Cisco Cisco ASA 5585-X Adaptive Security Appliance 백서
Cisco and Public Sector Cyberdefense
6
Assessment in the LAN
Nevertheless, identifying the user solves only part of the problem.
Although users might be allowed on the network based on the overall
security policy, the computers or devices they are using might not be
desired on the network. The pervasiveness of laptop computers and
handheld devices has increased worker mobility and productivity.
However, these devices are far more likely to become infected with a
virus or worm, which might be unintentionally carried into the network
environment. There must be a continual assessment of devices before
they are allowed on the network.
Although users might be allowed on the network based on the overall
security policy, the computers or devices they are using might not be
desired on the network. The pervasiveness of laptop computers and
handheld devices has increased worker mobility and productivity.
However, these devices are far more likely to become infected with a
virus or worm, which might be unintentionally carried into the network
environment. There must be a continual assessment of devices before
they are allowed on the network.
Cisco Network Admission Control (NAC) is an important part of
the Cisco security architecture. Whereas Cisco IBNS verifies the
identity of the user, NAC can verify both the identity of the user and the
“posture” of the user’s device.
the Cisco security architecture. Whereas Cisco IBNS verifies the
identity of the user, NAC can verify both the identity of the user and the
“posture” of the user’s device.
2
The Cisco Catalyst switching platforms
act in conjunction with the Cisco NAC appliance and agent to form the
NAC system. The Cisco NAC Agent collects security state information
from multiple security software clients, such as antivirus clients, and
communicates this information to the connected Cisco network, where
access control decisions are enforced. Application and operating system
status, such as antivirus and operating system patch levels or credentials,
can be used to determine the appropriate network admission decision.
NAC system. The Cisco NAC Agent collects security state information
from multiple security software clients, such as antivirus clients, and
communicates this information to the connected Cisco network, where
access control decisions are enforced. Application and operating system
status, such as antivirus and operating system patch levels or credentials,
can be used to determine the appropriate network admission decision.
The switches demand host credentials from the Cisco NAC Agent and
relay this information to policy servers, where NAC decisions are made.
Based on customer-defined policy, the network enforces the appropriate
admission control decision: permit, deny, quarantine, or restrict. These
ACLs are configured automatically in the edge switches based on the
policy returned to the switch. If clients do not authenticate correctly, they
can be placed in the “quarantine VLAN” so that they can update their
virus-checking software or client-based security agents. It is possible
that, based on 802.1x authentication, the port is enabled, only to be
restricted or denied because a device is not considered “safe.”
relay this information to policy servers, where NAC decisions are made.
Based on customer-defined policy, the network enforces the appropriate
admission control decision: permit, deny, quarantine, or restrict. These
ACLs are configured automatically in the edge switches based on the
policy returned to the switch. If clients do not authenticate correctly, they
can be placed in the “quarantine VLAN” so that they can update their
virus-checking software or client-based security agents. It is possible
that, based on 802.1x authentication, the port is enabled, only to be
restricted or denied because a device is not considered “safe.”
Cisco NAC is an important element in providing ongoing network
assessment of new threat vectors. While periodic point-in-time security
assessment of new threat vectors. While periodic point-in-time security
audits are a recommended best practice for any evolving network, Cisco
NAC provides ongoing, dynamic assessment of security status in the
intervals between such audits.
NAC provides ongoing, dynamic assessment of security status in the
intervals between such audits.
Detection in the LAN
While 802.1x and NAC can be very useful in normal network operations,
some focus must also be given to anomalous events in the network. Fully
authenticated users can still run programs that might threaten security.
New viruses, intrusion methods, and other threats are developing every
day. How can the network detect and protect itself from the unknown?
some focus must also be given to anomalous events in the network. Fully
authenticated users can still run programs that might threaten security.
New viruses, intrusion methods, and other threats are developing every
day. How can the network detect and protect itself from the unknown?
Cisco
NetFlow is an embedded instrumentation within Cisco IOS
®
Software to characterize network operation. Visibility into the network
is an indispensable tool for IT professionals. Cisco NetFlow creates an
environment where administrators have the tools to understand who,
what, when, where, and how network traffic is flowing. When the network
behavior is understood, an audit trail of how the network is utilized is
available. Cisco NetFlow has played an important role in the first version
of the US-CERT Einstein monitoring system, which is deployed at several
U.S. federal agencies
is an indispensable tool for IT professionals. Cisco NetFlow creates an
environment where administrators have the tools to understand who,
what, when, where, and how network traffic is flowing. When the network
behavior is understood, an audit trail of how the network is utilized is
available. Cisco NetFlow has played an important role in the first version
of the US-CERT Einstein monitoring system, which is deployed at several
U.S. federal agencies
.3
This increased awareness reduces vulnerability
of the network as related to outage and allows efficient operation of the
network.
network.
The ability to characterize IP traffic and understand how and where it
flows is critical for network availability, performance, and troubleshooting.
Monitoring IP traffic flows facilitates more accurate capacity planning
and makes sure that resources are used appropriately in support of
organizational goals. It helps IT determine where to apply quality of
service (QoS) and optimize resource usage, and it plays a vital role in
network security to detect denial-of-service (DoS) attacks, network-
propagated worms, and other undesirable network events. Cisco
NetFlow can be used for anomaly detection and worm diagnosis along
with applications such as the Cisco Security Monitoring, Analysis, and
Response System (Cisco Security MARS). Several third-party COTS
applications also use Cisco NetFlow to detect and respond to anomalous
traffic flows.
flows is critical for network availability, performance, and troubleshooting.
Monitoring IP traffic flows facilitates more accurate capacity planning
and makes sure that resources are used appropriately in support of
organizational goals. It helps IT determine where to apply quality of
service (QoS) and optimize resource usage, and it plays a vital role in
network security to detect denial-of-service (DoS) attacks, network-
propagated worms, and other undesirable network events. Cisco
NetFlow can be used for anomaly detection and worm diagnosis along
with applications such as the Cisco Security Monitoring, Analysis, and
Response System (Cisco Security MARS). Several third-party COTS
applications also use Cisco NetFlow to detect and respond to anomalous
traffic flows.
2
Cisco NAC is flexible and
interoperable with IBNS. It
can be configured to use
IBNS to check user identity,
or it can check user identity
by itself (without IBNS).
can be configured to use
IBNS to check user identity,
or it can check user identity
by itself (without IBNS).
3
The US-CERT Einstein
Program is a project that
builds cyber-related
situational awareness across
the federal government.
The program monitors
government agencies’
networks to facilitate the
identification and response
to cyberthreats and attacks,
improve network security,
increase the resiliency
of critical electronically
delivered government
services, and enhance
the survivability of the
Internet. It is a combination
of government off-the-shelf
(GOTS), COTS, and open
source technologies and
software.
Program is a project that
builds cyber-related
situational awareness across
the federal government.
The program monitors
government agencies’
networks to facilitate the
identification and response
to cyberthreats and attacks,
improve network security,
increase the resiliency
of critical electronically
delivered government
services, and enhance
the survivability of the
Internet. It is a combination
of government off-the-shelf
(GOTS), COTS, and open
source technologies and
software.
Continue
Previous