Security Services

Table Of Contents

Overview

Key Drivers for Managed Security Solutions

Benefits of Managed Security Services

Market Adoption by Customer Size

Service Description

Phase I: Network Security Consulting Services

Phase II: Network Security Implementation Services

Phase III: Network Security Management Services

Phase IV: Network Security Education and Training Services

Service Offering by Customer Segment

Cisco Security Solutions

Cisco Secure Integrated Software

Cisco PIX Security Appliance

Cisco Intrusion Detection System

Cisco Access Control Server

Cisco Security Management Tools

Cisco Partners

Cisco Security Training Services

Cisco Secure Consulting Services

Network Management System (NMS) and Operations Support System (OSS) for Managed Security Services

For More Information

Overview

---

Managed Security Services

Service providers can help businesses stop intruders from shutting down networks, removing password files, stealing online corporate assets, intercepting sensitive e-mail, and fraudulently misrepresenting data or users. Security breaches like these affect companies where it matters most: the bottom line.

By providing reliable, effective, and affordable managed security solutions, service providers can help customers protect their information—and their businesses. This paper describes the managed security market in the United States and Canada. It examines growth prospects, market segments, and services. The paper also presents some important Cisco^® security solutions that service providers can use to protect their customers from security threats.

Key Drivers for Managed Security Solutions

The increased focus on network security is being driven by the devastating financial impact today's threats can have on an organization's productivity, resources, information, and reputation. The cost of security breaches has gone up 30-50 percent in the past five years. In a 2002
CSI/FBI Report on Computer Crime, in an investigation of over 500 Companies, 80 percent of respondents acknowledged financial losses.

As organizations increase their security, they are realizing that best-of-breed security products are only part of the solution. They also require the manpower, expertise, time, and budget to implement, monitor, and manage the security infrastructure. Resources that either do not currently exist or are better utilized focusing on growing the business. This realization has created a need to establish a security management partnership.

Businesses are looking to partner with a managed security services provider for many reasons:

•Fear of security breaches they may overlook

•To boost security quality and reliability

•To reduce the need to hire specialized IT resources

•To reduce the cost of a total security solution

•To rollout security services faster

•To reduce capital and operating expenses

•To have access to dynamic technology

•Increased complexity of e-business models

•Government regulation (such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act) that compels organizations to improve security to protect end users

Service providers can capitalize on these needs by offering services such as perimeter security, secure connectivity, intrusion detection, authentication, server and desktop protection and policy management, as well as security consulting, implementation, management, and training. The hardware investment can be minimized by utilizing the Customer's existing Cisco infrastructure and/or enabling multiple managed services on a single integrated platform.

IDC, a prominent international industry-analysis firm, frequently conducts studies of the managed security market. Combining small and medium-sized businesses (SMBs) and enterprises, they estimate that the managed security market was US$8.5 billion in 2002 and that it will grow to more than US$21 billion by 2007, as Figure 1 reveals. This forecast includes services for firewall management, virtual private networks, intrusion detection, virus scanning and vulnerability assessments, as well as consulting, implementation, and training.

Figure 1

Managed Security Market Potential

According to international market research and consulting firm, Infonetics, the United States represents over 50 percent of the managed security market expenditures, with European expenditures representing over 30 percent. The adoption rate for managed security in Europe is higher (over 25 percent) than in the United States (13 percent).

Benefits of Managed Security Services

In a 2002 survey of 240 small, medium-sized, and large companies, Infonetics found that respondents cited reliability as the leading criterion for choosing an outsourced managed security service. Other managed security benefits that companies value include:

•Increased security

•Access to security expertise

•Reduced operating and capital expenses

•Access to the latest security technologies

•Increased time and resources to devote to core business

•Improved efficiency of in-house IT staff

•Faster deployment of security solutions

Market Adoption by Customer Size

As Figure 2 illustrates, smaller companies are most likely to subscribe to managed security services. These companies can more cost-effectively capitalize on a service provider's experience, economies of scale, and technology than they can build security capabilities on their own.

Figure 2

Adoption Rate of Managed Security by Company Size

To best meet the varying managed security needs of these market segments, service providers should develop services that support a range of access speeds, protect varying numbers of assets (such as computers and servers), and accommodate different numbers of users. This approach allows service providers to offer flexible security-service packages.

