Security Business Guide

Introduction
The Internet provides rich, new opportunities for business growth and development. By utilizing
the variety of services and solutions now available on the network, companies are able to better
care for their customers, create synergies between geographically distant employees, and
establish opportunities for revenue through electronic access to a broader and more diverse
customer base.
These opportunities include such things as customer care services, inventory control, e-commerce web sites, interactive e-learning, workforce optimization, remote user access to the
network, business-to-business co-opetition, and IP telephony. Solutions such as these provide
unprecedented opportunities to reduce operating costs, improve productivity and communication,
and generate new revenue.
Unfortunately, as these opportunities continue to grow, the threat of cyber-crime means there are
serious risks involved in deploying these solutions. More than ever, it is imperative that
companies integrate security into the architecture of their network in order to mitigate such threats
and to allow the potential for growth inherent in a networked environment to be realized.
Influencing Factors For Purchasing Security
It is critical to understand the risks associated with any IBS (Internet Business Solution) strategy.
According to Meta Group Consulting, the top two concerns executives have are:
Damage to company image after a breach. There is a concern that a publicized security breach
could severely alter the public’s perception of a company. While the comparisons may be
inaccurate, many customers, vendors, and business partners may feel that something as simple
as hackers defacing a web site may indicate deeper problems related to security, and may curtail
e-business activities as a result.
Legal liabilities resulting from a breach. Companies are increasingly being held liable for
incomplete or improperly applied security solutions. Many of today’s attacks, such as Distributed
Denial of Service (DDoS) attacks compromise a network, load the systems on that network with
agent software, and then use that network to launch an attack on another. Similarly, a network
that is broken into may allow a hacker to gain unauthorized access to customer credit cards,
account or personal information, direct access to extranet partners and their networks, and more.
Finally, companies are increasingly being held liable by their shareholders when a preventable
security breach results in the loss of critical R&D information or corporate data assets.
The challenge in addressing these and other concerns is that many executives do not understand
the problems, nor are they able to identify a solution which can adequately address these threats.
According to DataMonitor, it is expected that global business-to-business and business-to-consumer e-Commerce revenues will reach US $5.9 trillion and US $663 billion respectively by 2005.
This growth cannot happen, however, without correcting security expenditures.
For example, while "e-Security breaches cause over US $15 billion damage worldwide annually",
more than 50% of businesses worldwide spend 5% or less of their IT budget on security. In many
cases, they spend less than they do on coffee and soda for their employees. And yet, according
to the FBI, 58% of companies reported that they had been broken into ten or more times in the
course of a single year!
So, what prevents companies from implementing appropriate security solutions in their network?
According to the Gartner Group, there are four key reasons why they don’t implement security.
1. Unable to quantify security threats, leading to decision paralysis. In spite of their efforts to
implement some sort of security measures, many companies find that the solutions they
implement are simply inadequate. This is often the result of two things. First, they simply do not
understand what security risks are associated with their e-business strategies, and second, they
do not have a systematic way to intelligently secure their entire network.
2. Unable to measure severity and probability of risk. Companies have little or no idea of the
costs associated with an electronic break-in. They have not quantified the value of their electronic
data, and do not understand the extent to which damage can be done should a break-in occur.
They have not adequately analyzed their e-business strategy and implementation, and used it as
a foundation for building an appropriate security policy.
3. Preconceived notions that security cost is excessive. Most executives still believe that
security problems are solved by buying and installing a box of some sort (a firewall, intrusion
detection devices, access control system, etc.). But purchasing equipment without a security
policy and implementation plan can lead to excessive costs and trial-and-error challenges. The
best solution is to first, develop an appropriate security policy, second, leverage the security
already inherent in the existing network, and third, purchase and apply network-intelligent security
solutions designed to be part of the network architecture, and which support the implementation
of new network services and solutions.
4. Preconceived notion that security will interfere with access. One of the biggest problems
companies face is that they have separated their security function from their networking solutions.
This is largely because most security devices are designed to restrict access, and are often far
slower than the network they are protecting. But by implementing high-performance devices
designed as part of the network architecture, this concern becomes a non-issue.
In fact, Marcus Ranum, who was one of the inventors of the modern firewall, recently said, “We
security folks have got to stop treating security like it’s a separate problem from network
management. Error detection, intrusion detection, and link outages - these are all aspects of the
same network management problem.”
First Things First – Building A Security Policy
Bruce Schneier, one of the world’s foremost authorities on security, stated in his recent book
Secrets and Lies, that “Security is not a product; it’s a process. You can’t just add it to a system
after the fact. It’s vital to understand the real threats to a system, design a security policy
commensurate with those threats, and build in appropriate security countermeasures.”
Unfortunately, buying security products without a clear understanding of their security needs is
exactly what most companies do. There is simply little relationship between their business model
and their security implementation.
This problem can be corrected with an intelligent security policy – one which takes into account
the organization’s business strategy and which is designed to both address the actual risks such
a strategy creates, and which takes into account the entire network, both components and
services, and not just one portion of it. In a recent Meta Group Consulting report, it was found that
28% of organizations stated that some portion of their infrastructure fell out of the scope of their
security programs.
So, what goes into a security policy? There are numerous resources designed to address this
topic in much greater detail (for example, see RFC 2196, or NIST’s policy section and Site
Security Handbook found at http://csrc.nist.gov/policies/).
But essentially, all security policy is based on four things:
1. A clear description of your business model. There is no sense in designing or deploying a
security solution which is not based on what your business goals are. Clearly identify your
business objectives, including the types of services and access which are necessary to
accomplish those goals.
2. A detailed understanding of the associated risks. If you plan to host a DMZ and provide e-commerce activities, for example, you need to understand all of the ways that hackers will try to
exploit those systems and services. What are the risks if the web page is defaced, or if a server is
compromised, or if a customer database is attacked? In what ways are such attacks undertaken?
Do they bypass the firewall by hiding in the permitted web traffic, or exploit vulnerabilities in
unpatched operating systems? These issues must be carefully examined and understood before
moving on to the next step. And remember, as new systems or services are added to a network,
new risks are introduced. Regular and comprehensive vulnerability assessment must be part of
this step.
3. A systematic approach to mitigating those risks. Everything in a network is a target,
including routers, switches, hosts, applications, networks, and operating systems. A security
policy must take all of these components into account if it is to be effective. Remember the three
“P’s” when implementing security solutions: People, Products, and Process. You must have
skilled technicians implementing the policy, you must use tools designed specifically to support
your e-business strategy, and you must combine this with good system administration and
review.
4. Remembering that security is a process. A security policy is not a “set and forget” solution.
Security demands regular review, analysis, and improvement if it is to provide the level of
protection that your organization requires. You may also want to consider purchasing a
vulnerability assessment tool, as well as contracting with a third-party security audit partner in
order to double-check your policy, process, and implementation, and in some circumstances to
even off-load labor-intensive security monitoring.
When developing a security policy, keep in mind the following list of “top ten” security tips,
compiled by the Cisco Security Consulting Services team.
Top Ten Cyber-Security Tips:
1. Encourage or require employees to choose strong passwords. Hacker programs available
on the Internet contain tens of thousands of common passwords, which can be used to break into
unsecured computer systems. A password should have a minimum of 8 characters. They should
be non-dictionary words. They should combine upper and lower case characters. You can even
mix in a symbol, like a $. An ideal password might be something like 2B3#N3$.
2. Require new passwords every 90 days. By the time the hacker gets your password, it will
already be outdated.
3. Make sure your virus protection subscription is current. Most businesses purchase virus
protection programs from companies like Symantec, Trend Micro, or McAfee. These companies
regularly offer patches and updates to their programs to respond to new threats. Companies
should regularly check for defense improvements and be sure their subscription to virus
protection updates remains current.
4. Educate employees about attachments. Just because it's in the "in-box" doesn't mean it's
been cleared through any security mechanism. Attachments, particularly executables (and not
always with “.exe” at the end) can be dangerous, dropping off a little software code called a
Trojan Horse that corrupts your system or allows it to be infiltrated at a later time. Employees
should be educated about security basics, including the need to avoid opening attachments from
unknown sources.
5. Install a total solution. If you’re securing your own system (instead of relying upon an ISP or
web host), don't just throw a firewall at a network and call it secure. Firewalls do a great job of
securing a perimeter, but no one device will do the trick. Complete solutions should include
firewalling, host and network intrusion protection, access control servers and devices, secure
connectivity (like IPSec VPNs), applying proper filtering and ACLs to limit and manage traffic, and
secure device and policy management.
6. Assess your security posture regularly. Don't secure and run. Hackers are constantly
updating their technology. Small and medium businesses need to know how they stack up
against the most current types of attack. If you’re relying on a Web host or ISP, be sure to choose
a vendor who is security savvy. Compare their offerings to those of other companies.
7. When an employee leaves a company, remove the employee's network access
immediately. When asked to evaluate the internal security posture of networks, the Cisco
Security Consulting team finds vulnerabilities in almost every network tested. Just as you ask
departing employees to turn in their keys to the front door, you should take away their key to the
network when they leave. Disgruntled employees are the greatest threat to any system’s security.
8. If you allow people to work at home, provide a secure, centrally managed server for
remote traffic. Telecommuting increases worker satisfaction and productivity. But it also
presents a security challenge. It makes little sense to spend $10,000 on a security system for
your Web site while you allow people to dial in to your network unabated.
9. Update your Web server software regularly. Stay on top of security updates and patches.
These are often available for free over the Web. Make sure you're always running the latest
versions of software to stay ahead of hackers, who are certainly working to stay ahead of you.
10. Don't run any unnecessary network services. If your employees don't need Web access,
don't provide it. Disable unneeded network interfaces. If you don't need services such as NFS,
Finger, Echo or some of the other programs that are routinely provided with software suites,
make sure they're turned off. Often, a variety of services are provided by default in a program.
Exploitation of these services is one of the most common hacks seen by Cisco's customers.
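Tips 1 and 2 above give a concrete, checkable policy: at least 8 characters, not a dictionary word, mixed case, optionally a symbol, and a new password every 90 days. The following is an added example (not part of the Cisco guide) of how an administrator could audit accounts against exactly those rules. The tiny common-password set and the sample accounts are constructed for the example; a real check would load a full wordlist, and would normally run at password-change time rather than over stored passwords.

```python
from __future__ import annotations
from datetime import date, timedelta

# Constructed stand-in for the tens-of-thousands-entry wordlists the guide
# mentions; a real check would load a full dictionary (assumption).
COMMON_PASSWORDS = {
    "password", "letmein", "welcome", "qwerty", "admin", "cisco123", "summer",
}
MIN_LENGTH = 8        # tip 1: at least 8 characters
MAX_AGE_DAYS = 90     # tip 2: a new password every 90 days

# Letter-for-symbol substitutions that do not defeat a wordlist attack.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "$": "s", "7": "t", "!": "i"})


def _normalize(password: str) -> str:
    """Lower-case, drop trailing digits, undo leet-speak: 'P@ssw0rd1' -> 'password'."""
    return password.lower().rstrip("0123456789").translate(_LEET)


def password_problems(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or _normalize(password) in COMMON_PASSWORDS:
        problems.append("dictionary word or common password (even with substitutions)")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("does not mix upper and lower case")
    return problems


def has_symbol(password: str) -> bool:
    """The guide's optional extra: at least one non-alphanumeric character."""
    return any(not c.isalnum() for c in password)


def password_expired(last_changed: date, today: date) -> bool:
    """True once a password is older than the 90-day rotation window."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def audit_accounts(accounts: dict[str, tuple[str, date]], today: date) -> dict[str, list[str]]:
    """Map each account name to its findings; accounts with no findings are omitted.

    `accounts` maps username -> (current password, date it was last changed).
    """
    findings = {}
    for user, (password, changed) in accounts.items():
        issues = password_problems(password)
        if password_expired(changed, today):
            issues.append(f"not changed for more than {MAX_AGE_DAYS} days")
        if issues:
            findings[user] = issues
    return findings


# Constructed sample accounts (not real credentials).
SAMPLE_ACCOUNTS = {
    "alice": ("Tr0ub4dor&3", date(2001, 4, 1)),
    "bob": ("P@ssw0rd1", date(2001, 4, 1)),
    "carol": ("welcome", date(2000, 11, 15)),
}

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, date(2001, 4, 30)).items():
        print(f"{user}: {'; '.join(issues)}")
```

The normalisation step is the part worth copying: a password such as `P@ssw0rd1` satisfies the length, mixed-case and symbol rules on paper, yet it is still one substitution away from a wordlist entry, which is exactly what the "hacker programs" in tip 1 try first.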
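Tip 10 (disable unneeded services such as NFS, Finger and Echo) is easiest to act on with a short inventory script. The following is an added example, not part of the Cisco guide: it parses a listening-socket listing in the shape of `netstat -ln` output, names each port from a small built-in table, and flags everything that is not on the host's list of required services, rating legacy services bound to all interfaces as high priority. The listing and the port table are constructed so the block runs offline; on a real host you would feed it the actual command output.

```python
from __future__ import annotations
import re

# Subset of /etc/services, constructed here so the block runs offline.
SERVICE_NAMES = {7: "echo", 19: "chargen", 22: "ssh", 25: "smtp", 79: "finger",
                 80: "http", 111: "sunrpc", 443: "https", 2049: "nfs", 3306: "mysql"}

# Services the guide singles out as routinely on by default and rarely needed.
LEGACY_SERVICES = {"echo", "chargen", "finger", "sunrpc", "nfs"}

# Constructed listening-socket listing in the shape of `netstat -ln` output (assumption).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:7               0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
_LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(LISTEN))?\s*$")


def parse_listeners(text: str) -> list[tuple[str, str, int]]:
    """Return (proto, bind_address, port) for every listening socket in the listing."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # header or unparseable line
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue                      # established TCP sockets are not listeners
        listeners.append((proto, addr, int(port)))
    return listeners


def unnecessary_services(text: str, needed: set[str]) -> list[dict]:
    """Flag every listener whose service is not in `needed`.

    Severity is "high" when a legacy service is reachable on all interfaces,
    otherwise "review" (e.g. a database bound only to loopback).
    """
    findings = []
    for proto, addr, port in parse_listeners(text):
        name = SERVICE_NAMES.get(port, f"port {port}")
        if name in needed:
            continue
        wildcard = addr in ("0.0.0.0", "::", "[::]")
        exposure = "all interfaces" if wildcard else f"bound to {addr}"
        severity = "high" if (name in LEGACY_SERVICES and wildcard) else "review"
        findings.append({"proto": proto, "port": port, "service": name,
                         "exposure": exposure, "severity": severity})
    return findings


if __name__ == "__main__":
    # This constructed host only needs to serve SSH and HTTP.
    for f in unnecessary_services(SAMPLE_NETSTAT, needed={"ssh", "http"}):
        print(f"[{f['severity']}] {f['proto']}/{f['port']} {f['service']} ({f['exposure']})")
```

The `needed` set is the host's side of the security policy from the earlier section: the script only knows what is listening, and the policy says what should be.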
Issues To Consider BEFORE Selecting A Security Solution
Once a security policy has been developed and is in place, there are a number of issues which
need to be carefully considered before implementing a solution.
Security Threats are Changing. As discussed earlier, there is a gap between the desire for
security and the failure to implement it. The primary reason for this is that the sophistication
of the network has outpaced the development of the products designed to protect it.
In many cases, the security devices companies have implemented were simply designed for
older, less complicated networks than those in use today. Ten years ago, for example, when
most security devices were first conceived, networks were closed and data was easier to secure. The
perimeter was easily defined, and simple security devices did an adequate job of closing security
holes, since little to no network intelligence was required for them to do their job. These legacy
security solutions tend to be simple access control devices used primarily to disable common
network traffic.
But while networks have changed dramatically since that time, the vast majority of security
devices have not. The Internet has matured into the “Corporate Information Highway”, and with it
has come the Open Network of telecommuting, the connecting of branch offices, and new
business-to-business strategies. These more complex, dynamically changing networks require
more sophisticated security solutions, designed specifically to support new technologies as an
intelligent addition to the architecture of the network.
In such networks there is no easily defined perimeter, and network security changes every time
someone connects to the network. Where do you place traditional security products in an open
network environment? Legacy security solutions designed for yesterday’s networks are not
sophisticated or intelligent enough to defend complex network environments being used to run
Internet Business Solutions.
Internet Business Solutions are comprised of a variety of solutions working together to
accomplish a single goal: efficient and secure e-business. Security is just one small piece of this
complex networking solution, which also includes such things as messaging, contact centers,
multimedia, voice call processing, collaboration, video on demand, content delivery, personal
productivity, policy management, SLA management, and address management. Companies who
have or who plan to implement traditional security solutions in such an environment – security
tools which are NOT network intelligent and which are NOT designed to support these new
technologies – can severely limit their ability to create a secure Internet business solution.
Such solutions simply do not provide an adequate shield against determined and increasingly
well-armed cyber-criminals. When most people read about Internet hacking incidents, they get
the impression that these are highly complex, technical attacks that require a genius to
coordinate. But the reality is that while the really smart people first come up with these highly
complex, technical attacks, they freely share the information – and the tools – required to execute
them. Such “open sharing” of hacking information and tools allows individuals with minimal
technical knowledge to duplicate complex attacks. In many instances it is simply as easy as
downloading the appropriate attack tool from the Internet and launching it against targets. A
hacker doesn’t need to know anything other than how to point-and-click to run the attack tool.
The bottom line is that it doesn’t take a genius to successfully attack systems and networks, it just
takes someone downloading attack tools. Unfortunately, there is no single security device in
existence today which can adequately protect all of the devices and services under attack.
Limitations of Legacy Security Systems. So, as we have discussed, many of the problems
companies face in regard to inadequate security are the result of deploying security tools which
are simply not designed or equipped to protect the network, or to respond to the sophisticated
attacks being employed today.
One of the primary problems behind this is that these tools are not designed to understand or
interoperate with the network to create a layered-defense strategy, which is really the only viable
defense against the types of attacks occurring today. Additionally, the solutions available from
any given security vendor are very limited in approach and scope. They tend to build and sell only
one or two tools, such as a firewall or a VPN device, and then market these solutions as a “cure-all” for all network security needs.
Unfortunately, such solutions have limited network intelligence, and cannot support most network
services or technologies. The result is two-fold. First, implementing single-box solutions tends to
leave gaping security holes in the network, since these limited solutions simply do not cover all of
the possible vulnerabilities which exist in any given segment of the network. Secondly, over-confidence in these solutions may be a major reason why companies are broken into repeatedly.
It is therefore critical to understand the drawbacks of deploying legacy security technologies in a
world quickly moving toward Intelligent Network Solutions.
One way these companies try to address at least part of this problem is to create multi-vendor
bundles of products. Unfortunately, this solution often creates more problems than the single-box
solution. First, these products still have the inherent problem of NOT providing nor supporting
intelligent networking. Next, these solutions often rely on multi-vendor kludges, resulting in a
complex maze of patches, interoperability issues, and technical support finger-pointing. Finally,
there are still numerous security issues they cannot address and security targets they cannot
protect. In addition, cost-of-ownership for such multi-vendor solutions is prohibitive, and single-point management is virtually non-existent.
In short, once a customer buys into the skewed logic being used by these vendors, they find
themselves vulnerable simply because of the limited scope or poor implementation of security in
the devices being sold. These problems include being at the mercy of:
- Incomplete point ‘solutions’ (limited security for a single point on the network)
- One-box-fixes-all fallacy (creates over-confidence and leaves security vulnerabilities)
- Legacy application of overlay security (used primarily to disable traffic)
- No network intelligence (not part of the network architecture)
- Kludging of technologies (no real interoperability, management, or unified support)
- Complicated product updating and patches, including feature parity between vendors
- Vulnerabilities inherent in the security platform (NT or UNIX OS in many cases)
- Compatibility and performance issues with generic hardware platforms
- Multiple vendor service and support (finger-pointing)
- No support QA across the various vendors
- No control or protection of the internal network
Security as part of Intelligent Networking. Companies developing intelligent network
environments are integrating many solutions into a single framework. Functions like integrated
video, voice, and data, multimedia viewing, mobility access, QOS, and e-commerce are critical to
increasing productivity and profitability. In this integrated environment security is a small, but
important component. In order for it to function properly, security needs to be part of the network
architecture.
Such security solutions must be designed with the intelligent network in mind, and support and
interoperate with rich network services. This includes security solutions which are integrated into
the network infrastructure as distributed technology, which function as both overlay and
integrated technology (leveraging the IOS intelligence), and which are designed to enrich and
enable Internet Business Solutions.
Cisco Systems is in a unique position to be able to deliver such security solutions. Because Cisco
developed most of the networking products/solutions that power the Internet, no one understands
better how they work, where they are headed in terms of development, and how to leverage the
intelligence of the network to secure your IBS strategy.
Two things we can be sure of are that networks will continue to evolve, and that criminals and
vandals will continue to exploit the network in order to commit crimes. Since security issues touch
all network components (in fact, with dynamic networks changing every time a customer,
employee, or partner becomes part of, or disconnects from your network, the network itself is the
only constant in an ever-changing environment), security should be an integral part of your
NETWORKING strategy.
Which is why we believe that the company to secure a network should be the company that
developed it. And we’ve put our money where our mouth is on this point, because Cisco Systems
is now the largest network security company in the world. Our combined security product set,
including firewalls, VPNs, access control devices, network and host intrusion protection,
professional services, training, and single-station management, as well as security inherent in
IOS itself, means we have the broadest range of security solutions helping more companies than
any other security vendor in the world.
SAFE
Now that we have identified the problem, namely more sophisticated networks = more
sophisticated attacks, and legacy security devices are not designed to address this new reality,
we will take a look at the revolutionary way in which Cisco addresses today’s security needs.
Our security solutions model is based on the SAFE documents, which are a best-practices guideline
for designing and implementing secure networks. Implementing SAFE is essential for the secure
implementation of new network technologies and Internet Business Strategies (IBS). In a simple,
step-by-step process, SAFE breaks a network down into its core functionalities, isolates all of the
security issues related to each of these network segments based on actual threats encountered
in today’s dynamic networks, and identifies security solutions and practices which mitigate those
threats.
Unlike any other security solution available today, SAFE starts by addressing security as a
process based on business goals, security policy, and leveraging all available resources as part
of the security strategy, rather than focusing on the features of a particular product. And because
it is modular in approach, it allows companies to omit network elements which do not apply to
their business model, prioritize the remaining segments according to their security needs, and
implement security over time as part of a cost-effective security strategy.
Key SAFE concepts include:
- Security is a process, NOT a product
- Security and attack mitigation should be based on a security policy
- Security implementation should be applied throughout the infrastructure (not just on
  specialized security devices)
- Security should be cost-effective, and allow for modular deployment for scalability and
  flexibility
- Security requires a layered defense strategy, with multiple solutions working together to
  create a seamless end-to-end security solution
- Everything is a target, including Routers, Switches, Hosts, Networks (local and remote),
  Applications, Operating Systems, Security Devices, Remote Users, Business Partners,
  Extranets, etc.
- There are two types of threats:
  o Threat from internal users – According to the FBI, 60% of attacks and 80% of
    financial loss are caused by trusted network users
  o Threat from the outside – Primarily, threats to publicly addressable hosts
    connected to the Internet
- SAFE solutions combine market-leading security products, proven security practices, and
  single-station management, while leveraging the security inherent in your existing Cisco
  network infrastructure.
You can learn more about SAFE, and download FREE copies of all of the SAFE documents, by
logging onto www.cisco.com/go/safe.
Cisco Security Product Line
Cisco provides the widest range of security products and devices available from any single
vendor. These tools can be integrated into the SAFE guideline designs, and are developed
specifically to secure your intelligent networking environment. They also provide the added
protection of single-call support, integrated product management, and the Cisco assurance of
quality and vendor stability.
Cisco PIX Firewall
The Cisco PIX Firewall is a hardware appliance which manages access to the network, or
segment of the network. It is the electronic equivalent of the locked door which only allows those
with a key or access card to enter. It creates a protective layer between the network and the
outside world, and is placed at the access point between the two where it negotiates network
access and filters out unauthorized or potentially dangerous material from entering the network.
The Cisco PIX Firewall series delivers strong security in an easy-to-install, integrated
hardware/software firewall appliance that offers exceptional performance. Cisco’s world-leading
PIX Firewall family spans the entire end-user spectrum, from cost-conscious desktop firewalls for
remote users to carrier-class gigabit firewalls for the most demanding enterprise and service
provider environments.
Key Features
Security – Purpose-built firewall appliance with a proprietary, hardened operating system that
eliminates security holes.
Performance – Stateful connection-oriented firewall capable of 500,000 concurrent connections
and 1.7 Gbps of throughput
Reliability – High availability support via a redundant hot standby/failover unit that maintains
concurrent connections through automatic stateful synchronization
Virtual Private Network (VPN) – Support for both standards-based IPSec and L2TP/PPTP-based VPN services
VPN Accelerator Card – 3DES VPN throughput can scale to nearly 100 Mbps as the
encryption/decryption processes are handled by specialized coprocessors
Intrusion Detection System (IDS) – Provides intrusion protection using a set of IDS signatures
designed for firewall use for real-time intrusion monitoring, interceptions, and responses to
network misuse
Network Address Translation (NAT) and Port Address Translation (PAT) – Conceals internal
IP addresses and expands network address space
Denial-of-Service (DoS) Attack Protection – Protects the firewall, as well as internal servers
and clients, from disruptive hacker attempts to flood the network with illegitimate or trivial data
Web-Based Management via PIX Device Manager (PDM) – Allows for simple, GUI-based
configuration and usage reports
Platform Extensibility – Supports from two 10/100 Ethernet interfaces up to ten Gigabit Ethernet
interfaces
Low Cost of Ownership – Simple installation and configuration, maximum up time (MTBF of
over 60,000 hours), and straightforward management for minimal time investment combined with
impressive price/performance
Cisco IOS Firewall
The Cisco IOS Firewall enriches Cisco IOS security capabilities by integrating robust PIX firewall
functionality and intrusion detection into network devices, allowing you to add firewall protection
and functionality throughout your infrastructure. Broad implementation allows you to create zones
of defense, or “fire cells” within your network design for layered defense.
When combined with Cisco IOS IPSec VPN software and other Cisco IOS Software-based
technologies, such as L2TP tunneling and quality of service (QoS), it provides a complete,
integrated virtual private network solution.
Because it is available for a wide range of Cisco routers, it gives customers the flexibility to
choose a solution that meets their bandwidth, LAN/WAN density, and multiservice requirements,
while providing advanced security functionality
Key Features
Powerful Firewall Functionality – Using a stateful firewall process called Context-Based Access
Control (CBAC), the Cisco IOS Firewall provides secure, stateful, application-based filtering and
access management, supporting the latest networking protocols and advanced applications
Intrusion Detection System (IDS) – Provides intrusion protection services for real-time intrusion
monitoring, interceptions, and responses to network misuse
Access Control – Dynamic, per-user authentication/authorization for LAN, WAN, and VPN
clients
Management – Graphical configuration and management via the ConfigMaker Security Wizard
Virtual Private Network (VPN) Security – Provides strong perimeter security for a complete
Cisco IOS Software-based VPN solution, including IPSec, QoS, and tunneling, for a wide range
of Cisco routers
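Both the PIX description above ("stateful connection-oriented firewall") and the IOS Firewall's Context-Based Access Control rest on the same idea: traffic initiated from inside opens a temporary pinhole for its return traffic, while unsolicited traffic from outside is dropped unless a static rule publishes that service. The following is an added example, not Cisco code and not how PIX or CBAC are implemented internally, that models that behaviour with a session table in Python. The addresses, the inside prefix and the packet trace are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag, i.e. a connection request


class StatefulFilter:
    """Minimal stateful inspection.

    Inside-initiated sessions are recorded so that their replies are permitted;
    anything else arriving from outside must match a static permit, such as the
    DMZ web server's port 80.
    """

    def __init__(self, inside_prefix: str, static_inbound: set[tuple[str, str, int]]):
        self.inside_prefix = inside_prefix          # e.g. "10.0." (constructed)
        self.static_inbound = static_inbound        # {(proto, dst_ip, dst_port)}
        self.sessions: set[tuple] = set()           # (proto, in_ip, in_port, out_ip, out_port)
        self.log: list[str] = []                    # denied packets, for the IDS console

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def filter(self, pkt: Packet) -> str:
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)

        if outbound:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.proto == "udp" or pkt.syn:
                self.sessions.add(key)              # open the pinhole for replies
                return "permit"
            if key in self.sessions:
                return "permit"                     # rest of an established session
            self.log.append(f"denied stray outbound {pkt.proto} {pkt.src}:{pkt.sport}")
            return "deny"

        if inbound:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                return "permit"                     # reply to something we started
            if (pkt.proto, pkt.dst, pkt.dport) in self.static_inbound:
                return "permit"                     # explicitly published service
            self.log.append(
                f"denied unsolicited {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "deny"

        return "permit"                             # inside-to-inside traffic is out of scope here


def run_demo() -> list[str]:
    """Replay a constructed packet trace and return the per-packet decisions."""
    fw = StatefulFilter("10.0.", static_inbound={("tcp", "10.0.1.10", 80)})
    trace = [
        Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 80, syn=True),  # user opens a web page
        Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40000),            # the server's reply
        Packet("tcp", "198.51.100.7", 80, "10.0.0.6", 40000),            # same server, wrong host
        Packet("tcp", "203.0.113.9", 1234, "10.0.0.5", 22),              # unsolicited probe
        Packet("tcp", "203.0.113.9", 1235, "10.0.1.10", 80, syn=True),   # customer to DMZ web server
        Packet("udp", "10.0.0.5", 53000, "198.51.100.53", 53),           # DNS query
        Packet("udp", "198.51.100.53", 53, "10.0.0.5", 53000),           # DNS answer
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Note what the static permit does not do: it lets the customer reach the DMZ web server, but the same source trying port 22 on an internal host is still dropped and logged, which is the "filters out unauthorized material" behaviour the PIX description promises.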
Cisco Secure Intrusion Protection
With 60% of incidents and 80% of financial loss resulting from attacks occurring inside the
network perimeter, it is critical to be able to monitor traffic for suspicious activity, and respond in
real-time to malicious events or unauthorized network access. Cisco provides two powerful and
complementary IDS solutions, network and host-based, for the most comprehensive IDS solution
available on the market.
Network Intrusion Detection System (NIDS)
The Cisco Secure Intrusion Detection System delivers a family of high-performance security
surveillance solutions for both enterprise and service provider networks. Designed to address the
increased requirements for security visibility, denial-of-service (DoS) protection, anti-hacking
detection, and e-commerce business defenses, Cisco Secure IDS leads the market in innovative
security monitoring solutions.
The product line consists of sensing devices (high-speed security analysis appliances) and high
performance line card modules for the Cisco Catalyst 6000 series switches. These IDS sensors
analyze packets traversing the network to determine if the traffic is authorized or malicious. If the
data stream in a network exhibits unauthorized or suspicious activity, sensors can detect the
policy violation in real-time, terminate the offending session(s), and send alarms back to a central
management console.
The management console can centrally monitor the activity of multiple sensors, provides a visual
alarm display, and acts as a remote system configuration utility.
Key Features
Market-Leading Technology – Cisco is a leader in the development and implementation of
innovative and award-winning IDS solutions
Sophisticated Attack Detection and Anti-Hacking Protection – Uses “intelligent” signature
strings to maximize performance and improve the ability to detect attacks
Transparent Operation – The IDS sensor ports do not have an advertisable address, which
means they cannot be detected by hackers sniffing a network segment
Scalable Sensing Performance – Provides from 45 Mbps to over 1 Gbps of sensing performance
Integrated Into the Network – The Catalyst 6000 IDS Modules allow you to actually embed
security into the fabric of the network for maximum performance and security control
Active Response – Unlike other IDS tools, the Cisco IDS solution is network-intelligent. This
allows it to not only detect and alarm on attacks, but to actually respond by either dropping an
offending session, or accessing the nearest router to write an ACL to shun the attacker from
attempting to re-enter the network segment.
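The detect-alarm-respond cycle described above, as an added illustration that is not Cisco Secure IDS code: a toy sensor matches constructed packet payloads against two constructed signatures and, for a shunnable hit, builds the ACL deny entry an active response would push to the nearest router (the ACL number is an assumption).

```python
"""Added illustration (not Cisco Secure IDS code): a toy network sensor
that matches packet payloads against signatures and, for shunnable hits,
builds the ACL deny line an 'active response' would push to the nearest
router. Packets, signatures and the ACL number are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample packets: (src, dst, dport, payload)
SAMPLE_PACKETS = [
    ("10.0.0.5",     "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    ("198.51.100.7", "192.0.2.10", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    ("198.51.100.7", "192.0.2.10", 80, b"GET /" + b"A" * 600 + b" HTTP/1.0\r\n"),
    ("10.0.0.8",     "192.0.2.10", 80, b"GET /about.html HTTP/1.0\r\n"),
]

# Signature: (name, predicate on the payload, shun the source on a hit?)
SIGNATURES = [
    ("web-dot-dot-traversal", lambda p: re.search(rb"\.\./", p) is not None, True),
    ("web-oversized-request", lambda p: len(p) > 512, False),
]

@dataclass
class Sensor:
    alarms: list = field(default_factory=list)   # (signature, src, dst, dport)
    shunned: dict = field(default_factory=dict)  # src -> ACL line sent to router

    def inspect(self, src, dst, dport, payload):
        """Match one packet against every signature; return the names raised."""
        raised = []
        for name, match, shun in SIGNATURES:
            if not match(payload):
                continue
            raised.append(name)
            self.alarms.append((name, src, dst, dport))   # alarm to the console
            # Active response: one ACL entry per source, written on first hit
            if shun and src not in self.shunned:
                self.shunned[src] = shun_acl_line(src)
        return raised

def shun_acl_line(src, acl_number=199):
    """Hypothetical IOS extended-ACL deny entry for the offending host."""
    return f"access-list {acl_number} deny ip host {src} any"

def run(packets=SAMPLE_PACKETS):
    sensor = Sensor()
    for pkt in packets:
        sensor.inspect(*pkt)
    return sensor
```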
Host-Based Intrusion Detection System (HIDS)
Hosts and servers are the most frequently attacked devices on a network. Hackers attempt to
take advantage of the sophisticated services these devices provide, as well as the extreme
complexity of the devices themselves. This complexity makes them especially prone to human
error, and furthermore, most attempts to secure such devices result in limiting the very services
the host is designed to provide.
Cisco Host IDS, powered by Entercept, is designed to solve this problem. It provides real-time
intrusion detection, reaction, and prevention for hosts using industry-leading technology and
requiring minimal overhead on the devices on which it is installed.
The Cisco Host IDS agent installs close to the operating system and intercepts system and API calls. By comparing each call with known exploit behavior, it can reject a malicious call before the OS processes it. For web servers, its shielding technology places a protective envelope around the web server's activities, ensuring the integrity of the server, its applications, and its files, including customers' valuable data, based on function.
Key Features
Standard Edition
Prevents Break-Ins – Access attempts, such as buffer overflow exploits, are specifically denied
Prevents Hacks – OS protection disallows hacker tools from executing
OS Protection – Protects the OS from alteration, including modification of registry files, enabling
previously disabled services, etc.
Prevents Authorization Escalation – Does not allow hackers to elevate privileges in order to
gain root access to the device
Web Server Edition
In addition to all of the services provided in the Standard Edition, the Web Server Edition also
provides the following features:
Prevents Hidden Attacks – Monitors, identifies, and drops malicious HTTP traffic
Resource Protection – Prevents alteration of web server files to prevent such things as web
defacements or the implanting of malicious code, and limits resources to pre-defined usage
parameters
Cisco VPN 3000 Family
Virtual Private Networks (VPNs) are private, usually encrypted connections, or tunnels, over
public networks, such as the Internet. They are deployed to connect telecommuters, mobile
workers, branch offices, and business partners to each other, or to the corporate network. These
VPN connections allow organizations to take advantage of significant cost-savings over traditional
leased or toll dial-up lines.
The Cisco VPN 3000 Concentrator Series is a family of purpose-built, remote access virtual
private network (VPN) platforms that incorporate high availability, high performance, and
scalability with the most advanced encryption and authentication techniques available today.
The series scales from small offices to large organizations requiring up to 10,000
simultaneous remote users per unit. With load balancing configured, multiple units can be
clustered to enable virtually unlimited numbers of remote access users. Its unique “push policy”
design creates significant scalability, security, and management advantages as all policy is stored
centrally and pushed out to the client during tunnel creation to allow for granular policy
enforcement and modification.
Key Features
Cisco VPN 3000 Concentrators
Standards Based – Support for industry standard IPSec DES/3DES
NAT Support – Supports Cisco IPSec/NAT for VPN access through Port Address Translation
firewalls
Free VPN Client – Unlimited-use license for broad Cisco VPN Client distribution at no cost per
seat or user
Standards-Based Authentication – Supports RADIUS, SDI Tokens, and Digital Certificates
Load Balancing – Allows for multiple units to cluster as a single shared pool
Stateful IPSec Failover – Hot-swappable cards allow for single-box redundancy
Cisco VPN 3002 Hardware Client
A hardware version of the Cisco VPN Client, this tool allows for high-performance VPN
connectivity in a mixed OS or SOHO environment.
Broad OS Support – Works with most operating systems, including Windows, Linux, Solaris,
MAC, etc.
Auto-Upgrade – Centrally distributed automated upgrades without user intervention
Full Client Technology – Employs push policy and automatic address assignment from the
central site concentrator
Cisco Secure Scanner
Regular vulnerability analysis is critical to maintaining the health of the network’s security. The
Cisco Secure Scanner conducts detailed analyses of networked systems to compile an electronic
inventory of assets, and to detect vulnerabilities associated with those assets, such as known OS
vulnerabilities, enabled services vulnerable to exploit, etc. This technology allows network
managers to identify and resolve security weaknesses before they can be exploited by intruders.
The Cisco Secure Scanner is an enterprise-class software tool offering proactive, preventative
security through superior network system identification, innovative data management, flexible
user-defined vulnerability rules, and comprehensive security reporting capabilities. It allows you
to measure security, manage risk, and eliminate security vulnerabilities – thereby enabling more
secure network environments.
Key Features
Flexible Licensing – Designed to serve the changing needs of customers, and to provide
unprecedented scanning flexibility
Easy-to-Use Interface – Allows you to quickly perform a network scan without pre-existing
knowledge of the network or security vulnerabilities
Comprehensive Scanning Engine – Can analyze and identify targeted networked systems,
including Web servers, firewalls, routers, switches, and workstations
Flexible Data Analysis and Reporting – Includes graphics-generating feature and report wizard
User-Defined Implementation – Includes scheduling, specialized profiles, and customizable
scanning rules for legacy or proprietary systems
Unique Matrix Browser and Display – Allows users to easily navigate through data
Regular Vulnerability Updates – Bi-monthly updates of signatures and rules files
Extensive Network Security Database – Provides descriptions of security problems, risk-level
ratings, repair options such as links to patches and updates, and hacker information to inform you
of how cyber-criminals can exploit found vulnerabilities
Cisco Secure Access Control Server
Before a user can gain access to a network with a password, the network must evaluate the
password to determine whether it is valid, and to see if there are any access limitations associated with
that password. Access control servers provide AAA services (authentication, authorization, and
accounting) by validating the user’s identity, determining which areas or information the user can
access based on stored user profiles, and keeping track of the user’s activities while connected to
the network.
Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access control
device which operates as a centralized RADIUS or TACACS+ server system controlling the
authentication, authorization, and accounting of users accessing corporate resources through the
network.
Cisco Secure ACS supports access control and accounting for traditional network access, dial-up
access servers, VPNs, firewalls, voice over IP (VoIP), and wireless access.
Key Features
Ease of Use – Web-based user interface simplifies and distributes configuration
Scalability – ACS supports large environments with support for redundant servers, remote
databases, and user database backup services
Extensibility – LDAP authentication forwarding for authentication of user profiles stored in
directories from key vendors such as Netscape, Novell, Oracle, and Microsoft
Management – Windows 2000 Active Directory and NT database support consolidates Windows
username/password management, and utilizes the Windows Performance Monitor for real-time
statistics viewing
Administration – Different access levels for each administrator and ability to group network
devices to facilitate enforcement and changes of security policies
Product Flexibility – ACS can be used with most Cisco routers and network access servers running a Cisco IOS version with embedded RADIUS or TACACS+ support
Third-Party Token Support – Token Server support for RSA SecurID, Axent Technologies,
Secure Computing, and CryptoCard tokens
Control – Dynamic quotas for time-of-day, network usage, number of logged sessions, and day-of-week access restrictions
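The AAA decision described above (validate identity, authorize against a stored profile, enforce quotas, account for activity), as an added example that is not Cisco Secure ACS code; the profile store, salt and quota values are constructed for the illustration.

```python
"""Added illustration (not Cisco Secure ACS code): the AAA decision an access
control server makes per login: authenticate the password, authorize the
requested area against a stored profile, enforce time-of-day and concurrent-
session quotas, and write accounting records. Profiles and salt are constructed."""
import hashlib, hmac, os
SALT = b"constructed-salt"

def password_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed profiles: hashed password, permitted areas, quotas
PROFILES = {
    "alice": {"hash": password_hash("correct horse"), "areas": {"vpn", "wlan"},
              "hours": range(8, 18), "max_sessions": 2},
}

class AccessControlServer:
    def __init__(self):
        self.sessions = {}    # user -> active session ids
        self.accounting = []  # (event, user, detail) records

    def authenticate(self, user, password):
        profile = PROFILES.get(user)
        # Constant-time compare of the stored and candidate hashes
        return profile is not None and hmac.compare_digest(
            profile["hash"], password_hash(password))

    def authorize(self, user, area, hour):
        """Return (allowed, reason) for an already authenticated user."""
        profile = PROFILES[user]
        if area not in profile["areas"]:
            return False, "area not permitted"
        if hour not in profile["hours"]:
            return False, "outside allowed hours"
        if len(self.sessions.get(user, [])) >= profile["max_sessions"]:
            return False, "session quota reached"
        return True, "ok"

    def login(self, user, password, area, hour):
        """Full AAA pass; returns a session id, or None with a reject record."""
        if not self.authenticate(user, password):
            self.accounting.append(("reject", user, "authentication failed"))
            return None
        allowed, reason = self.authorize(user, area, hour)
        if not allowed:
            self.accounting.append(("reject", user, reason))
            return None
        sid = os.urandom(4).hex()
        self.sessions.setdefault(user, []).append(sid)
        self.accounting.append(("start", user, f"{area}:{sid}"))
        return sid

    def logout(self, user, sid):
        self.sessions[user].remove(sid)
        self.accounting.append(("stop", user, sid))
```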
Cisco IOS Solutions
IOS-based and hardware-enabled security and IPSec VPN solutions are available for the Cisco
800, 1700, 2600, 3600, 7100, 7200, and 7400 Series routers.
Centralized Management and Support
Cisco offers a variety of security device and policy management solutions designed for SMB and
enterprise environments, managing everything from a single box to hundreds of appliance and
IOS security and VPN devices. Companies can realize significant cost-of-ownership savings
through the implementation of single-station management.
In addition, Cisco provides its award-winning 24x7 technical support for its entire range of security solutions. There is never any finger-pointing or multi-vendor confusion. Just a single number to call, day or night, seven days a week, for comprehensive product support.
AVVID Security Partners
Cisco Systems has extended its AVVID Partner program to include security solutions. These
solutions have been extensively reviewed by Cisco and independently tested in a third-party
laboratory to ensure compatibility with Cisco products and environments. Certified products are
available in a wide variety of categories, including virus scanning, filtering, management and
reporting, identification, PKI and digital certificates, as well as other VPN and security-related
functionalities.