Developing a Secure Network
Increasing Operations Security
After a network is installed, network operations personnel monitor and maintain it. From a security perspective, operations security attempts to secure hardware, software, and various media while investigating anomalous network behavior.
System Development Life Cycle
A computer network is a dynamic entity, continuously changing to meet the needs of its users. New network components are added and eventually retired.
The life of these components can be defined by the System Development Life Cycle (SDLC), which consists of five phases:
- Initiation
- Acquisition and development
- Implementation
- Operations and maintenance
- Disposition
Initiation
SDLC’s initiation phase consists of two security procedures:
- Security categorization: Security categorization, as the name suggests, categorizes the severity of a security breach on a particular network component. For example, a newly added network device might be categorized as having either a high, medium, or low security level.
- Preliminary risk assessment: Although a more formalized risk assessment follows in the SDLC, the preliminary risk assessment offers a high-level overview of a system’s security requirements.
Acquisition and Development
SDLC’s acquisition and development phase consists of multiple security procedures:
- Risk assessment: The risk assessment performed in the SDLC’s initiation phase serves as the foundation for this more formalized risk assessment, which specifies protection requirements.
- Security functional requirement analysis: This analysis identifies what is required to properly secure a system such that it can function in its intended capacity. For example, a requirement might state that a corporate security policy has to be written.
- Security assurance requirements analysis: Based on legal and functional security requirements, this analysis provides evidence that the network resource in question will be protected at the desired level.
- Cost considerations and reporting: A report is created that details the costs of securing a system. Included costs might include expenses for hardware, applications, personnel, and training.
- Security planning: A report is created that details what security controls are to be used.
- Security control development: A report is created detailing how the previously determined security controls are to be designed, developed, and implemented.
- Developmental security test and evaluation: Testing is performed to validate the operation of the implemented security controls.
Implementation
SDLC’s implementation phase consists of the following security procedures:
- Inspection and acceptance: The installation of a system and its functional requirements are verified.
- System integration: The system is integrated with all required components at its operational site, and its operation is verified.
- Security certification: The operation of the previously specified security controls is verified.
- Security accreditation: After the operation of required security controls is verified, a system is given appropriate administrative privileges to process, store, and/or transmit specific data.
Operations and Maintenance
SDLC’s operations and maintenance phase consists of the following security procedures:
- Configuration management and control: Before a configuration change is made to one part of a network, the potential impact on other parts of the network is considered. For example, change management software might be used to notify a variety of information security employees before a change is made to one of the integrated systems. Those employees could then evaluate the potential impact that such a change would have on the portion of the information system they are responsible for.
- Continuous monitoring: Even after a security solution is in place, it should be routinely monitored and tested to validate its operation.
Disposition
SDLC’s disposition phase consists of the following security procedures:
- Information preservation: Some information needs to be preserved because of legal restrictions. Also, archived information should periodically be transferred to more modern storage technologies, to ensure that, over time, the medium used to store the archived information is not an obsolete technology.
- Media sanitization: When storage media that contain sensitive information are disposed of, they should be “sanitized” so that no one can retrieve the information. For example, simply deleting a file from a hard drive does not necessarily prevent someone from retrieving it; the data remains on disk until it is overwritten. A better practice is to overwrite the old data, degauss the media, or physically destroy it. Note that on flash-based media, wear leveling can leave copies of data that an overwrite never reaches, so cryptographic erase or physical destruction is the safer choice there.
- Hardware and software disposal: When hardware and software components are retired, a formalized disposal procedure should be used. Such a procedure could help prevent someone with malicious intent from retrieving information from those components.
Operations Security Overview
Operations security recommendations attempt to ensure that no one employee will become a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system’s security. Table 2-2 provides an overview of these recommendations.
Evaluating Network Security
To verify that a network’s security solutions are acting as expected, you should test them occasionally. This network security evaluation typically occurs during the implementation phase and the operations and maintenance phase of SDLC.
During the implementation phase you should evaluate network security on individual system components, in addition to the overall system. By performing a network security evaluation during the implementation stage, you are better able to discover any flaws in your security design, implementation strategy, or operational strategy. You can also get a sense of whether your security solution will meet the guidelines of your security policy.
After a system enters its operations and maintenance phase, you should continue to perform periodic security evaluations to verify the performance of your security solution. In addition to regularly scheduled evaluations, Cisco recommends that evaluations be performed after you add a component (for example, a web server) to the information system.
The results of your security evaluations can be used for a variety of purposes:
- Creating a baseline for the information system’s level of protection
- Identifying strategies to counter identified security weaknesses
- Complementing other SDLC phases, such as performing risk assessments
- Conducting a cost/benefit analysis when evaluating additional security measures
A variety of network evaluation techniques are available. Some of them can be automated, and others are manual procedures. Consider the following approaches to evaluating network security:
- Scanning a network for active IP addresses and open ports on those IP addresses
- Scanning identified hosts for known vulnerabilities
- Using password-cracking utilities
- Reviewing system and security logs
- Performing virus scans
- Performing penetration testing (perhaps by hiring an outside consultant to see if he or she can compromise specific systems)
- Scanning for wireless SSIDs to identify unsecured wireless networks
Several tools and utilities are available for performing a security evaluation. Some are available as freeware, and other packages require the purchase of a license. The following is a sample of these tools and utilities:
- Nmap
- GFI LANguard
- Tripwire
- Nessus
- Metasploit
- SuperScan by Foundstone, a division of McAfee
Nmap
To gain a sense of the features available in such evaluation tools, consider the Nmap utility. Nmap is a publicly available scanner that can be downloaded from http://www.insecure.org/nmap. Nmap offers features such as the following:
- It has scanning and sweeping features that identify services running on systems in a specified range of IP addresses.
- It offers stealth scanning options, such as the half-open SYN scan, that make scanning and sweeping less detectable by hosts and IPS technology.
- It uses operating system (OS) fingerprinting technology to identify the operating system running on a target system (including a percentage of confidence that the OS was correctly detected).
Figure 2-1 shows a GUI version of Nmap called Zenmap, which can be downloaded from the link just provided.
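Nmap can write its results as XML (the -oX option), which is the form you want when the scan feeds a security evaluation rather than a one-off look. The following is an added example, not code from the page or from the Nmap project: it parses a constructed sample of Nmap XML output (the structure matches what a command such as `nmap -sS -O -oX scan.xml 192.0.2.0/29` produces, but the hosts, ports and OS matches are made up) and turns it into the inventory a network security evaluation starts from: active IP addresses, open ports and services, the best OS match with its confidence, and a first finding list of cleartext services. The set of services flagged as cleartext is an assumed policy for the example.

```python
"""Summarize an Nmap XML report: live hosts, open ports/services, OS guess.

Added example, not code from the original page or from Nmap. The XML below is
a constructed sample in Nmap's output format, not a real scan.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -O -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/><osmatch name="Linux 4.X" accuracy="90"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
    </ports>
    <os><osmatch name="Cisco IOS 12.X" accuracy="88"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services that carry credentials in cleartext. Flagging them is a typical first
# finding of a security evaluation (assumed policy for this example).
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "pop3", "smtp", "imap"}


def parse_nmap_xml(xml_text):
    """Return one dict per host that responded (status 'up')."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # inactive address: nothing to evaluate
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"ip": addr.get("addr") if addr is not None else None,
                 "open_ports": [], "os": None, "os_accuracy": 0}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports expose a service
            service = port.find("service")
            entry["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": service.get("name") if service is not None else "unknown",
            })
        # Keep the OS match with the highest accuracy (Nmap's confidence percentage).
        best = None
        for match in host.findall("os/osmatch"):
            acc = int(match.get("accuracy", "0"))
            if best is None or acc > best[1]:
                best = (match.get("name"), acc)
        if best:
            entry["os"], entry["os_accuracy"] = best
        hosts.append(entry)
    return hosts


def cleartext_findings(hosts):
    """Return (ip, port, service) tuples for open cleartext-protocol services."""
    findings = []
    for h in hosts:
        for p in h["open_ports"]:
            if p["service"] in CLEARTEXT_SERVICES:
                findings.append((h["ip"], p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        ports = ", ".join(f"{p['port']}/{p['proto']} {p['service']}" for p in h["open_ports"])
        print(f"{h['ip']}: {h['os']} ({h['os_accuracy']}%) open: {ports}")
    for ip, port, svc in cleartext_findings(inventory):
        print(f"FINDING: {ip} exposes cleartext service {svc} on port {port}")
```

Keeping the parsed inventory from each evaluation is what makes the later comparison possible: the first run becomes the baseline, and a port or host that appears in a subsequent run without a corresponding change request is exactly the kind of anomaly the operations and maintenance phase is meant to catch.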
Disaster Recovery Considerations
With the potential for natural disasters (such as hurricanes, floods, and earthquakes) and man-made disasters (such as terrorist attacks) looming over today’s networks, network administrators need to have contingency plans in place. Although these plans are sometimes called business continuity plans or disaster recovery plans, disaster recovery planning tends to address actions taken during and immediately after a disaster.
Specifically, disaster recovery (which is just a subset of business continuity planning) is concerned with allowing personnel to again access the data, hardware, and software they need to do their jobs. Also keep in mind that although a disaster recovery plan often conjures up thoughts of redundant hardware and backup facilities, a comprehensive disaster recovery plan also considers the potential loss of key personnel.
The two primary goals of business continuity planning are
- Moving critical business operations to another facility while the original facility is under repair
- Using alternative forms of internal and external communication
The overall goal of these plans is to allow an organization to perform critical business operations after a disaster. Three phases of recovery include
- Emergency response phase
- Recovery phase
- Return to normal operations phase
Because these plans cannot possibly address all conceivable scenarios, disaster recovery and business continuity plans typically target the events that are most likely to occur. To illustrate the severity of a critical data loss, consider that some companies reportedly spend approximately 25 percent of their IT budget on business continuity and disaster recovery plans. Cisco also offers the following statistics about companies that lose most of their computerized records:
- 43 percent never reopen.
- 51 percent close within two years.
- 6 percent survive long-term.
Types of Disruptions
Business continuity and disaster recovery plans should address varying levels of disruptions by specifying different responses based on the severity of the disruption. To assist you in quantifying a disruption, consider the categories presented in Table 2-3.
Types of Backup Sites
Redundancy is key to recovering from a disaster. For example, if a server is destroyed, you need a replacement server to assume its role. However, on a larger scale, you should also consider redundant sites, from where critical business operations can be resumed. Consider the three types of redundant sites described in Table 2-4.
Constructing a Comprehensive Network Security Policy
One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the lack of effectively communicating that security policy to all concerned. This section discusses the purpose of a security policy, what should be addressed in that policy, how to maximize its effectiveness, and how to create awareness and understanding of the policy.
Security Policy Fundamentals
A security policy is a continually changing document that dictates a set of guidelines for network use. These guidelines complement organizational objectives by specifying rules for how a network is used.
The main purpose of a security policy is to protect an organization’s assets. An organization’s assets include more than just tangible items. Assets also entail such things as intellectual property, processes and procedures, sensitive customer data, and specific server functions (for example, e-mail or web functions).
Aside from protecting organizational assets, a security policy serves other purposes, such as the following:
- Making employees aware of their obligations as far as security practices
- Identifying specific security solutions required to meet the goals of the security policy
- Acting as a baseline for ongoing security monitoring
One of the more well-known components of a security policy is an acceptable use policy (AUP), also known as an appropriate use policy. An AUP identifies what users of a network are and are not allowed to do on the network. For example, retrieving sports scores during working hours via an organization’s Internet connection might be deemed inappropriate by an AUP.
Because an organization’s security policy applies to various categories of employees (such as management, technical staff, and end users), a single document might be insufficient. For example, managerial personnel might not be concerned with the technical intricacies of a security policy. Technical personnel might be less concerned with why a policy is in place. End users might be more likely to comply with the policy if they understand the reasoning behind the rules. Therefore, a security policy might be a collection of congruent, yet separate, documents.
Security Policy Components
As previously mentioned, an organization’s security policy typically is composed of multiple documents, each targeting a specific audience. Figure 2-2 offers a high-level overview of these complementary documents.
Figure 2-2 Components of a Security Policy
Governing Policy
At a very high level, a governing policy addresses security concepts deemed important to an organization. The governing policy is primarily targeted at managerial and technical employees. Following are typical elements of a governing policy:
- Identifying the issue addressed by the policy
- Discussing the organization’s view of the issue
- Examining the relevance of the policy to the work environment
- Explaining how employees are to comply with the policy
- Enumerating appropriate activities, actions, and processes
- Explaining the consequences of noncompliance
Technical Policies
Technical policies provide a more detailed treatment of an organization’s security policy, as opposed to the governing policy. Security and IT personnel are the intended targets of these technical policies, and these personnel use these policies in performing their day-to-day tasks. Typical components of technical policies include specific duties of the security and IT staff in areas such as the following:
- Wireless networks
- Remote access
End-User Policies
End-user policies address security issues and procedures relevant to end users. For example, an end user might be asked to sign an acceptable use policy (AUP) for Internet access. That AUP might state that Internet access is only for business purposes. Then, if an end user is found using the Internet for personal reasons, he or she could face the consequences outlined in the governing policy.
More-Detailed Documents
Because the governing policy, technical policies, and end-user policies each target a relatively large population of personnel, they tend to be general in nature. However, a comprehensive security policy requires a highly granular treatment of an organization’s procedures. Therefore, more-detailed documents, such as the following, are often contained in a security policy:
- Standards: Standards support consistency within a network. For example, a standard might specify a limited number of operating systems to be supported in the organization, because it would be impractical for the IT staff to support any operating system that a user happened to select. Also, standards could apply to configuring devices, such as routers (for example, having a standard routing protocol).
- Guidelines: Whereas standards tend to be mandatory practices, guidelines tend to be suggestions. For example, a series of best practices might constitute a security policy’s guidelines.
- Procedures: To support consistency in the network, and as dictated by the previously mentioned standards, a security policy might include a collection of procedures. These procedures are very detailed documents providing step-by-step instructions for completing specific tasks (such as steps for configuring port security on a Cisco Catalyst switch).
Security Policy Responsibilities
The ultimate responsibility for an organization’s security policy rests on the shoulders of senior management (for example, the Chief Executive Officer [CEO]). However, senior management typically oversees the development of a security policy, as opposed to being intimately involved with the policy’s creation. Senior security or IT personnel usually are directly involved with the creation of the security policy. These individuals might create the policy themselves or delegate its creation. Examples of senior security or IT personnel include
- Chief Security Officer (CSO)
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
As soon as a security policy is created, the security and IT staff are responsible for implementing it within the organization’s network. End users are responsible for complying with the security policy.
Risk Analysis, Management, and Avoidance
Network security concerns mitigating risks to the network. Therefore, network security designers need to identify threats facing the network. This process is known as threat identification.
However, beyond basic identification of threats, a key design decision revolves around analyzing the probability that a threat will occur and the severity of the consequences if that threat does occur. This analysis is called risk analysis.
When performing risk analysis, one of two broad approaches can be used: quantitative or qualitative.
Quantitative Analysis
A quantitative analysis mathematically models the probability and severity of a risk. As an example of one quantitative analysis formula, consider the following:
ALE = AV * EF * ARO
This formula calculates the annualized loss expectancy (ALE). The ALE produces a monetary value that can be used to help justify the expense of security solutions. The factors contributing to the ALE value are defined in Table 2-5.
From two of these factors, another metric can be calculated. The single loss expectancy (SLE) value represents the expected monetary loss from a single occurrence of an anticipated risk. The SLE can be calculated from the following formula:
SLE = AV * EF
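The two formulas are easiest to appreciate when they are carried through for several threats and then used for the decision they exist to support: whether a proposed control is worth its annual cost. The following is an added example, not code or figures from the page. It implements SLE and ALE with the chapter's symbols (AV, EF, ARO), then goes one step beyond the page's formulas to the standard cost/benefit comparison (ALE before the control, minus ALE after it, minus the control's annual cost), which is what the cost/value ratio in the risk-analysis benefits list amounts to. The threat scenarios mirror the chapter's e-commerce example, but every asset value, exposure factor, occurrence rate and control cost is a hypothetical number chosen for illustration.

```python
"""Quantitative risk analysis: SLE, ALE, and the annual value of a safeguard.

Added example, not part of the original page. All monetary values, exposure
factors, occurrence rates and control costs are hypothetical.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF. EF is the fraction (0.0-1.0) of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = AV * EF * ARO. ARO is the expected number of occurrences per year
    and may be fractional (0.1 means roughly once every ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def control_value(ale_before, ale_after, annual_control_cost):
    """Annual value of a safeguard: the ALE it removes, minus what it costs per year.
    (Standard extension of the ALE model; not a formula from the page.)"""
    return (ale_before - ale_after) - annual_control_cost


# Constructed threat scenarios (threat, AV, EF, ARO) for the chapter's e-commerce
# example: server compromise, falsified transactions, denial of service.
SCENARIOS = [
    ("server compromise / card data theft", 2_000_000, 0.40, 0.2),
    ("falsified transactions",              500_000,  0.10, 2.0),
    ("denial of service on storefront",     300_000,  0.25, 4.0),
]

# Hypothetical controls: threat -> (annual cost, EF after control, ARO after control)
CONTROLS = {
    "server compromise / card data theft": (60_000, 0.40, 0.02),   # e.g. HIPS plus a patching program
    "denial of service on storefront":     (300_000, 0.25, 0.5),   # e.g. an upstream DoS mitigation service
}


def evaluate_controls(scenarios=SCENARIOS, controls=CONTROLS):
    """Return {threat: (ale_before, ale_after, net_annual_value)} for each controlled threat."""
    result = {}
    for threat, av, ef, aro in scenarios:
        if threat not in controls:
            continue
        cost, new_ef, new_aro = controls[threat]
        before = annualized_loss_expectancy(av, ef, aro)
        after = annualized_loss_expectancy(av, new_ef, new_aro)
        result[threat] = (before, after, control_value(before, after, cost))
    return result


if __name__ == "__main__":
    for threat, av, ef, aro in SCENARIOS:
        sle = single_loss_expectancy(av, ef)
        ale = annualized_loss_expectancy(av, ef, aro)
        print(f"{threat}: SLE={sle:,.0f} ALE={ale:,.0f}")
    for threat, (before, after, net) in evaluate_controls().items():
        verdict = "justified" if net > 0 else "not justified"
        print(f"control for '{threat}': ALE {before:,.0f} -> {after:,.0f}, net {net:,.0f} per year ({verdict})")
```

With these figures the host-hardening control pays for itself (it removes far more expected loss than it costs), whereas the DoS mitigation service costs more per year than the loss it prevents and would need a cheaper option or a qualitative argument (reputation, regulatory exposure) to justify. That is the point of producing a monetary ALE: it gives the capital request a number management can weigh.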
Qualitative Analysis
A qualitative analysis is often more appropriate than a quantitative analysis because of the large scale of the network being analyzed. For example, in a nationwide network deployment, it might be considered impractical to list all the assets installed in all facilities across the country. Therefore, a qualitative analysis uses a scenario model, in which scenarios of risk occurrence are identified.
Risk Analysis Benefits
The exercise of performing a risk analysis yields a variety of benefits:
- It identifies a cost/value ratio for the cost of security measures versus the anticipated value of the security measures.
- It justifies requested capital expenditures for security solutions.
- It identifies areas in the network that would benefit most from a security solution.
- It provides statistics for future security planning.
Risk Analysis Example: Threat Identification
As an example of the threat identification process, consider an e-commerce company that sells products online and collects customer credit card information as part of its transactions. Potential risks to such an e-commerce company might include the following:
- An attacker could compromise one of the e-commerce servers and potentially gain access to customer credit card information.
- An attacker could falsify transactions. This could, for example, cause the e-commerce server to inaccurately charge customers for products that customers did not purchase.
- An attacker could launch a denial-of-service attack on one of the e-commerce servers, rendering it unusable for legitimate transactions.
Managing and Avoiding Risk
Risk mitigation involves risk management and/or risk avoidance:
- Risk management: Risk management assumes that not all potential threats can be eliminated. It attempts to reduce the anticipated damage from risks to an acceptable level. For example, in the previous lists of potential threats, IPS, IDS, HIPS, and firewall solutions might be introduced to reduce the likelihood and impact of the identified threats.
- Risk avoidance: Risk avoidance can eliminate the identified risks by not exposing a system to end users. This would be impractical for the e-commerce application just mentioned. However, if network designers can identify a way to deploy a service while simultaneously eliminating potential risks, that approach could prove highly valuable.
Factors Contributing to a Secure Network Design
A common temptation when designing a security solution for a network is to make the network so secure that it cannot easily be used for its intended purpose. Therefore, when designing a network security solution, designers should recognize that business needs supersede all other needs. However, other factors do enter into the design equation. Consider the following elements of a secure network design:
- Business needs: Business needs dictate what an organization wants to accomplish with its network. Note that this need is the most important of all the needs.
- Risk analysis: As previously discussed, a comprehensive risk analysis can be used to assign an appropriate level of resources (for example, an appropriate amount of money) to a potential security risk.
- Security policy: Earlier in this chapter you read about the elements of a security policy. A security policy typically contains multiple documents, targeting specific audiences within an organization. These individual documents provide day-to-day guidance, relating to network security, for all organizational employees.
- Best practices: Rather than the mandatory rules imposed by a security policy, a set of best practices (developed internally and/or externally) can offer proven methods for achieving a desired result.
- Security operations: Day-to-day security operations entail responding to an incident, monitoring and maintaining a system, and auditing a system (to ensure compliance with an organization’s security policy).
Design Assumptions
A system’s security often becomes compromised because of incorrect assumptions made by the network designer or the person responsible for the initial network configuration. For example, the group of users assumed to be the routine users of a system might be incorrect. Also, the types of attacks to which a network might be subjected could be incorrectly assumed. To avoid making incorrect assumptions about network design and implementation, consider the following recommendations from Cisco:
- Analyze how the failure of one system component impacts other system components.
- Determine which elements in a network fail open. Specifically, suppose a security component of a network (such as an IPS appliance) fails. If that component defaults to a mode in which it forwards traffic, rather than performing its previous security function on that traffic, the component is said to be operating in fail-open mode. However, if a security component denies traffic that it cannot inspect, the component is said to be operating in fail-closed (also known as fail-safe) mode, which would be the more secure of the two modes.
- Identify all possible attacks to which a network might be exposed.
- Evaluate the likelihood that a particular attack will be launched against a network.
- If an attack seems unlikely because of required processor resources, extrapolate to consider the fact that processor resources will be more readily available in the future.
- Consider the inevitability of user error in compromising a system’s security.
- Subject your assumptions to review by other knowledgeable parties within your organization.
Minimizing Privileges
One approach to securing a network is to assign users the minimum privileges they require to complete their assigned duties. This approach, called the least-privilege concept, helps reduce potential system vulnerabilities resulting from a user being assigned too many privileges. Also, the least-privilege concept can expedite the identification of security weaknesses in a system.
In actual practice, however, the least-privilege concept is often challenging to implement consistently. For example, users might occasionally require a level of permission beyond that which they are currently assigned to accomplish a legitimate task. These “exceptions to the rule” might result in an unacceptable level of day-to-day configuration on the part of administrators and might also result in an overall loss of productivity.
To understand the least-privilege concept, consider Figure 2-3. The firewall only allows the user to communicate with the e-mail server via SMTP and/or POP3. This example of the least-privilege concept could result in an issue if web-based e-mail access were added. In such an instance, the user might attempt to connect to the e-mail server using HTTP to connect to the newly configured web-based e-mail feature. However, the user would be denied, because the firewall permits only SMTP and POP3 access to the e-mail server. Additional firewall configuration would then be required by the administrator to enable the web-based e-mail access.
Figure 2-3 Least-Privilege Concept
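Two of the design points in this section, the fail-open versus fail-closed behaviour from the design assumptions list and the least-privilege firewall of Figure 2-3, are both decisions about what happens to traffic that nothing has explicitly allowed. The following is an added example, not code from the page: a minimal first-match packet filter whose default is deny, loaded with the Figure 2-3 rule set (only SMTP and POP3 to the e-mail server), plus an inline inspection stage that can fail. It shows that the HTTP connection for the new webmail feature is dropped until an administrator adds an explicit rule, and that the same filter forwards or drops uninspectable traffic depending on its fail mode. The mail server address, the flows and the "inspector" are constructed for the example.

```python
"""Default-deny packet filter with explicit fail-open / fail-closed handling.

Added example, not the page's code. Addresses, ports, rules and the inspection
stage are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

MAIL_SERVER = "10.1.1.25"   # assumed address of the e-mail server in Figure 2-3


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    dst: str                # destination address, or "any"
    proto: str              # "tcp" or "udp"
    dport: Optional[int]    # None matches any destination port

    def matches(self, flow):
        return ((self.dst == "any" or self.dst == flow.dst)
                and self.proto == flow.proto
                and (self.dport is None or self.dport == flow.dport))


class Firewall:
    """First-match rule evaluation. No matching rule means deny (least privilege)."""

    def __init__(self, rules, fail_mode="closed"):
        if fail_mode not in ("open", "closed"):
            raise ValueError("fail_mode must be 'open' or 'closed'")
        self.rules = list(rules)
        self.fail_mode = fail_mode

    def policy_decision(self, flow):
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return "deny"   # implicit deny: anything not explicitly permitted

    def handle(self, flow, inspect):
        """Return 'forward' or 'drop'.

        `inspect(flow)` stands in for a content inspection stage such as an
        IPS: it returns True for clean traffic and raises if it cannot inspect
        (engine crash, resource exhaustion).
        """
        if self.policy_decision(flow) != "permit":
            return "drop"
        try:
            return "forward" if inspect(flow) else "drop"
        except Exception:
            # The design decision from the chapter: traffic the component could
            # not inspect is forwarded (fail-open) or denied (fail-closed).
            return "forward" if self.fail_mode == "open" else "drop"


# Least-privilege rule set from Figure 2-3: only SMTP and POP3 to the mail server.
MAIL_RULES = [
    Rule("permit", MAIL_SERVER, "tcp", 25),    # SMTP
    Rule("permit", MAIL_SERVER, "tcp", 110),   # POP3
]

# Rule the administrator must add once web-based e-mail access is introduced.
WEBMAIL_RULE = Rule("permit", MAIL_SERVER, "tcp", 80)


def clean_inspector(flow):
    """Inspection stage that finds nothing wrong."""
    return True


def broken_inspector(flow):
    """Inspection stage that has failed and cannot examine traffic."""
    raise RuntimeError("inspection engine unavailable")


if __name__ == "__main__":
    user = "192.0.2.50"   # constructed client address
    smtp = Flow(user, MAIL_SERVER, "tcp", 25)
    http = Flow(user, MAIL_SERVER, "tcp", 80)
    fw = Firewall(MAIL_RULES)
    print("SMTP to mail server:", fw.handle(smtp, clean_inspector))
    print("HTTP to mail server (no webmail rule yet):", fw.handle(http, clean_inspector))
    print("HTTP after adding the webmail rule:",
          Firewall(MAIL_RULES + [WEBMAIL_RULE]).handle(http, clean_inspector))
    for mode in ("open", "closed"):
        print(f"SMTP with a broken inspector, fail-{mode}:",
              Firewall(MAIL_RULES, fail_mode=mode).handle(smtp, broken_inspector))
```

The cost the chapter warns about is visible here: every legitimate new service (webmail, then whatever comes next) needs an explicit rule before it works, which is administrative effort, but it is also why an attacker who compromises the client cannot simply reach other ports on the mail server. The fail mode is the separate decision; a fail-closed device protects the network at the price of an outage when the inspection engine dies, so the outage path needs monitoring (the continuous-monitoring item of the operations and maintenance phase) rather than being discovered by users.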
Simplicity Versus Complexity
A final principle of security network design considers the complexity of a security solution. A complex security solution, by its nature, can make it difficult for network administrators to effectively troubleshoot security-related issues. Additionally, if users are faced with a complex security procedure they must perform to accomplish their tasks, they might seek a simpler work-around to improve their productivity.
Therefore, Cisco recommends the simplest solution possible that still accomplishes the desired results. A comparatively simple security solution can do the following:
- Help administrators more effectively troubleshoot security issues
- Encourage users to follow security practices
- Make security vulnerabilities more visible
User Awareness and Training
A properly written security policy and proper installation of security mechanisms can be rendered largely ineffective if the users of a system do not follow security best practices.
Therefore, a critical component of an effective security deployment is a security awareness program. For example, administrative assistants, accountants, and human resources employees might need periodic reminders to follow recommended security practices, because security is not the focus of their daily tasks. A security awareness program, which can provide continual reinforcement of security concepts for all end users, should do the following:
- Identify the scope of the program: A comprehensive program should provide training to all users of a system and/or network.
- Select trainers: The trainers should be competent at communicating current security issues.
- Identify groups of users to receive training: Because different categories of users require different training (for example, different users require varying levels of technical training), the end-user community should be categorized into different audiences.
- Encourage full participation: Obtaining management buy-in to a security awareness program can help motivate other users to participate.
- Continually administer, maintain, and evaluate the program: As a system’s security needs evolve, a security awareness program must be subjected to periodic review and be updated accordingly.
With proper awareness training in place, all categories of end users (such as executives, managers, staff, and temporary employees) can contribute to the network’s overall security.
Note that awareness training, a security policy, and properly installed network defenses are insufficient when used in isolation. However, these security elements complement one another when used together.
Creating a Cisco Self-Defending Network
Many modern security threats rapidly propagate across the Internet and internal networks. As a result, security components need to be able to respond rapidly to emerging threats. To combat these threats, Cisco offers the Cisco Self-Defending Network, which is its vision for using the network to recognize threats and then prevent and adapt to them. This section describes the implementation of the Cisco Self-Defending Network approach, which leverages Cisco products and solutions.
Evolving Security Threats
As computing resources have evolved over the past couple of decades, security threats have kept pace. For example, in the 1980s, boot viruses presented a threat to computer systems. However, such viruses took weeks to propagate throughout an individual network. During the 1990s, more-advanced viruses, denial-of-service (DoS) attacks, and other hacking attacks evolved. These attacks could impact multiple networks and propagate in a matter of days.
Modern networks face threats such as blended threats, which combine worm, virus, and Trojan horse characteristics. Such advanced threats can spread throughout regional networks in a matter of minutes. Future threats are anticipated to spread globally within just a few seconds.
One of the challenges of protecting against these evolving threats is the ambiguity of network boundaries. For example, consider the following:
- Port 80 traditionally is thought of as the port used for web traffic. Because it is often an open conduit entering “secured” networks, attackers can attempt to send malicious traffic in the form of port 80 payloads.
- Because traffic is often sent in an encrypted format (for example, using Secure Sockets Layer [SSL] or Transport Layer Security [TLS]), malicious traffic can often escape recognition (for example, by Intrusion Prevention System [IPS] or Intrusion Detection System [IDS] appliances).
- Clients often have multiple network connections (for example, a wireless laptop connected to a corporate wireless access point and also acting as a peer in a wireless ad-hoc network). Therefore, those clients might act as conduits for malicious users to access a “secured” network.
Constructing a Cisco Self-Defending Network
When a Cisco Self-Defending Network is constructed, consideration is given to how the individual security products work together. As a result, a Cisco Self-Defending Network integrates a collection of security solutions to identify threats, prevent those threats, and adapt to emerging threats.
Figure 2-4 highlights the three core characteristics of a Cisco Self-Defending Network, which are described in Table 2-7.
Figure 2-4 Cisco Self-Defending Network Core Characteristics
Cisco Self-Defending Networks can be more cost-effective, as compared to merely implementing a series of standalone solutions (also known as point solutions). This is because a complementary infrastructure simplifies management and administrative tasks. Similarly, equipment upgrade cycles can be better coordinated.
Construction of a Cisco Self-Defending Network begins with a network platform that has integrated security. Then, strategic security features such as the following are layered on top of the already secure foundation:
- Threat control: Strategies to contain and control threats include the following:
- Endpoint threat control defends endpoints against threats, typically sourced from the Internet, such as viruses and spyware.
- Infrastructure threat control protects servers and shared applications from internal and external threats.
- E-mail threat control blocks security threats sourced from e-mail, such as malicious attachments.
- Confidential and authenticated communication: Technologies such as IPsec and SSL VPNs can provide confidential and authenticated communications channels. Specifically, the Cisco Secure Communications solution offers a set of products that can be categorized into one of two broad categories:
- Remote-access communications security secures transmission to an organization’s network and applications via a secure tunnel formed across the Internet on an as-needed basis.
- Site-to-site communications security secures transmission between an organization’s primary site and other sites (for example, home offices or business partners) via an Internet-based WAN infrastructure.
- Management solutions: Products that provide system-wide control of policies and configuration offer a variety of benefits:
- Efficiency of rolling out a new policy to multiple devices while maintaining consistency of the configuration
- Comprehensive view of a network’s end-to-end security status
- Quick response to attacks
- Improved congruity with an organizational security policy
Figure 2-5 shows the hierarchical structure of a Cisco Self-Defending Network.
Figure 2-5 Cisco Self-Defending Network Hierarchical Structure
Cisco Security Management Suite
As an organization’s network begins to grow, end-to-end security management becomes a more daunting task. Fortunately, Cisco offers a suite of security management tools, the main components of which are Cisco Security Manager and Cisco Security Monitoring, Analysis, and Response System (MARS).
Cisco Security Manager
The Cisco Security Manager application can be used to configure security features on a wide variety of Cisco security products. From a scalability perspective, Cisco Security Manager can be useful on smaller networks (for example, networks with fewer than ten devices), and it can also help more efficiently manage networks containing thousands of devices. As a few examples, the Cisco Security Manager application offers these features:
- Provisioning security on a variety of Cisco platforms, including Cisco IOS-based routers, Cisco ASA 5500 series security appliances, Cisco PIX 500 series security appliances, Cisco IPS 4200 sensors, and the Advanced Inspection and Prevention Security Services Module (AIP-SSM), available for the Cisco Catalyst 6500 series switch platform
- Performing configuration tasks via a graphical interface
- Applying a centralized policy, which maintains consistency throughout a network and that can be inherited by newly installed devices
- Interoperating with Cisco Secure Access Control Server (ACS) to provide different sets of permissions to different users
NOTE The following URL offers a flash-based introduction to Cisco Security Manager: http://www.cisco.com/cdc_content_elements/flash/sec_manager/index.html
Cisco Security MARS
The Cisco Security MARS product offers security monitoring for security devices and applications. In addition to Cisco devices and applications, Cisco Security MARS can monitor many third-party devices and applications. As a few examples, Cisco Security MARS performs these functions:
- It uses event correlation to collect events from multiple devices in the network, thereby reducing the number of false positives.
- It identifies appropriate mitigation strategies for specific security challenges.
- It uses Cisco NetFlow technology to more readily identify network anomalies.
NOTE The following URL offers a flash-based introduction to Cisco Security MARS: http://www.cisco.com/cdc_content_elements/flash/security_mars/demo.htm
Cisco Integrated Security Products
A Cisco Self-Defending Network relies on a collection of complementary security solutions. Table 2-8 identifies some of the products available in the Cisco product line that could contribute to a Cisco Self-Defending Network.
Figure 2-6 Cisco ASA 5500 Series Security Appliances
Figure 2-7 Cisco PIX 535 Security Appliance
Figure 2-8 Cisco 4200 Series IPS Appliances