Developers: Croc
Last Release Date: 2015/12/12
Technology: IaaS - Infrastructure as a Service, Data processing centers - technologies for DPC
The Managed Information Security service (Cisco Powered Managed Security) is a set of technological solutions aimed at securing network infrastructure.
The Managed Information Security service (Cisco Powered Managed Security) includes installation and configuration of the following information security components:
- firewalls;
- intrusion detection system.
Features of the service:
- fast deployment and setup of the service;
- flexible scaling of the service to the customer's changing requirements;
- no support and maintenance costs for the customer;
- use of proven and certified security solutions.
Firewalls
Cisco chassis with firewall modules operate as software firewalls, each of which processes traffic in multi-context mode at 10 Gbps. To increase the fault tolerance of server applications, both the chassis and the modules are duplicated. All firewall modules, within one chassis and across chassis, are combined into a cluster. The cluster interfaces connect to the customer's core network switches using EtherChannel. The cluster members communicate with each other over an isolated VLAN that is present both on the firewall modules and on the core network devices. All cluster members are active and balance the passing traffic among themselves. If one Cisco ASA chassis fails, traffic transparently moves to the working Cisco ASA chassis; if one ASA module fails, traffic is redirected to a less loaded operational ASA module in one of the Cisco ASA chassis, which provides high availability and redundancy of network services.
When a cluster module fails, all subsequent packets are redirected to the remaining modules, which balance the load among themselves. Traffic is carried over 10 Gbps interfaces, which also connect to the core network switches using EtherChannel with the LACP protocol, in line with the vendor's recommendations. Clustering the firewalls provides high redundancy and aggregated throughput: one module handles traffic at 10 Gbps in multi-context mode, and the cluster of firewall modules as a whole provides up to 28 Gbps.
The firewall routes traffic using static routing and EIGRP dynamic routing. The access network of each system is reachable via the corresponding VLAN interface of the core switch. The firewall protects the customer's internal network from unauthorized access and various attacks. Application-level traffic inspection (Application Inspection) is configured for analysis. All traffic passing through the firewall is analyzed using an adaptive security algorithm. As part of this traffic analysis, the firewall can also reveal security risks in the enterprise network.
The firewall provides the following functionality:
Support of Network Address Translation (NAT)
Allows the customer to use non-unique (private) addresses and to hide the internal address space behind one or several public addresses. An attacker therefore cannot reach these devices simply by learning a private address. The NAT service also lets hosts with private (local unicast) addresses access the Internet by translating the addresses in the IP header.
Support of De-Militarized Zone (DMZ)
This service is used when the customer needs to protect servers published on the Internet. The network is usually divided into segments, each with its own security level. For example, the internal zone has the highest security level and the Internet the lowest. The standard protection policy permits connections from inside to outside, but not the reverse. Users on the internal and external interfaces need access to the servers located in the DMZ segment, which usually has an intermediate security level: lower than the internal interface but higher than the external one. The DMZ cannot initiate a session into the internal network.
Support of stateful firewall inspection
Stateful firewall inspection tracks the state of traffic and connections in order to permit legitimate return traffic to "come" from the Internet into the corporate network. This is achieved by monitoring the sessions established from inside to outside; only for such sessions are the return packets allowed back in. Not only the interface from which the packet arrived is checked, but also the state of the traffic and connections. An example is the TCP handshake: when a session is established, a SYN is sent and a SYN-ACK comes back in reply if the session is set up.
Support of authentication proxy
This option allows network administrators, where necessary, to create security policies (individual for each user) that grant access to the network only after successful authentication. If authentication fails, or the rules loaded for this user do not permit specific traffic, the user will not get access to the requested resource.
Support of transparent firewall
Needed when firewalls must be deployed without disrupting routing (i.e. the firewalls should be transparent and not require changes to the settings of other equipment). For this purpose the firewalls support a special transparent mode, whose only condition is that the ingress and egress interfaces for the traffic must be different.
Support of stateful inspection for encrypted traffic
If encryption (VPN or HTTPS) is used to provide external services, the firewall will not see the traffic contents. To check the traffic against security policies, a special design is used that first decrypts the traffic (VPN or SSL decryption). If required, the traffic can be re-encrypted and forwarded.
Identification of users and providing access
The firewall tracks the state of sessions and their number. This guarantees protection against memory exhaustion on the device and against increased CPU load (on both the firewall and the end devices). Access control lists (ACLs) allow users to be segmented when working with resources (both external and internal), and split tunneling technology describes the rules that determine whether user traffic is to be encrypted or not.
Application control
Packet content inspection technology allows the firewall to detect instant-messaging and peer-to-peer traffic and to block it if necessary. Packet contents are checked for consistency between the packet headers and the payload for known formats (HTTP, SMTP, etc.); if, for example, a packet on TCP/80 carries something other than HTTP, or the HTTP header is malformed, such traffic is dropped to prevent this undesirable traffic from affecting the server.
Control of Internet Control Message Protocol (ICMP)
The firewalls can monitor the operation of the ICMP protocol. In particular, ICMP replies from outside are allowed only if the request was sent from inside, and only echo-reply, time-exceeded, destination-unreachable and timestamp-reply packets are expected in that case.
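The DMZ security-level policy, the stateful TCP inspection and the ICMP reply control described above are all decisions made against one connection table. The following is an added example (not code from Croc or Cisco; zone prefixes, addresses and the published DMZ service are constructed) that models those three rules in Python: a new TCP session may only be opened from a higher security level to a lower one, or to an explicitly published DMZ server; return packets pass only when they belong to a tracked session; and an ICMP reply from outside passes only for an outstanding inside request and only for the reply types the page lists. The ICMP error handling is a simplification: a real firewall matches the original datagram embedded in the error message, whereas this model only checks that the addressed host has a request outstanding.

```python
import ipaddress
from dataclasses import dataclass, field

# Interface security levels from the DMZ description: inside highest, Internet lowest,
# DMZ in between. A new session may only be initiated from a higher level to a lower one.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}

# ICMP reply types the firewall waits for after an outbound request.
ICMP_REPLY_FOR_REQUEST = {8: 0, 13: 14}   # echo-request -> echo-reply, timestamp -> timestamp-reply
ICMP_ERROR_TYPES = {3, 11}                # destination-unreachable, time-exceeded


@dataclass
class Packet:
    proto: str                        # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: int = -1


@dataclass
class StatefulFirewall:
    zones: dict                                     # interface name -> prefix (constructed)
    published: set = field(default_factory=set)     # (dmz_ip, port) reachable from outside
    tcp_sessions: set = field(default_factory=set)  # (src, sport, dst, dport) in original direction
    icmp_pending: set = field(default_factory=set)  # (requester, target, expected reply type)

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, prefix in self.zones.items():
            if addr in ipaddress.ip_network(prefix):
                return name
        return "outside"    # anything outside the configured prefixes is the Internet

    def may_initiate(self, ingress, egress, dst, dport):
        """Default policy: higher level -> lower level, plus explicitly published DMZ servers."""
        if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
            return True
        return egress == "dmz" and (dst, dport) in self.published

    def handle(self, pkt):
        """Return 'permit' or 'deny' for one packet, updating the connection tables."""
        ingress, egress = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if pkt.proto == "tcp":
            return self._handle_tcp(pkt, ingress, egress)
        if pkt.proto == "icmp":
            return self._handle_icmp(pkt, ingress, egress)
        return "deny"

    def _handle_tcp(self, pkt, ingress, egress):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.tcp_sessions or rev in self.tcp_sessions:
            return "permit"                 # belongs to a tracked session (either direction)
        if pkt.flags == frozenset({"SYN"}) and self.may_initiate(ingress, egress, pkt.dst, pkt.dport):
            self.tcp_sessions.add(fwd)      # new session opened in a permitted direction
            return "permit"
        return "deny"                       # unsolicited SYN-ACK, stray data, or wrong direction

    def _handle_icmp(self, pkt, ingress, egress):
        if pkt.icmp_type in ICMP_REPLY_FOR_REQUEST:           # a request
            if SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]:
                self.icmp_pending.add((pkt.src, pkt.dst, ICMP_REPLY_FOR_REQUEST[pkt.icmp_type]))
                return "permit"
            return "deny"                                     # requests from outside are not accepted
        reply = (pkt.dst, pkt.src, pkt.icmp_type)             # reply flows from target back to requester
        if reply in self.icmp_pending:
            self.icmp_pending.discard(reply)                  # exactly one reply per request
            return "permit"
        if pkt.icmp_type in ICMP_ERROR_TYPES and any(req == pkt.dst for req, _, _ in self.icmp_pending):
            return "permit"   # error from an intermediate router about a request this host sent
        return "deny"
```

Run a sequence of packets through `StatefulFirewall.handle` to see the table fill and drain: an inside SYN opens a session and its SYN-ACK is accepted, while the same SYN-ACK arriving with no matching session is denied; a second echo-reply for one echo-request is denied because the pending entry was consumed by the first.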
Java blocking
Packet content inspection technology allows the firewall to detect Java in HTTP traffic. Since execution of Java code can cause harm, HTTP traffic carrying Java code can be dropped to prevent this undesirable traffic from affecting the server or the end user.
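The application control and Java blocking passages above both rest on the same check: parse what arrives on TCP/80 as HTTP and drop it when it is not HTTP, when the header is malformed, or when a response carries Java content. The following is an added example (not code from Croc or Cisco; the grammar fragments follow the HTTP/1.x request line, status line and header field syntax, and the Java indicators are the class-file magic number, applet tags and Java MIME types) that implements that check in Python.

```python
import re

# Grammar fragments of HTTP/1.x: request line, status line and a single header field.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) [^\s]+ HTTP/1\.[01]$")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5][0-9]{2}(?: [^\r\n]*)?$")
HEADER_FIELD = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")

# Indicators of Java content in an HTTP response: class-file magic, applet tag, Java MIME types.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
JAVA_MARKERS = re.compile(rb"<applet\b|application/x-java-applet|application/java-archive", re.I)


def split_message(payload):
    """Split an HTTP message into its header lines and body; (None, None) if no header terminator."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None, None
    return head.split(b"\r\n"), body


def is_wellformed(payload, direction):
    """True if the start line and every header field parse as HTTP/1.x."""
    lines, _ = split_message(payload)
    if lines is None:
        return False                      # no header block at all: not HTTP
    start = REQUEST_LINE if direction == "request" else STATUS_LINE
    if not start.match(lines[0]):
        return False
    return all(HEADER_FIELD.match(line) for line in lines[1:])


def contains_java(payload):
    """True if a response carries a Java class file, archive or applet reference."""
    _, body = split_message(payload)
    if body is None:
        return False
    return body.startswith(JAVA_CLASS_MAGIC) or JAVA_MARKERS.search(payload) is not None


def inspect_port80(payload, direction, block_java=True):
    """Decide 'pass' or 'drop' for one HTTP message seen on TCP/80 in the given direction."""
    if not is_wellformed(payload, direction):
        return "drop"        # non-HTTP protocol or malformed header on the HTTP port
    if block_java and direction == "response" and contains_java(payload):
        return "drop"        # Java blocking
    return "pass"
```

Call `inspect_port80(message, "request")` for client-to-server data and `inspect_port80(message, "response")` for server-to-client data; a protocol banner that is not HTTP, a header line without a colon, or a response whose body starts with the Java class-file magic all come back as "drop".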
Control of Session Initiation Protocol (SIP)
The firewall inspects the contents of SIP packets, which are responsible for voice traffic signaling. Because the SIP packet header contains the IP addresses of the participants, while NAT changes only the IP packet headers, passing through NAT breaks SIP. SIP control allows the SIP packet header to be rewritten and checked for correctness and RFC compliance.
Support of H.323 protocol
Control of the SCCP and H.323 protocols allows signaling and media traffic to be controlled. It makes it possible to rewrite the IP addresses in packet headers and to dynamically open permit rules for media traffic when the initiation of a voice call is detected in the signaling.
Fault tolerance of firewalls
To ensure fault tolerance at the hardware level, the High Availability solution is used, which allows a standby firewall to replace the failed active firewall; all session state information of the active firewall is continuously replicated to the standby, so the current sessions are not dropped and do not need to be re-established.
Configuration backup
The firewall can export the equipment configuration not only locally to flash but also to external storage. For system recovery, the configuration can also be imported from an external storage system. The TFTP, FTP, HTTP, HTTPS and SCP protocols are supported for export and import.
Intrusion detection system
The intrusion detection system provides the following functionality:
Intrusion detection capabilities
Since any malware has characteristic behavior that can be described by a certain template, the IPS detects traffic matching such templates, which are described in advance in the system (these templates are called signatures).
Service profiling
Since checking traffic against signatures is a resource-intensive process, the correct approach is to analyze the customer's network and its traffic and determine which signatures need to be enabled.
Intrusion monitoring
To describe malware behavior in signatures, so-called engines are used, each responsible for a fundamentally different kind of behavior. The choice of the correct engine when describing a signature determines exactly how the traffic will be tracked: by the contents of a single packet, by a character sequence spread across a set of packets, by the number of end devices participating in the traffic exchange in the direction of the attack, etc. When a signature fires, a message with information on the threat type and its rating is generated.
Management of signatures
The signature database is constantly updated from the Cisco.com website. It is possible to create a custom signature describing traffic behavior using one of the engines. Signatures can be enabled or disabled, and the reaction on firing can be changed (notify, drop, execute a TCP reset, modify contents, etc.).
Incident processing
The behavior of some software is spread over time or directed at a group of end devices. In this case, if the same threat repeats 100 times within some period or is directed at 100 end devices, the IPS will register it as 100 signature firings. Such behavior complicates analysis of the problem and increases the number of messages in the log. To avoid redundant messages, the summarization (Summarizer) and meta-event generation (Meta Event Generator) functions are used. The Summarizer generates only one event that reports the number of similar firings, and the meta-event generator allows several events to be combined into one. For example, if signatures A, B, C and D fired, and all of them describe the same virus operating via different techniques, only one event E=A+B+C+D describing the group behavior of these signatures will be created.
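The two reduction steps described above, the Summarizer and the Meta Event Generator, can be shown on a constructed alert stream. The following is an added example in Python (not code from Croc or Cisco; the alert tuples, the attacker and victim addresses and the meta-signature table are constructed) that takes 104 raw firings, collapses the 100 repeats of signature A into one summarized event carrying a count and a target total, and then merges the A, B, C and D events from the same attacker into a single meta event E, leaving an unrelated signature untouched.

```python
from collections import Counter, defaultdict

# Constructed sample of raw signature firings (not from the page): (signature, attacker, victim).
# Signature A fires once against each of 100 internal hosts; B, C and D fire once each from the
# same attacker; an unrelated signature F fires once from another source.
RAW_ALERTS = (
    [("A", "198.51.100.7", f"10.0.0.{i}") for i in range(1, 101)]
    + [("B", "198.51.100.7", "10.0.0.1"),
       ("C", "198.51.100.7", "10.0.0.1"),
       ("D", "198.51.100.7", "10.0.0.2")]
    + [("F", "203.0.113.9", "10.0.0.3")]
)

# Meta-signature definitions: E = A + B + C + D, as in the page's example (constructed table).
META_SIGNATURES = {"E": frozenset({"A", "B", "C", "D"})}


def summarize(alerts):
    """Summarizer: one event per (signature, attacker) carrying the number of firings
    and the number of distinct targets, instead of one event per firing."""
    counts = Counter()
    targets = defaultdict(set)
    for sig, attacker, victim in alerts:
        counts[(sig, attacker)] += 1
        targets[(sig, attacker)].add(victim)
    return [
        {"signature": sig, "attacker": attacker, "count": n, "targets": len(targets[(sig, attacker)])}
        for (sig, attacker), n in counts.items()
    ]


def generate_meta_events(events, meta_signatures=META_SIGNATURES):
    """Meta Event Generator: when every component signature of a meta-signature has fired
    from the same attacker, replace those events with one meta event; others pass through."""
    by_attacker = defaultdict(dict)
    for ev in events:
        by_attacker[ev["attacker"]][ev["signature"]] = ev
    result = []
    for attacker, evs in by_attacker.items():
        consumed = set()
        for meta, components in meta_signatures.items():
            if components <= set(evs):
                result.append({
                    "signature": meta,
                    "attacker": attacker,
                    "count": sum(evs[c]["count"] for c in components),
                    "components": sorted(components),
                })
                consumed |= components
        result.extend(ev for sig, ev in evs.items() if sig not in consumed)
    return result


def process(alerts):
    """Full pipeline: raw firings -> summarized events -> meta events."""
    return generate_meta_events(summarize(alerts))
```

`process(RAW_ALERTS)` reduces the 104 raw firings to two events: meta event E with a combined count of 103 from the single attacker, and the lone F event. The meta-signature table is keyed per attacker on purpose: A from one source and B, C, D from another do not describe one coordinated piece of software and should stay separate.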
IPS redundancy
Since the IPS is an independent module in the Cisco ASA and a failure of this module can stop traffic forwarding, a special mechanism has been developed in which the active Cisco ASA monitors the state of the IPS module and, if it fails, switches over to the standby Cisco ASA with a working IPS module. This avoids data loss in case of an IPS malfunction.