According to Infonetics, small, medium-sized, and enterprise companies today spend more on virus scanning and firewalls than on any other managed security service, but intrusion detection represents the fastest growing security service. Firewalls protect internal computers and networks from unauthorized access, and intrusion detection systems alert administrators to network normally undetected until after resources have been impacted.

Enterprise Businesses

Enterprise organizations tend to internally manage some network security requirements, but few companies have the expertise to build complete solutions themselves. Consequently, service providers can serve as consultants, helping enterprises to assess their security strengths and weaknesses and to develop security policies. This approach allows customers to outsource certain services rather than every aspect of their security programs.

Even large organizations such as banks and government departments that traditionally handle all their security in house are gradually outsourcing some security services. Service providers that enable large enterprises to control their network security services stand to make the greatest gains in this market.

Small and Medium-Sized Businesses

Strong outsourcing candidates, SMBs want managed firewalls and managed intrusion detection systems. Economical, one-box router and firewall devices are ideal solutions for these markets.

Segmentation by Industry Vertical

To target specific industries, service providers should use different service bundles. Driven by regulatory pressures, competition, or both, organizations in the financial, government, and health-care sectors require more stringent security controls than do companies in other industries. Service providers can cater to these high-need clients by combining managed firewall, intrusion detection, and virtual private network (VPN) services.

Service Description

IDC categorizes managed security services into four life-cycle phases:

•Consulting

•Implementation

•Management

•Education and training

Service providers should strive to address their clients' network security needs at each life-cycle phase. Service providers that lack the resources to offer services throughout their clients' life cycles should consider partnering with other companies to fill service gaps.

Phase I: Network Security Consulting Services

Many companies enter the security services life cycle in the consulting phase. Others subscribe to consulting services when they change their IT infrastructures. Consulting therefore offers service providers a way to win new business and generate extra revenue from existing customers. Service providers can partner with security consultants, IT companies, or integration firms to offer security consulting services, or they can build these services into their own portfolios.

Even companies that manage their own network security are candidates for consulting services, which can include:

•Reviewing and developing security policies

•Determining enterprise security needs and developing security plans

•Assessing technical weaknesses by testing current network security

•Analyzing routers, switches, firewalls, and other security controls to look for security shortcomings in operating systems, legacy equipment, databases, and network security services

•Auditing systems to determine how well they comply with government regulations or industry standards

Phase II: Network Security Implementation Services

At this stage, companies have a security plan. Now they need to implement the hardware and software to follow that plan. Service providers should note that clients usually hire their security consultants to handle implementation as well.

Implementation services can include:

•Reviewing and recommending security products

•Acquiring, inspecting, and connecting security hardware

•Obtaining, installing, and testing software

•Implementing access policies

•Setting up terminal ports, clients, users, groups, databases, and directories

•Integrating the new system into the network

•Training IT and other personnel

Phase III: Network Security Management Services

At this stage, customers have assessed their security needs and have implemented the security hardware and software to address those needs. They now require security management services that capitalize on their newly implemented systems. These management services can include firewall provisioning, intrusion detection, VPNs, content filtering and blocking, virus protection, and vulnerability testing.

Service providers can choose to offer end-to-end security management solutions, or they can provide security services individually. This latter approach allows service providers to gain a client's confidence with one security offering and then promote others as the relationship evolves.

Security management services can include:

•Managing security devices 24 hours per day

•Creating processes to escalate issues and respond to problems

•Authenticating users

•Employing managed firewall services to restrict network protocols and traffic

•Detecting intrusions or unauthorized access to networks, systems, services, applications, or data

•Protecting outsourced e-mail services, gateways, and firewalls from viruses

•Responding to security breaches or other security incidents

Phase IV: Network Security Education and Training Services

In this fourth phase, service providers can help clients learn about the network security products and technologies that protect their assets. Training can range from general security awareness sessions to product information clinics to formal certification programs.

Service providers that lack the resources to train clients may want to partner with other organizations to offer these types of services.

Service Offering by Customer Segment

This paper divides the market for managed security services into two main segments: enterprise organizations—businesses with more than 1000 employees—and small and medium-sized businesses defined as those with 1000 or fewer employees.

