Cisco Security Routers
Protecting your business while reducing costs
Draft 1 v1
Session Number
Presentation_ID
© 2005 Cisco Systems, Inc. All rights reserved.
1
Security Trends
Attacks on the Rise, Cause Substantial Damage
• 95% of respondents detected at least 10 web site security incidents in 2005*
• Losses due to theft of proprietary information doubled in the past 12 months to $355K per incident*
Security is the highest spending priority for CIOs
• 58% of CIOs expect spending increases in security over the next 12 months†
* CSI/FBI Security Study, 2005
† Deutsche Bank February CIO Poll, March 2005
Defending Business Operations
[Figure: business services (E-Mail, Wireless, Audio Conferencing, Calendar, Voice Messaging, Web Application, IP Telephony, Instant Messaging, IP Network) surrounded by the threats they face: Theft of Customer Data, Mandatory Disclosure, Corporate Espionage, Extortion, Organized Crime, Blackmail, Fraud, Scams, Information Harvesting]
Typical Network Requirements
Business Services Need Continuous Connectivity, Requiring the Network to be Secure and Available
A. Secure Connectivity
• Encrypted VPN between sites or partners
• Encrypted POS
• Secure remote access
B. Data & Identity Protection
• Perimeter defense
• Outbreak prevention
• Admission control
C. Secure Voice & Wireless
• Convergence of Voice and Data services
• Integration of Wired and Wireless
D. Business Continuity
• WAN backup
• Network foundation protection
Security Integrated Into the Network
“The top emerging technology trend, regardless of site type or time frame, is the integration of security features like firewall, VPN, IDS, etc into routers.”
Infonetics, 2005
[Figure: services integrated into Cisco Security Routers, “All-In-One Security for the WAN”: VPN, Application Firewall, Intrusion Prevention, Network Admission Control, URL Filtering, IP Telephony, Wireless, Network Foundation Protection, WAN Backup]
Cisco Security Routers—Driving Industry Growth Through Value
“Worldwide VPN and Firewall growth was again driven by Cisco’s strength in hardware secure routers (up 25% this quarter)”
Infonetics Research, 2005
• Security integrated into the network infrastructure → Extends value of network
• Industry leading VPN connectivity, high-performance → Enables new applications
• Continual integration of Advanced Technologies (e.g. Voice, Wireless, SSL VPN, NAC, Outbreak Prevention) → Future proof investment
• High market acceptance—millions of units deployed, fastest growing, largest network security segment → Low technology adoption risk
• Single device to configure and manage → Reduces complexity, OpEx
Cisco Security Router Portfolio
[Figure: portfolio positioned by WAN aggregation and by performance and services density, spanning Head Office, Branch Office, Small Branch, SMB, and Small Office and Teleworker deployments]
• 7600 Series and 7200 Series: WAN Aggregation; Feature Breadth and Scale at Highest Performance
Integrated Services Routers:
• 3800 Series: High Density and Performance for Concurrent Services
• 2800 Series: Embedded, Advanced Voice, Video, Data and Security Services
• 1800 Series and 800 Series: Embedded Wireless, Security and Data
Cisco 7200 and 7301 Routers
Enterprise Head-End and SP-Edge with Security Services
• Cisco 7200 Series: Up to OC3 performance with integrated services
• Cisco 7301: 1RU platform with onboard GE
• Target: Enterprise core and Service Provider edge
• Diverse deployment applications: WAN aggregation, Managed Security, IBM datacenter, SAA management, Broadband aggregation, MPLS PE, and Route Reflector
• Modular engine options for improved performance
• Onboard GE, High-density Port Adapters (supported across Cisco 7000 portfolio)
• Hot swappable interfaces, Redundant power
• Cisco IOS T, S and Mainline release support
Release options to meet cutting-edge enterprise features or stability as key requirements
New! SA-VAM2+
• Hardware acceleration for AES wide keys (192 – 256 bit)
• Provides >260 Mbps 3DES
• Up to 5000 IPSec tunnels
• Hardware accelerated IPPCP compression
Cisco Integrated Security Architecture
Integrated Hardware Security Services
Built-in VPN acceleration
• High-performance crypto offload
• 3DES/AES encryption
• 4x faster than previous platforms
Secure voice
• PVDM modules
• Support for SRTP
High-performance AIM
• Optional AIM-VPN PLUS
• 3DES, AES, and compression
• 10x faster than previous platforms
USB port
• Removable
• Secure credentials
[Figure: common hardware architecture block diagram with Power + 802.3af, GE ports, HWIC, VPN AIM, AIM, USB, EVM and NME slots]
Common Hardware Architecture – Modular Design – Investment Protection
Cisco ISR – Integrated Wireless Access
Optimized for Secure Mobility
Integrated Wireless Access for 1841, 2800, 3800
Cisco 850 Series
• Stateful Firewall and VPN
• 4-port 10/100 switch
• 802.11b/g option, single fixed antenna
Cisco 870 Series
• Higher performance
• Stateful Firewall, VPN, IPS, Antivirus, NAC
• 802.11b/g option, multiple antennas
• Advanced QoS features
• 4-port 10/100 managed switch
• Up to 3 VLANs
Cisco 1800 Series (Fixed Configuration)
• Wire Speed Performance
• Stateful Firewall, VPN, IPS, Antivirus, NAC
• Integrated back up port for redundant WAN links and load balancing
• 802.11a and 802.11b/g option, multiple antennas
• 8-port 10/100 managed switch, internal power supply, optional internal POE
• Up to 8 VLANs
Deploy Security On Your Routers Up Front
Reduce Costs, Worries
Choose Cisco Security Router Bundles
• Proactive measure to protect your network
• Set up secure foundation for voice, wireless deployment
• Bundle discounts provide compelling ROI to buy security now versus adding later
• Migration programs offer credit towards Cisco and competitive equipment
Cisco Security Router – Solutions
Secure Connectivity (A)
Business Requirements
• Encrypted VPN connectivity between sites or partners
• Secure remote access
• Encrypted Point-of-Sale transactions
[Figure: Corporate Office connected over the Internet to Branch Office, Small Branch, and Small Office & Telecommuter sites via Site-to-Site, High-Performance and Remote Access VPN]
Site-to-Site VPN: Interconnect branch offices over IP
• Network intelligence (routing, QoS, multicast) enables Voice, Video & Data
• Centralized cookie-cutter configuration (Easy VPN)
• Scalable full / partial mesh (DMVPN)
• Simplified PKI deployment (CA Server, USB eTokens)
Remote Access VPN: Hardware VPN for small offices & telecommuters; Software VPN for mobile users
• Full service network access with centralized policy-based management (Easy VPN)
• Clientless secure access (SSL VPN)
High-Performance VPN: For larger sites including head office aggregation
• High performance and resiliency for larger sites
• Strongest encryption (hardware-accelerated AES)
Business Requirements Analysis (A)
• Have you reviewed on-going costs of Leased Line or Frame Relay links?
• Are you considering migrating to VPN?
• Is your business regulated by HIPAA, SOX, EU Directive 95/46?
• Are you planning to offer secure remote access to employees or partners?
NO
• Many businesses are migrating for cost savings and/or broadband performance
Show Case Study and ROI analysis
• Businesses need encryption to ensure compliance with legislation, with external entities and internally between buildings or groups
YES
• Select a Secure WAN bundle based on performance and services
Less expensive to purchase the Cisco Secure WAN solution now, versus upgrading later
• Schedule a demo of appropriate VPN solutions
EZ VPN, DMVPN, SSL VPN
Compelling ROI for VPN Migration (A)
Before – Frame Relay
• 1.5M (512k CIR) port speed
• 30 sites
• 10% mesh ~ 2 PVCs per site
• Access Charge/Site = $4,354
• Management = $635
• Total Branch Access = $4,989
• Head End Access = $10,800
• Total Cost/month (80%) = $124,384
After – IP VPN
• 1.5M port speed
• 30 sites
• Cost of 2811 x 29 sites = $78,800
• Cost of 3845 head-end = $12,700
• Total Nonrecurring Cost = $91,500
• Access Charge/Site = $1,420
• Management = $550
• Total Branch Access = $1,970
• Head End Access = $10,800
• Total Cost per month = $67,930
$56K Per Month Savings
Equipment Paid Off in 2 Months
High Performance Security Bundles TCO (A)
Cheaper to Buy Now vs. Later
• CapEx savings alone $2,000 - $10,000
• Additional OpEx savings (typically 10-50% price of platform) not included above
Secure Connectivity Case Study (A)—Data Encryption for Frame Relay or Leased Lines
Business Problem
• Reduce risk of exposing customer data (e.g. credit card), avoid painful disclosure and negative publicity
Real-Life Example
• Online retailer with WAN connectivity via Frame Relay
• Their Service Provider mis-provisioned a DLCI change
• Another company’s network overlapped into their network…
• Notification of Risk to Personal Data (NORPDA) mandates that all customers be notified of breach
Solution
• Customer now encrypts all traffic over their WAN
Un-encrypted traffic is denied entrance to their FR network
• Ensures security of customer data
Why AES?
                      AES                        3DES
Type of Algorithm     Symmetric, block cipher    Symmetric, Feistel cipher
Key Size (in bits)    128, 192, 256              112 or 168
Time to Crack*        149 trillion years         4.6 billion years
* Assume a machine could try 2^55 keys per second – NIST
• The Secretary of Commerce approved the adoption of the AES as an official Government standard, effective May 26, 2002
• US Federal Government and other large Enterprise and Service Provider customers are migrating their 3DES IPSec to AES
• AES is designed to replace DES / 3DES
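Worked derivation of the table's time-to-crack figures, added here (not part of the original slides), using the slide's assumed rate of 2^55 keys per second and one year ≈ 3.156 × 10^7 s:

$$T_{\text{AES-128}} = \frac{2^{128}/2}{2^{55}\ \text{keys/s}} = 2^{72}\ \text{s} \approx 4.72\times10^{21}\ \text{s} \approx 1.50\times10^{14}\ \text{years}$$

$$T_{\text{3DES}} = \frac{2^{112}}{2^{55}\ \text{keys/s}} = 2^{57}\ \text{s} \approx 1.44\times10^{17}\ \text{s} \approx 4.57\times10^{9}\ \text{years}$$

The first line reproduces the 149 trillion years in the table as the expected search time (half the keyspace) for a 128-bit key; the second reproduces the 4.6 billion years as an exhaustive search of 2^112 keys, which is the effective strength of three-key 3DES once the meet-in-the-middle attack is taken into account (so the 168-bit figure in the key-size row overstates its security). The 192- and 256-bit AES keys raise the first figure by a further factor of 2^64 and 2^128 respectively.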
Dynamic Multipoint VPN and VoIP
Auto-meshing with Dynamic Routing
[Figure: hub with a static public IP address; Site 1, Site 2 and Site n spokes with dynamic (or static) public IP addresses; each spoke keeps a dynamic, permanent tunnel to the hub (spoke-to-hub) and builds on-demand tunnels spoke-to-spoke]
Call setup from Site 1 to Site 2:
1. Site 1 places a call to Site 2
2. Site 1 asks the hub: Where is 2?
3. The hub sends Site 2’s public IP address to Site 1
4. An on-demand spoke-to-spoke tunnel is built directly between Site 1 and Site 2
5. Site 2 rings
• Reduced latency and jitter
• Improved performance
• Increased scalability
• Easy to deploy and maintain
IPSEC+GRE vs DMVPN Hub to Spoke
FEATURE                                              IPSEC+GRE   DMVPN
All traffic must go via the hub                      ✓           ✓
Easy to Deploy                                       ✓           ✓
Small Hub Configuration Files                        ✗           ✓
NO Hub provisioning for new spokes                   ✗           ✓
Easy Configuration of dynamically addressed CPE      ✗           ✓
DMVPN Hub to Spoke Benefits
+ Simplified and Smaller Configs for Hub and Spoke
+ Zero touch provisioning for adding spokes to the VPN
+ Easily supports dynamically addressed CPEs
IPSEC+GRE vs DMVPN Spoke to Spoke
Static Full Mesh vs Virtual Full Mesh
FEATURE                                              IPSEC+GRE   DMVPN
Direct spoke to spoke tunnels                        ✓           ✓
Connections to all the nodes with smaller spoke CPE  ✗           ✓
Provisioning for adding a new node                   ✗           ✓
Scaling and support of a FULL mesh                   ✗           ✓
DMVPN Spoke to Spoke Benefits
+ On demand spoke to spoke tunnels – avoids dual encrypts/decrypts
+ Smaller spoke CPE can participate in the virtual full mesh
Dynamic Multipoint VPN – Benefits
• Simplified configuration
Spokes use a proven registration protocol to connect to the hubs, then dynamic routing builds the network topology automatically
Configuration files are much smaller and easy to manage
No new hub provisioning for each new spoke added – zero touch for lower admin costs and higher up-time
• Complete application (multicast/QoS) and authentication support
• Coming soon: Dynamic VPN creation between spoke routers based on user traffic
EasyVPN - Overview
[Figure: Central Site connected over the Internet to a Branch Office and to a Home Office; legend: Cisco VPN S/W Client on PC/MAC/Unix]
• Remote device contacts central-site router/concentrator, and provides authentication credentials.
• If credentials are valid, central-site “pushes” configuration data securely to the remote device and VPN is established.
IPSec Virtual Tunnel Interface (VTI)
• Simplifies VPN configuration by eliminating crypto maps, ACLs, GRE
• Simplifies VPN design: 1:1 relationship between tunnels and sites with a dedicated logical interface
• More scalable alternative to GRE (Generic Routing Encapsulation) for VPN tunnel creation
• VTI can support QoS, Multicast, and other routing functions that previously required GRE
• Improves VPN interoperability with other vendors
[Figure: two sites, 192.168.1.0/24 and 192.168.2.0/24, connected by Tunnel 0 addressed from 192.168.100.0/30 (.1 and .2); each LAN gateway is .1]
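IPsec VTI configuration for the two routers in the diagram above, added as an example (not from the original deck): Tunnel 0 is addressed from 192.168.100.0/30 and the LANs are 192.168.1.0/24 and 192.168.2.0/24 as on the slide; the public addresses 203.0.113.1 and 198.51.100.1, interface and profile names and the pre-shared-key placeholder are assumptions, and the syntax is Cisco IOS 12.4T-era.

```cisco
! ===== Router 1: LAN 192.168.1.0/24, public IP 203.0.113.1 (assumed) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 description IPsec VTI to Router 2: one tunnel, one site, one logical interface
 ip address 192.168.100.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! The routing table, not a crypto ACL, decides what is encrypted: anything
! routed out Tunnel0 is protected by the profile bound to the interface.
! QoS service policies and multicast routing attach to Tunnel0 like any other.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ===== Router 2: LAN 192.168.2.0/24, public IP 198.51.100.1 (assumed) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface GigabitEthernet0/0
 description Internet
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
 description IPsec VTI to Router 1
 ip address 192.168.100.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! Verify: show crypto session, show interface Tunnel0
```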
Easy VPN IPSec Remote Access
Dynamic Policy Push for Scalable Services
[Figure: Teleworker / Small Branch Office and Mobile Workers connecting over VPN to the Central HQ Site; Cisco Easy VPN Server on Central Site 6500 or 7600 with VPNSM]
VPN functions are assigned IKE Mode Config Attributes; several parameters at once
Policy Attributes Pushed Today
• Dynamic VPN IP Address (via Pool)
• Internal NetMask
• Internal DNS and WINS Servers
• Split tunnel mode
New Attributes Pushed starting in IOS 12.2(18)SXD
• Static VPN IP Address via RADIUS
• Idle Timeouts
• Split DNS
• Max tunnels per VPN Group
• VPN Group Lock
• Personal Firewall (Are You There) Check
• Include Local LAN
• Save Password Control
• Backup Head-End GW List
• Per User AAA Attributes
Benefits
• Support dynamic connections with VPN
• Enable small or large deployments without user intervention
• Enforce consistent VPN Policy on all remote devices
• Interoperability across Cisco access and security devices
• No head end changes when adding extra devices
• Cisco VPN Client is the only FIPS certified client in the industry!
Cisco IOS PKI Certificate Server
• Router can now be Certificate Authority Server (CA)
Eliminates complexity of installing separate PKI/CA Server
• Key Rollover for Certificate Renewal
Allows the certificate renewal request to be made before certificate expires
• Easy VPN now works with PKI Certificates
Can use Cisco IOS CA server for enrollment
[Figure: CA Server at Corporate Headquarters enrolling Branch Offices A, B and C over the Internet]
USB Secure Token & Flash Storage
Integrated USB Ports (Integrated Services Routers)
Support for Secure Token and FLASH Memory
1. Simplified Provisioning
• Zero-touch Deployment
2. Distribution and Storage of VPN credentials
• Easy to provision and distribute encryption keys
• Encryption keys are securely stored and removable
3. Bulk Flash for image distribution/storage
• Alternative to Compact Flash deployment
2 USB Ports: 3800, 2851, 2821, 2811, 1811, 1812, 871
1 USB Port: 2801, 1841
Available from Aladdin
Data & Identity Protection (B)
Business Requirements
• Defend against worms, viruses, trojans, hacks
• Enforce policy-based control to network assets
• Segregate network assets into trusted & untrusted zones
[Figure: Corporate Office connected over the Internet to Branch Office, Small Branch, and Small Office & Telecommuter sites, each protected by Perimeter Defense, Outbreak Prevention and Identity & Controlled Access]
Perimeter Defense
• Policy Firewall (L3)
• Transparent Firewall (L2)
• Application Firewall (L4-7)
• Intrusion Prevention
• Application-aware inspection and defense against port 80, IM, P2P misuse
Outbreak Prevention
• Distributed Threat Mitigation
• Incident Control
• Network-based protection against virus/worm/trojans and other threats
• Distributed protection across entire network at minimum cost
• Rapid response to emerging threats
Controlled Access
• Network Admission Control
• URL Filtering
• Port-Level Security (802.1x)
• Controls who/what gets access to the network and what they can do
• Detects and isolates noncompliant devices
Business Requirements Analysis (B)
• Need perimeter protection against worms, viruses and trojans?
• Concerned with unauthorized access, security posture of laptops & PCs?
• Need to comply with information privacy laws e.g. SOX, HIPAA, EU Directive 95/46?
• Required to enforce Internet surfing policies, prevent illegal downloads?
NO
• Mitigating infections at the perimeter conserves WAN bandwidth, allows faster response
• Companies need to protect their customer records and privacy to pass security audits
• URL filtering monitors and enforces surfing policies, reduces legal risks
• Check case study and ROI analysis
YES
• Select the right Secure WAN bundle
Less expensive to purchase the Cisco Secure WAN solution now, versus upgrading later
• Schedule a demo of the appropriate Data & Identity Protection solutions
Application firewall, IPS, DTM, NAC, URL filtering
Data & Identity Protection Drivers—Loss of Data, Time (B)
The Total Cost of a Major Security Incident*
Type of Cost                      Cost / Time
Disruption to business            $93,850 – $281,550 (1 – 3 days)
Time spent responding             $5,631 – $11,262 (10 – 20 man days)
Direct cash spent responding      $9,385 – $18,770
Direct financial loss             $3,754 – $7,508
Damage to reputation              $9,385 – $37,540
Total cost                        $122,000 – $356,630
* Source: UK Study, 2004
Annual Loss from Unauthorized Access to Information**
Survey Year    Loss per respondent
2005           $303,234
2004           $51,545
2003           $12,592
** Source: CSI/FBI Computer Crime and Security Surveys, Morgan Stanley Research
Data & Identity Protection Drivers—Legislation (B)
• Sarbanes-Oxley, Section 404
Severe CEO / Corporate penalties for non-compliance
• Health Insurance Portability & Accountability Act (HIPAA)
Affects health care
Up to $250,000 in fines and 5 years in Jail – per violation
• Gramm-Leach-Bliley Act (GLBA)
Affects financial services
CIO Level Staff can be held personally liable plus penalties and class action suits
• Notification of Risk to Personal Data Act (NORPDA)
ALL customers must be notified of breach
• SB1386 (California)
ALL customers must be notified of breach
Data & Identity Protection Case Study (B)
Business Problem
• Compliance with government regulations
Real-Life Example
• Infineon – Large global semiconductor Enterprise
• Required maximum security for Intellectual Property
Solution
• Network security integration, low OpEx
Single chassis Catalyst 6500 for VPN, Security, Routing, Switching
• IPSec VPN over LAN and encrypted multicast
IPSec VPN Shared Port Adapter
AES encryption in line with federal and government agency standards
• High performance data security, wireless
Service Modules for Firewall, Intrusion Detection, Network Analysis, WLAN
Cisco IOS IPS
New Features and Engines – All Inline!
• Router-based IPS enables broadly-deployed worm and threat mitigation services -- even to remote branch offices
• String Engines enable custom matching of any string in the packet
– Customize signatures for quick reaction to new threats
– TCP String, UDP String, ICMP String, Trend Micro
• 400 worm and attack signatures added – an ever-increasing number of signatures from which to dynamically select
• Supports Trend Micro Signatures
Companies Are Opening Port 80
Attacks Enter Through Web-enabled Applications
[Figure: Internal Users reaching the Internet through Port 80 – HTTP; survey shares shown: Internet access 98%, rich media 43%, IM traffic 43%, web enabled apps / web services 55%, Port 80 43%]
64% of enterprises have opened Port 80 on their firewalls for their growing web application traffic
Source: Aug 2002 InfoWorld/Network Computing survey of IT Professionals
“…75% of successful attacks against Web servers are entering through applications and not at the network level.”
John Pescatore, VP and Research Director, Gartner, June 2002.
Cisco IOS Firewall
Advanced Application Inspection and Control
[Figure: packets arriving at the Corporate Office server farm claiming “I am email traffic… honest!” (payload on port 25) and “I am http web traffic… honest!” (payload on port 80)]
HTTP Inspection Engine
• Delivers application level control through inspection of port 80 tunneled traffic
Convergence of Cisco IOS Firewall and Inline IPS technologies
• Control port 80 misuse by rogue apps that hide traffic inside http to avoid scrutiny
Example: Instant messaging and peer-to-peer applications such as Kazaa
Email Inspection Engine
• Control misuse of email protocols
• SMTP, ESMTP, IMAP, POP inspection engines
Inspection Engines provide protocol anomaly detection services
Integrated Content Security
URL Filtering and Content Engine Network Module
Cisco IOS URL Filtering
- Integrated with Cisco IOS Firewall
- Supports Websense and N2H2 Web filtering clients
- Works with external Websense and N2H2 servers
- Static “good” list / “bad” list URL filtering in IOS
NM-CE Content Engine Network Module
- Internet Proxy Cache
- URL Filtering Application Server
- Pre-loaded OEM Websense and Smartfilter filtering applications
- Enforces Application Use Policy
- Traffic logging and reporting
- Anti-Virus Gateway (ICAP) to scan, clean, and cache Web content
[Figure: Branch Office with NM-CE connected by IPSEC TUNNEL to Corporate Headquarters servers; URL Database for NM-CE and URL Database for IOS FW; a request to www.hackershomepage.com is blocked]
Cisco IOS Virtualized Services
VRF-Aware “Virtual” Firewall & IPsec “Virtual” Interface
VRF-Aware “Virtual” Firewall
[Figure: Cisco IOS FW separating Engineering and Accounting contexts on the Corporate LAN from the Internet]
• VRF supports multiple independent contexts (addressing, routing and interfaces) at the branch location for separation of departments, subsidiaries, or customers
• VRF-Aware FW allows customers to add FW to the list of services available at the individual context level
IPsec “Virtual” Interface
[Figure: Tunnel 0 between .1 and .2 across the Internet]
• Simplified IPsec VPN configuration and design (Network-aware IPsec)
• Easier and scalable management, and faster deployment of IPsec technology
• Enhanced support for V3PN applications through Multicast, QoS and Routing support
802.1x Identity Authentication Support
• Support for 802.1x Authentication
New 4 & 9 Port EtherSwitch HWIC and current 16 and 36 Port NM all Support 802.1x AND Power over Ethernet (POE)
All new router Ethernet ports also support 802.1x
• Survivable Remote User Authentication
HWIC-ESW: 4 and 9 port Hi-Speed WAN Interface Card
NM-ESW: 16 and 36 ports of 10/100 Ethernet
[Figure: 802.1x Identity Enforcement – Branch Router with 4 Port EtherSwitch and Branch Router with 802.1x authenticating users against the AAA Server at Corporate Headquarters across the network]
Network Admission Control (NAC)
Delivering Collaborative Security Systems
NAC Solution: Leverages the network to intelligently enforce access privileges based on endpoint security posture
[Figure: Hosts attempting network access (running the Cisco Trust Agent) present credentials to a 3800, 2800, 1800, or 800 router; the router relays the credentials over RADIUS to the decision points, the Policy (AAA) Server and Vendor Server, which answer “Comply?” with access rights; the router enforces them and the host is notified]
Coalition of market-leading vendors
www.cisco.com/go/nac
• Focused on limiting damage from viruses and worms
• Limits network access to compliant, trusted endpoints
• Restricts network access by noncompliant devices
• Supports multiple AV vendors & Cisco Security Agent
• The 3800, 2800, and 1800 Security Bundles ship with NAC capability
Secure Voice and Wireless (C)
Business Requirements
• Security & convergence of Voice and Data services
• Security & integration of Wired and Wireless
[Figure: site with IP Phones, POS Registers, IP Video, Employee Mobility and Guest Access wireless, connected to the Internet and PSTN]
Secure Voice
• Business ready voice: local call processing & audio conferencing (CCME)
• High-performance encrypted voice and video (V3PN)
• Security for voice and data applications (Policy Firewall)
• Reduced TCO (Toll-bypass, network/equipment consolidation)
• Integrated IP-PBX and PSTN gateway
• Voice, video & data over VPN
Secure Wireless
• Dual-band wireless (802.11 a, b/g)
• Public wireless hotspot
• Extensive wireless security (.1x, WPA, EAP-TLS, TKIP)
• Integrated wired/wireless (VLANs, QoS)
• Reduced infrastructure cost (inline power EtherSwitch)
Increased ROI with Secure Voice – Example (C)
Before – 17XX & 26XX
No. IP Telephony Users              24       32
FXS (trunks)                        6        8
FXO (trunks)                        10       12
CCME/SRST License                   36       48
CUE (Voice Mail/AA)                 18       24
Conferencing/Transcoding            4/4      6/6
Typical Router for Data             1760     2611
Platform Needed with IPT            3725     3745
Price of Base Chassis               $8500    $12,000
Price per Seat (for Chassis)        $354     $372
After – 2800 ISR (Same Requirements)
Integrated Service Router           2811     2821
Price of V3PN Bundle                $2,495   $3,895
Price per Seat (for Chassis)        $103     $121
CapEx Reduced 3x
OpEx Reduced Due to Single Box Solution
Secure Voice (V3PN) Bundles TCO (C)
Cheaper to Buy Now vs. Later
• V3PN Bundles include:
Router, AIM-VPNII PLUS, DSPs
Cisco IOS Advanced IP Services Feature Set
Cisco Call Manager Express, Voice Mail (Optional)
The ROI of Wireless (C)
The Business Benefits: 2003 NOP Study Shows Rise in Productivity from 2001 Study
                                            2001                    2003
End-User Average Network Connection Time    1¾ Hours More per Day   3½ Hours per Day
Average Daily Time Savings                  70 Minutes              90 Minutes
End-User Productivity                       +23%                    +27%
Value of Time Saved per Employee            $7K                     $14K
Source: NOP World Technology, Sep 2001 and 2003
Business Requirements Analysis (C)
• Are you considering IP Communication applications at your campus or branch office?
• Do you need Wireless Access for employees, guests, customers?
• Do you plan to reduce telecom costs by consolidating voice and WAN links?
NO
• Many businesses are implementing IP Telephony and Wireless services for cost savings and improved productivity
Check Case Study and ROI analysis
• Existing investment in voice and WLAN equipment could be further leveraged through consolidation of separate networks onto ISRs
YES
• For voice, consider V3PN bundles—high application performance & resiliency
Less expensive to purchase Secure WAN bundle now, versus upgrading later
• Schedule a demo of Secure Voice & Wireless solutions
Secure Voice Case Study (C)
Business Problem
• Secure voice & data for remote sites
Real-Life Example
• ePlus – Financial solutions & enterprise software
• Needed to unify dispersed nationwide workforce
Solution
• Voice functions integrated into Cisco ISRs
Replaced 35 disparate phone systems
Now employees reach co-workers anywhere with four-digit extension
• Connectivity costs cut by $840K per year by migrating from Frame Relay to DMVPN
• Future video conferencing, content caching, intrusion prevention and NAC services
• Quick business expansion – cookie-cutter deployment, phones for new sites up in 2 hours
“The Cisco ISRs allow us to centralize everything into a router. By the time we have completed our deployment, we will have doubled …our organization, while reducing maintenance and circuit costs.”
Chris Fairbanks, Principal Network Architect, ePlus Inc.
V3PN: Secured Site-to-Site Multi-Service VPN Based on GRE/IPSec
Delivering voice and video over an IPSec VPN requires more than just encrypting RTP packets
Cisco IOS VPN Routers provide:
• Reliable voice quality in network congestion
Voice-centric QoS w/ IPSec – basic queuing alone does not ensure voice and video quality
• Support for multicast voice and video applications
IPSec can break multicast IP Telephony and Video applications
• Resiliency at all points in the network
Telephony and VPN resiliency at all sites
• Cisco Powered Network “IP VPN-Multiservice” designation for V3PN
Ensures quality for enterprises
Business Continuity (D)
Business Requirements
• Uninterrupted operation of business-critical applications
• Network must stay up in the face of attacks & disasters
[Figure: Corporate Office connected over the Internet to Branch Office, Small Branch, and Small Office & Telecommuter sites, each with WAN Backup and Network Foundation Protection]
WAN Backup
• Backup VPN over Broadband (DSL, Cable) or Dial (PSTN, ISDN)
• Head-end redundancy
• Survivable remote telephony
• Seamless recovery from link failures
• Stateful head-end failover minimizes application interruption
• Independent remote site telephony operation during disasters (SRST)
Network Foundation Protection
• Device availability
Control Plane Protection, AutoSecure, rate limiting
• DDoS protection
• Secure management access
• Secure remote management
SSL, SSHv2 for CLI
SDM for web-based
• Forensics
• Security incident analysis
Syslog, NetFlow, IP Source Tracker
Business Requirements Analysis (D)
• Do you have a disaster recovery plan that includes your business critical network services?
• Are you considering using IP VPN as a backup for Frame Relay / Leased Lines?
• Do you have a plan to protect your network infrastructure from DDoS attacks, or targeted attacks?
NO
• Network downtime due to natural or man-made disasters impacts uninterrupted access to mission-critical applications
• Many businesses use IP VPN as a backup – flexible and cost-effective
• If you are migrating to Broadband (xDSL), leverage existing Dial/ISDN links for Dial backup
• Check Case Study and ROI analysis
YES
• Select the right Secure WAN bundle based on performance and services
Less expensive to purchase the Cisco Secure WAN solution now, versus upgrading later
• Schedule a demo of appropriate Business Continuity solutions
Dial backup, Stateful failover, SRST, CPP, AutoSecure, SDM
Business Continuity Drivers—Industry Averages for Costs of Downtime (D)
Industry Sector          Revenue/Hour    Revenue/Employee-Hour
Energy                   $2,817,846      $569
Telecommunications       $2,066,245      $186
Manufacturing            $1,610,654      $134
Financial institution    $1,495,134      $1,079
Insurance                $1,202,444      $370
Retail                   $1,107,274      $244
Transportation           $668,586        $107
Average                  $1,010,536      $205
• Cost of downtime: $205 per employee hour
• More than just revenue impacted: Damaged reputation, Employee frustration, Impaired performance
Source: META Group, April 2004
Business Continuity Case Study
D: Backup for Frame Relay Using VPN
Business Problem
• Business continuity through VPN backup for WAN
Real-Life Example
• Network Appliance – Unified storage solutions
• Rapid growth – Adding new offices, moving several large locations
• Needed flexibility and security to use connectivity options available at each site
Solution
• Field offices have direct WAN and ISP connections; if the WAN link goes down, traffic is re-routed to hub sites over the ISP link
• ISRs provide a single solution for T1/E1, DSL, Cable and DS3
• Scales incrementally – can deploy multiple DS-3 links to each router without having to replace the router itself
• Built-in Security and QoS
Network Foundation Protection (NFP)
Secure Business Must be Built on a Secure Fabric
www.cisco.com/go/nfp

[Diagram: Cisco Network Foundation Protection, spanning Device Protection and System-Wide Protection through Network Lockdown, Performance Protection and Infrastructure Control: lock down the network device and protect services; protect traffic through the device; device remains operational even under attack; proactively mitigate against network attacks]

Hardened Devices Connected to Deliver System-Wide Security
NFP - Maintaining Network Availability During DDoS Attacks
• Control Plane Policing: Protects access to the control plane, even during DDoS attacks. Monitors packets and increases infrastructure reliability and availability.
• NetFlow monitoring: Provides early warning, while visibility on traffic flows helps you optimize network availability.
• Out-of-band management: Ensures access despite DoS attacks or congestion.
• Network-Based Application Recognition (NBAR): Helps identify worms and other attacks by tracking Layer 4-7 applications and protocols.
• Role-based CLI Access: Provides partitioned, non-hierarchical access to CLI commands for secure, logical separation of router users (e.g. NetOps and SecOps).

[Diagram: Branch VPN Router and Corporate Headquarters Router connected across the Internet, exporting to a NetFlow Collector or NAM]
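The slides name Control Plane Policing, NetFlow monitoring, role-based CLI access and SSHv2 management access but show no configuration. The following is an added example of how those four items look on a Cisco IOS router; it is not taken from the presentation or from a Cisco reference configuration. The hostname, domain, management subnet (10.10.0.0/24), collector address, policing rates and view password are assumptions for illustration, and the rates in particular must be sized for the platform and routing protocols in use.

```ios
! Added example, not from the presentation. Applies the NFP items on the
! slide: SSHv2-only management, Control Plane Policing, NetFlow export and
! a role-based CLI view. Addresses, names and rates are assumptions.
!
! --- Secure management access: SSHv2 only on the VTY lines ---
hostname branch-rtr
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
! --- Control Plane Policing: rate-limit traffic punted to the router CPU ---
ip access-list extended COPP-MGMT
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
ip access-list extended COPP-ROUTING
 permit ospf any any
!
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
!
policy-map COPP-POLICY
 ! routing protocol traffic is measured but never dropped, so adjacencies
 ! survive a flood; everything else is capped so the CPU stays reachable
 class COPP-ROUTING
  police 256000 8000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 128000 8000 conform-action transmit exceed-action drop
 class class-default
  police 64000 4000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! --- NetFlow export: feeds the collector that gives early warning of floods ---
ip flow-export version 5
ip flow-export destination 10.10.0.50 2055
interface GigabitEthernet0/0
 ip flow ingress
!
! --- Role-based CLI: a NetOps view that can inspect but not reconfigure ---
aaa new-model
parser view NETOPS
 secret NetOpsViewPassword1
 commands exec include show ip route
 commands exec include show interfaces
 commands exec include show ip cache flow
 commands exec include ping
```

The `class-default` policer is the part that matters during a DDoS: any packet addressed to the router that no other class matches, including spoofed floods, is rate-limited before it reaches the route processor. Check the result with `show policy-map control-plane`, which reports conformed and exceeded counters per class; a steadily climbing exceed counter in `class-default` is itself an early-warning signal.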
Summary
Cisco Security Routers
Solving Enterprise Network Security Needs
A: Secure Connectivity
• Encrypted VPN connectivity between sites or partners
• Secure remote access for telecommuters
(VPN)
B: Data & Identity Protection
• Perimeter defense
• Admission control
• Outbreak prevention
(Application Firewall, Intrusion Prevention, Network Admission Control, URL Filtering)
C: Secure Voice & Wireless
• Convergence of Voice and Data services
• Integration of Wired and Wireless
(IP Telephony, Wireless)
D: Business Continuity
• WAN backup
• Network foundation protection
(Network Foundation Protection, WAN Backup)
Cisco Security Router
Summary
• Cisco Security Routers give you defense-in-depth network protection
• Invest in Security Bundles now
• Gain migration credit for existing equipment
www.cisco.com/go/routersecurity
Secure WAN Bundles Summary
Cisco 800 – 3800 Routers
Bundles: Baseline Security Bundles (-SEC); High Performance Bundles (-HSEC); Secure Voice Bundles (-V3PN); Secure Wireless Bundles (W-AG)
Solution Sets
A: Secure Connectivity
• Site-to-Site VPN
• Remote Access VPN
• High-Performance VPN
B: Data and Identity Protection
• Perimeter Defense
• Outbreak Prevention
• Network Admission Control
C: Secure Voice and Wireless
• Voice Gateway, Call Manager Express
• Wireless
D: Business Continuity
• WAN Backup
• Network Foundation Protection
[Matrix of which bundle includes each solution set: check marks not recoverable]
Secure WAN Bundles Summary
Cisco 7xxx Routers
Bundles: 7200 High Performance VPN Bundles; 7301 High Performance VPN Bundles; 7600 High Performance VPN Bundles
Solution Sets
A: Secure Connectivity
• Site-to-Site VPN
• Remote Access VPN (WebVPNSM optional)
• High-Performance VPN
B: Data & Identity Protection
• Perimeter Defense (FWSM optional)
• Outbreak Prevention (IDSM2 optional)
• Network Admission Control
C: Secure Voice & Wireless
• Voice Gateway, Call Manager Express (7200 and 7301: optional upgrade?; 7600: —)
D: Business Continuity
• WAN Backup
• Network Foundation Protection
[Matrix of which bundle includes each solution set: check marks not recoverable]
Award-Winning ISRs
Network Computing 2005 Well Connected Awards Product of the Year—Cisco Systems 2800 and 3800 Series
“…Cisco's new 3800 Series ISRs are products to "DIE" for this year… designed with security and voice over IP, firewall, QoS, intrusion detection and call processing all without compromising performance.”
Product of the Year!
Network Magazine 2005 Innovations Awards Network Hardware Product Breakthrough: Cisco Systems Integrated Services Routers
“The combination of routing, switching, firewalling, NAT, intrusion prevention, (NAC), and encryption capabilities, coupled with its ability to provide a host of telephony services and voice mail, makes the ISR our choice …”
CRN 2005 Channel Champions Award in Routing and Switching
“For partners, the introduction of Cisco’s Integrated Services Router platform … has been significant. … very few vendors … are offering solutions that fundamentally change the way companies do business,” (Ron Temske of Localis) said. “But Cisco does.”
Interop Tokyo 2005 Best of Show – Cisco Systems 1812JW
“1812 JW integrates various security features -- such as firewall, VPN, IPS -- into one box, with excellent cost performance. Designed to have the required features and price to meet Japanese users’ needs, we see Cisco Japan's efforts and commitment to capture Japan market.”
Cisco Security Management Suite
Integrated Device Manager (SDM)
• Quickest way to set up a device
• Wizards to configure FW, IPS, VPN, QoS and Wireless; configures all device parameters
• Ships with device
Cisco Security Manager
• New solution for configuring routers, appliances, switches and endpoints
• New user-centered design
• New levels of scalability
Cisco Security MARS
• Solution for monitoring and mitigation
• Uses control capabilities within infrastructure to eliminate attacks
• Visualizes attack paths
Cisco Security Auditor
• Today auditing is highly manual and costly
• Automated solution to audit against predefined best practice policies
• Identifies violations and provides recommendations