Cisco IP Solution Center: Scalable Security Management
© 2002, Cisco Systems, Inc. All rights reserved. www.cisco.com
Challenges Managing Scalable Security Deployments
Security Management Scope in the 90's: Network Silos & Point Protection Security Solution
(Figure: headquarters and remote offices linked by leased line, ISDN and PSTN; departmental silos for Finance (ERP), Manufacturing (MRP) and HR (HR apps); partners and customers reached mostly by phone/fax.)
• Individual applications created and used by individual departments
• Point protection only: anti-virus applications on hosts, NAT protection and intrusion detection at the edge
Security Management Scope Today: Connected Networks & Complex Security Technologies
(Figure: headquarters, remote offices, teleworkers, partners and customers all interconnected; Finance (ERP, MRP), HR (HR apps), Sales (sales automation) and Manufacturing applications reachable across the network; customers reached mostly by Web/Extranet. Every connection point carries its own VPN, firewall and IDS.)
• Departmental applications available throughout the enterprise
• Security technologies deployed at every edge: VPN, firewall, IDS
Complex Security Policy Management
• Centralized definition of network-wide security policies
• Integrated management of VPN, FW, NAT and QoS policies
• Global modification of security policies
• Real-time policy audit
• Ongoing policy monitoring and alerting
(Figure: high-level security policies such as a VPN encryption policy and FW policy rules are translated into device-level rules, with real-time security rules verification and dynamic access point policy management. The device-level rules are shown as PIX access-list entries, truncated in the slide; fragments as extracted:)
access-list outside icmp
access-list outside permit
access-list outside gre host
access-list outside ah host
access-list outside permit ah
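The "real-time policy audit" above compares the high-level policy with what is actually configured on each device. The following is an added example, not ISC code: it parses PIX-style access-list entries (the shape shown in the slide fragments) and reports rules the policy requires but the device lacks, and rules present on the device that the policy never defined. The policy, the device configuration and the addresses are constructed sample data.

```python
"""Audit a device's PIX-style access-list against the intended policy.

Added example, not ISC code. POLICY and DEVICE_CONFIG are constructed
sample data; the parser covers the common PIX 6.x access-list shape
"access-list NAME {permit|deny} PROTO SRC [op PORT] DST [op PORT | icmp-type]".
"""
from dataclasses import dataclass

# number of arguments each PIX port operator takes
PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # ip, tcp, udp, icmp, gre, esp, ah, ...
    src: str       # "any", "host A.B.C.D" or "NET MASK"
    src_port: str  # "" or a port operator such as "eq 500"
    dst: str
    dst_tail: str  # "" or a port operator ("eq www", "range 1024 65535") or an ICMP type


def _address(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2  # "NET MASK"


def _port(tokens, i):
    """Consume an optional port operator at tokens[i]; return (text, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return "", i


def parse_acl(config_text, acl_name):
    """Return the Rules of one named access-list, in device order."""
    rules = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != acl_name:
            continue
        action, proto = t[2], t[3]
        src, i = _address(t, 4)
        src_port, i = _port(t, i)
        dst, i = _address(t, i)
        rules.append(Rule(action, proto, src, src_port, dst, " ".join(t[i:])))
    return rules


def audit(device_rules, policy_rules):
    """Report policy rules absent from the device and device rules the policy
    never defined (e.g. a hand-added "permit ip any any"). This is a set
    comparison: rule order and shadowing by earlier entries are not evaluated."""
    device, policy = set(device_rules), set(policy_rules)
    return {
        "missing": [r for r in policy_rules if r not in device],
        "unexpected": [r for r in device_rules if r not in policy],
    }


# Constructed intended policy for the "outside" interface of one PIX.
POLICY = [
    Rule("permit", "icmp", "any", "", "any", "echo-reply"),
    Rule("permit", "udp", "host 203.0.113.5", "", "host 198.51.100.1", "eq isakmp"),
    Rule("permit", "esp", "host 203.0.113.5", "", "host 198.51.100.1", ""),
    Rule("permit", "tcp", "any", "", "host 198.51.100.10", "eq www"),
]

# Constructed running configuration: the web rule was widened to "any" and a
# blanket permit was added by hand; both must be flagged by the audit.
DEVICE_CONFIG = """\
access-list outside permit icmp any any echo-reply
access-list outside permit udp host 203.0.113.5 host 198.51.100.1 eq isakmp
access-list outside permit esp host 203.0.113.5 host 198.51.100.1
access-list outside permit tcp any any eq www
access-list outside permit ip any any
access-list inside permit ip any any
"""


def run_sample():
    return audit(parse_acl(DEVICE_CONFIG, "outside"), POLICY)


if __name__ == "__main__":
    for kind, rules in run_sample().items():
        for r in rules:
            print(f"{kind:10} {r.action} {r.proto} {r.src} {r.src_port} {r.dst} {r.dst_tail}".rstrip())
```

Because the comparison is set-based, it catches drift (rules added, removed or widened by hand) but not ordering problems; a device that has every required entry but places a broad permit before a narrower deny still passes this check, so an ordering or shadowing analysis is a separate step.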
Scalable And Cost Efficient Deployment
• Management of hundreds of thousands of security access points
• Mass deployment of security policies
• Moves of devices, addition of new devices
• Simultaneous multiple client access
• Front-end scalability
• Back-end scalability
Role Based Access Control
• Different service views into the same network
• Different administration roles with different access privileges
• Support for multiple partitions, multiple groups and end users
• Physical/logical inventory, internal/external access management
(Figure: roles such as Technical Support, Design Team, Distributors, Deployment Force, External Customers, Internal Users, Suppliers, Sales Force, Partners and Telecommuters share one system.)
Cisco Scalable Security Management Solution
Cisco IP Solution Center Security Management
Cisco IP Solution Center Integrated IP Service Life Cycle Management
Cisco IP Solution Center (ISC) Security Management Solution
Security Policy Definition: ISC:SM provides a policy-based security service design tool that lets users efficiently design security policies for Firewall, NAT, IDS or IPsec VPN services.
Configuration & Provisioning: ISC:SM analyzes the current network configuration, dynamically generates the security device configurations and manages the large-scale security deployment.
Security Policy Audit: ISC:SM delivers high-volume security policy auditing to ensure policy integrity.
Security Alarm: ISC:SM provides comprehensive security soft-alarm management, along with partners' security alarm management capability.
Vulnerability Assessment: ISC:SM enables customers to proactively secure their IT infrastructure through our VA partners' automated real-time security risk analysis tools.
Reporting: ISC:Security Management provides a tunnel report and a VPN testing report, along with SIM partners' security event analysis reports.
(Figure: ISC:MSS components arranged around the service: Security Policy Definition, Configuration & Provisioning, Vulnerability Assessment, Security Policy Audit, Security Alarm, Reporting.)
Cisco IP Solution Center: Integrated System Design
Centralized system resource management
Integrated resource pool
Inventory management
Topology tool
Device view
Device Group
Internal/External Customer
Provider view
Logical Partitioning
Work flow control
Monitoring
Scheduling
Open interface
Cisco IP Solution Center: Role Based Access Control Model
(Figure: Technical Support, Design Team, Distributors, External Customers, Internal Users and Sales Force each get a role-scoped view into one IP Solution Center.)
Cisco IP Solution Center: Scalable System Architecture
(Figure: four tiers drawn top to bottom; components listed in the order shown.)
Client Tier: Web Browser ((X)HTML, XML, XSLT, Applet); Client Application
Interface Tier: Web Server (Servlet, JSP); Orbix 2000 ORB; XML/SOAP
Control Tier: TIBCO Event Bus; Repository API (JDBC); Scheduler; Master Watchdog; RBAC User Access Control & Logging; Task Manager; Device Repository, Service Model Repository, Collection Repository and Task Repository held in a Relational Database
Distribution Tier: Collection Server (Collection Tasks, Telnet Gateway Server, Data Aggregator, Watchdog, Data Storage Manager, Web Server); Processing Server (Provisioning/Auditing Tasks, Template Engine, Other Tasks, Watchdog, Task Log, Web Server); CNS SPE Policy Store
• Scalable Front End • Scalable Back End
Cisco IP Solution Center: Security Management Overview
(Figure: a policy-based security management framework over a technology abstraction layer. Shared data stores: Device Inventory, Customer Inventory, Logical Network Topology, Service Data Store, Service Relationship, RBAC Data Store. Services: Site-to-Site VPN, Remote Access VPN, EZVPN, DMVPN, Firewall, NAT, IDS (IOS), Network Based IPsec. Device drivers for IOS, PIX and VPN3K.)
• Technology abstraction allows multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
• New device support requires only development of a new device adapter
• Cross-linked models in a single store allow for integration of technologies
• Open XML/HTTP interfaces allow for security ISV partner integration
• CNS Config Engine allows for zero-touch security management
• ISC: Security Mgmt: integrated VPN, FW, IDS (IOS) and NAT management
Cisco IP Solution Center: Integrated VPN Management
Site-to-Site VPN
• EZVPN, DMVPN, Network Based IPsec
• VPN topologies: hub-and-spoke, full mesh, and partial mesh
• Automatic generation of unique pre-shared keys
• Templates for certificate enrollment
• Provisioning routing protocols over GRE tunnels: OSPF, EIGRP, RIP
Remote Access VPN
VPN Reporting and Monitoring
• VPN connectivity test report
• VPN policy audit report
• VPN SLA report via SAA
• CNM views
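The topology choice above decides how many IPsec tunnels (and pre-shared keys) a deployment needs, which is the "N square" problem a later slide names: a full mesh of n sites needs n(n-1)/2 tunnels, a hub-and-spoke only n-1. The following is an added example, not ISC code: it enumerates the peer pairs for each topology and gives every tunnel its own CSPRNG-generated pre-shared key, so no two sites share a key. Site names, hub choices and the extra spoke-to-spoke pairs are constructed inputs.

```python
"""Enumerate the IPsec tunnels a VPN topology needs and assign unique PSKs.

Added example, not ISC code. Site names are constructed; the topology names
follow the slide (hub-and-spoke, full mesh, partial mesh).
"""
import itertools
import secrets


def _pair(a, b):
    """Canonical unordered peer pair so (a, b) and (b, a) are the same tunnel."""
    return (a, b) if a < b else (b, a)


def tunnels(topology, sites, hubs=(), extra=()):
    """Return the set of peer pairs that each need an IPsec SA (and a PSK).

    topology: "full-mesh", "hub-and-spoke" or "partial-mesh".
    hubs:     hub sites for hub-and-spoke / partial-mesh; hubs are meshed with
              each other, spokes talk only to hubs.
    extra:    explicit spoke-to-spoke pairs layered on top of hub-and-spoke
              (partial-mesh only).
    """
    sites = sorted(set(sites))
    if topology == "full-mesh":
        return set(itertools.combinations(sites, 2))  # sorted input: a < b already
    hubs = sorted(set(hubs))
    if not hubs or any(h not in sites for h in hubs):
        raise ValueError("hub-and-spoke / partial-mesh needs hubs drawn from sites")
    spokes = [s for s in sites if s not in hubs]
    pairs = {_pair(h, s) for h in hubs for s in spokes}
    pairs |= set(itertools.combinations(hubs, 2))  # hubs fully meshed
    if topology == "hub-and-spoke":
        return pairs
    if topology == "partial-mesh":
        for a, b in extra:
            if a not in sites or b not in sites or a == b:
                raise ValueError(f"bad extra pair {(a, b)!r}")
        return pairs | {_pair(a, b) for a, b in extra}
    raise ValueError(f"unknown topology {topology!r}")


def assign_psks(pairs, key_bytes=32):
    """One independent random pre-shared key per tunnel.

    A compromised spoke then exposes only its own tunnels rather than a group
    key shared by every site. secrets.token_hex uses the OS CSPRNG.
    """
    return {p: secrets.token_hex(key_bytes) for p in sorted(pairs)}


def sa_count(n_sites, topology, n_hubs=1):
    """Closed-form tunnel count, to sanity-check tunnels() and to size a rollout."""
    if topology == "full-mesh":
        return n_sites * (n_sites - 1) // 2          # the N-square growth
    spokes = n_sites - n_hubs
    return n_hubs * spokes + n_hubs * (n_hubs - 1) // 2


if __name__ == "__main__":
    demo_sites = [f"site{i:02d}" for i in range(50)]   # constructed
    for topo, hubs in (("full-mesh", ()), ("hub-and-spoke", ("site00",)),
                       ("hub-and-spoke", ("site00", "site01"))):
        n = len(tunnels(topo, demo_sites, hubs=hubs))
        print(f"{topo:14} hubs={len(hubs)} tunnels={n} psks={len(assign_psks(tunnels(topo, demo_sites, hubs=hubs)))}")
```

With 50 sites the full mesh needs 1225 tunnels and 1225 distinct keys, while a single hub needs 49; the hub-and-spoke count grows linearly, which is why a management system that generates and tracks the keys matters far more as sites are added to a mesh.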
Cisco IP Solution Center: Firewall Management
• Policy-based firewall management
• Common firewall policy for multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
• Hierarchical policies: high-level policy rules; inheritance in the device containment hierarchy
• Support for both filter rules and inspect rules
• URL filtering
• Authentication proxy: http, https, ftp, telnet
• CNM views for customer policy
• Can be used as an independent service or in conjunction with another service such as IPsec VPN, QoS, MPLS VPN, etc.
Cisco IP Solution Center Quality of Service Control
Policy Associated with QoS Service Classes
Implemented using MQC & non-MQC commands – Rate Limiting
All classes contained in the DiffServ architecture are supported (DSCP - 64 classes, IP Prec - 8 classes)
Default Policy shall support 3 classes – VoIP, Business-Data, & Best-Effort
Link-level QoS policy
Cisco IP Solution Center Enabled Network-Based IPsec: A Solution To The N Square Limitation
(Figure: corporate intranet, branch offices, SOHO sites and remote users/telecommuters reach an ISP over cable/DSL/ISDN or local/direct dial; each IPsec session terminates on a Cisco IOS router at the edge of the SP shared network (IP, MPLS or Layer 2 based VPN), where customers A, B and C are mapped onto VPN A, VPN B and VPN C on the PE routers. Endpoints are Cisco IOS VPN routers or Cisco VPN Client 3.x at the customer branch and head offices. Labels: "One or Two Box Network Based IPsec Solution"; "Cisco IP Solution Center: SM Hybrid VPN - IPsec To MPLS".)
Cisco IP Solution Center: NAT Management Tool
• Multi-type (i.e. IOS, PIX, VPN3K) Cisco device support
• Support for static translation: network based, host based or port based
• Support for dynamic translation: standard or PAT
• Support for overlapping address space
• Can be used as an independent utility or in conjunction with another technology such as IPsec VPN
Other Integrated Security Management Tools
Cisco IP Solution Center: CERT Management Tool
• Templates for certificate enrollment on one or more routers
• Verify presence of the root cert and device cert for a given trust point's cert chain
• Verify re-enrollment of certificates according to the auto-enroll percentage parameter
• Summary report indicating cert enrollment status or expiration status on desired VPN routers
• Routine verification or certificate update
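The CERT management checks above (chain present, re-enrollment according to the auto-enroll percentage, expiry summary per VPN router) can be expressed as a small report over a certificate inventory. The following is an added example, not ISC code: it applies the IOS auto-enroll rule, under which a router requests a new certificate once the configured percentage of the current certificate's lifetime has elapsed, and flags trustpoints that are missing the CA certificate or device certificate, are overdue for re-enrollment, or have already expired. The router names, trustpoint, subjects and validity dates are constructed.

```python
"""Certificate enrollment status report for VPN routers.

Added example, not ISC code. Applies the IOS auto-enroll rule (re-enroll
when <percent> of the certificate lifetime has elapsed) to a constructed
inventory; router names, trustpoint and dates are made up.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    router: str
    trustpoint: str
    kind: str          # "ca" (root / issuing CA certificate) or "device"
    subject: str
    not_before: datetime
    not_after: datetime


def renewal_due_at(cert, percent):
    """Instant at which `percent` of the certificate's validity has elapsed."""
    lifetime = cert.not_after - cert.not_before
    return cert.not_before + lifetime * (percent / 100)


def check_trustpoint(inventory, router, trustpoint, percent, now):
    """Verify the chain is present and the device cert is neither expired
    nor past its auto-enroll threshold."""
    mine = [c for c in inventory if c.router == router and c.trustpoint == trustpoint]
    issues = []
    if not any(c.kind == "ca" for c in mine):
        issues.append("CA certificate missing")
    device_certs = [c for c in mine if c.kind == "device"]
    if not device_certs:
        issues.append("device certificate missing")
    for c in device_certs:
        if now >= c.not_after:
            issues.append(f"device certificate expired {c.not_after:%Y-%m-%d}")
        elif now >= renewal_due_at(c, percent):
            issues.append(f"re-enrollment overdue since {renewal_due_at(c, percent):%Y-%m-%d}")
    return {"router": router, "trustpoint": trustpoint,
            "status": "ok" if not issues else "action required", "issues": issues}


def enrollment_report(inventory, routers, trustpoint, percent, now):
    """One row per router, in the order given: the summary report of the slide."""
    return [check_trustpoint(inventory, r, trustpoint, percent, now) for r in routers]


# Constructed inventory: one CA, four routers, auto-enroll 90 %, audited on 2002-05-15.
CA = datetime(2000, 1, 1), datetime(2010, 1, 1)
INVENTORY = [
    Cert("vpn-r1", "corp-ca", "ca", "cn=corp-ca", *CA),
    Cert("vpn-r1", "corp-ca", "device", "cn=vpn-r1", datetime(2002, 1, 1), datetime(2003, 1, 1)),
    Cert("vpn-r2", "corp-ca", "ca", "cn=corp-ca", *CA),
    Cert("vpn-r2", "corp-ca", "device", "cn=vpn-r2", datetime(2001, 6, 1), datetime(2002, 6, 1)),
    # vpn-r3: device cert present but the CA cert was never installed
    Cert("vpn-r3", "corp-ca", "device", "cn=vpn-r3", datetime(2002, 1, 1), datetime(2003, 1, 1)),
    Cert("vpn-r4", "corp-ca", "ca", "cn=corp-ca", *CA),
    Cert("vpn-r4", "corp-ca", "device", "cn=vpn-r4", datetime(2001, 3, 1), datetime(2002, 3, 1)),
]
ROUTERS = ["vpn-r1", "vpn-r2", "vpn-r3", "vpn-r4"]
AUDIT_TIME = datetime(2002, 5, 15)


def run_sample():
    return enrollment_report(INVENTORY, ROUTERS, "corp-ca", 90, AUDIT_TIME)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['router']:8} {row['status']:16} {'; '.join(row['issues'])}")
```

In the sample, vpn-r2's certificate runs from 2001-06-01 to 2002-06-01, so 90 % of its lifetime elapsed on 2002-04-25; on 2002-05-15 it is still valid but overdue for re-enrollment, which is exactly the case a periodic expiry-only check would miss until the tunnel fails.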
Self Managed Large Scale Security Deployment: Truck Roll Saving, Plug & Play
(Figure: IP Solution Center + Cisco CNS at HQ; Cisco CNS agents at Branch 1, Branch 2 ... Branch n, all reached over the Internet.)
1. Define the security policy
2. Cisco ships the router directly to the customer end site with a bootstrap configuration
3. Upon connectivity, the device events IP Solution Center via Cisco CNS
4. IP Solution Center dynamically configures the security device
5. Each device informs ISC of successful deployment; the complex security policy is deployed
6. Periodic security policy audit
Self Managed Large Scale Security Deployment: TCO Analysis – Cisco IP Solution Center Solution
(Figure: IP security TCO split as Equipment/Network 60% and Operations (OSS & Staff) 40%; with Cisco ISC the Operations (OPEX) share shrinks: "Cisco ISC - Reduced Op TCO". Cisco Powered Network.)
IP Security TCO today:
• Multi-disciplined expertise required (VPN, Firewall, NAT, QoS...)
• Heavy applications duplicate effort and investment
• Can't hire and train enough people to manage the deployment and changes of security policies
With Cisco ISC:
• ISC manages the complexity of security technologies
• Efficient security policy audit to guarantee security integrity
• Self-managed zero-touch deployment environment
Cisco IP Solution Center: Summary
• Single application for VPN, Firewall, NAT, QoS and IDS (IOS) across heterogeneous platforms
• Integrated policy-based management
• Scalable 4-tier architecture
• Industry leading VPN feature set support
• L2, L3 and VPN topology views
• Intelligent provisioning and auditing engine
• Open interfaces