The presentation was on the Cisco Systems Secure Architecture For Enterprise (SAFE). Grace Lo, the local Account Manager of Cisco systems, said that Steve Smith used to work for Cisco and still supports Cisco. She recommended people should contact her if they wanted information about Cisco and contact Scott for technical questions.

Scott stared out by saying he was formerly a Cisco engineer and still has close ties to Cisco. He said he will only scratch the surface of Cisco's security software but will give references to Cisco websites where you can go into it in depth. They have design documents and white papers on how they developed security processes. He graduated from Texas Tech with EE and CS degrees and went to work at China Lake, JPL, Cisco and TRW and he then started his own company. He has obtained a lot of different perspectives on how people view security.

He started out with a Cisco SAFE overview and moved into the security concerns.

Why is security the key important thing that is considered when they go into a customer's location? What are the vulnerabilities? There were 2524 new vulnerabilities in 2003 directly related to information technology infrastructure. High targetable vulnerabilities such as denial of service (DOD) attacks are things that will bring your network down and cost you money. There are "blended threats" and these provide the greatest risks. Past attacks were obvious, sent through firewalls and directly to a PC, and they were very specific and easy to identify. The blended threats are ever changing and evolving. Some viruses will change themselves depending upon the security procedures they encounter. Attacks happen and they are worldwide. They cost companies millions of dollars. Companies experience 30+ attacks per week and there has been a 2000% increase (93-02) in financial losses from hacker caused denial of service. The average amount of money spent on IT security, .0025% of their expenses, is slightly less than they spend on coffee.

He recommended building on the SAFE architecture to mitigate these attacks. Networks started out fairly simple but have evolved to include multiple locations, mobile users and wireless networks. You can protect your core network, but what happens when someone logs in outside the network and downloads a virus? Network telephony opens up some more vulnerability.

Cisco has developed an umbrella approach to security. They work with many different companies and vendors that make applications that integrate with Cisco systems. They provide a self-defending network with integrated security and system level solutions. You can use analogies about the security of a bank. Firewalls and network ACCS are like a door. Network scanners, policy management, authorization and access control are like Surveillance cameras and guards. Virtual Private Networks (VPNs) protected by encryption are secure transport. A lot of companies are going away from internal networks to secure public networks as they get larger and are dispersed. The bottom line is that a network down for 49 hours costs about $93,000.

Scott gave three references for sites that have excellent information on network security.
     www.cisco.com/go/safe
     www.securityfocus.com
     www.faqs.org/faqs/computer-security

Scott asked for suggestions from the audience and www.insecure.org was recommended.

Fundamentals are that attack mitigation should be based on policy through infrastructure (not just specialized services) and must be cost effective. There must be secure management and reporting and authentication authorization must be used for access to critical network resources. Intrusion detection for critical resources and subnets must be used. Policies must be continuously evaluated and updated. SAFE is a security architecture that provides the ability to accomplish all of these and there are multiple layers of defense.

Grace Lo said that Cisco built a network, secured it and attacked it, and they built architectures for different types of systems. Information about this is on the Cisco website.

Scott Smith said that routers are targets. Scott described a number of methods used to attack routers. To protect them, lock down Telnet access and Simple Network Management Protocol (SNMP), control access to routers by using Terminal Access Controller Access Control System Plus (TACACS+) and turn off unneeded services. Log at all the appropriate levels, so you know what is happening, and authenticate routing updates.

Switches are also targets so arrange switches as securely as possible. Use a secure shell (SSH) to manage your devices. There is a product called Putty software that is a very good application. For information do a google search on putty and security software and numerous references will be received. Use access lists to restrict access with passwords. Scott went through a description of a number of ways to improve switch security.

The network is a target. He said don't leave all of your ports open on the network. Using private networks not accessible from outside is one way of achieving security. The most difficult attacks to deal with are DOS that work by causing many machines to simultaneously send spurious data to an IP address. This makes the entire network unresponsive. More sophisticated attacks use port 80 traffic with the ACK bit set so the net traffic appears to be legitimate. Authentication is difficult to achieve because things looks like normal traffic. Follow filtering guidelines in RFC1918 and RFC 2827. (RFC is Request for Comment. 1918 is on private address space, and 2827 is on address spoofing and DOS.)

The biggest thing is that applications are targets. How applications make calls to other applications or the OS, and the privilege level at which applications have a degree of trust must be considered. There is a lot of worked in protecting against attacks through applications, but it is very necessary.

What should you expect? 80% of the threats come from internal users. These can be disgruntled employees, corporate spies, visiting guests, and inadvertent bumbling users. Bumbling users is one of the big ones. 20% of the threats come from publicly addressable ports connected to the Internet. These are typically DOS attacks. There are system layer vulnerabilities and there are attacks from applications and POS attacks.

Enterprise Safe Architecture covers screens and the management module, and key devices. Firewalls stop threats at a very basic level. Threats are propagated by attempting unauthorized access and ID spoofing is attempted. Packet sniffers are used to try to measure traffic on your net. There are threats wherever users are connected to the network at layer 2 switches, user workstations or IP phones.

The server module is where users are connected to the network and are the lifeblood of your network. Key devices are layer 3 switches, call manager, corporate and dept. servers. Vulnerabilities occur at Email servers using SMTP & POPS. Application area attacks are very serious and difficult to protect against. VPN is used to provide encryption protection.

CISCO Security Agent (CSA) provides the transition from detection to protection at end point, from signature based to policy based, and is also based on previous measured good and bad behavior. It is a move from multiple products to a single agent. It aggregates multiple security functionality in one agent and moves from security updates to zero-update protection. The behavior-based architecture changes the desktop and server paradigm. Run CSA along with your anti-virus software, CSA doesn't eliminate that requirement. Cisco products handle very high traffic rates. CSA provides behavior protection from attacks and eliminating the ability to propagate threats is a key to its success.

Wireless is very simple to install and turn on but is vulnerable unless protected by VPN encryption that begins right at login. Everyone is seeing the packets passing back and forth because wireless is a shared medium.

AES (Advanced Encryption Standard) covers more than just encryption. For details do a google search on AES and encryption and numerous references will be provided.

Scott Smith gave an excellent presentation with a very large amount of information on network security. Anyone interested in software security and network security in particular should really have been at this meeting. If you weren't there you did not get a chance to listen to his answers to questions and this report does not cover most of them. However, if you were not there you can contact him at Sasmith@sasnetsolutions.com and you can go to his home page at www.sasnetsolutions.com.

This was the fourth meeting of the LA Chapter year and was attended by 16 persons.
Mike Walsh, LA ACM Secretary