Integrated Security: Defending Against Evolving Threats With Self-Defending Networks


ZDCISCO-0403-WP1 3/8/04 9:50 AM Page 1

WHITE PAPER

Integrated Security:
Defending Against Evolving Threats
with Self-Defending Networks
The Cisco Self-Defending Network Initiative outlines the need for intelligent and integrated
security that is deeply embedded in a company’s technology and network infrastructure

Given new privacy legislation, the high value of intellectual property, and the threat of embarrassment and expensive litigation if customer data falls into the wrong hands, corporations today must aggressively defend their networks against attack. A solid foundation is needed—one that is protected from the destructive and insidious attacks that may invade and destroy the infrastructure of a business. Worms, viruses, Trojan horses, and blended threats move in faster than ever before and can cause extensive damage before they are even identified. Additionally, directed attacks from inside and outside of the network can cause significant financial damage and irreparably tarnish a company’s reputation with its customers.

Although security measures have become more proactive, capable, and integrated in recent years to combat new threats, many companies are still vulnerable. For networks that rely on reactive, signature-based, or patch-based point solutions like operating system patches or antivirus product updates, for instance, time is on the side of intruders—even before new updates or patches can be installed, intrusions can cause costly and sometimes irreparable damage. Perimeter defenses are unable to fully protect a company, as many worms are smart enough to get through them—and many threats are actually introduced behind the firewall by apathetic or unknowing employees.


As the nature of threats continues to evolve, so must the defense posture of the enterprise. To deal with new threats, corporations must create self-defending networks that address known and unknown attacks the instant they appear. Point solutions alone will fail. These self-defending networks must work at many levels in order to:
• Identify threats
• React appropriately to the severity level of the threat
• Isolate infected servers and clients
• Reconfigure network resources to mitigate damage in response to an attack

The foundation of a self-defending network is integrated security—security that is embedded throughout the network. Every device on the network—including desktops and servers at headquarters or across the WAN—plays a part in securing the networked environment. Such systems help to ensure the privacy of information transmitted, protect against internal and external threats, and clearly delineate who and what can and cannot access the network.

Solutions for Building Self-Defending Networks
Corporations must implement products, architectures, and policies that create a systematic approach to the end-to-end security concerns of global e-business today. Cisco Systems® Integrated Security solutions incorporate three elements that are critical to effective network security:
• Threat defense systems—Address network and system protection with technologies such as firewalls and intrusion detection solutions that combat threats from internal and external sources
• Secure connectivity systems—Help to ensure that sensitive communications are kept secret and intact while being transported across both public and private networks with technologies such as IP Security (IPSec) and Secure Sockets Layer (SSL) VPNs
• Trust and identity management systems—Help companies identify and then permit or restrict access to network resources (for both people and machines)

Centralized management and control with intelligent event consolidation and correlation, as provided by the Cisco Threat Defense System, keeps security staff focused on real issues rather than false positives. The SAFE Blueprint from Cisco (http://www.cisco.com/safe) outlines flexible deployment options for each of these elements.

Below, the three critical elements of network security are discussed in greater depth.

Threat Defense Systems
Threats today—both known and unknown—are more destructive, frequent, and far-reaching than ever before. The Cisco Threat Defense System uses multiple security technologies and advanced networking intelligence to defend effectively against attacks. Most companies understand the need for layered security that extends throughout the network and out to servers and desktops, but struggle to implement a fully integrated security solution. Threat defense must be addressed on a network level with all parts working together to identify, prevent, and adapt to new security threats.

Threat defense starts with a perimeter defense using firewalls, secure perimeter routers, and intrusion detection systems. The network interior must be protected as a second line of defense from external attacks, and as a first line of defense against attacks that begin inside a company. Cisco routers, Cisco Catalyst® switches, and wireless access points benefit from the strong security incorporated in Cisco IOS® Software.

Next, desktops, notebooks, and servers must be secured. Perpetrators of attacks frequently use Web-based or e-mail channels to infect these computers, and then use them as bases for further destructive operations. But while signature-based antivirus software and operating system patches serve to harden these endpoints, they cannot protect computers from new and unknown attacks.

The Cisco Security Agent, an integral part of the Cisco Threat Defense System, provides proactive protection against unknown attacks. In the minutes, hours, or days that pass between first infection and the availability of a patch or virus definition update, the Cisco Security Agent locks down any unauthorized activity emanating from an infected computer and contains the damage from any new attack. The Cisco Security Agent complements traditional antivirus and operating system patches with a behavioral approach to prevent damage and give a company breathing room until appropriate patches can be installed. It also works in conjunction with Cisco VPN client software, so only protected machines can gain access to the network through secure VPNs.

The Cisco Threat Defense System proactively defends the business, applications, users, and the network by:
• Enhancing security in the existing network infrastructure
• Adding dedicated security technologies to critical parts of the network
• Adding comprehensive security at the endpoints

This system offers a security fabric to protect businesses from operational disruption, lost revenue, and loss of reputation. With centralized management and control, companies can identify, prevent, and adapt to any external or internal security threat.

Secure Connectivity Systems
Information often travels beyond corporate boundaries, where it can become the target of “man-in-the-middle” attacks. Today’s companies conduct operations in many diverse locations and must securely extend the same applications offered within headquarters to remote offices and to remote and mobile workers. While the improved productivity that can be realized by enabling mobile and remote workers is certainly a boon, it is also extremely important to protect the privacy of all IP communications (voice, video, and data) as information travels across untrusted domains such as the Internet or other public networks. Security solutions must be integrated with other critical IP network services important for remote connectivity—such as quality of service (QoS) and load balancing—so that connections are protected without sacrificing performance.

