PINT 23.11.2006
Milan/Rome
23 November 2006
WELCOME TO
SECURITY
Marco Misitano
misi@cisco.com
marco misitano :: misi@cisco.com :: © 2006 Cisco, All rights reserved.
Agenda
09:00 - 09:30 Registration
09:30 - 10:00 Welcome and introduction
10:00 - 10:30 Cisco strategy for 2007 and news from Product Management
10:30 - 10:45 How to steer customers towards ASA
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA new product lineup, new features and roadmap
12:00 - 12:45 Cisco NAC
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner self-enablement tools
14:00 - 14:30 Security Management: What's new in MARS and CS-Manager
14:30 - 15:30 Technical session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00 Closing and prize draw!
Two or three things…
§ Milan and Rome
§ Logistics
§ Prizes
§ Evaluation form
§ Q&A
§ …
Upcoming events (no more excuses to say "I didn't know…")
§ Networkers, 30 January - 2 February 2007, Cannes
§ ASA Training, 18/19 December, Monza (2 days)
§ ISR Security, 18 January 2007, Monza
§ ISR Security, 19 January 2007, Rome
§ Expo, 6-7 March 2007
§ PINT Security, 16 May 2007 (Monza + Rome)
§ Security Sales Enabler Seminar: 11 January Vimercate, 12 January Rome
§ 3000+ attendees expected from Europe, Middle East and Africa
§ The 2007 Technology Roadmap is articulated around 9 technology tracks: Application Optimisation Technologies, Campus and Wireless Evolution, Data Centres, IP & MPLS Infrastructure Evolution, IP NGN Architectures and Technologies, Management and Operations, Mobility, Security, Unified Communications Technologies
§ More than 100 sessions delivering in-depth innovation technology content
§ Technology panels and case study sessions
§ 22 techtorials covering technology updates or project-based case studies (on techtorial day – Dec 12)
§ Targeting 111 Strategic Solutions partners showcasing innovation solutions (exhibition)
§ NEW: 11 labs offering hands-on mentored technology sessions
§ The Networkers Innovation Awards Ceremony will reward those companies that have deployed and successfully implemented innovative technologies
§ 1 FREE Cisco Career Certification or CCIE Written Exam per registrant
§ 200+ Cisco technology experts in all technology areas available
§ And… a customer appreciation event not to be missed!
§ Registration live at www.cisco.com/networkers
Security Product Management Update
Maurizio Taffone
PM Security-European Markets
PINT Rome-Milan November 21st, 2006
TMO-Security 2006-2007
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Agenda
§ Product Update – Key Portfolio Innovations:
- ASA
- IPS
- ISRs, High-end routers
§ Product Focus:
- ASA
- IPS
- NAC
§ Product Update
Cisco ASA 5500 Series and Catalyst 6500 Services Modules
Figure: security services platforms plotted against performance. Cisco ASA 5500 platforms: ASA 5505 (New), ASA 5510, ASA 5520, ASA 5540, ASA 5550; security services modules: SSC (New), SSM-10, SSM-20; Catalyst 6500 service modules: FWSM, IDSM2, Anomaly Detector and Guard. Performance axis: 100 Mbps, 300 Mbps, 500 Mbps, 1 Gbps, 1-2+ Gbps.
Cisco Intrusion Prevention Family
Figure: Cisco IPS platforms plotted against performance. Platforms: SecureWAN IPS 9-45 Mbps, NM-CIDS 45 Mbps, IDS 4215 65 Mbps, AIP-SSM for the Cisco ASA platform 150-450 Mbps Firewall+IPS, IDS 4240 250 Mbps, IDSM-2 Blade 500 Mbps, IPS 4255 600 Mbps, IPS 4260 1 Gbps, Catalyst 6500 IDSM2 Bundles 2 Gbps. Performance axis: 50 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps.
Cisco Router Security Portfolio
Figure: Cisco router security platforms plotted against performance ("Confidential Communications Leadership NOW!"). Platforms: Cisco 800 Series ISR, Cisco 1800 Series ISR, Cisco 2800 Series ISR, Cisco 3800 Series ISR, Cisco 7301, Cisco 7200 Series (NPE-G2, PA Jacket Card), Cisco 7600 Series, Catalyst 6500 Series. IPsec VPN throughput: 30 Mbps, 45 Mbps, 66 Mbps, 180 Mbps; SSL VPN users: 2, 25, 50, 100, 150 (SSL & IPsec, New SEP-06); tunnels: 5K, 8K, 16K. VPN modules: AIMVPN/SSL-1 95 Mbps / 50 users, AIMVPN/SSL-2 145 Mbps / 100 users, AIMVPN/SSL-3 200 Mbps / 200 users (NEW SEP-06); VAM II+ 280 Mbps, VSA 950 Mbps; IPsec VPN SPA 2.5 Gbps x 10 = 25 Gbps.
§ Product Focus: ASA
Cisco Adaptive Security Device Manager (ASDM) v5.2
Dashboard Provides At-a-Glance View of System Status
• Dashboard provides instant status of items such as:
- Software versions installed
- Interface status and throughput
- Platform uptime
- Security contexts
- Real-time syslog viewer (last ten)
- Powerful search capabilities
- And more!
Now Available in ASDM 5.2: New Rule Table
Many Enhancements Coming to Primary Focus Area
§ Redesigned rule table for streamlined policy creation
§ Able to create objects, object-groups and rules from a single UI
§ Policy visualizer provides a graphical view of actions
§ Policy query in the rule table for advanced filtering
§ "Show log" for a particular access rule in the real-time log viewer
§ Options to expand and display elements in an object group
§ Ability to see attributes of an object or members of a group via tooltips
Now Available in ASDM 5.2: Packet Tracer
Live Tool to Determine Day In the Life of a Packet
PACKET TRACING: enables the injection of arbitrary packets through the system to audit policy configuration and enforcement
Benefits
§ Enables policy tuning and refining
§ Enables rapid troubleshooting
§ Simplifies fault isolation in complex policy environments
§ First pro-active debugging tool
Now Available in Cisco ASDM 5.2
Logging Enhancements
§ Structured syslogs in Real-time Log Viewer
§ Parse all the syslogs and put into tabular structure
§ Coloring of logs based on severity
§ Integrated syslog guide within the Real-time Log Viewer
§ "Explanation" and "Recommended Action" for each syslog
§ Single-click rule creation from syslog
§ Ability to show the access rule which created this syslog
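As an added example (not code from the original slides or from Cisco), the following Python script shows what the structured log view described above amounts to: it parses ASA syslog headers into severity, message ID and text, pulls the access rule and 5-tuple out of access-list messages (IDs 106023 and 106100), colours rows by severity, and drafts a permit ACE from a denied flow for an administrator to review. The sample log lines and the colour scheme are constructed for the example.

```python
"""Parse Cisco ASA syslog lines into a severity-coloured table and draft an ACE (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASA header: [<PRI>][Mon DD hh:mm:ss host ]%ASA-<severity>-<message id>: <text>
HEADER_RE = re.compile(
    r"^(?:<\d+>)?(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+)?"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# 106023: Deny proto src if:A/port dst if:B/port by access-group "NAME" [...]
DENY_106023_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))? by access-group "(?P<acl>[^"]+)"')
# 106100: access-list NAME permitted|denied proto if/A(port) -> if/B(port) hit-cnt N ...
ACL_106100_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[\w-]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> (?P<dif>[\w-]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)")
SEVERITY_NAME = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                 4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
# Assumed colour scheme for the table view (not ASDM's own palette).
COLOUR = {0: "red", 1: "red", 2: "red", 3: "orange", 4: "yellow", 5: "green", 6: "green", 7: "green"}


@dataclass
class LogRow:
    severity: int
    msgid: str
    text: str
    fields: Dict[str, str] = field(default_factory=dict)  # proto/src/dst/acl when parsed

    @property
    def colour(self) -> str:
        return COLOUR[self.severity]

    @property
    def access_rule(self) -> Optional[str]:
        """Name of the access rule that produced this syslog, if the message carries one."""
        return self.fields.get("acl")


def parse_line(line: str) -> Optional[LogRow]:
    """Return a structured row, or None for lines that are not ASA syslogs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    row = LogRow(int(m["sev"]), m["msgid"], m["text"])
    body = None
    if row.msgid == "106023":
        body = DENY_106023_RE.search(row.text)
    elif row.msgid == "106100":
        body = ACL_106100_RE.search(row.text)
    if body:
        row.fields = {k: v for k, v in body.groupdict().items() if v is not None}
        row.fields.setdefault("action", "denied")  # 106023 is always a deny
    return row


def parse_lines(lines: List[str]) -> List[LogRow]:
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def draft_permit_ace(row: LogRow) -> Optional[str]:
    """Draft an ACE in ASA 'access-list ... extended' syntax that would permit a denied
    flow. It is a proposal for an administrator to review, never applied automatically."""
    f = row.fields
    if f.get("action") != "denied" or "acl" not in f:
        return None
    ace = f"access-list {f['acl']} extended permit {f['proto']} host {f['sip']} host {f['dip']}"
    if f["proto"] in ("tcp", "udp") and f.get("dport"):
        ace += f" eq {f['dport']}"
    return ace


def to_table(rows: List[LogRow]) -> str:
    """Render the fixed columns a log viewer would show (severity, ID, colour, ACL, flow)."""
    out = ["SEV   ID      COLOUR  ACL          FLOW / TEXT"]
    for r in rows:
        f = r.fields
        flow = (f"{f['proto']} {f['sip']}:{f.get('sport', '-')} -> {f['dip']}:{f.get('dport', '-')}"
                f" ({f['action']})" if f else r.text[:48])
        out.append(f"{r.severity}-{SEVERITY_NAME[r.severity][:3]} {r.msgid}  {r.colour:<7} "
                   f"{r.access_rule or '-':<12} {flow}")
    return "\n".join(out)


# Constructed sample lines modelled on ASA message formats (not captured from a real device).
SAMPLE_LOGS = [
    '<164>Nov 23 09:30:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/41234 '
    'dst inside:10.0.0.5/80 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.9(51000) '
    '-> dmz/10.0.1.10(443) hit-cnt 1 first hit [0x1, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51000 '
    '(203.0.113.9/51000) to dmz:10.0.1.10/443 (10.0.1.10/443)',
    '%ASA-2-106001: Inbound TCP connection denied from 198.51.100.4/1025 to 10.0.0.5/23 '
    'flags SYN on interface outside',
    'Nov 23 09:30:05 fw1 not an ASA message at all',
]

if __name__ == "__main__":
    rows = parse_lines(SAMPLE_LOGS)
    print(to_table(rows))
    print("draft ACE for the first deny:", draft_permit_ace(rows[0]))
```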
§ Product Focus: IPS
Cisco IPS IDSM-2 Bundle
2 Gbps IPS Solutions
Includes: 6506 + SUP32 + 4 x IDSM-2s + interfaces
• 2 Gbps of performance
• Leveraging the reliability of the Catalyst switch chassis
• Single, simultaneous policy push to all blades for a seamless configuration
• Sup redundancy capability
• Flexible interface options: 8 x 10/100/1000 / 2 x 10GE
• DC power option for SPs and Telcos
• Redundant power supply
• Easy ELB configuration
• Additional slot for increased port density / other services
• CatOS & IOS support
Availability: NOW!!
§ Product Focus: NAC
NAC Statements
§ Cisco Strategy:
Provide a comprehensive NAC solution today
Provide a NAC solution leveraging customer’s network and
system infrastructure today
Provide value-add features leveraging Cisco’s network and
system infrastructure
§ Go-to-Market:
Lead with NAC Appliance in the next 12-18 months
Position “VPN/Wireless/LAN” and “Enterprise-ready”
Market NAC “now”
NAC Strategy - Update
Challenge: How do I explain the multiple Cisco NAC approaches?
ANSWER: It’s about total product lifecycle
Just like Cisco offers firewalls/IPS in three different forms—appliance, network modules,
and embedded—so we offer NAC in the same format.
Customer environments are complex; could use multiple approaches to implement NAC
Challenge: Customer is eager to deploy wired 802.1x
ANSWER: Slow roll the 802.1x project
Direct customers to prioritize posture requirements first by selling NAC Appliance
Ensure customer focuses on deploying 802.1x from Cisco
NAC Strategy - Why Now?
Challenge: Customers want to wait.
ANSWER: Understand and explain maturity cycle
NAC undergoes a maturity cycle—SNMP (established) to .1x (maturing technology)
Start with proven SNMP solution today, then migrate over time as .1x in LAN matures
Appliance technology TODAY has in-band, OOB SNMP and will have 802.1x overlay support
Challenge: Customers want to wait for NAC/NAP.
ANSWER: Understand customer network and business drivers
NAC Appliance supports a “total customer business environment” today
With Microsoft, we support AD, GPO, WSUS, SMS, WinXP/2K/98/ME, Security Updates
Plus, NAC Appliance supports heterogeneous networks: Mac, Linux, PalmOS, etc.
NAC Appliance Microsoft Support
Current:
- Windows OS Support: XP (Home/Pro/MCE/Tablet), 2000/ME/98 (Agent); WinCE/WinMobile (Agentless)
- AD Single-Sign-On
- Windows 2003/2000 Server
- Windows Hotfixes/AV Checks: auto-updates to pre-configured hotfix and OneCare AV checks
- Windows Update via WSUS: ability to configure Windows Updater and launch WSUS agent for auto-remediation
New in 4.1:
- GPO Launch post Authentication (4.1): ability to launch GPO to tie AD desktop policy to access VLAN
- WSUS Agent immediate launch (4.1): ability to force WSUS agent to remediate now
- Microsoft SMS Agent remediation (4.1.x): launch SMS Agent during remediation or x days old
- IE7.0 and Vista Support: Vista Agent within 30-45 days of Vista commercial availability
- Login Script "hold" Configuration: provide a configuration to hold login script mapping till access VLAN
Future: Cisco NAC/Microsoft NAP Integration – technology proved and in beta today!
New Features in Release 4.1
Feature areas: Enterprise Agent Features, Enterprise Deployment Features, Enterprise Reporting Features
§ CAS Fallback
§ Silent Audit
§ Enhanced Reporting
§ Agent/Applet Release/Renew (for IPT)
§ Close Login/Logout screen after x seconds
§ OOB Switch OID via Updates
§ Trigger GPO Update
§ Launch any "Signed" Executable
§ CDL Timer Enhancement
§ Mac OS X Agent (Auth Only)
§ 14 International Languages
Q and A
23 November 2006
How to steer customers towards ASA
Roberto Mircoli
Business Development Manager
rmircoli@cisco.com
Agenda
Market evolutions
ASA – How to accelerate demand
ASA – How to handle objections
ASA – A few sales tools
Q&A
MARKET EVOLUTIONS
Good and bad news…
SECURITY - Market Dynamics Summary
§ Security appliances are ideal for remote offices and SMEs, of which Italy has plenty. Indeed, IDC estimates that Italy will enjoy the highest 2005-2009 CAGR (31.9%) in security appliances in all of Europe.
Annual Growth (%) - ITALY
Year | Firewall & VPN | IDS & IPS
2007-2008 | 6.2 | 15.7
2008-2009 | 3.0 | 10.8
Source: Cisco analysis
§ IDC estimates that UTM security appliances in particular will grow in Italy at a 69.1% CAGR over 2004-2009.
§ In Italy there is a very large installed base of PIX and VPN3K, which must be systematically migrated to ASA (the series is finally complete: ASA5505-ASA5550).
Figure: Advanced Security EMEA market, CY2005-CY2008, $0 to $800,000,000, by segment: SSL VPN Gateways, NIPS & HIPS, Gateway Anti-Virus, Security management; the corresponding Cisco offerings are annotated as SSL VPN, Host & Network IPS, CSC SSM, and MARS, CSM, ICS, CCA. Source: Infonetics, March 2006 and DataMonitor, Oct. 2005.
Cisco Adaptive Security Appliance
Here is the value proposition!
1. Adaptive, converged security services & great VPN flexibility
"ASA provides complete protection against today's threats with integrated Firewall, VPN, IPS and Anti-X functionality"
2. Lower CapEx and OpEx for you and your customers
"Standardise all your security needs on a single platform and benefit from a single tool for multiple security services"
3. Reduce pre-sales costs
"Develop your skills on a single platform while still being able to offer differentiated products and services to your customers: Firewall, VPN, IPS, Anti-X"
4. Ease of configuration and management
"Cisco includes the Cisco Adaptive Security Device Manager (ASDM) free of charge, a powerful and greatly simplified tool for managing and monitoring ASA"
5. Future-proof investment protection
"Security needs inherently change over time: the performance and modularity of ASA let you expand the security services at your customers over time"
GENERATING AND ACCELERATING DEMAND
Let's explore new perspectives…
Generating demand for Anti-X services
1. Do you keep having problems with viruses and worms?
2. Is mitigating spyware and malware a priority for your company?
3. Is SPAM congesting your network and hurting the productivity of your staff?
4. Do you want more control over how internet access is used, to improve the protection of your IT environment and the productivity of the organisation?
Generating demand for IPS services
1. Is controlling unauthorised access a priority for you?
2. Are you exploring a simplified way of introducing IPS technology into your network?
3. How are you mitigating next-generation viruses and worms on your network? Do you plan to add IPS technology in the future?
4. Is your company subject to legal and/or regulatory requirements (e.g. privacy, SOX, Basel II)?
Generating demand for SSL VPN
1. Would you like to give your employees remote access from wherever they are, from any PC?
2. Do you need to give network access to PCs and devices not managed by your department as well?
3. Are you exploring the option of personalised user portals or extranet applications?
4. Is the security of your data when accessed by remote/mobile users a priority for you?
HANDLING OBJECTIONS
If everything were easy… we wouldn't have any fun!
And yet you are still selling PIX and VPN3K…
"My customer only needs the firewall functionality"
Even when used only for its firewall functionality, an ASA performs much better than a PIX at the same price. It also opens up the possibility, for you and your customers, of adding further security functionality, now or in the future.
"I know the PIX well and have all the skills on it; I don't want to / can't spend time learning how to configure the ASA as well"
The ASA has the same operating system as the PIX: if you already know the PIX, you are already well versed in ASA too.
"My customer has an installed base of PIX and prefers not to mix different products"
Since the ASA is based on the same architecture and operating system as the PIX, it can also be deployed in mixed configurations alongside existing PIX units. Also consider the attractive PIX → ASA trade-in programme your customers can take advantage of to renew their security infrastructure, benefiting from the higher performance and richer security services on board the ASA.
"My customer knows and appreciates the VPN3K and only needs the VPN functionality"
The ASA can be used in combination with the VPN3K. Here too, consider the attractive VPN3K → ASA trade-in programme your customers can take advantage of to renew and standardise their VPN & security infrastructure on ASA.
Cisco ASA 5500
Significant Benefits over Cisco PIX Firewall
Figure: throughput in Mbps (0-300 scale) for Firewall, Firewall + IPS and Firewall + VPN, Cisco ASA 5510 (list price $3,495) vs Cisco PIX 515E-R (list price $3,495).
Cisco ASA 5510 Solution Benefits over Cisco PIX 515E Firewall
§ Nearly double the price/performance
§ Additional upgradeable services
Anti-X capabilities and Intrusion Prevention
Integrated SSL and IPSec VPN support
Positioning ASA 5500 vs VPN3K
ASA 5500 is the replacement platform for every VPN3K and is superior from EVERY point of view
§ SSL VPN option
ASA has 10 times the scalability on SSL VPN
ASA offers more SSL VPN functionality and more sophisticated QoS support
§ Performance
ASA performs decidedly better, 4x-50x
§ Price
ASA can cost up to 45% less for IPSec functionality
§ Investment protection
ASA also provides IPS, Anti-X and firewall
ASA has stateful failover and can join VPN3K clusters for load balancing and/or gradual migration
What you told me…
"There is certainly a component of 'commercial inertia': the sales people know PIX part numbers and configurations by heart, so in the absence of different directives the PIX is still their first option today"
"We don't know ASA well yet, so unless the customer explicitly asks for it we keep positioning PIX and VPN3K"
"...but between PIX and ASA, which does Cisco prefer to push more? It's not clear to me; if I knew, I would certainly align with the strategy, since it is also in our interest as resellers to offer customers platforms on which future development is guaranteed"
"Initially, beyond Firewall and VPN, only the IPS functionality was available on ASA, which is however rather hard to position given its complexity (configuration, log management...). The CSC-SSM module (i.e. the one with TrendMicro technology) now available is much more interesting; we consider it a real booster for ASA sales"
"Caution: when Cisco introduced ASA it was a new platform and software version (7.0), so we took 6 months to analyse it well before proposing it proactively"
"Selling 2 or more boxes (e.g. PIX + VPN + IDS) instead of just 1 (ASA) is better for us"
Take part in Cisco's technical & sales training
Invest in ASA demo units
Dig into the TMIC technology on CSC-SSM
Encourage new attitudes among sales people
A FEW SALES TOOLS
If you need anything else, let us know
Trade-in Programme for Cisco ASA
Cisco & Competitive
§ Competitor solutions included in the programme
CTMP Security – http://cco.cisco.com/offer/tic/Security_Migration_Plan_Promo.htm
Check Point
Nokia
Fortinet
Nortel
ISS
SonicWALL
Juniper / Netscreen
Symantec
McAfee / Network Assoc.
Watch Guard
§ Cisco platforms included in the programme
TMP Security – http://www.cisco.com/web/partners/pr11/incentive/tmp/security.html
PIX 501, 506/506E, 515/515E, 520, 525, and 535
IPS 4210, 4215, 4230, 4235, 4240, 4250, 4250XL, and 4255
VPN 3002, 3005, 3015, 3020, 3030, 3060, and 3080
PIX -> ASA – Conversion Matrix
There is a replacement ASA for every PIX model!
http://www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1031/cdccont_0900aecd8053258b.pdf
                          | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Target Market             | SOHO and ROBO | SMB and SME | Enterprise | Medium Enterprise | Large Enterprise
List Price                | Starting at $595 | Starting at $3,495 | Starting at $7,995 | Starting at $16,995 | Starting at $19,995
Performance
Max Firewall              | 150 Mbps | 300 Mbps | 450 Mbps | 650 Mbps | 1.2 Gbps
Max Firewall + IPS        | Future | 150 Mbps | 375 Mbps | 450 Mbps | N/A
Max IPSec VPN             | 100 Mbps | 170 Mbps | 225 Mbps | 325 Mbps | 425 Mbps
Max IPSec / SSL VPN Peers | 25 / 25 | 250 / 250 | 750 / 750 | 5000 / 2500 | 5000 / 5000
PIX Replacement           | PIX 501, PIX 506E | PIX 515 | PIX 525 | PIX 525 | PIX 535
ASA Seeding Unit: a possible example (*)
SMB Business Case
§ Cost of an ASA5505-BUN-K9 demo unit (GPL 595K$, NFR disc. 70%): €142
§ Mark-up on the sale of an ASA5505-SSL25-K9 (GPL 3.7K$, disc. 40%, margin 8%): €142
§ Duration of an on-site demo at a prospect: 15 days
§ Deal rate (= #sales / #demos carried out): 50%
§ So, without counting the pull-through of associated services, to recover the €142 investment it is enough to sell just 1 unit of ASA5505-SSL25-K9
§ This is equivalent to generating a funnel of 2 prospects
§ So the pay-back of an ASA5510 demo unit is around: 15 days x 2 = 30 days
Promo valid until 31/12/2006
€3.90/month
(*) discounts may vary depending on partnership level
ASA Seeding Unit: a possible example (*)
Mid-Mkt Business Case
§ Cost of an ASA5510-CSC10-K9 demo unit (GPL 7.2K$, NFR disc. 70%): $2,160
§ Mark-up on the sale of an ASA5510-SSL250-K9 + ASA-CSC-10-INC-K9 (GPL 23.5K$+4.5K$=28K$, disc. 40%, margin 8%): $1.4K
§ Duration of an on-site demo at a prospect: 15 days
§ Deal rate (= #sales / #demos carried out): 50%
§ So to recover the $2,160 investment it is enough to sell (without counting the pull-through of associated services):
$2,160 / $1,400 = 1.54 units of ASA5510-SSL250-K9 + ASA-CSC-10-INC-K9
§ This is equivalent to generating a funnel of 1.54 / 50% = 3 prospects
§ So the pay-back of an ASA5510 demo unit is around: 15 days x 3 = 45 days
Promo valid until 31/12/2006
$60/month
(*) discounts may vary depending on partnership level
Roberto Mircoli
rmircoli@cisco.com
www.cisco.com/go/asa
ASA 5500
New Product Lineup, New Features and Roadmap
Luca Bertagnolio
Introducing the ASA 5505 and 5550
Cisco ASA 5500 Series Product Lineup
Solutions Ranging from SOHO, SMB to Large Enterprise
                          | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550
Target Market             | SOHO and ROBO | SMB and SME | Enterprise | Medium Enterprise | Large Enterprise
List Price                | Starting at $595 | Starting at $3,495 | Starting at $7,995 | Starting at $16,995 | Starting at $19,995
Performance
Max Firewall              | 150 Mbps | 300 Mbps | 450 Mbps | 650 Mbps | 1.2 Gbps
Max Firewall + IPS        | Future | 150 Mbps | 375 Mbps | 450 Mbps | N/A
Max IPSec VPN             | 100 Mbps | 170 Mbps | 225 Mbps | 325 Mbps | 425 Mbps
Max IPSec / SSL VPN Peers | 25 / 25 | 250 / 250 | 750 / 750 | 5000 / 2500 | 5000 / 5000
Platform Capabilities
Max Firewall Conns        | 10,000 / 25,000 | 50,000 / 130,000 | 280,000 | 400,000 | 650,000
Max Conns/Second          | 3,000 | 6,000 | 9,000 | 20,000 | 28,000
Base I/O                  | 8-port FE switch | 3+1 FE / 5 FE | 4 GE + 1 FE | 4 GE + 1 FE | 8 GE + 1 FE
VLANs Supported           | 3 / 3 (trunk) | 10 / 25 | 100 | 200 | 200
HA Supported              | Stateless A/S (Sec Plus) | A/A & A/S (Sec Plus) | A/A & A/S | A/A & A/S | A/A & A/S
Cisco ASA 5505 Adaptive Security Appliance Features
FW Throughput: Up to 150 Mbps
VPN Throughput: Up to 100 Mbps
Concurrent Sessions: 10,000/25,000
IPSec VPN Peers: 10; 25
SSL VPN Peer License levels: 10 or 25
Interfaces: 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
Virtual Interfaces: 3 with restricted DMZ; 3 with full DMZ*
High Availability: Not supported; stateless Active/Standby and dual ISP support*
List Price: Starting $595
Minimum Software Version: ASA 7.2(1), ASDM 5.2(1)
Where does the ASA 5505 fit?
SOHO, ROBO and Enterprise Teleworker Networks
Advanced Firewall Services and Secure VPN Connectivity
- Advanced firewall services: rich application and protocol stateful inspection; easy management and troubleshooting
- Secure VPN connectivity: full-function site-to-site VPN and remote access VPN services (IPSec and SSL VPN); IPSec hardware client services
Diverse Network Integration Requirements
- Diverse network integration services and more! Rapid deployment of security services such as:
  Secured work environment with isolation from home/guest users
  Dedicated DMZ services to protect revenue infrastructures
  Device and link resiliency to ensure consistent business uptime
  Secure voice and video integration with QoS enabled, typically over VPN
Cisco ASA 5505 Series
Product Tour (SOHO, Teleworker)
• Secure access to both Home and Internet VLANs
• PoE for IP Phones and/or WiFi APs
• High-speed hardware VPN client services
• DHCP client services
• PPPoE support
• Dynamic DNS support
• L2TP over IPsec
• Backup ISP support (Security Plus)
• Secure access for a wide range of modern applications through the Internet VLAN
• DHCP server services
Teleworker Deployment Model
Easy to Install Modern Home Networking Services
Figure: ASA 5505 with Business VLAN, Internet VLAN and Home VLAN.
- Secure access to both Home and Internet VLANs
- Power over Ethernet for IP Phones and WiFi Access Points
- DHCP & Dynamic DNS services
- PPPoE support
- Backup ISP support (Security Plus)
- Secure access for a wide range of applications through the Internet VLAN
- DHCP server services
Remote Office/SMB Deployment Model
High Performance, Resilient Security Services
Figure: ASA 5505 with Internet VLAN (Active), Internet VLAN (Standby), Business/DMZ VLAN (Email Server, Web Server, DNS Server), Inside VLAN and Employee/Guest VLANs; a VLAN trunk to a Power-over-Ethernet WiFi Access Point and a common network printer; Site-to-Site IPSec VPN to partners; Remote Access VPN / SSL VPN for remote employees and sales teams.
- Active/Standby design with failback
- Support for DHCP, Dynamic DNS & PPPoE
Cisco ASA 5505 Licensing Model
§ Similar to PIX 501 licensing, but with additional dimensions
§ User-based licensing
10, 50, and Unlimited user licenses
§ SSL VPN licensing
Base includes 2 for free, 10 & 25 user upgrades available
§ Security Plus license – offers many additional capabilities
Increased system capacity: increases the maximum number of connections (10K to 25K); increases IPSec peer count from 10 to 25
Device and link-level redundancy: enables stateless Active/Standby failover; enables redundant ISP support (dual ISP uplinks)
Improved flexibility: enables full DMZ and 802.1q VLAN trunking support
Can be used with any user licensing level
Cisco ASA 5550 Adaptive Security Appliance Features
FW Throughput: Up to 1.2 Gbps
VPN Throughput: Up to 425 Mbps
Concurrent Sessions: 650,000
IPSec VPN Peers: 5,000
SSL VPN Peer License levels: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, and 5000
Security contexts: Up to 50*
Interfaces: 8 Gigabit Ethernet ports, 4 SFP fiber ports and 1 Fast Ethernet port
Virtual Interfaces: 200
Scalability: VPN clustering and load balancing
High Availability: Active/Active, Active/Standby
List Price: $19,995 - $99,995
Minimum Software Version: ASA 7.1.2, ASDM 5.1.2
ASA 7.2 – New Features
Strategic Program: Application Inspection and Control Initiative
The AIC initiative introduces additional application layer intelligence and controls to Cisco’s wide range of security solutions (ASA, PIX, FWSM, IPS, Integrated Services Routers) by enriching existing inspection engines, as well as delivering new inspection engines with advanced application level controls.
Protocols Supported (Enh. = enhanced engine, New = new engine):
HTTP (Enh.)
FTP (Enh.)
IM (New)
P2P (New)
SIP (Enh.)
H.323 (Enh.)
SCCP (Enh.)
SMTP (Enh.)
DNS (New)
RPC (New)
CIFS (New)
NetBIOS (New)
AIC: Protocol Breadth and Depth
HTTP
• Enforce HTTP specific parameters (URL/Header Lengths)
• Filtering on HTTP encoding mechanisms, multiple content types
• Tunneled application control (IM/P2P/File types)
• Customizable reg-ex based signatures and dynamic updates
IM / P2P
• Access control for IM (Yahoo, MSN, AIM, ICQ…) and P2P (KaZaa, Torrents, Gnutella…) over user-defined/well known ports
• Feature control (whiteboarding, voice chat, file sharing)
• Customizable regex based signatures
SIP/H.323/SCCP
• VoIP DoS protection by filtering on Caller/Callee, direction, etc.
• End-point registration enforcement and authentication
• Application misuse prevention against embedded IM, gaming, etc.
FTP
• Directory traversal attack prevention and command filtering
• Server identity protection via obfuscation techniques
• Filtering based on username, file name/type, server name
• Enhanced logging capabilities
AIC: Protocol Breadth and Depth
DNS
• Enforce legitimate zone transfers, private vs. public domains
• DNS Spoofing and Cache Poisoning prevention
• Filtering based on domain name
SMTP/ESMTP
• Server protection by governing mail transport mechanisms
• Filtering based on type, headers, encoding, authentication
• Blocking/removing attachments, executables, and more!
Microsoft RPC
• Protocol compliance enforcement
• Secure dynamic port allocation
• NAT and PAT support
• Support for Microsoft Outlook Full MAPI clients
NetBIOS
• Protocol compliance enforcement
• Enhanced monitoring and NAT support
• And more!
And more…Feature packed release!
Includes over 50+ New Features
VPN Enhancements
• NAC support
• L2TP/IPSec support
• DNS resolution for peers
• Multiple Microsoft clients behind NAT
• Nokia Symbian OS support
• Zone Labs support
• Hybrid XAUTH support
• VPN IP fragmentation and reassembly statistics
Resiliency and Scalability
• Sub-second LAN-based failover
• Dual ISP connection with failback
Other Enhancements
• Regex traffic selection for MPF
• Traffic rate limiting
• WCCP support
Other Enhancements Cont’d
• OCSP (Online Certificate Status Protocol) support
• Cut-through AAA authentication parity with VPN
• New RTP/RTCP inspection engine
• Resource Manager for Virtualization
• Secure Computing (N2H2) URL filtering support over HTTPS and FTP
Network Integration
• Dynamic DNS support
• PPPoE support
• Multicast boundary support
• RIPv2 Active and Passive
• Configurable MAC addresses per interface
• GTP Enhancements for Mobile wireless environments
• DNS resolver for Ping, Traceroute, Copy and AAA server commands
Nokia Symbian OS Support
Nokia Symbian OS Support – Configuration
§ A new authentication type, CRACK, is added to support low power consuming algorithms on operating systems such as Nokia Symbian
§ Enable CRACK authentication using the crypto isakmp policy priority authentication command with the crack keyword in global configuration mode. For example:
hostname(config)# crypto isakmp policy 2
hostname(config-isakmp-policy)# authentication crack
Nokia Symbian OS Support – Configuration (cont’d)
If you are using digital certificates for client authentication, perform the following additional steps:
§ Step 1 Configure the trustpoint and remove the requirement for a fully qualified domain name. The trustpoint might be NSSM or some other CA. In this example, the trustpoint is named CompanyVPNCA:
hostname(config)# crypto ca trustpoint CompanyVPNCA
hostname(config-ca-trustpoint)# fqdn none
Nokia Symbian OS Support – Configuration (cont’d)
§ Step 2 To configure the identity of the ISAKMP peer, perform one of the following steps:
a. Use the crypto isakmp identity command with the hostname keyword. For example:
hostname(config)# crypto isakmp identity hostname
–or–
b. Use the crypto isakmp identity command with the auto keyword to configure the identity to be automatically determined from the connection type. For example:
hostname(config)# crypto isakmp identity auto
§ Note If you use the crypto isakmp identity auto command, you must be sure that the DN attribute order in the client certificate is CN, OU, O, C, St, L.
Nokia Symbian OS Support – ASDM Option
Nokia Symbian OS Support – ASDM VPN Wizard Option
MPF Improvements and New Class-map and Policy-map
Modular Policy Framework (MPF)
The MPF framework allows individual traffic flows between hosts or networks to be defined; QoS, application inspection, and connection limits can then be applied separately to each flow.
In general, the provisioning of policies (security, QoS, inspection, etc.)
MPF is built on three related CLI commands …
• class-map
• policy-map
• service-policy
Note: MPF features are derived from QoS as implemented in IOS. Not all features have been carried across.
Why do we need to change MPF?
Pre-7.2 Release
§ Limited capabilities for class-map (grouping)
§ Except for a couple of match criteria, only one (1) match command is allowed in a class-map.
§ MPF can match only on static pre-programmed information, e.g. static MIME types for the HTTP inspection commands
This does not satisfy the requirements from the EAAC (Edge Access Application Control)
7.2 Release
§ Ability to logical-AND multiple match conditions and associate an action to the match results.
§ Ability to define regular expressions and to match a group of regular expressions that have the 'match-any' attribute.
Ex. Block any (get|post)
Block URL
§ Ability to define a NOT operator (negate) for a match condition.
§ Ability to limit the values that can be entered for a specific inspection object
MPF – class-map
§ class-map – This command identifies the traffic that needs a specific type of control. Class-maps have specific names which tie them into the policy-map.
§ example:
class-map type regex match-any restricted_url
match regex url_abc
match regex url_xyz
class-map type inspect http match-all restricted_http
description Restrict the following sites: GET "abc.com" OR GET "xyz.com"
match request method get
match request uri regex class restricted_url
MPF – policy-map
§ policy-map – This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too which tie them into the service-policy.
example:
policy-map type inspect http http_inspection_policy
content-type-verification
match request method post
drop-connection
match request method connect
reset
class restricted_http
drop-connection log
policy-map web-policy
inspect http http_inspection_policy
MPF – service-policy
§ service-policy – This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional service-policy, the “global” service-policy, is defined for traffic and general policy application. This policy applies to traffic on all interfaces.
example:
service-policy web-policy inside
MPF Improvements – New CLI “class-map (regex)”
§ Regex
This keyword, when used in the class-map command, specifies that the class-map is of type REGEX, which is primarily used for matching regular expressions. This type of class-map can be used by other types of class-maps and is restricted to 'match-any' class-maps initially. When this keyword is used in the match subcommand, it specifies that a regular expression is to be used as a match condition.
§ Defined over some alphabet Σ
For programming languages, commonly ASCII or Unicode
§ If re is a regular expression, L(re) is the language (set of strings) generated by re
Modular Policy Framework (MPF) – Example
§ The following is an example of policy-map type inspect that includes an inspection policy for HTTP.
regex url_abc "abc\.com"
regex url_xyz "xyz\.com"
class-map type regex match-any restricted_url
match regex url_abc
match regex url_xyz
class-map type inspect http match-all restricted_http
description Restrict the following sites: GET "abc.com" OR GET "xyz.com"
match request method get
match request uri regex class restricted_url
policy-map type inspect http http_inspection_policy
content-type-verification
match request method post
drop-connection
match request method connect
reset
class restricted_http
drop-connection log
policy-map web-policy
inspect http http_inspection_policy
service-policy web-policy inside
H323 Inspection
Enhanced H.323 Inspection – Functional Overview
7.0 Release
§ Initial 7.0 release included the inspect h323 {h225 | ras} command, replacing the fixup command
7.2 Release
§ The 10 new H.323 AIC (Application Inspection Control) functions are designed to prevent attacks and restrict or deny certain applications:
Restrict Call Duration
Block Rogue Callers
Prevent RAS/H.225 Packets Arriving Out of State
Restrict H.323 Services That Can Be Used
Media-type data Control
H.225 Tunneling Control
Allow or Disallow Video or Audio
Protocol State Tracking
Enforcing H.323 Call Duration
Phone Number Filtering
HSI Routed Call Setup
H.323 Inspection
§ The two major functions of H.323 inspection are as follows:
• NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.
• Dynamically allocate the negotiated H.245 and RTP/RTCP connections.
Enhanced H.323 Inspection – ASDM Configuration
H.323 Configuration
§ Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the
§ Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to
H.323 Configuration (cont’d)
§ Step 3 (Optional) Create an H.323 inspection class map by performing the following steps.
A class map groups multiple traffic matches. Traffic must match all of the match commands to match the class map.
You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop-connection, reset, and/or log the connection in the inspection policy map. If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
H.323 Configuration (cont’d)
§ a. Create the class map by entering the following command:
hostname(config)# class-map type inspect h323 [match-all] class_map_name
hostname(config-cmap)#
Where the class_map_name is the name of the class map. The match-all keyword specifies that traffic must match all criteria to match the class map. match-all is the default and only option. The CLI enters class-map configuration mode, where you can enter one or more match commands.
H.323 Configuration (cont’d)
§ b. (Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)# description string
Where string is the description of the class map (up to 200 characters).
§ c. (Optional) To match a called party, enter the following command:
hostname(config-cmap)# match [not] called-party regex {class class_name | regex_name}
Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step 2.
§ d. (Optional) To match a media type, enter the following command:
hostname(config-cmap)# match [not] media-type {audio | data | video}
H.323 Configuration (cont’d)
§ Step 4 To create an H.323 inspection policy map, enter the following command:
hostname(config)# policy-map type inspect h323 policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
§ Step 5 (Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)# description string
H.323 Configuration (cont’d)
§ Step 6 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
• Specify the H.323 class map that you created in Step 3 by entering the following command:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
• Specify traffic directly in the policy map using one of the match commands described in Step 3.
If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
H.323 Configuration (cont’d)
§ b. Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error] | mask | reset] [log] | rate-limit message_rate}
Not all options are available for each match or class command. See the CLI help or the Cisco Security Appliance Command Reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
The rate-limit message_rate argument limits the rate of messages.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the “Defining Actions in an Inspection Policy Map” section on page 21-10.
H.323 Configuration (cont’d)
§ Step 7 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. To define the H.323 call duration limit, enter the following command:
hostname(config-pmap-p)# call-duration-limit time
Where time is the call duration limit in seconds.
Range is from 0:0:0 to 1163:0:0. A value of 0 means never timeout.
c. To enforce the call party number used in call setup, enter the following command:
hostname(config-pmap-p)# call-party-number
H.323 Configuration (cont’d)
§ d. To enforce H.245 tunnel blocking, enter the following command:
hostname(config-pmap-p)# h245-tunnel-block action {drop-connection | log}
§ e. To define an hsi group, enter the following command:
hostname(config-pmap-p)# hsi-group id
Where id is the hsi group ID. Range is from 0 to 2147483647.
§ f. To check RTP packets flowing on the pinholes for protocol conformance, enter the following command:
hostname(config-pmap-p)# rtp-conformance [enforce-payloadtype]
Where the enforce-payloadtype keyword enforces the payload type to be audio or video based on the signaling exchange.
§ g. To enable state checking validation, enter the following command:
hostname(config-pmap-p)# state-checking {h225 | ras}
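The seven H.323 configuration steps above combined into one complete configuration, as an added example that is not from the slides: the regex patterns, class and policy names are made-up values, and global_policy / inspection_default are assumed to be the appliance's default Layer 3/4 policy map and class.

```text
! Step 1: regular expressions for called-party numbers (constructed sample values)
regex internal_ext "^[0-9]{4}$"
regex conf_bridge "^8000$"
!
! Step 2: regex class map grouping them; match-any means OR across the patterns
class-map type regex match-any allowed_called
 match regex internal_ext
 match regex conf_bridge
!
! Step 3: H.323 inspection class map; match-all means every match line must hold (AND),
! and "match not" negates one criterion, so this class reads:
! "video call AND called party is NOT an internal extension or the bridge"
class-map type inspect h323 match-all external_video
 description Video calls to a called party outside the allowed list
 match not called-party regex class allowed_called
 match media-type video
!
! Steps 4-6: inspection policy map applying an action to the class above
! and, separately, to a criterion specified directly in the policy map
policy-map type inspect h323 h323_policy
 description Enhanced H.323 inspection for the site
 class external_video
  drop-connection log
 match media-type data
  drop
!
! Step 7: inspection engine parameters
 parameters
  call-duration-limit 1:00:00
  call-party-number
  h245-tunnel-block action drop-connection
  rtp-conformance enforce-payloadtype
  state-checking h225
  state-checking ras
!
! Attach the H.323 inspection policy to the Layer 3/4 policy;
! global_policy and inspection_default are assumed default names on the appliance
policy-map global_policy
 class inspection_default
  inspect h323 h225 h323_policy
  inspect h323 ras h323_policy
!
service-policy global_policy global
```

The call-duration-limit value is written in the hh:mm:ss form that the stated range (0:0:0 to 1163:0:0) uses, here one hour.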
ASDM 5.2 – New Features
ASDM 5.2 – New Features
§ Object Groups: Now includes ICMP and IP grouping
§ New How do I help: New manageable Help File
§ ACL to Syslog: Reference to Logging from ACL
§ Rule table query: Multiple Objects search
§ HA Wizard: New Active/Active, Active/Standby Fail Over Wizards and VPN Load Balancing Wizards
§ NAT IP address as Dst. (just like CLI)
§ Enhanced Live log Detail
§ Organized structure in Live log
ASDM 5.2 – ICMP and IP object grouping support
ASDM 5.2 – How Do I Help
§ Admin may add new “How Do I” help file later
ASDM 5.2 – New ACL to Syslog
§ Users can now view syslog messages from a selected ACE
ASDM 5.2 – Rule Table Query
§ Admin can filter multiple criteria
ASDM 5.2 – HA Wizard
§ New HA wizards include A/A, A/S FO and VPN LB
ASDM 5.2 – NAT IP address as Destination
ASDM 5.2 – Live Log Enhancements: Detail and Organized Columns
§ New syslog columns and Detail button
Packet Tracer
Agenda
09:00 - 09:30 Registration ✓
09:30 - 10:00 Welcome and introduction
10:00 - 10:30 Cisco strategy for 2007 and news from Product Management ✓
10:30 - 10:45 How to steer customers towards ASA ✓
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA New product lineup, New Features and Roadmap ✓
12:00 - 12:45 Cisco NAC
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner Self enablement tools
14:00 - 14:30 Security Management: What's new in MARS and CS-Manager
14:30 - 15:30 Technical Session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00 Closing and prize draw!
Armando Lombardi
Cisco Security Specialist
arlombar@cisco.com
AGENDA
• CCA overview
• NAC Appliance options
• New features in the latest release
• Features on the roadmap
• Demo/movies
TM - Massafra
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
115
Four Key Capabilities of NAC
1. Securely Identify Device and User
What it means: Who’s on? What’s on? Associating users with devices.
Why it is important: Enables granular enforcement of policies by role or group.
Without it: Critical to associate users and devices with roles to know which policies apply; prevents device spoofing.
2. Enforce Consistent Policy
What it means: What are the requirements for access?
Why it is important: Centralized policy supports multiple user roles. Scans for infections, port vulnerabilities, hotfixes, AV, AS, services running, and files.
Without it: A decentralized policy mechanism (e.g. on endpoint) can leave gaping security holes.
3. Quarantine and Remediate
What it means: What are the steps to meet requirements?
Why it is important: Isolates noncompliant devices using MAC and IP addresses; effective at a per-user level. Network-based, self-guided remediation.
Without it: Just knowing a device is noncompliant is not enough; someone still needs to fix it.
4. Configure and Manage
What it means: How do I create or modify requirements?
Why it is important: Web-based interface for easy management of roles, policies, and remediation steps.
Without it: Policies that are too complex or difficult to create and use will lead to abandonment of the project.
A Comprehensive NAC Solution Must Have All Four Capabilities: The Absence of Any One Weakens the Solution
Cisco NAC Appliance Components
§ Cisco Clean Access Manager
Centralizes management for administrators, support
personnel, and operators
§ Cisco Clean Access Server
Serves as enforcement point for network access
control
§ Cisco Clean Access Agent
Optional lightweight client for device-based registry
scans in unmanaged environments
§ Rule-set Updates
Scheduled automatic updates for anti-virus, critical
hot-fixes and other applications
Cisco NAC Appliance Sizing
Super Manager: manages up to 40 Enterprise and Branch Servers
Standard Manager: manages up to 20 Enterprise and Branch Servers
Manager Lite: manages up to 3 Branch Office or SMB Servers or ISR NM
Server sizes (users per server): 100, 250, 500, 1500, 2500
NAC Appliance Conceptual Overview
THE GOAL
1. End user attempts to access a Web page or uses an optional client
Network access is blocked until wired or wireless end user provides login information
2. User is redirected to a login page
Clean Access validates username and password, also performs device and network scans to assess vulnerabilities on the device
3a. Device is noncompliant or login is incorrect
User is denied access and assigned to a quarantine role with access to online remediation resources
3b. Device is “clean”
Machine gets on “certified devices list” and is granted access to network
(Diagram components: Authentication Server, Cisco Clean Access Manager, Cisco Clean Access Server, Quarantine Role, Intranet/Network)
Pre-Configured Policy Checks
simplify deployment
Critical Windows Updates, Anti-Virus Updates
Anti-Spyware Updates, 3rd Party Checks
NAC Appliance Supports Policies for 250+ Applications, Including These Vendors:
Customers can easily add customized checks
NAC Appliance One Product for all Use Cases
§ Wireless users — common pain point addressed
§ LAN—Position L2 or L3 OOB with feature for L3 VoIP in 4.1
§ Guest users — common pain point addressed by 3 options PLUS pitch hotspot app in 4.1
§ Remote LAN—Complex positioning with a roadmap: Today → Remote CAS, L3 IB, L3 OOB
Use cases shown in the diagram (Campus Building 1, Wireless Building 2, Conference Room in Building 3, Internet via IPSec, 802.1Q):
LAN Endpoint Compliance: Network access only for compliant devices
Wireless Compliance: Secured network access only for compliant wireless devices
Remote LAN Compliance: Network access only for compliant devices
Guest Compliance: Restricted internet access only for guest users
VPN User Compliance: Intranet access only for compliant remote access users
NAC Appliance Options
Customers can choose from a variety of product and deployment options to tailor NAC Appliance for individual networks
Software-only (customer provides hardware) or Appliance (Cisco provides hardware)
Virtual Gateway (bridged) or Real-IP Gateway (routed)
Edge Deployment or Central Deployment
L2 Client Access or L3 Client Access
In-band Server or Out-of-band Server
CAS Foundation: Virtual Gateway
§ Direct Bridging: Frame Comes
In, Frame Goes Out
§ VLAN IDs are either passed
through untouched or mapped
from A to B
§ DHCP and Client Routes point
directly to network devices on
the Trusted side
§ CAS is an IP passive bump in
the wire, like a transparent
firewall
CAS Foundation: Real IP / NAT Gateway
§ CAS is Routing, Packet
Comes In, Packet Goes Out
§ VLAN IDs terminate at the
CAS, no pass-through or
mapping
§ DHCP and Client Routes
usually point to the CAS for
/30
§ CAS is an active IP router, can
also NAT outbound packets **
CAS Foundation: Edge Deployment
§ Easiest deployment option to understand
§ CAS is logically inline, and physically inline
§ Supports all Catalyst Switches
§ VLAN IDs are passed straight through when in VGW (10 → 10)
§ Installations with multiple Access Layer closets can become complex
CAS Foundation: Central Deployment
§ Most common deployment option
§ CAS is logically inline, NOT physically inline
§ Supports 6500 / 4500 / 3750 / 3560 **
§ VLAN IDs are mapped when in VGW (110 → 10)
§ Easiest installation
§ Most scalable in large environments
CAS Foundation: Layer 2 Mode
§ Client is Layer 2 Adjacent
to the CAS
§ MAC address is used as a
unique identifier
§ Supports both VGW and
Real IP GW
§ Supports both In Band and
Out of Band
§ Most common deployment
model for LANs
CAS Foundation: Layer 3 Mode
§ Client is NOT Layer 2
Adjacent to the CAS
§ IP Address is used as a
unique identifier
§ Supports both VGW and
Real IP GW
§ Supports In Band Mode**
§ Needed for WAN and
VPN deployments
CAS Foundation: In Band
§ Easiest deployment option
§ CAS is Inline ( in the data path )
before and after posture
assessment
§ Supports any switch, any hub,
any AP
§ Role Based Access Control
Guest, Contractor, Employee
§ ACL Filtering and Bandwidth
Throttling
CAS Foundation: Out of Band
§ Multi-Gig Throughput
deployment option
§ CAS is Inline for Posture
Assessment Only
§ Supports most common Cisco
Switches **
§ Port VLAN Based and Role
Based Access Control
§ ACL Filtering and Bandwidth
Throttling for Posture
Assessment Only
Out Of Band Process Flow
1. New MAC Notification sent to CAM
2. Unauthenticated client discovery ( Agent popup or new traffic )
3. CAS challenges for credentials
Out Of Band Process Flow
4. Client sends credentials to CAS
5. CAS performs Posture Assessment
6. CAM changes VLAN from Auth to Access
CAS Foundation Summary
1. Virtual Gateway mode is usually the easiest integration into existing networks
2. Central deployments will make up 99% of designs
3. Layer 2 adjacent clients give more options for security with Layer 2 strict mode
4. Pay close attention to In-Band math: it’s 1Gig for 1500 users.
NAC Appliance Overview: Web Login
Login Screen
Scan is performed (types of checks depend on user role/OS)
Click-through remediation
End User Experience: with Agent
Login Screen
Scan is performed (types of checks depend on user role)
Scan fails
Remediate
Recent NAC Appliance Innovations
Deployment Features
Layer 3 Out-of-Band: Reduces the number of Servers required for deployments with multiple locations
“Super” Manager: Manages up to 40 Server failover pairs
VLAN by Name: Simplifies the administration of VLANs
Expanded Failover Options: Multiple options for failover in case of CAS link failure
New 2500-user CAS: Additional option for larger-user environments
Authentication Features
Windows Active Directory Single Sign-On: Vastly improves user experience by automatically passing through Windows login credentials
Corporate Asset Authentication: Ability to apply network admission control to corporate assets not associated with specific users (IP phones, printers, etc.)
Recent NAC Appliance Innovations, cont.
Agent Features
§ Seamless Agent Provisioning: Enables Agent updates without requiring user to have admin privileges
§ Auto-Remediation for Windows: Single button for auto-launching Windows Updater
§ MacOS Authentication Agent: Extends network admission control to Macintosh desktops
Platform Options
§ Expanded Platform Support: In addition to software option, now available on new hardware for higher performance
NAC STRATEGY-SOLUTIONS
NAC Strategy – Microsoft Support
Current
§ Windows OS Support: XP (Home/Pro/MCE/Tablet), 2000/ME/98 (Agent); WinCE/WinMobile (Agentless); Windows 2003/2000 Server
§ AD Single-Sign-On
§ Windows Hotfixes/AV Checks: Auto-updates to pre-configured hotfix and oneCare AV checks
§ Windows Update via WSUS: Ability to configure Windows Updater and launch WSUS agent for auto-remediation
Roadmap
§ GPO Launch post Authentication (4.1): Ability to launch GPO to tie AD desktop policy to access VLAN
§ WSUS Agent immediate launch (4.1): Ability to force WSUS agent to remediate now
§ Microsoft SMS Agent remediation (4.1.x): Launch SMS Agent during remediation or x days old
§ IE7.0 and Vista Support: Vista Agent within 30-45 days of Vista commercial availability
§ Login Script “hold” Configuration: Provide a configuration to hold login script mapping till access VLAN
NAC Strategy – Microsoft Support
Diagram components: CAM, DNS/DHCP Server, AD Server, WSUS Server, AV Server, Web Server (VLAN 10); Switch; Laptop with CCA Agent; CAS (VLAN 110).
1. End user attaches a laptop to network
2. Switch sends MAC address via SNMP-based notification to CAM
3. CAM instructs switch to place port to Authentication VLAN (110).
4. DHCP address is assigned as DHCP/DNS traffic traverses the CAS using VLAN mapping.
5. Laptop performs authentication to AD with CAS permitting AD ports access.
6. During AD login, GPO policy and login scripts are downloaded to the laptop.
7. Laptop runs login scripts with “hold” configuration during drive mapping.
8. CCA Agent performs SSO to CAM.
9. CAM determines “role” based on AD attributes and passes posture requirements to CCA Agent.
10. CCA Agent determines missing hotfix and launches WSUS Agent for remediation.
11. CCA Agent determines AV definition not updated and launches AV Agent for remediation.
12. Upon remediation, CAM instructs switch to place port onto Access VLAN (10) based on port mapping (or the role assignment).
13. If role assignment is used, CCA Agent performs release/renew. Laptop user now sees “Successfully Logged In.”
14. CCA Agent launches GPO Update in Access VLAN.
15. Login scripts remove “hold” and complete drive mapping.
16. “Successfully Logged In” dialog box closes in x seconds.
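An added model (not Cisco code) of the out-of-band flow above and of the six-step Out Of Band Process Flow earlier: the port stays in VLAN 110 behind CAS filtering until the role-based posture checks pass, the remediation launches mirror steps 10-11, and only then does the port move to VLAN 10. Role names, the AD group mapping, the posture policy, the KB-EXAMPLE hotfix ids and the permitted-service list are constructed assumptions.

```python
"""Model of the NAC Appliance out-of-band admission flow (steps 1-16 above).

Added illustration, not Cisco code. The Authentication VLAN (110), Access VLAN
(10) and the WSUS / AV remediation launches follow the slides; the role names,
the AD group mapping, the posture policy and the endpoint facts are constructed
assumptions, as is the list of services the CAS permits while quarantined.
"""
from dataclasses import dataclass, field
from datetime import date

AUTH_VLAN = 110    # step 3: CAM places the port here until posture passes
ACCESS_VLAN = 10   # step 12: port mapping (or role assignment) target

# Assumed: what the CAS lets a quarantined host reach (steps 4-5, 10-11)
AUTH_VLAN_ALLOWED = {"dhcp", "dns", "kerberos", "ldap", "smb", "wsus", "av-update"}

# Constructed policy: required hotfixes and maximum AV definition age per role
POSTURE_POLICY = {
    "employee":   {"hotfixes": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, "av_max_age_days": 7},
    "contractor": {"hotfixes": {"KB-EXAMPLE-1"}, "av_max_age_days": 3},
}
# Constructed mapping of AD group attribute -> NAC role (step 9)
AD_GROUP_TO_ROLE = {"CORP\\Employees": "employee", "CORP\\Contractors": "contractor"}


@dataclass
class Endpoint:
    mac: str
    ad_groups: list
    installed_hotfixes: set
    av_definition_date: date


@dataclass
class OobSession:
    """One switch port / MAC moving through the CAM state machine."""
    port: str
    vlan: int = AUTH_VLAN
    role: str = None
    posture_ok: bool = False
    launches: list = field(default_factory=list)
    release_renew_needed: bool = False

    def permits(self, service):
        """CAS filtering: only auth/remediation services while in VLAN 110."""
        return self.vlan == ACCESS_VLAN or service in AUTH_VLAN_ALLOWED

    def assign_role(self, endpoint):
        """Step 9: role from AD attributes; a host with no mapped group gets none."""
        for group in endpoint.ad_groups:
            if group in AD_GROUP_TO_ROLE:
                self.role = AD_GROUP_TO_ROLE[group]
                return self.role
        raise PermissionError("no NAC role for AD groups %r" % (endpoint.ad_groups,))

    def assess(self, endpoint, today):
        """Steps 10-11: return the remediation agents to launch; empty means clean."""
        policy = POSTURE_POLICY[self.role]
        launches = []
        missing = policy["hotfixes"] - endpoint.installed_hotfixes
        if missing:
            launches.append(("WSUS", sorted(missing)))
        age_days = (today - endpoint.av_definition_date).days
        if age_days > policy["av_max_age_days"]:
            launches.append(("AV", age_days))
        self.launches = launches
        self.posture_ok = not launches
        return launches

    def authorize(self, role_based_vlan=False):
        """Steps 12-13: only a clean posture moves the port to the Access VLAN."""
        if not self.posture_ok:
            raise PermissionError("posture not met; port stays in VLAN %d" % self.vlan)
        self.vlan = ACCESS_VLAN
        self.release_renew_needed = role_based_vlan   # new subnet: DHCP release/renew
        return self.vlan


def example_flow():
    """Run steps 9-13 for a constructed laptop that is missing one hotfix and
    has stale AV definitions, then again after the launched agents remediated."""
    today = date(2006, 11, 23)
    laptop = Endpoint("00-11-22-33-44-55", ["CORP\\Employees"],
                      {"KB-EXAMPLE-1"}, date(2006, 11, 1))
    session = OobSession(port="Gi1/0/5")
    session.assign_role(laptop)
    first = session.assess(laptop, today)          # WSUS and AV launches
    blocked = not session.permits("http")          # still quarantined
    # Remediation agents bring the host into policy (constructed outcome)
    laptop.installed_hotfixes |= {"KB-EXAMPLE-2"}
    laptop.av_definition_date = today
    second = session.assess(laptop, today)         # clean
    vlan = session.authorize(role_based_vlan=True)
    return {"first": first, "blocked": blocked, "second": second,
            "vlan": vlan, "release_renew": session.release_renew_needed}


if __name__ == "__main__":
    print(example_flow())
```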
NAC Strategy – Microsoft Support
Considerations
Agent Installation
Does not support Embedded XP or XP running on 64 bits (roadmap 2007)
Supports most WinXP/2000 with language packs but not tested on all (see Release Notes)
AD SSO (Single Sign-On) Support
Pay attention to typos when you configure SSO/KTPASS
One CAS to one AD domain controller
Manual login across untrusted domains
Microsoft SMS Launch
Requires signed application (.exe) to launch
Login Scripts
Modify login scripts for drive-mapping “hold”
Mandatory Hotfix Requirement
Must click next button to continue.
NAC Strategy – Leverage Infrastructure
Current
§ AV and AS Applications: Over 250+ partner AV and AS Applications supported today
§ Authentication Servers: Any Radius/Kerberos/LDAP/Novell backend
§ Custom Checks: Any application/file/service checks
§ Firewall Applications: Support pre-configured checks for FW/HIDS/HIPS vendors (CSA is supported)
§ Encryption Applications: Support pre-configured checks for desktop encryption vendors
Roadmap
§ Patch Management Applications (4.1): Support key Patch Management applications (IBM Tivoli, SMS, Citadel, Altiris, Bigfix, etc.)
§ DICOM Applications: Support NAC Appliance enforcement for DICOM routing of PACS in healthcare
§ Open APIs: GreatBay Software provides network device profiling and automated synchronization to CAM and CAS enforcement via Open APIs. Iconium provides compliance policy acceptance and synchronized enforcement via Open APIs. VisitorNet provides Guest Access registration and CAS policy enforcement via Open APIs.
§ 802.1x Overlay Support: Support any 802.1x supplicants in in-band today and wired 802.1x in future overlay
AGENDA
• CCA overview
• NAC Appliance options
• New features in the latest release
• Features in the roadmap
• Demo/movies
NAC STRATEGY ROADMAP
NAC Appliance Roadmap
Timeline: NOW, May 06, Oct 2006, Nov 2006, 1H CY07, 2H CY07
Release 4.0/Dash (May 06): Corporate asset compliance; Agent stub for installs/updates; VLAN by Name (OOB); Layer 3 OOB; Windows AD SSO; Windows Update Launch
Release 4.0.x/Brunella: Cisco NAC Appliance 3300 Series; CAS 2500; SuperCAM
Release 4.1/Syndrome, Release 4.5/Elastigirl*: Silent Audit; Remediation Reporting; CAS Fallback; L3OOB for VoIP; MAC Auth Agent; Agent Language Template; Patch Management Launch; Guest Portal (external); Temporal Agent; Silent Remediation; MAC Posture Agent; Preconfigured PFW rules; 802.1x Overlay Support
Release 4.1.x/Angera*: CC Distributed CAM; CAS on ISR NM Blade; Enhanced Syslog; Enhanced Reporting; DBCS Support; MOM
Release 5.0/Edna*
Release 5.5/Mr. Incredible* (2H CY07): NAC Framework support: NAC Manager; NAC Agent; HCAP
* subject to concept commit, not a customer commit
NAC Appliance Expansion Phase 1
Diagram. TODAY: Network Access Device (out-of-band and in-band), NAC Appliance Agent, NAC Appliance Server, NAC Appliance Manager (HTTPS), Policy & Remediation Partners (HTTPS), .1x. 1H 2007: Network Access Device (out-of-band and in-band) with 802.1x and RADIUS, ISR NM, NAC Agent, NAC Server with 802.1x Proxy, NAC Appliance Manager (HTTPS).
NAC Appliance Expansion Phase 2
Diagram. TODAY: Network Access Device (out-of-band and in-band) with 802.1x, ISR NM, NAC Appliance Agent, NAC Appliance Server with .1x overlay (HTTPS or Radius), NAC Appliance Manager (HTTPS), Policy & Remediation Partners. VISION: Network Access Device (out-of-band and in-band) with RADIUS, UDP, 802.1x; CTA and NAC Agent on the endpoint; NAC Server; NAC Manager (HTTPS); Policy & Remediation Partners via HCAP, GAME and the CTA API.
Agenda
09:00 - 09:30 Registration ✓
09:30 - 10:00 Welcome and Introduction
10:00 - 10:30 Cisco Strategy for 2007 and News from Product Management ✓
10:30 - 10:45 How to steer customers toward ASA ✓
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA New product lineup, New Features and Roadmap ✓
12:00 - 12:45 Cisco NAC ✓
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner Self enablement tools
14:00 - 14:30 Security Management: What's new in MARS and CS-Manager
14:30 - 15:30 Technical Session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00 Closing and prize draw!
Partners Enablement
Tools for design and support
Marco Voi – Channel Systems Engineer
mvoi@cisco.com
Training; Tools & Methodologies; Selling & Marketing
Partner Help Online
§ http://www.cisco.com/web/partners/tools/helponline/index.html
Service Support Center
http://www.cisco.com/go/ssc
Design tools
http://www.cisco.com/go/qb
Cisco Discovery
Deliver
“Transfer of Information” model
Partner Virtual Team
https://programs.regweb.com/cisco/pvt_07/
P.I.N.T.
http://www.cisco.com/it/go/pint
Partner E-Learning Connection
www.cisco.com/go/pec
Partner VT elements
1. Address Pre-sales Knowledge Transfer and Competency
2. Create an environment for Partners to network and collaborate as a community
3. Provide Demonstrations, Design Sessions, Hands-On Labs, Interactive discussion
4. Social and Fun
Partner VT Updates
Diagram: Trusted Technical Advisor (TTA) and Partner SE Team at the centre; around them: Product / Technology Update and Feedback; Hands-On Labs; TAC/AS Technical Update*; Design Sessions / BOF; TTA Forums; TTA Interaction and Networking; Evening Meal: Another chance to Network
*Where available
Partner VT Enrolment Process
Trusted Technical Advisor is invited to attend Partner VT update events
Partner SE becomes a Trusted Technical Advisor and a member of Partner VT
Partner SE achieves Specialisation Accreditation (CQS/CCIE)
Cisco SE invites via PSS - one or two elite engineers from Specialised, ATP or Learning Partner per Technology stream
Partner VT Entry Accreditation – FY2007
Partner VTs: Routing and Switching; Security; Convergence; Data Centre; Wireless
Security Partner VT entry accreditations: VPN or Firewall or IPS Specialist; Advanced Security Solutions Design Specialist; Cisco Certified Security Professional; CCIE Security
Cisco Channel SE Sponsorship
Partner VT Collaboration Site
https://tools.cisco.com/cws/livelink?func=ll&objId=723876&objAction=browse&sort=name
Partner VT Presentations in pdf format are stored on this restricted access external site
Networkers
http://www.cisco.com/global/EMEA/networkers/2007/index.shtml
Newsletter per i partner di Cisco Italia
§ Italy-channel-newsletter-rs@cisco.com
§ Italy-channel-newsletter-security@cisco.com
§ Italy-channel-newsletter-ipc@cisco.com
§ Italy-channel-newsletter-wireless@cisco.com
§ Italy-channel-newsletter-storage@cisco.com
§ Cisco Customized Partner Intelligence
http://www.cisco.com/web/partners/news/subscribe.html
AUTOMATIC SUBSCRIPTION
send an email to
mailer@cisco.com
containing the command:
subscribe italy-channel-newsletter-nome
from the address you want to subscribe.
– The command must be in the BODY of the message, not in the SUBJECT
– Send the mail in PLAIN TEXT, NO HTML, no formatting.
– You will receive a confirmation and welcome mail
AUTOMATIC UNSUBSCRIPTION
send an email to
mailer@cisco.com
containing the command:
unsubscribe italy-channel-newsletter-nome
from the address to be unsubscribed.
– The command must be in the BODY of the message, not in the SUBJECT
– Send the mail in PLAIN TEXT, NO HTML, no formatting.
– No confirmation email is sent
Agenda
09:00 - 09:30 Registration ✓
09:30 - 10:00 Welcome and Introduction
10:00 - 10:30 Cisco Strategy for 2007 and News from Product Management ✓
10:30 - 10:45 How to steer customers toward ASA ✓
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA New product lineup, New Features and Roadmap ✓
12:00 - 12:45 Cisco NAC ✓
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner Self enablement tools ✓
14:00 - 14:30 Security Management: What's new in MARS and CS-Manager
14:30 - 15:30 Technical Session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00 Closing and prize draw!
Security Management: What's new in MARS and CS-Manager
Managing the Self-Defending Network
Zeno Dequal
Systems Engineer
Cisco Systems Italy
Today’s Cisco Security Management Suite
Cisco® Security Manager: Simplified Policy Administration; End-to-End Configuration; Network wide or Device Specific
Cisco® Security MARS: Rapid Threat Identification and Mitigation; Topology Awareness; Data Correlation
FABRIC
CS Manager 3.1: Key Features
CS-Manager 3.1 – xDM cross launch
ASDM, SDM, IDM, IEV
• No embedded DM code required on the device
• Open FW from CS manager server to device
• No need to open FW’s from user desktop to device
• Much faster startup
CS-Manager 3.1 – xDM
Device log/Signature event to policy cross launch
Packet tracer
• Leverage DM logs to cross launch to policy
• Leverage packet tracer in ASDM
CS-Manager 3.1 – Native Cat6000 Mgmt
Interfaces, VLANs, VLAN groups
• Natively manage Cat6500/Cisco7600, no more launching CVDM
• Manage all the VLANs, interfaces, VLAN groups and mappings
• Comprehensive Summary page to show all the mappings
CS-Manager 3.1 – Cat6500 RACL Management (3.0.1)
• Manage the L3 Access Control List on MSFC of Cat6500/Cisco7600
• Use the same powerful rule table as other devices like ASA/PIX or ISRs
CS-Manager 3.1 – Inventory Report
Single view of all critical device information
• One place to see all critical inventory information
• Device, VPN status
• Deployment status
• What policies assigned
• Status from external sources
CS-Manager 3.1 – Management Protocol Testing
Server to Device protocol and credentials
• Test available from Device Properties page
• When adding a device
CS-Manager 3.1 – Activity Report
What fields changed, what objects changed
CS-Manager 3.1
High Availability & Disaster Recovery
• Optional High Availability and Disaster Recovery Configurations
• Off-the-shelf hardware (servers, storage arrays) and software (Symantec/Veritas) + specific customizations for CS Manager
• Supports a wide variety of deployment options based on customer requirements
Single, dual-node cluster for high availability
Multiple geographically diverse clusters for disaster recovery
Fully automated failure detection and recovery
Shared local storage for zero data loss
Synchronous or asynchronous replication between sites for zero or near-zero data loss
CS Manager 3.1: IPS-related Features
CS-Manager 3.1
Management Roadmap Update
• Supports IPS 5.1, 6.0, and IOS 12.4(11)T
42xx Appliances, IDSM2, NM-CIDS, SSM-10, SSM-20
• 1 Additional RBAC: Modify Policy Image
Additional role for deploying IPS updates
• Auto Update, Rollback, Config Archive, Filtering, Copying, Cloning
• Signature Update Performance – Streamlined sigupdate package/process
CS Manager 3.1: VPN-related Features
Multi-box Management CS-Manager (CSM) 3.1
Supported SSL VPN features on ASA
• SVC (IP layer SSL VPN), DHCP, DNS, WINS, and split tunneling
• Clientless (URL list, CIFS, and Citrix)
• Thin client (Port Forwarding) and applet auto download
• Authentication, authorization and accounting
• Password expiration and management
• Netegrity single sign-on and auto sign-on
• Cisco Secure Desktop enabling and configuration
• Web-type access control list
• Login and portal page customization
• HTTP proxy and proxy bypass (limited content rewrite)
• CIFS File encoding
• Cache
• Interface and SSL port configuration
CS Manager 3.1: ASA-related Features
CS-Manager
Managing the Cisco ASA 5500 Series
• Support all ASA models
• Support ASA7.0/7.1 and 7.2
• Manage both Routed and Transparent mode and multi-context
• Comprehensive coverage of ASA feature sets
• Cross-launch Read-Only version of ASDM for quick device status and troubleshooting
CS Manager: Advantages
CS-Manager
Policy Sharing, Inheritance, Interface Roles and Work-Flow
CS-Manager
Device Override, AUS/CNS-CE, SDP, RBAC
CSM is able to share all kinds of policies, not just
Firewall Rules
• With CSM you can share syslog policies between devices
• This is true for many more settings
Changing column order of rule base
If you want interface first, that is possible!
Rule creation
• Objects can be used but are not required!
ACL Hitcount
CSM can show how many hits a rule is getting
Superior support for IOS routers
• Manage ACLs on all routers just like any other FW
• Support for many new ISR security features, deep packet inspection, etc.
• Share policies between ASA/FWSM and IOS
You want a map….
• Map per user
• Custom backdrop
• Nested Maps
• Manage from the MAP
CS Manager
Zero Touch Deployment: Scale through AUS and CNS-CE
Diagram: CS Manager, Subscriber, device shipped to user
1. Pre-provision device in CS Manager
2. Order through config express
3. Drop ship to end user
4. End user logs in using corp ID
CS-MARS Updates
MARS Product Line
Positioning
Enterprise: MARS 200 (10,000 EPS)
Mid-Market / Low-Enterprise: MARS 100 (5000 EPS); MARS 100E (3000 EPS)
SMB: MARS 50 (1000 EPS); MARS 20R (50 EPS, NEW); MARS 20 (500 EPS)
* EPS = Events per second
CS-MARS 4.2.2
• FWSM 3.1 Device Support.
• Multi-Threaded implementation for IDS/IPS/Windows events pulling will provide better performance.
• Improves GC and LC communication.
MARS differentiators for IPS
MARS Update for IPS
• Trigger packets
Captured in MARS, detected in an IPS alert message
Transformed into an event and used in queries, reports, keywords.
Packet content can be seen in raw message
• IP Session Logging
MARS captures complete TCP based sig-attack
• Dynamic ARP inspection + spanning tree (L2/L3 complete knowledge)
MARS provides attack paths and mitigation actions
• Global end-to-end view of security posture
Knowledge of device configurations, MAC address tables
Uses Netflow, SNMP, SDEE, Host event data
MARS - Real-time events, multi-Vendor, rules based correlation, threat mitigation
Incident dashboard / Rules Engine
• Consolidated view of security posture
• 100+ pre-defined system rules
• Day-zero identification based on behavior analysis
• Prioritized Incident views
• Graphical view of topology
• Multiple compliance reports “out-of-the-box”
• Simple customization of rule set
Mitigation Views / Reporting
• Mitigation monitoring and recommendation
• Customizable reporting engine
• Scheduled reports
• Incident replay
Attack vector
• Over 150 predefined reports
Graphical path representation
• Drill down to event level detail
Cisco Security Conversion Tool (SCT)
Check Point™ to Cisco Conversion Tool
For Cisco Security Partners
The Problem
• Large install base of legacy Check Point firewalls.
• Customers want to migrate these Check Point
firewalls to new Cisco equipment.
• Each firewall conversion takes months to complete
and is error-prone.
• It requires a person that is knowledgeable in both
Check Point and Cisco equipment.
• The daunting task causes the customer to delay
their migration strategy and to consider other
firewall vendors.
The Solution
• Provide a tool to convert a Check Point configuration to a Cisco ASA/PIX/FWSM configuration.
• Create a Cisco configuration that can be managed with CLI, PDM, ASDM or Cisco Security Manager.
• Provide an option to optimize the rule table display when used in Cisco Security Manager.
• Make the tool available at no cost to the Cisco SEs, Advanced Services, and Cisco Security Partners.
Note: The output from this tool should be reviewed by a Cisco SE, Advanced Services, or Cisco Security Partner to verify the accuracy and completeness of the conversion.
Benefits / ”What’s in it for me?”
• Reduced time to convert a customer from Check Point to
Cisco firewalls.
• Increased profitability in your service to convert from Check
Point to Cisco firewalls.
• Increased accuracy in the conversion from Check Point to
Cisco firewalls.
• Allows your customer to use Cisco TAC for questions/support
on their new Cisco firewalls.
• Optimized option to convert from Check Point to the new
Cisco Security Manager.
• Increased traceability since inline comments are created to
indicate which Check Point commands correlate to which
Cisco commands.
• Automated report that summarizes the conversion process.
What is Cisco Security Conversion Tool?
• Cisco Security Conversion Tool (SCT) is a software
program to assist in converting a Check Point
Firewall™ configuration into a Cisco ASA, PIX, or
FWSM configuration.
• The software installs on your PC.
• Simple wizard-based GUI.
• Converts one Check Point configuration at a time.
What is Cisco Security Conversion Tool?
• Several assumptions are made during the conversion process since Check Point and Cisco firewalls are managed differently. A user must manually review and verify the output from Cisco SCT.
System Requirements
• Runs on Windows XP and 2000 platforms.
• Converts from Check Point 4.x and NG Firewalls.
• Converts to an ASA/PIX 7.0(4) or 7.1 and FWSM 2.3
or 3.1.
What Will Be Converted?
• Access rules (security policies)
• Network objects and network object groups
• Service objects and service object groups
• NAT rules
• Static routes
• Interface-related configuration
Cisco SCT Output
• Corresponding ASA, PIX, or FWSM CLI configuration.
• Summary of what was converted.
• Conversion report indicating any errors or warnings
during the conversion.
• Detailed HTML report with hyperlinks from the CLI
conversion to the original Check Point policy.
Additional Cisco SCT Resources
• Download Site (requires a CCO user ID):
http://www.cisco.com/web/partners/sell/technology/security/resources.html#technical
• Technical Support:
sct-support@cisco.com
• Report your wins!!!
sct-wins@cisco.com
Agenda
09:00 - 09:30 Registration ✓
09:30 - 10:00 Welcome and Introduction
10:00 - 10:30 Cisco Strategy for 2007 and News from Product Management ✓
10:30 - 10:45 How to steer customers toward ASA ✓
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA New product lineup, New Features and Roadmap ✓
12:00 - 12:45 Cisco NAC ✓
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner Self enablement tools ✓
14:00 - 14:30 Security Management: What's new in MARS and CS-Manager ✓
14:30 - 15:30 Technical Session: VoIP/IPT security analysis and countermeasures
15:30 - 16:00 Closing and prize draw!
VoIP & Security
Marco Misitano
misi@cisco.com
(a few) Basic Concepts…
Building a Call
Diagram: PBX ‘A’, PSTN, PBX ‘B’; call leg ‘1’ at each PBX, call leg ‘2’ toward the PSTN
§ Two call legs bridged together
Call Flow
Diagram: PBX ‘A’, PSTN; call leg ‘1’
§ Caller A lifts receiver “off hook”
§ PBX responds with dial-tone
§ Call leg 1 is “created”
Call Flow (Cont.)
Diagram: PBX ‘A’, PSTN; call leg ‘1’, call leg ‘2’
§ Caller A dials number
§ PBX maps dialed number to trunk circuit
§ Call leg 2 is “created”
§ Two call legs “conferenced” together
Call Flow (Cont.)
Diagram: PSTN, PBX ‘B’; call leg ‘2’, call leg ‘1’
§ PBX ‘B’ receives call setup from PSTN
§ “Creates” first call leg (“2”)
§ Maps received digits to extension
§ Alerts extension, “creating” second call leg (“1”)
Call Conferenced
Diagram: PBX ‘A’, PSTN, PBX ‘B’; call leg ‘2’, call leg ‘1’, call leg ‘1’
§ Each PBX has bridged two call legs, each of local significance only
§ Neither PBX has knowledge of the other PBX’s second call leg
Packet Voice Replacement
Diagram: Router ‘A’, Data Network, Router ‘B’; call leg ‘2’, call leg ‘1’, call leg ‘1’
§ Simply replace PBX and PSTN with Router and data packet network
So?
Voice and Data Threat Models Merge
§ IP Telephony inherits IP data network threat models: Reconnaissance, DoS, host vulnerability exploit, surveillance, hijacking, identity theft, misuse, etc.
§ QoS requirements of IP Telephony increase exposure to DoS attacks that affect: Delay, jitter, packet loss, bandwidth
§ PC endpoints typically require user authentication, phones typically allow any user (exceptions: access/billing codes, Class of Service)
IP Telephony in a Nutshell
Diagram: IP Phone, Configuration server and IP Telephony Server (phone software, phone registration, phone configuration, connecting phones, billing)
1) Booting
2) Configuration
3) Registration
4) Call Signaling
5) Media Stream
Normal IP Telephony Traffic: Booting /1
Sequence (IP Phone, L2 Switch, L3 Router, DHCP Server): 802.1Q; DHCP Discover; DHCP Offer; DHCP Request; DHCP Confirm
Normal IP Telephony Traffic: Booting /2
Sequence (IP Phone, L2 Switch, L3 Router, TFTP Server): ARP Request; ARP Reply; TFTP GET config file (multiple packets); TFTP DATA (multiple)
Normal IP Telephony Traffic: Signalling /3
Sequence (IP Phone, L2 Switch, L3 Router, IPT Server): TCP/UDP Handshake for SCCP/SIP; SCCP/SIP registration; Key pressed …; Dial tone, ringing tones, …; Listen on UDP port x and send to IP address Y on port z
Normal IP Telephony Traffic: Media Stream /4
Sequence (IP Phone, L2 Switch, IP Phone): ARP Request; ARP Reply (dual ARP exchange); RTP Stream over dynamic UDP port
Vulnerabilities: Booting /1
Annotated DHCP exchange (IP Phone, L2 Switch, L3 Router, DHCP Server):
802.1Q: switch allows only specific VLAN
DHCP Discover: very little information leakage, mainly MAC address
DHCP Offer: rogue DHCP server can reply w/ fake TFTP & router information
DHCP Request / DHCP Confirm
DHCP Server: DHCP starvation / pool depletion
Vulnerabilities: Booting /2
Annotated ARP and TFTP exchange (IP Phone, L2 Switch, L3 Router, TFTP Server):
ARP Request: very little information leakage, mainly MAC address
ARP Reply: fake ARP reply (can even be sent after original). Can pretend to be the router in order to get all traffic
TFTP GET config file (multiple packets): information leakage, can get configuration of any phones
TFTP DATA (multiple): fake TFTP replies (difficult, must be synchronized w/ requests). Can pretend to be the IPT Server
Vulnerabilities: Signaling /3
Annotated signaling exchange (IP Phone, L2 Switch, L3 Router, IPT Server):
TCP/UDP Handshake for SCCP/SIP, SCCP/SIP registration: relies on TCP :-) Difficult to inject packets. Potential DoS against Call Manager (SYN flooding)
Key pressed …, Dial tone, ringing tones, …, Listen on UDP port x and send to IP address Y on port z: everything in the clear… can be sniffed and modified. Neither confidentiality nor integrity nor authentication
Vulnerabilities: Media Stream /4
Annotated media exchange (IP Phone, L2 Switch, IP Phone):
ARP Request / ARP Reply (dual exchange): fake ARP reply (can even be sent after original). Can pretend to be the other phone in order to get all traffic. ARPSPOOF
RTP Stream over dynamic UDP port: assume that the switch does not flood the frames on all ports. CAM Flooding or MACOF
Assume good quality of transmission
Securing the Infrastructure
§ Goal: protect the voice through the infrastructure
Protecting the network element
Prevent layer 2 tricks
Don’t forget physical security for Voice
Diagram: Securing the Infrastructure; Secure the Network Element; Protect IPT servers!
Securing the Infrastructure
Prevent Layer 2 Tricks
§ CAM is the forwarding table for a switch
Filled dynamically based on source MAC address
If destination MAC address is unknown => flood frame within VLAN
CAM overflow: the attacker sends zillions of fake source MACs to fill the CAM
=> learning is disabled
=> all frames are flooded: no confidentiality
Prevention: port security (small and finite number of MACs per port)
§ DHCP
Rogue DHCP: a malicious DHCP server (fake DNS, GW) allows for Man-in-the-Middle attacks
Prevention: DHCP snooping drops all replies coming from non-trusted DHCP servers
Securing the Infrastructure
Prevent Layer 2 Tricks (cont.)
§ ARP is the protocol that links MAC & IP addresses
ARP spoofing: the attacker sends fake MAC/IP bindings
Redirects traffic to the attacker
Breach of confidentiality and integrity
Prevention: DHCP snooping to learn trusted bindings, drop all violations
§ Virtual LAN used to logically segregate traffic on a physical LAN
VLAN hopping: sends/receives frames on another VLAN
Prevention: well-known configuration techniques, dropping wrong-VLAN frames
§ Spanning Tree Protocol, the ‘routing’ protocol, detects loops
Fake BPDU => re-routing, computation (DoS)
Prevention: drop BPDUs on all access ports, partially static topology
Prevent DHCP Spoofing and Exhaustion
§ DHCP Snooping creates bindings of IP address to MAC address
§ Defines the ports that may send DHCP replies
§ Rate limits DHCP messages
§ Resets with loss of link
[Figure: the DHCP Server answers through a trusted port and the switch records the bindings 10.1.1.1 aa-aa-aa-aa-aa-aa (port 1/0), 10.1.1.2 bb-bb-bb-bb-bb-bb (port 1/1), 10.1.1.3 cc-cc-cc-cc-cc-cc (port 1/2). A host with MAC dd-dd-dd-dd-dd-dd on an untrusted port answers a DHCP Request from 10.1.1.3 with its own DHCP Reply, which DHCP snooping drops ("DHCP-S: Nope!").]
Stop Man-in-the-Middle Attacks
§ Built on the DHCP Binding Table
§ Dynamic ARP Inspection watches ARP/GARP for violations
§ IP Source Guard examines every packet
§ Will shun packets or disable the port
§ Successfully stops ETTERCAP, DSNIFF
[Figure: switch with binding table entries learned via DHCP for 10.1.1.1 aa-aa-aa-aa-aa-aa (port 1/0), 10.1.1.2 bb-bb-bb-bb-bb-bb (port 1/1) and 10.1.1.4 dd-dd-dd-dd-dd-dd (port 1/3), plus a static entry for 10.1.1.3. A host with MAC cc-cc-cc-cc-cc-cc sends a GARP "I'm 10.1.1.1"; DAI answers "No, you're not!". The other hosts' ARP caches are shown with DAI off (10.1.1.1 poisoned to cc) and with DAI on (10.1.1.1 still aa). The same host then sends TCP traffic claiming "I'm 10.1.1.2"; IP Source Guard (ISG) answers "I don't think so!" and both attempts are blocked (X X).]
Prevent MAC Flooding Attacks
§ Limit each port to no more than 3 MAC addresses
§ Why 3 MACs? Phone on the data VLAN, phone on the voice VLAN, PC on the data VLAN
[Figure: macof floods from two hosts are blocked (X) at their access ports.]
Ignore Gratuitous ARP
§ Block acceptance of Gratuitous ARP (GARP) by the phone
§ Prevents a malicious device from assuming the identity of something else (default router) to become man-in-the-middle
§ Doesn’t really ignore it; just doesn’t update the ARP cache
§ Can lead to a DoS attack: “I have your address”
Better to do this in layer two
[Figure: hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3; GARP messages "I'm 10.1.1.1" and "I'm 10.1.1.2"; the phone answers "I'm not listening"; "You are? I'm getting a new address."]
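As an added example (not code from the deck or from Cisco), the switch-side protections on the preceding slides, namely DHCP snooping, Dynamic ARP Inspection, IP Source Guard and port security, modelled in Python against the addresses and ports used in the figures; every packet is constructed, and the class, method names and log format are my own.

```python
# Added example, not from the Cisco deck: model of the switch-side protections on these slides; all traffic constructed.
from dataclasses import dataclass, field

@dataclass
class SecureSwitch:
    trusted_ports: set                              # only these may send DHCP replies
    max_macs: int = 3                               # phone (data VLAN) + phone (voice VLAN) + PC
    bindings: dict = field(default_factory=dict)    # DHCP snooping table: ip -> (mac, port)
    macs_seen: dict = field(default_factory=dict)   # port -> set of source MACs
    disabled: set = field(default_factory=set)      # ports shut down by port security
    log: list = field(default_factory=list)

    def dhcp_ack(self, server_port, client_port, client_ip, client_mac):
        """DHCP snooping: drop replies from untrusted ports, otherwise record the lease."""
        if server_port not in self.trusted_ports:
            self.log.append(f"dhcp-snooping: dropped DHCP reply from untrusted {server_port}")
            return False
        self.bindings[client_ip] = (client_mac, client_port)
        return True

    def _port_security(self, port, mac):
        """A CAM flood (macof) shows up as too many source MACs on one port: disable it."""
        self.macs_seen.setdefault(port, set()).add(mac)
        if len(self.macs_seen[port]) > self.max_macs:
            self.disabled.add(port)
            self.log.append(f"port-security: {port} exceeded {self.max_macs} MACs, port disabled")
        return port not in self.disabled

    def inspect(self, feature, port, ip, mac):
        """DAI (on ARP/GARP) and IP Source Guard (on every IP packet): claimed IP/MAC must match a snooped binding on this port."""
        if not self._port_security(port, mac):
            return False
        if self.bindings.get(ip) != (mac, port):
            self.log.append(f"{feature}: dropped {ip} / {mac} on {port}, no matching binding")
            return False
        return True

def demo():
    sw = SecureSwitch(trusted_ports={"1/0"})        # the DHCP server is reached via port 1/0
    sw.dhcp_ack("1/0", "1/1", "10.1.1.2", "bb-bb-bb-bb-bb-bb")
    sw.dhcp_ack("1/0", "1/3", "10.1.1.4", "dd-dd-dd-dd-dd-dd")
    r = {"rogue_dhcp": sw.dhcp_ack("1/2", "1/1", "10.1.1.2", "cc-cc-cc-cc-cc-cc"),
         "good_arp": sw.inspect("DAI", "1/1", "10.1.1.2", "bb-bb-bb-bb-bb-bb"),
         "garp_spoof": sw.inspect("DAI", "1/2", "10.1.1.1", "cc-cc-cc-cc-cc-cc"),   # "I'm 10.1.1.1"
         "ipsg_spoof": sw.inspect("IPSG", "1/2", "10.1.1.2", "cc-cc-cc-cc-cc-cc"),  # "TCP: I'm 10.1.1.2"
         "good_ip": sw.inspect("IPSG", "1/3", "10.1.1.4", "dd-dd-dd-dd-dd-dd")}
    for i in range(4):                              # macof-style burst of fake source MACs on 1/1
        sw.inspect("IPSG", "1/1", "10.1.1.2", f"0{i}-00-00-00-00-00")
    return r, sw
```

`demo()` returns the verdict for each constructed packet together with the switch object, whose `log` lists every drop and whose `disabled` set shows that the flooded port was shut down.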
Securing IPT Servers
Host-Based Intrusion Prevention
§ Policy-based, not signature-based
§ Zero updates
§ “Day Zero” support
§ Effective against existing & previously unseen attacks
Design a Secure IP Telephony Network
§ Place all IP telephony servers and IP phones in different security domains (logically separate networks)
§ Enforce a security policy by limiting access from the data network to the IP telephony network
§ Enforce security posture everywhere (to prevent worms degrading QoS)
§ Place SCCP/SIP/MGCP-aware firewalls in front of all IPT servers and gateways
§ Design a voice network over an IPsec VPN when IPT is not protected
Firewall and NAT and IP Telephony
§ Stateful inspection of voice signaling protocols exists for SIP, SCCP, H.323 and MGCP
§ Issue if the signaling does not follow the media streams
[Figure: 1) Signaling; 2) Media Stream; 3) No state => block]
Authentication of IP Phones
Types of Certificates in Phones
§ Manufacturing Installed Certificate (MIC)
Installed in non-erasable, non-volatile memory
Rooted in the Manufacturer Certificate Authority
§ Locally Significant Certificate (LSC)
Installed by the local authority
Supersedes the MIC
Can be erased via factory reset
Trusted Certificates
[Figure: phone and IPT Server each answer “Who am I?” and “Who do I trust?”. The phone's Certificate Trust List contains the list of trusted devices; the IPT Server trust list is contained in a dynamic list (i.e. use of CRL, DN must be known, …).]
Protecting the Signaling
TLS is the transport for signed, authenticated and encrypted signaling
SRTP: Secure RTP
• RFC 3711 for transport of secure media
• Uses AES-128 for both authentication and encryption
• High throughput, low packet expansion
[Figure: SRTP packet layout. RTP header: V, P, X, CC, M, PT, sequence number, timestamp, synchronization source (SSRC) identifier, contributing source (CSRC) identifiers …, RTP extension (optional); RTP payload; SRTP MKI (0 bytes for voice); Authentication tag (4 bytes for voice). The encrypted portion covers the RTP payload; the authenticated portion covers the RTP header and the (encrypted) payload, with the tag appended.]
Protecting the Media Streams
SRTP is the transport for authenticated and encrypted media
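As an added example (not part of the deck), a Python parser and receiver-side tag check for the SRTP layout shown above; RFC 3711's authentication transform is HMAC-SHA1 over the authenticated portion plus the rollover counter, truncated here to the 4-byte tag the slide gives for voice. The auth key and packet are constructed, and the payload's AES-CM encryption is not modelled (the payload is treated as opaque, already-encrypted bytes).

```python
# Added example, not from the Cisco deck. The demo key and packet are constructed; the
# payload stands in for an already AES-CM-encrypted G.729 frame (encryption not modelled).
import hashlib
import hmac
import struct

TAG_LEN = 4   # AES_CM_128_HMAC_SHA1_32 profile: 4-byte tag, the slide's "4 bytes for voice"
MKI_LEN = 0   # no Master Key Identifier for voice
DEMO_AUTH_KEY = bytes(range(20))   # constructed 160-bit session auth key (normally derived from the master key)


def parse_rtp_header(pkt):
    """Decode the fixed RTP header (V, P, X, CC, M, PT, seq, ts, SSRC) plus CSRCs/extension; return fields and header length."""
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    h = {"V": b0 >> 6, "P": (b0 >> 5) & 1, "X": (b0 >> 4) & 1, "CC": b0 & 0x0F,
         "M": b1 >> 7, "PT": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}
    end = 12 + 4 * h["CC"]
    h["csrc"] = list(struct.unpack("!%dI" % h["CC"], pkt[12:end]))
    if h["X"]:   # optional extension: 2-byte profile id, 2-byte length in 32-bit words
        end += 4 + 4 * struct.unpack("!H", pkt[end + 2:end + 4])[0]
    return h, end


def split_srtp(pkt):
    """Return (header fields, authenticated portion, encrypted payload, auth tag) per RFC 3711."""
    tag = pkt[len(pkt) - TAG_LEN:]
    authed = pkt[:len(pkt) - TAG_LEN - MKI_LEN]   # RTP header + encrypted payload
    h, hdr_len = parse_rtp_header(authed)
    return h, authed, authed[hdr_len:], tag


def srtp_auth_tag(auth_key, authed, roc):
    """RFC 3711 section 4.2: HMAC-SHA1 over (authenticated portion || ROC), truncated to TAG_LEN."""
    return hmac.new(auth_key, authed + struct.pack("!I", roc), hashlib.sha1).digest()[:TAG_LEN]


def verify_srtp(pkt, auth_key, roc):
    """Receiver side: check the tag before any decryption; a modified packet is rejected here."""
    _, authed, _, tag = split_srtp(pkt)
    return hmac.compare_digest(tag, srtp_auth_tag(auth_key, authed, roc))


def build_demo_packet(roc=0):
    """Constructed SRTP packet: RTP v2, PT 18 (G.729), seq 1, ts 160, SSRC 0x12345678, 20-byte payload."""
    header = struct.pack("!BBHII", 0x80, 18, 1, 160, 0x12345678)
    authed = header + b"\x5a" * 20                    # opaque stand-in for the encrypted frame
    return authed + srtp_auth_tag(DEMO_AUTH_KEY, authed, roc)
```

Flipping one bit anywhere in the header or payload makes `verify_srtp` return False, which is the integrity property the "Everything in the clear…" slide said plain RTP lacks.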
Some Caveats with Firewalls
[Figure: 1) Signaling; 2) What is this?; 3) Media Stream; 4) Unknown traffic => Drop!]
§ If signaling is encrypted, how can the firewall inspect the traffic?
§ IETF is investigating multiple solutions: MIDCOM, NSIS, …
Stay tuned
Latency/Delay Budget
Hardware-Based Encryption Adds Minimal Latency
[Figure: end-to-end path Branch Office -> Service Provider -> Campus, with the delay contribution of each stage:]
CODEC: 10–50 ms
Queuing: Variable
Encrypt: Minimal
Serialization: 2–10 ms
Propagation and Network Delay: 6.3 µs/km + Network
Decrypt: Minimal
Jitter Buffer: 20–100 ms
Latency < 150 ms Ideal; Delay < 250 ms Acceptable
G.729 CODEC IPSec
[Figure: packet layouts, sizes in bytes]
G.729, 60 Bytes: IP Hdr 20 | UDP 8 | RTP 12 | Voice 20
IPSec ESP Tunnel Mode, 112 Bytes: IP Hdr 20 | ESP Hdr 8 | ESP IV 8 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 20 | ESP Pad/NH 2–257 | ESP Auth 12
Encrypted: inner IP Hdr through ESP Pad/NH. Authenticated: ESP Hdr through ESP Pad/NH.
G.729 CODEC with GRE and IPSec
[Figure: packet layouts, sizes in bytes]
G.729, 60 Bytes: IP Hdr 20 | UDP 8 | RTP 12 | Voice 20
IP GRE, 84 Bytes: IP Hdr 20 | GRE Hdr 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 20
IPSec ESP Tunnel Mode, 136 Bytes: IP Hdr 20 | ESP Hdr 8 | ESP IV 8 | IP Hdr 20 | GRE Hdr 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 20 | ESP Pad/NH 2–257 | ESP Auth 12
Encrypted: inner IP Hdr through ESP Pad/NH. Authenticated: ESP Hdr through ESP Pad/NH.
G.711 CODEC with GRE and IPSec
[Figure: packet layouts, sizes in bytes]
G.711, 200 Bytes: IP Hdr 20 | UDP 8 | RTP 12 | Voice 160
IP GRE, 224 Bytes: IP Hdr 20 | GRE Hdr 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 160
IPSec ESP Tunnel Mode, 280 Bytes: IP Hdr 20 | ESP Hdr 8 | ESP IV 8 | IP Hdr 20 | GRE Hdr 4 | IP Hdr 20 | UDP 8 | RTP 12 | Voice 160 | ESP Pad/NH 2–257 | ESP Auth 12
Encrypted: inner IP Hdr through ESP Pad/NH. Authenticated: ESP Hdr through ESP Pad/NH.
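As an added example (not from the deck), a short Python calculation that reproduces the byte counts on the three packet-layout slides and generalises them to other codecs, to an AES-sized block and IV, and to the resulting IP-layer bandwidth at 50 packets/s; the constants are the header sizes drawn on the slides, and the function names are my own.

```python
# Added example, not from the Cisco deck: reproduces the byte counts on the packet-layout
# slides and generalises them to other codecs and cipher block sizes.
IP_HDR, UDP_HDR, RTP_HDR, GRE_HDR = 20, 8, 12, 4
ESP_HDR, ESP_AUTH = 8, 12                   # SPI + sequence number; HMAC-96 ICV
SAMPLE_BYTES = {"G.729": 20, "G.711": 160}  # voice payload per 20 ms packet, as on the slides


def rtp_packet(codec):
    """IP/UDP/RTP packet carrying one 20 ms frame."""
    return IP_HDR + UDP_HDR + RTP_HDR + SAMPLE_BYTES[codec]


def gre_packet(inner):
    """GRE adds an outer IP header and a 4-byte GRE header."""
    return IP_HDR + GRE_HDR + inner


def esp_tunnel_packet(inner, block=8, iv=8):
    """ESP tunnel mode: outer IP | ESP hdr | IV | inner + pad + Pad Len/Next Header (2 B) | ICV.
    The slides use an 8-byte IV and 8-byte block (DES/3DES-CBC); pass block=iv=16 for AES-CBC."""
    pad = (-(inner + 2)) % block            # smallest pad so that inner + pad + 2 fills whole blocks
    return IP_HDR + ESP_HDR + iv + inner + pad + 2 + ESP_AUTH


def sizes(codec, block=8, iv=8):
    """Packet size for each of the encapsulations drawn on the slides."""
    plain = rtp_packet(codec)
    return {"rtp": plain, "gre": gre_packet(plain),
            "esp": esp_tunnel_packet(plain, block, iv),
            "gre+esp": esp_tunnel_packet(gre_packet(plain), block, iv)}


def kbps(packet_bytes, pps=50):
    """IP-layer bandwidth of one call direction at 20 ms packetisation (50 packets/s)."""
    return packet_bytes * 8 * pps / 1000
```

For G.729 the ESP tunnel nearly doubles the per-packet size (60 to 112 bytes), which is why the bandwidth planning for encrypted voice has to start from these encapsulated sizes rather than from the codec rate.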
Acknowledgements
§ Jason Halpern
§ Eric Vyncke
§ Fabio Ganzaroli
§ Maria Lidia Del Vasto
§ Alessio “Mayhem” Pennasilico
§ Antonio Mauro
§ Andrea Pasquinucci
§ …
§ NIST, VoIPSA, AIPSI, CLUSIT,
§ wwwin/search, Google
§ You (“Voi(p)”) who have been listening…
Links For More Information
§ cisco.com/go/ipcsecurity
§ J. Halpern, Cisco SAFE: IP Telephony Security In Depth
http://cisco.com/warp/public/cc/so/cuso/epso/sqfr/safip_wp.pdf
§ Misitano, Pasquinucci, VoIP: una interessante novitá….
http://misitano.com/pubs/voip-ictsec.pdf
§ NIST: Security considerations for VoIP Systems
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
Agenda (✓ = completed)
09:00 - 09:30 Registration
09:30 - 10:00 Welcome and introduction
10:00 - 10:30 Cisco strategy for 2007 and news from Product Management ✓
10:30 - 10:45 How to steer customers towards ASA ✓
10:45 - 11:15 Coffee break
11:15 - 12:00 ASA new product lineup, new features and roadmap ✓
12:00 - 12:45 Cisco NAC ✓
12:45 - 13:30 Lunch break
13:30 - 14:00 Partner self-enablement tools ✓
14:00 - 14:30 Security Management: what's new in MARS and CS-Manager ✓
14:30 - 15:30 Technical session: VoIP/IPT security analysis and countermeasures ✓
15:30 - 16:00 Closing and prize draw!
marco misitano :: misi@cisco.com :: © 2006 Cisco , All rights reserved.
Upcoming events.. (no more excuses for saying “I didn't know…”)
§ Networkers, 30 January-2 February 2007, Cannes
§ ASA Training, 18/19 December, Monza (2 days)
§ ISR Security, 18 January 2007, Monza
§ ISR Security, 19 January 2007, Roma
§ Expo, 6-7 March 2007
§ PINT Security, 16 May 2007 (Monza+Roma)
§ Security Sales Enabler Seminar, 11 January Vimercate, 12 January Roma
marco misitano :: misi@cisco.com :: © 2006 Cisco , All rights reserved.
§ 3000+ attendees expected from Europe, Middle East and Africa
§ The 2007 Technology Roadmap is articulated around 9 technology tracks: Application Optimisation Technologies, Campus and Wireless Evolution, Data Centres, IP & MPLS Infrastructure Evolution, IP NGN Architectures and Technologies, Management and Operations, Mobility, Security, Unified Communications Technologies
§ More than 100 sessions delivering in-depth innovation technology content
§ Technology panels and case study sessions
§ 22 techtorials covering technology updates or project-based case studies (on techtorial day, Dec 12)
§ Targeting 111 Strategic Solutions partners showcasing innovative solutions (exhibition)
§ NEW: 11 labs offering hands-on mentored technology sessions
§ The Networkers Innovation Awards Ceremony will reward those companies that have deployed and successfully implemented innovative technologies
§ 1 FREE Cisco Career Certification or CCIE Written Exam per registrant
§ 200+ Cisco technology experts in all technology areas available
§ And… a customer appreciation event not to be missed!
Registration live at www.cisco.com/networkers
marco misitano :: misi@cisco.com :: © 2006 Cisco , All rights reserved.
Marco L. Misitano
CISSP, CISA, CISM
Consulting Systems Engineer
Cisco Italy
misi@cisco.com