
- IE 7.0 and Vista support: Vista Agent within 30-45 days of Vista commercial availability
New in 4.1:
- GPO launch post-authentication (4.1): ability to launch a GPO to tie AD desktop policy to the access VLAN
- WSUS Agent immediate launch (4.1): ability to force the WSUS agent to remediate now
- Microsoft SMS Agent remediation (4.1.x): launch the SMS Agent during remediation or when x days old
- Windows Update via WSUS: ability to configure Windows Update and launch the WSUS agent for auto-remediation
- Login script "hold" configuration: a configuration to hold login script mapping until the access VLAN
Future: Cisco NAC/Microsoft NAP integration. Technology proven and in beta today!

New Features in Release 4.1 (enterprise agent, deployment and reporting features)
- CAS fallback
- Silent audit
- Enhanced reporting
- Agent/applet release/renew (for IPT)
- Close login/logout screen after x seconds
- OOB switch OID via updates
- Trigger GPO update
- Launch any "signed" executable
- CDL timer enhancement
- Mac OS X Agent (auth only)
- 14 international languages

Q and A
23 November 2006
How to steer customers towards ASA
Roberto Mircoli, Business Development Manager, rmircoli@cisco.com
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved.

Agenda
- Market evolution
- ASA: how to accelerate demand
- ASA: how to handle objections
- ASA: some sales tools
- Q&A

MARKET EVOLUTION
Good news and bad news...

SECURITY - Market Dynamics Summary
- Security appliances are ideal for remote offices and SMBs, which Italy has in abundance. IDC estimates that Italy will enjoy the highest 2005-2009 CAGR (31.9%) for security appliances in all of Europe.

Annual growth (%) - Italy
Year        Firewall & VPN   IDS & IPS
2007-2008   6.2              15.7
2008-2009   3.0              10.8
Source: Cisco analysis

- IDC estimates that UTM security appliances in particular will grow in Italy at a 69.1% CAGR over 2004-2009.
- Italy has a very large installed base of PIX and VPN3K that should be systematically migrated to ASA (the series is finally complete: ASA 5505 to ASA 5550).
[Chart: Advanced Security EMEA, CY2005 to CY2008, $0 to $800,000,000, by segment: SSL VPN gateways, NIPS & HIPS, gateway anti-virus, security management; Cisco offerings mapped to each segment: SSL VPN, host & network IPS, CSC-SSM, MARS/CSM/ICS/CCA. Source: Infonetics, March 2006 and DataMonitor, Oct. 2005.]

Cisco Adaptive Security Appliance: here is the value proposition!
1. Adaptive, converged security services and great VPN flexibility. "ASA provides complete protection against today's threats with integrated firewall, VPN, IPS and Anti-X functionality."
2. Lower CapEx and OpEx for you and your customers. "Standardize all your security needs on a single platform and benefit from one tool for multiple security services."
3. Lower pre-sales costs. "Build your skills on a single platform while still being able to offer differentiated products and services to your customers: firewall, VPN, IPS, Anti-X."
4. Ease of configuration and management. "Cisco includes the Cisco Adaptive Security Device Manager (ASDM) free of charge, a powerful and greatly simplified tool for managing and monitoring ASA."
5. Future-proof investment protection. "Security needs inherently change over time: the performance and modularity of ASA let you expand the security services at your customers over time."

GENERATING AND ACCELERATING DEMAND
Let's explore new perspectives...

Generating demand for Anti-X services
1. Do you still have problems with viruses and worms?
2. Is mitigating spyware and malware a priority for your company?
3. Is SPAM congesting your network and hurting the productivity of your staff?
4. Do you want more control over the use of Internet access, to improve the protection of your IT environment and the productivity of the organization?

Generating demand for IPS services
1. Is controlling unauthorized access a priority for you?
2. Are you exploring a simplified way to introduce IPS technology into your network?
3. How are you mitigating next-generation viruses and worms on your network? Do you plan to add IPS technology in the future?
4. Is your company subject to regulatory and/or compliance constraints (e.g. privacy, SOX, Basel II)?

Generating demand for SSL VPN
1. Would you like to give your employees remote access from wherever they are, from any PC?
2. Do you need to give network access to PCs and devices not managed by your IT department?
3. Are you exploring the option of customized user portals or extranet applications?
4. Is the security of your data when accessed by remote/mobile users a priority for you?

HANDLING OBJECTIONS
If everything were easy... we wouldn't have any fun!
And yet you are still selling PIX and VPN3K...
"My customer only needs the firewall functionality."
Even when used only for its firewall functionality, an ASA performs much better than a PIX at the same price. It also opens up the possibility, for you and your customers, of adding further security functions now or in the future.
"I know the PIX well and have all the skills for it; I don't want to / can't spend time learning how to configure the ASA too."
The ASA runs the same operating system as the PIX: if you already know the PIX, you are already up to speed on the ASA.
"My customer has an installed base of PIX and prefers not to mix different products."
Since the ASA is based on the same architecture and operating system as the PIX, it can also be deployed in mixed configurations alongside existing PIXes. Also consider the attractive PIX-to-ASA trade-in program, which your customers can use to renew their security infrastructure while benefiting from the superior performance and richer security services on board the ASA.
"My customer knows and likes the VPN3K and only needs the VPN functionality."
The ASA can be used together with the VPN3K. Here too, consider the attractive VPN3K-to-ASA trade-in program, which your customers can use to renew and standardize their VPN & security infrastructure on ASA.

Cisco ASA 5500: Significant Benefits over Cisco PIX Firewall
[Chart: throughput in Mbps (0 to 300) for Firewall, Firewall + IPS and Firewall + VPN on the Cisco ASA 5510 (list price $3,495) versus the Cisco PIX 515E-R (list price $3,495).]
Cisco ASA 5510 solution benefits over the Cisco PIX 515E Firewall:
- Nearly double the price/performance
- Additional upgradeable services: Anti-X capabilities and Intrusion Prevention; integrated SSL and IPsec VPN support

Positioning ASA 5500 vs VPN3K
ASA 5500 is the replacement platform for every VPN3K and is superior from EVERY point of view:
- SSL VPN option: ASA has 10x the SSL VPN scalability; ASA offers more SSL VPN functionality and more sophisticated QoS support
- Performance: ASA performs decidedly better, 4x-50x
- Price: ASA can cost up to 45% less for IPsec functionality
- Investment protection: ASA also provides IPS, Anti-X and firewall; ASA has stateful failover and can join VPN3K clusters for load balancing and/or gradual migration

What you told us...
"There is certainly a component of 'commercial inertia': the sales people know the PIX part numbers and configurations by heart, so in the absence of different directives the PIX is still their first option today."
"We don't know ASA well yet, so unless the customer explicitly asks for it we keep positioning PIX and VPN3K."
-> Take part in Cisco's technical and commercial training
"...but between PIX and ASA, which does Cisco prefer to push more? It's not clear to me; if I knew, I would certainly align with the strategy, since it is also in our interest as resellers to offer customers platforms with guaranteed future development."
-> It is ASA; invest in demo units
"Initially, besides firewall and VPN, the only functionality available on ASA was IPS, which is rather hard to position given its complexity (configuration, log management...). The CSC-SSM module (the one with Trend Micro technology) now available is much more interesting; we consider it a real booster for ASA sales."
-> Learn more about the TMIC technology on the CSC-SSM
"Caution: when Cisco introduced ASA it was a new platform and a new software version (7.0), so we took 6 months to analyze it thoroughly before proposing it proactively."
"Selling 2 or more boxes (e.g. PIX + VPN + IDS) instead of just 1 (ASA) is better for us."
-> Encourage new attitudes among sales people

SOME SALES TOOLS
If you need anything else, let us know

Trade-in program for Cisco ASA: Cisco & competitive
- Competitor solutions included in the CTMP Security program: http://cco.cisco.com/offer/tic/Security_Migration_Plan_Promo.htm
  Check Point, Nokia, Fortinet, Nortel, ISS, SonicWALL, Juniper/Netscreen, Symantec, McAfee/Network Associates, WatchGuard
- Cisco platforms included in the TMP Security program: http://www.cisco.com/web/partners/pr11/incentive/tmp/security.html
  PIX 501, 506/506E, 515/515E, 520, 525 and 535
  IPS 4210, 4215, 4230, 4235, 4240, 4250, 4250XL and 4255
  VPN 3002, 3005, 3015, 3020, 3030, 3060 and 3080

PIX -> ASA conversion matrix
There is a replacement ASA for every PIX model!
http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1031/cdccont_0900aecd8053258b.pdf

                            ASA 5505         ASA 5510       ASA 5520       ASA 5540           ASA 5550
Target market               SOHO and ROBO    SMB and SME    Enterprise     Medium Enterprise  Large Enterprise
List price                  from $595        from $3,495    from $7,995    from $16,995       from $19,995
Max firewall                150 Mbps         300 Mbps       450 Mbps       650 Mbps           1.2 Gbps
Max firewall + IPS          Future           150 Mbps       375 Mbps       450 Mbps           N/A
Max IPsec VPN               100 Mbps         170 Mbps       225 Mbps       325 Mbps           425 Mbps
Max IPsec / SSL VPN peers   25 / 25          250 / 250      750 / 750      5000 / 2500        5000 / 5000
PIX replacement             PIX 501, 506E    PIX 515        PIX 525        PIX 525            PIX 535

ASA seeding unit: a possible example (*) - SMB business case
- Cost of an ASA5505-BUN-K9 demo unit (GPL $595, 70% NFR discount): €142
- Mark-up on the sale of an ASA5505-SSL25-K9 (GPL $3.7K, 40% discount, 8% margin): €142
- Duration of an on-site demo at a prospect: 15 days
- Deal rate (= number of sales / number of demos made): 50%
- So, without counting the pull-through of associated services, recovering the €142 investment takes the sale of just 1 ASA5505-SSL25-K9
- This is equivalent to generating a funnel of 2 prospects
- So the pay-back of an ASA5505 demo unit is around: 15 days x 2 = 30 days
Promotion valid until 31/12/2006: €3.90/month
(*) discounts may vary depending on partnership level

ASA seeding unit: a possible example (*) - mid-market business case
- Cost of an ASA5510-CSC10-K9 demo unit (GPL $7.2K, 70% NFR discount): $2,160
- Mark-up on the sale of an ASA5510-SSL250-K9 + ASA-CSC-10-INC-K9 (GPL $23.5K + $4.5K = $28K, 40% discount, 8% margin): $1.4K
- Duration of an on-site demo at a prospect: 15 days
- Deal rate (= number of sales / number of demos made): 50%
- So recovering the $2,160 investment takes (without counting the pull-through of associated services): $2,160 / $1,400 = 1.54 units of ASA5510-SSL250-K9 + ASA-CSC-10-INC-K9
- This is equivalent to generating a funnel of 1.54 / 50% = 3 prospects
- So the pay-back of an ASA5510 demo unit is around: 15 days x 3 = 45 days
Promotion valid until 31/12/2006: $60/month
(*) discounts may vary depending on partnership level

Roberto Mircoli, rmircoli@cisco.com, www.cisco.com/go/asa
ASA 5500 New Product Lineup, New Features and Roadmap
Luca Bertagnolio
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Introducing the ASA 5505 and 5550

Cisco ASA 5500 Series Product Lineup
Solutions ranging from SOHO and SMB to large enterprise

                             ASA 5505           ASA 5510               ASA 5520       ASA 5540           ASA 5550
Target market                SOHO and ROBO      SMB and SME            Enterprise     Medium Enterprise  Large Enterprise
List price                   from $595          from $3,495            from $7,995    from $16,995       from $19,995
Performance
  Max firewall               150 Mbps           300 Mbps               450 Mbps       650 Mbps           1.2 Gbps
  Max firewall + IPS         Future             150 Mbps               375 Mbps       450 Mbps           N/A
  Max IPsec VPN              100 Mbps           170 Mbps               225 Mbps       325 Mbps           425 Mbps
  Max IPsec / SSL VPN peers  25 / 25            250 / 250              750 / 750      5000 / 2500        5000 / 5000
Platform capabilities
  Max firewall conns         10,000 / 25,000    50,000 / 130,000       280,000        400,000            650,000
  Max conns/second           3,000              6,000                  9,000          20,000             28,000
  Base I/O                   8-port FE switch   3+1 FE / 5 FE          4 GE + 1 FE    4 GE + 1 FE        8 GE + 1 FE
  VLANs supported            3 / 3 (trunk)      10 / 25                100            200                200
  HA supported               Stateless A/S      A/A & A/S (Sec Plus)   A/A & A/S      A/A & A/S          A/A & A/S
                             (Sec Plus)

Cisco ASA 5505 Adaptive Security Appliance Features
FW throughput:                up to 150 Mbps
VPN throughput:               up to 100 Mbps
Concurrent sessions:          10,000 / 25,000
IPsec VPN peers:              10 / 25
SSL VPN peer license levels:  10 or 25
Interfaces:                   8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
Virtual interfaces:           3 with restricted DMZ; 3 with full DMZ*
High availability:            not supported; stateless Active/Standby and dual ISP support*
List price:                   starting at $595
Minimum software version:     ASA 7.2(1), ASDM 5.2(1)
(* with the Security Plus license)

Where does the ASA 5505 fit?
SOHO, ROBO and enterprise teleworker networks
- Advanced firewall services: rich application and protocol stateful inspection; easy management and troubleshooting
- Secure VPN connectivity: full-function site-to-site VPN and remote access VPN services (IPsec and SSL VPN); IPsec hardware client services
- Diverse network integration requirements: rapid deployment of security services such as a secured work environment isolated from home/guest users, dedicated DMZ services to protect revenue infrastructures, device and link resiliency to ensure consistent business uptime, secure voice and video integration with QoS enabled (typically over VPN), and more

Cisco ASA 5505 Series Product Tour (SOHO, teleworker)
- Secure access to both Home and Internet VLANs
- PoE for IP phones and/or WiFi APs
- High-speed hardware VPN client services
- DHCP client services
- PPPoE support
- Dynamic DNS support
- L2TP over IPsec
- Backup ISP support (Security Plus)
- Secure access for a wide range of modern applications through the Internet VLAN
- DHCP server services

Teleworker Deployment Model
Easy to install; modern home networking services
[Diagram: ASA 5505 with a Business VLAN, a Home VLAN and an Internet VLAN.]
- Secure access to both Home and Internet VLANs
- Power over Ethernet for IP phones and WiFi access points
- DHCP and Dynamic DNS services
- PPPoE support
- Backup ISP support (Security Plus)
- Secure access for a wide range of applications through the Internet VLAN
- DHCP server services

Remote Office/SMB Deployment Model
High-performance, resilient security services
[Diagram: ASA 5505 with an Internet VLAN (active) and an Internet VLAN (standby); a Business/DMZ VLAN hosting the e-mail, web and DNS servers; an Inside VLAN; employee/guest VLANs over a VLAN trunk; a PoE WiFi access point and a common network printer; site-to-site IPsec VPN, remote access VPN and SSL VPN serving partners, remote employees and sales teams.]
- Active/Standby design with failback
- Support for DHCP, Dynamic DNS and PPPoE

Cisco ASA 5505 Licensing Model
- Similar to PIX 501 licensing, but with additional dimensions
- User-based licensing: 10, 50 and Unlimited user licenses
- SSL VPN licensing: the base includes 2 for free; 10- and 25-user upgrades are available
- Security Plus license offers many additional capabilities:
  Increased system capacity: raises the maximum number of connections (10K to 25K) and the IPsec peer count from 10 to 25
  Device and link-level redundancy: enables stateless Active/Standby failover and redundant ISP support (dual ISP uplinks)
  Improved flexibility: enables full DMZ and 802.1q VLAN trunking support
  Can be used with any user licensing level
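As an added configuration example (not part of the deck and not Cisco's own sample), this is what the three-VLAN layout of the ASA 5505 base license looks like in the ASA 7.2 CLI, followed by the dual-ISP uplink with failback that the licensing slide lists under Security Plus. VLAN numbers, interface names, addresses (RFC 5737 documentation ranges) and ISP gateways are assumptions. The security-relevant detail is "no forward interface": with the base license the third VLAN is a restricted DMZ, and the appliance refuses "nameif" on it until you declare which VLAN it may not initiate traffic towards.

```text
! --- ASA 5505, base license: three VLANs, the third a restricted DMZ ---
! (VLAN numbers, names and addresses are assumptions for this example)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Base license: the third VLAN must be restricted before it can be named.
! "no forward interface Vlan1" means the DMZ cannot initiate traffic to
! inside; inside can still reach the DMZ, and return traffic is allowed
! by the stateful connection table.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Map switch ports to VLANs (Ethernet0/2 - 0/7 stay in VLAN 1 by default).
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
!
! --- Security Plus only: a fourth VLAN as backup ISP uplink with failback ---
interface Vlan4
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Ethernet0/3
 switchport access vlan 4
!
! Probe the primary ISP gateway; the tracked default route is withdrawn
! when the probe fails and reinstalled when it succeeds again (failback).
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! PAT inside hosts behind whichever uplink currently holds the default route.
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

"show track 1" and "show route" confirm which default route is installed. Pinging the next-hop gateway only detects failure of the link and of the gateway itself; if the ISP can fail further upstream while its gateway still answers, probe an address beyond it (the ISP's DNS resolver, for instance) instead.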
Slide 59: Cisco ASA 5550 Adaptive Security Appliance
  Feature                        5550
  FW throughput                  Up to 1.2 Gbps
  VPN throughput                 Up to 425 Mbps
  Concurrent sessions            650,000
  IPSec VPN peers                5,000
  SSL VPN peer license levels    10, 25, 50, 100, 250, 500, 750, 1000, 2500 and 5000
  Security contexts              Up to 50*
  Interfaces                     8 Gigabit Ethernet ports, 4 SFP fiber ports and 1 Fast Ethernet port
  Virtual interfaces             200
  Scalability                    VPN clustering and load balancing
  High availability              Active/Active, Active/Standby
  List price                     $19,995 - $99,995
  Minimum software version       ASA 7.1.2, ASDM 5.1.2

Slide 60: ASA 7.2 – New Features

Slide 61: Strategic Program: Application Inspection and Control Initiative
The AIC initiative introduces additional application layer intelligence and controls to Cisco’s wide range of security solutions (ASA, PIX, FWSM, IPS, Integrated Services Routers) by enriching existing inspection engines, as well as delivering new inspection engines with advanced application level controls.
Protocols supported (Enh. = enhanced engine, New = new engine): HTTP (Enh.), FTP (Enh.), IM (New), P2P (New), SIP (Enh.), H.323 (Enh.), SCCP (Enh.), SMTP (Enh.), DNS (New), RPC (New), CIFS (New), NetBIOS (New)

Slide 62: AIC: Protocol Breadth and Depth
HTTP
• Enforce HTTP specific parameters (URL/header lengths)
• Filtering on HTTP encoding mechanisms, multiple content types
• Tunneled application control (IM/P2P/file types)
• Customizable regex based signatures and dynamic updates
IM / P2P
• Access control for IM (Yahoo, MSN, AIM, ICQ…) and P2P (KaZaa, Torrents, Gnutella…) over user-defined/well known ports
• Feature control (whiteboarding, voice chat, file sharing)
• Customizable regex based signatures
SIP/H.323/SCCP
• VoIP DoS protection by filtering on caller/callee, direction, etc.
• End-point registration enforcement and authentication
• Application misuse prevention against embedded IM, gaming, etc.
FTP
• Directory traversal attack prevention and command filtering
• Server identity protection via obfuscation techniques
• Filtering based on username, file name/type, server name
• Enhanced logging capabilities

Slide 63: AIC: Protocol Breadth and Depth
DNS
• Enforce legitimate zone transfers, private vs. public domains
• DNS spoofing and cache poisoning prevention
• Filtering based on domain name
SMTP/ESMTP
• Server protection by governing mail transport mechanisms
• Filtering based on type, headers, encoding, authentication
• Blocking/removing attachments, executables, and more!
Microsoft RPC
• Protocol compliance enforcement
• Secure dynamic port allocation
• NAT and PAT support
• Support for Microsoft Outlook full MAPI clients
NetBIOS
• Protocol compliance enforcement
• Enhanced monitoring and NAT support
• And more!

Slide 64: And more… Feature packed release! Includes over 50 new features
VPN Enhancements
• OCSP (Online Certificate Status Protocol) support
• NAC support
• L2TP/IPSec support
• DNS resolution for peers
• Multiple Microsoft clients behind NAT
• Nokia Symbian OS support
• Zone Labs support
• Hybrid XAUTH support
• VPN IP fragmentation and reassembly statistics
Resiliency and Scalability
• Sub-second LAN-based failover
• Dual ISP connection with failback
Other Enhancements
• Regex traffic selection for MPF
• Traffic rate limiting
• WCCP support
Other Enhancements (cont’d)
• Cut-through AAA authentication parity with VPN
• New RTP/RTCP inspection engine
• Resource Manager for Virtualization
• Secure Computing (N2H2) URL filtering support over HTTPS and FTP
Network Integration
• Dynamic DNS support
• PPPoE support
• Multicast boundary support
• RIPv2 Active and Passive
• Configurable MAC addresses per interface
• GTP enhancements for mobile wireless environments
• DNS resolver for Ping, Traceroute, Copy and AAA server commands

Slide 65: Nokia Symbian OS Support

Slide 66: Nokia Symbian OS Support – Configuration
§ A new authentication type, CRACK, is added to support low-power-consuming algorithms on operating systems such as Nokia Symbian
§ Enable CRACK authentication using the crypto isakmp policy priority authentication command with the crack keyword in global configuration mode. For example:
  hostname(config)# crypto isakmp policy 2
  hostname(config-isakmp-policy)# authentication crack

Slide 67: Nokia Symbian OS Support – Configuration (cont’d)
If you are using digital certificates for client authentication, perform the following additional steps:
§ Step 1 Configure the trustpoint and remove the requirement for a fully qualified domain name. The trustpoint might be NSSM or some other CA. In this example, the trustpoint is named CompanyVPNCA:
  hostname(config)# crypto ca trustpoint CompanyVPNCA
  hostname(config-ca-trustpoint)# fqdn none

Slide 68: Nokia Symbian OS Support – Configuration (cont’d)
§ Step 2 To configure the identity of the ISAKMP peer, perform one of the following steps:
  a. Use the crypto isakmp identity command with the hostname keyword. For example:
     hostname(config)# crypto isakmp identity hostname
  –or–
  b. Use the crypto isakmp identity command with the auto keyword to configure the identity to be automatically determined from the connection type.
     For example:
     hostname(config)# crypto isakmp identity auto
§ Note If you use the crypto isakmp identity auto command, you must be sure that the DN attribute order in the client certificate is CN, OU, O, C, St, L.

Slide 69: Nokia Symbian OS Support – ASDM Option (screenshot)

Slide 70: Nokia Symbian OS Support – ASDM VPN Wizard Option (screenshot)

Slide 71: MPF Improvements and New Class-map and Policy-map

Slide 72: Modular Policy Framework (MPF)
The MPF framework allows individual traffic flows between hosts or networks to be defined; QoS, application inspection and connection limits can then be applied separately to each flow. In general, the provisioning of policies (security, QoS, inspection, etc.)
MPF is built on three related CLI commands:
• class-map
• policy-map
• service-policy
Note: MPF features are derived from QoS as implemented in IOS. Not all features have been carried across.

Slide 73: Why do we need to change MPF?
Pre-7.2 release
§ Limited capabilities for class-map (grouping)
§ Except for a couple of match criteria, only one (1) match command is allowed in a class-map.
§ MPF can match on static, pre-programmed information, e.g. static MIME types for HTTP inspection commands
This does not satisfy the requirements from the EAAC (Edge Access Application Control)
7.2 release
§ Ability to logical-AND multiple match conditions and associate an action with the match results.
§ Ability to define regular expressions and to match a group of regular expressions that have the 'match-any' attribute. Ex.: block any (get|post); block URL
§ Ability to define a NOT operator (negate) for a match condition.
§ Ability to limit the values that can be entered for a specific inspection object

Slide 74: MPF – class-map
§ class-map – This command identifies the traffic that needs a specific type of control. Class-maps have specific names which tie them into the policy-map.
§ example:
  class-map type regex match-any restricted_url
   match regex url_abc
   match regex url_xyz
  class-map type inspect http match-all restricted_http
   description Restrict the following sites: GET "abc.com" OR GET "xyz.com"
   match request method get
   match request uri regex class restricted_url

Slide 75: MPF – policy-map
§ policy-map – This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too, which tie them into the service-policy.
§ example:
  policy-map type inspect http http_inspection_policy
   parameters
    content-type-verification
   match request method post
    drop-connection
   match request method connect
    reset
   class restricted_http
    drop-connection log
  policy-map web-policy
   inspect http http_inspection_policy

Slide 76: MPF – service-policy
§ service-policy – This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional “global” service-policy is defined for traffic and general policy application; this policy applies to traffic on all interfaces.
§ example:
  service-policy web-policy interface inside

Slide 77: MPF Improvements – New CLI “class-map (regex)”
§ Regex: This keyword, when used in the class-map command, specifies that the class-map is of type REGEX, which is primarily used for matching regular expressions. This type of class-map can be used by other types of class-maps and is initially restricted to 'match-any' class-maps. When this keyword is used in the match subcommand, it specifies that a regular expression is to be used as a match condition.
§ Defined over some alphabet Σ (for programming languages, commonly ASCII or Unicode)
§ If re is a regular expression, L(re) is the language (set of strings) generated by re

Slide 78: Modular Policy Framework (MPF) – Example
§ The following is an example of policy-map type inspect that includes an inspection policy for HTTP.
  regex url_abc "abc\.com"
  regex url_xyz "xyz\.com"
  class-map type regex match-any restricted_url
   match regex url_abc
   match regex url_xyz
  class-map type inspect http match-all restricted_http
   description Restrict the following sites: GET "abc.com" OR GET "xyz.com"
   match request method get
   match request uri regex class restricted_url
  policy-map type inspect http http_inspection_policy
   parameters
    content-type-verification
   match request method post
    drop-connection
   match request method connect
    reset
   class restricted_http
    drop-connection log
  policy-map web-policy
   inspect http http_inspection_policy
  service-policy web-policy interface inside

Slide 79: H323 Inspection
Slide 80: Enhanced H.323 Inspection – Functional Overview
7.0 Release
§ The initial 7.0 release included the inspect h323 {h225 | ras} command, replacing the fixup command
7.2 Release
§ The 10 new H.323 AIC (Application Inspection Control) functions are designed to prevent attacks and restrict or deny certain applications:
  Restrict Call Duration
  Block Rogue Callers
  Prevent RAS/H.225 Packets Arriving Out of State
  Restrict H.323 Services That Can Be Used (media-type data)
  Control H.225 Tunneling
  Control (Allow or Disallow) Video or Audio
  Protocol State Tracking
  Enforcing H.323 Call Duration
  Phone Number Filtering
  HSI Routed Call Setup

Slide 81: H.323 Inspection
§ The two major functions of H.323 inspection are as follows:
• NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.
• Dynamically allocate the negotiated H.245 and RTP/RTCP connections.

Slides 82–87: Enhanced H.323 Inspection – ASDM Configuration (screenshots)
Slides 88–89: Enhanced H.323 Inspection – ASDM Configuration (screenshots)

Slide 90: H.323 Configuration
§ Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the
§ Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to

Slide 91: H.323 Configuration (cont’d)
§ Step 3 (Optional) Create an H.323 inspection class map by performing the following steps. A class map groups multiple traffic matches. Traffic must match all of the match commands to match the class map. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps. To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map. For the traffic that you identify in this class map, you can specify actions such as drop-connection, reset, and/or log the connection in the inspection policy map. If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.

Slide 92: H.323 Configuration (cont’d)
§ a. Create the class map by entering the following command:
  hostname(config)# class-map type inspect h323 [match-all] class_map_name
  hostname(config-cmap)#
  Where class_map_name is the name of the class map. The match-all keyword specifies that traffic must match all criteria to match the class map; match-all is the default and only option. The CLI enters class-map configuration mode, where you can enter one or more match commands.

Slide 93: H.323 Configuration (cont’d)
§ b. (Optional) To add a description to the class map, enter the following command:
  hostname(config-cmap)# description string
  Where string is the description of the class map (up to 200 characters).
§ c. (Optional) To match a called party, enter the following command:
  hostname(config-cmap)# match [not] called-party regex {class class_name | regex_name}
  Where the regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2.
§ d. (Optional) To match a media type, enter the following command:
  hostname(config-cmap)# match [not] media-type {audio | data | video}

Slide 94: H.323 Configuration (cont’d)
§ Step 4 To create an H.323 inspection policy map, enter the following command:
  hostname(config)# policy-map type inspect h323 policy_map_name
  hostname(config-pmap)#
  Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
§ Step 5 (Optional) To add a description to the policy map, enter the following command:
  hostname(config-pmap)# description string

Slide 95: H.323 Configuration (cont’d)
§ Step 6 To apply actions to matching traffic, perform the following steps.
  a. Specify the traffic on which you want to perform actions using one of the following methods:
  • Specify the H.323 class map that you created in Step 3 by entering the following command:
    hostname(config-pmap)# class class_map_name
    hostname(config-pmap-c)#
  • Specify traffic directly in the policy map using one of the match commands described in Step 3. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.

Slide 96: H.323 Configuration (cont’d)
§ b. Specify the action you want to perform on the matching traffic by entering the following command:
  hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
  Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
  The drop keyword drops all packets that match. The send-protocol-error keyword sends a protocol error message. The drop-connection keyword drops the packet and closes the connection. The mask keyword masks out the matching portion of the packet. The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client. The log keyword, which you can use alone or with one of the other keywords, sends a system log message. The rate-limit message_rate argument limits the rate of messages.
  You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on page 21-10.

Slide 97: H.323 Configuration (cont’d)
§ Step 7 To configure parameters that affect the inspection engine, perform the following steps:
  a. To enter parameters configuration mode, enter the following command:
    hostname(config-pmap)# parameters
    hostname(config-pmap-p)#
  b. To define the H.323 call duration limit, enter the following command:
    hostname(config-pmap-p)# call-duration-limit time
    Where time is the call duration limit in seconds. Range is from 0:0:0 to 1163:0:0. A value of 0 means never timeout.
  c. To enforce the call party number used in call setup, enter the following command:
    hostname(config-pmap-p)# call-party-number

Slide 98: H.323 Configuration (cont’d)
§ d. To enforce H.245 tunnel blocking, enter the following command:
  hostname(config-pmap-p)# h245-tunnel-block action {drop-connection | log}
§ e. To define an HSI group, enter the following command:
  hostname(config-pmap-p)# hsi-group id
  Where id is the HSI group ID. Range is from 0 to 2147483647.
§ f. To check RTP packets flowing on the pinholes for protocol conformance, enter the following command:
  hostname(config-pmap-p)# rtp-conformance [enforce-payloadtype]
  Where the enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
§ g. To enable state checking validation, enter the following command:
  hostname(config-pmap-p)# state-checking {h225 | ras}

Slide 99: ASDM 5.2 – New Features

Slide 100: ASDM 5.2 – New Features
§ Object Groups: now includes ICMP and IP grouping
§ New “How do I” help: new manageable help file
§ ACL to Syslog: reference to logging from ACL
§ Rule table query: multiple objects search
§ HA Wizard: new Active/Active, Active/Standby failover wizards and VPN load balancing wizards
§ NAT IP address as destination (just like CLI)
§ Enhanced Live Log detail
§ Organized structure in Live Log
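The MPF evaluation rules the deck states (regex class-maps are match-any, inspect class-maps are match-all, match not negates a criterion, policy-map entries carry the action), applied to the slide 78 HTTP policy and to an H.323 class built from the Step 3 match commands, as an added Python simulation that is not code from the deck or from Cisco. Assumptions: Python's re.search stands in for the appliance's regex engine, the first matching entry wins (the appliance's own precedence rules for multiple hits are not modelled), and the sample requests, calls and 1555 dial-plan prefix are constructed.

```python
"""MPF inspection-class evaluator modelled on the deck's stated semantics.

Added example, not code from the deck or from Cisco. Regex class-maps are
match-any, inspect class-maps are match-all, `match not` negates a criterion and
a policy-map entry maps a class or direct match to an action. Python's re.search
stands in for the appliance's regex engine (unanchored, like "abc\\.com").
Sample requests, calls and the 1555 dial-plan prefix are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union


@dataclass(frozen=True)
class RegexClass:
    """class-map type regex match-any NAME: true if ANY regex matches."""
    name: str
    patterns: Sequence[str]

    def matches(self, text: str) -> bool:
        return any(re.search(p, text) for p in self.patterns)


@dataclass(frozen=True)
class Match:
    """One `match [not] FIELD VALUE` line; VALUE is a literal or a regex class."""
    field: str
    value: Union[str, RegexClass]
    negate: bool = False

    def test(self, msg: dict) -> bool:
        actual = msg.get(self.field)
        if isinstance(self.value, RegexClass):
            hit = actual is not None and self.value.matches(actual)
        else:
            hit = actual == self.value
        return hit != self.negate  # `match not` inverts the criterion


@dataclass(frozen=True)
class InspectClass:
    """class-map type inspect {http|h323} match-all NAME: ALL lines must match."""
    name: str
    criteria: Sequence[Match]

    def matches(self, msg: dict) -> bool:
        return all(m.test(msg) for m in self.criteria)


@dataclass(frozen=True)
class Entry:
    """`class NAME` or a direct `match` under the policy-map, plus its action."""
    selector: Union[InspectClass, Match]
    action: str  # drop | drop-connection | reset | mask | rate-limit ...
    log: bool = False

    def hits(self, msg: dict) -> bool:
        if isinstance(self.selector, InspectClass):
            return self.selector.matches(msg)
        return self.selector.test(msg)


def evaluate(policy: Sequence[Entry], msg: dict) -> Optional[Tuple[str, bool]]:
    """(action, log) of the first entry that matches, or None when traffic passes.
    Assumption: the appliance's precedence rules for multiple hits are not modelled."""
    for entry in policy:
        if entry.hits(msg):
            return entry.action, entry.log
    return None


# Slide 78: the HTTP inspection policy, transcribed into the model.
restricted_url = RegexClass("restricted_url", [r"abc\.com", r"xyz\.com"])
restricted_http = InspectClass("restricted_http", [
    Match("request-method", "get"),
    Match("request-uri", restricted_url),
])
http_inspection_policy = [
    Entry(Match("request-method", "post"), "drop-connection"),
    Entry(Match("request-method", "connect"), "reset"),
    Entry(restricted_http, "drop-connection", log=True),
]


def http_verdict(method: str, uri: str) -> Optional[Tuple[str, bool]]:
    return evaluate(http_inspection_policy, {"request-method": method.lower(), "request-uri": uri})


# Slides 91-96: an H.323 class using `match not` (constructed policy).
dial_plan = RegexClass("dial_plan", [r"^1555"])  # hypothetical internal prefix
rogue_data_calls = InspectClass("rogue_data_calls", [
    Match("called-party", dial_plan, negate=True),  # match not called-party
    Match("media-type", "data"),                    # match media-type data
])
h323_policy = [Entry(rogue_data_calls, "drop-connection", log=True)]


def h323_verdict(called_party: str, media_type: str) -> Optional[Tuple[str, bool]]:
    return evaluate(h323_policy, {"called-party": called_party, "media-type": media_type})


# Slide 97: call-duration-limit takes H:M:S in the range 0:0:0 .. 1163:0:0.
def call_duration_seconds(limit: str) -> Optional[int]:
    """Seconds for a `call-duration-limit` value; None means never time out."""
    h, m, s = (int(x) for x in limit.split(":"))
    total = h * 3600 + m * 60 + s
    if min(h, m, s) < 0 or m > 59 or s > 59 or total > 1163 * 3600:
        raise ValueError(f"call-duration-limit {limit!r} out of range")
    return None if total == 0 else total
```

Because the slide's regexes are unanchored, "abc\.com" also matches a URI such as http://abc.com.attacker.example/, which is why a reviewer of such a policy checks the pattern anchoring as well as the actions.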
Slide 101: ASDM 5.2 – ICMP and IP object grouping support (screenshot)

Slide 102: ASDM 5.2 – How Do I Help
§ Admin may add a new “How Do I” help file later

Slide 103: ASDM 5.2 – New ACL to Syslog
§ Now the user can view syslog messages from a selected ACE

Slide 104: ASDM 5.2 – Rule Table Query
§ Admin can filter on multiple criteria

Slide 105: ASDM 5.2 – HA Wizard
§ New HA wizards include A/A and A/S failover and VPN load balancing

Slide 106: ASDM 5.2 – NAT IP address as Destination (screenshot)

Slide 107: ASDM 5.2 – Live Log Enhancements: Detail and Organized Columns
§ New syslog columns and Detail button

Slides 108–110: Packet Tracer (screenshots)

Slide 111: (untitled screenshot)
Slide 112: Agenda
09:00 - 09:30 Registration ✓
09:30 - 10:00 Welcome and introduction
10:00 - 10:30 Cisco strategy for 2007 and news from Product Management ✓
10:30 - 10:45 How to steer customers toward ASA ✓
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA new product lineup, new features and roadmap ✓
12:00 - 12:45 Cisco NAC
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner self-enablement tools
14:00 - 14:30 Security Management: what's new in MARS and CS-Manager
14:30 - 15:30 Technical session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00 Closing and prize draw!

Slide 113: Armando Lombardi, Cisco Security Specialist, arlombar@cisco.com

Slide 114: AGENDA
• CCA overview
• NAC Appliance options
• New features in the latest release
• Features on the roadmap
• Demo/movies
TM - Massafra © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 115: Four Key Capabilities of NAC
Securely Identify Device and User
  What it means: Who’s on? What’s on? Associating users with devices
  Why it is important: Enables granular enforcement of policies by role or group
  Without it: Critical to associate users and devices with roles to know which policies apply; prevents device spoofing.
Enforce Consistent Policy
  What it means: What are the requirements for access?
  Why it is important: Centralized policy supports multiple user roles; scans for infections, port vulnerabilities, hotfixes, AV, AS, services running, and files
  Without it: A decentralized policy mechanism (e.g. on the endpoint) can leave gaping security holes.
Quarantine and Remediate
  What it means: What are the steps to meet requirements?
  Why it is important: Isolates noncompliant devices using MAC and IP addresses, effective at a per-user level; network-based, self-guided remediation
  Without it: Just knowing a device is noncompliant is not enough—someone still needs to fix it.
Configure and Manage
  What it means: How do I create or modify requirements?
  Why it is important: Web-based interface for easy management of roles, policies, and remediation steps
  Without it: Policies that are too complex or difficult to create and use will lead to abandonment of the project.
A comprehensive NAC solution must have all four capabilities: the absence of any one weakens the solution.

Slide 116: Cisco NAC Appliance Components
§ Cisco Clean Access Manager – centralizes management for administrators, support personnel, and operators
§ Cisco Clean Access Server – serves as the enforcement point for network access control
§ Cisco Clean Access Agent – optional lightweight client for device-based registry scans in unmanaged environments
§ Rule-set Updates – scheduled automatic updates for anti-virus, critical hot-fixes and other applications

Slide 117: Cisco NAC Appliance Sizing
Managers: Super Manager manages up to 40 Enterprise and Branch Servers; Standard Manager manages up to 20 Enterprise and Branch Servers; Manager Lite manages up to 3 Branch Office or SMB Servers or ISR NM
Servers: Enterprise and Branch Servers, 2500 users each or 1500 users each; Branch Office or SMB Servers or ISR NM, 100, 250 or 500 users

Slide 118: NAC Appliance Conceptual Overview – The Goal
(Diagram: end user, Cisco Clean Access Server, Cisco Clean Access Manager, Authentication Server, Intranet/Network, Quarantine Role)
1. End user attempts to access a web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is noncompliant or login is inc
orrect: user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is “clean”: machine gets on the “certified devices list” and is granted access to the network.

Slide 119: Pre-Configured Policy Checks simplify deployment
Critical Windows updates, anti-virus updates, anti-spyware updates, 3rd party checks. NAC Appliance supports policies for 250+ applications, including these vendors (vendor logos). Customers can easily add customized checks.

Slide 120: NAC Appliance – One Product for all Use Cases
(Diagram: campus building 1 (802.1Q), wireless building 2, conference room in building 3, IPSec across the Internet)
§ LAN Endpoint Compliance – network access only for compliant devices. LAN: position L2 or L3 OOB, with a feature for L3 VoIP in 4.1
§ Wireless Compliance – secured network access only for compliant wireless devices. Wireless users: common pain point addressed
§ Remote LAN Compliance – network access only for compliant devices. Remote LAN: complex positioning with a roadmap; today → remote CAS, L3 IB, L3 OOB
§ Guest Compliance – restricted internet access only for guest users. Guest users: common pain point addressed by 3 options, plus pitch the hotspot app in 4.1
§ VPN User Compliance – intranet access only for compliant remote access users

Slide 121: NAC Appliance Options
Customers can choose from a variety of product and deployment options to tailor NAC Appliance for individual networks:
  Software-only (customer provides hardware) or Appliance (Cisco provides hardware)
  Virtual Gateway (bridged) or Real-IP Gateway (routed)
  Edge Deployment or Central Deployment
  L2 Client Access or L3 Client Access
  In-band Server or Out-of-band Server

Slide 122: CAS Foundation: Virtual Gateway
§ Direct bridging: frame comes in, frame goes out
§ VLAN IDs are either passed through untouched or mapped from A to B
§ DHCP and client routes point directly to network devices on the trusted side
§ CAS is an IP-passive bump in the wire, like a transparent firewall

Slide 123: CAS Foundation: Real IP / NAT Gateway
§ CAS is routing: packet comes in, packet goes out
§ VLAN IDs terminate at the CAS, no pass-through or mapping
§ DHCP and client routes usually point to the CAS for /30
§ CAS is an active IP router, can also NAT outbound packets **

Slide 124: CAS Foundation: Edge Deployment
§ Easiest deployment option to understand
§ CAS is logically inline and physically inline
§ Supports all Catalyst switches
§ VLAN IDs are passed straight through when in VGW: 10 → 10
§ Installations with multiple access layer closets can become complex

Slide 125: CAS Foundation: Central Deployment
§ Most common deployment option
§ CAS is logically inline, NOT physically inline
§ Supports 6500 / 4500 / 3750 / 3560 **
§ VLAN IDs are mapped when in VGW: 110 → 10
§ Easiest installation
§ Most scalable in large environments

Slide 126: CAS Foundation: Layer 2 Mode
§ Client is Layer 2 adjacent to the CAS
§ MAC address is used as a unique identifier
§ Supports both VGW and Real IP GW
§ Supports both In Band and Out of Band
§ Most common deployment model for LANs

Slide 127: CAS Foundation: Layer 3 Mode
§ Client is NOT Layer 2 adjacent to the CAS
§ IP address is used as a unique identifier
§ Supports both VGW and Real IP GW
§ Supports In Band mode **
§ Needed for WAN and VPN deployments

Slide 128: CAS Foundation: In Band
§ Easiest deployment option
§ CAS is inline (in the data path) before and after posture assessment
§ Supports any switch, any hub, any AP
§ Role-based access control: Guest, Contractor, Employee
§ ACL filtering and bandwidth throttling

Slide 129: CAS Foundation: Out of Band
§ Multi-Gig throughput deployment option
§ CAS is inline for posture assessment only
§ Supports most common Cisco switches **
§ Port VLAN based and role based access control
§ ACL filtering and bandwidth throttling for posture assessment only

Slide 130: Out Of Band Process Flow
1. New MAC notification sent to CAM
2. Unauthenticated client discovery (Agent popup or new traffic)
3. CAS challenges for credentials

Slide 131: Out Of Band Process Flow
4. Client sends credentials to CAS
5. CAS performs posture assessment
6. CAM changes VLAN from Auth to Access

Slide 132: CAS Foundation Summary
1. Virtual Gateway mode is usually the easiest integration into existing networks
2. Central deployments will make up 99% of designs
3. Layer 2 adjacent clients give more options for security with Layer 2 strict mode
4. Pay close attention to In-Band math: it’s 1 Gig for 1500 users.

Slide 133: NAC Appliance Overview: Web Login
Login screen → scan is performed (types of checks depend on user role/OS) → click-through remediation

Slide 134: End User Experience: with Agent
Login screen → scan is performed (types of checks depend on user role) → scan fails → remediate

Slide 135: Recent NAC Appliance Innovations
Deployment Features
  Layer 3 Out-of-Band – reduces the number of Servers required for deployments with multiple locations
  “Super” Manager – manages up to 40 Server failover pairs
  VLAN by Name – simplifies the administration of VLANs
  Expanded Failover Options – multiple options for failover in case of CAS link failure
  New 2500-user CAS – additional option for larger-user environments
Authentication Features
  Windows Active Directory Single Sign-On – vastly improves user experience by automatically passing through Windows login credentials
  Corporate Asset Authentication – ability to apply network admission control to corporate assets not associated with specific users (IP phones, printers, etc.)

Slide 136: Recent NAC Appliance Innovations, cont.
Agent Features
  Seamless Agent Provisioning – enables Agent updates without requiring the user to have admin privileges
  Auto-Remediation for Windows – single button for auto-launching Windows Updater
  MacOS Authentication Agent – extends network admission control to Macintosh desktops
Platform Options
  Expanded Platform Support – in addition to the software option, now available on new hardware for higher performance

Slide 137: NAC STRATEGY-SOLUTIONS
Slide 138: NAC Strategy – Microsoft Support
Current
  Windows OS Support – XP (Home/Pro/MCE/Tablet), 2000/ME/98 (Agent); WinCE/WinMobile (Agentless); Windows 2003/2000 Server
  AD Single-Sign-On
  Windows Hotfixes/AV Checks – auto-updates to pre-configured hotfix and OneCare AV checks
  Windows Update via WSUS – ability to configure Windows Updater and launch the WSUS agent for auto-remediation
Roadmap
  GPO Launch post Authentication (4.1) – ability to launch GPO to tie AD desktop policy to the access VLAN
  WSUS Agent immediate launch (4.1) – ability to force the WSUS agent to remediate now
  Microsoft SMS Agent remediation (4.1.x) – launch SMS Agent during remediation or when x days old
  IE 7.0 and Vista Support – Vista Agent within 30-45 days of Vista commercial availability
  Login Script “hold” Configuration – provide a configuration to hold login script mapping until the access VLAN

Slides 139–144: NAC Strategy – Microsoft Support (process flow)
(Diagram: CAM, DNS/DHCP server, WSUS server, AV server, web server and AD server on VLAN 10; switch; laptop with CCA Agent on VLAN 110; CAS bridging VLAN 110 to VLAN 10)
1. End user attaches a laptop to the network.
2. Switch sends the MAC address via SNMP-based notification to the CAM.
3. CAM instructs the switch to place the port in the Authentication VLAN (110).
4. DHCP address is assigned as DHCP/DNS traffic traverses the CAS using VLAN mapping.
5. Laptop performs authentication to AD with the CAS permitting access to the AD ports.
6. During AD login, GPO policy and login scripts are downloaded to the laptop.
7. Laptop runs login scripts with the “hold” configuration during drive mapping.
8. CCA Agent performs SSO to the CAM.
9. CAM determines the “role” based on AD attributes and passes posture requirements to the CCA Agent.
10. CCA Agent determines a missing hotfix and launches the WSUS Agent for remediation.
11. CCA Agent determines the AV definition is not updated and launches the AV Agent for remediation.
12. Upon remediation, CAM instructs the switch to place the port onto the Access VLAN (10) based on port mapping (or the role assignment).
13. If role assignment is used, the CCA Agent performs release/renew. The laptop user now sees “Successfully Logged In.”
14. CCA Agent launches GPO Update in the Access VLAN.
15. Login scripts remove the “hold” and complete drive mapping.
16. The “Successfully Logged In” dialog box closes in x seconds.

Slide 145: NAC Strategy – Microsoft Support Considerations
Agent Installation – does not support Embedded XP or XP running on 64 bits (roadmap 2007); supports most WinXP/2000 with language packs but not tested on all (see Release Notes)
AD SSO (Single Sign-On) Support – pay attention to typo details when you configure SSO/KTPASS; one CAS to one AD domain controller; manual login across untrusted domains
Microsoft SMS Launch – requires a signed application (.exe) to launch
Login Scripts – modify login scripts for the drive-mapping “hold”
Mandatory Hotfix Requirement – must click the Next button to continue

Slide 146: NAC Strategy – Leverage Infrastructure
Current
  AV and AS Applications – over 250+ partner AV and AS applications supported today
  Authentication Servers – any Radius/Kerberos/LDAP/Novell backend
  Custom Checks – any application/file/service checks
  Firewall Applications – support pre-configured checks for FW/HIDS/HIPS vendors (CSA is supported)
  Encryption Applications – support pre-configured checks for desktop encryption vendors
Roadmap
  Patch Management Applications (4.1) – support key patch management applications (IBM Tivoli, SMS, Citadel, Altiris, Bigfix, etc.)
  DICOM Applications – support NAC Appliance enforcement for DICOM routing of PACS in healthcare
  Open APIs – GreatBay Software provides network device profiling and automated synchronization to CAM and CAS enforcement via Open APIs; Iconium provides compliance policy acceptance and synchronized enforcement via Open APIs; VisitorNet provides guest access registration and CAS policy enforcement via Open APIs
  802.1x Overlay Support – support any 802.1x supplicants in-band today and wired 802.1x in a future overlay

Slide 147: AGENDA
• CCA overview
• NAC Appliance options
• New features in the latest release
• Features on the roadmap
• Demo/movies
All rights reserved. Cisco Confidential 148 NAC STRATEGY ROADMAP Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 149 NAC Appliance Roadmap Release 4.0/Dash Corporate asset compliance Agent stub for installs/updates VLAN by Name (OOB) Layer 3 OOB Windows AD SSO Windows Update Launch May 06 Release 4.1/Syndrome Release 4.5/Elastigirl* Silent Audit Remediation Reporting CAS Fallback L3OOB for VoIP MAC Auth Agent Agent Language Template Patch Management Launch Guest Portal (external) Temporal Agent Silent Remediation MAC Posture Agent Preconfigured PFW rules 802.1x Overlay Support Oct 2006 Nov 2006 1H CY07 Release 5.5/Mr. Incredible* NAC Framework support: • NAC Manager • NAC Agent • HCAP 2H CY07 NOW Release 4.0.x/Brunella Cisco NAC Appliance 3300 Series CAS 2500 SuperCAM Release 5.0/Edna* Release 4.1.x/Angera* CC Distributed CAM CAS on ISR NM Blade Enhanced Syslog Enhanced Reporting DBCS Support MOM * subject to concept commit, not a customer commit TM - Massafra © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 150 NAC Appliance Expansion Phase 1 TODAY OUT-OF-BAND NETWORK ACCESS DEVICE NAC Appliance Agent Policy & Remediation Partners NAC Appliance Server IN-BAND HTTPS NAC Appliance Manager HTTPS NETWORK ACCESS DEVICE .1x HTTPS 1H 2007 OUT-OF-BAND RADIUS 802.1x ISR NM NAC AGENT IN-BAND TM - Massafra © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential NAC SERVER 802.1x Proxy HTTPS NAC Appliance MANAGER 151 NAC Appliance Expansion Phase 2 TODAY OUT-OF-BAND Policy & Remediation Partners ISR NM NETWORK ACCESS DEVICE NAC Appliance Agent 802.1x NAC Appliance Server with .1x overlay IN-BAND HTTPS or Radius NAC Appliance Manager HTTPS Policy & Remediation Partners OUT-OF-BAND HCAP, GAME CTA API CTA NETWORK ACCESS DEVICE HTTPS VISION RADIUS UDP, 802.1x HTTPS NAC AGENT NAC SERVER NAC MANAGER IN-BAND TM - Massafra © 2006 Cisco Systems, Inc. All rights reserved. 
152 Agenda
✓ 09:00 - 09:30 Registration
09:30 - 10:00 Welcome and introduction to the day
✓ 10:00 - 10:30 Cisco strategy for 2007 and news from Product Management
✓ 10:30 - 10:45 How to steer customers towards ASA
10:45 - 11:15 Coffee break
✓ 11:15 - 12:00 ASA new product lineup, new features and roadmap
✓ 12:00 - 12:45 Cisco NAC
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner self-enablement tools
14:00 - 14:30 Security Management: What's new in MARS and CS-Manager
14:30 - 15:30 Technical Session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00 Closing and prize draw!

154 Partners Enablement: tools for design and support
Marco Voi – Channel Systems Engineer, mvoi@cisco.com

155 Training; Tools & Methodologies; Selling & Marketing

156 Partner Help Online
§ http://www.cisco.com/web/partners/tools/helponline/index.html

157 Service Support Center
http://www.cisco.com/go/ssc

158 Design tools
http://www.cisco.com/go/qb

159 Cisco Discovery

160 Deliver

161 "Transfer of Information" model
§ Partner Virtual Team: https://programs.regweb.com/cisco/pvt_07/
§ P.I.N.T.: http://www.cisco.com/it/go/pint
§ Partner E-Learning Connection: www.cisco.com/go/pec

162 Partner VT elements
1. Address pre-sales knowledge transfer and competency
2. Create an environment for Partners to network and collaborate as a community
3. Provide demonstrations, design sessions, hands-on labs, interactive discussion
4. Social and fun

163 Partner VT Updates
§ Product / Technology Update and Feedback
§ Hands-On Labs
§ TAC/AS Technical Update*
§ Partner SE Team Design Sessions / BOF
§ TTA Forums
§ TTA Interaction and Networking
§ Evening Meal – another chance to network
*Where available

164 Partner VT Enrolment Process
1. Cisco SE invites via PSS one or two elite engineers from a Specialised, ATP or Learning Partner per technology stream
2. Partner SE achieves Specialisation Accreditation (CQS/CCIE)
3. Partner SE becomes a Trusted Technical Advisor (TTA) and a member of the Partner VT
4. The Trusted Technical Advisor is invited to attend Partner VT update events

165 Partner VT Entry Accreditation – FY2007
Partner VTs: Routing and Switching, Security, Convergence, Data Centre, Wireless.
Entry to the Security Partner VT: VPN or Firewall or IPS Specialist; Advanced Security Solutions Design Specialist; Cisco Certified Security Professional; CCIE Security; plus Cisco Channel SE sponsorship.

166 Partner VT Collaboration Site
https://tools.cisco.com/cws/livelink?func=ll&objId=723876&objAction=browse&sort=name
Partner VT presentations in PDF format are stored on this restricted-access external site.

167 Networkers
http://www.cisco.com/global/EMEA/networkers/2007/index.shtml

168 Newsletters for Cisco Italy partners
§ Italy-channel-newsletter-rs@cisco.com
§ Italy-channel-newsletter-security@cisco.com
§ Italy-channel-newsletter-ipc@cisco.com
§ Italy-channel-newsletter-wireless@cisco.com
§ Italy-channel-newsletter-storage@cisco.com
§ Cisco Customized Partner Intelligence: http://www.cisco.com/web/partners/news/subscribe.html

169 AUTOMATIC SUBSCRIPTION
Send an e-mail to mailer@cisco.com containing the command: subscribe italy-channel-newsletter-nome (nome = the list name, e.g. security), from the address you want to subscribe.
– The command must be in the BODY of the message, not in the SUBJECT
– Send the mail as PLAIN TEXT, NO HTML, no formatting
– You will receive a confirmation and welcome mail

170 AUTOMATIC UNSUBSCRIPTION
Send an e-mail to mailer@cisco.com containing the command: unsubscribe italy-channel-newsletter-nome, from the address you want to unsubscribe.
– The command must be in the BODY of the message, not in the SUBJECT
– Send the mail as PLAIN TEXT, NO HTML, no formatting
– No confirmation e-mail is sent

171 Agenda (recap): sessions through "Partner self-enablement tools" marked complete; next 14:00 - 14:30 Security Management: What's new in MARS and CS-Manager, 14:30 - 15:30 Technical Session: VoIP/IPT security analysis and countermeasures, 15:30 - 16:00 Closing and prize draw!

172 Security Management: What's new in MARS and CS-Manager – Managing the Self-Defending Network
Zeno Dequal, Systems Engineer, Cisco Systems Italy

173 Today?
174 Cisco Security Management Suite
§ Cisco Security Manager: Simplified Policy Administration; End-to-End Configuration; Network-wide or Device-specific; Topology Awareness
§ Cisco Security MARS: Rapid Threat Identification and Mitigation; Data Correlation
§ FABRIC

175 CS Manager 3.1 Key Features

176 CS-Manager 3.1 – xDM cross launch
• ASDM, SDM, IDM, IEV
• No embedded DM code required on the device
• Open the FW from the CS Manager server to the device; no need to open FWs from user desktops to the device
• Much faster startup

177 CS-Manager 3.1 – xDM
• Device log/signature event to policy cross-launch: leverage DM logs to cross-launch to policy
• Packet tracer: leverage the packet tracer in ASDM

178 CS-Manager 3.1 – Native Cat6000 Mgmt
• Interfaces, VLANs, VLAN groups
• Natively manage Cat6500/Cisco7600, no more launching CVDM
• Manage all the VLANs, interfaces, VLAN groups and mappings
• Comprehensive Summary page to show all the mappings

179 CS-Manager 3.1 – Cat6500 RACL Management (3.0.1)
• Manage the L3 Access Control List on the MSFC of Cat6500/Cisco7600
• Use the same powerful rule table as other devices like ASA/PIX or ISRs

180 CS-Manager 3.1 – Inventory Report
• Single view of all critical device information; one place to see all critical inventory information
• Device and VPN status; deployment status; which policies are assigned; status from external sources

181 CS-Manager 3.1 – Management Protocol Testing
• Server-to-device protocol and credentials
• Test available from the Device Properties page and when adding a device

182 CS-Manager 3.1 – Activity Report
• What fields changed, what objects changed

183 CS-Manager 3.1 High Availability & Disaster Recovery
• Optional High Availability and Disaster Recovery configurations
• Off-the-shelf hardware (servers, storage arrays) and software (Symantec/Veritas) + specific customizations for CS Manager
• Supports a wide variety of deployment options based on customer requirements: single, dual-node cluster for high availability; multiple geographically diverse clusters for disaster recovery
• Fully automated failure detection and recovery
• Shared local storage for zero data loss
• Synchronous or asynchronous replication between sites for zero or near-zero data loss

184 CS Manager 3.1 IPS-related Features

185 CS-Manager 3.1 Management Roadmap Update
• Supports IPS 5.1, 6.0, and IOS 12.4(11)T; 42xx Appliances, IDSM2, NM-CIDS, SSM-10, SSM-20
• 1 additional RBAC role, Modify Policy Image: additional role for deploying IPS updates
• Auto Update, Rollback, Config Archive, Filtering, Copying, Cloning
• Signature Update Performance – streamlined sigupdate package/process

186 CS Manager 3.1 VPN-related Features

187 Multi-box Management: CS-Manager (CSM) 3.1 supported SSL VPN features on ASA
• SVC (IP layer SSL VPN), DHCP, DNS, WINS, and split tunneling
• Clientless (URL list, CIFS, and Citrix)
• Thin client (Port Forwarding) and applet auto download
• Authentication, authorization and accounting
• Password expiration and management
• Netegrity single sign-on and auto sign-on
• Cisco Secure Desktop enabling and configuration
• Web-type access control list
• Login and portal page customization
• HTTP proxy and proxy bypass (limited content rewrite)
• CIFS file encoding
• Cache
• Interface and SSL port configuration

188 CS Manager 3.1 ASA-related Features

189 CS-Manager Managing the Cisco ASA 5500 Series
• Support all ASA models
• Support ASA 7.0/7.1 and 7.2
• Manage both Routed and Transparent mode and multi-context
• Comprehensive coverage of ASA feature sets
• Cross-launch a read-only version of ASDM for quick device status and troubleshooting

190 CS Manager Advantages

191 CS-Manager Policy Sharing, Inheritance, Interface Roles and Work-Flow

192 CS-Manager Device Override, AUS/CNS-CE, SDP, RBAC

193 CSM is able to share all kinds of policies, not just Firewall Rules
• With CSM you can share syslog policies between devices
• This is true for many more settings

194 Changing column order of the rule base
If you want the interface first, that is possible!

195 Rule creation
• Objects can be used but are not required!

196 ACL Hitcount
• CSM can show how many hits a rule is getting

197 Superior support for IOS routers
• Manage ACLs on all routers just like any other FW
• Support for many new ISR security features, deep packet inspection etc.
• Share policies between ASA/FWSM and IOS

198 You want a map….
• Map per user
• Custom backdrop
• Nested maps
• Manage from the map

199 CS Manager Zero Touch Deployment – Scale through AUS and CNS-CE
1. Pre-provision the device in CS Manager
2. Order through Config Express
3. Drop-ship to the end user
4. End user logs in using the corporate ID

200 CS-MARS Updates

201 MARS Product Line Positioning (EPS = events per second)
§ Enterprise: MARS 200, 10,000 EPS
§ Mid-Market / Low-Enterprise: MARS 100, 5000 EPS; MARS 100E, 3000 EPS
§ SMB: MARS 50, 1000 EPS; MARS 20, 500 EPS; NEW MARS 20R, 50 EPS

202 CS-MARS 4.2.2
• FWSM 3.1 device support
• Multi-threaded implementation for IDS/IPS/Windows event pulling will provide better performance
• Improves GC and LC communication

203 MARS differentiators for IPS (MARS update for IPS)
• Trigger packets: captured in MARS, detected in an IPS alert message; transformed into an event and used in queries, reports, keywords; packet content can be seen in the raw message
• IP Session Logging: MARS captures the complete TCP-based signature attack
• Dynamic ARP inspection + spanning tree (complete L2/L3 knowledge): MARS provides attack paths and mitigation actions
• Global end-to-end view of security posture: knowledge of device configurations and MAC address tables; uses NetFlow, SNMP, SDEE, host event data

204 MARS – Real-time events, multi-vendor, rules-based correlation, threat mitigation
Incident dashboard
• Consolidated view of security posture
• Prioritized incident views
• Graphical view of topology
• Multiple compliance reports "out-of-the-box"
Rules Engine
• 100+ pre-defined system rules
• Day-zero identification based on behavior analysis
• Simple customization of the rule set
Mitigation Views
• Mitigation monitoring and recommendation
• Attack vector
• Graphical path representation
Reporting
• Customizable reporting engine
• Scheduled reports
• Incident replay
• Over 150 predefined reports
• Drill down to event-level detail
Security Management EBC Presentation 2006 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

205 Cisco Security Conversion Tool (SCT): Check Point™ to Cisco Conversion Tool for Cisco Security Partners

206 The Problem
• Large install base of legacy Check Point firewalls.
• Customers want to migrate these Check Point firewalls to new Cisco equipment.
• Each firewall conversion takes months to complete and is error-prone.
• It requires a person who is knowledgeable in both Check Point and Cisco equipment.
• The daunting task causes the customer to delay their migration strategy and to consider other firewall vendors.

207 The Solution
• Provide a tool to convert a Check Point configuration to a Cisco ASA/PIX/FWSM configuration.
• Create a Cisco configuration that can be managed with CLI, PDM, ASDM or Cisco Security Manager.
• Provide an option to optimize the rule table display when used in Cisco Security Manager.
• Make the tool available at no cost to Cisco SEs, Advanced Services, and Cisco Security Partners.
Note: The output from this tool should be reviewed by a Cisco SE, Advanced Services, or a Cisco Security Partner to verify the accuracy and completeness of the conversion.

208 Benefits / "What's in it for me?"
• Reduced time to convert a customer from Check Point to Cisco firewalls.
• Increased profitability in your service to convert from Check Point to Cisco firewalls.
• Increased accuracy in the conversion from Check Point to Cisco firewalls.
• Allows your customer to use Cisco TAC for questions/support on their new Cisco firewalls.
• Optimized option to convert from Check Point to the new Cisco Security Manager.
• Increased traceability, since inline comments are created to indicate which Check Point commands correlate to which Cisco commands.
• Automated report that summarizes the conversion process.

209 What is the Cisco Security Conversion Tool?
• Cisco Security Conversion Tool (SCT) is a software program to assist in converting a Check Point Firewall™ configuration into a Cisco ASA, PIX, or FWSM configuration.
• The software installs on your PC.
• Simple wizard-based GUI.
• Converts one Check Point configuration at a time.
• Several assumptions are made during the conversion process since Check Point and Cisco firewalls are managed differently. A user must manually review and verify the output from Cisco SCT.

210 System Requirements
• Runs on Windows XP and 2000 platforms.
• Converts from Check Point 4.x and NG firewalls.
• Converts to ASA/PIX 7.0(4) or 7.1 and FWSM 2.3 or 3.1.

211 What Will Be Converted?
• Access rules (security policies)
• Network objects and network object groups
• Service objects and service object groups
• NAT rules
• Static routes
• Interface-related configuration

212 Cisco SCT Output
• Corresponding ASA, PIX, or FWSM CLI configuration.
• Summary of what was converted.
• Conversion report indicating any errors or warnings during the conversion.
• Detailed HTML report with hyperlinks from the CLI conversion to the original Check Point policy.

213 Additional Cisco SCT Resources
• Download site (requires a CCO user ID): http://www.cisco.com/web/partners/sell/technology/security/resources.html#technical
• Technical support: sct-support@cisco.com
• Report your wins!!! sct-wins@cisco.com

214 Agenda (recap): sessions through "Security Management: What's new in MARS and CS-Manager" marked complete; next 14:30 - 15:30 Technical Session: VoIP/IPT security analysis and countermeasures, 15:30 - 16:00 Closing and prize draw!

215 VoIP & Security
Marco Misitano, misi@cisco.com

216 (A few) Basic Concepts…

217 Building a Call
PBX 'A' – PSTN – PBX 'B'; call leg '1' and call leg '2' on each side
§ Two call legs bridged together

218 Call Flow
§ Caller A lifts the receiver "off hook"
§ PBX responds with dial tone
§ Call leg 1 is "created"

219 Call Flow (Cont.)
§ Caller A dials the number
§ PBX maps the dialed number to a trunk circuit
§ Call leg 2 is "created"
§ The two call legs are "conferenced" together

220 Call Flow (Cont.)
§ PBX 'B' receives the call setup from the PSTN
§ "Creates" its first call leg ("2")
§ Maps the received digits to an extension
§ Alerts the extension, "creating" the second call leg ("1")

221 Call Conferenced
§ Each PBX has bridged two call legs, each of local significance only
§ Neither PBX has knowledge of the other PBX's second call leg

222 Packet Voice Replacement
Router 'A' – Data Network – Router 'B'
§ Simply replace the PBX and PSTN with a router and a data packet network

223 So what?

224 Voice and Data Threat Models Merge
§ IP Telephony inherits the IP data network threat models: reconnaissance, DoS, host vulnerability exploit, surveillance, hijacking, identity theft, misuse, etc.
§ QoS requirements of IP Telephony increase exposure to DoS attacks that affect delay, jitter, packet loss, bandwidth
§ PC endpoints typically require user authentication; phones typically allow any user (exceptions: access/billing codes, Class of Service)

225 (no content)

226 IP Telephony in a Nutshell
§ Configuration server: phone software; phone configuration
§ IP Telephony Server: phone registration; connecting phones; billing
Phases: 1) Booting 2) Configuration 3) Registration 4) Call Signaling 5) Media Stream

227 Normal IP Telephony Traffic: Booting /1
IP Phone – L2 Switch – L3 Router – DHCP Server
§ 802.1Q
§ DHCP Discover, DHCP Offer, DHCP Request, DHCP Confirm

228 Normal IP Telephony Traffic: Booting /2
IP Phone – L2 Switch – L3 Router – TFTP Server
§ ARP Request, ARP Reply
§ TFTP GET config file (multiple packets), TFTP DATA (multiple)

229 Normal IP Telephony Traffic: Signalling /3
IP Phone – L2 Switch – L3 Router – IPT Server
§ TCP/UDP handshake for SCCP/SIP
§ SCCP/SIP registration
§ Key pressed …
§ Dial tone, ringing tones, …
§ "Listen on UDP port x and send to IP address Y on port z"

230 Normal IP Telephony Traffic: Media Stream /4
IP Phone – L2 Switch – IP Phone
§ ARP Request, ARP Reply (dual ARP exchange)
§ RTP stream over a dynamic UDP port

231 Vulnerabilities: Booting /1
§ 802.1Q: the switch allows only specific VLANs
§ DHCP Discover: very little information leakage, mainly the MAC address
§ DHCP Offer: a rogue DHCP server can reply with fake TFTP and router information
§ DHCP Request / Confirm: DHCP starvation / pool depletion against the DHCP server

232 Vulnerabilities: Booting /2
§ ARP Request: very little information leakage, mainly the MAC address
§ ARP Reply: fake ARP reply (can even be sent after the original); can pretend to be the router in order to get all traffic
§ TFTP GET config file: information leakage, can get the configuration of any phone
§ TFTP DATA: fake TFTP replies (difficult, must be synchronized with requests); can pretend to be the IPT Server

233 Vulnerabilities: Signaling /3
§ TCP/UDP handshake and SCCP/SIP registration: relies on TCP ☺ difficult to inject packets; potential DoS against Call Manager (SYN flooding)
§ Key pressed, dial tone, ringing tones, "Listen on UDP port x and send to IP address Y on port z": everything in the clear… can be sniffed and modified; neither confidentiality nor integrity nor authentication

234 Vulnerabilities: Media Stream /4
§ ARP Request / Reply (dual exchange): fake ARP reply (can even be sent after the original); can pretend to be the other phone in order to get all traffic (ARPSPOOF)
§ RTP stream over a dynamic UDP port: assumes that the switch does not flood the frames on all ports (CAM flooding or MACOF); assumes good quality of transmission

235 (no content)

236 Securing the Infrastructure
§ Goal: protect the voice through the infrastructure: protecting the network element; prevent layer 2 tricks; don't forget physical security for voice
Diagram: Securing the Infrastructure / Secure the Network Element / Protect IPT servers!

237 Securing the Infrastructure: Prevent Layer 2 Tricks
§ CAM is the forwarding table of a switch: filled dynamically based on the source MAC address; if the destination MAC address is unknown => flood the frame within the VLAN
  CAM overflow: the attacker sends zillions of fake source MACs to fill the table => learning is disabled => all frames are flooded: no confidentiality
  Prevention: port security (small and finite number of MACs per port)
§ DHCP: a rogue (malicious) DHCP server handing out a fake DNS or gateway allows for man-in-the-middle attacks
  Prevention: DHCP snooping drops all replies coming from non-trusted DHCP servers

238 Securing the Infrastructure: Prevent Layer 2 Tricks (cont.)
§ ARP is the protocol that links MAC and IP addresses
  ARP spoofing: the attacker sends fake MAC/IP bindings, redirecting traffic to the attacker; breach of confidentiality and integrity
  Prevention: DHCP snooping to learn trusted bindings, drop all violations
§ Virtual LANs are used to logically segregate traffic on a physical LAN
  VLAN hopping: sending/receiving frames on another VLAN
  Prevention: well-known configuration techniques, dropping wrong-VLAN frames
§ Spanning Tree Protocol, the 'routing' protocol of layer 2, detects loops
  Fake BPDU => re-routing, recomputation (DoS)
  Prevention: drop BPDUs on all access ports, partially static topology

239 Prevent DHCP Spoofing and Exhaustion
§ DHCP Snooping creates a binding of IP address to MAC address
§ Defines ports that can …
§ Rate-limits DHCP messages
§ Resets with loss of link
Diagram: the DHCP server's replies build the binding table 10.1.1.1 aa-aa-aa-aa-aa-aa port 1/0, 10.1.1.2 bb-bb-bb-bb-bb-bb port 1/1, 10.1.1.3 cc-cc-cc-cc-cc-cc port 1/2; a DHCP Reply from dd-dd-dd-dd-dd-dd on an untrusted port is dropped ("DHCP-S: Nope!").

240 Stop Man-in-the-Middle Attacks
§ Built on the DHCP binding table
§ Dynamic ARP Inspection watches ARP/GARP for violations
§ IP Source Guard examines every packet
§ Will shun packets or disable the port
SUCCESSFULLY STOPS ETTERCAP, DSNIFF
Diagram: binding table 10.1.1.1 aa-aa-aa-aa-aa-aa 1/0, 10.1.1.2 bb-bb-bb-bb-bb-bb 1/1, 10.1.1.4 dd-dd-dd-dd-dd-dd 1/3 (DHCP), 10.1.1.3 static. The host with cc-cc-cc-cc-cc-cc at 10.1.1.4 sends GARP "I'm 10.1.1.1": DAI answers "No, you're not!"; it sends TCP "I'm 10.1.1.2": IP Source Guard answers "I don't think so!". With DAI off the victims' ARP caches are poisoned (10.1.1.1 -> cc, 10.1.1.2 -> cc); with DAI on they keep the correct aa/bb entries.

241 Prevent MAC Flooding Attacks
macof is stopped by limiting the port to no more than 3 MAC addresses
§ Why 3 MACs?
§ Phone on the data VLAN
§ Phone on the voice VLAN
§ PC on the data VLAN

242 Ignore Gratuitous ARP
§ Block acceptance of Gratuitous ARP (GARP) by the phone
§ Prevents a malicious device from assuming the identity of something else (the default router) to become man-in-the-middle
§ Doesn't really ignore it; it just doesn't update the ARP cache
§ Can lead to a DoS attack: "I have your address"
Better to do this in layer two
Diagram: 10.1.1.3 announces "I'm 10.1.1.1"; the phone 10.1.1.2 replies "I'm not listening"; 10.1.1.3 then announces "I'm 10.1.1.2", and the phone: "You are? I'm getting a new address."
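To make slides 237 to 241 concrete, the following added example (not Cisco code; the port names, MAC addresses and IP addresses are constructed) simulates the switch-side state those defences rely on: a per-port MAC limit for port security, a DHCP snooping binding table that is only populated by replies arriving on trusted ports, and Dynamic ARP Inspection and IP Source Guard that check ARP and IP packets against that table. The scenario replays the slide 239/240 diagram: a rogue DHCP reply, a gratuitous ARP claiming the router's address, a spoofed TCP source, and a macof-style flood.

```python
"""Simulation of port security, DHCP snooping, Dynamic ARP Inspection and
IP Source Guard. Added example, not Cisco code; ports and addresses are
constructed to mirror the slide diagram (10.1.1.x, aa-aa-.., ports 1/0..1/3)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    trusted_ports: set                       # ports on which a DHCP server may answer
    max_macs: int = 3                        # phone data VLAN + phone voice VLAN + PC
    bindings: dict = field(default_factory=dict)   # ip -> (mac, port), from DHCP snooping
    cam: dict = field(default_factory=dict)        # port -> set of learned source MACs
    err_disabled: set = field(default_factory=set)

    def learn_mac(self, port, mac):
        """Port security: CAM overflow (macof) is stopped by a per-port MAC limit."""
        if port in self.err_disabled:
            return "DROP: port err-disabled"
        macs = self.cam.setdefault(port, set())
        if mac not in macs and len(macs) >= self.max_macs:
            self.err_disabled.add(port)
            return "VIOLATION: port err-disabled"
        macs.add(mac)
        return "LEARN"

    def dhcp_reply(self, port, client_ip, client_mac, client_port):
        """DHCP snooping: replies from untrusted ports are dropped (rogue server);
        replies from trusted ports populate the IP/MAC/port binding table."""
        if port not in self.trusted_ports:
            return "DROP: DHCP reply on untrusted port"
        self.bindings[client_ip] = (client_mac, client_port)
        return "BIND"

    def arp(self, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: the sender IP/MAC must match the binding learned
        on that port, otherwise the ARP (or gratuitous ARP) is dropped."""
        if self.bindings.get(sender_ip) == (sender_mac, port):
            return "FORWARD"
        return "DROP: DAI violation"

    def ip_packet(self, port, src_ip, src_mac):
        """IP Source Guard: every packet's source must match a binding on its port."""
        if self.bindings.get(src_ip) == (src_mac, port):
            return "FORWARD"
        return "DROP: IP Source Guard violation"


def run_scenario():
    """Replay the slide 239/240 diagram and return the verdict for each event."""
    sw = Switch(trusted_ports={"1/24"})      # 1/24 = uplink towards the DHCP server
    r = {}
    # Legitimate leases arrive from the DHCP server on the trusted uplink.
    sw.dhcp_reply("1/24", "10.1.1.1", "aa-aa-aa-aa-aa-aa", "1/0")
    sw.dhcp_reply("1/24", "10.1.1.2", "bb-bb-bb-bb-bb-bb", "1/1")
    # Rogue DHCP server on an access port: snooping drops the offer ("Nope!").
    r["rogue_dhcp"] = sw.dhcp_reply("1/3", "10.1.1.3", "cc-cc-cc-cc-cc-cc", "1/3")
    # Host dd on 1/3 claims the router's address via GARP: DAI drops it.
    r["garp_spoof"] = sw.arp("1/3", "10.1.1.1", "dd-dd-dd-dd-dd-dd")
    # Legitimate ARP from host aa on 1/0 matches its binding.
    r["good_arp"] = sw.arp("1/0", "10.1.1.1", "aa-aa-aa-aa-aa-aa")
    # Host on 1/3 sends TCP with spoofed source 10.1.1.2: IP Source Guard drops it.
    r["ip_spoof"] = sw.ip_packet("1/3", "10.1.1.2", "dd-dd-dd-dd-dd-dd")
    # macof-style flood on 1/1: the fourth source MAC trips port security.
    for i in range(4):
        r["flood"] = sw.learn_mac("1/1", f"02-00-00-00-00-{i:02x}")
    r["flood_after"] = sw.learn_mac("1/1", "bb-bb-bb-bb-bb-bb")   # even the real host is now cut off
    return r


if __name__ == "__main__":
    for event, verdict in run_scenario().items():
        print(f"{event:12s} {verdict}")
```

The last two events show the trade-off the slide's "will shun packets or disable port" implies: once port security err-disables 1/1, the legitimate phone behind it is cut off too, so the MAC limit (3 on slide 241) has to be sized for the real devices on the port.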
244 Securing IPT Servers: Host-Based Intrusion Prevention
§ Policy-based (it controls what the server's processes are allowed to do), not signature-based
§ Zero updates
§ "Day zero" support
§ Effective against existing and previously unseen attacks

245 Design a Secure IP Telephony Network
§ Place all IP telephony servers and IP phones in different security domains (logically separate networks) from the data hosts
§ Enforce a security policy by limiting access from the data network to the IP telephony network
§ Enforce security posture everywhere (to prevent worms from degrading QoS: a worm-generated flood on the data network starves voice of bandwidth)
§ Place SCCP/SIP/MGCP-aware firewalls in front of all IPT servers and gateways
§ Run the voice network over an IPsec VPN when the IPT traffic itself is not protected (no TLS signaling, no SRTP media)

246 Firewall and NAT and IP Telephony
§ Stateful inspection of the voice signaling protocols exists for SIP, SCCP, H.323 and MGCP: the firewall reads the addresses and UDP ports negotiated in the signaling and opens pinholes for the media streams (and rewrites them when NAT is in use)
§ Issue if the signaling does not follow the media streams: 1) the signaling is inspected on one path, 2) the media stream arrives on a path whose firewall never saw that signaling, 3) no state => the media is blocked

247 Authentication of IP Phones: Types of Certificates in Phones
§ Manufacturing Installed Certificate (MIC): installed in non-erasable, non-volatile memory; rooted in the Manufacturer Certificate Authority
§ Locally Significant Certificate (LSC): installed by a local certificate authority; supersedes the MIC; can be erased via factory reset

248 Trusted Certificates
§ The Certificate Trust List (CTL) contains the list of trusted devices; it answers "Who am I?" and "Who do I trust?" for the phone
§ The IPT server's trust list is contained in a dynamic list (i.e. use of CRLs, the DN of each device must be known, ...)

249 Protecting the Signaling
§ TLS is the transport for signed, authenticated and encrypted signaling (phone and IPT server authenticate each other with the certificates above)

250 SRTP: Secure RTP
• RFC 3711, for the transport of secure media
• AES-128 (counter mode) for encryption and HMAC-SHA1 for authentication, with the tag truncated to 32 bits for voice
• High throughput, low packet expansion: 0-byte MKI and a 4-byte authentication tag per packet for voice
SRTP packet layout (RTP header fields as in RFC 3550):
  V | P | X | CC | M | PT | sequence number
  timestamp
  synchronization source (SSRC) identifier
  contributing source (CSRC) identifiers ...
  RTP extension (optional)
  RTP payload                      <- encrypted portion
  SRTP MKI (0 bytes for voice)
  authentication tag (4 bytes for voice)
Authenticated portion: the RTP header plus the (encrypted) payload. Encrypted portion: the payload only; the header stays in clear so that sequence numbers, timestamps and SSRC can still be processed by RTP-aware devices.

251 Protecting the Media Streams
§ SRTP is the transport for authenticated and encrypted media

252 Some Caveats with Firewalls
1) Signaling (encrypted)  2) Firewall: "What is this?"  3) Media stream  4) Unknown traffic => drop!
§ If the signaling is encrypted, how can the firewall inspect it to learn which media ports to open?
§ IETF is investigating multiple solutions: MIDCOM, NSIS, ... Stay tuned

253 Latency/Delay Budget: Hardware-Based Encryption Adds Minimal Latency
Branch office -> service provider -> campus, one way:
  CODEC                      10–50 ms
  Queuing                    variable
  Encrypt (hardware)         minimal
  Serialization              2–10 ms
  Propagation and network    6.3 µs/km + network delay (variable)
  Decrypt (hardware)         minimal
  Jitter buffer              20–100 ms
Total one-way latency: < 150 ms ideal, < 250 ms acceptable

254 G.729 CODEC with IPsec
G.729 packet (60 bytes):           IP hdr 20 | UDP 8 | RTP 12 | voice 20
IPsec ESP tunnel mode (112 bytes): IP hdr 20 | ESP hdr 8 | IV 8 | IP hdr 20 | UDP 8 | RTP 12 | voice 20 | ESP pad/NH 2–257 | ESP auth 12
Encrypted: from the inner IP header to the ESP pad/next-header field (60 bytes plus 4 bytes of padding and trailer, rounding up to the 8-byte cipher block). Authenticated: from the ESP header to the ESP trailer; the outer IP header and the ESP auth field itself are not covered.
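Slide 246's stateful inspection, and the caveat of slide 252 that follows from it, as an added example (not Cisco code or the ASA inspection engine): a toy firewall that opens RTP pinholes only from the SDP it can parse in cleartext SIP. The SIP messages and the TLS record are constructed; a real inspection engine also handles SCCP/H.323/MGCP, RTCP (port + 1) and NAT rewriting, which are left out.

```python
"""Added example (not Cisco code): a toy voice-aware stateful firewall. It
learns RTP media endpoints only from cleartext SIP/SDP it can parse, as the
inspection on slide 246 does, so media that arrives without matching
signaling state is dropped. The SIP messages below are constructed."""
import re

SDP_C = re.compile(r"^c=IN IP4 (\S+)", re.M)
SDP_M = re.compile(r"^m=audio (\d+) RTP/", re.M)
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)


class VoiceFirewall:
    def __init__(self):
        self.calls = {}      # Call-ID -> set of (ip, udp_port) media endpoints (pinholes)
        self.dropped = []    # media the firewall refused, for the log

    def inspect_signaling(self, msg: bytes) -> int:
        """Parse one signaling packet; return the number of pinholes opened."""
        first = msg.split(b"\r\n", 1)[0]
        if not (first.startswith(b"SIP/2.0") or first.endswith(b" SIP/2.0")):
            return 0           # not cleartext SIP (e.g. a TLS record): nothing to learn
        text = msg.decode("ascii", "replace")
        cid = CALL_ID.search(text)
        if cid is None:
            return 0
        if first.startswith(b"BYE"):
            self.calls.pop(cid.group(1), None)   # call over: close its pinholes
            return 0
        c, m = SDP_C.search(text), SDP_M.search(text)
        if c is None or m is None:
            return 0           # no SDP (e.g. 100 Trying): nothing to open
        self.calls.setdefault(cid.group(1), set()).add((c.group(1), int(m.group(1))))
        return 1

    def allow_media(self, dst_ip: str, dst_port: int) -> bool:
        """Stateful check for a UDP/RTP packet heading to dst_ip:dst_port."""
        if any((dst_ip, dst_port) in eps for eps in self.calls.values()):
            return True
        self.dropped.append((dst_ip, dst_port))
        return False


# Constructed signaling for one call between 10.1.1.1 and 10.2.2.2 (G.729, PT 18).
INVITE = (b"INVITE sip:bob@10.2.2.2 SIP/2.0\r\nCall-ID: c1@10.1.1.1\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 10.1.1.1\r\nm=audio 16384 RTP/AVP 18\r\n")
OK200 = (b"SIP/2.0 200 OK\r\nCall-ID: c1@10.1.1.1\r\n\r\n"
         b"v=0\r\nc=IN IP4 10.2.2.2\r\nm=audio 20000 RTP/AVP 18\r\n")
BYE = b"BYE sip:bob@10.2.2.2 SIP/2.0\r\nCall-ID: c1@10.1.1.1\r\n\r\n"
TLS_RECORD = b"\x16\x03\x01\x00\x30" + bytes(48)   # constructed: opaque TLS bytes


def run_calls():
    fw = VoiceFirewall()
    r = {}
    r["opened"] = fw.inspect_signaling(INVITE) + fw.inspect_signaling(OK200)
    r["media_ok"] = fw.allow_media("10.2.2.2", 20000)            # negotiated port
    r["media_other_port"] = fw.allow_media("10.2.2.2", 20002)
    r["media_unseen_host"] = fw.allow_media("10.3.3.3", 16384)   # signaling took another path
    fw.inspect_signaling(BYE)
    r["media_after_bye"] = fw.allow_media("10.2.2.2", 20000)
    # Slide 252: encrypted signaling is opaque, so no pinhole exists for its media.
    r["tls_opened"] = fw.inspect_signaling(TLS_RECORD)
    r["tls_media"] = fw.allow_media("10.2.2.2", 20000)
    r["dropped"] = len(fw.dropped)
    return r


if __name__ == "__main__":
    print(run_calls())
```

The same rule produces both behaviours on the slides: media is forwarded only to endpoints the firewall read from signaling it saw, so a stream whose signaling went around the firewall, or whose signaling was TLS-encrypted, is "unknown traffic" and dropped.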
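The authenticated and encrypted portions of slide 250 as an added example, not Cisco's or the RFC's reference code: the RFC 3711 tag computation over header, encrypted payload and rollover counter, with the 32-bit truncated HMAC-SHA1 used for voice. The session key, SSRC and the "already encrypted" 20-byte payload are constructed, and the AES counter-mode keystream that encrypts the payload is not reproduced (there is no AES in the standard library), so the payload is treated as opaque ciphertext.

```python
"""Added example (not Cisco or RFC reference code): the SRTP authentication
path of slide 250 with Python's standard library. The key, SSRC and payload
are constructed; the payload stands for the AES-CM ciphertext, which is not
recomputed here."""
import hashlib
import hmac
import struct

TAG_LEN = 4            # 32-bit truncated HMAC-SHA1 tag, "4 bytes for voice"


def rtp_header(pt: int, seq: int, ts: int, ssrc: int, marker: int = 0) -> bytes:
    """12-byte RTP header: V=2, P=0, X=0, CC=0 (no CSRCs, no extension)."""
    return struct.pack("!BBHII", 2 << 6, (marker << 7) | pt, seq, ts, ssrc)


def parse_rtp_header(pkt: bytes) -> dict:
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return {"V": b0 >> 6, "P": (b0 >> 5) & 1, "X": (b0 >> 4) & 1, "CC": b0 & 0xF,
            "M": b1 >> 7, "PT": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}


def srtp_tag(auth_key: bytes, authenticated_portion: bytes, roc: int) -> bytes:
    """RFC 3711 4.2: HMAC over (RTP header || encrypted payload || ROC), truncated.
    The 32-bit rollover counter ties the tag to the full 48-bit packet index."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


def protect(auth_key: bytes, rtp_packet: bytes, roc: int) -> bytes:
    # Voice profile: the MKI is absent (0 bytes); only the tag is appended.
    return rtp_packet + srtp_tag(auth_key, rtp_packet, roc)


def verify(auth_key: bytes, srtp_packet: bytes, roc: int) -> bool:
    body, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
    return hmac.compare_digest(tag, srtp_tag(auth_key, body, roc))


def demo() -> dict:
    auth_key = bytes.fromhex("a0" * 20)          # constructed 160-bit session auth key
    enc_payload = bytes(range(20))                # constructed: 20 bytes of G.729 ciphertext
    rtp = rtp_header(pt=18, seq=1000, ts=160000, ssrc=0xDEADBEEF) + enc_payload
    srtp = protect(auth_key, rtp, roc=0)
    tampered = bytearray(srtp)
    tampered[15] ^= 0x01                          # flip one bit inside the payload
    return {
        "header": parse_rtp_header(srtp),         # header is still readable in clear
        "expansion": len(srtp) - len(rtp),        # 4 bytes, as on the slide
        "valid": verify(auth_key, srtp, roc=0),
        "tampered": verify(auth_key, bytes(tampered), roc=0),
        "replayed_next_roc": verify(auth_key, srtp, roc=1),
        "wrong_key": verify(bytes(20), srtp, roc=0),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The header parses exactly as it would from plain RTP, which is why firewalls and QoS tooling can still follow an SRTP stream; the tag rejects a flipped ciphertext bit, a different key and a packet replayed after the sequence number wraps, at a cost of 4 bytes per packet.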
255 G.729 CODEC with GRE and IPsec
G.729 packet (60 bytes):           IP hdr 20 | UDP 8 | RTP 12 | voice 20
GRE (84 bytes):                    IP hdr 20 | GRE 4 | IP hdr 20 | UDP 8 | RTP 12 | voice 20
IPsec ESP tunnel mode (136 bytes): IP hdr 20 | ESP hdr 8 | IV 8 | IP hdr 20 | GRE 4 | IP hdr 20 | UDP 8 | RTP 12 | voice 20 | ESP pad/NH 2–257 | ESP auth 12
(encrypted: the GRE packet plus ESP pad/NH, 84 + 4 = 88 bytes; authenticated: from the ESP header to the ESP trailer)

256 G.711 CODEC with GRE and IPsec
G.711 packet (200 bytes):          IP hdr 20 | UDP 8 | RTP 12 | voice 160
GRE (224 bytes):                   IP hdr 20 | GRE 4 | IP hdr 20 | UDP 8 | RTP 12 | voice 160
IPsec ESP tunnel mode (280 bytes): IP hdr 20 | ESP hdr 8 | IV 8 | IP hdr 20 | GRE 4 | IP hdr 20 | UDP 8 | RTP 12 | voice 160 | ESP pad/NH 2–257 | ESP auth 12
(encrypted: 224 + 8 = 232 bytes; authenticated: from the ESP header to the ESP trailer)

258 Acknowledgements
§ Jason Halpern, Eric Vyncke, Fabio Ganzaroli, Maria Lidia Del Vasto, Alessio "Mayhem" Pennasilico, Antonio Mauro, Andrea Pasquinucci, ...
§ NIST, VoIPSA, AIPSI, CLUSIT
§ wwwin/search, Google
§ and Voi(p), you who stayed to listen...

259 Links for More Information
§ cisco.com/go/ipcsecurity
§ J. Halpern, Cisco SAFE: IP Telephony Security in Depth, http://cisco.com/warp/public/cc/so/cuso/epso/sqfr/safip_wp.pdf
§ Misitano, Pasquinucci, "VoIP: una interessante novitá...." (VoIP: an interesting novelty...), http://misitano.com/pubs/voip-ictsec.pdf
§ NIST SP 800-58, Security Considerations for VoIP Systems, http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
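The byte counts on slides 254–256 reproduced by a small calculator, as an added example (not Cisco code; only the slide values themselves are Cisco's figures): it applies the ESP padding rule that yields 112, 136 and 280, and goes beyond the slides by computing per-direction bandwidth at 50 packets/s (20 ms of voice per packet, an assumption) and the AES-128-CBC variant with a 16-byte IV and block.

```python
"""Added example (not Cisco code): reproduces the packet sizes on the three
codec/encapsulation slides above (60/112, 84/136, 224/280) and extends them
to per-direction bandwidth and to an AES-CBC transform. Header sizes are the
ones the slides use; 50 packets/s assumes 20 ms of voice per packet."""

IP_HDR, UDP_HDR, RTP_HDR, GRE_HDR = 20, 8, 12, 4
ESP_HDR, ESP_ICV, ESP_TRAILER = 8, 12, 2     # SPI+seq, HMAC-96 auth field, pad-len+next-header

CODECS = {"G.729": 20, "G.711": 160}         # voice bytes per 20 ms packet


def voice_packet(codec: str) -> int:
    """IP/UDP/RTP packet carrying one 20 ms voice sample."""
    return IP_HDR + UDP_HDR + RTP_HDR + CODECS[codec]


def gre_size(inner: int) -> int:
    return IP_HDR + GRE_HDR + inner


def esp_padding(inner: int, block: int) -> int:
    """Padding so that inner + padding + trailer is a multiple of the cipher block."""
    return (-(inner + ESP_TRAILER)) % block


def esp_tunnel_size(inner: int, block: int = 8, iv: int = 8) -> int:
    """ESP tunnel mode: outer IP | ESP hdr | IV | [inner | pad | trailer] | ICV.
    Defaults are the 8-byte block and IV of DES/3DES-CBC, as on the slides."""
    encrypted = inner + esp_padding(inner, block) + ESP_TRAILER
    return IP_HDR + ESP_HDR + iv + encrypted + ESP_ICV


def kbps(packet_bytes: int, pps: int = 50) -> float:
    return packet_bytes * 8 * pps / 1000


def budget(codec: str, gre: bool = False, block: int = 8, iv: int = 8) -> dict:
    plain = voice_packet(codec)
    inner = gre_size(plain) if gre else plain
    sec = esp_tunnel_size(inner, block, iv)
    return {"codec": codec, "gre": gre, "plain": plain, "inner": inner, "ipsec": sec,
            "overhead_pct": round(100 * (sec - plain) / plain, 1),
            "kbps_plain": kbps(plain), "kbps_ipsec": kbps(sec)}


if __name__ == "__main__":
    for codec in CODECS:
        for gre in (False, True):
            print(budget(codec, gre))
    print("G.729 over AES-128-CBC, no GRE:", budget("G.729", block=16, iv=16))
```

The padding step is what the slides hide behind "2–257": for G.729 the 62 bytes of inner packet plus trailer round up to 64, for G.711 over GRE 226 rounds up to 232, and with a 16-byte AES block the same G.729 packet costs 120 bytes instead of 112. The overhead matters most for the small G.729 packet, whose bandwidth almost doubles (24 kbit/s to 44.8 kbit/s per direction) before GRE is added.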
261 Agenda (wrap-up: every session is ticked off)
09:00 - 09:30 Registration ✓
09:30 - 10:00 Welcome and introduction
10:00 - 10:30 Cisco strategy for 2007 and news from Product Management ✓
10:30 - 10:45 How to steer customers towards ASA ✓
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA new product lineup, new features and roadmap ✓
12:00 - 12:45 Cisco NAC ✓
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner self-enablement tools ✓
14:00 - 14:30 Security Management: what's new in MARS and CS-Manager ✓
14:30 - 15:30 Technical session: VoIP/IPT security analysis and countermeasures ✓
15:30 - 16:00 Closing and prize draw!
264 Marco L. Misitano, CISSP, CISA, CISM
Consulting Systems Engineer, Cisco Italy
misi@cisco.com