Holistic Security
High-Tech Tools and Old Fashioned Evangelism Keep Cisco's Network Secure

Effective LAN security isn't merely a function of technology, but the result of a carefully crafted corporate culture. That's the message from Cisco's internal security team, InfoSec. But at the core of Cisco's information technology security umbrella is state-of-the-art technology that protects important information from both intentional and accidental security breaches.

The Threat
When people think of information security threats, they usually imagine malicious hackers trying to steal corporate secrets or vandalize company Web sites. According to Richard Perlotto, manager of Cisco's security operations, more than 70 percent of security threats at Cisco -- and most large enterprises -- come from within the organization, and the vast majority of those are unintentional.

Security breaches can occur in a variety of ways. A well-meaning engineer might load a new piece of network management software, unaware that the technology's default settings are apt to cause some machines on the network to crash. Even if no crashes occur, the presence of new software on the network could set off intrusion detection alarms, causing the security team to spend valuable time hunting down the culprit.

Other problems may occur when poorly coded software reveals information unintentionally, or when an employee creates a virtual window into his office workstation from his home PC, inadvertently giving hackers a route into the network.

External threats to Cisco's network have been increasing at an alarming rate, a rise Perlotto says he can't easily attribute to any one cause. Most often, the attacks come from "script kiddies," amateur hackers using generic scripts in random attempts to break into a big company's network. Almost none of these attempts are successful, and the few that are cause little trouble. Of more concern are the professional hackers using sophisticated tools to attempt a break-in, but as Perlotto explains, "I'm not worried about the guy who shows up in my logs. I'm worried about the one who doesn't."

The Security Puzzle
Perlotto says the role of InfoSec is simple. "Our job is to prevent a security incident that would otherwise put Cisco on the front page of The Wall Street Journal," he says. "If we're doing everything right, then nobody should even know we're here."

Achieving that level of invisibility isn't easy. To secure the company's LAN from internal and external threats, the InfoSec team relies on a multi-pronged approach combining sophisticated technology and employee awareness.

View diagram, Cisco SAFE: A Vision for Secure E-Business. (PDF)
The InfoSec team's use of technology closely maps the Cisco SAFE Blueprint for Secure E-Business, combining layers of protection that include the Cisco Secure Intrusion Detection System (IDS), Cisco PIX® Firewalls and Cisco virtual private network (VPN) technology.

Sleeping With One Eye Open
InfoSec depends on Cisco Secure IDS, deployed throughout the Cisco network worldwide. Cisco Secure IDS is a real-time, network-based intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network. Perlotto notes that Cisco is, in fact, one of the 20 largest users of its own IDS products.

There are generally two types of IDS products on the market: signature-based systems, which match traffic against a catalog of known attack patterns, and anomaly-based systems, which build a statistical baseline of normal traffic and flag deviations from it. Cisco Secure IDS is a signature-based product, which demands significantly less processing and memory on the sensor than an anomaly-based system, at the cost of seeing only what it has a signature for.

Cisco Secure IDS uses a Fast Ethernet sensor and functions as a network sniffer, sitting passively on a network segment and monitoring traffic as it passes by. Sensors detect unauthorized activity traversing the network and can respond to these events by terminating the offending session (for TCP, by injecting a reset toward both endpoints). The built-in management console, called the "Director," provides a visual alarm display to alert network administrators to the intrusion.
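The sensor behaviour just described, as an added example that is not Cisco Secure IDS code: a signature-based sensor walks a constructed packet trace, matches each packet against a small signature list, raises an alarm for the console on a hit and, for signatures marked "reset", tears down the offending session so that later packets in it are no longer inspected. The signature IDs, patterns and the trace are constructed for this illustration (RFC 5737 documentation addresses), and the last packet in the trace carries an attack for which no signature exists, which is the blind spot Perlotto's remark about "the one who doesn't" show up in the logs is about.

```python
"""Signature-based sensor over a constructed packet trace (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sig_id: int            # constructed IDs, not Cisco's signature numbering
    name: str
    dport: int | None      # None matches any destination port
    pattern: re.Pattern    # compiled bytes regex run against the payload
    action: str            # "alarm" (log only) or "reset" (alarm + kill session)


SIGNATURES = (
    Signature(1, "HTTP directory traversal", 80, re.compile(rb"\.\./\.\./"), "reset"),
    Signature(2, "Overlong UTF-8 slash in URI", 80, re.compile(rb"%c0%af|%c1%9c", re.I), "reset"),
    Signature(3, "SMTP VRFY user enumeration", 25, re.compile(rb"^VRFY ", re.M), "alarm"),
)


@dataclass(frozen=True)
class Alarm:
    sig_id: int
    name: str
    session: tuple[str, str, int]
    action: str


class Sensor:
    """Passive sensor on a segment: inspect, alarm, and optionally reset."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.reset_sessions: set[tuple[str, str, int]] = set()
        self.alarms: list[Alarm] = []
        self.inspected = 0

    @staticmethod
    def session_key(pkt: Packet) -> tuple[str, str, int]:
        return (pkt.src, pkt.dst, pkt.dport)

    def inspect(self, pkt: Packet) -> Alarm | None:
        """Return the alarm raised for this packet, or None if it is clean."""
        key = self.session_key(pkt)
        if key in self.reset_sessions:
            return None                  # session already torn down
        self.inspected += 1
        for sig in self.signatures:
            if sig.dport is not None and sig.dport != pkt.dport:
                continue                 # cheap port pre-filter before the regex
            if sig.pattern.search(pkt.payload):
                alarm = Alarm(sig.sig_id, sig.name, key, sig.action)
                self.alarms.append(alarm)
                if sig.action == "reset":
                    self.reset_sessions.add(key)   # a real sensor sends TCP RST to both ends here
                return alarm             # first matching signature wins
        return None

    def run(self, packets) -> list[Alarm]:
        return [a for a in (self.inspect(p) for p in packets) if a is not None]


# Constructed trace using RFC 5737 documentation addresses.
TRACE = [
    Packet("203.0.113.7", "198.51.100.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.7", "198.51.100.10", 80, b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n"),
    Packet("203.0.113.7", "198.51.100.10", 80, b"GET /robots.txt HTTP/1.0\r\n"),   # session was reset: not inspected
    Packet("203.0.113.9", "198.51.100.25", 25, b"HELO probe\r\nVRFY root\r\n"),
    Packet("203.0.113.9", "198.51.100.25", 25, b"VRFY admin\r\n"),                # alarm only; session continues
    Packet("203.0.113.50", "198.51.100.10", 80, b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),
    Packet("192.0.2.200", "198.51.100.10", 80, b"GET /new-tool.cgi?cmd=id HTTP/1.0\r\n"),   # no signature: silent
]


if __name__ == "__main__":
    sensor = Sensor()
    for alarm in sensor.run(TRACE):
        print(f"sig {alarm.sig_id} {alarm.name!r} {alarm.session} -> {alarm.action}")
    print(f"inspected {sensor.inspected} of {len(TRACE)} packets; "
          f"{len(sensor.reset_sessions)} session(s) reset")
```

Two details are worth noticing when running it. The third packet never reaches the signature loop because its session was already reset, which is what makes the reset action cheap for the sensor as well as for the victim host. The seventh packet produces nothing at all: a signature-based sensor is silent about anything it has no pattern for, which is why the team correlates IDS output with other data rather than treating an empty alarm display as proof of a clean network.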

Intrusion Detection: The Cisco Secure Intrusion Detection System (IDS) supports a broad range of deployments, providing protection for small and large networks alike. Dedicated IDS network appliances, Catalyst® Switch IDS module (IDSM) line cards, and IDS functionality within Cisco IOS® Software ensure early detection and termination of unauthorized network activity.

To keep the technology up-to-date, Cisco's InfoSec staff spends significant time researching new threats and sharing information with security organizations such as the System Administration, Networking, and Security (SANS) Institute. The remote configuration and administrative capabilities of Cisco Secure IDS enable efficient management of IDS units, including pushing new signatures to every sensor, to protect against the latest threats. The full line of Cisco Secure IDS products supports a broad range of deployments, from large enterprise campuses, such as Cisco's main campus in San Jose, to smaller branch offices or small business locations.

But as Rob Rolfsen, Cisco information security architecture group manager, explains, IDS is only one weapon in the full arsenal of LAN security tools. The InfoSec team continuously looks for a correlation of data to ensure adequate protection and to validate intrusion incidents.

The Great Wall
The Cisco InfoSec team uses a combination of Cisco Secure PIX Firewalls and Cisco Secure Access Control Servers (ACS) to protect various segments of the network.

Cisco Secure PIX Firewalls are an integrated hardware and software solution that provides full firewall protection. Unlike typical CPU-intensive, full-time proxy servers that perform extensive processing on each data packet at the application level, PIX Firewalls use a non-UNIX, secure, real-time, embedded operating system that allows rapid processing of data traffic. Although the InfoSec team uses a number of PIX Firewalls, it is currently preparing to deploy the high-capacity Cisco Secure PIX 535 Firewall at key locations to keep pace with ever-growing traffic volumes. The PIX 535 supports more than 500,000 concurrent connections and 1 Gigabit per second of throughput.

Firewall protection is supplemented by Cisco Secure ACS, a network security software solution that provides centralized authentication, authorization and accounting (AAA) for users connecting through a network access server (NAS) device, such as an access server, PIX Firewall, or router; the NAS hands each login to ACS (over RADIUS or TACACS+) rather than keeping its own user database. But as Cisco InfoSec security architect Rakesh Bharania explains, the vast scope of the Cisco network is too much for any single technology to protect adequately.

"Our access list is 5,000 lines long," Bharania says. "We have an extensive network of interrelationships, and because we are a provider company, we always have a need to test this piece of technology here, or that piece of technology there." To address these concerns, the InfoSec team uses Cisco 7500 Series routers with extended access lists for external protection of the overall network.
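The extended access lists mentioned above are evaluated top to bottom, first match wins, with an implicit deny for anything that matches no entry, which is why ordering a 5,000-line list is a security decision and not just housekeeping. The following added example, which is not Cisco IOS code, parses a constructed extended ACL of the kind applied inbound on an Internet-facing router interface and evaluates flows against it exactly as that logic dictates, then shows what happens when the anti-spoofing entries are moved below a "permit ... established" entry. Assumptions: the addresses are RFC 5737 documentation ranges with 198.51.100.0/24 standing in for the corporate block, wildcard masks are contiguous, only destination-port qualifiers are used, and object groups, time ranges and other IOS ACL features are not modelled.

```python
"""First-match evaluation of an IOS-style extended access list (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int | None = None
    established: bool = False     # TCP packet with ACK or RST set (reply traffic)


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None
    established: bool
    text: str                     # the original line, for reporting


def _parse_addr(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress treats a mask whose first octet is 0 as a host mask, which is
    # exactly an IOS wildcard; a non-contiguous wildcard raises ValueError here.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] == "access-list":       # strip "access-list <number>"
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport, established = None, False
    while i < len(tokens):
        if tokens[i] == "eq":
            dport, i = int(tokens[i + 1]), i + 2
        elif tokens[i] == "established":
            established, i = True, i + 1
        else:
            i += 1                       # "log" and similar keywords (assumption: ignored)
    return Ace(action, proto, src, dst, dport, established, line)


def evaluate(acl: list[Ace], flow: Flow) -> tuple[str, str]:
    """Walk the list top to bottom; return (action, matching line)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        if ace.established and not flow.established:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of list"


# Constructed list, applied inbound on the outside interface: packets claiming
# a private source or the corporate block's own addresses cannot be genuine.
ACL_LINES = [
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any log",              # RFC 1918 source: spoofed
    "access-list 101 deny ip 198.51.100.0 0.0.0.255 any log",              # our own block from outside: spoofed
    "access-list 101 permit tcp any host 198.51.100.10 eq 80",
    "access-list 101 permit tcp any host 198.51.100.10 eq 443",
    "access-list 101 permit tcp any host 198.51.100.25 eq 25",
    "access-list 101 permit tcp any 198.51.100.0 0.0.0.255 established",   # replies to sessions opened from inside
]
ACL = [parse_ace(line) for line in ACL_LINES]

# Same entries with the anti-spoofing denies moved to the bottom: a forged
# packet "from inside" with ACK set now hits a permit entry before any deny.
MISORDERED = ACL[2:] + ACL[:2]

if __name__ == "__main__":
    flows = [
        Flow("tcp", "203.0.113.7", "198.51.100.10", 80),
        Flow("tcp", "203.0.113.7", "198.51.100.10", 22),
        Flow("tcp", "198.51.100.77", "198.51.100.10", 80, established=True),
        Flow("tcp", "203.0.113.7", "198.51.100.40", 4000, established=True),
        Flow("udp", "203.0.113.7", "198.51.100.10", 80),
    ]
    for f in flows:
        print(f, "->", evaluate(ACL, f), "| misordered:", evaluate(MISORDERED, f)[0])
```

The spoofed flow (a packet from 198.51.100.77 arriving on the outside interface with ACK set) is denied by the second entry of the correctly ordered list and permitted by the misordered one, with no change to any individual entry. Two practical checks follow from this: keep the anti-spoofing denies at the top, and remember that "established" only looks at TCP flag bits, so it is a filter on packet shape, not proof that a session exists.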

Tunnel Home
One growing area of concern for the InfoSec team is the proliferation of mobile workers who need access to e-mail and other network functions while on the road or at home. Some 25,000 Cisco employees are sometime telecommuters, and thousands more contractors, partners and vendors need regular access to the corporate network. Until recently, these road warriors could only connect via dial-up modem, a tedious and tenuous proposition, or through a dedicated ISDN or DSL circuit. Now, a user who has Cisco's VPN client software loaded on her remote PC or laptop can access Cisco's network via any Internet connection.

Enterprise VPN: The Cisco VPN 3000 Concentrator Series is an enterprise-class, remote-access VPN solution that can support up to 10,000 simultaneous remote access sessions.

At the central site, InfoSec implemented Cisco's own VPN 3000 Concentrator Series remote access VPN devices, which support Cisco's centrally controlled VPN client on Windows platforms. Remote users establish encrypted tunnels from the Cisco VPN Client on their machine to the VPN 3000 Concentrators at the edge of the corporate network, so traffic is protected end-to-end across whatever Internet connection they are using. The VPN 3000 Concentrator's purpose-built architecture enables the capacity, availability and scalability that Cisco's remote access VPN deployment requires.

Getting the Message Out
With 30,000 users inside Cisco's firewalled network, and nearly 20,000 additional active accounts on the network, including vendors, contractors, partners and telecommuters, perhaps the most important part of Cisco's security program is education.

Security policies are woven into each new employee's orientation, and InfoSec keeps the message current with posters, e-mail reminders, even messages from CEO John Chambers.

Cisco Campus in San Jose: Maintaining network security is everyone's job at Cisco. Whether it's John Chambers, Cisco chief executive officer, or the InfoSec team, reminders that our intellectual assets are our most important assets abound. "The key," says Richard Perlotto, "is to create a security-conscious environment where everyone understands both how to maintain a secure workplace and why it's vital to do so."

"Security evangelism is a big thing here," says Rolfsen. "For example, one of the areas we're constantly focused on is passwords. Users must change passwords that don't comply with detailed company guidelines, and passwords must be changed regularly."

A big part of Cisco's security-consciousness comes from the hands-on involvement of senior management in the security effort. As new products are rolled out in the company, InfoSec is represented early in the lifecycle to ensure that security is built into the system, not tacked on later as an afterthought. Also key to this effort is a thorough security review of Cisco's own products prior to any deployment on the Cisco network. The Cisco Secure Consulting team routinely provides these product assessments in addition to quarterly Security Posture Assessments (SPAs). A SPA gives the InfoSec team a snapshot of the vulnerabilities present on the corporate network at the time of the assessment, an essential input to measuring risk.

Twice a year, InfoSec meets with members of the Cisco board of directors to report on anticipated security risks and suggest possible ways to address them. Every quarter, the team, armed with fresh SPA results, meets with an executive steering committee for ongoing guidance and support. "Two important factors to a successful security program are senior management support and managing security from a risk-management perspective," says Bob Spiegel, director of corporate information security. "We focus on identifying and reducing risk. It is a process, not an event."

InfoSec representatives also meet regularly with employees throughout the company to ensure that security awareness is ingrained into the day-to-day operations of the company.

"In a lot of companies, the prevailing attitude is that the security department is seen as a roadblock, only interested in saying no," says Rolfsen. "At Cisco, we see ourselves as an enabler of the business. We're here to help the business accomplish whatever it needs to, in the most secure fashion possible."

All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.