Cisco Security Routers
Protecting your business while reducing costs
© 2005 Cisco Systems, Inc. All rights reserved.

Security Trends
Attacks on the rise, causing substantial damage
• 95% of respondents detected at least 10 web site security incidents in 2005*
• Losses due to theft of proprietary information doubled in the past 12 months, to $355K per incident*
Security is the highest spending priority for CIOs
• 58% of CIOs expect spending increases in security over the next 12 months†
* CSI/FBI Security Study, 2005
† Deutsche Bank February CIO Poll, March 2005

Defending Business Operations
[Figure: the business services of the IP network, surrounded by the threats that target them]
Services: E-Mail, Wireless, Audio Conferencing, Calendar, Voice Messaging, Web Application, IP Telephony, Instant Messaging, IP Network
Threats: Theft of Customer Data, Mandatory Disclosure, Corporate Espionage, Extortion, Organized Crime, Blackmail, Fraud, Scams, Information Harvesting

Typical Network Requirements
Business services need continuous connectivity, requiring the network to be secure and available
A. Secure Connectivity
• Encrypted VPN between sites or partners
• Secure remote access
• Encrypted POS
B. Data & Identity Protection
• Perimeter defense
• Outbreak prevention
• Admission control
C. Secure Voice & Wireless
• Convergence of voice and data services
• Integration of wired and wireless
D. Business Continuity
• WAN backup
• Network foundation protection

Security Integrated Into the Network
"The top emerging technology trend, regardless of site type or time frame, is the integration of security features like firewall, VPN, IDS, etc into routers." Infonetics, 2005
Cisco Security Routers: all-in-one security for the WAN
• VPN
• Application Firewall
• Intrusion Prevention
• Network Admission Control
• URL Filtering
• IP Telephony
• Wireless
• Network Foundation Protection
• WAN Backup

Cisco Security Routers: Driving Industry Growth Through Value
"Worldwide VPN and Firewall growth was again driven by Cisco's strength in hardware secure routers (up 25% this quarter)" Infonetics Research, 2005
• Security integrated into the network infrastructure: extends the value of the network
• Industry-leading, high-performance VPN connectivity: enables new applications
• Continual integration of advanced technologies (e.g. voice, wireless, SSL VPN, NAC, outbreak prevention): future-proof investment
• High market acceptance (millions of units deployed; the fastest growing and largest network security segment): low technology adoption risk
• Single device to configure and manage: reduces complexity and OpEx

Cisco Security Router Portfolio
[Figure: platforms arranged by WAN aggregation, performance and services density, from head office down to small office and teleworker]
WAN aggregation (head office): 7600 Series, 7200 Series
Integrated Services Routers (feature breadth and scale at highest performance):
• 3800 Series: high density and performance for concurrent services
• 2800 Series: embedded, advanced voice, video, data and security services
• 1800 Series and 800 Series: embedded wireless, security and data
Deployment points: Head Office, Branch Office, Small Branch, SMB, Small Office and Teleworker

Cisco 7200 and 7301 Routers
Enterprise head-end and SP edge with security services
• Cisco 7200 Series: up to OC3 performance with integrated services
• Cisco 7301: 1RU platform with onboard GE
• Target: enterprise core and service provider edge
• Diverse deployment applications: WAN aggregation, managed security, IBM datacenter, SAA management, broadband aggregation, MPLS PE, and route reflector
• Modular engine options for improved performance
• Onboard GE, high-density Port Adapters (supported across the Cisco 7000 portfolio)
• Hot-swappable interfaces, redundant power
• Cisco IOS T, S and Mainline release support: release options to meet cutting-edge enterprise features or stability as the key requirement
New! SA-VAM2+
• Hardware acceleration for AES wide keys (192 and 256 bit)
• Provides >260 Mbps 3DES
• Up to 5000 IPsec tunnels
• Hardware-accelerated IPPCP compression

Cisco Integrated Security Architecture
Integrated hardware security services
• Built-in VPN acceleration: high-performance crypto offload; 3DES/AES encryption; 4x faster than previous platforms
• Secure voice: PVDM modules; support for SRTP
• High-performance AIM: optional AIM-VPN PLUS; 3DES, AES, and compression; 10x faster than previous platforms
• USB port: removable; secure credentials
[Figure: chassis slot layout: Power + 802.3af, GE, HWIC, VPN AIM, AIM, USB, EVM, NME]
Common hardware architecture, modular design, investment protection
Cisco ISR: Integrated Wireless Access
Optimized for secure mobility
Cisco 850 Series
• Stateful firewall and VPN
• 4-port 10/100 switch
• 802.11b/g option, single fixed antenna
Cisco 870 Series
• Higher performance
• Stateful firewall, VPN, IPS, antivirus, NAC
• 4-port 10/100 managed switch, up to 3 VLANs
• 802.11b/g option, multiple antennas
• Advanced QoS features
Cisco 1800 Series (fixed configuration)
• Wire-speed performance
• Stateful firewall, VPN, IPS, antivirus, NAC
• Integrated backup port for redundant WAN links and load balancing
• 8-port 10/100 managed switch, internal power supply, optional internal PoE, up to 8 VLANs
• 802.11a and 802.11b/g option, multiple antennas
Integrated wireless access is also available for the modular 1841, 2800 and 3800.

Deploy Security On Your Routers Up Front
Reduce costs and worries: choose Cisco Security Router bundles
• A proactive measure to protect your network
• Sets up a secure foundation for voice and wireless deployment
• Bundle discounts provide a compelling ROI to buy security now versus adding it later
• Migration programs offer credit towards Cisco and competitive equipment

Cisco Security Router: Solutions
Secure Connectivity (A)
Business requirements
• Encrypted VPN connectivity between sites or partners
• Secure remote access
• Encrypted point-of-sale transactions
• Network intelligence (routing, QoS, multicast) enables voice, video & data
• Centralized cookie-cutter configuration (Easy VPN)
• Scalable full / partial mesh (DMVPN)
• Simplified PKI deployment (CA server, USB eTokens)
Site-to-site VPN
• Interconnect branch offices over IP
High-performance VPN
• For larger sites, including head office aggregation
• High performance and resiliency for larger sites
• Strongest encryption (hardware-accelerated AES)
Remote access VPN
• Full-service network access with centralized policy-based management (Easy VPN)
• Clientless secure access (SSL VPN)
• Hardware VPN for small offices & telecommuters
• Software VPN for mobile users
[Figure: branch office, small branch, and small office & telecommuter connected over the Internet to the corporate office]

Business Requirements Analysis (A)
• Have you reviewed the on-going costs of leased line or Frame Relay links?
• Are you considering migrating to VPN?
• Is your business regulated by HIPAA, SOX, EU Directive 95/46?
• Are you planning to offer secure remote access to employees or partners?
If NO:
• Many businesses are migrating for cost savings and/or broadband performance: show the case study and ROI analysis
• Businesses need encryption to ensure compliance with legislation, with external entities and internally between buildings or groups
If YES:
• Select a Secure WAN bundle based on performance and services: it is less expensive to purchase the Cisco Secure WAN solution now than to upgrade later
• Schedule a demo of the appropriate VPN solutions: Easy VPN, DMVPN, SSL VPN

A Compelling ROI for VPN Migration (A)
Before: Frame Relay
• 1.5M port speed (512k CIR)
• 30 sites, 10% mesh, ~2 PVCs per site
• Access charge/site = $4,354; management = $635; total branch access = $4,989
• Head-end access = $10,800
• Total cost/month (80%) = $124,384
After: IP VPN
• 1.5M port speed
• 30 sites
• Nonrecurring: Cisco 2811 x 29 sites = $78,800; Cisco 3845 head-end = $12,700; total nonrecurring cost = $91,500
• Access charge/site = $1,420; management = $550; total branch access = $1,970
• Head-end access = $10,800
• Total cost/month = $67,930
$56K per month savings; equipment paid off in 2 months
(The monthly totals count 29 branch sites plus the head end: (29 x $4,989 + $10,800) x 80% = $124,384 before, and 29 x $1,970 + $10,800 = $67,930 after.)

High Performance Security Bundles TCO (A)
Cheaper to buy now vs. later
• CapEx savings alone: $2,000 to $10,000
• Additional OpEx savings (typically 10 to 50% of the platform price) are not included above

Secure Connectivity Case Study (A): Data Encryption for Frame Relay or Leased Lines
Business problem
• Reduce the risk of exposing customer data (e.g. credit card numbers); avoid painful disclosure and negative publicity
Real-life example
• Online retailer with WAN connectivity via Frame Relay
• Their service provider mis-provisioned a DLCI change
• Another company's network overlapped into their network
• Notification of Risk to Personal Data (NORPDA) mandates that all customers be notified of a breach
Solution
• The customer now encrypts all traffic over their WAN; unencrypted traffic is denied entrance to their Frame Relay network
• Ensures the security of customer data

Why AES?
| | AES | 3DES |
| Type of algorithm | Symmetric block cipher (substitution-permutation network) | Symmetric block cipher (Feistel network) |
| Key size (bits) | 128, 192, 256 | 112 or 168 |
| Time to crack* | 149 trillion years | 4.6 billion years |
* Assuming a machine that could try 2^55 keys per second (NIST). The AES figure is for a 128-bit key; the 3DES figure corresponds to a 112-bit effective key, which is also the effective strength of three-key (168-bit) 3DES once meet-in-the-middle attacks are accounted for. Both figures are brute-force estimates only; 3DES's 64-bit block size is a separate limitation that AES's 128-bit block does not have.
• The Secretary of Commerce approved the adoption of AES as an official Government standard, effective May 26, 2002
• The US Federal Government and other large enterprise and service provider customers are migrating their 3DES IPsec to AES
• AES is designed to replace DES / 3DES

Dynamic Multipoint VPN and VoIP
Auto-meshing with dynamic routing
[Figure: a hub with a static public IP address; spoke sites 1, 2 ... n with dynamic (or static) public IP addresses; dynamic, permanent spoke-to-hub tunnels; on-demand spoke-to-spoke tunnels]
1. Site 1 calls Site 2
2. Site 1 asks the hub: where is 2?
3. The hub sends 2's public IP address
4. An on-demand tunnel is built spoke-to-spoke
5. Site 2 rings
• Reduced latency and jitter
• Improved performance
• Increased scalability
• Easy to deploy and maintain

IPsec+GRE vs DMVPN: Hub to Spoke
| Feature | IPsec+GRE | DMVPN |
| All traffic must go via the hub | Yes | Yes |
| Easy to deploy | Yes | Yes |
| Small hub configuration files | No | Yes |
| No hub provisioning for new spokes | No | Yes |
| Easy configuration of dynamically addressed CPE | No | Yes |
DMVPN hub-to-spoke benefits
+ Simplified and smaller configs for hub and spoke
+ Zero-touch provisioning for adding spokes to the VPN
+ Easily supports dynamically addressed CPEs
IPsec+GRE vs DMVPN: Spoke to Spoke
Static full mesh vs virtual full mesh
| Feature | IPsec+GRE | DMVPN |
| Direct spoke-to-spoke tunnels | Yes | Yes |
| Connections to all the nodes with smaller spoke CPE | No | Yes |
| Provisioning for adding a new node | No | Yes |
| Scaling and support of a full mesh | No | Yes |
DMVPN spoke-to-spoke benefits
+ On-demand spoke-to-spoke tunnels: avoids the double encrypt/decrypt at the hub
+ Smaller spoke CPE can participate in the virtual full mesh

Dynamic Multipoint VPN: Benefits
• Simplified configuration: spokes use a proven registration protocol (NHRP) to connect to the hubs, then dynamic routing builds the network topology automatically. Configuration files are much smaller and easy to manage. No new hub provisioning for each new spoke added: zero touch, for lower admin costs and higher uptime
• Complete application (multicast/QoS) and authentication support
• Coming soon: dynamic VPN creation between spoke routers based on user traffic

Easy VPN: Overview
[Figure: central site; branch office and home office connected over the Internet. Legend: Cisco VPN software client on PC/Mac/Unix]
• The remote device contacts the central-site router/concentrator and provides authentication credentials.
• If the credentials are valid, the central site "pushes" configuration data securely to the remote device and the VPN is established.

IPsec Virtual Tunnel Interface (VTI)
• Simplifies VPN configuration by eliminating crypto maps, ACLs and GRE
• Simplifies VPN design: a 1:1 relationship between tunnels and sites, with a dedicated logical interface
• More scalable alternative to GRE (Generic Routing Encapsulation) for VPN tunnel creation
• VTI supports QoS, multicast and other routing functions that previously required GRE
• Improves VPN interoperability with other vendors
[Figure: 192.168.1.0/24 and 192.168.2.0/24 sites joined by Tunnel 0, addressed 192.168.100.0/30 (.1 and .2)]

Easy VPN IPsec Remote Access
Dynamic policy push for scalable services: VPN functions are assigned as IKE Mode Config attributes, several parameters at once
[Figure: teleworker / small branch office and mobile VPN workers connecting to a Cisco Easy VPN server on a central-site 6500 / 7600 VPNSM]
Policy attributes pushed today
• Dynamic VPN IP address (via pool)
• Internal netmask
• Internal DNS and WINS servers
• Split tunnel mode
New attributes pushed starting in IOS 12.2(18)SXD
• Static VPN IP address via RADIUS
• Idle timeouts
• Split DNS
• Max tunnels per VPN group
• VPN group lock
• Personal firewall (Are You There) check
• Include local LAN
• Save password control
• Backup head-end gateway list
• Per-user AAA attributes
Benefits
• Supports dynamic connections with VPN
• Enables small or large deployments without user intervention
• Enforces a consistent VPN policy on all remote devices
• Interoperability across Cisco access and security devices
• No head-end changes when adding extra devices
• Cisco VPN Client is the only FIPS-certified client in the industry!

Cisco IOS PKI Certificate Server
• The router can now be a Certificate Authority (CA) server: eliminates the complexity of installing a separate PKI/CA server
• Key rollover for certificate renewal: allows the certificate renewal request to be made before the certificate expires
• Easy VPN now works with PKI certificates: the Cisco IOS CA server can be used for enrollment
[Figure: corporate CA server at headquarters enrolling branch offices A, B and C over the Internet]

USB Secure Token & Flash Storage
Integrated USB ports (Integrated Services Routers) support a secure token and flash memory
1. Simplified provisioning: zero-touch deployment
2. Distribution and storage of VPN credentials: easy to provision and distribute encryption keys; keys are securely stored and removable
3. Bulk flash for image distribution/storage: an alternative to Compact Flash deployment
2 USB ports: 3800, 2851, 2821, 2811, 1811, 1812, 871
1 USB port: 2801, 1841
Secure tokens available from Aladdin

Data & Identity Protection (B)
Business requirements
• Defend against worms, viruses, trojans, hacks
• Enforce policy-based control of network assets
• Segregate network assets into trusted & untrusted zones
Perimeter defense
• Policy firewall (L3)
• Transparent firewall (L2)
• Application firewall (L4-7)
• Intrusion prevention
• Application-aware inspection and defense against port 80, IM and P2P misuse
Outbreak prevention
• Distributed Threat Mitigation
• Incident Control
• Network-based protection against viruses, worms, trojans and other threats
• Distributed protection across the entire network at minimum cost
• Rapid response to emerging threats
Identity & controlled access
• Network Admission Control
• URL filtering
• Port-level security (802.1x)
• Controls who/what gets access to the network and what they can do
• Detects and isolates non-compliant devices
[Figure: branch office, small branch, and small office & telecommuter connected over the Internet to the corporate office]

Business Requirements Analysis (B)
• Need perimeter protection against worms, viruses and trojans?
• Concerned with unauthorized access and the security posture of laptops & PCs?
• Need to comply with information privacy laws, e.g. SOX, HIPAA, EU Directive 95/46?
• Required to enforce Internet surfing policies and prevent illegal downloads?
If NO:
• Mitigating infections at the perimeter conserves WAN bandwidth and allows faster response
• Companies need to protect their customer records and privacy to pass security audits
• URL filtering monitors and enforces surfing policies and reduces legal risks
• Check the case study and ROI analysis
If YES:
• Select the right Secure WAN bundle: it is less expensive to purchase the Cisco Secure WAN solution now than to upgrade later
• Schedule a demo of the appropriate Data & Identity Protection solutions: application firewall, IPS, DTM, NAC, URL filtering

Data & Identity Protection Drivers (B): Loss of Data, Time
The total cost of a major security incident*
| Type of cost | Cost | Time |
| Disruption to business | $93,850 – $281,550 | 1 – 3 days |
| Time spent responding | $5,631 – $11,262 | 10 – 20 man-days |
| Direct cash spent responding | $9,385 – $18,770 | |
| Direct financial loss | $3,754 – $7,508 | |
| Damage to reputation | $9,385 – $37,540 | |
| Total cost | $122,000 – $356,630 | |
* Source: UK study, 2004
Annual loss from unauthorized access to information (loss per respondent): 2005 $303,234; 2004 $51,545; 2003 $12,592
Source: CSI/FBI Computer Crime and Security Surveys, Morgan Stanley Research

Data & Identity Protection Drivers (B): Legislation
• Sarbanes-Oxley, Section 404: severe CEO / corporate penalties for non-compliance
• Health Insurance Portability & Accountability Act (HIPAA): affects health care; up to $250,000 in fines and 5 years in jail per violation
• Gramm-Leach-Bliley Act (GLBA): affects financial services; CIO-level staff can be held personally liable, plus penalties and class action suits
• Notification of Risk to Personal Data Act (NORPDA): all customers must be notified of a breach
• SB1386 (California): all customers must be notified of a breach
Data & Identity Protection Case Study (B)
Business problem
• Compliance with government regulations
Real-life example
• Infineon: a large global semiconductor enterprise
• Required maximum security for intellectual property
Solution
• Network security integration, low OpEx: a single-chassis Catalyst 6500 for VPN, security, routing and switching
• IPsec VPN over the LAN and encrypted multicast: IPsec VPN Shared Port Adapter with AES encryption, in line with federal and government agency standards
• High-performance data security and wireless: service modules for firewall, intrusion detection, network analysis and WLAN

Cisco IOS IPS: New Features and Engines, All Inline!
• Router-based IPS enables broadly deployed worm and threat mitigation services, even at remote branch offices
• String engines enable custom matching of any string in the packet: customize signatures for quick reaction to new threats (TCP String, UDP String, ICMP String, Trend Micro)
• 400 worm and attack signatures added: an ever-increasing number of signatures from which to dynamically select
• Supports Trend Micro signatures

Companies Are Opening Port 80
Attacks enter through web-enabled applications
[Figure: internal users' traffic to the Internet over port 80 (HTTP): Internet access 98%; rich media, IM traffic, web-enabled apps and web services between 43% and 55%]
64% of enterprises have opened port 80 on their firewalls for their growing web application traffic (Source: August 2002 InfoWorld/Network Computing survey of IT professionals)
"…75% of successful attacks against Web servers are entering through applications and not at the network level." John Pescatore, VP and Research Director, Gartner, June 2002

Cisco IOS Firewall: Advanced Application Inspection and Control
[Figure: a payload on port 25 claiming "I am email traffic… honest!" and a payload on port 80 claiming "I am http web traffic… honest!" arriving at the corporate office server farm]
HTTP inspection engine
• Delivers application-level control through inspection of traffic tunneled over port 80: a convergence of Cisco IOS Firewall and inline IPS technologies
• Controls port 80 misuse by rogue applications that hide traffic inside HTTP to avoid scrutiny, for example instant messaging and peer-to-peer applications such as Kazaa
Email inspection engine
• Controls misuse of email protocols
• SMTP, ESMTP, IMAP and POP inspection engines
The inspection engines provide protocol anomaly detection services

Integrated Content Security: URL Filtering and Content Engine Network Module
Cisco IOS URL filtering
• Integrated with Cisco IOS Firewall
• Supports Websense and N2H2 web filtering clients
• Works with external Websense and N2H2 servers
• Static "good" list / "bad" list URL filtering in IOS
NM-CE Content Engine Network Module
• Internet proxy cache
• URL filtering application server
• Pre-loaded OEM Websense and SmartFilter filtering applications
• Enforces application use policy
• Traffic logging and reporting
• Anti-virus gateway (ICAP) to scan, clean, and cache web content
[Figure: branch office with IOS FW and NM-CE connected over an IPsec tunnel to corporate headquarters, which hosts the URL database server]
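The HTTP inspection engine, the email engines and the IOS URL-filtering options described above combine into a single inspection rule like the one below. This is an added example, not configuration from the deck: the interface names, the Websense server address 10.10.10.5, the permit/deny domains and the policy and rule names are assumed.

```cisco
! Application firewall policy for port 80: only RFC-compliant HTTP passes.
! IM, P2P and tunneling protocols riding port 80 are reset and logged.
appfw policy-name PORT80-CONTROL
 application http
  strict-http action reset alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm
  port-misuse default action reset alarm
  max-uri-length 2048 action reset alarm
  request-method rfc put action reset alarm
  request-method rfc delete action reset alarm
!
! URL filtering: static "bad"/"good" lists are checked before the external
! Websense server (assumed at 10.10.10.5). allow-mode off fails closed if the
! server is unreachable.
ip urlfilter exclusive-domain deny .hackershomepage.com
ip urlfilter exclusive-domain permit .cisco.com
ip urlfilter server vendor websense 10.10.10.5
ip urlfilter allow-mode off
ip urlfilter audit-trail
!
! One inspection rule: application firewall, HTTP inspection with URL filtering,
! the email protocol engines, and generic TCP/UDP for everything else
ip inspect name FW appfw PORT80-CONTROL
ip inspect name FW http urlfilter
ip inspect name FW esmtp
ip inspect name FW imap
ip inspect name FW pop3
ip inspect name FW tcp
ip inspect name FW udp
!
! Inspect traffic leaving the inside LAN; the WAN-side ACL drops everything that
! inspection has not dynamically opened for return traffic
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
interface FastEthernet0/0
 description inside LAN
 ip inspect FW in
!
interface Serial0/0/0
 description WAN
 ip access-group OUTSIDE-IN in
```

`port-misuse default` catches the protocols the engine does not name individually, and `strict-http` resets anything that is not well-formed HTTP, which also breaks some legitimate in-house applications: start with `action alarm`, read the syslog, and move to `reset alarm` once the alarms are understood. `ip urlfilter allow-mode on` would fail open when the filtering server is down; `off` keeps the policy enforced but turns a server outage into a web outage, so the server needs the same availability planning as the router.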
[Figure detail: a request to www.hackershomepage.com is blocked at the IOS firewall]

Cisco IOS Virtualized Services
VRF-aware "virtual" firewall & IPsec "virtual" interface
[Figure: engineering and accounting contexts behind the Cisco IOS FW at the branch; the corporate LAN is reached through Tunnel 0 over the Internet]
VRF-aware "virtual" firewall
• VRF supports multiple independent contexts (addressing, routing and interfaces) at the branch location, for separation of departments, subsidiaries, or customers
• A VRF-aware firewall allows customers to add the firewall to the list of services available at the individual context level
IPsec "virtual" interface
• Simplified IPsec VPN configuration and design (network-aware IPsec)
• Easier and more scalable management, and faster deployment of IPsec technology
• Enhanced support for V3PN applications through multicast, QoS and routing support

802.1x Identity Authentication Support
• Support for 802.1x authentication: the new 4- and 9-port EtherSwitch HWIC (HWIC-ESW) and the current 16- and 36-port EtherSwitch NM (NM-ESW) all support 802.1x and Power over Ethernet (PoE); all new router Ethernet ports also support 802.1x
• Survivable remote user authentication
[Figure: a branch router with a 4-port EtherSwitch enforcing 802.1x identity, authenticating against a AAA server at corporate headquarters]

Network Admission Control (NAC)
Delivering collaborative security systems
NAC solution: leverages the network to intelligently enforce access privileges based on endpoint security posture
[Figure: hosts attempting network access, running the Cisco Trust Agent, present credentials to the 3800, 2800, 1800, or 800 router; the router relays them over RADIUS to the policy (AAA) server, which consults vendor servers and decides whether the host complies; the router enforces the resulting access rights and the host is notified. A coalition of market-leading vendors; www.cisco.com/go/nac]
• Focused on limiting damage from viruses and worms
• Limits network access to compliant, trusted endpoints
• Restricts network access by non-compliant devices
• Supports multiple AV vendors & Cisco Security Agent
• The 3800, 2800, and 1800 Security Bundles ship with NAC capability

Secure Voice and Wireless (C)
Business requirements
• Security & convergence of voice and data services
• Security & integration of wired and wireless
• Business-ready voice: local call processing & audio conferencing (CCME)
• Employee mobility
• Guest access
Secure voice
• High-performance encrypted voice and video (V3PN)
• Security for voice and data applications (policy firewall)
• Reduced TCO (toll bypass, network/equipment consolidation)
• Integrated IP-PBX and PSTN gateway
• Voice, video & data over VPN
Secure wireless
• Dual-band wireless (802.11a, b/g)
• Public wireless hotspot
• Extensive wireless security (802.1x, WPA, EAP-TLS, TKIP)
• Integrated wired/wireless (VLANs, QoS)
• Reduced infrastructure cost (inline-power EtherSwitch)
[Figure: IP phones, POS registers and IP video at the branch, with Internet and PSTN connectivity]

Increased ROI with Secure Voice: Example (C)
| Requirement | Site 1 | Site 2 |
| No. of IP telephony users | 24 | 32 |
| Trunks: FXS | 6 | 8 |
| Trunks: FXO | 10 | 12 |
| CCME/SRST license | 36 | 48 |
| CUE (voice mail / AA) | 18 | 24 |
| Conferencing / transcoding | 4/4 | 6/6 |
Before: 17xx & 26xx
| Typical router for data | 1760 | 2611 |
| Platform needed with IPT | 3725 | 3745 |
| Price of base chassis | $8,500 | $12,000 |
| Price per seat (for chassis) | $354 | $372 |
After: 2800 ISR, same requirements
| Integrated Services Router | 2811 | 2821 |
| Price of V3PN bundle | $2,495 | $3,895 |
| Price per seat (for chassis) | $103 | $121 |
CapEx reduced 3x; OpEx reduced due to the single-box solution

Secure Voice (V3PN) Bundles TCO (C)
Cheaper to buy now vs. later
• V3PN bundles include: router, AIM-VPN II PLUS, DSPs; Cisco IOS Advanced IP Services feature set; Cisco CallManager Express, voice mail (optional)

The ROI of Wireless (C)
The business benefits: the 2003 NOP study shows a rise in productivity from the 2001 study
| | 2001 | 2003 |
| End-user average network connection time | 1¾ hours more per day | 3½ hours per day |
| Average daily time savings | 70 minutes | 90 minutes |
| End-user productivity | +23% | +27% |
| Value of time saved per employee | $7K | $14K |
Source: NOP World Technology, Sep 2001 and 2003

Business Requirements Analysis (C)
• Are you considering IP Communication applications at your campus or branch office?
• Do you need wireless access for employees, guests, customers?
• Do you plan to reduce telecom costs by consolidating voice and WAN links?
If NO:
• Many businesses are implementing IP telephony and wireless services for cost savings and improved productivity: check the case study and ROI analysis
• Existing investment in voice and WLAN equipment could be further leveraged through consolidation of separate networks onto ISRs
If YES:
• For voice, consider V3PN bundles: high application performance & resiliency; it is less expensive to purchase the Secure WAN bundle now than to upgrade later
• Schedule a demo of Secure Voice & Wireless solutions

Secure Voice Case Study (C)
Business problem
• Secure voice & data for remote sites
Real-life example
• ePlus: financial solutions & enterprise software
• Needed to unify a dispersed nationwide workforce
Solution
• Voice functions integrated into Cisco ISRs: replaced 35 disparate phone systems; employees now reach co-workers anywhere with a four-digit extension
• Connectivity costs cut by $840K per year by migrating from Frame Relay to DMVPN
• Future video conferencing, content caching, intrusion prevention and NAC services
• Quick business expansion: cookie-cutter deployment, phones for new sites up in 2 hours
"The Cisco ISRs allow us to centralize everything into a router. By the time we have completed our deployment, we will have doubled …our organization, while reducing maintenance and circuit costs." Chris Fairbanks, Principal Network Architect, ePlus Inc.

V3PN: Secured Site-to-Site Multi-Service VPN Based on GRE/IPsec
Delivering voice and video over an IPsec VPN requires more than just encrypting RTP packets. Cisco IOS VPN routers provide:
• Reliable voice quality under network congestion: voice-centric QoS with IPsec; basic queuing alone does not ensure voice and video quality
• Support for multicast voice and video applications: IPsec alone can break multicast IP telephony and video applications
• Resiliency at all points in the network: telephony and VPN resiliency at all sites
• Cisco Powered Network "IP VPN-Multiservice" designation for V3PN: ensures quality for enterprises
Business Continuity (D)
Business requirements
• Uninterrupted operation of business-critical applications
• The network must stay up in the face of attacks & disasters
• Seamless recovery from link failures
• Stateful head-end failover minimizes application interruption
• Independent remote-site telephony operation during disasters (SRST)
WAN backup
• Backup VPN over broadband (DSL, cable) or dial (PSTN, ISDN)
• Head-end redundancy
• Survivable remote telephony
Network foundation protection
• Device availability: Control Plane Protection, AutoSecure, rate limiting
• DDoS protection
• Secure management access and secure remote management: SSL and SSHv2 for the CLI, SDM for web-based management
• Forensics and security incident analysis: Syslog, NetFlow, IP Source Tracker
[Figure: branch office, small branch, and small office & telecommuter connected over the Internet to the corporate office]

Business Requirements Analysis (D)
• Do you have a disaster recovery plan that includes your business-critical network services?
• Are you considering using IP VPN as a backup for Frame Relay / leased lines?
• Do you have a plan to protect your network infrastructure from DDoS attacks or targeted attacks?
If NO:
• Network downtime due to natural or man-made disasters impacts uninterrupted access to mission-critical applications
• Many businesses use IP VPN as a backup: flexible and cost-effective
• If you are migrating to broadband (xDSL), leverage existing dial/ISDN links for dial backup
• Check the case study and ROI analysis
If YES:
• Select the right Secure WAN bundle based on performance and services: it is less expensive to purchase the Cisco Secure WAN solution now than to upgrade later
• Schedule a demo of the appropriate Business Continuity solutions: dial backup, stateful failover, SRST, CPP, AutoSecure, SDM
Business Continuity Drivers (D): Industry Averages for Costs of Downtime
| Industry sector | Revenue/hour | Revenue/employee-hour |
| Energy | $2,817,846 | $569 |
| Telecommunications | $2,066,245 | $186 |
| Manufacturing | $1,610,654 | $134 |
| Financial institution | $1,495,134 | $1,079 |
| Insurance | $1,202,444 | $370 |
| Retail | $1,107,274 | $244 |
| Transportation | $668,586 | $107 |
| Average | $1,010,536 | $205 |
Source: META Group, April 2004
• Cost of downtime: $205 per employee-hour
• More than just revenue is impacted: impaired performance, damaged reputation, employee frustration

Business Continuity Case Study (D): Backup for Frame Relay Using VPN
Business problem
• Business continuity through VPN backup for the WAN
Real-life example
• Network Appliance: unified storage solutions
• Rapid growth: adding new offices, moving several large locations
• Needed the flexibility and security to use the connectivity options available at each site
Solution
• Field offices have direct WAN and ISP connections; if the WAN link goes down, traffic is re-routed to hub sites over the ISP link
• ISRs provide a single solution for T1/E1, DSL, cable and DS3
• Scales incrementally: multiple DS-3 links can be deployed to each router without replacing the router itself
• Built-in security and QoS

Network Foundation Protection (NFP)
A secure business must be built on a secure fabric
www.cisco.com/go/nfp
[Figure: the three pillars of Cisco Network Foundation Protection]
• Infrastructure control (device protection): lock down the network device and protect services
• Performance protection: protect traffic through the device; the device remains operational even under attack
• Network lockdown (system-wide protection): proactively mitigate against network attacks
Hardened devices, connected to deliver system-wide security
53 NFP – Maintaining Network Availability During DDoS Attacks

Control Plane Policing
Protects access to the control plane, even during DDoS attacks. Monitors packets and increases infrastructure reliability and availability.

NetFlow monitoring
Provides early warning, while visibility into traffic flows helps you optimize network availability.

Out-of-band management
Ensures access despite DoS attacks or congestion.

Network-Based Application Recognition (NBAR)
Helps identify worms and other attacks by tracking Layer 4–7 applications and protocols.

Role-based CLI Access
Provides partitioned, non-hierarchical access to CLI commands for secure, logical separation of router users (e.g. NetOps and SecOps).

[Diagram: Branch VPN Router – Internet – Internet Router – Corporate Headquarters, with a NetFlow Collector or NAM]

54 Summary

55 Cisco Security Routers – Solving Enterprise Network Security Needs

A Secure Connectivity
• Encrypted VPN connectivity between sites or partners
• Secure remote access for telecommuters
Router features: VPN

B Data & Identity Protection
• Perimeter defense
• Admission control
• Outbreak prevention
Router features: Application Firewall, Intrusion Prevention, Network Admission Control, URL Filtering

C Secure Voice & Wireless
• Convergence of Voice and Data services
• Integration of Wired and Wireless
Router features: IP Telephony, Wireless

D Business Continuity
• WAN backup
• Network foundation protection
Router features: Network Foundation Protection, WAN Backup

56 Summary
• Cisco Security Routers give you defense-in-depth network protection
• Invest in Security Bundles now
• Gain migration credit for existing equipment
www.cisco.com/go/routersecurity
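The Network Foundation Protection items on slide 48 (Control Plane Protection, SSHv2 for CLI, SDM for web-based management, Syslog and NetFlow) and the techniques on slide 53 (Control Plane Policing, NetFlow monitoring, role-based CLI access) correspond to a short block of IOS configuration. The following is an added example written for this page; it is not configuration from the deck or from Cisco documentation. The hostname, domain name, interface name, collector address, routing protocol (OSPF) and secrets are placeholders, and 10.0.99.0/24 is assumed to be the corporate management subnet.

```ios
! Added example for this page (not the deck's or Cisco's own configuration).
! Hostname, domain, interface, addresses, routing protocol and secrets are
! placeholders; 10.0.99.0/24 is assumed to be the management subnet.
!
hostname BRANCH-ISR
ip domain-name example.net
enable secret PLACEHOLDER-ENABLE-SECRET
!
! --- Control Plane Policing: bound what may reach the route processor so the
! --- router stays manageable and keeps its adjacencies during a flood.
ip access-list extended COPP-ROUTING
 remark routing adjacencies (assumed OSPF); policed but never dropped
 permit ospf any any
ip access-list extended COPP-MGMT
 remark SSH to the router from the management subnet only
 permit tcp 10.0.99.0 0.0.0.255 any eq 22
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! --- Secure management access: SSHv2 only, from the management subnet only.
! --- With aaa new-model a local user and login list are required, or the
! --- VTY lines lock you out.
aaa new-model
aaa authentication login default local
username netadmin secret PLACEHOLDER-USER-SECRET
ip access-list standard MGMT-HOSTS
 permit 10.0.99.0 0.0.0.255
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! --- SDM over HTTPS only; the plaintext HTTP server stays off.
no ip http server
ip http secure-server
!
! --- Role-based CLI: a NetOps view limited to read-only commands.
! --- Views are defined from the root view ('enable view' in exec mode).
parser view NETOPS
 secret 0 PLACEHOLDER-NETOPS-SECRET
 commands exec include show interfaces
 commands exec include show ip route
 commands exec include show logging
!
! --- Incident analysis: syslog and NetFlow v9 to a collector (placeholder address).
service timestamps log datetime msec localtime
logging host 10.0.99.10
logging trap informational
ip flow-export version 9
ip flow-export destination 10.0.99.10 2055
interface GigabitEthernet0/0
 description WAN uplink (placeholder interface name)
 ip flow ingress
```

The policer rates are illustrative, not a recommendation: class-default also catches non-IP control traffic such as ARP, so a rate set too low will break the router. The usual approach is to deploy the policy with exceed-action transmit on every class first, watch the conform/exceed counters in show policy-map control-plane for a few days of normal operation, and only then switch the exceed action to drop. show ip ssh and show parser view confirm the SSH version and the defined views.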
58 Secure WAN Bundles Summary – Cisco 800–3800 Routers

Bundles: Baseline Security Bundles (-SEC), High Performance Bundles (-HSEC), Secure Voice Bundles (-V3PN), Secure Wireless Bundles (W-AG)

Solution Sets
A Secure Connectivity: Site-to-Site VPN, Remote Access VPN, High-Performance VPN
B Data and Identity Protection: Perimeter Defense, Outbreak Prevention, Network Admission Control
C Secure Voice and Wireless: Voice Gateway, Call Manager Express; Wireless
D Business Continuity: WAN Backup, Network Foundation Protection

59 Secure WAN Bundles Summary – Cisco 7xxx Routers

Bundles: 7200 High Performance VPN Bundles, 7301 High Performance VPN Bundles, 7600 High Performance VPN Bundles

Solution Sets
A Secure Connectivity: Site-to-Site VPN, Remote Access VPN (WebVPNSM optional), High-Performance VPN
B Data & Identity Protection: Perimeter Defense (FWSM optional), Outbreak Prevention (IDSM2 optional), Network Admission Control (7200: optional upgrade?; 7301: optional upgrade?; 7600: —)
C Secure Voice & Wireless: Voice Gateway, Call Manager Express
D Business Continuity: WAN Backup, Network Foundation Protection

60 Award-Winning ISRs

Network Computing 2005 Well Connected Awards – Product of the Year: Cisco Systems 2800 and 3800 Series
“…Cisco's new 3800 Series ISRs are products to "DIE" for this year… designed with security and voice over IP, firewall, QoS, intrusion detection and call processing all without compromising performance.”
Product of the Year!
Network Magazine 2005 Innovations Awards – Network Hardware Product Breakthrough: Cisco Systems Integrated Services Routers
“The combination of routing, switching, firewalling, NAT, intrusion prevention, (NAC), and encryption capabilities, coupled with its ability to provide a host of telephony services and voice mail, makes the ISR our choice … ”

CRN 2005 Channel Champions Award in Routing and Switching
“For partners, the introduction of Cisco’s Integrated Services Router platform … has been significant. “…very few vendors …are offering solutions that fundamentally change the way companies do business,” (Ron Temske of Localis) said. “But Cisco does.”

Interop Tokyo 2005 Best of Show – Cisco Systems 1812JW
“1812 JW integrates various security features -- such as firewall, VPN, IPS -- into one box, with excellent cost performance. Designed to have the required features and price to meet Japanese users’ needs, we see Cisco Japan's efforts and commitment to capture Japan market.”

61 Cisco Security Management Suite (Integrated)

Device Manager (SDM)
• Quickest way to set up a device
• Wizards to configure FW, IPS, VPN, QoS and Wireless
• Configures all device parameters
• Ships with device

Cisco Security Manager
• New solution for configuring routers, appliances, switches and endpoints
• New user-centered design
• New levels of scalability

Cisco Security MARS
• Solution for monitoring and mitigation
• Uses control capabilities within infrastructure to eliminate attacks
• Visualizes attack paths

Cisco Security Auditor
• Today auditing is highly manual and costly
• Automated solution to audit against predefined best-practice policies
• Identifies violations and provides recommendations