White Paper


Protecting IP Communications
with Cisco's Integrated Security Solutions


The Importance of Security

Savvy organizations are exploiting the power of the Internet to tap new markets, attract and keep customers, and increase productivity and profitability. The resulting network convergence is affecting networking strategies and the types of products and solutions becoming available to enterprises over the coming years. Business is being redefined. To have a profitable and productive e-business, customers will need to scale to new technologies that support expanded capabilities—and at the same time, manage potential network resiliency threats such as viruses and worms, which can spell downtime if networks are not properly protected.

An IT challenge is to provide users with seamless access to these new network services—wherever they are in the world. The goal is to create an "extended enterprise" that gives users access from their homes, in their offices, in an airport or hotel, or in a remote office, either locally or on another continent. Services like voice and voice mail, instant messaging, contact center, storage, video and video conferencing, e-mail, Web access, and e-fax are no longer seen as luxuries or novelties, but ways in which nimble organizations are using their infrastructures to create competitive advantages.

Because these services have become fundamental, employees, customers, partners, and suppliers want excellent service, regardless of how they interact with the organization. As a result, IP networks have become the foundation for this growing list of mission-critical e-business applications, which has in turn increased the need for high operational uptime. In part, this requires implementing industry best practices for network security technologies and operating procedures—as new services make the network increasingly useful and complex, they also make it a more attractive target of attack. Hackers, vindictive employees, and even human error all represent danger to networks and their critical services. And with the new generation of debilitating viruses, Trojan horse programs, data interception, electronic theft, and denial-of-service (DoS) interruptions, significant damage can be sustained in a matter of minutes or even seconds.

The Scope of Security Threats

All IT managers agree that protecting network resources against security breaches is a necessity, but many are not willing to commit to the continual effort required. Without adequate network security, the organization is open to numerous risks—all of which are detrimental to profitability. Research firm Computer Economics projects that the likelihood that organizations will be hit with a network security attack is growing. Computer crime grew by approximately 42 percent between 2000 and 2001, and by approximately 21 percent between 2001 and 2002.

The eighth annual Computer Crime and Security Survey—conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad—provides an updated look at the impact of computer crime in the United States. Responses from 530 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities confirm that the threat from computer crime and other information security breaches continues unabated, and that the financial toll is mounting. Seventy-five percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months. Forty-seven percent (251 respondents) were willing or able to quantify their financial losses, and reported an average of $201,797,340 in financial losses, compared to average annual losses during the three years prior to 2000 of $120,240,180.

Economic Impact of Malicious Code Attacks

Viruses and other malicious code attacks are growing in number, and so is the cost incurred by companies, government organizations, and private individuals to clean up systems and get them back into working order. Malicious code attacks include worms and viruses of all types. The following tables show Computer Economics' analysis of the worldwide economic impact of malicious code attacks. Data is provided for specific high-profile incidents (Table 1). Economic impact includes the costs to eliminate the virus, the costs to clean and restore systems, lost revenue, and the effects on worker productivity.

Table 1   Code Attack Analysis by Incident

Year    Code Name     Worldwide Economic Impact
2001    Nimda         $635 million
2001    Code Red      $2.62 billion
2001    SirCam        $1.15 billion
2000    Love Bug      $8.75 billion
1999    Melissa       $1.10 billion
1999    ExploreZip    $1.02 billion

Source: Computer Economics

So far, damages from the Blaster worm are estimated to be at least $525 million, and Sobig.F damages are estimated to be from $500 million to more than one billion dollars (according to BusinessWeek and the London-based mi2g, among other reports in the media). The cost estimates include lost productivity, wasted hours, lost sales, and extra bandwidth costs. The Economist (August 23, 2003) estimated that Sobig.F was responsible for one of every 16 e-mail messages that crossed the Internet.

The SAFE Blueprint for Secure e-Business: The Proven Security Blueprint from Cisco

Fighting back against network security violators requires that you develop policies and procedures. The first step in any network security plan is to instill an awareness of system vulnerability—in all users of computer systems. If your organization does not employ security experts, bring in a consultant. Be prepared to respond to the consultant's recommendations, but keep in mind that even with the best of consultants, a security breach is inevitable. Your organization should be prepared to respond to a network security attack.

The principal goal of the SAFE Blueprint for Secure E-Business from Cisco is to provide best practices information to interested parties on designing and implementing secure networks. The SAFE Blueprint serves as a guide to network designers considering the security requirements of their networks, taking a defense-in-depth approach to network security design. This type of design focuses on the expected threats and methods of mitigation, rather than on "put the firewall here, put the intrusion detection system there." The SAFE strategy results in a layered approach to security, where the failure of one security system is not likely to lead to the compromise of network resources. While the SAFE Blueprint comes to you from Cisco Systems®, and can be best implemented based on integrated products from Cisco and its partners, it also allows for the implementation of products from other vendors.

The SAFE Blueprint is a revolutionary way of designing networks, providing a fundamental blueprint for making networks secure. Based on real-world situations and thousands of hours of testing in Cisco security labs, the SAFE Blueprint emulates as closely as possible the functional requirements of enterprise networks. The SAFE Blueprint is updated regularly to help ensure that the most current information is provided.

Even though implementation decisions can vary, depending on the network capability required, the following design objectives, listed in order of priority, guided the SAFE Blueprint development process:

  • Security and attack mitigation based on policy
  • Security implementation throughout the infrastructure (not just on specialized security devices)
  • Secure management and reporting
  • Authentication and authorization of users and administrators for critical network resources
  • Intrusion detection for critical resources and subnets
  • Support for emerging networked applications

The SAFE Blueprint is a network security design guide. It can prevent most attacks from successfully affecting valuable network resources. It also addresses attacks that succeed in penetrating the first line of defense, or that originate from inside the network, by helping you accurately detect and quickly contain them in order to minimize the effect on the rest of the network. The SAFE Blueprint uses several solutions, including deploying traditional security devices, hardening traditional infrastructure devices, and implementing Cisco's patented host-based intrusion prevention technology to harden your servers, call managers, and desktops against both known and unknown attacks.