Segmenting markets according to size helps service providers offer solutions that fit with their clients' traffic loads and number of users, servers, databases, and applications.

Enterprise Businesses

Enterprise businesses typically operate networks with high-bandwidth connectivity, employ numerous teleworkers, and oversee multiple remote sites. These companies often need to protect a wide variety of information assets, each with potentially different security levels.

Customer Requirements

As Figure 3 illustrates, more than half of all enterprises today deploy firewalls, virus scanning, intrusion detection, encryption, authentication, and vulnerability testing services. According to Infonetics, this number will increase to over 80 percent by 2006. Note that even though the firewall market seems saturated, many large firms are likely to implement second and third firewalls to further improve security.

Figure 3

Security Technology Usage—Large Business

Enterprises typically rely on in-house IT experts to provide these security services, but service providers are gaining business in this market by offering the following:

•Access to security expertise and the latest security technology

•Compatibility with existing equipment

•A full suite of managed security offerings

•Individual security services and secure service bundles

•Consulting, implementation, and training services

•Effective and rapid management of threats and incidents that could compromise network security

•Excellent customer service

•Partnerships with best of breed vendors

•Penalty-based service-level agreements (SLAs)

•Lower prices from economies of scale

Service providers that offer these features can help large businesses:

•Focus on core competencies

•Free staff from day-to-day security administration

•Reduce operational costs

•Take advantage of service provider expertise and economies of scale

•Capitalize on incident reports

•Identify potential security threats and attacks

Solution Sets

It is recommended that service providers sell managed security services individually. This approach allows enterprises to outsource portions of their network security operations while keeping the ability to change policies, manage real-time user access, update services online, and control other security-related activities—important concerns for large businesses.

This paper looks briefly at two services that service providers can offer individually: managed firewall and intrusion detection.

Managed Firewall Services

Managed firewall services for enterprise customers typically consist of a Cisco PIX^® 525 or Cisco PIX 535 Security Appliance at customer headquarters and Cisco PIX 515 Security Appliance at branch offices. Alternatively, service providers could install Cisco 1700, 2600, 3600, 3700, or other Cisco series routers with Cisco IOS^® Software at the branch offices. Service providers could also manage an internal firewall, such as Cisco PIX 515s, to protect systems within the clients' LANs.

To add value or options, service providers can offer Web portals for reporting, 24-hour-per-day monitoring, SLAs, high-availability options, and customer network management.

Intrusion Detection Services

To provide managed intrusion detection services, service providers would typically install Cisco IDS 4230s or Cisco Catalyst^® 6000 Series IDS modules on critical network segments. Service providers would also install host sensors on hosts and critical systems behind the external firewall. They could add value by including 24-hour-per-day monitoring, failover, load balancing, SLAs, and automatic response services.

Positioning

Service providers compete primarily with in-house IT teams. Consequently, service providers should position their managed services as reliable, allowing customers to control policy changes and user access. As well, service providers should show that by reducing security breaches and associated downtime, they can help corporate IT teams better support in-house applications and networks—an attractive productivity boost.

Small and Medium-Sized Businesses

With fewer employees and branches, SMBs typically have lower bandwidth connectivity than do large businesses. They also need to protect fewer information assets, they are more price-sensitive, and they are more likely to outsource than are enterprise clients.

Customer Requirements

As Figure 4 illustrates, IDC reports that more than 75 percent of medium-sized businesses use virus scanning and firewalls. The chart also reveals that between 50 and 75 percent of medium-sized companies employ several security technologies.

Figure 4

Security Technology Usage—Medium Business

Figure 5 below indicates that small organizations are least interested in network security services. Yet, these customers are more inclined to purchase managed security services than are either medium-sized or enterprise businesses. Small businesses are more likely to subscribe to virus scanning and firewall services.

Figure 5

Security Technology Usage—Small Business

SMB customers want managed security service providers to do the following:

•Protect their IT investments and systems for relatively low monthly fees

•Allow them to conduct Internet business securely

•Enable them to focus on their core businesses

•Act as a single resource for security services

•Bundle Internet access, VPN, and Web hosting with managed security or offer these services as options

•Provide access to security expertise and the latest security technology

•Produce frequent incident reports

•Identify security threats and attacks

•Recommend responses

•Offer excellent customer service

•Guard broadband Internet connections

Solution Sets

With less in-house expertise and fewer resources, customers in the SMB segment will more readily outsource their security solutions than will enterprise businesses. Outsourcing allows SMBs to take advantage of the skills and economies of scale that service providers offer—an important benefit.

