Post on 20-Aug-2019

242 views

Category:

Documents


0 download

TRANSCRIPT

Authenticate everywhere: modern security starts with identity

Gyorgy Acs, Security Consulting Systems Engineer

Cisco Connect Slovenija 2019

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda

• The New IT Reality
• “Zero Trust”
• Device Trust
• SAML
• Integrations
• ISE Use Cases

Today's Reality: Why Do We Not Believe Anyone and Anything?

The New IT Reality: It’s more difficult to establish user and device trust

1. Apps are available on-premises plus via IaaS and SaaS
2. Employees, contractors and others access these apps with BYOD and mobile devices
3. Attackers most often cause data breaches by directly accessing these apps via compromised passwords and devices

Anonymous

“Get used to the fact that your password is not (only) yours! It will be pwned finally! We need something completely different!”

Security Risks Persist with Traditional MFA

81% of breaches leverage either stolen or weak passwords (Source: Verizon, 10th edition of the Data Breach Investigations Report)

• Poorly deployed and cannot support all applications, exposing security gaps
• Cumbersome tokens and one-time passwords; not user friendly

Compromised Devices Can Access Your Data

99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021) (Source: Gartner, Dale Gardner, 2018 Security Summit)

• Admins lack time to patch all corporate (managed) devices
• End users access data with personal (unmanaged) devices
• End users don’t want admins to take control of personal devices

Zero Trust

1. How do you stop attacks that use stolen (yet legitimate) credentials?
2. How do you prevent devices with poor security hygiene from accessing critical apps?

A New Model for Security: Duo Trusted Access

• Every Application: consistent user experience for every application
• Trusted Users: strong user authentication for all types of users
• Trusted Devices: establish device trust without agents
• Visibility and Policies

Duo secures the login process

Step 1: Primary authentication (user’s primary device). The user enters their credentials to be verified by their internal server or cloud application.

Step 2: Server communication (servers and apps). Once credentials are confirmed, the customer’s applications connect with Duo servers.

Step 3: Request sent to Duo (Duo cloud servers). The call for secondary authentication is sent to Duo.

Step 4: Secondary authentication (user’s secondary device). The authentication request is sent to the user, who approves or denies it.

Step 5: Success! (user’s primary device). Once approved, the user is granted access to the apps they need to do their job.

Multiple secondary authentication options

• SMS Code
• Universal Two Factor (U2F)
• Phone Callback
• Bypass Code
• HOTP Hardware Token
• Duo Push
• Mobile Passcode
• WebAuthn

Secure Access

On-Prem / Remote:
• Proprietary Apps (APIs)
• Internal Apps (VPN)
• Microsoft Shops
• Cloud Service
• Unix Devices (SSH Sessions)
• Cloud Apps
• Web Apps
• SAML 2.0 Apps

Secure “Every” Corporate App, Open API

Device Trust

Verify Trust for Any Device: Limit Access to Compliant Devices

• Identify corporate-owned & BYOD
• Verify if devices are out-of-date and potentially vulnerable to security risks
• Block device access to critical applications
• Apply policies consistently for any device platform: Windows, macOS, iOS & Android

Improve Security Posture by Informing the User

• End users get just-in-time notification about out-of-date OS, browsers, Flash and Java
• If users do not update by a certain day, the endpoints are blocked

Learn more about self-remediation

SAML: Security Assertion Markup Language

• SAML 2.0 is widely adopted by thousands of cloud applications.
• Once a trust is established between an SP and an IdP, SAML 2.0 requests and responses are used to verify and share user login state with cloud applications.
• SAML federation verifies the authentication state of a user using a logon token (not shared credentials).

Identity Federation

Parties: Web Browser, Service Provider (SP), Identity Provider (IdP)

1) Lee navigates to the Salesforce URL
2) Salesforce sends an authentication request to the IdP (SAML Auth request)
3) IdP verifies Lee is authenticated OR prompts for auth (parses the SAML Auth request & generates a token)
4) Lee’s browser → DAG SSO URL
5) Lee authenticates
6) DAG redirects Lee’s browser to Salesforce to allow access (SAML token response)
7) Lee accesses Salesforce (verified SAML token)
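The seven-step exchange above, written out as runnable Python. This is an added example, not Duo's or Salesforce's code, and it goes slightly beyond the figure: it also shows the checks the SP has to make on the token in step 7 (issuer, signature, audience, validity window, InResponseTo, one-time use), which is where federation deployments usually go wrong. To stay self-contained the AuthnRequest and Response are JSON dicts and the IdP signature is an HMAC-SHA256 over canonical JSON; real SAML 2.0 uses XML with an XML-DSig made with the IdP's private key and verified against the certificate in its metadata. The entity IDs, the shared key, the `lee` account and all class and function names are constructed.

```python
"""SP-initiated federation modelled on the Lee / Salesforce / DAG flow.

Added example. JSON + HMAC stand in for XML + XML-DSig; the validation logic in
ServiceProvider.consume is what a real SP must perform on the assertion.
"""
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-idp-signing-key"     # stands in for the IdP certificate
SP_ENTITY_ID = "https://salesforce.example/sp"   # constructed entity IDs
IDP_ENTITY_ID = "https://dag.example/idp"


def _canon(obj) -> bytes:
    """Canonical serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: dict) -> str:
    return hmac.new(SHARED_KEY, _canon(assertion), hashlib.sha256).hexdigest()


class ServiceProvider:
    """Salesforce's role: issues AuthnRequests (step 2) and consumes Responses (step 7)."""

    def __init__(self):
        self.pending = {}       # outstanding request IDs -> issue time
        self.consumed = set()   # assertion IDs already accepted (replay guard)

    def authn_request(self) -> dict:
        req_id = "_" + secrets.token_hex(8)
        self.pending[req_id] = time.time()
        return {"ID": req_id, "Issuer": SP_ENTITY_ID, "Destination": IDP_ENTITY_ID}

    def consume(self, response: dict, now=None) -> str:
        """Validate the Response; return the authenticated subject or raise."""
        now = time.time() if now is None else now
        a, sig = response["Assertion"], response["Signature"]
        if a["Issuer"] != IDP_ENTITY_ID:
            raise ValueError("unexpected issuer")
        if not hmac.compare_digest(sign(a), sig):          # signature covers every field
            raise ValueError("bad signature")
        if a["Audience"] != SP_ENTITY_ID:                  # token minted for another SP
            raise ValueError("assertion not intended for this SP")
        if not (a["NotBefore"] <= now < a["NotOnOrAfter"]):
            raise ValueError("assertion outside validity window")
        if a["InResponseTo"] not in self.pending:          # unsolicited or reused request ID
            raise ValueError("unsolicited or already used InResponseTo")
        if a["ID"] in self.consumed:
            raise ValueError("assertion replayed")
        del self.pending[a["InResponseTo"]]
        self.consumed.add(a["ID"])
        return a["Subject"]


class IdentityProvider:
    """DAG's role: primary authentication (steps 3-5), signed Response (step 6)."""

    def __init__(self, directory: dict):
        self.directory = directory   # constructed username -> password store

    def respond(self, request: dict, username: str, password: str, now=None) -> dict:
        now = time.time() if now is None else now
        if self.directory.get(username) != password:
            raise PermissionError("primary authentication failed")
        assertion = {
            "ID": "_" + secrets.token_hex(8),
            "Issuer": IDP_ENTITY_ID,
            "Subject": username,
            "Audience": request["Issuer"],      # bind the token to the requesting SP
            "InResponseTo": request["ID"],      # bind it to this particular request
            "NotBefore": now - 60,              # small clock-skew allowance
            "NotOnOrAfter": now + 300,
        }
        return {"Assertion": assertion, "Signature": sign(assertion)}


def sso_login(username: str, password: str):
    """Run the whole exchange once; returns (sp, response, subject)."""
    sp = ServiceProvider()
    idp = IdentityProvider({"lee": "correct-horse"})   # constructed credentials
    req = sp.authn_request()                            # steps 1-2
    resp = idp.respond(req, username, password)         # steps 3-6
    return sp, resp, sp.consume(resp)                   # step 7


if __name__ == "__main__":
    print(sso_login("lee", "correct-horse")[2])         # prints: lee
```

The `pending` dictionary is what makes `InResponseTo` meaningful: an SP that accepts any well-signed assertion, regardless of whether it asked for one, is open to unsolicited responses being replayed against it, and an assertion with no audience restriction can be taken from one SP and presented to another that trusts the same IdP.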

Duo Access Gateway (DAG)

Topology: Internet | Perimeter Firewall | DMZ | Internal Firewall | Internal Network
Cloud Hosted Services ←HTTPS 443→ Duo Access Gateway ←LDAP or SAML→ Active Directory, OpenLDAP, or SAML 2.0 Identity Provider

About this integration
Definition: Adds 2FA to cloud applications that support SAML by providing SAML connectors and redirecting users to the DAG server on the network
Other information:
• Used most commonly with SaaS applications
• Applies when the customer doesn’t already have a web SSO solution
• Separates primary and secondary authentication

Example integrations

Duo Network Gateway (DNG)

Topology: Internet | Perimeter Firewall | DMZ | Internal Firewall | Internal Network
Diagram labels: Duo Network Gateway, Internal Web Application, SAML 2.0 Identity Provider (SAML), HTTPS 443

About this integration
Definition: Allows users to access on-premises apps and websites without requiring a VPN connection
Other information:
• Enables access on an app-to-app basis, not access to the entire network
• Requires a SAML IdP for primary authentication
• Currently supports HTTP(S) and SSH, with more protocols to come

Example integrations

Secure Application Portal

Integrations

Cisco ISE and Duo

Diagram labels:
• Corporate Network: User, MFA, Device Posture (ISE)
• Compliant Device → Allow Access
• Non-compliant Device → Self-Remediation / Block
• Cloud SaaS: MFA
• Trusted Device → Allow Access
• Untrusted Device → Quarantine Access

Duo Authentication Proxy

About this integration
Definition: Allows application integration with Duo cloud to enable 2FA for apps that support RADIUS or LDAP
Other information:
• Used most commonly for VPN and VDI solutions
• Requires customers to install a component in their environment

Diagram: Application or Service Login (Username, Password; “Enter credentials for email access”) → Application → login request → Authentication Proxy → Active Directory and Duo Cloud (Duo Push, Phone Call, Passcode) → Accept / Reject. The Authentication Proxy needs outbound server access on port 443 (SSL).

Example integrations

Duo Security with ASA Integration

• “Modify the iframe” and secondary auth.; push/phone or SMS; but users do not like a 2nd passcode field on AnyConnect; http://duo.com/docs/cisco
• Alternative configuration: “auto-push” with Duo Auth Proxy; AnyConnect has only 2 fields! http://duo.com/docs/cisco-alt
• SAML integration: no extra passcode field; easy, but it requires minimum ASA 9.7; http://duo.com/docs/ciscoasa-sso

FTD RA VPN 6.3 and Duo

Diagram: VPN user → FTD (on premise) —RADIUS→ Duo RADIUS Proxy —TCP 443→ Duo Cloud; Duo RADIUS Proxy → AD (or it could be RADIUS as well)

FTD RA VPN Posture and Duo

Diagram labels: on premise: FTD, Duo RADIUS Proxy, AD, ISE; VPN; two RADIUS legs; Duo Cloud

MFA for Windows login and Remote Desktop (RDP) access

Learn how to set up Duo’s RDP

Identity Services Engine (ISE) Use Cases

Cisco ISE and AnyConnect

Access Policy: Who, What, How, When, Where, Health, Threats (CVSS)
Wired | Wireless | VPN
Role-Based Access Control | Guest Access | BYOD | Secure Access
For Endpoints | For Network
Partner Eco System: SIEM, MDM, NBA, IPS, IPAM, etc. via pxGrid and APIs

Cisco AnyConnect: supplicant for wired, wireless and VPN access. Services include posture assessment, malware protection, web security, MAC Security, network visibility and more.

Cisco ISE: context-aware policy service to control access and threats across wired, wireless and VPN networks.

ISE – Session Disconnect

• Differentiate VPN max session time based on AD groups, for example employees (1 week), contractors (1 day), and so on.
• Solution: REST API call in ISE

Diagram: ISE ↔ ASA or FTD
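The use case above, as an added Python example that is not Cisco's code: a script that applies the per-AD-group maximum session time to a list of active VPN sessions and builds the disconnect request for each session that has exceeded its limit. The session records are constructed. The URL shape follows the ISE Monitoring (MnT) REST API CoA disconnect call as I understand it, and is an assumption to confirm against the API reference for your ISE version; the fallback limit for users in no listed group is also mine. The script only prepares the requests and leaves sending them (with MnT API credentials) to the caller.

```python
"""Max VPN session time by AD group, enforced via an ISE CoA disconnect call.

Added example, not Cisco's code. SESSIONS is constructed; the MnT API path is an
assumption to verify against the ISE API reference for your version.
"""
from datetime import datetime, timedelta

# Policy from the slide: employees 1 week, contractors 1 day.
MAX_SESSION = {
    "employees": timedelta(weeks=1),
    "contractors": timedelta(days=1),
}
DEFAULT_MAX = timedelta(hours=8)   # assumed fallback for users in no listed group

# Constructed active-session list (the shape you would build from the MnT session API).
SESSIONS = [
    {"user": "alice", "mac": "00:11:22:33:44:55", "groups": ["employees"],
     "psn": "ise-psn-1", "start": datetime(2019, 5, 1, 8, 0)},
    {"user": "bob", "mac": "00:11:22:33:44:66", "groups": ["contractors"],
     "psn": "ise-psn-1", "start": datetime(2019, 5, 7, 9, 30)},
    {"user": "carol", "mac": "00:11:22:33:44:77", "groups": ["contractors", "employees"],
     "psn": "ise-psn-2", "start": datetime(2019, 5, 2, 12, 0)},
]


def max_session_for(groups) -> timedelta:
    """Most restrictive limit wins when a user is a member of several AD groups."""
    limits = [MAX_SESSION[g] for g in groups if g in MAX_SESSION]
    return min(limits) if limits else DEFAULT_MAX


def expired_sessions(sessions, now: datetime):
    """Sessions whose age has reached the limit for the user's groups."""
    return [s for s in sessions if now - s["start"] >= max_session_for(s["groups"])]


def coa_disconnect_url(mnt_host: str, session: dict, disconnect_type: int = 0) -> str:
    """Build the MnT CoA disconnect endpoint for one session.

    Assumed path: /admin/API/mnt/CoA/Disconnect/<PSN>/<MAC>/<type>, MAC in
    dash-separated upper case, type 0 = plain disconnect. Verify for your ISE.
    """
    mac = session["mac"].replace(":", "-").upper()
    return (f"https://{mnt_host}/admin/API/mnt/CoA/Disconnect/"
            f"{session['psn']}/{mac}/{disconnect_type}")


def plan_disconnects(sessions, now_iso: str, mnt_host="ise-mnt.example.internal"):
    """Return (user, url) pairs to issue; the caller sends them with MnT credentials."""
    now = datetime.fromisoformat(now_iso)
    return [(s["user"], coa_disconnect_url(mnt_host, s)) for s in expired_sessions(sessions, now)]


if __name__ == "__main__":
    for user, url in plan_disconnects(SESSIONS, "2019-05-08T10:00:00"):
        print(f"disconnect {user}: GET {url}")
```

Run from cron at the interval you can tolerate as overshoot; the comparison uses `>=` so a session is cut on the first run after its limit, and a user in both groups gets the contractor limit rather than the more generous one.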

Postman and ISE ANC Portal

ISE – Location based Authorization

• If the AP is a member of the home network → ISE provides full access
• Otherwise → ISE provides limited access, internet only
• Solution:
  • AP name should contain the name of the location
  • WLC should send the name of the AP as the Called Station ID
  • LDAP attribute contains the name of the home network

Diagram: AP ↔ ISE

ISE with Location based Authorization

1. Set the name of the AP to include the teacher’s home school string
2. Configure the WLC to use the AP name as the RADIUS Called Station ID
3. Add the LDAP attribute that holds the teacher’s home school into ISE
4. Construct a condition that compares strings between the RADIUS dictionary attribute Radius-Called-Station-ID and the LDAP Edu dictionary attribute holding the teacher’s home school (attribute sn)
5. Use the condition in an AuthZ policy rule, which is the rule named “location” in my case
6. RADIUS live log showing that visiting teachers do not match the location rule and are authorized against the default rule
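The comparison that steps 4 to 6 configure, reproduced as an added Python example (not ISE's policy engine): the RADIUS Called-Station-Id carrying the AP name (step 2) must contain the home-school string read from the user's LDAP attribute (step 3, `sn` in the slide), otherwise the default rule applies. The directory entries, AP names and authorization profile names are constructed; the handling of an `APNAME:SSID` Called-Station-Id value is an assumption about the WLC's format. The empty-attribute case is handled explicitly because a plain "contains" match against an empty string would be true for every AP.

```python
"""Location-based authorization decision for a teacher's wireless session.

Added example, not ISE code. Reproduces rule 'location' (Called-Station-ID
CONTAINS the LDAP home-school value) and the fall-through to the default rule.
"""

# Constructed LDAP directory: user -> attributes (only 'sn' is used here).
LDAP = {
    "teacher1": {"sn": "LJUBLJANA-GIMN"},
    "teacher2": {"sn": "MARIBOR-OS"},
    "teacher3": {"sn": ""},               # attribute present but empty
}

FULL_ACCESS = "PermitAccess"              # constructed authorization profile names
INTERNET_ONLY = "Internet_Only"


def ap_name_from_called_station_id(called_station_id: str) -> str:
    """Extract the AP name from the RADIUS attribute.

    Assumption: the WLC sends either 'APNAME' or 'APNAME:SSID'; anything after
    the first colon is not part of the name and is dropped.
    """
    return called_station_id.split(":", 1)[0].strip()


def authorize(username: str, radius_attrs: dict):
    """Return (matched rule name, authorization profile) for one request."""
    home = LDAP.get(username, {}).get("sn", "").strip()
    ap = ap_name_from_called_station_id(radius_attrs.get("Called-Station-Id", ""))
    # Rule 'location': the AP name contains the user's home-school string.
    # An empty LDAP value must not match everything, hence the explicit guard.
    if home and home.casefold() in ap.casefold():
        return ("location", FULL_ACCESS)
    # Default rule: visiting teachers (or users with no usable attribute).
    return ("default", INTERNET_ONLY)


if __name__ == "__main__":
    # Constructed live-log style output: home teacher vs visiting teacher.
    for user, csi in (("teacher1", "LJUBLJANA-GIMN-AP-07:STAFF"),
                      ("teacher2", "LJUBLJANA-GIMN-AP-07:STAFF")):
        rule, profile = authorize(user, {"Called-Station-Id": csi})
        print(f"{user} on {csi}: rule={rule} profile={profile}")
```

The case-insensitive comparison is a deliberate choice: AP names are typed by hand on the WLC and directory values by HR, and a capitalisation mismatch would silently push every teacher onto the internet-only rule.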

IRFLOW: Authorization based on Threat Level

IRFLOW – Incident Response Flow
• Based on REST API calls
• Flexible integration (Meraki, CMX, ISE, AMP, TG, Umbrella, NGFW, ...)
• For both threat hunting and incident response
• 2 apps: headless.py and app.py
• Three databases: threats_db.json, domains_db.json and hosts_db.json
• Running the headless script first will create and populate these databases
• The headless script will continue to add new IOCs and associated details to the databases on an hourly basis, with auto or manual quarantine services
• Web interface (app.py) at http://localhost:5555
• https://youtu.be/KwFILkVnbEo and https://github.com/CiscoSE/irflow
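To make the hourly headless cycle above concrete, here is an added Python example that is not the CiscoSE/irflow code. It models the three stores the slide names (threats_db, domains_db, hosts_db) as dicts that an ingestion step updates idempotently, so re-running the same IOC batch an hour later changes nothing, and it models the auto/manual quarantine step as a function that returns the hosts whose threat level has reached a threshold. The IOC batch, the hosts, the JSON layout and the threat scores are all constructed; the actual irflow databases may look different, and the point where the ISE ANC call would go is marked but not implemented.

```python
"""IRFLOW-style IOC ingestion and quarantine decision.

Added example, not the CiscoSE/irflow code. All data shapes are constructed.
"""
import json
from pathlib import Path


def empty_dbs():
    return {"threats_db": {}, "domains_db": {}, "hosts_db": {}}


def load_dbs(directory):
    """Load the three JSON files if present; a missing file starts empty."""
    dbs = empty_dbs()
    for name in dbs:
        p = Path(directory) / f"{name}.json"
        if p.exists():
            dbs[name] = json.loads(p.read_text())
    return dbs


def save_dbs(dbs, directory):
    for name, data in dbs.items():
        (Path(directory) / f"{name}.json").write_text(json.dumps(data, indent=2, sort_keys=True))


def ingest(dbs, iocs):
    """Merge a batch of IOCs with their domains and host sightings.

    Each IOC: {"sha256", "score", "domains": [...], "seen_on": [host, ...]}.
    Everything is keyed and lists are de-duplicated, so re-running the same
    batch (the hourly cycle) leaves the stores unchanged; a host's score only
    ever rises to the highest IOC score seen on it.
    """
    for ioc in iocs:
        t = dbs["threats_db"].setdefault(ioc["sha256"], {"score": 0, "domains": [], "hosts": []})
        t["score"] = max(t["score"], ioc["score"])
        for d in ioc.get("domains", []):
            if d not in t["domains"]:
                t["domains"].append(d)
            dom = dbs["domains_db"].setdefault(d, {"threats": []})
            if ioc["sha256"] not in dom["threats"]:
                dom["threats"].append(ioc["sha256"])
        for h in ioc.get("seen_on", []):
            if h not in t["hosts"]:
                t["hosts"].append(h)
            host = dbs["hosts_db"].setdefault(h, {"score": 0, "threats": [], "quarantined": False})
            host["score"] = max(host["score"], ioc["score"])
            if ioc["sha256"] not in host["threats"]:
                host["threats"].append(ioc["sha256"])
    return dbs


def quarantine_candidates(dbs, threshold):
    """Hosts at or above the threat threshold that are not yet quarantined (sorted)."""
    return sorted(h for h, v in dbs["hosts_db"].items()
                  if v["score"] >= threshold and not v["quarantined"])


def apply_quarantine(dbs, hosts):
    """'Auto' mode: record the action. A real deployment would issue the ISE ANC
    (or Meraki/NGFW) call here; 'manual' mode would instead surface the list in app.py."""
    for h in hosts:
        dbs["hosts_db"][h]["quarantined"] = True
    return hosts


SAMPLE_IOCS = [   # constructed threat-intel batch
    {"sha256": "aa" * 32, "score": 90, "domains": ["bad.example"], "seen_on": ["10.0.0.5"]},
    {"sha256": "bb" * 32, "score": 40, "domains": ["meh.example"], "seen_on": ["10.0.0.5", "10.0.0.9"]},
]


if __name__ == "__main__":
    dbs = ingest(empty_dbs(), SAMPLE_IOCS)
    print("auto-quarantine:", apply_quarantine(dbs, quarantine_candidates(dbs, 80)))
```

Keeping `quarantine_candidates` separate from `apply_quarantine` is what lets the same code serve both modes the slide mentions: the headless run calls both, the web interface calls only the first and leaves the decision to the analyst.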

IRFLOW with TH and IR Building Blocks

Diagram labels: Threat Hunting Information; Incident Response; Threat Grid; AMP for Endpoints; Umbrella; “Any” with REST API; 3rd party: CTA, CMX, Meraki, NGFW, ISE; Anywhere, even on your laptop