Building a Security Strategy

Date: Mar 24, 2016

Bob Vachon introduces network security-related concepts and summarizes how security policies are implemented using a lifecycle approach.

The chapter covers the following topics:

Cisco Borderless Network Architecture

Cisco SecureX Architecture and Context-Aware Security

Threat Control and Containment

Cloud Security and Data-Loss Prevention

Secure Connectivity Through VPNs

Security Management

Cisco Borderless Network Architecture

Traditional approaches to network security used well-defined borders to protect inside networks from outside threats and malware. Employees used corporate computers secured with antivirus and personal firewalls. Perimeter-based networks were protected using network-scanning devices (firewalls, web proxies, and email gateways).

Today, network borders are dissolving as users want to access resources from any location, on any type of endpoint device, using various connectivity methods. Cisco has addressed this with the Borderless Network Architecture, which integrates the following components:

Borderless end zone

The zone offers deployment flexibility and strong security services in multiple dimensions as users connect to the network. End-user access is based on the security posture of the connecting endpoint using the Cisco AnyConnect SSL VPN Client. Infrastructure protection is provided using firewalls, intrusion prevention systems (IPSs), web security, and email security.

Borderless Internet

Implemented using Layer 2 through Layer 7 scanning engines managed by enterprises and cloud providers. Scanning engines assume the role of firewalls, intrusion detection/prevention systems (IDSs/IPSs), network proxies, and web gateways.

Borderless data center

Layers virtualized components on top of existing infrastructure components to provide security solutions for the cloud.

Policy management layer

The security policy is managed in central locations and then enforced throughout the network based on context-specific variables.

It provides the following:

  • Access policy (who, what, when, where, and how)
  • Dynamic containment policy
  • Policy for on and off premise

Borderless Security Products

The architectural approach to security found in the Borderless Network Architecture results in distinct categories of Cisco products, technologies, and solutions:

Cisco SecureX Architecture and Context-Aware Security

To respond to the evolving security needs of today’s borderless network environments, Cisco developed the SecureX architecture. It is a new context-aware security architecture that enforces security policies across the entire distributed network, not just at a single point in the data stream.

The architecture starts with a solid network technology foundation that ensures the network infrastructure is not compromised in any way. It has security enforcement elements in the form of appliances, modules, or cloud services built on top. This architecture can deal with the full spectrum of devices, ranging from the traditional corporate PC or Mac, all the way to next-generation mobile devices such as iPads and Androids. With Cisco AnyConnect, security is enforced in the network by tethering these myriad devices into the security infrastructure at the most optimal point and attaching seamlessly.

Figure 3-1 illustrates the components of the SecureX strategy.

Figure 3-1 Cisco SecureX Components

Components of the Cisco SecureX strategy include the following:

Context-aware policies

Allows enforcement elements such as infrastructure devices to use user information (for example, user identity, security posture of the connecting device, and the point of access to the network) to define the access policy.

Cisco TrustSec

TrustSec is an intelligent and scalable access control solution that mitigates security access risks across the entire network to provide access to anyone, anywhere, anytime.

Cisco AnyConnect Client

AnyConnect Client provides for secure connectivity across a broad set of PC- and smartphone-based mobile devices. The enforcement devices provide posture assessment, access control services, and policy enforcement.

Cisco Talos

Cisco Talos Security Intelligence and Research Group (Talos) correlates data from almost a million live data feeds from deployed Cisco email, web, firewall, and IPS solutions to detect, analyze, and protect against both known and emerging threats. Information is shared with Cisco customers and devices on demand.

Cisco TrustSec

TrustSec is an umbrella term that encompasses the Cisco next-generation Network Access Control (NAC) framework, including the following:

It does so by incorporating the following technologies:

TrustSec user identities are not based on IP addresses or usernames; they are role based. When users authenticate, their privileges are determined by their security group tag (SGT) and the security group access control list (SGACL) that applies to it.

Cisco Identity Services Engine (ISE) combines the functionality of other Cisco products—such as the Cisco Secure Access Control Server (ACS) for authentication, authorization, and accounting (AAA) services, and Network Admission Control (NAC)—into this next-generation policy server.

TrustSec Confidentiality

TrustSec implementation follows this process:

  1. A user connects to a switch using 802.1X. The switch relays the authentication credentials to an ISE. The ISE authenticates the user and assigns the user an SGT.
  2. Traffic from the authenticated user is tagged with its specific SGT. Network devices along the data path read this tag and enforce its associated policy by restricting access to predetermined network destinations and resources. The devices do so by using SGACLs.
  3. TrustSec can also provide data confidentiality by using MACsec. For example, if a policy requires that data should be secured, Cisco TrustSec understands this policy and dynamically encrypts the user data.
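The following is an added example, not code from the chapter or from Cisco, that models the two ideas above in one place: the context-aware policy decision (identity, endpoint posture, point of access) that the policy server makes at step 1 when it assigns an SGT, and the SGACL lookup an enforcement device performs at step 2. All tag numbers, roles, ports, and sessions are constructed for illustration; the point it demonstrates is that the decision depends on the tag, not on the endpoint's IP address.

```python
from dataclasses import dataclass

# Constructed session record: the facts ISE learns from 802.1X and posture assessment.
@dataclass(frozen=True)
class Session:
    user: str
    role: str            # role from the identity store (hypothetical group names)
    posture_ok: bool     # endpoint passed posture assessment
    access: str          # "wired", "wireless", or "vpn" (point of access)
    ip: str              # assigned address; deliberately not used for policy

# Constructed SGT values for this example, not Cisco-assigned numbers.
UNKNOWN, GUEST, EMPLOYEE, FINANCE, SERVERS = 0, 10, 20, 30, 40

def classify(s: Session) -> int:
    """Context-aware classification at authentication time: session -> SGT."""
    if not s.posture_ok:
        return GUEST            # dynamic containment: non-compliant endpoint is restricted
    if s.role == "finance" and s.access != "wireless":
        return FINANCE          # the most privileged tag only from wired or VPN access
    if s.role in ("finance", "employee"):
        return EMPLOYEE
    return UNKNOWN              # anything unrecognised gets a tag with no permissions

# SGACL matrix: (source SGT, destination SGT) -> permitted TCP destination ports.
# A missing cell permits nothing (default deny).
SGACL = {
    (EMPLOYEE, SERVERS): {80, 443},
    (FINANCE, SERVERS): {80, 443, 1433},
    (GUEST, SERVERS): set(),
}

def enforce(src_sgt: int, dst_sgt: int, port: int) -> bool:
    """Egress enforcement: read the tags on the flow and apply the matching SGACL."""
    return port in SGACL.get((src_sgt, dst_sgt), set())

def check(session: Session, dst_sgt: int, port: int) -> bool:
    """End-to-end: classify the session, then enforce on the tagged traffic."""
    return enforce(classify(session), dst_sgt, port)

if __name__ == "__main__":
    alice = Session("alice", "finance", True, "wired", "10.1.1.5")
    print(check(alice, SERVERS, 1433))   # finance user on a wired port reaches the database
```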

Cisco AnyConnect

Cisco AnyConnect protects mobile employees on PC-based or smartphone platforms using an SSL or IP Security (IPsec) virtual private network (VPN) to deliver a more seamless, always-on, and always-protected experience to end users, while enabling IT administrators to enforce policies and block malware with cloud-based or hybrid web security.

Cisco AnyConnect provides the following:

Cisco Talos

Cisco Talos combines the Cisco Security Intelligence Operations (SIO) and Sourcefire VRT to provide collective security intelligence. Talos baselines the current global state of threats and provides the network with valuable information to detect, prevent, and react to threats. It operates as an early-warning system by correlating threat information from the SensorBase, analyzed by the Threat Operations Center. This information is then provided to enforcement devices such as the Cisco Adaptive Security Appliance (ASA), Integrated Services Router (ISR), and IPS device for real-time threat prevention.

Threat Control and Containment

The Cisco threat control and containment solution regulates network access, isolates infected systems, prevents intrusions, and protects critical business assets. This solution counteracts malicious traffic before it affects a business.

Threat prevention products include the following:

Cisco ASAs

The Adaptive Security Appliance devices provide proven firewall services and integration of VPN and IPS technologies.

Cisco ISRs

Integrated Services Routers provide network security controls using zone-based policy firewall (ZPF), IOS IPS, and VPN technologies.

Cisco IPS

Intrusion prevention is provided using dedicated appliances or is integrated into ASA and ISR devices. These IPS sensors support a variety of IPS technologies, including signature-based, anomaly-based, policy-based, and reputation-based techniques.

Cloud Security and Data-Loss Prevention

Adding to the complexity of securing a network is the fact that many modern network designs now incorporate cloud computing. Threats in cloud computing include the following:

Administrators, because they are ultimately responsible for data residing on networks over which they have no control, must also consider the consequences if the cloud environment is not properly secured.

The following two traditional key services must now be secured in the cloud:

Securing web access

Cisco Cloud Web Security (CWS), formerly known as Cisco ScanSafe, is a cloud-based solution that provides comprehensive web security as a service (SaaS). Cisco CWS provides enhanced security for all endpoints while they access Internet websites using publicly available wireless networks including hotspots and mobile cellular networks. With Cisco CWS, administrators can set and enforce specific web use policies to control access to websites and specific content in web pages and applications as well as SaaS applications.

Cisco Web Security Appliance (WSA) is a type of firewall and threat monitoring appliance that provides secure web access, content security, and threat mitigation for web services. It also provides advanced malware protection, application visibility and control, insightful reporting, and secure mobility.

Securing email access

Cisco Email Security Appliance (ESA) is a type of firewall and threat monitoring appliance for email traffic. It provides the capability to quickly block new email-based blended attacks, to control or encrypt sensitive outbound email, control spam, and more.

Secure Connectivity Through VPNs

There are two VPN-based solutions to implement secure connectivity:

Secure communications for remote access

Provides secure, customizable access to corporate networks and applications by establishing an SSL or IPsec VPN tunnel between the remote host and the central site.

Secure communications for site-to-site connections

Provides secure site-to-site IPsec VPN access between two or more sites.

Security Management

Cisco network management systems help automate, simplify, and integrate a network to reduce operational costs; improve productivity; and achieve critical functions such as availability, responsiveness, resilience, and security.

The hierarchy of tools available for security management is as follows:

Device managers

Web interface tool that simplifies the configuration and monitoring of a single device.

Cisco ASA Security Device Manager (ASDM)

A GUI-based device management tool for ASAs.

Cisco Security Manager

An enterprise-level application solution to configure and manage thousands of firewalls, routers, switches, IPS sensors, and other security solutions. Scalability is provided using intelligent policy-based management techniques that simplify administration.