Unlike large businesses that want service providers to provide individual security services, SMBs prefer bundled services. Service providers that bundle managed firewall and intrusion detection services with Web hosting, high-speed Internet access, or VPN services will therefore appeal to this segment. Service providers may want to avoid promoting consulting and implementation services because the SMB segment may find them too expensive.

A typical managed solution for the SMB market would consist of a Cisco PIX 515 Security Appliance or Cisco IOS Software within either a Cisco 1700, 2600, 3600, or 3700 series, or other router. Service providers would provide intrusion detection service based on Cisco IOS Software to all critical segments over an IP Security (IPSec) protocol site-to-site and over a remote-access VPN network. Optionally, service providers could manage host sensors on hosts and critical systems behind the external firewall.

Positioning

Service providers compete primarily with other service providers for SMB business revenues. To best appeal to this market, service providers should promote their network security expertise and position their services as reliable and attractively priced.

Cisco Security Solutions

Service providers can use Cisco products to provide an extensive variety of security services. This section describes some of the most powerful and popular Cisco security technologies and solutions available today.

Cisco Secure Integrated Software

The security feature set in Cisco IOS software is collectively called the Cisco Secure Integrated Software and includes the firewall feature set, intrusion detection feature set, authentication proxy feature set, and port application mapping feature set. Service providers can add Cisco Secure Integrated Software to the Cisco 800, uBR900, 1400, 1600, 1700, 2500, 2600, 3600, 3700, 7100, 7200, and 7500 series routers. The software is also available on the Cisco Catalyst 5000 Series Route Switch Module (RSM).

Cisco PIX Security Appliance

Customers that want even greater security can install Cisco PIX Security Appliances, which combine Stateful Firewall, VPN and Intrusion Detection/Protection in a hardened appliance. Providing unmatched reliability and functionality, the Cisco PIX Security Appliance scales to fit a wide variety of customer requirements and network sizes. Several models exist, ranging from high-capacity units that can handle half a million concurrent connections to lower-capacity versions designed for the small office-home office (SOHO) market.

A Cisco Firewall Solution

Companies can use both Cisco Secure Integrated Software and Cisco PIX Security Appliance to establish multiple lines of defense. For instance, companies could put their external servers—Web, e-mail, public File Transfer Protocol (FTP), and others—behind Cisco routers equipped with Cisco Secure Integrated Software. The routers serve as the first line of defense.

Cisco PIX Security Appliances represent the second line of defense. In the event of a first-line network security breach, Cisco PIX Security Appliances help prevent intruders from accessing corporate private network servers, mail hubs, and clients. To further strengthen security, service providers can deploy network-based intrusion detection systems, which are discussed below.

Cisco Intrusion Detection System

The Cisco Intrusion Detection System (IDS) allows businesses of all sizes to identify and reduce network threats. It helps them to detect, prevent, and react to unauthorized network activity.

The NIDS primarily address attacks targeted at network devices, network services, and applications. Each is described briefly here.

Cisco Network-Based IDS Sensors

The Cisco Intrusion Detection System is an integral part of a total threat prevention implementation. It is a real-time network-based IDS (NIDS) designed for banks, the military, and other organizations that operate critical networks. Cisco engineered its IDS family to prevent denial-of-service attacks, detect intruders, and defend e-commerce business.

Cisco IDS scales to meet a wide variety of customer requirements and network sizes and consists of three models: the Cisco Catalyst 6000 IDS, the Cisco IDS 4230, and the Cisco IDS 4210.

Cisco Host-Based IDS Sensors

Network intruders frequently target host servers. Consequently, Cisco developed its IDS Host Sensor to identify attacks and prevent unauthorized access to critical server resources. Whereas other host defense systems merely detect problems, the Cisco IDS Host Sensor lessens potential damage by stopping intruders from accessing servers.