Cisco offers secure VPN technology in several access routers and security appliances to cost-effectively and securely connect any remote office, regardless of size. Cisco VPN solutions offer flexible, reliable encryption and authentication along with the integration of dynamic routing, multiprotocol support, and numerous connectivity options. To simplify provisioning at smaller remote sites, Cisco integrates the same advanced IPSec VPN technology into the network access devices commonly used by remote offices, so a single device can handle both connectivity and security requirements.

Remote workers typically connect to corporate offices using always-on broadband connections such as those provided by cable or digital subscriber line (DSL) services. For these workers—as well as mobile workers accessing corporate data through high-speed connections in hotel rooms or public wireless hotspots—Cisco offers a suite of SSL VPN solutions that are ideal for simplified and secure remote access. This access, coupled with the Cisco Security Agent, helps to ensure a secure connection back to a central office for remote and mobile workers.

LAN connections have traditionally been considered trusted networks. However, according to leading security firms, internal threats are ten times more financially damaging than external threats. Therefore, preserving the confidentiality and integrity of the data and applications that traverse wired or wireless LANs needs to be an important part of business decisions. Cisco Aironet® wireless LAN solutions incorporate dynamic Wired Equivalent Privacy (WEP) to protect the privacy of wireless transmissions.

The Cisco Secure Connectivity System effectively extends the network to remote offices and remote and mobile workers—without sacrificing security.

Trust and Identity Management Systems
The Cisco Trust and Identity Management System is critical for e-business, underpinning the creation of a self-defending network. The system provides or denies access to business applications and networked resources based on the specific privileges and rights of a user or device. These users or devices may be internal or external to a company and can include employees, consultants, partners, suppliers, or customers accessing the network.

While authentication, authorization, and accounting (AAA) technologies implemented for user management still form the basis of trust and identity management systems, companies must extend the notion of these systems beyond just a semi-static set of rules managed by administrators to provision users. To handle today’s security threats effectively, trust and identity systems must be implemented as dynamic services through which users and devices can be quarantined, denied, or provided restricted access in real time, based on findings of noncompliance with corporate policies or unusual behavior indicating a potential vulnerability or attack.

The U.S. Federal Bureau of Investigation states that the majority of attacks come from inside a company. Formerly friendly machines that do not have the latest virus definitions or security patches installed—or newly attached computers or devices—can quickly become a weapon against a company, and must be treated accordingly. Many of these openings are also caused inadvertently, and are not the malicious work of an employee. For example, a well-intentioned user might deploy an unauthorized wireless access point to increase workgroup productivity. Similar to spyware or worms, this act opens up network access to people outside the physical boundaries of the network, and must be handled appropriately. Companies can no longer use the idea of a trusted or untrusted network. Instead, trust must be something that can be given—but also taken away quickly when the need arises.

Network Admission Control
A self-defending network must ensure the compliance of all of its systems. As a crucial part of its Trust and Identity Management System, Cisco has introduced Network Admission Control (NAC) throughout its product lines and to the industry. NAC uses the network infrastructure to limit damage from viruses and worms. It allows corporations to use their existing investments in Cisco network infrastructures and antivirus software to build more secure networks. By implementing NAC throughout the network—within the data center and campus LANs, in wireless networks, and extending out to remote offices and workers—companies can uniformly protect themselves from rogue attacks targeting vulnerable computers or devices.

With NAC installed throughout the network, companies can identify weak links in the security fabric, such as insecure wireless access points, unprotected notebooks, or spyware-infected machines used by remote workers. Then, intelligent network devices such as Cisco switches and routers can be used to deny access to, quarantine, restrict access to, or provide some form of remediation to these noncompliant desktops, servers, and devices. Instead of hoping that these systems conform to company guidelines, the network itself can enforce antivirus subscription and operating system update policies designed to protect it and its users.

An industry program led by Cisco has been created to incorporate NAC into antivirus, security, and application software. With these tools, companies can build fully integrated security solutions that help to reduce risk, drive productivity, and lower costs.

With NAC, the network can take responsibility for identification, authorization, and enforcement. Cisco’s trust and identity solution—which includes Cisco Trust Agent on desktops and servers (working with the Cisco Security Agent and antivirus software), the Cisco Secure Access Control Server, wireless authentication protocols, and AAA capabilities in Cisco switches and routers—has the flexibility to provide granular access rights, to create quarantine zones for noncompliant endpoints, and to block unauthorized access entirely. In addition, centralized management and policy servers bring complete, coordinated control to the hands of corporate security staff.

NAC is an important component in helping companies integrate security deep into the fabric of the network and its desktop and servers, giving corporations the upper hand against modern security threats.

In Summary
The Cisco Self-Defending Network Initiative addresses real security threats and presents systems and solutions for intelligent and integrated security that are deeply embedded in a company’s computers and network infrastructure. Coupled with the Cisco Security Portfolio and industry initiatives led by Cisco, global enterprises can confidently build more resilient, integrated, and adaptive information networks that better enable them to face new opportunities and challenges. ◆

Copyright © 2004 Cisco Systems, Inc. All rights reserved. Cisco, Cisco Systems, the Cisco Systems logo, Aironet, Catalyst, and Cisco IOS are registered trademarks or
trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website
are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0402R)
