Sarthak Ganguly
11/12/2010
Foreword
Since every business today depends on the Internet and its local networks for some business-critical
function, the need for security is more important than ever. A company that does not have strong
security can end up in the news as having been hacked, its stock can plummet, and it can be out of
business in no time. Once released, viruses and worms can hit businesses and consumers around the
world in a matter of seconds or minutes. However, you and your company do not have unlimited funds;
you cannot simply deploy every solution you come across. You have to weigh the level of investment in
security against the level of risk your business perceives. It is hard to decide how much to invest and
which solutions to choose, but you must ensure that your network is reasonably secure.
“When we build a security environment that is flexible, manageable, and layered, we can handle any
new challenges that may appear. Our solution definitely gives us this capability.”
Contents
VRF-Aware Firewalling
Bibliography
References
The theory of the SDN (Self-Defending Network) is that the network itself has the ability and the
intelligence to protect itself from threats. However, this can only happen if the components of the
network work together to provide that level of security, intelligence, and adaptability.
Self-Defending Network: Combining Best-of-Breed Products and Services with a Systems Approach
● An eroding network perimeter—The traditional network barriers that separated trusted from
untrusted and “inside” from “outside” are now disappearing. As more applications become directly
accessible to remote users and systems, the concept of the network perimeter becomes increasingly
vague and more difficult to protect.
● Evolving threats—Information attacks of the past were largely an issue of cyber-vandalism, with
hackers primarily looking for fame. Today’s attacks are a profit-driven business, often controlled by
organized crime. The modern attacker uses a patient, “stealth” approach to eventually achieve a
successful attack. In addition, modern attackers often avoid technology defenses, using spam, phishing
attacks, and fraudulent Web links to target an organization’s weakest link: human beings.
As security risks have evolved, so have organizations’ approaches to them. Where information security
was once a technology issue, today it is a business issue—representing a more significant cost and
operational challenge, but a fundamental business enabler as well. More and more organizations are
implementing formal programs to reduce IT risk, especially security and compliance risks. As regulatory
compliance becomes a core requirement for organizations in more industries, businesses must develop
new capabilities for controlling the kinds of information traversing their network, how that information
is used, and who can access it. Organizations not only face the challenge of becoming compliant, but of
staying compliant as the network continuously evolves with business needs.
In addition, the SDN aims to provide end-to-end visibility of the network's security events and status.
Network devices must work together and be integrated for the SDN to do its job. In practice, therefore,
third-party network components on your network are unlikely to participate in the SDN.
● Network and endpoint security—The Self-Defending Network integrates firewall, VPN, IPS, and
other security services into network devices and endpoints to create an integrated, adaptive, and
collaborative defense system.
● Content security—Product and security innovations extend network defenses beyond the
traditional network perimeter to protect data in motion, covering e-mail, Web interactions, instant
messaging systems, and other applications that require content inspection and control.
A range of services revolves around the Self-Defending Network. Figure B illustrates these
offerings:
In Figure C, you can see the order in which admission is checked: first the device identification, then the
operating system and application posture, and finally the user identity, based on username, password,
and certificate keys.
“Web applications, while empowering users, open the door to application abuse as traffic
traverses multiple networks and potentially picks up virulent code,” says Jayshree Ullal, senior
vice president of ’s Security Technology Group.
● Empower security teams to manage network security more efficiently, with fewer touch points
To address these emerging threats and provide protection beyond the network perimeter, a portfolio of
best-of-breed content security technologies is offered. The content security tools include the ASA 5500
Series content security technologies; IOS Software content filtering and voice security technologies;
and Web and e-mail security technologies from IronPort (since acquired). These technologies
incorporate content security strategies such as:
● Treating all threats as “day-zero” attacks—The content security solutions are designed to analyze a
large number of variants rather than seeking out a small set of known targets. Using behavior- and
reputation-based analysis, they can identify attacks that share functions even when they do not share a
specific attack signature.
● Providing scalability to address myriad attacks—Modern attacks are extremely diverse, ranging from
simple e-mail fraud to sophisticated, multivector threats such as the Nimda worm, which could infect and
propagate across thousands of hosts using several means at once. The content security technologies
are designed to treat each attack as a distinct threat, regardless of its scale.
● Providing tools to manage multiple techniques and sources of attack—Cyber-criminals may target
everything from office applications to collaboration software to e-mail, employing a variety of self-
propagating and user-propagated techniques. The content security solutions aim to protect regardless
of attack source, transmission medium, or propagation method.
● Layer-7 application protection for vulnerabilities in office and Web applications, Web servers, and
application servers
At the core of the application security strategy is the ACE Web Application Firewall. It inspects
HTML and XML Web application traffic to block attacks on the application, secure both custom and
packaged applications, and address the full range of Web application threats. These capabilities protect
organizations from identity theft, data theft, application disruption, and targeted attacks, while
simplifying compliance with regulatory requirements such as the Payment Card Industry (PCI) data
security standards. Ultimately, they allow businesses to take full advantage of modern Web
communication and collaboration applications while protecting critical assets and reducing compliance
and IT risk.
VRF-Aware Firewalling
As mentioned, the new base firewall code is also included in IOS Software Release 12.3(14)T. This step
has made the IOS Firewall virtual routing and forwarding (VRF)-aware.
In other words, a router that runs multiple routing instances (functioning, in effect, as multiple routers
within a single chassis) can now also run multiple IOS firewalls within that chassis to match, explains
Tom Guerrette, product manager in ’s IOS and Router Security Marketing Group.
The new software release applies IOS Firewall functionality to each VRF interface, allowing customers
to configure per-VRF firewalls. The firewall inspects IP packets that are sent and received within a VRF,
and keeps its inspection state separately for each VRF. A few noteworthy capabilities of the VRF-aware
IOS firewall:
■ It supports overlapping IP address space, so traffic in non-intersecting VRFs may carry the same IP
addresses without the firewall confusing one VRF's sessions with another's.
parameters and denial-of-service (DoS) parameters. In the case of a service provider managed service,
for example, the VRF-aware firewall can run as multiple instances allocated to various VPN customers.
■ The VRF-specific syslog messages it generates are visible only within that particular VPN, so each
customer's network administrators can manage their own firewall instance without seeing other
customers' events.
■ It supports limiting the number of firewall sessions per VRF, so one customer's traffic cannot
exhaust the session table shared by all of them.
The same capabilities apply to the PIX 7.0 Firewall and the Adaptive Security Appliances.
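The three capabilities above come down to one design rule: every piece of firewall state (session entries, session counters, log lines) must be keyed by the VRF it belongs to, not by addresses alone. The following is an added example, not vendor code or anything from this report, that models a stateful inspector twice: once keyed only by the 5-tuple, and once keyed by VRF plus 5-tuple. The VRF names, the 10.1.1.0/24 hosts used by both customers, the session caps and the syslog format are constructed for the example.

```python
"""Toy model of a VRF-aware stateful firewall (added example, not vendor code).

Shows why per-VRF state matters when two VRFs reuse the same addresses,
plus a per-VRF session cap and VRF-tagged syslog lines. Names, addresses,
caps and log format below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The return direction of this flow."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    """Baseline inspector: state keyed only by the 5-tuple, no notion of VRF."""

    def __init__(self, max_sessions: int):
        self.max_sessions = max_sessions
        self.sessions: set = set()
        self.log: list = []

    def _key(self, vrf: str, flow: Flow):
        return flow            # VRF deliberately ignored here

    def _count(self, vrf: str) -> int:
        return len(self.sessions)

    def _limit(self, vrf: str) -> int:
        return self.max_sessions

    def _syslog(self, vrf: str, msg: str) -> None:
        self.log.append(f"%FW-6-SESS: {msg}")

    def packet(self, vrf: str, flow: Flow, direction: str) -> str:
        """'out' = from the trusted side (may create state); 'in' = from the
        untrusted side (needs matching state). Returns 'permit' or 'drop'."""
        if direction == "out":
            key = self._key(vrf, flow)
            if key in self.sessions:
                return "permit"
            if self._count(vrf) >= self._limit(vrf):
                self._syslog(vrf, f"limit {self._limit(vrf)} reached, dropped {flow}")
                return "drop"
            self.sessions.add(key)
            self._syslog(vrf, f"new session {flow}")
            return "permit"
        if self._key(vrf, flow.reverse()) in self.sessions:
            return "permit"
        self._syslog(vrf, f"unsolicited inbound dropped {flow}")
        return "drop"


class VrfAwareFirewall(StatefulFirewall):
    """Same engine, but every table entry, counter and log line carries the VRF."""

    def __init__(self, max_sessions_per_vrf: dict):
        super().__init__(0)
        self.max_sessions_per_vrf = max_sessions_per_vrf

    def _key(self, vrf, flow):
        return (vrf, flow)

    def _count(self, vrf):
        return sum(1 for v, _ in self.sessions if v == vrf)

    def _limit(self, vrf):
        return self.max_sessions_per_vrf.get(vrf, 0)

    def _syslog(self, vrf, msg):
        self.log.append(f"%FW-6-SESS: vrf={vrf} {msg}")

    def syslog_for(self, vrf):
        """Only the lines belonging to one VRF: the per-customer view."""
        return [line for line in self.log if f"vrf={vrf} " in line]


def demo() -> dict:
    # Constructed scenario: customers A and B both number hosts from
    # 10.1.1.0/24, so the same 5-tuple can legitimately appear in either VRF.
    flow = Flow("tcp", "10.1.1.10", 40000, "203.0.113.5", 443)
    flat = StatefulFirewall(max_sessions=4)
    vrf = VrfAwareFirewall({"CUST-A": 2, "CUST-B": 2})
    out = {}
    for name, fw in (("flat", flat), ("vrf", vrf)):
        out[name + "_a_open"] = fw.packet("CUST-A", flow, "out")
        out[name + "_a_return"] = fw.packet("CUST-A", flow.reverse(), "in")
        # B never opened this flow: a matching packet arriving in B is unsolicited
        out[name + "_b_return"] = fw.packet("CUST-B", flow.reverse(), "in")
    # Per-VRF cap: A may open two sessions and is refused a third,
    # while B, with its own counter, still gets its first.
    vrf.packet("CUST-A", Flow("tcp", "10.1.1.11", 40001, "203.0.113.5", 443), "out")
    out["a_third"] = vrf.packet("CUST-A", Flow("tcp", "10.1.1.12", 40002, "203.0.113.5", 443), "out")
    out["b_first"] = vrf.packet("CUST-B", Flow("tcp", "10.1.1.12", 40002, "203.0.113.5", 443), "out")
    out["b_log_only_b"] = all("vrf=CUST-B " in line for line in vrf.syslog_for("CUST-B"))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running the demo shows the failure mode directly: the flat inspector permits the "return" packet arriving in CUST-B because it matches CUST-A's session (`flat_b_return == "permit"`), whereas the VRF-keyed inspector drops it. The same keying gives the per-VRF cap and the per-customer log filter for free, which is why a shared firewall for overlapping customer address space has to be VRF-aware rather than merely running one big session table.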
With the disappearance of a definable network perimeter and security threats coming at networks from
every angle, point products alone are no longer an adequate defense. An integrated and proactive
multilayered system is what makes the Self-Defending Network possible, and such a system is now a
requirement to ward off the consequences of rapidly propagating attacks. Security will remain an
ongoing process that keeps evolving as networks, applications, and the threats themselves change.
However, these devices still do not integrate easily with other security devices: they are not easy to
implement and are typically expensive. Even though the SDN framework has been around for over six
years, there is still a lot of work left to be done before networks can truly be self-defending.
Bibliography
I thank all my friends who cooperated in this project, helped me with information and tips, corrected terms,
and provided encouragement. I thank my parents and teachers for their unflinching support and
blessings. Without them I would not have been able to create this report. I also thank Ben Sangster for
providing a wonderful presentation online for research and study. To all those mentioned, I thank you.
References
PACKET
by David Davis