Cisco Access Control Server

The Cisco Secure Access Control Server (ACS) allows organizations to centrally control network login and user privileges from a Web-based graphical interface. Using Cisco ACS, network administrators can determine which account information to record for security audits or account billing. They can also set up network access and command controls for lower level network administrators.

Cisco Security Agent Software

Network intruders frequently exploit vulnerabilities in servers and desktops. Even when patches are available to prevent an exploit, many organizations simply do not have the time or resources to continuously update their systems. Until recently, the only method of attempting to protect these systems was with a Host Intrusion Detection System. These systems only run on servers thereby offering no protection to the large number of user desktops in an organization. Because of their dependence on signatures, servers were left vulnerable until a signature was created to identify an exploit and the Host IDS software was updated.

In response to the inefficiencies of H-IDS products, Cisco has developed the Cisco Security Agent network security software that provides threat protection for server and desktop computing systems, also known as endpoints. The Cisco Security Agent goes beyond conventional endpoint security solutions by identifying and preventing malicious behavior before it can occur, thereby removing potential known and unknown security risks that threaten enterprise networks and applications. Because the Cisco Security Agent analyzes behavior rather than relying on signature matching, its solution provides robust protection with reduced operational costs.

Cisco Security Management Tools

VPN/Security Management Solution

CiscoWorks VPN/Security Management Solution (VMS), an integral part of the SAFE Blueprint from Cisco, combines Web-based applications for configuring, monitoring, and troubleshooting enterprise VPNs, firewalls, and network and host-based intrusion detection systems. Table 1 lists CiscoWorks VMS modules and their functions:

Table 1  CiscoWorks VPN/Security Management Solution Components

Module	Usage
Management and Monitoring Centers:
Management Center for PIX security appliances	Configures PIX security appliance
Management Center for IDS Sensors	Configures network-based IDS
Management Center for VPN Routers	Configures VPN routers
Monitoring Center for Security	Monitors network and host-based IDS events, Cisco IOS Software, and PIX syslog
Auto Update Server	Permits configurations to be pulled from update server
Common Services	Provides a set of common software and services for the management centers
Cisco Secure Policy Manager	Configures PIX Security Appliance, Cisco IOS firewall, and VPN Policies
Cisco CSA Management Console	Configures and Monitors Cisco Security Agents, to protect critical servers and desktops
VPN Monitor	Monitors IPSec-based site-to-site and remote access
VPN Resource Manager Essentials	Provides operational management such as software distribution, change audit, and syslog analysis
CD One/CiscoView	Provides graphical device management

Cisco Partners

Several partners provide management solutions for Cisco security products. Two of these solutions are noted here.

SolfSoft is a UNIX-based management tool that supports the Cisco Secure Integrated Software Firewall and Cisco PIX security appliance. It allows users to define, deploy, enforce, and audit security policies from a central location.

netForensics features a full set of e-business security management reporting services. It allows users to analyze Internet security devices postmortem and produce reports.

Cisco Security Training Services

Cisco offers numerous security courses and a Cisco Security Specialist designation. Please refer to the Cisco Security Training Services Web site at:

http://www.cisco.com/en/US/learning/le3/le30/le55/learning_learning_path.html

Cisco Secure Consulting Services

Cisco Secure Consulting Services help companies protect their IP networks. Rather than concentrating on policy-intensive exercises and reviews, Cisco security consultants focus on network bits and bytes—uncovering security gaps, fixing them, and removing intruders when they strike.

Cisco offers two types of security consulting services: a Cisco Security Posture Assessment that allows organizations to understand the security strengths and weaknesses of their networks and a Security Design Review that provides expert insights into and reviews of existing network security plans and design documents.

Network Management System (NMS) and Operations Support System (OSS) for Managed Security Services

The IP Solution Center is a unified service-management solution for Cisco routing, switching, and security products. The Cisco IP Solution Center manages:

•VPNs based on Multiprotocol Label Switching (MPLS) Border Gateway Protocol (BGP), IPSec, ATM over MPLS, and Frame Relay over MPLS

•Metro Ethernet services such as Ethernet Virtual Connection services (EVCS) transparent LAN services (TLS); and Ethernet to the home, building, or campus (ETTx)

•MPLS traffic engineering and MPLS-based bandwidth protection solution

•Security services such as IPSec VPNs, managed firewalls, and Network Address Translation (NAT)

The Cisco IP Solution Center Security Management Application management solution provides service providers with a robust and centralized management platform that minimizes the operational costs of network security and prevents inconsistent security policies. It also enables effective deployment and management throughout the entire life cycle of security services, including policy-based VPN, firewall, and NAT provisioning, as well as integrated security monitoring and security vulnerability reporting (via integration with third-party security software vendors).

