The Evolution of Defense in Depth
Robert Perciaccante, CISSP
Security Systems Engineer – Cisco Systems
September 11, 2007 - Pittsburgh, PA
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
Good Morning!
• Introductions
• Brief History of Internet Threats
• “Old School Thinking” – Security in the Beginning
• Changes in the Threat Model – ~2000 – Present
• Defense in Depth – What's mine is mine, and it's going to stay mine.
Quick Question:
• How many of you are directly involved with the security and protection of your organization?
   • Technical Team Members?
   • Management?
• How many of you have been involved, in one way or another, in a security breach, such as a malicious action or a malware outbreak?
   • At your Work?
   • At your Home?
A Day In The Life of a Security Professional…
What is a Threat?
• threat (thrět) n.*
   • An expression of an intention to inflict pain, injury, evil, or punishment.
   • An indication of impending danger or harm.
   • One that is regarded as a possible danger; a menace.
• A threat is any network-based attempt to compromise information, system, or network resources
• They can originate from anywhere, any time
• They take advantage of operating system, application, protocol, and psychological vulnerabilities
• They leverage all methods of entry to a system
• They can steal information, destroy data, deny access to servers, shut down embedded devices
• They do not want to be found
* “threat.” The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004. Dictionary.com, http://dictionary.reference.com/browse/threat (accessed 22 Jan. 2007).
Sources of Threats
• Application vulnerabilities allow hackers to gain access to underlying databases and improper levels of access to applications
• Improper data access through improperly configured firewalls and legacy firewall technology
• Operating system vulnerabilities allow hackers control of computers and enable information theft and improper system access
• E-Mail can offer spoofed links (e.g. phishing) and attachments infected with spyware, viruses, and other malware
• Internet use introduces files through download, drive-by installations, and errant software installations
• User access to information and resources that they either shouldn’t have or don’t need
• Network system vulnerabilities can allow hackers to take over entire domains (pharming)
Fateful Words
“Why would someone bother to attack me? I have nothing that they would want.”
- IT Manager ~1998 during a firewall proposal meeting
FACT:
You may not have something that anyone would want, but you can be used to get to something that they DO want, and where do you think the FBI will come when they start their investigation? Not only could this cause you to lose your operations center (frozen for investigation by authorities), but you are open to liability issues as a result of failure to perform due diligence.
Fateful Words - Example
• A datacenter was breached, and used to amplify a DDoS network (Smurf attack)
• Target network reported incident and source network to the FBI.
• The FBI identified the datacenter network as a source of the traffic, and seized control of the network to perform forensic analysis.
• In doing so, the FBI removed all the devices from the network, taking the company’s entire internet presence offline for 5 weeks.
• The datacenter network had to be rebuilt from scratch, with all new hardware, in order to maintain operations during the course of the investigation.
• The cause was determined to be a failure to implement appropriate security controls. The company who was the target of the DDoS sued the datacenter owner for lost revenue as a result of the attack and won $750,000 in damages.
• Total cost to datacenter owner:
   $750,000.00 – Punitive damages to victim
   $175,000.00 – Legal resources due to legal action
   $400,000.00 – Loss of revenue from downed datacenter and internal resources for its recreation
   $1,325,000.00 – Total loss (and this does not include public image impact!)
The Old Security Model: ~1997
[Diagram: Public Internet; IDS\IPS (Maybe…); Corporate Network]
The Old Security Model: ~1997
Generalizations:
• Everyone on the Internet is untrustworthy
• Everyone within my organization is essentially trustworthy
• The model was “hard exterior, soft gooey center”
   • Security efforts were focused on keeping the outsiders out
   • Internal personnel and\or systems were essentially permitted to go wherever they needed: HTTP\S, FTP, P2P, IM all essentially permitted unchecked.
• Traffic headed to externally facing systems, such as webservers etc., was typically protected through a single layer of firewall protection
• Limited or no internal segregation of networks or personnel
• Hosts were protected with anti-virus, perhaps a hardened image, but were typically otherwise unprotected
• Enterprise event monitoring did not exist
   • There was no significant market uptake for centralized logging and\or monitoring of events – it simply was not done
Challenges with the “Old Model”
• Disparate security devices meant segregation of administrative controls
   • Firewall Management
   • Domain Management
   • User Management
   • IDS\IPS Management
   • Router\Switch Management
• Too much data in too many different places
   • Inability to get the “Big Picture” because most personnel only had access to a piece of the puzzle
• Exterior-only protection meant insiders had free rein
   • No protection from the “Insider Threat”
   • Inability to reconstruct unauthorized access for investigative or prosecutorial processes
Changes in Internet Use and Abuse…
• As the Internet became more ingrained into the minds of business and personal users, the number of systems attached to the Internet increased.
• Increased complexity of networks and access
• With this increased attach rate, the importance of layered security grew from a nice to have to a MUST have:
   • Regulatory compliance
      • Demonstrability of “Due Diligence”
      • SOX, GLBA, PCI, etc.
   • Business needs for connectivity
      • Email
      • Website\eCommerce
      • Vendor\Remote Access
… leads to an Increase in Complexity
• Forensics and investigations more complex
   • Complexity of networks makes the forensic reconstruction of events far more difficult to do accurately
• Resource diversification
   • Resources may be segmented (i.e. Network Admins and Security Admins), making communication and collaboration more difficult when determining root cause
• Intercommunications between companies and partners more complex
   • Application communications are more complex, requiring a much higher degree of network and application understanding to be able to determine what is right and wrong in terms of behaviors
• Monitoring and management more difficult
   • De-centralized monitoring is typically the case, which makes recreation of event timelines very problematic
Unlimited Entry Points
• Virtually unlimited application, operating system, driver, and firmware updates annually
• Each has undiscovered vulnerabilities
• This creates virtually unlimited access by hackers
Evolution of Threats and Exploits 1994–2007
[Chart: attack complexity (Low to High) over Time. From lowest to highest complexity: Password Guessing; Self Replicating Code (WORM); Password Cracking; Vulnerability Scanning; Audit Disablement; Back Door Exploits; Session Hijacking; Sweepers; Self Installing Root Kits; Sniffers; Stealth Diagnostics; Packet Forging/Spoofing; Zombies; Pulsing; Dynamic Capabilities; Intelligent Bots; Blended Threats]
Evolution of Security Challenges
[Chart: Target and Scope of Damage vs. time to impact – Rapidly Escalating Threat to Businesses]
Scope axis (bottom to top): INDIVIDUAL Computer; INDIVIDUAL Networks; MULTIPLE Networks; REGIONAL Networks; GLOBAL Infrastructure Impact
Time-to-impact axis: Weeks; Days; Minutes; Seconds
• First Gen (1980s): Boot viruses
• Second Gen (1990s): Macro viruses; Denial of Service
• Third Gen (Today): Distributed Denial of Service; Blended threats
• Next Gen (Future): Flash threats; Massive “bot”-driven DDoS; Damaging payload worms
The Evolution of Intent
From Hobbyists to Professionals
Threats becoming increasingly difficult to detect and mitigate
[Chart: THREAT SEVERITY over time, 1990 – 1995 – 2000 – 2005 – WHAT’S NEXT?]
• TESTING THE WATERS: Basic Intrusions and Viruses
• FAME: Viruses and Malware
• FINANCIAL: Theft & Damage
Emerging Threats
• More access, always on, from everywhere
• Corporate “Edge” becoming harder to define and control
• Wireless Networking Density
• Anonymous access to or through legitimate networks, data leakage, remote point of attack against endpoints
• SSL and other single-sided technologies allow for scaling and instant DR
• Loss of control over corporate assets significantly changes security posture
Viruses Aren’t Dead
• During January 2007, 19 new major viruses were released
• Average response time of 21 leading AV engines was 8 hours
• 40% of the virus attacks in January 2007 had peaked before the AV signature was released
• The trend is getting worse, not better. Signature-based solutions must be combined with day-zero protection to protect today’s networks.
Security Breach Example Costs
Cost of Recent Customer Records Breach
• $6.5 Million: DSW Warehouse Costs from Data Theft
• $5.7 Million: BJ’s Wholesale Club from Data Breach
Additional impact/cost due to lost customers
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
Prevention Costs
• Prevention may be cheaper than reaction:
• Multiple independent studies have estimated the cost of customer record losses to be between $90 and $182 per record
“A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined,”
– Gartner analyst Avivah Litan
TJX Security Breach—Jan. 17, 2007
• NEW YORK, Jan 17 (Reuters)—TJX Cos Inc. (TJX), which operates the T.J. Maxx and Marshalls chains, said on Wednesday that its computer systems that process customer transactions had been breached, and customer information has been stolen.
• Trading of TJX stock was halted on the floor of the NY stock exchange as the news broke.
• TJX took a $5M charge to cover the investigation, legal fees and costs associated with explaining the problem to its customers
January 18, 2007—Congress Responds
• Washington, DC—House Financial Services Committee Chairman Barney Frank (D-MA) today issued the following statement regarding another major data breach potentially impacting millions of credit card holders:
“I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why. This is further evidence of the need for a provision over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility. Specifically, this means retailers or wholesalers must take responsibility for financial losses, contrary to what common practice is today.”
– Barney Frank, House Financial Services Committee Chair
The TJX Saga Continues
• Feb 22: TJX indicates that data thefts could reach back into 2005
• March 21: TJX indicates that fraudulently obtained information was used in an $8M gift card scheme
• March 29: Company reports SEC filing with loss of 45.7M records, along with 455k return records containing SSNs, Military IDs, and other info
• April 22: Company clarifies records theft dates back to July 2005 (17 months)
• April 26: Class action lawsuit filed by MA, CT, ME
• May 4: WSJ reports TJX had outdated wireless security, failed to install firewalls, and had not properly installed other layers of security …
http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html
Breaches occur more often than you think…
155,048,651
• Reported records breached since 2005*
• “unknowns” not counted
* Source: privacyrights.org as of June 8, 2007
Common Myths
• Only specific users have access to my systems
• We patch at every release and are therefore secure
• We air-gap the <insert name here> network and it’s therefore not exploitable
• Our firewall is bulletproof
• We use more than one vendor in each tier, so we are more secure.
   • This reduces visibility, increases resource requirements, and significantly increases the likelihood of human error!
• Repeat after me: it is vulnerable, it is exploitable, someone will access it
New Opportunity: Proliferation of Devices
The Challenge
• New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc.
• Diversity of OSs: more devices means more operating systems and custom applications
• IT department often not involved in procurement—little attention paid to security. For example, one environment got hacked from an oscilloscope
• User Expectations: users want to use the technology that they are used to using at home
• Embedded OSs: process controllers, kiosks, ATMs, lab tools, etc.
• Example: wireless networking, cellular network access
Opportunities for Attack
• All of these systems provide an ingress point into some form of back-end system
• Both the method of communication and the device itself are targets
• Attacks on the device: proliferation leaves many opportunities for taking control of a system
• Attacks on the back-end
• Attacks on data: sensitive data is becoming increasingly distributed and uncontrolled
• Attacks from “Trusted” Devices: mobility of devices means devices move out of your protected network and then back in, possibly bringing malware with them. For example, a family member of an employee installs software onto a laptop that contains a virus.
True Layered Protection
[Layered network diagram: Public Internet; Internet Gateway; DMZ; DMZ Gateway; Secure DMZ; S-DMZ Gateway; Internal Network (Internal Servers, Internal Clients)]
• In order to minimize an organization’s risk, it is IMPERATIVE that security be pervasive throughout every layer of the network and integrated into both technology and business processes.
• While the ROI on security has historically been difficult to calculate, many good ROI models have been published to help minimize overall risk (both operational and financial) as well as provide guidance on the appropriate level of protection
• EXCELLENT article on the US-CERT website: https://buildsecurityin.uscert.gov/daisy/bsi/articles/knowledge/business/677.html
Implement Concept of Security Domains
[Diagram: Literal Layer vs. Domain Affiliation]
Literal layers (outside in): Public Internet; Internet Gateway; DMZ; DMZ Gateway; Secure DMZ; S-DMZ Gateway; Internal Network; Internal Servers; Internal Clients
Domain affiliation (outside in): Wholly Untrusted; Partial Trust; Internal Trust
Domain Definitions:
Wholly Untrusted:
• No operational access or control over devices in this environment
Partially Trusted:
• Operationally controlled by organization
• Accessed by systems not controlled by organization
Internal Trust:
• Operationally controlled by organization
• NOT accessed by hosts not managed by organization
• Individuals using these systems or devices have undergone administrative review
Security Domains in a Nutshell
• Define technical and administrative controls for communications from a higher trust-level domain to a lower trust-level domain
   • Example: Connections from an internal laptop to a DMZ system must be only permitted on FTP or SFTP
• Define technical and administrative controls for communications from a lower trust-level domain to a higher trust-level domain
   • Example: Information that is needed for a web-facing application cannot be fetched directly from an internal database. Instead a secure-DMZ database may receive replicated data from the internal source, and the web application may access the secondary database using strong authentication and secure communications.
• Will require a lot of thought and planning, but will result in a very strong security infrastructure and reduced overall costs!
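One way to make the two domain rules on this slide checkable, as an added example that is not Cisco's code and not part of the deck: a default-deny evaluator over the deck's zones, with the slide's two examples written as rules. The zone and service names, the rule format, and giving the secure DMZ its own trust rank between the DMZ and the internal network are this example's assumptions.

```python
"""Trust-domain flow check for the security-domain rules on this slide.

Added illustration, not Cisco's code. The zones, service names, rule format
and the decision to give the secure DMZ its own trust rank between the DMZ
and the internal network are assumptions of this example.
"""
from __future__ import annotations
from dataclasses import dataclass

# Trust rank per zone: higher number = higher trust (assumed ordering).
TRUST_RANK = {"internet": 0, "dmz": 1, "secure_dmz": 2, "internal": 3}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str          # e.g. "sftp", "https", "db"
    strong_auth: bool = False
    encrypted: bool = False


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    services: frozenset[str]
    require_strong_auth: bool = False
    require_encryption: bool = False

    def matches(self, f: Flow) -> bool:
        return (f.src_zone == self.src_zone and f.dst_zone == self.dst_zone
                and f.service in self.services)


def direction(f: Flow) -> str:
    """Which of the slide's two cases a flow falls under."""
    s, d = TRUST_RANK[f.src_zone], TRUST_RANK[f.dst_zone]
    if s == d:
        return "same-domain"
    return "higher-to-lower" if s > d else "lower-to-higher"


def evaluate(f: Flow, rules: list[Rule]) -> tuple[bool, str]:
    """Default deny: permit only when an explicit rule matches and the flow
    meets that rule's authentication and transport requirements."""
    for r in rules:
        if not r.matches(f):
            continue
        if r.require_strong_auth and not f.strong_auth:
            return False, f"{direction(f)}: rule requires strong authentication"
        if r.require_encryption and not f.encrypted:
            return False, f"{direction(f)}: rule requires secure communications"
        return True, f"{direction(f)}: permitted ({'/'.join(sorted(r.services))})"
    return False, f"{direction(f)}: no matching rule, denied by default"


# Constructed rule set mirroring the slide's two examples (assumed services).
RULES = [
    # higher -> lower: internal laptop to a DMZ host only on FTP or SFTP
    Rule("internal", "dmz", frozenset({"ftp", "sftp"})),
    # lower -> higher: DMZ web app reads the S-DMZ replica, never the internal DB,
    # and only with strong authentication over a secured channel
    Rule("dmz", "secure_dmz", frozenset({"db"}),
         require_strong_auth=True, require_encryption=True),
    # replication from the internal source into the S-DMZ replica
    Rule("internal", "secure_dmz", frozenset({"db-replication"}),
         require_strong_auth=True, require_encryption=True),
    # untrusted Internet users reach only the published web service
    Rule("internet", "dmz", frozenset({"https"})),
]

# Constructed flows; the DMZ-to-internal database read has no rule at all.
SAMPLE_FLOWS = [
    Flow("internal", "dmz", "sftp"),
    Flow("internal", "dmz", "http"),
    Flow("dmz", "internal", "db"),
    Flow("dmz", "secure_dmz", "db", strong_auth=True, encrypted=True),
    Flow("dmz", "secure_dmz", "db", strong_auth=True),
    Flow("internet", "dmz", "https"),
]


def audit(flows: list[Flow], rules: list[Rule]) -> list[tuple[Flow, bool, str]]:
    return [(f, *evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for f, ok, why in audit(SAMPLE_FLOWS, RULES):
        print(f"{'PERMIT' if ok else 'DENY  '} {f.src_zone}->{f.dst_zone} {f.service}: {why}")
```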
Implementing True Defense in Depth:
[Layered network diagram: Public Internet; Internet Gateway; DMZ; DMZ Gateway; Secure DMZ; S-DMZ Gateway; Internal Network (Internal Servers, Internal Clients, Internal Devices)]
• Example: Anonymous Internet User
   • Consider participants of the Public Internet as hostile: if they cannot be inherently trusted, then they must by default be treated as hostile.
   • Minimize the number of services available to hosts that are not trusted
   • Provide a means to authenticate or establish the trust of external hosts through VPN use, SSL certificate authentication, etc.
   • Move everything that touches or is touched by the Public Internet behind a perimeter defense point
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Perimeter Firewall
   • Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
   • Implement an active defense methodology that will be flexible enough to respond to changing business needs and internet threats, such as the implementation of both firewall and intrusion prevention.
   • Utilize best-of-breed technologies that maximize capital expenses, reduce internal resources, and provide the greatest ability to identify and respond to threats
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Webserver Farm
   • Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions.
   • Provide a heightened level of security over standard hosts through formal lock-down procedures.
   • Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
   • Restrict access to these systems, even from your internal systems!
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Firewall between DMZ and Secured DMZ
   • Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
   • Protect higher-trust networks from potentially compromised hosts.
   • Create a mid-tier for shared information between the DMZ and the internal network by creating a secure DMZ.
   • Restrict both ingress and egress through this gateway!
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Network used to replicate information from internal data sources to externally-facing systems
   • Establish formally accepted guidelines for specifically what data must go through the S-DMZ, and what hosts may pull from or push to hosts in this network.
   • Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
   • Restrict access to these systems, even from your internal systems!
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Firewall between Internal network and Secured DMZ
   • Establish formally accepted guidelines for standardization of perimeter security devices, and services that are permitted in both directions!
   • Protect higher-trust networks from potentially compromised hosts.
   • Very much like the controls in place for the DMZ and Perimeter gateways
   • Restrict both ingress and egress through this gateway!
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Internal routers and switches (access and distribution)
   • Define formal paths for traffic flows (assists in incident containment)
   • Implement a layered approach through security applied on each device, switch, etc.
   • Use VLANs as a means to segregate LIKE traffic, but not as a means to separate security domains
      • VLAN hopping is possible in certain situations
   • Create internal segregation to further compartmentalize traffic and access (guests, vendors, etc.)
   • Utilize strong authentication and encryption
      • WEP is not security; it can be cracked in under 3 mins with a very low skill level
   • Use Network Access Control to authenticate and assign additional restrictions as necessary
   • Implement internal intrusion prevention to keep unauthorized traffic under control and to provide additional alerts for early warning of outbreaks, etc.
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Infrastructure computational devices such as file\print servers, email servers, etc.
   • Develop strong security lock-down and configuration standards for all hosts.
   • Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
   • Utilize centralized authentication (LDAP, etc.) to speed provisioning and respond to personnel changes.
   • Restrict access to these systems, even from your internal systems!
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: End-user laptops, desktops, or terminals.
   • Develop strong security lock-down and configuration standards for all hosts.
   • Implement active response protection through the implementation of agent- and policy-based monitoring such as configuration monitoring and behavior-based agents.
   • Utilize centralized authentication (LDAP, etc.) to speed provisioning and respond to personnel changes.
Implementing True Defense in Depth:
[Layered network diagram, as on the True Layered Protection slide]
• Example: Shared resources, such as network-enabled printers, IP-based controls, etc.
   • Develop standardized hardware, software, and configuration procedures, and secure where possible
   • Remember: Most network devices use an embedded operating system, and can be used as a jumping-off point for further attacks or infection!
   • Minimize the number of these devices, and ensure that they are not accessible
Calculate the Value of your Data
• Use a deterministic approach to security
   • Apply the appropriate amount of protection based on business risk analysis, not FUD
• Calculate the ROI of security vs “protect everything at any cost”
   • Ensure that you are reducing the overall risk of your organization through the application of appropriate controls
   • Don’t protect data worth $1,000 with a $100,000 device
   • Determine and document what is an acceptable loss, and prepare for it
• Create a “Risk Acceptance” process that will allow for documented exceptions, reducing the likelihood of undocumented changes being made in order to circumvent the formal procedure.
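The risk arithmetic behind this slide and the Prevention Costs slide, as an added example that is not from the deck: annualized loss expectancy before and after a control, the return on that control, and a risk-acceptance test for what remains. The per-record loss ($90 to $182) and per-account control costs ($6 and $16 for 10,000 accounts) are the deck's figures; the yearly breach probability, the share of risk each control removes, and the risk appetite are this example's assumptions.

```python
"""Risk-based control justification, as sketched on this slide.

Added illustration, not from the deck. Figures from the Prevention Costs
slide: $90-$182 loss per record, and for 10,000 accounts $6 per account for
encryption alone or $16 for encryption, host-based intrusion prevention and
audits. The yearly breach probability, the fraction of risk a control removes
and the risk appetite are assumptions of this example.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    records: int               # customer records (accounts) at risk
    loss_per_record: float     # $ per record if breached (deck: 90 to 182)
    annual_probability: float  # ASSUMED chance of a breach in a year

    def single_loss_expectancy(self) -> float:
        return self.records * self.loss_per_record

    def annualized_loss_expectancy(self) -> float:
        return self.single_loss_expectancy() * self.annual_probability


@dataclass(frozen=True)
class Control:
    name: str
    cost_per_record: float     # deck: $6 or $16 per account in year one
    risk_reduction: float      # ASSUMED fraction of ALE the control removes

    def annual_cost(self, records: int) -> float:
        return self.cost_per_record * records


def residual_ale(s: Scenario, c: Control) -> float:
    return s.annualized_loss_expectancy() * (1.0 - c.risk_reduction)


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: (risk removed - cost) / cost."""
    cost = c.annual_cost(s.records)
    removed = s.annualized_loss_expectancy() - residual_ale(s, c)
    return (removed - cost) / cost


def justified(s: Scenario, c: Control) -> bool:
    """The slide's rule: do not protect $1,000 of data with a $100,000 device."""
    return rosi(s, c) > 0.0


def within_appetite(s: Scenario, c: Control, acceptable_loss: float) -> bool:
    """Risk acceptance: is what remains after the control a documented, acceptable loss?"""
    return residual_ale(s, c) <= acceptable_loss


# Constructed cases using the deck's figures and an assumed 10% yearly breach
# probability; each control is assumed to halve the expected loss.
LOW = Scenario(records=10_000, loss_per_record=90.0, annual_probability=0.10)
HIGH = Scenario(records=10_000, loss_per_record=182.0, annual_probability=0.10)
ENCRYPTION = Control("data encryption", cost_per_record=6.0, risk_reduction=0.5)
FULL_STACK = Control("encryption + HIPS + audits", cost_per_record=16.0, risk_reduction=0.5)
# The slide's caricature: a $1,000 asset behind a $100,000 control.
TOY_ASSET = Scenario(records=1, loss_per_record=1_000.0, annual_probability=1.0)
BIG_DEVICE = Control("expensive device", cost_per_record=100_000.0, risk_reduction=1.0)


def report(s: Scenario, c: Control) -> str:
    return (f"{c.name}: ALE ${s.annualized_loss_expectancy():,.0f} -> "
            f"${residual_ale(s, c):,.0f}, cost ${c.annual_cost(s.records):,.0f}, "
            f"ROSI {rosi(s, c):+.0%}, {'justified' if justified(s, c) else 'not justified'}")


if __name__ == "__main__":
    for s, c in [(LOW, ENCRYPTION), (HIGH, ENCRYPTION), (HIGH, FULL_STACK), (TOY_ASSET, BIG_DEVICE)]:
        print(report(s, c))
```

Note how the same control is justified at the high end of the per-record range and not at the low end; the assumptions, not the formula, decide it, which is why the slide insists on documenting them.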
General Controls: Gateway Controls
• Utilize best-of-breed technology
• Create a policy that documents what is considered acceptable traffic, and publish these standards.
   • Once published, they can be incorporated into your project management methodology, allowing for automated enforcement and more uniform adoption.
• Utilize both firewall and intrusion prevention technologies to maximize the effectiveness of your perimeter defense against known and unknown attempts.
• Define all points of ingress and egress, and apply these controls to all of these gateways uniformly
   • This reduces the complexity and chances for human error.
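The uniformity check this slide calls for, as an added example that is not Cisco's code: every inventoried gateway is compared, in both directions, against the published standard for its class, and undocumented ingress/egress points are reported. The standard names, gateway names, service lists and record layout are constructed assumptions.

```python
"""Uniformity check of gateway controls against a published standard.

Added illustration, not Cisco's code. Implements the slide's sequence: a
documented standard of acceptable traffic, an inventory of every point of
ingress and egress, and the same controls applied to every gateway. The
standard names, gateway names, service lists and record format are this
example's assumptions (constructed data).
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Standard:
    name: str
    ingress: frozenset[str]   # services permitted inbound through this gateway class
    egress: frozenset[str]    # services permitted outbound


@dataclass
class Gateway:
    name: str
    standard: str             # which published standard this gateway must follow
    ingress: set[str] = field(default_factory=set)
    egress: set[str] = field(default_factory=set)
    inventoried: bool = True  # False: a path discovered that the policy never listed


@dataclass(frozen=True)
class Finding:
    gateway: str
    severity: str             # "high" = exposure, "low" = drift from the standard
    detail: str


def check_gateways(gateways: list[Gateway], standards: dict[str, Standard]) -> list[Finding]:
    """Compare every gateway, in both directions, with its published standard."""
    findings: list[Finding] = []
    for g in gateways:
        if not g.inventoried:
            findings.append(Finding(g.name, "high", "ingress/egress point not in the documented inventory"))
        std = standards.get(g.standard)
        if std is None:
            findings.append(Finding(g.name, "high", f"no published standard named '{g.standard}'"))
            continue
        for way, have, want in (("ingress", g.ingress, std.ingress), ("egress", g.egress, std.egress)):
            for svc in sorted(have - want):      # permitted here, but the standard says no
                findings.append(Finding(g.name, "high", f"{way}: '{svc}' permitted but absent from standard {std.name}"))
            for svc in sorted(want - have):      # standard expects it, this gateway lacks it
                findings.append(Finding(g.name, "low", f"{way}: '{svc}' in standard {std.name} but not configured"))
    return findings


# Constructed standard and gateway records.
STANDARDS = {
    "internet-edge": Standard("internet-edge",
                              ingress=frozenset({"https", "smtp", "vpn"}),
                              egress=frozenset({"https", "dns", "smtp"})),
}
GATEWAYS = [
    Gateway("gw-edge-1", "internet-edge", {"https", "smtp", "vpn"}, {"https", "dns", "smtp"}),
    Gateway("gw-edge-2", "internet-edge", {"https", "smtp", "vpn", "telnet"}, {"https", "dns"}),
    Gateway("gw-partner-1", "partner", {"https"}, {"https"}, inventoried=False),
]


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for a one-line compliance score."""
    out = {"high": 0, "low": 0}
    for f in findings:
        out[f.severity] += 1
    return out


if __name__ == "__main__":
    found = check_gateways(GATEWAYS, STANDARDS)
    for f in found:
        print(f"[{f.severity.upper():4}] {f.gateway}: {f.detail}")
    print(summary(found))
```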
General Controls: Pervasive Network Controls
• Add security to every layer of your network
• Utilize the concept of security domains, even within your internal network
   • Segregate infrastructure servers from mission-critical systems from desktops from network printers etc…
• Implement Network Access Control to limit access to your network from personnel on the inside such as guests, vendors, etc.
• Use strong encryption and strong authentication everywhere – if you cannot secure it properly, don’t deploy it until you can!
General Controls: Host-Based
• Develop strong security configurations for hosts as appropriate
• Implement behavioral- and policy-based protection
   • Provides the flexibility to adapt to new threats, as well as support for any application you may be running internally.
   • Removes the need for signature updates and prevents zero-day attacks based on how the attack behaves, not what its signature is.
   • Implementation of host-based firewalling technologies to prevent connections from occurring in the first place.
General Controls: Enterprise Visibility
• Implement a centralized logging and monitoring environment
   • Send all logs (or as many as practical based on business risk profile) to a centralized event correlation environment
   • Provides “instant” visibility into issues potentially before they become widespread
   • Ensures that the forensic review of issues is concise, resource-group independent, and forensically sound
• If you do not already have one, prepare an incident response plan, and practice it often!
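What the centralized correlation environment on this slide buys you, as an added example with constructed data (not Cisco's code and not real product output): three log formats (edge firewall, DMZ IPS, host agent) are normalized into one event stream, and any host that two or more independent sources report on within a short window is surfaced with its timeline. The log formats, hostnames and addresses are this example's assumptions.

```python
"""Centralized event correlation over constructed sample logs.

Added illustration for the "Enterprise Visibility" slide; not Cisco's code.
Three log formats (edge firewall, DMZ IPS, host agent) are constructed here
and are not real product output. Once every source lands in one place, a host
that several independent controls report on within a short window stands out
before the outbreak spreads, and its timeline is already assembled for IR.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str        # which control produced the event
    host: str          # the host the event is attributed to
    detail: str


# Constructed sample lines (hosts use documentation address ranges).
SAMPLE_LOGS = """\
2007-09-11T09:14:02 fw-edge-1 DENY tcp 203.0.113.7:4412 -> 192.0.2.10:445
2007-09-11T09:14:03 ips-dmz-1 ALERT sig=worm-propagation src=192.0.2.10 dst=10.0.5.22
2007-09-11T09:14:05 hips-agent host=10.0.5.22 BLOCKED process=svchost.exe action=outbound-scan
2007-09-11T09:20:40 fw-edge-1 PERMIT tcp 198.51.100.9:51023 -> 192.0.2.10:443
2007-09-11T09:41:10 hips-agent host=10.0.7.3 BLOCKED process=winword.exe action=write-system32
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|PERMIT) (\w+) ([\d.]+):\d+ -> ([\d.]+):\d+$")
IPS_RE = re.compile(r"^(\S+) (\S+) ALERT sig=(\S+) src=([\d.]+) dst=([\d.]+)$")
HIPS_RE = re.compile(r"^(\S+) (\S+) host=([\d.]+) BLOCKED (.+)$")


def parse_line(line: str) -> list[Event]:
    """Normalise one line into events; a network event yields one per endpoint."""
    if m := FW_RE.match(line):
        ts, src, action, proto, a, b = m.groups()
        t = datetime.fromisoformat(ts)
        d = f"{action} {proto} {a} -> {b}"
        return [Event(t, src, a, d), Event(t, src, b, d)]
    if m := IPS_RE.match(line):
        ts, src, sig, a, b = m.groups()
        t = datetime.fromisoformat(ts)
        d = f"ALERT {sig} {a} -> {b}"
        return [Event(t, src, a, d), Event(t, src, b, d)]
    if m := HIPS_RE.match(line):
        ts, src, host, d = m.groups()
        return [Event(datetime.fromisoformat(ts), src, host, "BLOCKED " + d)]
    return []   # unknown format: keep the raw line elsewhere, do not guess


def parse_logs(text: str) -> list[Event]:
    events = [e for line in text.splitlines() if line.strip() for e in parse_line(line)]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5)) -> dict[str, list[Event]]:
    """Hosts reported by two or more distinct sources inside `window`."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    flagged = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - first.ts <= window]
            if len({e.source for e in cluster}) >= 2:
                flagged[host] = cluster
                break
    return flagged


def timeline(events: list[Event], host: str) -> list[str]:
    """Incident-response view: one line per event for a host, in time order."""
    return [f"{e.ts.isoformat()} {e.source}: {e.detail}" for e in events if e.host == host]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for host, cluster in correlate(evs).items():
        print(f"{host}: seen by {sorted({e.source for e in cluster})}")
        for line in timeline(evs, host):
            print("   ", line)
```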
Questions?