Bezpečnostní a funkce Intelligent WAN architektury - Cisco - Global Home (TECH-WAN: Building a Secure Intelligent WAN, Gaweł Mikołajczyk, gmikolaj@cisco.com)

Uploaded by truongcong, posted 08-May-2018. Transcript of the slide deck follows.

Page 1-2: Title slide

Security properties and functions of the Intelligent WAN architecture (original title: Bezpečnostní vlastnosti a funkce Intelligent WAN architektury)

TECH-WAN: Building a Secure Intelligent WAN

Gaweł Mikołajczyk, gmikolaj@cisco.com, Security Technical Solutions Architect, CCIE #24987, CISSP-ISSAP, CISA, C|EH, SFCE

Page 3: Embracing the Holistic Threat Continuum

Cisco and/or its affiliates. All rights reserved. Cisco Connect 2015 – Secure WAN Cisco Public

Figure (text recovered from the slide graphic): the continuum has three phases, Control / Enforce / Harden, Detect / Block / Defend, and Scope / Contain / Remediate, with the following control categories placed along it: Infrastructure and Protocols; Network Firewall; Next-Generation Firewall (NGFW); Next-Generation IPS (NGIPS); Web Security; Content Filtering; Mobile Users; Remote Access VPN; Email Security; SSL Decryption and Inspection; Network Forensics; Advanced Malware Protection (AMP); Incident Response; Open Source; Custom Tools; Context-Awareness; Attribution.

Page 4: Threat-Centric Security Approach

The problem is the THREATS.

What high value assets am I trying to protect?

– Intellectual property, customer and employee data

– Network and compute infrastructure

What are the possible threats?

– Internal and external, structured and unstructured

How do I detect and mitigate the threats?

– This is what this session is about, at the Internet Edge

What is my incident response approach?

– Will I just sit there or clean up my environment?

See also: BRKSEC-2135 The Importance of Threat-Centric Security

Page 5: About the Speaker

Gaweł Mikołajczyk, CCIE #24987, SFCE #123985

gmikolaj@cisco.com

@gapheu

/gawelmikolajczyk

Page 6: IOS Hardening (section title)

Page 7: "Why Would Anyone Hack Into My Router?"

Figure (text recovered from the slide graphic): an Enterprise Network with an FTP CLIENT (PC) and an FTP Server reached across the Internet. A tunnel is configured on the router in the path, and two policy routes send the FTP session through it:

PBR1: from PC to Server, next hop tunnel

PBR2: from Server to PC, next hop tunnel

Reference: BRKSEC-2345 Critical Infrastructure Protection (2013 London)

Page 8: Physical Security Principles and Procedures

Can detect takeover of device:

– MUST detect login of authorised admin

– MUST detect brute force SSH attacks

– MUST detect password recovery

– MUST detect device replacement (UDI)

– MUST check device integrity regularly: OS, configuration, file system

Cannot detect wiretap:

– MUST protect all control plane protocols (BGP, IGP, LDP)

– MUST protect all management plane protocols (SSH, SNMP)

– Then only data plane attacks are possible

After each reboot, link-down event, etc.:

– Device could have been replaced

– Password recovery could have been done

– Check system: Unique Device Identifier (UDI), OS, configuration, enable password

After unexpected login from admin:

– Change password for that admin

– Check system: OS, configuration, enable password

Regularly (e.g. once in 24h):

– Check system: OS, configuration, enable password

Figure (text recovered from the slide graphic): an AAA server, a Syslog server and scripts feed the checks above. You could have missed an event.
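The detections this slide calls for can be driven from the syslog and AAA feeds shown in the figure. The following Python script is an added example (not from the deck or from Cisco): it parses constructed IOS-format syslog lines and raises the slide's checks, a brute-force flag after a threshold of SSH failures from one source, an unexpected-login flag when a successful login comes from outside an assumed management-host allowlist, a success-after-failures flag, and a reminder after every restart to re-run the UDI / OS / configuration / enable-secret checks. The allowlist, the thresholds and the sample lines are assumptions made for the example.

```python
"""Review IOS syslog for the events page 8 says MUST be detected (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog (documentation addresses, not taken from the deck).
# The %SEC_LOGIN and %SYS mnemonics follow the formats Cisco IOS emits.
SAMPLE_SYSLOG = """\
Mar  1 02:13:00 rtr1 %SYS-5-RESTART: System restarted --
Mar  1 10:00:01 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:03 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:05 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:06 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:08 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 10:00:09 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22]
Mar  1 11:30:00 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.10] [localport: 22]
"""

# Assumed site policy: admin logins are expected only from these hosts.
ADMIN_JUMP_HOSTS = {"10.0.0.10"}
BRUTE_FORCE_THRESHOLD = 5                    # failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... within this window

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%(?P<msg>[A-Z_]+-\d-[A-Z_]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"\[(\w+): ([^\]]+)\]")


def parse_line(line):
    """Return a dict with ts/host/msg plus the [key: value] fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
          "host": m.group("host"), "msg": m.group("msg")}
    ev.update(FIELD_RE.findall(m.group("rest")))
    return ev


def review_syslog(text):
    """Return (finding, host, detail) tuples in the order they are raised."""
    findings = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    reported = set()                # sources already reported as brute force
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        host, msg = ev["host"], ev["msg"]
        if msg in ("SYS-5-RESTART", "SYS-5-RELOAD"):
            # After each reboot the device may have been replaced or password-
            # recovered: trigger the UDI / OS / configuration / enable checks.
            findings.append(("reboot", host,
                             "re-check UDI, OS image, configuration and enable secret"))
        elif msg == "SEC_LOGIN-4-LOGIN_FAILED":
            src = ev["Source"]
            window = failures[src]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()
            if len(window) >= BRUTE_FORCE_THRESHOLD and src not in reported:
                reported.add(src)
                findings.append(("brute-force", host,
                                 f"{len(window)} SSH login failures from {src} "
                                 f"within {BRUTE_FORCE_WINDOW.seconds}s"))
        elif msg == "SEC_LOGIN-5-LOGIN_SUCCESS":
            src, user = ev["Source"], ev["user"]
            if src not in ADMIN_JUMP_HOSTS:
                findings.append(("unexpected-login", host,
                                 f"{user} from {src}: change that admin's password, "
                                 "check OS, configuration and enable secret"))
            if failures[src]:
                findings.append(("success-after-failures", host,
                                 f"{user} from {src} succeeded after "
                                 f"{len(failures[src])} failures"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in review_syslog(SAMPLE_SYSLOG):
        print(f"{host}: {kind}: {detail}")
```

On the constructed sample the script raises four findings in order: the restart, the brute-force burst from 203.0.113.7, the unexpected login from that same host, and the fact that it succeeded right after the failures; the login from the assumed management host raises nothing.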

Page 9: Device Software Authenticity Challenges Today

Figure (text recovered from the slide graphic): the Boot ROM BOOTS the OS, the OS USES the Configuration, and identity rests on the Unique Device Identifier (UDI). Threats shown against these components:

• Misconfiguration

• Lacking security

• Sabotage

• Protocol vulnerability

• OS vulnerability

• Rootkit

• Physical attacks

Page 10: Device Software Authenticity Outlook for the Future

Figure (text recovered from the slide graphic): the Boot ROM CHECKS OS CORRECTNESS, then BOOTS an OS with Vendor Signature; the OS VERIFIES FIRST, THEN USES a Configuration with Checksum; identity rests on the Secure Unique Device Identifier (SUDI, 802.1AR), which is PHYSICALLY SECURE.

• SUDI allows for globally unique, secure device identification

– Cannot replace device

• Boot process secured

– Cannot modify Boot ROM

– Cannot modify OS

• Secure OS coding practices

– CSDL practices

– Reduces vulnerabilities

• Upgrade procedures

http://standards.ieee.org/findstds/standard/802.1AR-2009.html

Page 11: Verifying Software Authenticity on Routers

Use the verify /md5 privileged EXEC command to check the integrity of image files stored on the Cisco IOS file system; an expected MD5 hash can also be given to the verify command so that the router compares against it.

Router# verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3
.....<output truncated>.....Done!
e383bf779e137367839593efa8f0f725

Configure the file verify auto Cisco IOS feature:

Router# configure terminal
Router(config)# file verify auto

The presence of the following commands should trigger further investigation. The asterisk symbol * indicates any text that follows the command itself:

gdb *, test *, tlcsh *, service internal, attach *, remote *, ipc-con *, if-con *, execute-on *, show region, show memory *, show platform *

IOS supports digitally signed images on some platforms. Verify the authenticity and integrity of the binary file by using the show software authenticity file command.

Router# show software authenticity file c1900-universalk9-mz.SPA.152-4.M2
File Name                 : c1900-universalk9-mz.SPA.152-4.M2
Image type                : Production
    Signer Information
        Common Name       : CiscoSystems
        Organization Unit : C1900
        Organization Name : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A

http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html
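The watch-list of commands above is most useful when applied to centralized AAA command accounting rather than to a live terminal. The following Python script is an added example (not from the deck or from Cisco) that implements the slide's matching rule, a trailing asterisk means any text may follow, against constructed accounting records whose format (timestamp, device, user, cmd=expanded command) is assumed for the example. Matches are investigation triggers, as the slide says, not verdicts: "test *" also catches routine "test aaa" checks, so the summary counts hits per device and operator to help triage.

```python
"""Scan AAA command-accounting records for the page 11 watch-list (added example)."""
import re
from collections import Counter

# Watch-list from the slide. A trailing "*" means any text may follow the
# command; a pattern without "*" must match the whole command.
SUSPICIOUS_COMMANDS = [
    "gdb *", "test *", "tlcsh *", "service internal", "attach *", "remote *",
    "ipc-con *", "if-con *", "execute-on *", "show region", "show memory *",
    "show platform *",
]

# Constructed accounting records (not from the deck). Format assumed here:
# <timestamp> <device> <user> cmd=<fully expanded command>
SAMPLE_ACCOUNTING = """\
2015-03-01T10:05:12Z rtr1 admin cmd=show running-config
2015-03-01T10:05:40Z rtr1 admin cmd=service internal
2015-03-01T10:06:02Z rtr1 admin cmd=show memory summary
2015-03-01T10:06:30Z rtr1 admin cmd=test aaa group tacacs+ netops legacy
2015-03-01T10:07:00Z rtr1 netops cmd=show ip route
2015-03-01T10:07:20Z rtr1 admin cmd=show region
2015-03-01T10:08:00Z rtr2 netops cmd=show platform
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<user>\S+)\s+cmd=(?P<cmd>.+)$")


def command_matches(pattern, command):
    """Token-wise, case-insensitive comparison, so that 'gdb *' does not
    match 'show gdb' and 'show region' does not match 'show regions'."""
    pwords = pattern.split()
    cwords = command.strip().lower().split()
    if pwords[-1] == "*":
        prefix = pwords[:-1]
        return cwords[:len(prefix)] == prefix   # anything (or nothing) may follow
    return cwords == pwords


def flagged_patterns(command):
    """All watch-list patterns a command matches (usually zero or one)."""
    return [p for p in SUSPICIOUS_COMMANDS if command_matches(p, command)]


def scan_accounting(text):
    """Return one hit per record whose command matches the watch-list."""
    hits = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        patterns = flagged_patterns(m.group("cmd"))
        if patterns:
            hits.append({"ts": m.group("ts"), "device": m.group("device"),
                         "user": m.group("user"), "cmd": m.group("cmd").strip(),
                         "patterns": patterns})
    return hits


def hits_by_operator(hits):
    """Count hits per (device, user) so review starts with the noisiest pair."""
    return Counter((h["device"], h["user"]) for h in hits)


if __name__ == "__main__":
    found = scan_accounting(SAMPLE_ACCOUNTING)
    for h in found:
        print(f"{h['ts']} {h['device']} {h['user']}: {h['cmd']}  <- {h['patterns']}")
    print(hits_by_operator(found))
```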

Page 12: IOS Hardening Best Practices

Cisco Guide to Harden Cisco IOS Devices:

– Secure operational procedures: monitor security advisories; leverage AAA; centralize log collection; use secure protocols when possible

– Management plane (SSH, SNMP, NetFlow): disable unused services; password security; secure management sessions; thresholding for memory, CPU and leaks; Management Plane Protection (MPP)

– Control plane (ICMP, BGP, RSVP): Control Plane Policing (CoPP), Control Plane Protection (CPPr), hardware rate-limiters

– Data plane (production traffic): antispoofing with uRPF, IPSG, Port Security, DAI, ACLs; traffic access control

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Page 13: I understand my network. A Cisco example.

Offices in 100+ countries

15 billion flows per day

125,000 endpoints (with laptops and phones)

150,000+ servers of all types

40,000 routers

1,500 labs

350 IPS sensors / 1.5M alerts per day

12 major Internet POPs

One CSIRT analyst for every 7,000 employees

HUGE COMPLEXITY: the "3D COMPLEXITY CUBE"

Page 14: Secure WAN Transport (section title)

Page 15: Securing the Intelligent WAN

Step 1: Secure Transport

IPsec with DMVPN overlay: a secure, transport-independent overlay

Add strong cryptography: IKEv2 + AES-GCM 256

Step 2: Threat Defense

IOS Zone-Based Firewall or ACLs

Minimize exposure: DHCP addressing for Internet and tunnel interfaces

Don't put tunnel addresses into DNS

Step 3: Choose your performance level

Size the router based on encryption with services and WAN bandwidth

Head-end: ASR1000 or ISR4451X

Branch: ISR-G2

Figure (text recovered from the slide graphic): Branch ISR-G2 routers on DSL and cable links reach ASR 1000 head-ends in the Data Center through ISP A and ISP C.

Page 16: Best Practice: VRF-Aware DMVPN

Keeping the default routes in separate VRFs with Front Door VRF:

Enable FVRF DMVPN on the spokes.

Allow the ISP-learned default route in the VRF INET-PUBLIC and use it for tunnel establishment.

The global VRF contains the default route learned via the tunnel. User data traffic follows the tunnel to the INSIDE interface on the firewall.

This allows for consistent implementation of corporate security policy for all users.

Figure (text recovered from the slide graphic): spokes with VRF INET-PUBLIC holding the ISP default route; tunnels terminate in the VPN-DMZ at the Internet Edge, behind the firewall's OUTSIDE and INSIDE interfaces; EIGRP carries the default route for user traffic across the tunnel, and a default route is shown in each VRF.

Page 17: Securing IWAN Transports with Front-door VRF: Isolation of External Networks

Virtual Routing and Forwarding instances (VRFs) create multiple logical routers on a single device:

– Separate control/forwarding planes per VRF

– No connectivity between VRFs by default

– Provider-side VRF (yellow) for external networks, global VRF (blue) for internal networks

The provider VRF minimizes threat exposure:

– Default routing only in the provider VRF

– Provider-assigned IP addressing hides the internal network

– Provider IP address used as the IPsec tunnel source

– Only IPsec allowed between the internal global and provider front-side VRFs

Figure (text recovered from the slide graphic): Branch LAN 10.1.1.0/24 and 10.1.2.0/24 in the Global Enterprise VRF; the Front Side Provider VRF (F-VRF) holds the provider-assigned WAN IP address 192.168.254.254 and the IPsec tunnel interface; VRFs have independent routing and forwarding planes; an IOS ZBFW or ACL permits only authorized traffic between them, i.e. IPsec.

Page 18: Protecting the Public-Facing IWAN Interfaces

Use ACLs, ZBFW or an ASA to block all traffic to the routers except the DMVPN tunnel traffic.

Use the Zone-Based Firewall (ZBFW) at the branch if there are plans for direct Internet access.

Typical ACL for protecting the Internet interface:

interface GigabitEthernet0/0
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
!
ip access-list extended ACL-INET-PUBLIC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
!

Figure (text recovered from the slide graphic): the same Branch / DSL / Cable / ISP A / ISP C / ASR 1000 / Data Center topology as page 15.

Page 19: Secure Direct Internet Access (DIA) (section title)

Page 20: Central versus Direct Internet Access

Central Internet Access:

– Internet link remains unused during normal operations

– Sub-optimal access to cloud-based resources

– All traffic traverses the WAN

Direct Internet Access:

– Internet link is used during normal operations

– Optimal access to cloud-based resources

– Only internal traffic traverses the WAN

Page 21: Central versus Direct Internet Access (routing tables)

Central Internet: the default route is learned over the DMVPN tunnel.

RS230-1941#sh ip route
Gateway of last resort is 10.10.34.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/2561280] via 10.4.34.1, 1w1d, Tunnel10
     10.0.0.0/8 is variably subnetted, 110 subnets, 10 masks
D EX 10.10.0.0/16 [170/2560512] via 10.10.34.1, 1w1d, Tunnel10
D EX 10.10.0.0/20 [170/2561024] via 10.10.34.1, 1w1d, Tunnel10

Direct (local) Internet: the default route is a static route to the local ISP next hop, while internal prefixes are still learned over the tunnel.

RS250-1941#sh ip route
Gateway of last resort is 172.18.100.129 to network 0.0.0.0
S*   0.0.0.0/0 [15/0] via 172.18.100.129
     10.0.0.0/8 is variably subnetted, 107 subnets, 11 masks
D EX 10.10.0.0/16 [170/26880512] via 10.10.34.1, 1w1d, Tunnel10
D EX 10.10.0.0/20 [170/26881024] via 10.10.34.1, 1w1d, Tunnel10

Page 22: WAN Remote-site Designs with Direct Internet

Figure (text recovered from the slide graphic): remote-site designs grouped as Non Redundant (Internet WAN; MPLS + Internet WAN), Redundant Links (Internet + Internet; MPLS VPN + Internet) and Redundant Links & Routers (Internet + Internet; MPLS VPN + Internet).

Page 23: ISR-G2 with Cloud Web Security Connector

The connector is integrated into Cisco ISR G2 router platforms.

– VRF-aware CWS connector with IOS release 15.4(1)T

Redirection of web traffic happens transparently on the remote-site router.

Tower redundancy.

Single point of policy management and monitoring.

Figure (text recovered from the slide graphic): Secure Remote Site router with interface G0/0 to the Internet.

Page 24: High-level Data Flow with Cloud Web Security

HTTP and HTTPS client requests are redirected to a CWS proxy (tower) in the cloud.

Requests are checked against configured policies and filtered.

Clean requests are directed back to the client.

Figure (text recovered from the slide graphic): User, web requests, allowed traffic, filtered traffic, Internet.

Page 25: Cloud Web Security Centralized Management: Cisco ScanCenter Portal (screenshot)

Page 26: Cloud Web Security: Cisco ScanCenter Portal, Create Group

parameter-map type content-scan global
 server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
 server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
 license 0 893EECEED111C32D2A205A8204079043
 source interface GigabitEthernet0/0
 user-group CWS-REMOTE-SITES
 server scansafe on-failure block-all

Must Match: the user-group configured on the router must match the group created in the ScanCenter portal.

Page 27: Cloud Web Security: Cisco ScanCenter Portal, Generate Group Key (screenshot)

Page 28: Cloud Web Security: Cisco ScanCenter Portal, Generate Group Key

parameter-map type content-scan global
 server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
 server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
 license 0 893EECEED111C32D2A205A8204079043
 source interface GigabitEthernet0/0
 user-group CWS-REMOTE-SITES
 server scansafe on-failure block-all

Must Match: the license key configured on the router must match the group key generated in the ScanCenter portal.

Page 29: Cloud Web Security: Cisco ScanCenter Portal, Create Filter (screenshot)

Page 30: Cloud Web Security: Cisco ScanCenter Portal, Create Policies (screenshot)

Page 31: CWS Tower Communication: Modify the ACL for CWS Communication

interface GigabitEthernet0/0
 bandwidth 10000
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip access-group ACL-INET-PUBLIC in
 duplex auto
!
ip access-list extended ACL-INET-PUBLIC
 remark Allow-DMVPN
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 remark Allow-DHCP
 permit udp any any eq bootpc
 remark Allow-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
 remark allow-CWS
 permit tcp any eq 8080 any

Figure (text recovered from the slide graphic): the same Branch / DSL / Cable / ISP A / ISP C / ASR 1000 / Data Center topology as page 15.
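To see exactly what the page 18 ACL and this CWS-modified version admit, the following Python script is an added example (not Cisco's code): it parses the ACE syntax the deck uses (any/host/wildcard addresses, eq/gt ports, ICMP type keywords, ttl eq N) and evaluates constructed sample packets with IOS first-match semantics and the implicit deny at the end. The router's WAN address 198.51.100.2 and the peer addresses are assumed documentation addresses; the CWS tower address is the one the deck configures.

```python
"""First-match evaluation of the page 18 and page 31 ACLs (added example)."""
import ipaddress
from dataclasses import dataclass

# ACL text from page 31; the page 18 ACL is the same without the CWS entry.
CWS_ACL = """\
ip access-list extended ACL-INET-PUBLIC
 remark Allow-DMVPN
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 remark Allow-DHCP
 permit udp any any eq bootpc
 remark Allow-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
 remark allow-CWS
 permit tcp any eq 8080 any
"""
BASE_ACL = CWS_ACL.split(" remark allow-CWS")[0]

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68, "bootps": 67}
ICMP_TYPES = {"echo": (8, 0), "echo-reply": (0, 0),          # (type, code)
              "ttl-exceeded": (11, 0), "port-unreachable": (3, 3)}


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "esp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp: tuple = (0, 0)  # (type, code), used when proto == "icmp"
    ttl: int = 64


def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # IOS wildcard = inverted mask
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)


def _port(tokens):
    """Consume an optional 'eq'/'gt' port operator; return a predicate or None."""
    if tokens and tokens[0] in ("eq", "gt"):
        op, raw = tokens.pop(0), tokens.pop(0)
        port = PORT_NAMES.get(raw) or int(raw)
        return (lambda p: p == port) if op == "eq" else (lambda p: p > port)
    return None


def parse_acl(text):
    """Parse the ACEs of one extended ACL into match tuples, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _addr(rest)
        sport = _port(rest) if proto in ("tcp", "udp") else None
        dst = _addr(rest)
        dport = _port(rest) if proto in ("tcp", "udp") else None
        icmp = None
        if proto == "icmp" and rest and rest[0] in ICMP_TYPES:
            icmp = ICMP_TYPES[rest.pop(0)]
        ttl = None
        if rest[:2] == ["ttl", "eq"]:
            ttl = int(rest[2])
            del rest[:3]
        if rest:
            raise ValueError(f"unsupported ACE syntax: {line.strip()}")
        entries.append((action, proto, src, sport, dst, dport, icmp, ttl, line.strip()))
    return entries


def evaluate(entries, pkt):
    """Return (action, matching ACE); the implicit deny ends every IOS ACL."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, proto, src, sport, dst, dport, icmp, ttl, text in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if s not in src or d not in dst:
            continue
        if (sport and not sport(pkt.sport)) or (dport and not dport(pkt.dport)):
            continue
        if (icmp and pkt.icmp != icmp) or (ttl is not None and pkt.ttl != ttl):
            continue
        return action, text
    return "deny", "implicit deny"


# Constructed packets arriving on the Internet interface (documentation
# addresses; 198.51.100.2 stands for the router's DHCP-assigned WAN address).
ROUTER = "198.51.100.2"
SAMPLES = {
    "ike-init":      Packet("udp", "203.0.113.50", ROUTER, sport=500, dport=500),
    "nat-t":         Packet("udp", "203.0.113.50", ROUTER, sport=4500, dport=4500),
    "esp":           Packet("esp", "203.0.113.50", ROUTER),
    "dhcp-offer":    Packet("udp", "198.51.100.1", ROUTER, sport=67, dport=68),
    "traceroute":    Packet("udp", "203.0.113.9", ROUTER, sport=40000, dport=33434, ttl=1),
    "ssh-to-router": Packet("tcp", "203.0.113.9", ROUTER, sport=51000, dport=22),
    "cws-reply":     Packet("tcp", "72.37.248.27", ROUTER, sport=8080, dport=51000),
    "icmp-redirect": Packet("icmp", "203.0.113.9", ROUTER, icmp=(5, 0)),
}


def compare(name):
    """(action under the page 18 ACL, action under the page 31 CWS ACL)."""
    pkt = SAMPLES[name]
    return evaluate(parse_acl(BASE_ACL), pkt)[0], evaluate(parse_acl(CWS_ACL), pkt)[0]
```

Running the same packets through both ACLs shows the CWS line doing its job (tower replies from source port 8080 are now admitted) and also that a source-port permit admits any TCP segment carrying that source port, whatever destination port it targets. The later slides replace these static ACLs with the stateful zone-based firewall, which admits return traffic only for sessions it has already seen leave.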

Page 32: Cloud Web Security Configuration

Basic CWS configuration for Direct Internet Access:

interface Tunnel10
 description DMVPN
 content-scan out
!
parameter-map type content-scan global
 server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
 server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
 license 7 04095B242A071A6A513B5133422D2F550B7901706310744652332152040F010502
 source interface GigabitEthernet0/0
 user-group CWS-REMOTE-SITES
 server scansafe on-failure block-all

Figure (text recovered from the slide graphic): Secure Remote Site router, G0/0 toward the Internet and the CWS Towers.

Page 33: Cloud Web Security Traffic Whitelists

CWS whitelisting for internal web services (ACL):

ip access-list extended CWS-EXCLUDE
 permit ip any 10.0.0.0 0.255.255.255
!
content-scan whitelisting
 whitelist acl name CWS-EXCLUDE

Figure (text recovered from the slide graphic): Secure Remote Site, G0/0 toward the Internet and the CWS Towers; Internal Web Services on 80/443 are excluded from redirection.

Page 34: Cloud Web Security: Cisco ScanCenter Portal, Verify CWS on Clients (screenshot)

Page 35: Cloud Web Security: Cisco ScanCenter Portal, Verify CWS Operation from Host (screenshot)

Page 36: Full Services Secure Direct Internet Access (section title)

Page 37: Secure Direct Internet Access: IOS Zone-Based Firewall

• The stateful IOS Zone-Based Firewall replaces the static ACL configured on outside interfaces.

• The Zone Firewall provides stateful inspection for inside-to-outside user traffic flows.

– Only traffic originating from the INSIDE zone is allowed into the internal remote-site networks.

• The firewall policy allows the router to accept DMVPN, DHCP and ICMP traffic destined to the router itself.

• The firewall policy allows the router to originate DMVPN, DHCP and ICMP traffic from the router itself.

Figure (text recovered from the slide graphic): Secure Remote Site with the IOS Zone Firewall between Security Zone INSIDE (LAN and the DMVPN tunnel to the Central Site) and Security Zone OUTSIDE (Internet).

Page 38: Remote Site Security: IOS Zone Firewall Configuration, Inside-to-Outside Traffic

zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

Figure (text recovered from the slide graphic): the same Secure Remote Site topology as page 37, with Security Zone INSIDE (LAN, DMVPN to the Central Site) and Security Zone OUTSIDE (Internet).

Page 39: IOS Zone Firewall: Zone-Pair and Zone Members

interface GigabitEthernet0/0
 description Internet Connection
 zone-member security OUTSIDE
!
interface GigabitEthernet0/2.64
 description Wired Data
 zone-member security INSIDE
!
interface Tunnel10
 description DMVPN-1 tunnel interface
 zone-member security INSIDE
!
zone-pair security FROM-ROUTER source self destination OUTSIDE
 service-policy type inspect ACL-OUT-POLICY
!
zone-pair security TO-ROUTER source OUTSIDE destination self
 service-policy type inspect ACL-IN-POLICY

Figure (text recovered from the slide graphic): Gig0/0 in zone OUTSIDE; G0/2.64 and Tunnel 10 in zone INSIDE.

Page 40: Direct Internet Access with NAT/PAT: Basic NAT/PAT Configuration

ip access-list standard NAT
 permit 10.10.31.0 0.0.0.255
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/2.64
 ip nat inside

Figure (text recovered from the slide graphic): Secure Remote Site with IP NAT Inside on the LAN side and IP NAT Outside toward the Internet; DMVPN to the Central Site.

Page 41: Full Services Direct Internet Access Routing with F-VRF (section title)

Page 42: Direct Internet Access Routing with F-VRF

With Front Door VRF the Internet interface is placed into a VRF, isolating the ISP default route from the global table.

For traffic to get to the Internet we need a method to route outbound traffic from the global table to the Internet-facing VRF.

For return traffic we need a method to route inbound traffic from the outside VRF to the global table.

Figure (text recovered from the slide graphic): Full Services Internet Access with Front Door VRF. Interface G0/0 sits in VRF INET-PUBLIC1 and holds the DHCP-derived default route from the ISP (0.0.0.0 0.0.0.0, default distance 254); the Global Table is separate.

Page 43: Single Router DMVPN WAN with Local Internet: Full Services Internet with Front Door VRF

Figure (text recovered from the slide graphic): the branch router's G0/0 is in FVRF INET-PUBLIC1 with a DHCP-learned default route (0.0.0.0 0.0.0.0) toward the Public Cloud/Internet for Local Internet Access; the LAN (L2) sits in the Global Table; IOS NAT/FW is applied at the Internet side of the router.

Page 44: Single Router DMVPN with Local Internet: Routing Traffic Outbound to the Internet

Global Table: default route 0.0.0.0 0.0.0.0, default distance 10, pointing from global to INET-PUBLIC1 (via G0/0).

VRF INET-PUBLIC1: DHCP-derived default route 0.0.0.0 0.0.0.0, default distance 254.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10
!
interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp

Figure (text recovered from the slide graphic): Internet, G0/0 in VRF INET-PUBLIC1, Global Table, DMVPN.

Page 45: Single Router DMVPN with Local Internet: Routing Details, View Routing Tables for Outbound Traffic

RS231-2911#sh ip route          <- GLOBAL TABLE
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S*   0.0.0.0/0 [10/0] via 172.18.101.121, GigabitEthernet0/0
     10.0.0.0/8 is variably subnetted, 112 subnets, 10 masks
D EX 10.10.0.0/16 [170/1536512] via 10.10.34.1, 02:32:14, Tunnel10
D EX 10.10.0.0/20 [170/1537024] via 10.10.34.1, 02:32:14, Tunnel10

RS231-2911#sh ip route vrf INET-PUBLIC1
Routing Table: INET-PUBLIC1
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S*   0.0.0.0/0 [254/0] via 172.18.101.121
     172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C    172.18.101.120/29 is directly connected, GigabitEthernet0/0
S    172.18.101.121/32 [254/0] via 172.18.101.121, GigabitEthernet0/0

Figure (text recovered from the slide graphic): G0/0 in VRF INET-PUBLIC1 toward the Internet; Global Table with LAN 10.10.31.0/24 and the DMVPN tunnel.

Page 46: Single Router DMVPN with Local Internet: Routing for Return Traffic Inbound from the Internet

Policy route 10.0.0.0/8 traffic arriving on G0/0 and set the next-hop VRF to the Global Table (from INET-PUBLIC1 to global):

route-map INET-INTERNAL permit 10
 match ip address INTERNAL-NETS
 set global
!
ip access-list extended INTERNAL-NETS
 permit ip any 10.0.0.0 0.255.255.255
!
interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip policy route-map INET-INTERNAL

Figure (text recovered from the slide graphic): Internet, G0/0 in VRF INET-PUBLIC1, Global Table with LAN 10.10.31.0/24 and the DMVPN tunnel.

Page 47: Single Router MPLS Primary, DMVPN Backup with Local Internet: Full Services Internet with Front Door VRF

Figure (text recovered from the slide graphic): branch router with an MPLS WAN link and a DHCP-addressed Internet link for Local Internet Access (0.0.0.0 0.0.0.0) to the Public Cloud/Internet; IOS NAT/FW at the Internet side of the router.

Page 48: Single Router Dual DMVPN WAN with Local Internet: Full Services Internet with Front Door VRF, Outbound Traffic

Primary Internet path: Global Table default route 0.0.0.0 0.0.0.0, default distance 10, from global to INET-PUBLIC1 (via G0/0); VRF INET-PUBLIC1 holds the DHCP-derived default route 0.0.0.0 0.0.0.0, default distance 254.

Secondary Internet path: EIGRP-derived central-site default route 0.0.0.0 0.0.0.0, admin distance 170, in the Global Table.

interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 10

Figure (text recovered from the slide graphic): two DMVPN tunnels, DMVPNoINET over the Internet (G0/1) and DMVPNoMPLS over the MPLS VPN; LAN 10.10.31.0/24 in the Global Table.

Single Router Dual DMVPN WAN with Local Internet

Full services Internet with front door VRF – return traffic

interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip policy route-map INET-INTERNAL
!
route-map INET-INTERNAL permit 10
 match ip address INTERNAL-NETS
 set global
!
ip access-list extended INTERNAL-NETS
 permit ip any 10.0.0.0 0.255.255.255

[Diagram: DMVPN over INET and DMVPN over MPLS; Internet on G0/1, MPLS VPN on G0/0; Global Table with LAN 10.10.31.0/24. Policy route for 10.0.0.0/8 traffic: set next-hop VRF to Global Table (from INET-PUBLIC1 to Global).]

Single Router Dual DMVPN WAN with Local Internet

Full services Internet with front door VRF

[Diagram: two Public Cloud/Internet links, Local Internet Access Primary 0.0.0.0 0.0.0.0 and Local Internet Access Secondary 0.0.0.0 0.0.0.0, each behind IOS NAT/FW; DMVPNoINET across both.]

Single Router Dual DMVPN WAN with Local Internet

Full services Internet with front door VRF – Egress Traffic

interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
!
interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC2
 ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 15

[Diagram: two DMVPNoINET tunnels, Internet on G0/0 and G0/1; Global Table with LAN 10.10.31.0/24.
Primary Internet Path: Default Route 0.0.0.0 0.0.0.0, Admin Distance 10, from Global to INET-PUBLIC1 (via G0/0).
Secondary Internet Path: Default Route 0.0.0.0 0.0.0.0, Admin Distance 15, from Global to INET-PUBLIC2 (via G0/1).]

Single Router Dual DMVPN WAN with Local Internet

Full services Internet with front door VRF – return traffic

interface GigabitEthernet0/0
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip policy route-map INET-INTERNAL
!
interface GigabitEthernet0/1
 ip vrf forwarding INET-PUBLIC2
 ip address dhcp
 ip policy route-map INET-INTERNAL
!
route-map INET-INTERNAL permit 10
 match ip address INTERNAL-NETS
 set global
!
ip access-list extended INTERNAL-NETS
 permit ip any 10.0.0.0 0.255.255.255

[Diagram: two DMVPNoINET tunnels, Internet on G0/0 and G0/1; Global Table with LAN 10.10.31.0/24. On each interface the policy route for 10.0.0.0/8 traffic sets the next-hop VRF to the Global Table (from the front door VRF to Global).]

Additional DIA Routing Considerations

Black Hole Route Detection

IP SLA – Lost connection to ISP but DHCP route stays in the routing table

IP SLA probes and tracking objects:

ip sla 110
 icmp-echo x.x.x.x source-interface GigabitEthernet0/0
 vrf INET-PUBLIC1
 threshold 1000
 frequency 15
ip sla schedule 110 life forever start-time now
ip sla 111
 icmp-echo y.y.y.y source-interface GigabitEthernet0/0
 vrf INET-PUBLIC1
 threshold 1000
 frequency 15
ip sla schedule 111 life forever start-time now
!
track 60 ip sla 110 reachability
track 61 ip sla 111 reachability
track 62 list boolean or
 object 60
 object 61

EEM applet that removes the static default route once track 62 (either probe reachable) goes down:

event manager applet DISABLE-STATIC-GIG0-0
 event track 62 state down
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10"
 action 4 cli command "end"
 action 99 syslog msg "DEFAULT IP ROUTE via GIG0/0 DISABLED"

Note: This method is compatible with dual Internet DHCP design.

Preventing internal traffic from leaking to the Internet

Internal Traffic Null route takes effect during link failure

ip route 10.0.0.0 255.0.0.0 Null0 254

[Diagram: Primary WAN (MPLS VPN) to the central site, 10.4.48.10 reachable via BGP or EIGRP; Internet with Default Route 0.0.0.0 0.0.0.0; branch LAN 10.5.244.0/24 with host 10.5.244.25. Labels: "10.4.48.10 via 0.0.0.0 0.0.0.0" crossed out for the failure case and "10.4.48.10 via NULL0" for the path that takes effect.]

RS250-1941#sh ip route
Gateway of last resort is 172.18.100.129 to network 0.0.0.0

S* 0.0.0.0/0 [10/0] via 172.18.100.129
 10.0.0.0/8 is variably subnetted, 107 subnets, 11 masks
S 10.0.0.0/8 is directly connected, Null0
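The routing behaviour on the preceding DIA slides (policy routing of 10.0.0.0/8 return traffic with set global, a DHCP-derived default at distance 10 or 15 in the global table competing with the EIGRP central-site default at 170 and the VRF's own DHCP default at 254, the IP SLA/track/EEM withdrawal of the static default, and the Null0 route at 254) comes down to longest-prefix lookup followed by administrative distance. The Python model below is an added example written for this page, not code from the presentation or from Cisco; the Router class and its method names, the next-hop labels and the 10.4.48.0/24 prefix are constructed assumptions. It lets you check offline that internal traffic is never forwarded out of the Internet VRF when the WAN fails.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str        # e.g. "0.0.0.0/0"
    nexthop: str       # interface/gateway label, "Null0", or "vrf:<name>" for a front-door VRF
    distance: int      # administrative distance
    vrf: str = "global"


class Router:
    """Toy model of an IOS router with a global table and front-door VRFs (assumed API)."""

    def __init__(self):
        self.routes = []   # every installed route, all tables
        self.pbr = {}      # ingress VRF -> (destination network, VRF to use instead)

    def add_route(self, route):
        self.routes.append(route)

    def remove_route(self, prefix, vrf, distance):
        """Equivalent of 'no ip route <prefix> ... <distance>' in the given table."""
        self.routes = [r for r in self.routes
                       if not (r.prefix == prefix and r.vrf == vrf and r.distance == distance)]

    def policy_route(self, ingress_vrf, prefix, target_vrf):
        """route-map with 'set global' applied on the ingress interface of a VRF."""
        self.pbr[ingress_vrf] = (ipaddress.ip_network(prefix), target_vrf)

    def lookup(self, vrf, dst):
        """Longest prefix match; among equal prefixes the lowest administrative distance wins."""
        ip = ipaddress.ip_address(dst)
        best, best_key = None, None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if r.vrf != vrf or ip not in net:
                continue
            key = (net.prefixlen, -r.distance)
            if best_key is None or key > best_key:
                best, best_key = r, key
        return best

    def forward(self, ingress_vrf, dst, apply_pbr=True):
        """Return (table used, next hop) for a packet to dst arriving in ingress_vrf."""
        vrf = ingress_vrf
        rule = self.pbr.get(ingress_vrf)
        if apply_pbr and rule and ipaddress.ip_address(dst) in rule[0]:
            vrf = rule[1]                       # return traffic for 10/8 is moved to the global table
        r = self.lookup(vrf, dst)
        if r is None:
            return (vrf, "unreachable")
        if r.nexthop.startswith("vrf:"):        # 'ip route ... GigabitEthernet0/0 dhcp 10' resolves in the VRF
            return self.forward(r.nexthop[4:], dst, apply_pbr=False)
        return (vrf, r.nexthop)


def track_boolean_or(probe_results):
    """'track 62 list boolean or': up while at least one IP SLA reachability probe is up."""
    return any(probe_results)


def eem_on_track_down(router, track_up):
    """Mirror of the EEM applet DISABLE-STATIC-GIG0-0: withdraw the static DHCP default."""
    if not track_up:
        router.remove_route("0.0.0.0/0", "global", 10)


def build_branch():
    """Routes from the slides; next-hop labels and 10.4.48.0/24 are constructed sample values."""
    r = Router()
    r.add_route(Route("0.0.0.0/0", "isp-dhcp-gateway", 254, "INET-PUBLIC1"))  # DHCP default inside the VRF
    r.add_route(Route("0.0.0.0/0", "vrf:INET-PUBLIC1", 10))      # ip route 0.0.0.0 0.0.0.0 Gi0/0 dhcp 10
    r.add_route(Route("0.0.0.0/0", "dmvpn-hub", 170))           # EIGRP-derived central-site default
    r.add_route(Route("10.0.0.0/8", "Null0", 254))              # ip route 10.0.0.0 255.0.0.0 Null0 254
    r.add_route(Route("10.10.31.0/24", "Gi0/2.64", 0))          # connected branch LAN
    r.add_route(Route("10.4.48.0/24", "dmvpn-hub", 90))         # central-site prefix learned over DMVPN
    r.policy_route("INET-PUBLIC1", "10.0.0.0/8", "global")      # route-map INET-INTERNAL / set global
    return r


if __name__ == "__main__":
    r = build_branch()
    print("return traffic  ", r.forward("INET-PUBLIC1", "10.10.31.5"))
    print("DIA egress      ", r.forward("global", "8.8.8.8"))
    eem_on_track_down(r, track_boolean_or([False, False]))      # both probes failed
    print("egress after EEM", r.forward("global", "8.8.8.8"))
    r.remove_route("10.4.48.0/24", "global", 90)                 # DMVPN prefix gone as well
    print("no leak         ", r.forward("global", "10.4.48.10"))
```

Run as a script it prints the four decisions: return traffic lands in the global table on the LAN interface, Internet-bound traffic leaves through the front-door VRF, the EIGRP default takes over once the EEM applet removes the distance-10 static, and a central-site address with no specific route is absorbed by Null0 rather than following whatever default remains.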

Direct Internet Access Use Cases

Guest Access with Local Internet

Guest Internet Access with VRF

[Diagram: Internet (DHCP) on G0/0 in VRF INET-PUBLIC1, Global Table for the trusted side; a trunk carries Trusted Wired VLAN (64), Guest VLAN (80), Trusted WLAN and Guest Wired VLAN.]

Guest Access with Local Internet

Place Guest VLAN in the outside VRF

interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
!
interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 encapsulation dot1Q 80
 ip address 192.168.19.1 255.255.255.0
!
interface GigabitEthernet0/2.64
 description INTERNAL-DATA
 ip address 10.10.31.1 255.255.255.0

[Diagram: Internet with DHCP Derived Default Route 0.0.0.0 0.0.0.0 on G0/0 and GUEST-NET VLAN on G0/2.80, both in VRF INET-PUBLIC1; INTERNAL-DATA VLAN on G0/2.64 in the Global Table.]

Guest Access with Local Internet

Routing table view

RS231-2911#sh ip route vrf INET-PUBLIC1

Routing Table: INET-PUBLIC1
Gateway of last resort is 172.18.101.121 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 172.18.101.121
 172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.18.101.120/29 is directly connected, GigabitEthernet0/0
S 172.18.101.121/32 [254/0] via 172.18.101.121, GigabitEthernet0/0
L 172.18.101.122/32 is directly connected, GigabitEthernet0/0
 192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.19.0/24 is directly connected, GigabitEthernet0/2.80
L 192.168.19.1/32 is directly connected, GigabitEthernet0/2.80

[Diagram: Internet on G0/0 and Guest VLAN on G0/2.80, both in VRF INET-PUBLIC1.]

Guest Access with Local Internet

Guest IOS VRF-aware DHCP Configuration with public DNS

interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 ip address 192.168.19.1 255.255.255.0
!
ip dhcp excluded-address vrf INET-PUBLIC1 192.168.19.1 192.168.19.19
!
ip dhcp pool GUEST-DHCP
 vrf INET-PUBLIC1
 network 192.168.19.0 255.255.255.0
 default-router 192.168.19.1
 domain-name cisco.guest
 dns-server 8.8.8.8        <- Google Public DNS

[Diagram: GUEST User sends a DHCP Request on G0/2.80; Internet beyond the router.]

Guest Access with Local Internet

Guest VRF aware NAT Configuration

interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 ip address 192.168.19.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 ip nat outside
!
ip nat inside source list NAT interface GigabitEthernet0/0 vrf INET-PUBLIC1 overload
!
ip access-list extended NAT
 permit ip 10.10.31.0 0.0.0.255 any
 permit ip 192.168.19.0 0.0.0.255 any

[Diagram: GUEST on G0/2.80 (IP NAT Inside), Internet on G0/0 (IP NAT Outside), DMVPN to the Central Site.]

Guest Access with Local Internet

IOS Zone Firewall configuration – Guest to outside traffic

zone security GUEST
!
class-map type inspect match-any GUEST-TO-OUTSIDE-CLASS
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match access-group name GUEST-OUT
!
policy-map type inspect GUEST-TO-OUTSIDE-POLICY
 class type inspect GUEST-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security GUEST source GUEST destination OUTSIDE
 service-policy type inspect GUEST-TO-OUTSIDE-POLICY
!
ip access-list extended GUEST-OUT
 deny ip any any

[Diagram: Security Zone GUEST on the guest side; Security Zone OUTSIDE towards the Internet and the DMVPN to the Central Site; the IOS Zone Firewall sits between them.]

Guest Access with Local Internet

Guest Firewall Zone configuration

interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 zone-member security OUTSIDE
!
interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 ip address 192.168.19.1 255.255.255.0
 zone-member security GUEST
!
interface GigabitEthernet0/2.64
 description INTERNAL-DATA
 ip address 10.5.204.1 255.255.255.0
 zone-member security INSIDE

[Diagram: Internet with DHCP Derived Default Route 0.0.0.0 0.0.0.0 on G0/0 and Guest VLAN on G0/2.80, both in VRF INET-PUBLIC1.]
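The zone-based firewall semantics behind the two slides above (zone membership per interface, a match-any class-map of protocols plus an access-group, inspect versus drop in the policy-map, and a zone-pair that is the only thing allowing traffic between zones) can be exercised with a small evaluator. The following Python is an added example for this page, not Cisco code; the ZoneFirewall class and its method names are assumptions, the guest and Internet host addresses are constructed, and the inspect engine is reduced to a protocol label on each flow.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    protocol: str      # application protocol as the inspect engine would classify it, e.g. "http"


def acl_permits(entries, src, dst):
    """First-match evaluation of an extended ACL given as (action, src_net, dst_net) tuples."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False    # implicit deny at the end of every ACL


class ZoneFirewall:
    """Toy model of IOS zone-based policy firewall semantics (assumed API, not Cisco code)."""

    def __init__(self):
        self.zone_of = {}      # interface -> zone name
        self.acls = {}         # ACL name -> entries
        self.class_maps = {}   # name -> (match-any|match-all, [(kind, value), ...])
        self.policy_maps = {}  # name -> [(class name, action), ...] in configured order
        self.zone_pairs = {}   # (source zone, destination zone) -> policy-map name
        self.sessions = set()  # (src, dst, protocol) of inspected connections

    def zone_member(self, iface, zone):
        self.zone_of[iface] = zone

    def class_map(self, name, match_type, criteria):
        self.class_maps[name] = (match_type, criteria)

    def policy_map(self, name, classes):
        self.policy_maps[name] = classes

    def zone_pair(self, src_zone, dst_zone, policy):
        self.zone_pairs[(src_zone, dst_zone)] = policy

    def _class_matches(self, name, flow):
        match_type, criteria = self.class_maps[name]
        results = []
        for kind, value in criteria:
            if kind == "protocol":
                results.append(flow.protocol == value)
            elif kind == "access-group":
                results.append(acl_permits(self.acls[value], flow.src, flow.dst))
        return any(results) if match_type == "match-any" else all(results)

    def evaluate(self, flow):
        """Return 'inspect', 'pass' or 'drop' for the first packet of a flow."""
        src_zone, dst_zone = self.zone_of.get(flow.in_iface), self.zone_of.get(flow.out_iface)
        if src_zone is None and dst_zone is None:
            return "pass"                    # neither interface is in a zone: not firewalled
        if (flow.dst, flow.src, flow.protocol) in self.sessions:
            return "pass"                    # return traffic of an inspected session
        if src_zone == dst_zone:
            return "pass"                    # intra-zone traffic is allowed by default
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"                    # zone to non-zone, or no zone-pair: default deny
        for class_name, action in self.policy_maps[policy]:
            if class_name == "class-default" or self._class_matches(class_name, flow):
                if action == "inspect":
                    self.sessions.add((flow.src, flow.dst, flow.protocol))
                return action
        return "drop"


def build_guest_firewall():
    """The GUEST / OUTSIDE / INSIDE configuration from the slides."""
    fw = ZoneFirewall()
    fw.zone_member("GigabitEthernet0/0", "OUTSIDE")
    fw.zone_member("GigabitEthernet0/2.80", "GUEST")
    fw.zone_member("GigabitEthernet0/2.64", "INSIDE")
    fw.acls["GUEST-OUT"] = [("deny", "0.0.0.0/0", "0.0.0.0/0")]      # deny ip any any
    fw.class_map("GUEST-TO-OUTSIDE-CLASS", "match-any",
                 [("protocol", "dns"), ("protocol", "http"), ("protocol", "https"),
                  ("protocol", "ftp"), ("access-group", "GUEST-OUT")])
    fw.policy_map("GUEST-TO-OUTSIDE-POLICY",
                  [("GUEST-TO-OUTSIDE-CLASS", "inspect"), ("class-default", "drop")])
    fw.zone_pair("GUEST", "OUTSIDE", "GUEST-TO-OUTSIDE-POLICY")
    return fw


if __name__ == "__main__":
    fw = build_guest_firewall()
    guest, inet, inside = "GigabitEthernet0/2.80", "GigabitEthernet0/0", "GigabitEthernet0/2.64"
    # 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as constructed Internet hosts.
    for f in (Flow(guest, inet, "192.168.19.50", "203.0.113.10", "http"),
              Flow(inet, guest, "203.0.113.10", "192.168.19.50", "http"),
              Flow(guest, inet, "192.168.19.50", "203.0.113.10", "ssh"),
              Flow(guest, inside, "192.168.19.50", "10.5.204.10", "http"),
              Flow(inet, guest, "198.51.100.7", "192.168.19.50", "http")):
        print(f.protocol, f.src, "->", f.dst, fw.evaluate(f))
```

Two things the evaluator makes visible: the access-group line in GUEST-TO-OUTSIDE-CLASS never contributes a match because GUEST-OUT denies everything, so the four protocol matches alone decide what guests may start; and since the slides only define the GUEST to OUTSIDE zone-pair, traffic from the INSIDE zone towards OUTSIDE is dropped in this model until an INSIDE to OUTSIDE pair is configured too.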

Guest Access with Local Internet

Guest VLAN with interface group mapped to CWS policies

interface GigabitEthernet0/2.80
 description GUEST-NET
 ip vrf forwarding INET-PUBLIC1
 user-group default GUEST-GRP
 ip address 192.168.19.1 255.255.255.0
!
interface GigabitEthernet0/0
 description ISP
 ip vrf forwarding INET-PUBLIC1
 ip address dhcp
 content-scan out

[Diagram: Internet with DHCP Derived Default Route 0.0.0.0 0.0.0.0 on G0/0 and Guest VLAN on G0/2.80, both in VRF INET-PUBLIC1.]

CWS Guest Access

CWS Guest Policy – Create a Guest Directory Group

CWS Guest Policy – Create Guest Filters

CWS Guest Policy – Create Guest Policy Rules

CWS Guest Policy – Guest Group is not able to browse Gambling sites

CWS whoami.scansafe.net (Internal User versus Guest User)

TrustSec in the WAN

TrustSec is consistent, location-independent policy

[Diagram: Wired Environment (Switches), Wi-Fi Environment (WLC) and Remote Access (Internet SSL-VPN terminating on an ASA; target CY14 1H). An Employee (SGT=55) in each environment reaches Application X (SGT 100), Virtual Machines (SGT 200) and LoB (Eng) (SGT 300).]

Regardless of topology or location, TrustSec provides consistent resource access policy.

TrustSec Classification, Propagation, Enforcement

Users and Systems are Classified into Security Groups based on Context. Traffic is then Tagged with the Security Group ID.

Tags can be applied to traffic from specific users, servers, networks or network connections.

Provides virtual network segmentation, flexible access control and FW rule automation.

A good strategic fit with Cisco SDN.

[Diagram: User, Device -> Campus Switch -> Router -> Router -> DC Switch -> HR Servers and Fin Servers (SGT = 4, SGT = 10). The Policy Admin Point (ISE with Directory) performs Classification; data leaving the campus switch carries SGT:5; Propagation across the routers; Enforcement at the DC switch (SGT = 5).]

TrustSec Integration – IP/SGT Mapping – 802.1X

1. Dot1X process used to obtain user credentials on embedded switch
2. RADIUS Authentication takes place
3. ISE sends Security Group Tag (SGT) as a RADIUS Authorization Attribute

SGT/IP Mapping is available on the ISR device (no matter if user authentication was performed using Dot1X or Auth-Proxy).

[Diagram: ISR-EDGE2 (ISR with LAN Switching HWIC, EHWIC-SW) exchanging steps 1 to 3 with the Identity Services Engine (ISE).]

TrustSec Integration – IP/SGT Mapping – Auth-Proxy

1. Auth-Proxy process used to obtain user credentials
2. RADIUS Authentication takes place
3. ISE sends Security Group Tag (SGT) as a RADIUS Authorization Attribute

[Diagram: host 192.168.12.12 behind ISR-EDGE2; steps 1 to 3 with the Identity Services Engine (ISE).]

ISR-EDGE1# show epm session ip 192.168.12.12
Admission feature: AUTHPROXY
AAA Policies:
  SGT: 0004-0

TrustSec Integration – SXP: SGT Exchange Protocol

[Diagram: ISR-EDGE2 as SXP Speaker, ISR-CENTRAL as SXP Listener.]

ISR-EDGE1# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       INTERNAL
172.19.38.1             2       INTERNAL
192.168.2.25            2       INTERNAL
192.168.10.2            2       INTERNAL
192.168.11.1            2       INTERNAL
192.168.12.1            2       INTERNAL
192.168.12.12           4       LOCAL

IP-SGT Active Bindings Summary
====================================
Total number of LOCAL    bindings = 1
Total number of INTERNAL bindings = 6
Total number of active   bindings = 7

ISR-CENTRAL# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
====================================
172.19.37.1             2       SXP
172.19.38.1             2       SXP
192.168.2.25            2       SXP
192.168.10.2            2       SXP
192.168.11.1            2       SXP
192.168.12.1            2       SXP
192.168.12.12           4       SXP

IP-SGT Active Bindings Summary
====================================
Total number of SXP      bindings = 7
Total number of active   bindings = 7

TrustSec Integration – Building ZFW Policies based on Security Group Tags

class-map type inspect match-any CLASS1
 match protocol http
 match protocol telnet
 match protocol ssh
 match protocol icmp
!
class-map type inspect match-any SGT1
 match security-group source tag 3
!
class-map type inspect match-all EMPLOYEES
 match class-map CLASS1
 match class-map SGT1

[Diagram: ISR-CENTRAL with Zone OUTSIDE (F0) and Zone INSIDE (F1); incoming IP packets (Hdr, Data) from Branch-1, Branch-2 ... Branch-n; IP-SGT table entry 192.168.1.1 -> SGT 3.]

SXP Configuration

Speaker:

isr-cts2-2911c# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
isr-cts2-2911c(config)#cts sxp enable
isr-cts2-2911c(config)#cts sxp default password cisco
isr-cts2-2911c(config)#cts sxp connection peer 1.1.1.2 source 1.1.1.1 password default mode local speaker
isr-cts2-2911c(config)#end
isr-cts2-2911c#

Listener:

isr-cts2-2921a# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
isr-cts2-2921a(config)#cts sxp enable
isr-cts2-2921a(config)#cts sxp default password cisco
isr-cts2-2921a(config)#cts sxp connection peer 1.1.1.1 source 1.1.1.2 password default mode local listener
isr-cts2-2921a(config)#end
isr-cts2-2921a#

Callouts: Enable SXP (cts sxp enable); SXP default password (cts sxp default password); peer ip address and source ip address on the cts sxp connection command.

show sxp connection brief

isr-cts2-2921a# show cts sxp connections brief
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
1.1.1.1          1.1.1.2          On                0:00:00:16 (dd:hr:mm:sec)
10.1.1.1         20.1.1.1         On                0:00:00:15 (dd:hr:mm:sec)

Total num of SXP Connections = 2
isr-cts2-2921a#

Callout: Duration is the time since the connection has been in the indicated status.

Verify IP-SGT Bindings

IPv4 IP-SGT bindings (Source column shows the source of learning, summary shows the total number of active bindings):

isr-cts2-2911c#show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
1.10.1.1                10      CLI
1.11.1.1                11      CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 2
Total number of active   bindings = 2

IPv6 bindings (summary shows the total number of active IPv6 bindings):

isr-cts2-2921a#show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information

IP Address              SGT     Source
================================================================
1001:100:1::1           610     SXP
2001:100:1::1           620     CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI      bindings = 1
Total number of SXP      bindings = 1
Total number of active   bindings = 2

Branch Segmentation/SXP WAN

[Diagram: branch routers Speaker-1 ... Speaker-300 peer over the WAN with ASR1K Listener-1 and Listener-2 at the Data Center edge (SXPv4), which in turn feed Cat6K and N7K (SXPv4). Each branch holds its local bindings (10.1.10.1 Contractor - 10 and 10.1.10.4 Employee - 30 at one branch; 10.1.254.1 Contractor - 10 and 10.1.254.4 Employee - 30 at another); after replication the listeners and the relayed tables hold all four.]

Bidirectional SXP with Loop Detection available now:
– ISRG2 15.4(1)S
– ASR1000/ISR4k/CSR XE 3.11

Allows ASR1000 to be an IP/SGT relay from remote to remote.

SXP is a full replication model – each remote router will learn all IP/SGT bindings.

Branch Segmentation/Inline Tagging Across WAN

Inline tagging across WAN:
– IPsec, DM-VPN, GET-VPN

Inline tagging on built-in ISRG2 & ASR 1000 Ethernet interfaces (all except 800 series ISR)

• Can also use SGT-aware Zone-based Firewall in branch and DC WAN edge for reasons like PCI compliance
• SGT is used only as a source criterion in ISR G2 Zone-Based Firewall

[Diagram: Branch A (ISRG2, e.g. 2951/3945) and Branch B (ISRG2 with Cat3750-X) carry SGT over GET-VPN, DM-VPN or IPsec VPN to an Inline SGT ASR1000 Router at HQ.]

SXP WAN Aggregation Option

[Diagram: branch SXP Speakers (bindings such as 10.1.10.1 Production User - 10 and 10.1.10.10 Developer - 20 at one branch, 10.1.254.1 Production User - 10 and 10.1.254.10 Developer - 20 at another) peer with a pair of aggregators (SXP Speakers & Listeners) that are not in the traffic path; the aggregators hold the combined table and pass it to the SGT Capable Enforcement Switch or Firewall (SXP Listeners) at the DC edge.]

Aggregators handling SXP control plane; not in the traffic path.

All bindings received at DC Edge; peer only with the aggregators.

Campus & Branch Segmentation

[Diagram: campus with Cat6800/Sup2T, Catalyst 3850 access switches, ISE and ASA5500-X; data center with Nexus 7000, Nexus 5K, Nexus 2K and Nexus1000v; WAN (GETVPN, DMVPN, IPsec VPN) over ASR1000 to Branch B, C and D with ISR1900/2900/3900/4451. Endpoints shown with DHCP addresses: HR 10.1.10.101 and 10.1.10.102, Finance 10.2.1.51 and 10.2.1.52 (Wired), HR 20.10.18.103 on VLAN18, BYOD-HR 192.168.50.103, BYOD-Guest 192.168.1.10.20 (as printed), VLAN10; SSIDs Corp-net and Vender-net; roles HR, Finance, BYOD-Corp, BYOD-Vendor.]

Retail customer

Existing segmentation scheme used up to 25 subnets/VLANs in stores
Segmentation for reasons including PCI
Additional segments would break route summarisation

[Diagram: Store with PCI and POS segments.]

Retail customer (continued)

Catalyst 3850 allowed SGACL segmentation in stores
No new VLANs/segments required
DM-VPN used to carry SGT inline between stores

[Diagram: Stores with ISR and Cat 3850 (PCI, POS segments) connected over DM-VPN to an ASR; ISE provides policy.]

Financial Branch – Before TrustSec

Existing network had 4 subnets/VLANs per branch
No use of 802.1X
Extensive IP-based rules in DC Firewalls

[Diagram: Branch with ISR.]

Financial branch – with TrustSec

Rules in DC Firewalls based on simple categories
L3 Interface-SGT maps
– Each subnet/VLAN gets an SGT, IP-SGT bindings created
– Same SGTs in every branch

[Diagram: Branch ISR propagating bindings over SXP.]

Financial branch

Enable 802.1X passively
Enable SXP in access switch (switches only capable of SXP)
Coarse-grained roles from VLAN mappings AND fine-grained roles from authentication
L3 Interface-SGT maps still in place
Bindings from SXP take priority over static SGTs

[Diagram: access switch to branch ISR over SXP, ISR onward over SXP; ISE for authentication.]

TrustSec Functions and Platform Support

[Table: three columns, Classification / Propagation / Enforcement; the per-platform markers (SXP, SGT inline tagging, SGACL, SGFW, NEW) did not survive extraction, so only the platform lists per column are kept.]

Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 3850/3650; WLC 5760; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000.

Propagation (SXP and/or SGT inline tagging): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E, 8), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T), 6800; WLC 2500, 5500, WiSM2; WLC 5760; Nexus 1000v; Nexus 6000/5600; Nexus 5500/22xx FEX; Nexus 7000/22xx FEX; ISRG2, CGS2000; ASR1000; ASA5500 Firewall, ASASM; IE2000/3000, CGS2000 (NEW); ASA5500 (VPN RAS). NEW inline tagging over GETVPN, DMVPN, IPsec.
• Inline SGT on all ISRG2 except 800 series.

Enforcement (SGACL / SGFW): Catalyst 3560-X; Catalyst 3750-X; Catalyst 4500E (7E); Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Catalyst 3850/3650; WLC 5760; Nexus 7000; Nexus 6000; Nexus 5600; Nexus 5500; Nexus 1000v; ISR G2 Router, CGR2000; ASA 5500 Firewall; ASAv Firewall; ASR 1000 Router; CSR-1000v Router.

www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html

Cyber Threat Defense Solution (CTD)

Page 91: Bezpečnostní a funkce Intelligent - Cisco - Global Home … funkce Intelligent WAN architektury TECH-WAN: Building a Secure Intelligent WAN Gaweł Mikołajczyk gmikolaj@cisco.com

Cisco and/or its affiliates. All rights reserved. Cisco Connect 2015 – Secure WAN Cisco Public

Making use of the WAN Traffic Patterns

Fields that NetFlow can report for every flow crossing the WAN:
• Source and Destination Address (IPv4/IPv6)
• Source and Destination Port
• Protocol, Application
• DSCP
• Ingress Interface
• BGP Next-Hop Field
• MPLS Label Info
• Multicast Info
• L2 information (802.1q tag, CoS field, etc.)


NetFlow Technology Brief

Standards-based flow technology with a long history (1990s, IOS 11.x)
– NFv5, NFv9, IPFIX, NSEL, FNF (Flexible NetFlow)
– Both a data format and a protocol to transport the flow information from the exporter to the collector
– The exporter creates a cache entry per flow based on the key fields and exports expired or terminated flows to the collector
– Configuration is defined by flow record, exporter, flow monitor and device interface
– Efficient, low overhead, binary format: many (20-50) flow records per export packet

Supported by the majority of the network infrastructure, but mileage may vary greatly
– IOS/IOS-XE/IOS-XR routers, Catalyst and Nexus switches
– ASA provides NSEL (NetFlow Security Event Logging): state-based, with NAT stitching

If a device cannot export natively, generate NetFlow with a SPAN-attached appliance
– Cisco NetFlow Generation Appliance (NGA)
– Lancope FlowSensor Appliance (FS)

For network forensics and behavioural anomaly detection, use unsampled (1:1) NetFlow
– Sampled NetFlow is still useful for traffic accounting, billing, understanding the protocol mix and network planning

NetFlow instrumentation is the foundation for traceback and attribution: a new security use for a very well-known technology


http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html
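The cache behaviour described above (one cache entry per key-field tuple, exported on timeout or TCP termination) and the reason unsampled export matters for forensics, as an added example that is not Cisco code or configuration: a small Python flow cache keyed on the classic NetFlow 7-tuple, fed constructed packets. The addresses, timeouts and the deterministic 1:N selection rule are assumptions (real exporters usually sample randomly), but the effect on one-packet scan flows is the same.

```python
"""Flow cache in the NetFlow style: key fields, active/inactive timeouts, 1:N sampling.

Added example (not Cisco code). Packet records and timings are constructed
so that the effect of sampling on a short-flow port sweep is visible.
"""
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple


class FlowKey(NamedTuple):
    """Classic NetFlow v5 key fields: one cache entry per distinct 7-tuple."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    dscp: int
    ifindex: int          # ingress interface


@dataclass
class FlowEntry:
    """Non-key fields accumulated for a flow while it sits in the cache."""
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0


class FlowCache:
    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0,
                 sample_rate: int = 1):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.sample_rate = sample_rate       # 1 = unsampled, N = every Nth packet
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[Tuple[FlowKey, FlowEntry]] = []
        self._seen = 0

    def observe(self, key: FlowKey, now: float, length: int, tcp_flags: int = 0) -> None:
        self._seen += 1
        # Deterministic 1:N packet sampling (assumption): packets that are not
        # selected never create or update an entry, so one-packet flows vanish.
        if self._seen % self.sample_rate != 0:
            return
        self.expire(now)
        entry = self.cache.get(key)
        if entry is None:
            entry = self.cache[key] = FlowEntry(first_seen=now, last_seen=now)
        entry.last_seen = now
        entry.packets += 1
        entry.octets += length
        entry.tcp_flags |= tcp_flags
        if key.proto == 6 and tcp_flags & 0x05:      # FIN or RST terminates a TCP flow
            self.exported.append((key, self.cache.pop(key)))

    def expire(self, now: float) -> None:
        """Export entries idle longer than the inactive timeout or older than the active one."""
        for key in list(self.cache):
            e = self.cache[key]
            if (now - e.last_seen >= self.inactive_timeout
                    or now - e.first_seen >= self.active_timeout):
                self.exported.append((key, self.cache.pop(key)))

    def flush(self) -> List[Tuple[FlowKey, FlowEntry]]:
        """Export everything still cached (what the collector sees at the end)."""
        for key in list(self.cache):
            self.exported.append((key, self.cache.pop(key)))
        return self.exported


SCANNER = "10.10.101.118"   # constructed address (the same host the deck's CI example uses)


def build_traffic() -> List[Tuple[FlowKey, float, int, int]]:
    """Constructed traffic: one 400-packet HTTP session, then a 200-host SYN sweep on tcp/445."""
    packets, t = [], 0.0
    http = FlowKey("10.10.101.50", "10.10.1.10", 51000, 80, 6, 0, 1)
    for _ in range(400):
        packets.append((http, t, 1200, 0x10))              # ACK-flagged data segments
        t += 0.1
    for host in range(1, 201):
        key = FlowKey(SCANNER, f"10.10.20.{host}", 40000 + host, 445, 6, 0, 1)
        packets.append((key, t, 60, 0x02))                 # one SYN per target
        t += 0.01
    return packets


def summarize(sample_rate: int) -> Tuple[int, int]:
    """Return (flows exported for the scanner, total flows exported) at a sampling rate."""
    cache = FlowCache(sample_rate=sample_rate)
    for key, ts, length, flags in build_traffic():
        cache.observe(key, ts, length, flags)
    flows = cache.flush()
    return sum(1 for k, _ in flows if k.src == SCANNER), len(flows)


if __name__ == "__main__":
    for rate in (1, 100):
        print(f"1:{rate} sampling -> scanner flows / total flows: {summarize(rate)}")
```

At 1:1 all 200 single-SYN flows reach the collector; at 1:100 only two of them do, while the long HTTP session is exported either way. That asymmetry is why sampled export is adequate for accounting and capacity planning but not for scan detection or traceback.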


Network-Based Anomaly Detection (NBAD)

• Concern Index tracks hosts that appear to be compromising network integrity
• File Sharing Index indicates peer-to-peer host activity
• Target Index visualizes hosts that appear to be victims of suspicious behaviour
• Host Group Targeted Reporting unveils network and application traffic patterns (application report, inbound/outbound traffic report)


Catching the Insider Threats with CTD

• Unauthorized Access: an access violation attempted, denied by the firewall
• Internal Reconnaissance: Concern Index event, scanning on tcp/445
• Data Hoarding: transferring a large amount of data through the network
– Suspect Data Hoarding: a host downloading inbound from many hosts
– Target Data Hoarding: a host uploading an unusual amount outbound to multiple hosts
• Data Exfiltration: identify suspicious transfers through the Internet edge over a long period of time
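The three data-movement behaviours above, as an added example that is not StealthWatch code: per-host inbound and outbound byte totals and peer counts are built from constructed flow records and compared with the median of the host's group, so a hoarder does not distort its own baseline. The addresses, the 10x factor, the 20-peer minimum, the 100 MB / 3-day exfiltration rule and the 10.0.0.0/8 internal range are all assumptions.

```python
"""Data hoarding and exfiltration checks over per-host flow totals.

Added example (not StealthWatch code). The flow records, the 10x-baseline
factor, the peer-count minimum and the exfiltration thresholds are
constructed assumptions used to illustrate the three behaviours.
"""
import ipaddress
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, NamedTuple, Set

MB = 1_000_000
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal address space


class Flow(NamedTuple):
    day: int       # day index, so behaviour can be judged over a long period
    src: str
    dst: str
    octets: int    # bytes sent from src to dst


class HostStats:
    def __init__(self) -> None:
        self.inbound = 0                 # bytes received
        self.outbound_internal = 0       # bytes sent to internal hosts
        self.outbound_external = 0       # bytes sent through the Internet edge
        self.sources: Set[str] = set()   # hosts this host downloaded from
        self.internal_dests: Set[str] = set()
        self.external_days: Set[int] = set()


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def aggregate(flows: Iterable[Flow]) -> Dict[str, HostStats]:
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for f in flows:
        src, dst = stats[f.src], stats[f.dst]
        dst.inbound += f.octets
        dst.sources.add(f.src)
        if is_internal(f.dst):
            src.outbound_internal += f.octets
            src.internal_dests.add(f.dst)
        else:
            src.outbound_external += f.octets
            src.external_days.add(f.day)
    return stats


def detect(flows: Iterable[Flow], group: List[str], factor: int = 10, min_peers: int = 20,
           exfil_days: int = 3, exfil_bytes: int = 100 * MB) -> Dict[str, List[str]]:
    """Compare each host in a host group against the group's median behaviour."""
    stats = aggregate(flows)
    base_in = median(stats[h].inbound for h in group)
    base_out = median(stats[h].outbound_internal for h in group)
    alarms: Dict[str, List[str]] = {}
    for h in group:
        s, found = stats[h], []
        # Inbound volume far above peers, pulled from many hosts
        if s.inbound > factor * base_in and len(s.sources) >= min_peers:
            found.append("Suspect Data Hoarding")
        # Outbound volume far above peers, pushed to many internal hosts
        if s.outbound_internal > factor * base_out and len(s.internal_dests) >= min_peers:
            found.append("Target Data Hoarding")
        # Sustained transfers to external destinations, judged over days rather than one burst
        if len(s.external_days) >= exfil_days and s.outbound_external > exfil_bytes:
            found.append("Data Exfiltration")
        if found:
            alarms[h] = found
    return alarms


DESKTOPS = [f"10.10.101.{i}" for i in range(101, 111)] + [
    "10.10.101.118", "10.10.101.119", "10.10.101.120"]


def build_flows() -> List[Flow]:
    """Constructed five-day sample: ordinary desktop traffic plus three misbehaving hosts."""
    flows: List[Flow] = []
    for day in range(5):
        for host in DESKTOPS:                       # everyone: three file servers, a little web
            for srv in ("10.10.1.10", "10.10.1.11", "10.10.1.12"):
                flows.append(Flow(day, srv, host, 20 * MB))
                flows.append(Flow(day, host, srv, 1 * MB))
            flows.append(Flow(day, host, "198.51.100.5", 5 * MB))
    for day in range(2):                            # .118 pulls 100 MB from each of 40 hosts
        for n in range(1, 41):
            flows.append(Flow(day, f"10.10.20.{n}", "10.10.101.118", 100 * MB))
    for n in range(1, 31):                          # .119 pushes 200 MB to each of 30 hosts
        flows.append(Flow(3, "10.10.101.119", f"10.10.30.{n}", 200 * MB))
    for day in range(1, 5):                         # .120 leaks 60 MB a day to one external IP
        flows.append(Flow(day, "10.10.101.120", "203.0.113.10", 60 * MB))
    return flows


if __name__ == "__main__":
    for host, names in detect(build_flows(), DESKTOPS).items():
        print(host, ", ".join(names))
```

The exfiltration rule deliberately keys on the number of distinct days with external transfers, not on a single large flow: the slow, steady leak is what per-flow thresholds miss and what long-period NetFlow retention exposes.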


Handling the Indicators of Compromise (IoCs)

Identify suspected malware-infected hosts in the client host groups
• Visualize the malware infection spread with Worm Tracker
– Primary and secondary infections
– Subnets being scanned
• Apply context-aware telemetry from ISE to understand the affected users
• Investigate all the hosts touched by the originally infected host


Cyber Threat Defense Solution (CTD) Overview

Components shown in the original architecture diagram:
• NetFlow-enabled IOS devices export NetFlow to the StealthWatch FlowCollector*
• StealthWatch Management Console* (management and analysis front end)
• StealthWatch FlowReplicator replicates NetFlow and other protocols to other traffic analysis software
• Cisco ISE supplies the context-aware telemetry used to map flows to users and devices

* Virtual or Physical Edition


Example Attack Detection without Signatures

A high Concern Index (CI) indicates a significant number of suspicious events that deviate from established baselines.

Host Group   Host            CI            CI%     Alarms               Alerts
Desktops     10.10.101.118   338,137,280   8656%   High Concern Index   Ping, Ping_Scan, TCP_Scan

Simplified example (ICMP echo from the CEO PC):
1. ECHO -> CI = CI + 1
2. ECHO -> CI = CI + 2
3. ECHO -> CI = CI + 4
4. ECHO -> CI = CI + 8
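The doubling rule of the simplified example carried through in code, as an added Python example that is not StealthWatch code: each repeat of a suspicious event kind adds twice the previous increment, the per-host CI is expressed as a percentage of a baseline, and a CI% over the alarm line raises a High Concern Index alarm. Applying the doubling per (host, event kind), the baseline values, the 500% alarm line and the Ping / Ping_Scan / TCP_Scan alert rules are assumptions.

```python
"""Concern Index scoring with the doubling increment from the slide's simplified example.

Added example (not StealthWatch code). The doubling is applied per host and
event kind; the baselines, the alarm threshold and the Ping/Ping_Scan/TCP_Scan
alert rules are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    host: str
    kind: str        # "ICMP_ECHO" or "TCP_SYN"
    target: str


class ConcernIndex:
    def __init__(self, baselines: Dict[str, int], alarm_pct: float = 500.0,
                 scan_targets: int = 10):
        self.baselines = baselines                    # expected CI per host (assumption)
        self.alarm_pct = alarm_pct                    # CI% at which an alarm is raised
        self.scan_targets = scan_targets              # distinct targets that make a "scan"
        self.ci: Dict[str, int] = defaultdict(int)
        self._next: Dict[Tuple[str, str], int] = defaultdict(lambda: 1)
        self._targets: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def add(self, ev: Event) -> int:
        """Apply one event: the n-th repeat of a kind adds 2**(n-1), so CI grows as 2**n - 1."""
        key = (ev.host, ev.kind)
        self.ci[ev.host] += self._next[key]
        self._next[key] *= 2
        self._targets[key].add(ev.target)
        return self.ci[ev.host]

    def ci_percent(self, host: str) -> float:
        return 100.0 * self.ci[host] / self.baselines[host]

    def alerts(self, host: str) -> List[str]:
        """Name the behaviours behind the score, in the style of the slide's Alerts column."""
        found = []
        echo = self._targets[(host, "ICMP_ECHO")]
        if echo:
            found.append("Ping")
        if len(echo) >= self.scan_targets:
            found.append("Ping_Scan")
        if len(self._targets[(host, "TCP_SYN")]) >= self.scan_targets:
            found.append("TCP_Scan")
        return found

    def alarms(self, host: str) -> List[str]:
        return ["High Concern Index"] if self.ci_percent(host) >= self.alarm_pct else []


def slide_example() -> List[int]:
    """The four echoes from the slide: CI after each step is 1, 3, 7, 15."""
    ci = ConcernIndex({"ceo-pc": 100})
    return [ci.add(Event("ceo-pc", "ICMP_ECHO", f"10.10.1.{n}")) for n in range(1, 5)]


def sweep_example() -> Tuple[int, float, List[str], List[str]]:
    """Constructed sweep: 24 echoes then 24 SYNs to distinct hosts against a 100,000-point baseline."""
    host = "10.10.101.118"
    ci = ConcernIndex({host: 100_000})
    for n in range(1, 25):
        ci.add(Event(host, "ICMP_ECHO", f"10.10.20.{n}"))
    for n in range(1, 25):
        ci.add(Event(host, "TCP_SYN", f"10.10.20.{n}"))
    return ci.ci[host], ci.ci_percent(host), ci.alarms(host), ci.alerts(host)


def quiet_example() -> Tuple[int, List[str]]:
    """A host that pings its gateway three times stays far below the alarm line."""
    ci = ConcernIndex({"10.10.101.50": 100})
    for _ in range(3):
        ci.add(Event("10.10.101.50", "ICMP_ECHO", "10.10.101.1"))
    return ci.ci["10.10.101.50"], ci.alarms("10.10.101.50")


if __name__ == "__main__":
    print("slide example:", slide_example())
    print("sweep:", sweep_example())
    print("quiet host:", quiet_example())
```

Because the increment doubles, 24 echoes alone already push a host to a CI of over 16 million, which is the point of the scheme: a few stray pings cost almost nothing, while a sustained sweep explodes past any sensible baseline without a signature ever being matched.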


Operational Network & Security Intelligence (ONSI)

Network and Security Intelligence Dashboard (screenshot on the original slide)


Summary


Embracing the Holistic Threat Continuum

Phases of the continuum: Control, Enforce, Harden / Detect, Block, Defend / Scope, Contain, Remediate

Technologies placed across the continuum on the original slide: Infrastructure and Protocols; Network Firewall; Next-Generation Firewall (NGFW); Next-Generation IPS (NGIPS); Web Security; Content Filtering; Mobile Users; Remote Access VPN; Email Security; SSL Decryption and Inspection; Network Forensics; Advanced Malware Protection (AMP); Incident Response; Open Source Custom Tools; Context-Awareness; Attribution


"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

Bruce Schneier, security guru
