Home > Articles

  • Print
  • + Share This
This chapter is from the book

Summary

This chapter explained defense-in-depth combined with the self-defending network.

The layers of the self-defending network are the following:

  • Authentication layer
  • Perimeter layer
  • Network intrusion-prevention layer
  • Host intrusion-prevention layer
  • Security best practices

Table 2-2 outlines some the different network devices and their capability to self-defend inside your network.

Table 2-2. Network Devices and Self-Defending Capabilities

Cisco firewalls and ASA appliances

Accept and apply commands called shuns that stop traffic flows that Cisco IPS devices have identified.

Accept and apply access control lists that Cisco Incident Control servers have generated, to block new network outbreaks such as high-priority worms and viruses.

Send syslog files to CS-MARS for correlation and analysis to be used with syslogs and events from other security servers. CS-MARS uses this data to determine threat conditions and to formulate the correct response to that threat.

Send SNMP data to CS-MARS to report high CPU utilization conditions, enabling CS-MARS to take defensive action to protect the CPU that might be getting attacked.

Send critical data to CS-MARS to allow for network topology discovery.

IPS appliances, IPS Service Modules, ASA Security Services Modules, and integrated security routers running IPS

Send Security Device Event Exchange (SDEE) alerts to CS-MARS for correlation and analysis to be used with syslogs and events from other security servers. CS-MARS uses this data to determine threat conditions and to formulate the correct response to that threat.

Recognize attacks and send shuns to firewall and Cisco IOS devices, to protect against malicious flows.

Recognize attacks and send commands to rate-limit malicious traffic.

Recognize attacks and drop traffic in-line to protect network assets of both hosts and network devices.

Analyze destination hosts to determine the probability of an attack succeeding.

Send critical data to CS-MARS to allow for network topology discovery.

Host intrusion-prevention technology (CSA)

Recognizes and stops bad behavior on a host or server. Updates itself with globally correlated data and then automatically creates and deploys resulting rules that will stop security outbreaks, network scans, and hacker reconnaissance activity.

Kills applications that are behaving badly.

Sends alerts to CS-MARS for correlation and analysis to be used with syslogs and events from other security servers. CS-MARS uses this data to determine threat conditions and to formulate the correct response to that threat.

Cisco Network Admission Control

Works with routers, access points, VPN concentrators, and switches to stop hosts from accessing your network if those hosts do not have the proper security posture.

Takes protective action and can shut down a Layer 2 port if it's determined that a host is behaving badly.

Sends alerts to CS-MARS for correlation and analysis to be used with syslogs and events from other security servers. CS-MARS uses this data to determine threat conditions and to formulate the correct response to that threat.

CS-MARS extends the self-defending network by providing a much-needed layer of automated threat identification and response.

The following features of CS-MARS were discussed:

  • Automated log integration—Provides a single source for log aggregation
  • Automated threat response—Automatically learns the network topology, analyzes security alerts, and provides up-to-date accurate threat information.
  • Automated mitigation—Automatically evaluates existing threats and recommends a mitigation action to security responders that will stop or contain the threat in the network.

Now that you understand the role that CS-MARS plays in your network from a technical or engineering standpoint, you examine in the next chapter how this technology can result in cost savings.

  • + Share This
  • 🔖 Save To Your Account