自防御網(wǎng)絡(luò)和可信網(wǎng)絡(luò)

1 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 自防御網(wǎng)絡(luò)和可信網(wǎng)絡(luò) 思科系統(tǒng)（中國(guó)）網(wǎng)絡(luò)技術(shù)有限公司 2006 2 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 議程 聚焦安全 思科的安全承諾 3 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential RSA Conference 2006 概況 2月 14日 18日，在美國(guó)舊金山舉行 2006 RSA大會(huì) 2006年的 RSA會(huì)議規(guī)?？涨?，大約有 14000名安全領(lǐng)域?qū)I(yè)人士參加了這一盛會(huì)，比 2004年增長(zhǎng)了約 30 全球 275家安全領(lǐng)域的領(lǐng)先廠商，包括思科、微軟、 IBM、SUN、 HP、賽門(mén)鐵克、 CA等主流大型 IT廠商 200多場(chǎng)分會(huì)議 安全領(lǐng)域的分工非常之細(xì)，一些公司專(zhuān)攻一項(xiàng)安全技術(shù) 多位引領(lǐng) IT發(fā)展的超重量級(jí)人物出席 覆蓋的安全技術(shù)： applied security, compliance, government and policy, hackers and threats, identity management and wireless security 4 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential RSA Conference 2006 Keynote Speech John Chambers, president and CEO, Cisco Systems, Inc. Bill Gates, chairman and chief software architect, Microsoft Corp. Scott McNealy, chairman and CEO, Sun Microsystems, Inc. John Thompson, chairman and CEO, Symantec, and Art Coviello, CEO and president, RSA Security Inc. . 5 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential RSA Conference 2006 主旋律 開(kāi)放的安全架構(gòu) “應(yīng)用安全”唱主角 安全技術(shù)并購(gòu)行為，小公司為被收購(gòu)做準(zhǔn)備 大公司強(qiáng)力進(jìn)軍安全 信息安全，這一幾年前還略顯邊緣的 IT技術(shù)，正變得越來(lái)越主流 網(wǎng)絡(luò)安全從 2003年的第 12位，躍升為 2004年的第一名，超越了“降低成本”項(xiàng)目 6 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 對(duì)安全標(biāo)準(zhǔn)的思考 TCG模式： 設(shè)備身份 Intel Pentium III CPU 標(biāo)識(shí)符 (1999) 設(shè)備與用戶身份的關(guān)聯(lián)涉及消費(fèi)者隱私 TCPA (1999) TPM 硬件模塊與協(xié)議 為解決知識(shí)產(chǎn)權(quán) (IPR)問(wèn)題設(shè)立 TCG (2003) 設(shè)計(jì)被內(nèi)部采納后再公開(kāi)方案細(xì)則 （會(huì)員優(yōu)先） 繳費(fèi)會(huì)員制度 , 開(kāi)源界表示擔(dān)憂 重新定向于支持 DRM (與微軟的 Palladium 結(jié)合 ) IETF模式 7 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 來(lái)自 VeriSign公司的信息 眼下安全行業(yè)應(yīng)當(dāng)一改專(zhuān)利性方案，轉(zhuǎn)而接受開(kāi)放式、能夠協(xié)同工作的驗(yàn)證標(biāo)準(zhǔn) VeriSign - 開(kāi)放式驗(yàn)證參考體系結(jié)構(gòu)（ OATH）：為驗(yàn)證提供了一個(gè)參考體系結(jié)構(gòu)，所用的通用密鑰能夠?yàn)閼?yīng)用程序、多個(gè)設(shè)備以及內(nèi)外網(wǎng)絡(luò)所識(shí)別 8 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 來(lái)自 SUN公司的信息 開(kāi)放的架構(gòu)和共享代碼 Sun 的開(kāi)放架構(gòu) 從 Java到開(kāi)放源代碼 Solaris 10，能夠很好地解決安全問(wèn)題 9 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 來(lái)自 Cisco的信息 標(biāo)準(zhǔn)是網(wǎng)絡(luò)安全的必經(jīng)之路 安全必須是面向整個(gè)架構(gòu)的技術(shù)和方案 安全與網(wǎng)絡(luò)的融合是發(fā)展的必然 思科公司的安全戰(zhàn)略 自防御網(wǎng)絡(luò)（ Self-Defending Network）進(jìn)入了新階段 ATD（自適應(yīng)威脅防御） 應(yīng)用安全 智能控制 反間諜軟件和反廣告軟件 重視網(wǎng)絡(luò)的 4 7層的應(yīng)用安全上 2004年全球網(wǎng)絡(luò)安全市場(chǎng)的規(guī)模達(dá)到了 41億美元，其中思科公司占據(jù)了近 30的市場(chǎng)份額，牢牢占據(jù)了第一的位置。 10 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 安全需要開(kāi)放標(biāo)準(zhǔn) 網(wǎng)絡(luò)開(kāi)放標(biāo)準(zhǔn)是為能互相協(xié)作而制定的 廣泛參與性（公司，政府，開(kāi)源界，個(gè)人） 開(kāi)放標(biāo)準(zhǔn)參與者在用戶功能與通用功能之間權(quán)衡 多種重疊標(biāo)準(zhǔn)會(huì)制造困難 與互相協(xié)作沖突 長(zhǎng)遠(yuǎn)來(lái)講維護(hù)分立市場(chǎng)需付出更高代價(jià) 11 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 議程 2006 RSA Conference 聚焦安全 思科的安全承諾 安全無(wú)憂 12 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential Business Processes Applications and Services Networked Infrastructure Active participation in application and service delivery A systems approach integrates technology layers to reduce complexity Flexible policy controls adapt this intelligent system to your business though business rules 智能化信息網(wǎng)絡(luò)支撐網(wǎng)絡(luò)安全 Connectivity Intelligent Networking Utilize the network to unite isolated layers and domains to enable business processes Cisco Network Strategy Resilient Integrated Adaptive 14 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 自防御網(wǎng)絡(luò)對(duì)安全的承諾 利用網(wǎng)絡(luò)發(fā)現(xiàn)、防范和消除威脅 整個(gè)網(wǎng)絡(luò)中的服務(wù)和設(shè)備通過(guò)協(xié)作制止威脅 協(xié)作 讓每個(gè)組件都成為一個(gè)防御和策略實(shí)施點(diǎn) 集成 可以自動(dòng)防范威脅的 主動(dòng)安全技術(shù) 適應(yīng) 15 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential VPN Concentrator Cisco Firewall IPS Cisco ASA 行業(yè)領(lǐng)先的安全技術(shù) 最豐富的安全防護(hù)技術(shù) Cisco IOS VPN 