The SAFE Blueprint takes into consideration the need for the network to continue to provide critical services that users expect. Because these elements have been brought together by Cisco, proper network security and effective network functions can be provided simultaneously for the first time.

Critical Elements of Network Security

Cisco delivers integrated network security solutions on modular scalable platforms that include a Cisco routing and switching infrastructure, security specialized appliances, and security management software, consulting, and educational services. Cisco Integrated Network Security solutions incorporate five elements that Cisco believes are critical to effective network security.

1. Extended Perimeter Security

This element provides the means to control access to critical network applications, data, and services so that only legitimate users and information can pass through the network. Routers and switches with access control lists and stateful firewalls, as well as dedicated firewall appliances, provide this control.

2. Data Privacy and Secure Connectivity

When information must be protected from eavesdropping or tampering, the ability to provide authenticated, confidential communications on demand is crucial. Two complementary architectures satisfy this requirement. Multiprotocol Label Switching (MPLS)-based VPNs help to ensure confidentiality via traffic separation, similar to the technique used in trusted Frame Relay or ATM network environments. IP Security (IPSec)-based VPNs provide confidentiality and integrity assurance through the use of strong encryption technologies.

MPLS is best deployed at the network core. IPSec VPNs, in turn, employ a flexible suite of encryption and tunneling mechanisms at the IP network layer. IPSec is most useful at the local loop, at the edge, and off-net.

3. Identity

Identity is the accurate and positive identification of network users, hosts, applications, services, and resources. Standard technologies that enable identification include authentication protocols such as RADIUS and TACACS+, Kerberos, and one-time password tools, as well as new technologies such as 802.1x, digital certificates, and smart cards. New requirements for flexible policies, scale, and mobility are assuming an increasingly important role in identity solutions.

4. Intrusion Protection

To help ensure that hosts and networks remain secure, it is important to secure the endpoints, and regularly test and monitor the state of security preparation. Network vulnerability scanners can proactively identify areas of weakness, while intrusion detection systems can monitor and respond to security events as they occur. Endpoint security solutions can help reduce an organization's dependence on constant software patching, reduce downtime, and increase system integrity. Using intrusion protection solutions, organizations can obtain unprecedented visibility into both the network data stream and the security posture of the network.

5. Security Management

As networks grow in size and complexity, the requirement for centralized management tools to manage device, configuration, and security events grows as well. Sophisticated tools that can define, distribute, enforce, and audit the state of network security policy through browser-based user interfaces enhance the usability and effectiveness of network security solutions.

Why Cisco for Security?

Cisco is the only company that takes a comprehensive, integrated systems approach to security in order to adequately defend and protect an organization's business processes. Three aspects are unique to the Cisco approach:

1. Collaboration between networking and security technologies

2. Transparent integration of security into IP services—data, voice, video, wireless, and storage

3. Voice-over-IP (VoIP)-ready security services that deliver voice-ready secure infrastructures—VoIP inspection on firewalls or toll-quality voice over VPN

In addition, Cisco provides:

  • Flexible, customizable deployment; the ability to use existing investments; and built-in scalability for growth and implementation of new technologies and applications
  • Dedicated security appliances and applications, router- and switch-based security, and other secure network devices
  • The widest range of security technologies—VPN, firewall, threat protection, identity services, content filtering, and behavior-based desktop and server protection
  • The highest-performance firewall (20 Gbps) and VPN (14 Gbps) in the market
  • The ability to deliver multiple security solutions (firewall, intrusion prevention, and VPN) and integrated network services (routing, WAN connectivity, VoIP, content, and switching) on a single device
  • Comprehensive coverage—security integrated into all platforms, including PCs and servers
  • Coverage across the entire network—wireless, LANs, campus, metro, edge, service providers, data centers, and branch offices
  • World-class technical services for deployment and support
  • Channel, product, and service partners

The Cisco IP Communications Value Proposition

It is possible to boost productivity and operational gains while growing your customer base with enhanced collaborative business communications. Unlike IP-enabled solutions from traditional voice vendors, Cisco IP Communications systems extend the value of your data network, delivering unparalleled management, quality of service (QoS), and security, as well as offering productivity applications which are severely limited (or simply not available) on proprietary voice networks.

You can empower your people with communications that enable them to interact with anyone, anytime, and anywhere. Cisco IP Communications systems take full advantage of the voice-ready intelligent information network, and provide a firm foundation for rolling out scalable convergence-based applications services. And you can protect that investment through resilient, stable solutions that deliver communications continuance during business fluctuations.

Best of all, these solutions interoperate with existing voice technology to help you accelerate your migration from traditional communications to IP Communications, giving you the ability to reap the full benefits of IP Communications as quickly as possible, resulting in a highly effective and empowered work environment.

Cisco IP Communications systems deliver measurable ROI by lowering administrative costs, enhance employee productivity and operational efficiency, and improve customer service and loyalty—and are built on a mission-critical resilient infrastructure. Isn't it time you took advantage of the high-impact solutions available to you from Cisco Systems?

Related Links

To reach Cisco:
http://www.cisco.com/

For more details about Cisco Integrated Security:
http://www.cisco.com/go/security

For more details about the SAFE Blueprint from Cisco:
http://www.cisco.com/go/safe

For more information about security services from Cisco and its partners:
http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html