We now have to deal with zero-hour damage
Cisco's strategy for self-defending networks includes protection from known, unknown
and DDoS attacks. To ensure this, Cisco is offering security mechanisms at various
levels. K.C. Soh, Senior Manager, Advanced Technologies, Asia Pacific,
Cisco Systems, gives us the details. by Brian Pereira
Why has Cisco devised yet another security strategy? What's it all about?
Today's security paradigm is changing; it's no longer
about point products. You don't put in a product and feel that you are protected.
We are now talking about zero-day attacks or zero-hour damage,
which means stopping an unknown attack as it happens.
Our self-defending strategy includes integrated security,
industry collaboration with the anti-virus & alliance partners, and system
We want to address customer concerns
about security; this goes beyond point products. We will develop, partner, and
acquire companies to provide technology to protect the network and what's around
it (including the servers).
Explain the concept of self-defending networks.
The concept of self-defending networks
was announced at the end of 2003. The idea is to provide in-depth defense. It's
about having different levels of security at different layers. One level is
Threat Defense, where you look at solutions like firewalls (guarding the edge
of the network), IDS (patrolling the interior), and the Cisco Security Agent (CSA).
CSA is policy-based security software
that resides on clients and servers. It warns you when there's a violation of
policy. If the CSA detects abnormal behavior in the PC, it raises an alert and
stops the attack. So you have a combination of signature based anti-virus software
(for known attacks) and CSA behavioral based technology (for unknown attacks).
At other levels in this strategy map,
you have Trust and Identity, Secure Communication, and Management.
What about protection from Distributed Denial of Service attacks?
While CSA protects the server from
actions that do not comply with the security policy, it is not a solution for
a distributed denial of service (DDoS) attack.
We are in the process of acquiring
a company (and a technology for this). The company is called Riverhead and it
offers a product that protects servers from DDoS attacks.
When the Riverhead security product
(an appliance) detects the DDoS attack, it redirects all the bad DDoS traffic
out of the network and allows only the good traffic to pass through and
reach the server.
So, known threats will be blocked by
signature based anti-virus; unknown threats will be tackled by CSA (based on
behavior). DDoS attacks will be handled by the Riverhead appliance.
Comment on the integration of Cisco
security technologies with those of commercial security products.
We are working closely with three major
anti-virus companies and building technology that will prevent clients and servers
from connecting to the network unless their anti-virus software is updated.
We are providing the three anti-virus
vendors with Cisco Trusted Agent and they can integrate it into their solutions.
These products will interface with Cisco IOS networks. The anti-virus agents
will communicate with Cisco IOS to report the status level (availability of
new signatures and so on), and the IOS network will determine whether they have
permission to enter the network (network admission control).
Network Admission Control (NAC) means
controlling PCs (or servers) that attempt to become a part of the network.
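The admission decision Soh describes (an agent reports anti-virus status, the network decides whether the machine may join), worked through as an added illustration. This is not Cisco's NAC or Cisco Trust Agent code: the report fields, the placeholder vendor names, the version and age thresholds, and the three verdicts (healthy, quarantine, deny) are assumptions made for the example.

```python
"""Posture-based network admission check (added example, not Cisco code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    HEALTHY = "healthy"        # full network access
    QUARANTINE = "quarantine"  # remediation network: update servers only
    DENY = "deny"              # no access at all


@dataclass(frozen=True)
class Policy:
    current_signature: int        # newest signature the AV vendor has shipped
    max_versions_behind: int      # how far behind "current" is still acceptable
    max_signature_age: timedelta  # oldest acceptable signature update time
    trusted_vendors: frozenset    # agents whose posture reports we accept


def _flag(report, key):
    """Read a boolean field strictly: the string 'false' must not count as True."""
    value = report[key]
    if not isinstance(value, bool):
        raise TypeError(key)
    return value


def admit(report, policy, now):
    """Map one endpoint posture report to an admission verdict.

    Fails closed: a missing, malformed or untrusted report is denied rather
    than waved through on the assumption that it was merely misformatted.
    """
    try:
        vendor = report["vendor"]
        agent_running = _flag(report, "agent_running")
        realtime = _flag(report, "realtime_protection")
        version = int(report["signature_version"])
        updated = datetime.fromisoformat(report["signature_updated"])
    except (KeyError, TypeError, ValueError):
        return Verdict.DENY
    if vendor not in policy.trusted_vendors or not agent_running:
        return Verdict.DENY
    # A zone-less or future timestamp cannot be checked honestly; treat it as
    # a forged or broken report instead of guessing what it meant.
    if updated.tzinfo is None or updated > now:
        return Verdict.DENY
    if not realtime:
        return Verdict.QUARANTINE
    behind = policy.current_signature - version
    if behind > policy.max_versions_behind or now - updated > policy.max_signature_age:
        return Verdict.QUARANTINE
    return Verdict.HEALTHY


def evaluate(reports, policy, now):
    """Return {hostname: Verdict} for a batch of posture reports."""
    return {host: admit(report, policy, now) for host, report in reports.items()}


# Constructed sample data (assumed values): the vendor names stand in for the
# three unnamed anti-virus partners, and each host exercises one rule.
NOW = datetime(2004, 3, 1, 12, 0, tzinfo=timezone.utc)
POLICY = Policy(
    current_signature=4120,
    max_versions_behind=2,
    max_signature_age=timedelta(days=7),
    trusted_vendors=frozenset({"av-vendor-a", "av-vendor-b", "av-vendor-c"}),
)
SAMPLE_REPORTS = {
    # one version behind, updated yesterday: admitted
    "ws-01": {"vendor": "av-vendor-a", "agent_running": True, "realtime_protection": True,
              "signature_version": 4119, "signature_updated": "2004-02-29T09:00:00+00:00"},
    # twenty versions behind: remediation network
    "ws-02": {"vendor": "av-vendor-b", "agent_running": True, "realtime_protection": True,
              "signature_version": 4100, "signature_updated": "2004-02-28T09:00:00+00:00"},
    # current version number but not refreshed for three weeks: remediation network
    "ws-03": {"vendor": "av-vendor-a", "agent_running": True, "realtime_protection": True,
              "signature_version": 4120, "signature_updated": "2004-02-10T00:00:00+00:00"},
    # signatures current but real-time scanning switched off: remediation network
    "srv-01": {"vendor": "av-vendor-c", "agent_running": True, "realtime_protection": True and False,
               "signature_version": 4120, "signature_updated": "2004-03-01T08:00:00+00:00"},
    # agent from a vendor the network does not trust: denied
    "ws-04": {"vendor": "homebrew-av", "agent_running": True, "realtime_protection": True,
              "signature_version": 4120, "signature_updated": "2004-03-01T08:00:00+00:00"},
    # report missing the update timestamp: denied (fail closed)
    "ws-05": {"vendor": "av-vendor-b", "agent_running": True, "realtime_protection": True,
              "signature_version": 4120},
    # agent installed but not running: denied
    "ws-06": {"vendor": "av-vendor-c", "agent_running": False, "realtime_protection": False,
              "signature_version": 4120, "signature_updated": "2004-03-01T08:00:00+00:00"},
}

if __name__ == "__main__":
    for host, verdict in evaluate(SAMPLE_REPORTS, POLICY, NOW).items():
        print(f"{host}: {verdict.value}")
```

Two points the interview takes for granted are made explicit here. The check fails closed: anything the network cannot parse or does not trust is denied, not admitted because it "probably" was fine. And the whole decision is only as good as the posture report itself, which is why the approach described above pushes a trusted agent into the anti-virus vendors' products rather than asking the endpoint to vouch for itself.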
How does an organization make its existing network a self-defending network?
NAC will be available in the new release
of IOS software. Endpoint security like CSA involves installing a piece
of software on desktops and servers, and for integrated security the trend is
to put more firewall and IDS functionality on servers and routers. For existing
Cisco customers it means installing or upgrading software, maybe putting
an additional card into the router, and they will have all these features.
Brian Pereira can be reached at firstname.lastname@example.org