
Security Solutions for Enterprise

Protecting Corporate Applications in Collaborative Business Environments

EXECUTIVE OVERVIEW

Network security threats increasingly target applications. As a result, organizations are forced to make difficult tradeoffs between opportunity and risk when using online processes to reach corporate objectives. The Cisco® Self-Defending Network application abuse prevention solution allows organizations to manage network security risk associated with the deployment of online business processes, helping to ensure that organizations achieve their objectives, while managing associated risks.

OVERVIEW

Information technology creates strategic opportunities, but these opportunities bring risks that must be managed as new applications and a global network drive change and extend relationships with customers, partners, and suppliers. Organizations of all sizes are relying on mission-critical applications that are increasingly Internet-enabled and that cross traditional security boundaries. Meanwhile, application attacks are becoming more creative, more dangerous, and faster, with decreased time to impact. The silo-based "fortress" model cannot provide the necessary defenses. A new approach to security is needed that is integrated, collaborative, and adaptive, enabling organizations to reach their business objectives while managing risk.

THE CHALLENGE

Network and Internet-based applications are fundamentally changing the way systems are built and how they interact with other systems. Collectively, these trends are dramatically changing traditional business models and creating new opportunities for outsourcing, offshoring, supply chaining, insourcing, and in-forming, all of which are being amplified and "turbocharged" by new technology applications such as wireless and voice over IP (VoIP). These new approaches are enabling business collaboration in a way that is "digital, mobile, virtual, and personal"*.
In order to take advantage of these trends to meet business objectives for growth and revenue, organizations are moving toward new application delivery frameworks and consolidated infrastructures. As a result, service-oriented architectures are driving new forms of collaboration, while data center consolidation is driving application delivery and operational efficiency models. These new delivery systems and centralized architectures are fundamentally changing the way internal systems are built and how they interact with other systems.
As a result, organizations are moving more business processes, such as finance, HR, manufacturing, or sales, online. In addition, Web browsing, e-mail communications, and IP telephony are becoming core elements of the business infrastructure. Messaging and presence applications (instant messaging, for example) are increasingly seen as valuable business tools for communication among employees, as well as with partners and customers.
* Thomas Friedman, "The World is Flat: A Brief History of the Twenty-first Century"
But greater business collaboration brings increased risk that must be managed. Despite an increase in security spending worldwide, Internet crime is on the rise. According to research firm Computer Economics, the criminals are winning: total worldwide damage from attacks in 2004 was US$17.5 billion, a record, and 30 percent higher than 2003**. Experts agree these numbers will increase with the growth of extended collaboration and new applications based on Internet services.
Part of the problem is that as organizations have increased their reliance on the network and Internet-based distributed computing, mission-critical business applications that used to be contained within a data center behind a company's firewall are now available anytime, anywhere, across traditional security boundaries, leaving applications vulnerable to abuse. Application behavior such as "port-hopping" and tunneling allows applications to scan for and find open ports in a firewall, such as the port used for Internet browsing (port 80), and to tunnel themselves through those openings, making it virtually impossible for traditional security devices that operate at lower layers to enforce policy. In addition, the most common forms of attack, such as SQL injection, authorization problems, or buffer overflows, take advantage of known Web site vulnerabilities that are difficult to test for because of the amount of new code added daily to servers (Sverre Huseby, Common Security Problems in the Code of Dynamic Web Applications, 2005).
Compounding these problems are an organization's users. One of the greatest threats to business processes comes not from hackers or competitors, but from employees, partners, and trusted insiders with authorized access to a company's networks, systems, and information. Protecting systems from insiders requires a different approach: developing and enforcing security policies that prevent users from damaging systems and data, or from opening holes that others can exploit, whether through negligence or bad intent.
In an effort to keep up, many organizations purchase one network security tool after the next, increasing the complexity of their security functions and creating a level of "security noise" that makes it difficult to identify legitimate incidents. Understaffed, they are often caught in a repetitive cycle, trying to keep up with the latest security patches while exhausting valuable time and resources. This lack of control over applications can drain employee productivity and network resources, and can expose an organization to regulatory and legal concerns.
As a consequence, the cost of application abuse has become staggering. Damage caused by a single attack can disrupt business operations worldwide. An organization can also suffer directly through productivity losses and a damaged brand or reputation. Indirect costs also add up: lost sales, weakened customer relations, or legal liabilities. Traditional firewall, intrusion detection, and antivirus solutions no longer provide adequate protection. In addition, these solutions lack the critical network services and performance profile required for deployment in a modern network. For example, business-critical traffic, such as IP telephony, must be highly available and delivered across the network with toll-quality service. It is unacceptable for security services to impact service delivery across the network. The Cisco Self-Defending Network application abuse prevention solution allows organizations to manage the network security risk associated with the deployment of online business processes, helping to ensure that organizations achieve their objectives efficiently while managing associated risks.

THE SOLUTION

A comprehensive application security solution requires application awareness across a network's applications and must meet the demanding performance and services requirements of today's networks. In addition, advanced inline detection, correlation, and mitigation technologies are needed to recognize and stop today's more complex attacks. In terms of scalability and deployment flexibility, these technologies must be integrated into the fabric of the IP infrastructure to facilitate cost-effective adoption, deployment, and operation.
** Business Week, May 2005, "Hacker Hunters: an elite force takes on the dark side of computing"
Desktops and servers must also assist in defining which applications have access to the network. These systems must establish and enforce application security rules and policies, providing "day zero" prevention for known and unknown attacks without needing signature updates, allowing organizations to take control of deploying updates while reducing associated costs. Finally, the solution must be tied together with a single management platform that allows for security device configuration across the network, desktops, and servers, and allows for the monitoring of heterogeneous environments to reduce security noise and increase protection.
The Cisco Self-Defending Network was designed to enable this comprehensive approach to application security. It includes Cisco ASA 5500 Series adaptive security appliances or Cisco PIX® security appliances; Cisco Intrusion Prevention System (IPS) software and hardware; Cisco Security Agent; Cisco Security Monitoring, Analysis, and Response System (CS-MARS); CiscoWorks VPN/Security Management Solution (VMS); and Cisco IOS® Software and Cisco IOS router and switch modules. Working together, these technologies protect against application abuse, providing comprehensive application security without the compromises of traditional solutions (Figure 1).

Figure 1. Cisco Self-Defending Network

Comprehensive Application Inspection

Comprehensive application network security requires application inspection and control across the full breadth of the network. To meet this challenge, the Cisco Self-Defending Network application abuse prevention solution includes Cisco application network security technology for application inspection and Cisco Security Agent (CSA) software for desktops to provide inventory, investigation, and control.
Located between security boundaries, Cisco application network inspection engines span all major network protocols to bring a new level of defense and policy control to networks. Each inspection engine monitors the application flow, and can flag and block protocol violations as appropriate to the specific protocol. In addition to protocol compliance, application network security inspection engines extend the access control toolset of security administrators through a robust set of controls that govern the use of individual features or capabilities within an application. All of these services are configurable in the simple yet powerful Cisco Adaptive Security Device Manager (ASDM) Web-based management solution, which uses wizards and an intuitive interface to enable rapid deployment of robust application protection.
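The following is an added illustration of what a protocol-compliance inspection engine of the kind described above does with the first client bytes of a flow to port 80; it is example code written for this page, not Cisco code and not the logic of any Cisco engine. The method allow-list, header limit and sample flows are assumptions constructed for the demonstration.

```python
"""Toy HTTP application-inspection check (added example, not Cisco code).
Given the first client-to-server bytes of a TCP flow to port 80, it decides
whether the bytes are well-formed HTTP and whether the request uses only
features the (assumed) policy permits, returning an allow/block verdict."""
import re
from dataclasses import dataclass

# Request line: METHOD SP request-target SP HTTP/1.x (no trailing CR/LF here)
REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/(1\.[01])$")
# Header line: token ":" OWS value OWS
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}  # assumed policy
MAX_HEADERS = 50      # assumed policy limit, not a Cisco default
MAX_LINE_LEN = 4096   # assumed policy limit


@dataclass
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def inspect_http_client_bytes(data: bytes) -> Verdict:
    """Assumes the captured bytes contain the complete request header."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        # Anything that never presents an HTTP header block (e.g. another
        # protocol tunnelled over port 80) fails protocol compliance.
        return Verdict("block", "no CRLFCRLF header terminator: not HTTP or truncated")
    lines = head.split(b"\r\n")
    if any(len(line) > MAX_LINE_LEN for line in lines):
        return Verdict("block", "header line exceeds length limit")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Verdict("block", f"malformed request line: {lines[0][:40]!r}")
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        # Feature control on top of compliance: the request is valid HTTP
        # but uses a capability the policy does not permit.
        return Verdict("block", f"method {method.decode()} not permitted by policy")
    headers = {}
    for raw in lines[1:]:
        h = HEADER_LINE.match(raw)
        if not h:
            return Verdict("block", f"malformed header: {raw[:40]!r}")
        headers[h.group(1).lower()] = h.group(2)
    if len(headers) > MAX_HEADERS:
        return Verdict("block", "too many headers")
    if version == b"1.1" and b"host" not in headers:
        return Verdict("block", "HTTP/1.1 request without Host header")
    return Verdict("allow", f"{method.decode()} {target.decode(errors='replace')} compliant")


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: x\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_3.9p1\r\n",            # non-HTTP protocol on port 80
    "connect": b"CONNECT mail.example:25 HTTP/1.1\r\nHost: mail.example\r\n\r\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost: a\r\nthis is not a header\r\n\r\n",
}


def inspect_all() -> dict:
    """Run every sample flow through the inspector; returns name -> action."""
    return {name: inspect_http_client_bytes(flow).action for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        v = inspect_http_client_bytes(flow)
        print(f"{name:12s} {v.action:5s} {v.reason}")
```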
Desktop endpoints must also participate in application investigation and control to prevent users from installing and running applications that are not allowed, or to mitigate threats for known and unknown attacks that circumvent traditional security boundaries. In addition, desktop endpoints must also control behavior using policies that disallow the execution of applications, or that allow the execution but block the bad behavior. To meet this challenge, Cisco Security Agent provides a wide range of application inventory and investigation capabilities, including:

• Controlling which applications are installed on a computer or group of computers and have access to the network

• Controlling behavior based on policy by blocking harmful actions but allowing execution of trusted code

• Defining and enforcing user-based security rules and policies

• Providing hot fixes and service pack checking

• Controlling installation of harmful software and removal of critical files

Comprehensive deployment solutions enable Cisco application inspection engines and desktop protection applications to scale to fit in all environments, from small and medium-sized businesses and branch office locations to large enterprises and service providers. Cisco's purpose-built application security platforms include Cisco ASA 5500 Series adaptive security appliances, Cisco PIX security appliances, and Cisco Catalyst® 6500 Series switch modules. The Cisco IOS Firewall Services Module (FWSM) for Cisco access routers provides coverage for small offices and branch offices, or between business partner systems, while Cisco Security Agent scales to more than 100,000 desktops.

Advanced Detection, Correlation, and Prevention

New and emerging application attacks require advanced detection, correlation, and prevention technologies. Cisco's application abuse prevention solution includes Cisco IPS Sensor Software, which stops application abuse in the network, and Cisco Security Agent, which provides protection at the server endpoints via day-zero update capabilities. Cisco IPS Sensor Software stops more attacks with greater confidence through:

• Accurate Prevention Technologies, which provide the confidence to take preventive actions on a broader range of threats without the risk of dropping legitimate traffic

• Risk Ratings, which reduce false positives on a per-signature basis by applying application security algorithms

• Comprehensive Response Actions, which can be tied to policy violations

Server endpoints must also participate in the enforcement of application policy and behavior. Cisco Security Agent provides "zero update" prevention for known and unknown attacks without needing signature updates, giving organizations control in deploying updates while reducing associated costs. In addition, Cisco Security Agent aggregates and extends multiple endpoint security functions, providing host intrusion prevention, distributed firewall, malicious mobile code protection, spyware/adware prevention, operating system integrity assurance, and audit log consolidation, all within a single agent. Desktops and servers are proactively protected against entire classes of attacks, including port scans, buffer overflows, Trojan horses, malformed packets, malicious HTML requests, and e-mail worms.
Comprehensive deployment solutions provide intrusion prevention solutions for all environments, from small and medium-sized businesses and branch office locations to large enterprises and service providers. Cisco's purpose-built IPS platforms include Cisco IPS 4200 Series sensor appliances, Cisco Catalyst 6500 Series switch modules, and the Advanced Inspection and Prevention Security Services Module (AIP-SSM) for Cisco ASA 5500 Series adaptive security appliances. The IDS module for Cisco access routers provides traditional detection with enhanced capabilities. Additionally, a focused set of intrusion prevention capabilities is available as a Cisco IOS Software solution for Cisco routers.

Unified Management

To protect applications and systems, security decisions must be made in real time. Cisco Security Monitoring, Analysis, and Response System provides unmatched insight and control over an existing security deployment. Because Cisco Security MARS learns and functions with full network intelligence and real-time knowledge of network activity, it can quickly relate information arriving from application logs with information arriving from the network to:

• Make sense out of separate, often puzzling messages from applications, and build actionable incidents

• Graphically show how the abuse is introduced (source) and what assets are being targeted

• Use the application intelligence resident in network IPSs and firewalls, enabling these adaptive components to work together to build a total "solution" instead of discrete point products

• Validate important information across intelligent devices in order to tune them and increase their accuracy

A key component of Cisco's security management lifecycle, Cisco Security MARS provides the means for security and network organizations to identify, manage, and counter application abuse. It uses existing network and security investments to identify, isolate, and remove offending elements. It also helps maintain internal policy compliance and can be an integral part of the overall regulatory compliance solution.
For device configuration and event viewing, Cisco solutions include the Cisco Device Manager for single device management and event monitoring, and CiscoWorks VMS, which combines Web-based tools for configuring, monitoring, and troubleshooting VPNs, firewalls, network IDSs, and host IPSs. CiscoWorks VMS also includes network device inventory, change audit, and software distribution features.

A Unified Approach to Protect Against Application Abuse

New applications and a global network are driving change and extending relationships with customers, partners, and suppliers. Organizations of all sizes are relying on service-oriented architectures and mission-critical applications that are increasingly Internet-enabled and that cross traditional security boundaries. Meanwhile, application attacks are becoming more creative, more dangerous, and faster, with decreased time to impact. An integrated, collaborative, and adaptive approach is needed to enable organizations to reach their business objectives, while managing risk.
To meet these needs, the Cisco Self-Defending Network application abuse prevention solution allows organizations to manage network security risk associated with the deployment of online business processes, helping to ensure that organizations achieve their objectives efficiently, while managing associated risks. The Self-Defending Network is a system-based architecture that enables enterprises to better implement network security controls that support industry control frameworks and best practice, increasing an organization's overall security posture while readying it to meet legal and regulatory compliance requirements. Unlike the point product approach that other vendors offer, the Cisco Self-Defending Network application abuse protection solution provides a system-based shift to network security that helps manage network security complexity, cost, and compliance.
To find out more about Cisco Self-Defending Network application abuse prevention solutions, please visit: http://www.cisco.com/go/AppAbuse
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-4000 / 800 553-NETS (6387), Fax: 408 526-4100
European Headquarters: Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel: 31 0 20 357 1000, Fax: 31 0 20 357 1100
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-7660, Fax: 408 527-0883
Asia Pacific Headquarters: Cisco Systems, Inc., 168 Robinson Road, #28-01 Capital Tower, Singapore 068912, www.cisco.com, Tel: +65 6317 7777, Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus · Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel · Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal · Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan · Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · Zimbabwe
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0502R) 205342.N_ETMG_KL_9.05 Printed in the USA