行業(yè)領(lǐng)先的網(wǎng)絡(luò)技術(shù) 20多年 Routing & Switching 專(zhuān)業(yè)經(jīng)驗(yàn) Cisco ISR Cisco Catalyst 集成安全 基礎(chǔ)設(shè)施安全 Protect the network infrastructure from attacks Control Plane Policing, NBAR, AutoSecure Leverage the network to intelligently protect Endpoints NAC, 802.1x Secure and scalable network connectivity Secure Voice (sRTP, V3PN), DMVPN, MPLS & IPSec Prevent and respond to network attacks and threats such as worms Intrusion Prevention, Netflow, App Firewall, OPS Securing the IP Fabric with Integrated Security 16 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 協(xié)作安全 安全超越單一邊界 幾乎所有設(shè)備都是 Multi-homed 網(wǎng)絡(luò)真正的起止點(diǎn)在那里？ 許多設(shè)備不由企業(yè)控制，但公司需要給咨詢顧問(wèn)或客人等等提供上網(wǎng)權(quán)利 怎樣為某一特定邊界提供保護(hù)？ 怎樣符合法規(guī)？ Multi-Homed Mobile Devices Peer-2-Peer 802.11 VoIP Content 17 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 思科 NAC網(wǎng)絡(luò)準(zhǔn)入控制架構(gòu) Cisco Clean Access AUTHENTICATION POLICY ENFORCEMENT DISCOVERY REMEDIATION Clean Access Agent The best technological approach for Enterprise Begin Long-Term Enterprise Solution with integrated product and services CCA on top of NAC framework provides future proofing The best turnkey appliance product for all vericals Address immediate pain-points with CCA 1 2 3 NAC Framework REMEDIATION (VENDOR) Cisco Trust Agent AUTHENTICATION POLICY DISCOVERY AAA (ACS) POLICY ENFORCEMENT NAC Convergence = Future Proof 18 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential ANTI VIRUS CLIENT SECURITY 安全需要合作 -思科與業(yè)界的合作 AUDIT REMEDIATION 19 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential MAC IP TCP Application Protocol Payload SECURED UN-SECURED 思科網(wǎng)絡(luò)安全的下一個(gè)重點(diǎn) -應(yīng)用安全 Policy match must include major application protocol and payload data: HTTP, SIP, Email, FTP, DNS Full complement of security services at the application protocol and payload level: encryption, logging, intrusion prevention, access control, rewrite, QoS Result: Security services once only available through software coding are now core network services SECURED 20 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 思科的 “Anti-X” 技術(shù) -Multi-Vector Attack Mitigation Heuristicstatistically based algorithms to rate limit alarms produced by sensing engine Anomalytraffic and protocol anomaly detection to complement signature based analysis Policytraffic filtering based on security policy Exploit-specific protection from unknown threats and quickly mutating viruses Vulnerability encoding signatures to the underlying vulnerability for day-zero protection Multiple techniques utilized to block broad classes of attacks Fast Signature extraction Viruses/Worms Anti-Spam DoS/DDoS Spyware/Adware Trojans/Backdoors Bots/Zombies P2P/IM Abuse Port 80 Misuse Anti-X 21 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 自適應(yīng)安全 Cisco ASA 提供全面的安全保護(hù) THREAT TYPES PROTECTION Viruses Spyware Malware Phishing Spam Inappropriate URLs Identity Theft Offensive Content Unauthorized Access Intrusions & Attacks Insecure Comms. NEW Anti-X Service Extensions Resource & Information Access Protection Hacker Protection Client Protection DDoS Protection Protected Email Communication Protected Web Browsing Protected File Exchange Unwanted Visitor Control Audit & Regulatory Assistance Non-work Related Web Sites Identity Protection Granular Policy Controls Comprehensive Malware Protection Advanced Content Filtering Integrated Message Security Easy to Use ASA 5500 with CSC-SSM 22 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 思科安全管理體系 Integration to Cisco Secure Access Control Server Role Based access control Privileged based access to management functionality With the Context of Auditing Services Cisco Security Mars Rapid Threat Identification and Mitigation Topology Awareness Data Correlation Simplified Policy Administration End-to-End Configuration Network wide or Device Specific Cisco Security Manager FABRIC 23 2006 Cisco Sy stems, Inc. All rights reserv ed. 205524.A Cisco Confidential 思科 MARS安全分析、監(jiān)控與響應(yīng)中心 多廠商 Powerful monitoring, analysis, response system Multivendor support Correlate events from m