Security Solutions for Enterprise

Security Across the Enterprise: Protect and Empower your Branches

Today's branch offices rely upon increasingly sophisticated business-critical applications to keep the distributed workforce as productive and efficient as possible. A branch office can be defined as a physical location that is separate from the primary headquarters of an enterprise. Branch offices range in size from a few people to a few thousand people. What they have in common is that they are part of a distributed network of applications and services. They may or may not have in-house IT staff that manages local servers, applications, and Internet access.

Under-defended branch offices make enterprises vulnerable to attacks that can harm productivity and to breaches that can expose information to compromise. Successfully defending the enterprise at the branch offices requires a collaborative, defense-in-depth approach.

The Cisco Empowered Branch integrates complex, remotely manageable networked services to accommodate today's increasingly mobile work styles and rich media applications. It includes some or all of the following capabilities:

• Unified data, voice, and video converged on the network platform

• Optimized WAN with application-acceleration technologies

• Integrated, adaptive, and collaborative security

• Highly available, integrated wired-wireless connectivity

• Consistent headquarters-based applications and services available in all branch offices

The Cisco Empowered Branch also incorporates security into the network and at the endpoints to mitigate attacks and breaches. Enterprises need to ensure that branch office IT resources support regulatory compliance efforts to meet standards imposed by the Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley (GLB) Act, and other guidelines and legislation. The branch office IT infrastructure must be held to the same security standards as the headquarters network, able to defend itself against the same threats, and accountable for protecting information privacy.
This document provides an overview of the security threats and risks common to branch offices. It then defines the parameters to consider when designing a secure network to address those risks. It presents essential Cisco security solution components and some of the Cisco services that can help enterprises deploy and manage adequate security solutions in Cisco Empowered Branches.

What are the Security Threats that Affect My Business?

Understanding ever-changing security threats to the Empowered Branch is the basis for developing effective security policies. Security threats fall into one of two types: disruptive threats or loss and damage threats.
Disruptive threats are non-specific, such as viruses, worms, and Trojan horses. More recently, disruptive threats come from malware and spyware inadvertently allowed into endpoint systems through e-mail attachments and Websites. These infections spread to other devices and systems throughout the enterprise. Branch offices need systems to enforce a security policy that quarantines affected systems to prevent proliferation while the system is scrubbed of malicious code.
Loss and damage threats are targeted attacks that seek to obtain sensitive or confidential information that can be sold for profit, such as stealing personal records for identity theft. Privacyrights.org reports that since 2005, more than 166 million records were breached in the United States alone, not counting unreported breaches or those breaches where actual losses were unknown.
Data breaches damage customer trust, making it more expensive to acquire and retain customers, a cost difficult to calculate. Preventing such losses costs less than cleaning up after them. On cleanup costs, Forrester Research estimates that the average cost of a breach in the United States averages $90 per record in an unregulated industry, and up to $305 per record in a regulated industry. On prevention costs, Gartner Group Analyst Avivah Litan says, "A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined."
Enterprise Management Associates states that, "Disclosure of data security breaches can have a significant impact on share prices of publicly traded companies. Stock prices of those companies fell an average of 5 percent within the first month following the disclosure and remained between 2.4 and 8.5 percent below for the 8 months following. It took the stocks nearly one year to return to their original levels."

What Security Policies Do I Need to Put in Place?

To prevent and mitigate attacks in the Empowered Branch, security policies should address questions such as the following:

• Are all systems that connect to the network (wired and wireless computing and communication devices, video systems, and local servers) equipped with the latest system patches and endpoint protection software?

• How does the branch office access the Internet? If locally, is the connection protected from hackers and malicious code?

• Do employee computing systems and other endpoints have software that protects against threats from Web and e-mail content?

• Can the branch office network prevent viruses, malware, and spyware from gaining access to data center systems at headquarters?

• If there are local server resources, are they adequately defended?

• Are wireless networks configured for secure network access?

• Can local systems automatically prevent, detect, and mitigate attacks?

Questions to Consider When Designing Your Secure Branch Network

While a secure Empowered Branch should offer the same services as the headquarters network, it requires its own perimeter security, intrusion prevention, and content filtering. Securing a branch office for a particular enterprise begins with a design process that tailors the solution to both the functional considerations and physical requirements of the site. Deploying similar solutions at each site can simplify deployment and management, yet a universal approach may not suit the typical enterprise, where site requirements may vary for simple reasons, such as number of employees, or complex ones, such as local Internet access or servers.
Functional considerations may include the following:

WAN type: Does the branch office connect to the headquarters through a dedicated leased line or use a VPN over the Internet? How much bandwidth does it support? Is there enough bandwidth?

Internet access architecture: Do branch office users access the Internet through a local connection (called split tunneling), or over the WAN through a single headquarters connection?

Traffic mix: What applications do branch offices use? Which applications handle confidential data? Are applications transactional (such as Citrix) or do they use real-time streaming, such as IP voice or video? What kinds of traffic traverse the WAN or local Internet connection?

Server architecture: Are there local application or database servers onsite that need protection, or are all servers consolidated into centralized data centers?

Endpoint control: How do you protect endpoints, including user devices, servers, and network components, and ensure that they have the latest system patches and signature files?

Application types: The types and confidentiality of data passing between the headquarters data center and branch offices, along with factors such as regulatory compliance, determine whether to encrypt data through the WAN connection or VPN.

User profiles: Who is using networked resources at the branch: employees, contractors, partners, customers, and other guests? What are their access privileges?

Guest access: Many branch offices interact with customers and partners who need network services when they visit. These users and endpoints are not predictable, but their accessibility to the network should be controlled and their actions should be monitored and limited to reduce risks.

Wireless laptops and phones: Is there a local wireless network? Does the wireless network support user passwords or wireless encryption?

Unified communications systems: How vulnerable are the phones, TelePresence, and unified messaging systems? Do voice calls require encryption? Can messages carry spyware and viruses to phones or PCs?

Physical considerations may include the following:

Size: How many users and endpoints does the branch office support? This factor affects the choice of WAN type and speed, and whether to use a local or central Internet access.

Number of branches: Enterprises with a few branch offices may have more budgetary flexibility than companies with hundreds, or thousands, of branch offices, where cost quickly becomes a limitation for both deployment and management.

Available expertise: Most branch offices do not have IT personnel onsite; remotely manageable security is usually an essential requirement.

Cisco Security Solutions

The Cisco Self-Defending Network offers a variety of technologies and solutions for securing the Empowered Branch. The Cisco Self-Defending Network has an integrated, end-to-end security architecture that adapts to detect and mitigate changing threat profiles. It contains collaborative capabilities that allow security functions to interoperate.

Defense-in-Depth at the Empowered Branch

The Cisco Self-Defending Network security architecture of the Empowered Branch includes many of the same components as the headquarters security architecture, scaled to the size of the branch office. Deploying the same technologies throughout the organization, including the campus, data centers, and branch offices facilitates consistency across your architectures and reduces the number of management systems required to operate and secure the network. This efficiency lowers both capital and operational expenditures.
The secure Empowered Branch should include the following security functions:

Perimeter access security: This firewall functionality permits or denies access into the network at all entry points, including local Internet access and private WAN links to central resources. A perimeter defense in the branch also protects headquarters resources from incidents that occur in the branch office, such as a spyware infection or attempted hacker penetration.

Intrusion prevention: Examines higher-layer content of network traffic, using signatures and anomalous-behavior-detection algorithms to detect, quarantine, or stop unusual or unpermitted behaviors such as deliberate hacking or malware proliferation within the network infrastructure.

Content security: Protects users from downloading or receiving malicious code.

Access control: Enforces security policies defining who may enter the network through a VPN or LAN connection. Authentication verifies user identity and presents an opportunity to validate device configurations. Such validation helps ensure that devices allowed onto the network have the proper level of operating system patches and endpoint security software. Authorization permits or denies activities to a user or device, such as preventing a guest from logging into sensitive databases.

Endpoint security: Software on endpoint devices such as laptop and desktop computers, servers, gateway routers, and other devices scans for anomalous behavior to detect and eradicate malware and other malicious activities.

Secure communications: Protects voice and video streams and endpoints in a converged IP network through firewall filtering, call encryption, and malware filtering.

Remote management: Supports configuration and monitoring actions from the central management console.

One Box or Many?

After defining design requirements, the next decision is whether to deploy a single-box or multiple-appliance solution at each branch office (Figure 1). Single-appliance solutions may be the best choice where cost and footprint are more important, such as a retailer with 1500 branch locations without onsite IT staff.
Multiple-appliance solutions may be necessary where regulatory compliance requires more granular security, where applications require higher security performance, or to cost-effectively supplement security capabilities in an existing network. In both solution architectures, remote manageability allows centralized control and policy enforcement.

Figure 1. When to Choose Single Box vs. Multiple Box Solutions

All-in-One Multifunction Security Solutions

Cisco offers two solution options for a consolidated security architecture in the Empowered Branch: Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Integrated Services Routers, both of which support comprehensive, virtually identical suites of security technologies and functions in a single appliance (Figure 2). While both multifunction platforms can also serve in a multiple-appliance architecture (see next section), in general, the Cisco ASA 5500 Series is ideal for environments that require higher-performance security with larger scaling requirements. The Cisco Integrated Services Router platform is the more cost-effective security option for deployments into a large number of branch offices or increasing the security posture of an existing installed base.

Figure 2. Multifunction Security Appliances

Cisco ASA 5500 Series Adaptive Security Appliances are purpose-built, high-performance security solutions that integrate the latest technologies from Cisco PIX® 500 Series Security Appliances, Cisco IPS 4200 Series Sensors, and Cisco VPN 3000 Series Concentrators. These powerful multifunction network security appliances provide the security breadth and depth for protecting Empowered Branches while reducing overall deployment and operational costs and complexities. The Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity.
The flexible design of the Cisco ASA 5500 Series provides exceptional investment protection through programmable hardware, integrated Gigabit Ethernet connectivity, and a diskless, flash-based architecture. The series features a modular architecture and a flexible multiprocessor design, enabling high performance for multiple concurrent security services such as advanced firewall services, IPS services, content security services, and IP Security (IPsec) and Secure Sockets Layer (SSL) VPN services.
Its module slot allows enterprises to add other high-performance security services such as the Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC SSM). The CSC SSM provides comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering capabilities in a remotely manageable solution.
Cisco Integrated Services Routers support data, security, voice, and wireless networking services on a single platform for fast, scalable delivery of mission-critical applications. Their comprehensive security capabilities combine with proven Cisco IOS® Software functions and industry-leading LAN and WAN connectivity. An integrated solution is cost-effective, reducing the overall number of managed devices to lower the costs of training, management, power, and service contracts.
Cisco integrated router security solutions allow enterprises to equip the Empowered Branch to do the following:

• Protect the router itself, defending against attacks targeted directly at the network infrastructure

• Use existing infrastructure, delivering many security features on the router through Cisco IOS Software without deploying additional hardware

• Offer perimeter security with firewall, IPS, and VPN features

• Protect gateways, both WAN connections to the data center and local Internet access

Cisco integrated services routers also deliver advanced protection through three specialized security modules:

Cisco IPsec VPN Advanced Integration Module optimizes VPN performance for both IPsec and SSL VPN deployments.

Cisco Intrusion Prevention System Advanced Integration Module (IPS AIM) can identify, classify, and stop malicious traffic, including worms, spyware, adware, network viruses, and application abuse.

Cisco Network Admission Control (NAC) Network Module integrates feature-rich Cisco NAC Appliance Server capabilities, allowing administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network.

Multiple Appliance Solutions

Larger branch offices or locations with high security requirements (such as strict regulatory compliance) may need a multiple-appliance security architecture, which allows more granular control and higher overall performance than a single-box architecture (Figure 3).

Figure 3. Multiple Appliance Security Solution

The foundation of the multiple-appliance architecture is a Cisco ASA 5500 Series appliance or a Cisco integrated services router platform, which offer firewall, intrusion prevention, content security, and some access-control capabilities. Alongside these components, the Empowered Branch may also require one or both of the following: Cisco IPS 4200 Series Sensors and Cisco IronPort® S-Series™ Web security appliances.
The Cisco IPS 4200 Series Sensor offers the same IPS technology that is integrated into the IPS modules for the Cisco ASA 5500 Series appliance and Cisco integrated services routers. As a signature-based appliance, the sensor can accurately identify, classify, and stop malicious traffic, before it affects your business. It delivers precision impact-threat analysis and a rich set of response actions for flexible and precise response policies. Its management and correlation tools focus on policy, providing granularity to fine-tune the IPS configuration.
The Cisco IronPort S-Series is the industry's fastest Web security appliance, combining a high-performance security platform with exclusive Cisco IronPort Web Reputation technology and the breakthrough Cisco IronPort Dynamic Vectoring and Streaming™ (DVS) engine, a new scanning technology that enables signature-based spyware filtering. Robust management and reporting tools deliver ease of administration and complete visibility into threat-related activity.
For automated, real-time signature updates, Cisco IronPort solutions can harness the Cisco IronPort SenderBase Network, which provides an unprecedented real-time view into security threats from around the world. SenderBase data powers Cisco IronPort Virus Outbreak Filters™, a preventive security service that protects enterprises from viruses well before antivirus vendors publish virus signatures. SenderBase examines the broadest set of data in the industry, currently examining more than 40 different parameters about Web traffic. This data is derived from a highly diverse group of more than 100,000 organizations, including the largest networks in the world, which contribute information to SenderBase in five billion messages per day.

Access and Endpoint Control

Access and endpoint control are vital components of Empowered Branch security. They form the first line of defense against threats such as spyware and viruses. The access-control system authenticates users and devices and authorizes their activities on the network. The authentication system should also include the ability to enforce the latest operating system patches and antivirus signature updates on fixed and mobile computing devices before permitting access. Authorization associates a specific user with a user profile that defines what the user may or may not do on the network. At the Empowered Branch, the Cisco Self-Defending Network includes the Network Admission Control (NAC) architecture in the network and Cisco Security Agent inside endpoints.
At the Empowered Branch, NAC functionality can be deployed as a Cisco NAC Network Module in the Cisco integrated services router. When router slots are full, or as performance requirements demand, a dedicated Cisco NAC Appliance can perform admission control for one or a group of branch offices. Both solutions communicate through the WAN with the Cisco NAC Appliance Manager at the central security operations console. A Cisco NAC agent on each endpoint helps the NAC architecture to identify each user and device requesting a network connection.
Cisco NAC supports single sign-on through a Windows password, and is compatible with authentication systems that support a variety of protocols such as Lightweight Directory Access Protocol (LDAP), RADIUS, and Microsoft Active Directory. This discussion does not consider centralized access-control servers and third-party authentication and authorization solutions, because they are not deployed in a branch office.
The critical actions that the Cisco NAC Appliance performs are the following:

• Recognizes users, their devices, and their roles in the network. This first step occurs at the point of authentication, before malicious code can cause damage.

• Evaluates whether machines are compliant with security policies. Security policies can include specific antivirus or antispyware software, OS updates, or security patches. The Cisco NAC Appliance supports policies that vary by user type, device type, or operating system.

• Enforces security policies by blocking, isolating, and repairing noncompliant machines.

• Noncompliant machines are redirected into a quarantine area, where remediation occurs at the discretion of the administrator.

Among the policies that Cisco NAC can enforce is a requirement for Cisco Security Agent in all endpoints attached to the network. Cisco Security Agent protects against threats in server, desktop, laptop, and point-of-service (POS) computing systems. It goes beyond conventional endpoint security solutions, providing an industry-leading defense against targeted attacks, spyware, rootkits, and day-zero attacks. It offers proactive protection against unknown threats, new exploits, and variants trying to take advantage of recently announced vulnerabilities. Security operators can put granular controls in place to manage policy compliance for users, applications, systems, locations, and network addresses.
Cisco Security Agent provides "zero update" system integrity protection for critical servers that cannot be taken out of service to apply OS- or application-specific vulnerability patches. It helps reduce emergency patching of systems to respond to vulnerability announcements, minimizing patch-related downtime and IT labor.
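The four NAC Appliance steps listed above (recognize, evaluate, enforce, quarantine), together with the policy that every endpoint must run Cisco Security Agent, can be expressed as a small admission decision. The following is an added illustration written for this page, not Cisco code; the patch-level numbers, signature-age limits, VLAN names, and endpoints are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    user: str
    role: str                     # employee, contractor or guest
    os: str                       # "windows" or "linux" (constructed labels)
    patch_level: int              # constructed baseline number; higher is newer
    av_signature_date: date       # date of the newest antivirus signature set
    security_agent_present: bool  # Cisco Security Agent installed and intact

@dataclass(frozen=True)
class Policy:
    min_patch_level: int
    max_signature_age: Optional[timedelta]  # None: signature age not checked
    require_security_agent: bool

# Constructed policy table. Policies vary by role and OS; "*" matches any OS.
POLICIES = {
    ("employee", "windows"):   Policy(42, timedelta(days=7), True),
    ("employee", "linux"):     Policy(17, timedelta(days=7), True),
    ("contractor", "windows"): Policy(42, timedelta(days=3), True),
    ("guest", "*"):            Policy(0, None, False),
}
ROLE_VLAN = {"employee": "corp", "contractor": "partner", "guest": "guest-internet-only"}
QUARANTINE_VLAN = "quarantine-remediation"

def recognize(ep: Endpoint) -> Optional[Policy]:
    """Step 1: map the authenticated user's role and device OS to a policy.
    Returns None when no policy covers the combination, so access is refused."""
    return POLICIES.get((ep.role, ep.os)) or POLICIES.get((ep.role, "*"))

def evaluate(ep: Endpoint, policy: Policy, today: date) -> list[str]:
    """Step 2: return every way the machine fails its policy (empty = compliant)."""
    findings = []
    if ep.patch_level < policy.min_patch_level:
        findings.append(f"patch level {ep.patch_level} below required {policy.min_patch_level}")
    if policy.max_signature_age is not None:
        age = today - ep.av_signature_date
        if age > policy.max_signature_age:
            findings.append(f"antivirus signatures {age.days} days old")
    if policy.require_security_agent and not ep.security_agent_present:
        findings.append("Cisco Security Agent missing")
    return findings

def admit(ep: Endpoint, today: date) -> tuple[str, list[str]]:
    """Steps 3 and 4: a compliant machine lands on its role VLAN, a noncompliant
    one is isolated in the remediation VLAN, and an unknown role is denied."""
    policy = recognize(ep)
    if policy is None:
        return "denied", ["no admission policy for this role and OS"]
    findings = evaluate(ep, policy, today)
    if findings:
        return QUARANTINE_VLAN, findings
    return ROLE_VLAN[ep.role], []

if __name__ == "__main__":
    today = date(2008, 6, 1)
    sample = [  # constructed endpoints requesting admission
        Endpoint("alice", "employee", "windows", 45, today - timedelta(days=2), True),
        Endpoint("bob", "contractor", "windows", 45, today - timedelta(days=5), True),
        Endpoint("visitor", "guest", "linux", 0, date(2006, 1, 1), False),
        Endpoint("carol", "employee", "macos", 99, today, True),
    ]
    for ep in sample:
        vlan, why = admit(ep, today)
        print(f"{ep.user:8} -> {vlan:24} {'; '.join(why)}")
```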
Cisco Security Agent offers more than a standalone endpoint security solution. It collaborates with network security devices to increase the effectiveness of the overall network deployment:

Firewall: Cisco Security Agent can enhance the firewall and application inspection capabilities of Cisco ASA and Cisco PIX security appliances to examine particular applications based on Cisco Security Agent traffic markings.

Intrusion prevention: Cisco Security Agent collects host information that it can share with Cisco IPS modules and devices to enhance the overall awareness and relevance of IPS actions in the network.

VPN: Cisco VPN capabilities in the Cisco ASA 5500 Series can take advantage of Cisco Security Agent personal firewall and host IPS features to provide robust endpoint security for IPsec and SSL VPN remote-access users.

NAC: Cisco Security Agent prevents modification to the NAC agent, helping to ensure consistent NAC policy enforcement.

Centralized Management

The Cisco Self-Defending Network at the Empowered Branch supports remote manageability. Centralized control enables consistent policy enforcement and facilitates rapid responses to security incidents at a remote location. Cisco offers two solutions that deliver manageability to the Empowered Branch. Cisco Security Manager supports security deployment and configuration, while Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) provides operational incident and performance monitoring for ongoing vigilance.
Cisco Security Manager delivers comprehensive policy administration and enforcement for the Cisco Self-Defending Network from a central management console. It delivers provisioning of Cisco firewall, VPN, and IPS services across Cisco routers, Cisco security appliances, and Cisco switch services modules. Its powerful policy-based management techniques allow provisioning and configuration management through a GUI that supports device-centric and map-centric views. It includes flexible configuration templates to speed deployment and security configuration changes to devices in all Empowered Branches.
Cisco Security MARS is deployed in the Empowered Branch as an appliance that communicates with a central device in the security operations center. It is an easy-to-use threat-mitigation appliance that enables operators to centralize, detect, mitigate, and report on priority threats using the network and security devices already deployed in the infrastructure.
Cisco Security MARS performs these activities:

• Integrates network intelligence to modernize correlation of network anomalies and security events

• Visualizes validated incidents and automates investigation

• Mitigates attacks by taking full advantage of your existing network and security infrastructure

• Monitors systems, network, and security operations to aid in compliance

Cisco Security MARS requires no endpoint software; instead, it reads and correlates event data generated by devices in its domain, which can be a single branch or a group of branch offices. The appliance centrally aggregates logs and events from a wide range of popular network devices (such as routers and switches), security devices and applications (such as firewalls, IPSs, vulnerability scanners, and antivirus applications), hosts (such as Windows, Solaris, and Linux syslogs), applications (such as databases, Web servers, and authentication servers), and network traffic (such as Cisco NetFlow).
The Cisco Security MARS appliance supports event data from both Cisco and third-party security solutions, enabling complete visibility to the security posture of the network it monitors. Cisco maintains the current list of supported products online at http://www.cisco.com/en/US/products/ps6241/products_device_support_tables_list.html
Cisco Security MARS integrates tightly with Cisco Security Manager. Cisco Security MARS also provides centralized reporting for Cisco NAC.
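The correlation described above, in which events from an IPS, a firewall and hosts are combined into a validated incident rather than reported one by one, can be sketched as follows. This is an added illustration, not MARS code or its rule language; the log lines, the signature id and the threshold of three denied connections within sixty seconds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event feed: one IPS alert, firewall denies, and a host logon.
# Format (constructed): "<timestamp> <source> key=value ...".
LOG_LINES = [
    '2008-06-01T10:00:01 ips sig=1234 name="SMB worm propagation" src=10.1.5.23 dst=10.1.5.40',
    '2008-06-01T10:00:03 firewall action=deny proto=tcp src=10.1.5.23 dst=10.2.0.11 dport=445',
    '2008-06-01T10:00:04 firewall action=deny proto=tcp src=10.1.5.23 dst=10.2.0.12 dport=445',
    '2008-06-01T10:00:05 firewall action=deny proto=tcp src=10.1.5.23 dst=10.2.0.13 dport=445',
    '2008-06-01T10:00:30 host event=logon user=alice src=10.1.5.77',
    '2008-06-01T10:01:00 firewall action=deny proto=tcp src=10.1.5.77 dst=10.2.0.11 dport=445',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
WINDOW = timedelta(seconds=60)   # denies must follow the alert within this window
DENY_THRESHOLD = 3               # minimum denied connections to call it propagation

def parse(line: str) -> dict:
    """Turn one constructed log line into a dict with ts, source and key=value fields."""
    ts, source, rest = line.split(maxsplit=2)
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    for key, value in KV.findall(rest):
        event[key] = value.strip('"')
    return event

def correlate(events: list[dict]) -> list[dict]:
    """Raise one incident per IPS alert whose source host then has at least
    DENY_THRESHOLD firewall denies inside WINDOW. A lone deny (10.1.5.77)
    or an alert without follow-on denies never becomes an incident."""
    by_src = defaultdict(list)
    for e in events:
        if "src" in e:
            by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for alert in (e for e in evs if e["source"] == "ips"):
            denies = [e for e in evs
                      if e["source"] == "firewall" and e.get("action") == "deny"
                      and alert["ts"] <= e["ts"] <= alert["ts"] + WINDOW]
            if len(denies) >= DENY_THRESHOLD:
                incidents.append({
                    "src": src,
                    "signature": alert["name"],
                    "deny_count": len(denies),
                    "targets": sorted({d["dst"] for d in denies}),
                    "first": alert["ts"],
                    "last": denies[-1]["ts"],
                })
    return incidents

def run() -> list[dict]:
    return correlate([parse(l) for l in LOG_LINES])

if __name__ == "__main__":
    for inc in run():
        print(f"{inc['first']} incident: {inc['signature']} from {inc['src']} "
              f"-> {inc['deny_count']} blocked attempts to {', '.join(inc['targets'])}")
```

The incident record carries the source address and the window, which is what an operator needs to act on the existing infrastructure (for example, by quarantining that host through NAC) rather than chasing six separate events.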

Cisco Security Services

Cisco Security Services deliver comprehensive security operations management to your enterprise, enabling you to control expenditures as you effectively maintain the integrity and privacy of sensitive information, and maximize network availability, reliability, and stability.
Cisco Security Remote Management Services help your enterprise manage security across dozens or hundreds of branch offices. These services help you to maximize the value of security investments by keeping devices available and operational, offloading the day-to-day security monitoring and management operations of the Empowered Branch infrastructure. Your enterprise saves time, money, and effort by scaling change, configuration, and release management processes with Cisco support staff available 24 hours a day.
Cisco Security Remote Management Services help your enterprise to manage security functions in Cisco Empowered Branch networks and increase security-posture awareness. This set of services delivers 24-hour access to a team of highly trained and certified security and networking experts who provide:

• Operational support for security-incident monitoring

• Security solution fault- and performance-incident management

• Problem resolution, security infrastructure tuning

• Secure network access-control support

Cisco Security Remote Management Services encompass three complementary services:

Cisco Security Access Control Remote Management Service offers a detailed set of monitoring, management, and reporting methodologies for access control that help create a more tightly controlled, more closely monitored, and more secure environment.

Cisco Security Intrusion Prevention Remote Management Service offers a detailed set of monitoring, managing, and reporting methodologies for accurately detecting known threats, helping your enterprise to closely patrol Empowered Branch networks for intrusions and to effectively mitigate security incidents.

Cisco Security VPN Remote Management Service offers a detailed set of monitoring, management, and reporting methodologies that help improve the security and performance of VPN solutions.

The Cisco IPS Signature Management Service provides access to signature updates for Cisco IPSs deployed as dedicated appliances or integrated into Cisco ASA 5500 Series appliances or Cisco integrated services routers. This automated "push" service eliminates the need for staff to remember to check for updates. This remote release-management and signature-tuning service enables the Empowered Branch security infrastructure to adapt to emerging threats and to patch vulnerabilities, automatically preventing intrusions. Cisco security analysts help central security management staff to deploy signature updates and tune each new release to specific environments with lower cost and less effort than manual adjustments.

Security in a Changing Landscape

The Cisco Empowered Branch supports the increasingly mobile and collaborative work styles of the 21st century. The diversity and availability of networked services pose a daunting security challenge: providing high-quality data, voice, video, and mobility services to authorized users while preventing disruptive and targeted attacks on the enterprise network and its resources. The Cisco Self-Defending Network provides a manageable, integrated, adaptive, and collaborative architecture for protecting enterprise branch offices. Along with the expertise and cost-effectiveness of Cisco Security Services, the Cisco Self-Defending Network enables your enterprise to do business effectively, and safely, at your Cisco Empowered Branches.

For More Information