Cisco ASA 5585-X Adaptive Security Appliance White Paper
Cisco and Public Sector Cyberdefense
9
causing the failure be identified and remediated? To counter these
attacks, features are needed that are as flexible as possible, in terms of
both classification and mitigation capabilities. While antivirus, intrusion
detection, and other capabilities can respond to well-known attacks,
there is also a need to quickly take action against new attacks, for which
the attack signature might not be known.
Cisco Flexible Packet Matching (FPM) provides the means to
configure match criteria for any or all fields in a packet’s header, as well
as bit-patterns within the packet’s payload within the first 256 bytes. This
allows the characteristics of an attack (source port, packet size, byte
string) to be uniquely matched and for a designated action to be taken.
FPM provides a flexible Layer 2–7 stateless classification mechanism.
The user can specify classification criteria based on any protocol and
any field of the traffic’s protocol stack. Based on the classification result,
actions such as drop or log can be taken.
The offset or depth at which to begin matching can be referenced from
several locations in the packet. Some of these locations are dependent
upon loading a Protocol Header Definition File (PHDF). FPM can work
with well-known, established protocols such as IP, TCP, and UDP (PHDFs
for these and other protocols are available for download) or with custom
protocols that are described with a user-defined PHDF. The ability to
define and dynamically upload protocol definitions to a Cisco switch or
router is the key capability here. The attack signature for an Internet virus,
worm, or DDoS attack might be identified before security vendors have
an opportunity to update their software definitions to defend against
the attack. FPM provides the user with the capability to encode that
signature in the switch or router on the fly, and be protected while waiting
for a more comprehensive solution.
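The FPM policy the two paragraphs above describe, written out as an added example rather than configuration taken from the white paper: the PHDFs for IP and UDP are loaded, a stack class identifies IP packets carrying UDP, an access-control class encodes an illustrative worm signature (destination port, fixed packet length and a four-byte pattern at a fixed offset from the IP header), and matching packets are dropped inbound. The file paths, the interface name and the signature values are assumptions for this page; take the real port, length, offset and bytes from a packet capture of the traffic you need to stop.

```cisco
! Added example, not configuration from the white paper. PHDF locations,
! interface name and signature values are illustrative assumptions.

! 1. Load protocol header definitions so field names can be used in matches.
load protocol flash:ip.phdf
load protocol flash:udp.phdf

! 2. Stack class: establish the protocol stack (IP whose next header is UDP).
class-map type stack match-all ip-udp
 match field IP protocol eq 0x11 next UDP

! 3. Access-control class: the signature. All three criteria must match.
!    The payload match is an offset from the start of the IP header and
!    must fall inside the first 256 bytes of the packet.
class-map type access-control match-all udp-worm
 match field UDP dest-port eq 1434
 match field IP length eq 404
 match start l3-start offset 224 size 4 eq 0x4011010

! 4. Nested policy: the action to take when the signature matches.
policy-map type access-control udp-worm-policy
 class udp-worm
  drop

! 5. Top-level policy ties the stack class to the nested policy.
policy-map type access-control fpm-policy
 class ip-udp
  service-policy udp-worm-policy

! 6. Apply inbound on the interface facing the untrusted side.
interface GigabitEthernet0/1
 service-policy type access-control input fpm-policy
```

Check hit counts with `show policy-map type access-control interface GigabitEthernet0/1`, and use `log` in place of `drop` for a monitor-only rollout before enforcing. Two caveats follow directly from the text: the classification is stateless and limited to the first 256 bytes, so a payload that is fragmented, encrypted, or shifted past that window will not match, and an overly short byte pattern will match legitimate traffic, so anchor the signature on as many fields as the attack reliably fixes.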
Another technology that increases the flexibility of response to security
incidents is Cisco IOS Embedded Event Manager (EEM). A series of
event detector processes designed to monitor explicit operational
aspects of the switch are built into Cisco IOS Software. They can be
primed to look for a specific event, and when that event occurs, they can
act as a trigger to start up a user-loaded script. That script can then be
invoked to perform a series of actions that remedy, troubleshoot, or
otherwise respond to the event. This capability, which is integrated into
the Cisco Catalyst switching platforms, can significantly enhance the
network’s operational efficiency and speed the response to security
threats.
Many Cisco customers are starting to utilize EEM, which has numerous
uses that are enabled through its scripting capabilities. The user can
define an event (or multiple events) on which EEM should take action:
for example, generating a specific syslog message, invoking a specific
CLI command, inserting or removing a line card, or having a system
resource such as CPU or memory usage cross a threshold to trigger
invoking a script. When that event occurs, a script can be invoked to start
a series of predetermined actions. The script can invoke any
combination of CLI commands, generate custom Simple Network
Management Protocol (SNMP) traps or syslog messages, send e-mail or
pager alerts to network operations staff, and more. Its abilities are
limited only by the imagination of the administrator. The power of EEM is
now available across both the Cisco Catalyst 6500 and 4500 modular
switching platforms as well as the Cisco Catalyst 3750 family of switches.
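An EEM applet of the kind the two paragraphs above describe, as an added example rather than configuration from the white paper: the syslog event detector fires when port security err-disables an access port, the applet extracts the interface name from the message, captures the MAC address table for that port before anything changes, and raises both a syslog message and an e-mail alert. The syslog pattern follows the standard %PM-4-ERR_DISABLE message format; the mail server, addresses and interface naming are assumptions for this page.

```cisco
! Added example, not configuration from the white paper. Mail server,
! addresses and interface naming are illustrative assumptions.
event manager applet PSECURE-VIOLATION
 ! Event detector: a port-security violation has err-disabled a port.
 event syslog pattern "%PM-4-ERR_DISABLE: psecure-violation error detected on Gi[0-9/]+"
 ! Pull the interface name out of the message that triggered the applet.
 ! $whole receives the full match, $intf the first capture group.
 action 1.0 regexp "psecure-violation error detected on (Gi[0-9/]+)" "$_syslog_msg" whole intf
 action 2.0 cli command "enable"
 ! Collect evidence first: which MACs were seen on the port.
 action 3.0 cli command "show mac address-table interface $intf"
 action 4.0 set mactable "$_cli_result"
 ! Tell operations what happened and where the evidence is.
 action 5.0 syslog priority critical msg "EEM: port-security violation on $intf, MAC table captured"
 action 6.0 mail server "192.0.2.25" to "soc@example.com" from "switch@example.com" subject "Port-security violation on $intf" body "$mactable"
```

The same applet skeleton serves the other triggers the text lists: `event cli pattern` for a specific command being entered, `event oir` for line-card insertion or removal, and `event snmp oid ... get-type exact entry-op ge entry-val ... poll-interval ...` polled against a CPU or memory OID for a resource threshold. Because an applet executes CLI with the privilege it was registered under, restrict who may configure `event manager`, and keep actions idempotent so that a burst of matching syslog messages does not turn into a burst of configuration changes.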
Before moving on to other areas of the network, it should be noted that
the technologies discussed above are just part of the rich portfolio of
security capabilities of Cisco Catalyst Switches. Table 3 calls out some
additional capabilities on Cisco Catalyst Series switches which can
be used to provide network security. Some of these capabilities will
be discussed further in subsequent sections. Figure 2 maps specific
technologies to places in the network where they would likely be
deployed.