Cisco IP Solution Center Security Management solution offers complete life-cycle management, from creating the security policy to real-time provisioning, service activation, service auditing, service assurance, and policy reconfiguration. Cisco IP Solution Center was designed to effectively accommodate the dynamic nature of security technologies, facilitating fast additions of devices, device upgrades or relocations, and other changes that allow customers to responsively address the needs of corporate clients. Designed for reliability, scalability, and flexibility, Cisco IP Solution Center enables customers to maintain security with no service disruptions.

Figure 6

Cisco IP Solution Center Security Management Application Accurately and Cost-Effectively Manages the Complete Life-Cycle of a Security Service Deployment

Featuring:

•Policy-based security management: Cisco IP Solution Center centrally manages the configuration of firewall and VPN site-to-site VPN, network-based VPN, remote-access VPN, DMVPN, and Easy VPN devices, allowing customers to effectively deploy hundreds of thousands of security policies to their networks.

•Cisco IP Solution Center Security Policy Manager allows customers to define global service-level policies. The software will then automatically generate the device-level commands and provision the network accordingly. Once defined, global policies can be reused across multiple networks. This powerful management platform enables customers to:

–Easily manage full-mesh, hub-and-spoke, or partial-mesh VPN topologies

–Efficiently deploy site-to-site, network-based VPN, remote-access VPN, DMVPN, and Easy VPN technologies

–Manage integrated generic routing encapsulation (GRE)

–Design and deploy complex firewall rules

–Automate failover and load-balancing configuration

–Enable large-scale NAT configuration

–Manage integrated QoS services

•Easy and automatic, or "plug and play," deployment: As business increases, companies typically add new security devices to their networks. Cisco IP Solution Center, working in collaboration with embedded Cisco CNS intelligent agents, can detect and manage newly added security devices dynamically and automatically. This gives our customers the ability to rapidly and dynamically deploy security services in a cost-effective manner. Once a new device is added to the network, the intelligent, embedded Cisco CNS Agent informs the Cisco CNS 2100 Series server, which operates Cisco IP Solution Center software, in real time of all the latest information about that particular device. Subscribing to the Cisco CNS Message Bus, Cisco IP Solution Center is then able to dynamically manage the security policy, which applies to each new device, accordingly. Because of the dynamic nature of networks, device configuration or status can be changed at any time. The intelligent, embedded Cisco CNS Agent can notify the Cisco CNS 2100 Series server of all the changes in network security devices—such as the change of the Dynamic Host Configuration Protocol (DHCP)-assigned IP address, loop-back interface, and so on—creating a network security management environment that does not require human intervention.

•Flexible administration: Cisco IP Solution Center provides role-based access control (RBAC) administration to enable granular management privileges control over network devices, services, provision actions, user groups, and all other possible components. Users can define administrative roles once and easily assign these roles to multiple users and user groups.

•High-performance service auditing: Cisco IP Solution Center Service Auditor validates IP service configurations and identifies faults to ensure high network integrity and service quality. Cisco IP Solution Center also generates reports about the status of service deployment (requested, pending, deployed, or operating). Service assurance features ensure that IP service target devices remain provisioned correctly and that the service itself is operational.

•SLA monitoring and reporting: Cisco IP Solution Center SLA Manager monitors IP-aware SLAs for round-trip times, availability, and usage. Thresholds can be configured that allow violations to be reported and recorded for billing purposes.

•Highly scalable open architecture: Cisco IP Solution Center is a highly scalable, open security management platform. The system's four-tier architecture, consisting of client, interface, control, and distribution tiers, means it can manage tens of thousands of security systems and devices.

Cisco IP Solution Center implements a business-centric, service-level management model that allows companies to define high-level policies, while the application of those policies to specific network devices is offloaded to the Cisco IP Solution Center software.

For More Information

To learn more about Cisco Managed Security Services, please contact your Cisco account manager.