Security Properties and Features of the Intelligent WAN Architecture
TECH-WAN: Building a Secure Intelligent WAN
Gaweł Mikołajczyk [email protected] Security Technical Solutions Architect CCIE #24987, CISSP-ISSAP, CISA, C|EH, SFCE
Cisco and/or its affiliates. All rights reserved. Cisco Connect 2015 – Secure WAN Cisco Public
Embracing the Holistic Threat Continuum
[Figure: the threat continuum (Control, Enforce, Harden; Detect, Block, Defend; Scope, Contain, Remediate) mapped to technologies: Infrastructure and Protocols, Network Firewall, Next-Generation Firewall (NGFW), Next-Generation IPS (NGIPS), Web Security, Content Filtering, Mobile Users, Remote Access VPN, Email Security, SSL Decryption and Inspection, Network Forensics, Advanced Malware Protection (AMP), Incident Response, Open Source, Custom Tools, Context-Awareness, Attribution]
Threat-Centric Security Approach
The problem is the THREATS.
What high value assets am I trying to protect?
– Intellectual property, customer and employee data
– Network and compute infrastructure
What are the possible threats?
– Internal and External, Structured and Unstructured
How do I detect and mitigate the threats?
– This is what this session is about at the Internet Edge
What is my incident response approach?
– Will I just sit there or clean up my environment?
BRKSEC-2135 The Importance of Threat-Centric Security
About the Speaker
Gaweł Mikołajczyk, CCIE#24987, SFCE#123985, @gapheu, /gawelmikolajczyk
IOS Hardening
“Why Would Anyone Hack Into My Router?”
[Figure: a compromised router inside the enterprise network, reachable from the Internet, redirects FTP traffic between a client PC and an FTP server through a tunnel using policy-based routing: PBR1 from PC to Server, next hop tunnel; PBR2 from Server to PC, next hop tunnel. Source: BRKSEC-2345 Critical Infrastructure Protection (2013 London)]
Physical Security Principles and Procedures
Can detect takeover of device:
– MUST detect login of authorised admin
– MUST detect brute force SSH attacks
– MUST detect password recovery
– MUST detect device replacement (UDI)
– MUST check device integrity regularly: OS, configuration, file system
Cannot detect wiretap:
– MUST protect all control plane protocols (BGP, IGP, LDP)
– MUST protect all management plane protocols (SSH, SNMP)
– Only data plane attacks are then possible
After each reboot, link-down event, etc.:
– Device could have been replaced
– Password recovery could have been done
– Check system: Unique Device Identifier (UDI), OS, configuration, enable password
After unexpected login from admin:
– Change password for that admin
– Check system: OS, configuration, enable password
Regularly (ex: once in 24h):
– Check system: OS, configuration, enable password
[Figure: AAA server and syslog server feeding scripts that run these checks]
You could have missed an event.
Device Software Authenticity Challenges Today
[Figure: the Boot ROM boots the OS, which uses the configuration; the device is identified by its Unique Device Identifier (UDI)]
• Misconfiguration
• Lacking security
• Sabotage
• Protocol vulnerability
• OS vulnerability
• Rootkit
• Physical attacks
Device Software Authenticity Outlook for the Future
[Figure: the Boot ROM checks OS correctness, then boots; the OS with vendor signature verifies first, then uses the configuration with checksum; the Secure Unique Device Identifier (SUDI, 802.1AR) is physically secure]
• SUDI allows for globally unique, secure device identification
– Cannot replace device
• Boot process secured
– Cannot modify Boot ROM
– Cannot modify OS
• Secure OS coding practices
– CSDL Practices
– Reduces vulnerabilities
• Upgrade procedures
http://standards.ieee.org/findstds/standard/802.1AR-2009.html
Verifying Software Authenticity on Routers
Use the verify /md5 privileged EXEC command to verify the integrity of image files stored on the Cisco IOS file system; an expected MD5 hash can also be supplied to the verify command for comparison.
Router# verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3
.....<output truncated>.....Done!
e383bf779e137367839593efa8f0f725
Configure the file verify auto Cisco IOS feature so that images are verified automatically:
Router# configure terminal
Router(config)# file verify auto
The presence of the following commands should trigger further investigation. The asterisk symbol * indicates any text that follows the command itself.
gdb *, test *, tlcsh *, service internal, attach *, remote *, ipc-con *, if-con *, execute-on *, show region, show memory *, show platform *
IOS supports digitally signed images on some platforms. Verify the authenticity and integrity of the binary file by using the show software authenticity file command.
http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html
Router# show software authenticity file c1900-universalk9-mz.SPA.152-4.M2
File Name                     : c1900-universalk9-mz.SPA.152-4.M2
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : C1900
        Organization Name     : CiscoSystems
    Certificate Serial Number : 509AC949
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
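As an added illustration of the two checks on this slide (it is not part of the original deck and not a Cisco tool), the following Python script audits a command log for the command patterns listed above and compares an image's MD5 digest the way verify /md5 does. The log layout with " | " separators and the sample entries are constructed for the example; the only real identifiers are the command names from the slide. Matching a vendor-published MD5 checks the integrity of the copy on the file system; authenticity of the image is established by the signed-image check made with show software authenticity file.

```python
import hashlib
import re
from typing import List, Tuple

# Commands from the slide whose presence should trigger further investigation.
# A trailing "*" stands for any text following the command itself.
SUSPICIOUS_COMMANDS = [
    "gdb *", "test *", "tlcsh *", "service internal", "attach *", "remote *",
    "ipc-con *", "if-con *", "execute-on *", "show region", "show memory *",
    "show platform *",
]


def _to_regex(cmd: str) -> "re.Pattern[str]":
    """'gdb *' -> ^gdb(\\s.*)?$ ; exact commands are anchored on both sides."""
    if cmd.endswith(" *"):
        return re.compile(r"^" + re.escape(cmd[:-2]) + r"(\s.*)?$")
    return re.compile(r"^" + re.escape(cmd) + r"$")


PATTERNS = [(cmd, _to_regex(cmd)) for cmd in SUSPICIOUS_COMMANDS]


def extract_command(line: str) -> str:
    """Constructed log layout: fields separated by ' | ', command last.
    Plain configuration lines (no separator) are used as they are."""
    return line.rsplit(" | ", 1)[-1].strip()


def find_suspicious_commands(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, matched pattern, command) for every hit, in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        cmd = extract_command(line)
        for name, pat in PATTERNS:
            if pat.match(cmd):
                hits.append((n, name, cmd))
                break
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_image_md5(image: bytes, expected_hex: str) -> bool:
    """Same comparison as 'verify /md5 <file> <hash>': the digest of the
    bytes on the file system against the digest published for that image."""
    return md5_hex(image).lower() == expected_hex.strip().lower()


# Constructed sample: an archived command log in the layout extract_command expects
SAMPLE_COMMAND_LOG = [
    "Mar 14 09:10:01 | admin | vty0 | show ip route",
    "Mar 14 09:10:20 | admin | vty0 | service internal",
    "Mar 14 09:10:45 | admin | vty0 | show platform hardware",
    "Mar 14 09:11:02 | admin | vty0 | show version",
    "Mar 14 09:11:30 | admin | vty0 | attach 2",
]

if __name__ == "__main__":
    for n, pattern, cmd in find_suspicious_commands(SAMPLE_COMMAND_LOG):
        print(f"line {n}: '{cmd}' matches '{pattern}'")
    # md5("abc") is the standard RFC 1321 test vector
    print(verify_image_md5(b"abc", "900150983cd24fb0d6963f7d28e17f72"))
```

The pattern list is data, so a central log collector (the deck recommends centralized log collection on the next slide) can run the same scan over every router's archived command log and raise an alert on the first hit.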
IOS Hardening Best Practices
Cisco Guide to Harden Cisco IOS Devices
– Secure Operational Procedures: Monitor Security Advisories; Leverage AAA; Centralize Log Collection; Use Secure Protocols when possible
– Management Plane (SSH, SNMP, NetFlow): Disable unused Services; Password Security; Secure Management Sessions; Thresholding for Memory, CPU, Leaks; Management Plane Protection (MPP)
– Control Plane (ICMP, BGP, RSVP): Control Plane Policing (CoPP), Control Plane Protection (CPPr), HW Rate-Limiters
– Data Plane (production traffic): Antispoofing with uRPF, IPSG, Port Security, DAI, ACLs; Traffic Access Control
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
I understand my network. A Cisco Example.
Offices in 100+ countries
15 Billion Flows per day
125,000 endpoints (with laptops and phones)
150,000+ servers of all types
40,000 routers
1,500 labs
350 IPS Sensors / 1.5M Alerts per day
12 major Internet POPs
One CSIRT analyst for every 7,000 employees
HUGE COMPLEXITY.
„3D COMPLEXITY CUBE”
Secure WAN Transport
Step 1: Secure Transport
IPsec with DMVPN overlay: a secure, transport-independent overlay
Add strong cryptography: IKEv2 + AES-GCM 256
Step 2: Threat Defense
IOS Zone-Based Firewall or ACLs
Minimize exposure: DHCP addressing for Internet and tunnel interfaces
Don't put tunnel addresses into DNS
Step 3: Choose your performance level
Size the router based on encryption with services and WAN bandwidth
Head-end: ASR1000 or ISR4451X
Branch: ISR-G2
[Figure: branch ISR-G2 over DSL and cable via ISP A and ISP C to two ASR 1000 head-ends at the data center]
Securing the Intelligent WAN
Best Practice: VRF-Aware DMVPN
Keeping the Default Routes in Separate VRFs with Front Door VRF
Enable FVRF DMVPN on the Spokes
Allow the ISP learned Default Route in the VRF INET-PUBLIC and use for tunnel establishment
Global VRF contains Default Route learned via tunnel. User data traffic follows Tunnel to INSIDE interface on firewall
Allows for consistent implementation of corporate security policy for all users
[Figure: VPN-DMZ at the Internet Edge; the branch's VRF INET-PUBLIC carries the ISP default route used for tunnel establishment; EIGRP over the tunnel carries the default route into the global VRF; user data follows the tunnel to the firewall INSIDE interface, while the firewall OUTSIDE interface faces the Internet]
Securing IWAN Transports with Front-door VRF: isolation of external networks
Virtual Routing and Forwarding instances (VRFs) create multiple logical routers on a single device
– Separate control/forwarding planes per VRF
– No connectivity between VRFs by default
– Provider side VRF (yellow) for external networks, Global VRF (blue) for internal networks
Provider VRF minimizes threat exposure
– Default routing only in Provider VRF
– Provider assigned IP addressing hides internal network
– Provider IP address used as IPsec tunnel source
– Only IPsec allowed between internal Global and Provider Front Side VRFs
[Figure: Branch LAN 10.1.1.0/24, 10.1.2.0/24, … in the Global Enterprise VRF; Front Side Provider VRF (F-VRF) with provider-assigned WAN IP address 192.168.254.254 as the IPsec tunnel interface source; the VRFs have independent routing and forwarding planes; IOS ZBFW or ACL permits only authorized traffic, i.e. IPsec]
[Figure: branch over DSL and cable via ISP A and ISP C to two ASR 1000 routers at the data center]
Protecting the Public facing IWAN Interfaces
Use ACLs, ZBFW or ASA to block all traffic except the DMVPN tunnel traffic to routers
Zone Based Firewall (ZBFW) at the branch if there are plans for direct Internet access
Typical ACL for protecting the Internet interface
interface GigabitEthernet0/0
bandwidth 10000
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip access-group ACL-INET-PUBLIC in
duplex auto
!
ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
!
Secure Direct Internet Access (DIA)
Central versus Direct Internet Access
Central Internet Access
Internet link remains unused during normal operations
Sub-optimal access to cloud based resources
All traffic traverses the WAN
Direct Internet Access
Internet link is used during normal operations
Optimal access to cloud based resources
Only Internal traffic traverses the WAN
Central versus Direct Internet Access: routing table view
Central Internet (default route learned over the DMVPN tunnel):
RS230-1941#sh ip route
Gateway of last resort is 10.10.34.1 to network 0.0.0.0
D*EX 0.0.0.0/0 [170/2561280] via 10.4.34.1, 1w1d, Tunnel10
10.0.0.0/8 is variably subnetted, 110 subnets, 10 masks
D EX 10.10.0.0/16 [170/2560512] via 10.10.34.1, 1w1d, Tunnel10
D EX 10.10.0.0/20 [170/2561024] via 10.10.34.1, 1w1d, Tunnel10
Direct (local) Internet (static default route towards the ISP):
RS250-1941#sh ip route
Gateway of last resort is 172.18.100.129 to network 0.0.0.0
S* 0.0.0.0/0 [15/0] via 172.18.100.129
10.0.0.0/8 is variably subnetted, 107 subnets, 11 masks
D EX 10.10.0.0/16 [170/26880512] via 10.10.34.1, 1w1d, Tunnel10
D EX 10.10.0.0/20 [170/26881024] via 10.10.34.1, 1w1d, Tunnel10
WAN Remote-site Designs with Direct Internet
[Figure: non-redundant Internet WAN; MPLS + Internet WAN; redundant links (Internet + Internet, MPLS VPN + Internet); redundant links and routers]
ISR-G2 with Cloud Web Security Connector
Connector is integrated into Cisco ISR G2 Router Platforms
– VRF-aware CWS Connector with IOS release 15.4(1)T
Redirection of web traffic happens transparently on the remote-site router
Tower redundancy
Single point of policy management and monitoring
[Figure: secure remote site with G0/0 towards the Internet]
High-level Data Flow with Cloud Web Security
HTTP and HTTPS client requests are redirected to a CWS proxy (tower) in the cloud.
Requests are checked against configured policies and filtered.
Clean requests are directed back to the client.
[Figure: a user's web requests leave the remote site for the CWS tower on the Internet; allowed traffic returns to the user, filtered traffic does not]
Cloud Web Security Centralized Management
[Screenshot: Cisco ScanCenter Portal]
Cloud Web Security: Cisco ScanCenter Portal – Create Group
parameter-map type content-scan global
server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
license 0 893EECEED111C32D2A205A8204079043
source interface GigabitEthernet0/0
user-group CWS-REMOTE-SITES <- must match the group created in ScanCenter
server scansafe on-failure block-all
Cloud Web Security: Cisco ScanCenter Portal – Generate Group Key
The group key generated in the portal goes into the license line of the same parameter-map (license 0 893EECEED111C32D2A205A8204079043 in the example above); the two must match.
Cloud Web Security: Cisco ScanCenter Portal – Create Filter
Cloud Web Security: Cisco ScanCenter Portal – Create Policies
[Figure: branch over DSL and cable via ISP A and ISP C to two ASR 1000 routers at the data center]
CWS Tower Communication: modify the ACL for CWS communication
interface GigabitEthernet0/0
bandwidth 10000
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip access-group ACL-INET-PUBLIC in
duplex auto
!
ip access-list extended ACL-INET-PUBLIC
remark Allow-DMVPN
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
remark Allow-DHCP
permit udp any any eq bootpc
remark Allow-ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
remark allow-CWS
permit tcp any eq 8080 any
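To make the effect of this ACL concrete, here is a small Python evaluator, added for this page and not part of the deck or of IOS: it parses the ACL above (quoted verbatim) and classifies constructed sample packets the way the router would, first match wins with an implicit deny at the end. The keyword tables cover only the names the ACL uses, plus host and wildcard address forms so the parser is not limited to "any"; the addresses 203.0.113.10 and 192.0.2.1 are documentation addresses used as constructed input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cisco port and ICMP keywords used in the slide's ACL (subset; extend as needed)
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootpc": 68, "bootps": 67,
              "domain": 53, "www": 80}
ICMP_TYPES = {"echo": (8, None), "echo-reply": (0, None),
              "ttl-exceeded": (11, None), "port-unreachable": (3, 3)}

# The ACL from the slide, quoted verbatim (the variant with the CWS entry)
ACL_INET_PUBLIC = """
ip access-list extended ACL-INET-PUBLIC
 remark Allow-DMVPN
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 remark Allow-DHCP
 permit udp any any eq bootpc
 remark Allow-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
 remark allow-CWS
 permit tcp any eq 8080 any
"""


@dataclass
class Packet:
    proto: str                  # "udp", "tcp", "icmp", "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp: Tuple[Optional[int], Optional[int]] = (None, None)   # (type, code)
    ttl: int = 64


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int]]     # ("eq", 500), ("gt", 1023), ...
    dport: Optional[Tuple[str, int]]
    icmp: Optional[Tuple[int, Optional[int]]]
    ttl: Optional[int]
    text: str


def _addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wildcard = tok.pop(0)
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))  # invert wildcard
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)


def _port(tok: List[str]) -> Optional[Tuple[str, int]]:
    """Consume an optional port operator (eq/gt/lt NAME|NUMBER)."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        op, v = tok.pop(0), tok.pop(0)
        return (op, PORT_NAMES[v] if v in PORT_NAMES else int(v))
    return None


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("ip", "remark", "!"):
            continue                      # header, remarks and blank lines carry no policy
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        icmp = ICMP_TYPES[rest.pop(0)] if proto == "icmp" and rest and rest[0] in ICMP_TYPES else None
        ttl = int(rest[2]) if rest[:2] == ["ttl", "eq"] else None
        aces.append(Ace(action, proto, src, dst, sport, dport, icmp, ttl, line.strip()))
    return aces


def _port_ok(spec: Optional[Tuple[str, int]], value: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"eq": value == n, "gt": value > n, "lt": value < n}[op]


def _matches(ace: Ace, p: Packet) -> bool:
    if ace.proto not in ("ip", p.proto):
        return False
    if ipaddress.ip_address(p.src) not in ace.src or ipaddress.ip_address(p.dst) not in ace.dst:
        return False
    if not _port_ok(ace.sport, p.sport) or not _port_ok(ace.dport, p.dport):
        return False
    if ace.icmp is not None:
        t, c = ace.icmp
        if p.icmp[0] != t or (c is not None and p.icmp[1] != c):
            return False
    if ace.ttl is not None and p.ttl != ace.ttl:
        return False
    return True


def evaluate(aces: List[Ace], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(ace, p):
            return ace.action, ace.text
    return "deny", "implicit deny at end of ACL"


if __name__ == "__main__":
    acl = parse_acl(ACL_INET_PUBLIC)
    for pkt in (Packet("udp", "203.0.113.10", "192.0.2.1", 4500, 4500),
                Packet("tcp", "203.0.113.10", "192.0.2.1", 40000, 22),
                Packet("tcp", "203.0.113.10", "192.0.2.1", 8080, 22)):
        print(pkt.proto, pkt.sport, "->", pkt.dport, evaluate(acl, pkt))
```

Running it shows what the Internet side can deliver to the router: IKE on 500/4500, ESP, DHCP to the client port, the four listed ICMP types and traceroute probes (UDP above 1023 with TTL 1). It also shows that the allow-CWS entry keys on the source port alone, so a TCP segment from source port 8080 is accepted whatever its destination port; the stateful zone-based firewall described later on this page, which admits return traffic because of an outbound session rather than a port number, is the tighter way to handle that return path.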
Cloud Web Security Configuration
Basic CWS Configuration for Direct Internet Access
interface Tunnel10
description DMVPN
content-scan out
parameter-map type content-scan global
server scansafe primary ipv4 72.37.248.27 port http 8080 https 8080
server scansafe secondary ipv4 69.174.58.187 port http 8080 https 8080
license 7 04095B242A071A6A513B5133422D2F550B7901706310744652332152040F010502
source interface GigabitEthernet0/0
user-group CWS-REMOTE-SITES
server scansafe on-failure block-all
[Figure: secure remote site; G0/0 towards the Internet and the CWS towers]
Cloud Web Security Traffic Whitelists
CWS Whitelisting for Internal web services - ACL
ip access-list extended CWS-EXCLUDE
permit ip any 10.0.0.0 0.255.255.255
content-scan whitelisting
whitelist acl name CWS-EXCLUDE
[Figure: secure remote site; web traffic to internal web services on ports 80/443 bypasses the CWS towers]
Cloud Web Security
Cisco ScanCenter Portal – Verify CWS on Clients
Cloud Web Security
Cisco ScanCenter Portal – Verify CWS Operation from host
Full Services Secure Direct Internet Access
Secure Direct Internet Access
IOS Zone Based Firewall
[Figure: secure remote site with the IOS Zone Firewall between security zone INSIDE (DMVPN to the central site) and security zone OUTSIDE (Internet)]
• Stateful IOS Zone Based Firewall replaces static ACL configured on outside Interfaces.
• Zone Firewall provides stateful inspection for inside to outside user traffic flows.
– Only traffic originating from the INSIDE zone is allowed into the internal remote-site networks.
• Firewall policy allows the router to accept DMVPN, DHCP and ICMP traffic destined to the router itself.
• Firewall policy allows the router to originate DMVPN, DHCP and ICMP traffic from the router itself.
Remote Site Security: IOS Zone Firewall configuration – inside to outside traffic
[Figure: IOS Zone Firewall between security zone INSIDE (DMVPN to the central site) and security zone OUTSIDE (Internet)]
zone security INSIDE
zone security OUTSIDE
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
match protocol ftp
match protocol tcp
match protocol udp
match protocol icmp
zone-pair security IN_OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
IOS Zone Firewall
Zone-pair and Zone members
interface GigabitEthernet0/0
description Internet Connection
zone-member security OUTSIDE
interface GigabitEthernet0/2.64
description Wired Data
zone-member security INSIDE
interface Tunnel10
description DMVPN-1 tunnel interface
zone-member security INSIDE
zone-pair security FROM-ROUTER source self destination OUTSIDE
service-policy type inspect ACL-OUT-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
service-policy type inspect ACL-IN-POLICY
[Figure: Gig0/0 in zone OUTSIDE; G0/2.64 and Tunnel 10 in zone INSIDE]
Direct Internet Access with NAT/PAT: basic NAT/PAT configuration
[Figure: secure remote site; IP NAT inside on the LAN interface, IP NAT outside towards the Internet; DMVPN to the central site]
ip access-list standard NAT
permit 10.10.31.0 0.0.0.255
ip nat inside source list NAT interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/2.64
ip nat inside
Full Services Direct Internet Access Routing with F-VRF
Direct Internet Access Routing with F-VRF
With Front Door VRF the Internet interface is placed into a VRF isolating the ISP default route from the global table.
For traffic to get to the Internet we need a method to route outbound traffic from the global table to the Internet facing VRF.
For return traffic we need a method to route inbound traffic from the outside VRF to the global table.
Full Services Internet Access with Front Door VRF
[Figure: G0/0 in VRF INET-PUBLIC1 with the DHCP-derived default route 0.0.0.0 0.0.0.0 from the ISP, default distance 254; the global table alongside]
Single Router DMVPN WAN with Local Internet: full services Internet with front door VRF
[Figure: L2 switch behind the router; FVRF INET-PUBLIC1 on G0/0 (DHCP) towards the public cloud/Internet; local Internet access via 0.0.0.0 0.0.0.0; IOS NAT/FW; global table]
Single Router DMVPN with Local Internet
Routing Details – Routing traffic outbound to the Internet
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10
interface GigabitEthernet0/0
ip vrf forwarding INET-PUBLIC1
ip address dhcp
[Figure: VRF INET-PUBLIC1 holds the DHCP-derived default route 0.0.0.0 0.0.0.0 with default distance 254; the global table holds the static default route 0.0.0.0 0.0.0.0 with distance 10 pointing from Global to INET-PUBLIC1 (via G0/0); DMVPN alongside]
Single Router DMVPN with Local Internet
Routing Details – View Routing tables for outbound traffic
RS231-2911#sh ip route <-GLOBAL TABLE
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S* 0.0.0.0/0 [10/0] via 172.18.101.121, GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 112 subnets, 10 masks
D EX 10.10.0.0/16 [170/1536512] via 10.10.34.1, 02:32:14, Tunnel10
D EX 10.10.0.0/20 [170/1537024] via 10.10.34.1, 02:32:14, Tunnel10
RS231-2911#sh ip route vrf INET-PUBLIC1
Routing Table: INET-PUBLIC1
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 172.18.101.121
172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.18.101.120/29 is directly connected, GigabitEthernet0/0
S 172.18.101.121/32 [254/0] via 172.18.101.121, GigabitEthernet0/0
[Figure: G0/0 in VRF INET-PUBLIC1 towards the Internet; global table with DMVPN and LAN 10.10.31.0/24]
Single Router DMVPN with Local Internet
Routing Details – Routing for return traffic inbound from the Internet
route-map INET-INTERNAL permit 10
match ip address INTERNAL-NETS
set global
!
ip access-list extended INTERNAL-NETS
permit ip any 10.0.0.0 0.255.255.255
interface GigabitEthernet0/0
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip policy route-map INET-INTERNAL
[Figure: policy route for 10.0.0.0/8 traffic arriving on G0/0 in VRF INET-PUBLIC1 sets the next-hop VRF to the global table (from INET-PUBLIC1 to Global); LAN 10.10.31.0/24; DMVPN]
Single Router MPLS Primary DMVPN Backup with Local Internet: full services Internet with front door VRF
[Figure: MPLS WAN plus a DHCP Internet link to the public cloud/Internet with local Internet access 0.0.0.0 0.0.0.0 and IOS NAT/FW]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – outbound traffic
interface GigabitEthernet0/1
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 10
[Figure: DMVPN over Internet and DMVPN over MPLS VPN; primary Internet path: static default route 0.0.0.0 0.0.0.0 with distance 10 from Global to INET-PUBLIC1 (via G0/0), whose DHCP-derived default route has distance 254; secondary Internet path: EIGRP-derived central-site default route 0.0.0.0 0.0.0.0 with admin distance 170 in the global table; LAN 10.10.31.0/24]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – return traffic
interface GigabitEthernet0/1
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip policy route-map INET-INTERNAL
route-map INET-INTERNAL permit 10
match ip address INTERNAL-NETS
set global
!
ip access-list extended INTERNAL-NETS
permit ip any 10.0.0.0 0.255.255.255
[Figure: DMVPN over Internet (G0/0, G0/1) and DMVPN over MPLS VPN; the policy route for 10.0.0.0/8 traffic sets the next-hop VRF to the global table (from INET-PUBLIC1 to Global); LAN 10.10.31.0/24]
Single Router Dual DMVPN WAN with Local Internet: full services Internet with front door VRF
[Figure: two public cloud/Internet links; local Internet access primary and secondary, each 0.0.0.0 0.0.0.0 with IOS NAT/FW; DMVPN over Internet]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – egress traffic
interface GigabitEthernet0/0
ip vrf forwarding INET-PUBLIC1
ip address dhcp
interface GigabitEthernet0/1
ip vrf forwarding INET-PUBLIC2
ip address dhcp
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 dhcp 15
[Figure: two DMVPN-over-Internet tunnels; primary Internet path from Global to INET-PUBLIC1 (via G0/0), default route 0.0.0.0 0.0.0.0 with admin distance 10; secondary Internet path from Global to INET-PUBLIC2 (via G0/1), default route with admin distance 15; LAN 10.10.31.0/24 in the global table]
Single Router Dual DMVPN WAN with Local Internet
Full services Internet with front door VRF – return traffic
interface GigabitEthernet0/0
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip policy route-map INET-INTERNAL
interface GigabitEthernet0/1
ip vrf forwarding INET-PUBLIC2
ip address dhcp
ip policy route-map INET-INTERNAL
route-map INET-INTERNAL permit 10
match ip address INTERNAL-NETS
set global
!
ip access-list extended INTERNAL-NETS
permit ip any 10.0.0.0 0.255.255.255
[Figure: on both G0/0 and G0/1 the policy route for 10.0.0.0/8 traffic sets the next-hop VRF to the global table (from INET-PUBLIC1 to Global); LAN 10.10.31.0/24 in the global table]
Additional DIA Routing Considerations
Black Hole Route Detection with IP SLA
Lost connection to the ISP, but the DHCP route stays in the routing table.
IP SLA probes:
ip sla 110
icmp-echo x.x.x.x source-interface GigabitEthernet0/0
vrf INET-PUBLIC1
threshold 1000
frequency 15
ip sla schedule 110 life forever start-time now
ip sla 111
icmp-echo y.y.y.y source-interface GigabitEthernet0/0
vrf INET-PUBLIC1
threshold 1000
frequency 15
ip sla schedule 111 life forever start-time now
track 60 ip sla 110 reachability
track 61 ip sla 111 reachability
track 62 list boolean or
object 60
object 61
Note: This method is compatible with the dual Internet DHCP design.
EEM applet that removes the static default route when track 62 goes down (boolean or: only when both probes fail):
event manager applet DISABLE-STATIC-GIG0-0
event track 62 state down
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10"
action 4 cli command "end"
action 99 syslog msg "DEFAULT IP ROUTE via GIG0/0 DISABLED"
Preventing internal traffic from leaking to the Internet
Internal traffic null route takes effect during link failure:
ip route 10.0.0.0 255.0.0.0 Null0 254
[Figure: MPLS VPN primary WAN to the central site carries 10.4.48.10 via 10.5.244.25 (BGP or EIGRP); the Internet link carries the default route 0.0.0.0 0.0.0.0; when the primary WAN fails, 10.0.0.0/8 goes to Null0 instead of following the default route; LAN 10.5.244.0/24]
RS250-1941#sh ip route
Gateway of last resort is 172.18.100.129 to network 0.0.0.0
S* 0.0.0.0/0 [10/0] via 172.18.100.129
10.0.0.0/8 is variably subnetted, 107 subnets, 11 masks
S 10.0.0.0/8 is directly connected, Null0
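The interplay of administrative distances, the Null0 route and the tracker-driven route removal on this and the preceding slides is easy to get wrong, so here is an added Python model of the branch router's global table; it is not from the deck and not IOS code. Routes are taken from the slides' configuration and show ip route output; the 10.5.244.0/24 route via Tunnel10 and the ISP next-hop label are constructed. The lookup does longest-prefix match and then prefers the lowest administrative distance, which is all that is needed to reproduce three situations: normal operation, tunnel (WAN) failure with and without the null route, and the EEM applet withdrawing the static default when both IP SLA probes fail.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ISP_VIA = "GigabitEthernet0/0 (ISP, dhcp)"   # constructed label for the Gi0/0 default


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.0.0.0/8"
    distance: int    # administrative distance: lower is preferred
    via: str         # next hop / exit interface
    source: str      # S = static, D EX = EIGRP external, as in 'show ip route'


class Rib:
    """Tiny routing table: longest prefix match first, then lowest AD."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add(self, prefix: str, distance: int, via: str, source: str = "S") -> None:
        self.routes.append(Route(prefix, distance, via, source))

    def remove_via(self, via: str, prefix: Optional[str] = None) -> None:
        self.routes = [r for r in self.routes
                       if not (r.via == via and (prefix is None or r.prefix == prefix))]

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


def next_hop(rib: Rib, dst: str) -> str:
    r = rib.lookup(dst)
    return r.via if r else "unroutable"


def build_global_table(null_route: bool = True) -> Rib:
    """Global table of the branch router as the slides describe it."""
    g = Rib("global")
    g.add("0.0.0.0/0", 10, ISP_VIA)                     # ip route 0.0.0.0 0.0.0.0 Gi0/0 dhcp 10
    g.add("0.0.0.0/0", 170, "Tunnel10", "D EX")         # central-site default learned via EIGRP
    g.add("10.10.0.0/16", 170, "Tunnel10", "D EX")      # as in the 'sh ip route' on the slides
    g.add("10.5.244.0/24", 170, "Tunnel10", "D EX")     # constructed: remote subnet over the WAN
    if null_route:
        g.add("10.0.0.0/8", 254, "Null0")               # ip route 10.0.0.0 255.0.0.0 Null0 254
    return g


def wan_failure(rib: Rib) -> None:
    """All routes learned over the tunnel are withdrawn when the WAN goes down."""
    rib.remove_via("Tunnel10")


def track_62(probe_up: Dict[int, bool]) -> bool:
    """track 62 list boolean or: up while at least one of tracks 60/61 is up."""
    return any(probe_up.values())


def eem_disable_static(rib: Rib, probe_up: Dict[int, bool]) -> bool:
    """Model of applet DISABLE-STATIC-GIG0-0: on 'track 62 state down' it runs
    'no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 10'. Returns True if it fired."""
    if track_62(probe_up):
        return False
    rib.remove_via(ISP_VIA, "0.0.0.0/0")
    return True


if __name__ == "__main__":
    g = build_global_table()
    print("normal:      10.5.244.25 ->", next_hop(g, "10.5.244.25"))
    wan_failure(g)
    print("WAN down:    10.5.244.25 ->", next_hop(g, "10.5.244.25"))
    g = build_global_table(null_route=False)
    wan_failure(g)
    print("no Null0:    10.5.244.25 ->", next_hop(g, "10.5.244.25"))
    g = build_global_table()
    eem_disable_static(g, {110: False, 111: False})
    print("ISP black hole: 8.8.8.8 ->", next_hop(g, "8.8.8.8"))
```

Without the 10.0.0.0/8 Null0 entry, a tunnel failure lets internal traffic follow the distance 10 default towards the ISP; with it, the /8 is the longest match and the traffic is dropped on the router. In the black hole scenario, track 62 is a boolean-or list, so the applet fires only when both probes are down, and the next best default is then the distance 170 EIGRP route over Tunnel10.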
Direct Internet Access Use Cases
Guest Access with Local Internet
Guest Internet Access with VRF
[Figure: router with G0/0 in VRF INET-PUBLIC1 (DHCP) towards the Internet and the global table alongside; trunk to the trusted wired VLAN (64), the guest VLAN (80), the trusted WLAN and the guest wired VLAN]
Guest Access with Local Internet
Place Guest VLAN in the outside VRF
interface GigabitEthernet0/2.80
description GUEST-NET
ip vrf forwarding INET-PUBLIC1
encapsulation dot1Q 80
ip address 192.168.19.1 255.255.255.0
interface GigabitEthernet0/0
description ISP
ip vrf forwarding INET-PUBLIC1
ip address dhcp
interface GigabitEthernet0/2.64
description INTERNAL-DATA
ip address 10.10.31.1 255.255.255.0
[Figure: G0/0 and the GUEST-NET VLAN on G0/2.80 share VRF INET-PUBLIC1 with the DHCP-derived default route 0.0.0.0 0.0.0.0; the INTERNAL-DATA VLAN on G0/2.64 stays in the global table]
Guest Access with Local Internet
Routing table view
RS231-2911#sh ip route vrf INET-PUBLIC1
Routing Table: INET-PUBLIC1
Gateway of last resort is 172.18.101.121 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 172.18.101.121
172.18.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.18.101.120/29 is directly connected, GigabitEthernet0/0
S 172.18.101.121/32 [254/0] via 172.18.101.121, GigabitEthernet0/0
L 172.18.101.122/32 is directly connected, GigabitEthernet0/0
192.168.19.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.19.0/24 is directly connected, GigabitEthernet0/2.80
L 192.168.19.1/32 is directly connected, GigabitEthernet0/2.80
[Figure: G0/0 towards the Internet and the guest VLAN G0/2.80, both in VRF INET-PUBLIC1]
Guest Access with Local Internet
Guest IOS VRF-aware DHCP Configuration with public DNS
interface GigabitEthernet0/2.80
description GUEST-NET
ip vrf forwarding INET-PUBLIC1
ip address 192.168.19.1 255.255.255.0
ip dhcp excluded-address vrf INET-PUBLIC1 192.168.19.1 192.168.19.19
!
ip dhcp pool GUEST-DHCP
vrf INET-PUBLIC1
network 192.168.19.0 255.255.255.0
default-router 192.168.19.1
domain-name cisco.guest
dns-server 8.8.8.8 <-Google Public DNS
[Figure: the guest user on G0/2.80 sends a DHCP request to the router; DNS goes to the Internet]
Guest Access with Local Internet
Guest VRF aware NAT Configuration
interface GigabitEthernet0/2.80
description GUEST-NET
ip vrf forwarding INET-PUBLIC1
ip address 192.168.19.1 255.255.255.0
ip nat inside
interface GigabitEthernet0/0
description ISP
ip vrf forwarding INET-PUBLIC1
ip address dhcp
ip nat outside
ip nat inside source list NAT interface GigabitEthernet0/0 vrf INET-PUBLIC1 overload
ip access-list extended NAT
permit ip 10.10.31.0 0.0.0.255 any
permit ip 192.168.19.0 0.0.0.255 any
[Figure: IP NAT inside on the guest VLAN G0/2.80, IP NAT outside on G0/0 towards the Internet; DMVPN to the central site]
Guest Access with Local Internet
IOS Zone Firewall configuration – guest to outside traffic
[Figure: security zone GUEST, the IOS Zone Firewall, and security zone OUTSIDE towards the Internet; DMVPN to the central site]
zone security GUEST
class-map type inspect match-any GUEST-TO-OUTSIDE-CLASS
match protocol dns
match protocol http
match protocol https
match protocol ftp
match access-group name GUEST-OUT
zone-pair security GUEST source GUEST destination OUTSIDE
service-policy type inspect GUEST-TO-OUTSIDE-POLICY
policy-map type inspect GUEST-TO-OUTSIDE-POLICY
class type inspect GUEST-TO-OUTSIDE-CLASS
inspect
class class-default
drop
ip access-list extended GUEST-OUT
deny ip any any
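As an added example (not part of the deck, and not how IOS implements it), the following Python model reproduces what the GUEST-to-OUTSIDE zone-pair above and the INSIDE-to-OUTSIDE zone-pair earlier on the page do to traffic: a session is created only by traffic that enters through a zone-pair and matches its inspect class, return traffic is admitted because of that session, and everything else is dropped, including directions for which no zone-pair exists. Flows carry an application label standing in for what match protocol would classify; the addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    l4: str        # "tcp", "udp", "icmp"
    app: str       # "http", "https", "dns", "ftp", "ssh", ... (what 'match protocol' sees)
    sport: int
    dport: int


class ZoneFirewall:
    """Zone-pair policy with stateful inspection, modelled on IOS ZBFW."""

    def __init__(self) -> None:
        self.pairs: Dict[Tuple[str, str], FrozenSet[str]] = {}
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def zone_pair(self, src_zone: str, dst_zone: str, inspected: Tuple[str, ...]) -> None:
        """class-map match-any <inspected> -> inspect; class class-default -> drop."""
        self.pairs[(src_zone, dst_zone)] = frozenset(inspected)

    def process(self, f: Flow) -> str:
        # 1. return traffic of a session that was inspected in the forward direction
        if (f.l4, f.dst, f.dport, f.src, f.sport) in self.sessions:
            return "pass (return traffic of inspected session)"
        # 2. traffic between interfaces of the same zone is not subject to policy
        if f.src_zone == f.dst_zone:
            return "pass (intra-zone)"
        # 3. no zone-pair for this direction: the default between zones is drop
        policy = self.pairs.get((f.src_zone, f.dst_zone))
        if policy is None:
            return "drop (no zone-pair)"
        # 4. the inspect class: transport or application name listed -> inspect
        if f.l4 in policy or f.app in policy:
            self.sessions.add((f.l4, f.src, f.sport, f.dst, f.dport))
            return "inspect (session created)"
        return "drop (class-default)"


def build_remote_site_firewall() -> ZoneFirewall:
    """Zone-pairs as configured on the slides."""
    fw = ZoneFirewall()
    # zone-pair IN_OUT: class INSIDE-TO-OUTSIDE-CLASS matches ftp, tcp, udp, icmp
    fw.zone_pair("INSIDE", "OUTSIDE", ("ftp", "tcp", "udp", "icmp"))
    # zone-pair GUEST: class GUEST-TO-OUTSIDE-CLASS matches dns, http, https, ftp
    fw.zone_pair("GUEST", "OUTSIDE", ("dns", "http", "https", "ftp"))
    return fw


if __name__ == "__main__":
    fw = build_remote_site_firewall()
    for flow in (Flow("INSIDE", "OUTSIDE", "10.10.31.20", "198.51.100.5", "tcp", "http", 51000, 80),
                 Flow("OUTSIDE", "INSIDE", "198.51.100.5", "10.10.31.20", "tcp", "http", 80, 51000),
                 Flow("OUTSIDE", "INSIDE", "198.51.100.5", "10.10.31.20", "tcp", "ssh", 40000, 22),
                 Flow("GUEST", "OUTSIDE", "192.168.19.50", "198.51.100.5", "tcp", "ssh", 51002, 22),
                 Flow("GUEST", "INSIDE", "192.168.19.50", "10.10.31.20", "tcp", "http", 51003, 80)):
        print(f"{flow.src_zone}->{flow.dst_zone} {flow.app}: {fw.process(flow)}")
```

The GUEST-to-INSIDE case shows the isolation the guest design relies on: with no zone-pair in that direction the result is drop, independent of the VRF separation that already keeps the guest VLAN out of the global table.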
Guest Access with Local Internet
Guest Firewall Zone configuration
interface GigabitEthernet0/2.80
description GUEST-NET
ip vrf forwarding INET-PUBLIC1
ip address 192.168.19.1 255.255.255.0
zone-member security GUEST
interface GigabitEthernet0/0
description ISP
ip vrf forwarding INET-PUBLIC1
ip address dhcp
zone-member security OUTSIDE
interface GigabitEthernet0/2.64
description INTERNAL-DATA
ip address 10.5.204.1 255.255.255.0
zone-member security INSIDE
[Figure: G0/0 and the guest VLAN G0/2.80 in VRF INET-PUBLIC1 with the DHCP-derived default route 0.0.0.0 0.0.0.0]
Guest Access with Local Internet
Guest VLAN with an interface user-group mapped to CWS policies
interface GigabitEthernet0/2.80
description GUEST-NET
ip vrf forwarding INET-PUBLIC1
user-group default GUEST-GRP
ip address 192.168.19.1 255.255.255.0
interface GigabitEthernet0/0
description ISP
ip vrf forwarding INET-PUBLIC1
ip address dhcp
content-scan out
[Figure: G0/0 and the guest VLAN G0/2.80 in VRF INET-PUBLIC1 with the DHCP-derived default route 0.0.0.0 0.0.0.0]
CWS Guest Access

CWS Guest Policy, configured in the CWS portal (screenshots in the original deck):
– Create a Guest Directory Group
– Create Guest Filters
– Create Guest Policy Rules
– Result: the Guest group is not able to browse Gambling sites

Verification: browsing to whoami.scansafe.net from an internal user and from a guest user shows which identity and group CWS has attached to each connection, confirming that the guest VLAN lands in the guest policy.
TrustSec in the WAN

TrustSec is consistent, location-independent policy

[Diagram: the same Employee (SGT 55) arriving over the wired environment (switches), the Wi-Fi environment (WLC) or remote access (ASA SSL-VPN over the Internet) receives one policy toward Application X (SGT 100), Virtual Machines (SGT 200) and LoB (Eng) (SGT 300). Target: CY14 1H.]

Regardless of topology or location, TrustSec provides consistent resource access policy.

TrustSec Classification, Propagation, Enforcement
Users and systems are classified into Security Groups based on context. Traffic is then tagged with the Security Group ID.
Tags can be applied to traffic from specific users, servers, networks or network connections.
Provides virtual network segmentation, flexible access control and FW rule automation.
A good strategic fit with Cisco SDN.

[Diagram: ISE with the directory is the policy admin point. Classification happens at the campus switch, where a user or device is assigned SGT 5; propagation carries the data tagged SGT 5 across the routers; enforcement happens at the DC switch in front of the HR and Fin servers (SGT 4 and SGT 10).]
TrustSec Integration – IP/SGT Mapping – 802.1X

[Diagram: ISR-EDGE2 with a LAN switching HWIC (EHWIC-SW) and the Identity Services Engine (ISE).]

1. 802.1X (Dot1X) process used to obtain user credentials on the embedded switch
2. RADIUS authentication takes place
3. ISE sends the Security Group Tag (SGT) as a RADIUS authorization attribute

The SGT/IP mapping is available on the ISR device regardless of whether the user authentication was performed using Dot1X or Auth-Proxy.
TrustSec Integration – IP/SGT Mapping – Auth-Proxy

[Diagram: ISR-EDGE2, Identity Services Engine (ISE) and a client at 192.168.12.12.]

1. Auth-Proxy process used to obtain user credentials
2. RADIUS authentication takes place
3. ISE sends the Security Group Tag (SGT) as a RADIUS authorization attribute

 ISR-EDGE1# show epm session ip 192.168.12.12
 Admission feature: AUTHPROXY
 AAA Policies:
  SGT: 0004-0
TrustSec Integration – SXP: SGT Exchange Protocol

[Diagram: ISR-EDGE2 is the SXP speaker, ISR-CENTRAL the SXP listener.]

 ISR-EDGE1# show cts role-based sgt-map all
 Active IP-SGT Bindings Information

 IP Address        SGT  Source
 ====================================
 172.19.37.1       2    INTERNAL
 172.19.38.1       2    INTERNAL
 192.168.2.25      2    INTERNAL
 192.168.10.2      2    INTERNAL
 192.168.11.1      2    INTERNAL
 192.168.12.1      2    INTERNAL
 192.168.12.12     4    LOCAL

 IP-SGT Active Bindings Summary
 ====================================
 Total number of LOCAL bindings    = 1
 Total number of INTERNAL bindings = 6
 Total number of active bindings   = 7

 ISR-CENTRAL# show cts role-based sgt-map all
 Active IP-SGT Bindings Information

 IP Address        SGT  Source
 ====================================
 172.19.37.1       2    SXP
 172.19.38.1       2    SXP
 192.168.2.25      2    SXP
 192.168.10.2      2    SXP
 192.168.11.1      2    SXP
 192.168.12.1      2    SXP
 192.168.12.12     4    SXP

 IP-SGT Active Bindings Summary
 ====================================
 Total number of SXP bindings      = 7
 Total number of active bindings   = 7

On the edge router the authenticated host 192.168.12.12 appears as a LOCAL binding with SGT 4 and the router's own interface addresses as INTERNAL bindings; the central router has received all seven over SXP, so its firewall policy can match on the SGT without the tag being carried inline in the packets.
TrustSec Integration – Building ZFW Policies based on Security Group Tags

[Diagram: ISR-CENTRAL with zone OUTSIDE (F0) facing Branch-1, Branch-2 ... Branch-n and zone INSIDE (F1). The source address of each incoming IP packet is looked up in the IP/SGT table, e.g. 192.168.1.1 -> SGT 3, before the zone policy is applied.]

 class-map type inspect match-any CLASS1
  match protocol http
  match protocol telnet
  match protocol ssh
  match protocol icmp
 !
 class-map type inspect match-any SGT1
  match security-group source tag 3
 !
 class-map type inspect match-all EMPLOYEES
  match class-map CLASS1
  match class-map SGT1

EMPLOYEES is a match-all class, so it matches only traffic that is HTTP, Telnet, SSH or ICMP and is sourced from a host bound to SGT 3; the ISR G2 zone firewall can use the SGT only as a source criterion.
SXP Configuration

Speaker:
 isr-cts2-2911c# config terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 isr-cts2-2911c(config)# cts sxp enable
 isr-cts2-2911c(config)# cts sxp default password cisco
 isr-cts2-2911c(config)# cts sxp connection peer 1.1.1.2 source 1.1.1.1 password default mode local speaker
 isr-cts2-2911c(config)# end
 isr-cts2-2911c#

Listener:
 isr-cts2-2921a# config terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 isr-cts2-2921a(config)# cts sxp enable
 isr-cts2-2921a(config)# cts sxp default password cisco
 isr-cts2-2921a(config)# cts sxp connection peer 1.1.1.1 source 1.1.1.2 password default mode local listener
 isr-cts2-2921a(config)# end
 isr-cts2-2921a#

– cts sxp enable turns SXP on
– cts sxp default password sets the shared secret used by every connection configured with "password default"
– the connection line gives the peer IP address, the local source IP address and whether this router is the speaker or the listener; peer and source are mirrored on the two ends

The password "cisco" is a lab value: the SXP password is what authenticates the peer that feeds IP/SGT bindings into your enforcement points, so use a strong, per-deployment secret.
show cts sxp connections brief

 isr-cts2-2921a# show cts sxp connections brief
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
 Connection retry open period: 120 secs
 Reconcile period: 120 secs
 Retry open timer is running
 -----------------------------------------------------------------------------
 Peer_IP          Source_IP        Conn Status    Duration
 -----------------------------------------------------------------------------
 1.1.1.1          1.1.1.2          On             0:00:00:16 (dd:hr:mm:sec)
 10.1.1.1         20.1.1.1         On             0:00:00:15 (dd:hr:mm:sec)

 Total num of SXP Connections = 2
 isr-cts2-2921a#

Duration is the time the connection has been in the indicated status.
Verify IP-SGT Bindings

IPv4 bindings:
 isr-cts2-2911c# show cts role-based sgt-map all
 Active IP-SGT Bindings Information

 IP Address   SGT  Source
 ============================================
 1.10.1.1     10   CLI
 1.11.1.1     11   CLI

 IP-SGT Active Bindings Summary
 ============================================
 Total number of CLI bindings    = 2
 Total number of active bindings = 2

IPv6 bindings:
 isr-cts2-2921a# show cts role-based sgt-map all ipv6
 Active IP-SGT Bindings Information

 IP Address       SGT  Source
 ================================================================
 1001:100:1::1    610  SXP
 2001:100:1::1    620  CLI

 IP-SGT Active Bindings Summary
 ============================================
 Total number of CLI bindings    = 1
 Total number of SXP bindings    = 1
 Total number of active bindings = 2

The Source column shows how each binding was learned (CLI for static configuration, SXP for bindings received from a peer); the summary gives the number of active bindings per source and in total.
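Parsing the show cts role-based sgt-map all output shown above and on the SXP slide, as an added example (not from the deck): it reads the binding rows, cross-checks them against the summary line, and compares a speaker's table with what a listener actually holds, which is the check to run when a host gets the wrong policy at the central site. The two outputs embedded below are constructed in the format the slides show; the IPv6 row and the deliberately wrong SGT on the listener are there to exercise the comparison.

```python
"""Parse 'show cts role-based sgt-map all' output and compare an SXP speaker's
table with what a listener holds. Added example, not from the deck; the two
outputs below are constructed in the format the slides show."""
import re
from typing import Dict, List, Optional, Tuple

# One binding row: address (IPv4 or IPv6), SGT, learning source (CLI, LOCAL, INTERNAL, SXP ...).
BINDING_RE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+(\d+)\s+([A-Z_]+)\s*$")
TOTAL_RE = re.compile(r"Total number of active bindings\s*=\s*(\d+)")


def parse_sgt_map(output: str) -> Dict[str, Tuple[int, str]]:
    """Map IP -> (SGT, source); header, separator and summary lines never match BINDING_RE."""
    bindings: Dict[str, Tuple[int, str]] = {}
    for line in output.splitlines():
        m = BINDING_RE.match(line)
        if m:
            bindings[m.group(1)] = (int(m.group(2)), m.group(3))
    total = TOTAL_RE.search(output)
    if total and int(total.group(1)) != len(bindings):
        # A summary that disagrees with the rows means truncated or garbled output.
        raise ValueError(f"summary claims {total.group(1)} bindings, parsed {len(bindings)}")
    return bindings


def bindings_by_source(bindings: Dict[str, Tuple[int, str]]) -> Dict[str, int]:
    """Count bindings per learning source, the same split the summary block prints."""
    counts: Dict[str, int] = {}
    for _sgt, source in bindings.values():
        counts[source] = counts.get(source, 0) + 1
    return counts


def missing_on_listener(speaker: Dict[str, Tuple[int, str]],
                        listener: Dict[str, Tuple[int, str]]) -> List[Tuple[str, int, Optional[int]]]:
    """Bindings the speaker advertises that the listener lacks or holds with another SGT.
    The source is ignored on purpose: LOCAL/INTERNAL on the speaker becomes SXP on the listener."""
    gaps = []
    for ip, (sgt, _source) in speaker.items():
        got = listener.get(ip)
        if got is None or got[0] != sgt:
            gaps.append((ip, sgt, None if got is None else got[0]))
    return gaps


EDGE_OUTPUT = """\
ISR-EDGE1# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT  Source
====================================
172.19.37.1             2    INTERNAL
192.168.12.1            2    INTERNAL
192.168.12.12           4    LOCAL
2001:db8:12::12         4    LOCAL

IP-SGT Active Bindings Summary
====================================
Total number of LOCAL bindings    = 2
Total number of INTERNAL bindings = 2
Total number of active bindings   = 4
"""

CENTRAL_OUTPUT = """\
ISR-CENTRAL# show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT  Source
====================================
172.19.37.1             2    SXP
192.168.12.1            2    SXP
192.168.12.12           2    SXP

IP-SGT Active Bindings Summary
====================================
Total number of SXP bindings      = 3
Total number of active bindings   = 3
"""

if __name__ == "__main__":
    edge, central = parse_sgt_map(EDGE_OUTPUT), parse_sgt_map(CENTRAL_OUTPUT)
    print("edge by source:", bindings_by_source(edge))
    for ip, expected, actual in missing_on_listener(edge, central):
        print(f"{ip}: speaker says SGT {expected}, listener has {actual}")
```

A stale binding with the wrong SGT (192.168.12.12 above) is worse than a missing one, because the central firewall will confidently apply another group's policy to that host; comparing the tables from both ends catches both cases in one pass.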
Branch Segmentation / SXP WAN

[Diagram: branch routers Speaker-1 ... Speaker-300 peer over SXPv4 with two ASR1K WAN aggregation routers (Listener-1, Listener-2), which relay to the Cat6K and N7K in the data center. Each branch starts with only its local bindings, e.g. 10.1.10.1 Contractor (SGT 10) and 10.1.10.4 Employee (SGT 30); after relay every router holds the full table, including 10.1.254.1 Contractor (SGT 10) and 10.1.254.4 Employee (SGT 30).]

Bidirectional SXP with loop detection available now:
– ISR G2: 15.4(1)S
– ASR1000 / ISR4k / CSR: XE 3.11
Allows the ASR1000 to be an IP/SGT relay from remote to remote
SXP is a full replication model: each remote router will learn all IP/SGT bindings, so the binding table on every branch grows with the whole enterprise rather than with that branch
Branch Segmentation / Inline Tagging Across WAN

• Inline tagging across the WAN: IPsec, DMVPN, GET VPN
• Inline tagging on built-in ISR G2 and ASR 1000 Ethernet interfaces (all ISR G2 except the 800 series)
• Can also use the SGT-aware Zone-Based Firewall at the branch and DC WAN edge, for reasons such as PCI compliance
• SGT is usable only as a source criterion in the ISR G2 Zone-Based Firewall

[Diagram: Branch A (ISR G2, e.g. 2951/3945) and Branch B (ISR G2 with a Cat3750-X) carry the SGT over GET VPN, DMVPN or IPsec VPN to an inline-SGT ASR1000 router at HQ.]
SXP WAN Aggregation Option

[Diagram: branch routers are SXP speakers, each holding its local bindings (e.g. 10.1.10.1 Production User (SGT 10) and 10.1.10.10 Developer (SGT 20) at one branch; 10.1.254.1 Production User (SGT 10) and 10.1.254.10 Developer (SGT 20) at another). They peer with aggregators that act as both speakers and listeners; the SGT-capable enforcement switches or firewalls at the DC edge are SXP listeners and receive the merged table.]

• Aggregators handle the SXP control plane
• Not in the traffic path
• All bindings received at the DC edge
• Branches peer only with the aggregators
Campus & Branch Segmentation

[Diagram: campus with a Catalyst 6800/Sup2T core, Catalyst 3850 access for wired users and for SSIDs Corp-net and Vendor-net, ISE and ASA5500-X; data center with Nexus 7000, Nexus 5K/2K, Nexus 1000v and ASA5500-X; WAN (GET VPN, DMVPN, IPsec VPN) through an ASR1000 to Branch B, C and D on ISR1900, ISR2900, ISR3900 and ISR4451. Endpoints are classified into HR, Finance, BYOD-Corp and BYOD-Vendor groups regardless of location, VLAN (VLAN10, VLAN18) or DHCP-assigned address (e.g. HR 10.1.10.101, 10.1.10.102 and 20.10.18.103, Finance 10.2.1.51 and 10.2.1.52, BYOD-HR 192.168.50.103).]
Retail customer

Before:
– Existing segmentation scheme used up to 25 subnets/VLANs in stores
– Segmentation for reasons including PCI (separate PCI and POS segments)
– Additional segments would break route summarisation

With TrustSec:
– Catalyst 3850 allowed SGACL segmentation in stores
– No new VLANs/segments required
– DMVPN used to carry the SGT inline between stores (store ISR to ASR, ISE for classification)
Financial Branch – Before TrustSec
– Existing network had 4 subnets/VLANs per branch
– No use of 802.1X
– Extensive IP-based rules in DC firewalls

Financial branch – with TrustSec
– Rules in DC firewalls based on simple categories
– L3 interface-SGT maps on the branch ISR:
  – Each subnet/VLAN gets an SGT, IP-SGT bindings created
  – Same SGTs in every branch
– Bindings propagated from the branch ISR over SXP toward the DC

Financial branch – adding authentication
– Enable 802.1X passively
– Enable SXP in the access switch (switches only capable of SXP)
– Coarse-grained roles from VLAN mappings AND fine-grained roles from authentication (ISE)
– L3 interface-SGT maps still in place
– Bindings from SXP take priority over static SGTs
TrustSec Functions and Platform Support

[Matrix with columns Classification, Propagation, Enforcement; the extraction lost the cell alignment, so only the row lists and the notes survive.]

Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 3850/3650; WLC 5760; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000; IE2000/3000, CGS2000 (NEW); ASA5500 (VPN RAS)

Propagation (SXP and/or inline SGT per platform): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E, 8), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T), 6800; WLC 2500, 5500, WiSM2; WLC 5760; Nexus 1000v; Nexus 6000/5600; Nexus 5500/22xx FEX; Nexus 7000/22xx FEX; ISRG2, CGS2000; ASR1000; ASA5500 Firewall, ASASM
– NEW: inline tagging over GETVPN, DMVPN and IPsec; inline SGT on all ISR G2 except the 800 series

Enforcement (SGACL on the switches and WLC, SGFW on the routers and firewalls): Catalyst 3560-X; Catalyst 3750-X; Catalyst 4500E (7E); Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Catalyst 3850/3650; WLC 5760; Nexus 7000; Nexus 5600 (NEW); Nexus 6000 (NEW); Nexus 5500 (NEW); Nexus 1000v; ISR G2 Router, CGR2000; ASA 5500 Firewall; ASAv Firewall; ASR 1000 Router; CSR-1000v Router

Current matrix: www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Cyber Threat Defense Solution (CTD)
Making use of the WAN Traffic Patterns

Flow fields available from the WAN routers:
– Source and destination address (IPv4/IPv6)
– Source and destination port
– Protocol, application
– DSCP
– Ingress interface
– BGP next-hop field
– MPLS label info
– Multicast info
– L2 information (802.1q tag, CoS field, etc.)
NetFlow Technology Brief

Standards-based flow technology, with a long history (1990s, IOS 11.x)
– NFv5, NFv9, IPFIX, NSEL, FNF (Flexible NetFlow)
– Both a data format and a protocol to transport the flow information from exporter to collector
– The exporter creates a cache entry based on key fields and exports expired/terminated flows to the collector
– Configuration defined by flow record, exporter, flow monitor and device interface
– Efficient, low overhead, binary format, many (20-50) flow records per packet
Supported by the majority of the network infrastructure, but mileage may vary greatly
– IOS/-XE/-XR routers, Catalyst and Nexus switches
– ASA provides NSEL (NetFlow Security Event Logging) support: state-based, with NAT stitching
If a device cannot export natively, generate flows with a SPAN-attached appliance
– Cisco NetFlow Generation Appliance (NGA)
– Lancope FlowSensor Appliance (FS)
For network forensics and behavioural anomaly detection, use unsampled (1:1) NetFlow
– Sampled NetFlow is still useful for traffic accounting, billing, understanding the protocol mix and network planning
NetFlow instrumentation is the foundation for traceback and attribution
New security use for a very well-known technology

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html
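A parser for the NetFlow v5 export format described above, added here as an example (not from the deck or any Cisco or Lancope product). build_v5() plays the exporter so the example runs offline; parse_v5() unpacks the 24-byte header and 48-byte records, rejects packets whose record count disagrees with their length, and exposes the sampling field so a collector used for forensics can refuse sampled exports, which is the unsampled (1:1) requirement stated on the slide. The sample flows are constructed; targets_per_source() shows a first triage use, counting distinct tcp/445 targets per source, the internal-reconnaissance pattern the CTD slides flag later.

```python
"""NetFlow v5 export parser with the two checks a security collector needs.
Added example, not from the deck. build_v5() plays the exporter so the example
runs offline; the flows it packs are constructed sample data."""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Cisco NetFlow v5 layout: 24-byte header followed by up to 30 48-byte records.
HEADER_FMT = "!HHIIIIBBH"                 # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, if in/out, pkts, octets, first, last, ports, ...
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int


@dataclass
class Export:
    sequence: int
    sampling_mode: int       # top two bits of the sampling field
    sampling_interval: int   # low 14 bits; 0 means every packet was accounted
    flows: List[Flow]


def parse_v5(packet: bytes) -> Export:
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = \
        struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > MAX_RECORDS or len(packet) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match packet length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        flows.append(Flow(src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
                          sport=f[9], dport=f[10], proto=f[13],
                          packets=f[5], octets=f[6], tcp_flags=f[12]))
    return Export(sequence=seq, sampling_mode=sampling >> 14,
                  sampling_interval=sampling & 0x3FFF, flows=flows)


def is_unsampled(export: Export) -> bool:
    """Forensics and anomaly detection need 1:1 NetFlow; sampled exports hide short flows."""
    return export.sampling_mode == 0 and export.sampling_interval in (0, 1)


def targets_per_source(export: Export, proto: int, dport: int) -> Dict[str, int]:
    """Distinct destinations each source touched on one port, e.g. a tcp/445 sweep."""
    seen = defaultdict(set)
    for fl in export.flows:
        if fl.proto == proto and fl.dport == dport:
            seen[fl.src].add(fl.dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def build_v5(flows: List[dict], sampling: int = 0, sequence: int = 1) -> bytes:
    """Constructed exporter side: pack flow dicts into a v5 packet (unused fields zero)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, 0, 0, sequence, 0, 0, sampling)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    b"\0\0\0\0", 0, 0, f["packets"], f["octets"], 0, 0,
                    f["sport"], f["dport"], 0, f.get("flags", 0), f["proto"],
                    0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


# Constructed sample: one host SYN-sweeping tcp/445 across three neighbours, plus a normal HTTPS flow.
SAMPLE_FLOWS = [
    {"src": "10.10.101.118", "dst": f"10.10.101.{n}", "sport": 50000 + n, "dport": 445,
     "proto": 6, "packets": 1, "octets": 60, "flags": 0x02} for n in (1, 2, 3)
] + [{"src": "10.10.101.50", "dst": "203.0.113.10", "sport": 51234, "dport": 443,
      "proto": 6, "packets": 12, "octets": 4321, "flags": 0x1b}]
SAMPLE_PACKET = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    export = parse_v5(SAMPLE_PACKET)
    print("unsampled:", is_unsampled(export))
    print("tcp/445 targets per source:", targets_per_source(export, 6, 445))
```

The length check matters on a UDP-fed collector: a spoofed or truncated datagram that claims more records than it carries would otherwise be read past its end, and a parser that silently accepts it also silently accepts injected flows.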
Network-Based Anomaly Detection (NBAD)

• Concern Index tracks hosts that appear to be compromising the integrity of the network
• File Sharing Index indicates peer-to-peer host activity
• Target Index visualises hosts that appear to be victims of suspicious behaviour
• Host Group Targeted Reporting unveils network and application traffic patterns

[Screenshots: application report and inbound/outbound traffic report.]
Catching the Insider Threats with CTD

• Unauthorised access violation attempted, denied by the firewall
• Internal reconnaissance: Concern Index event, scanning on tcp/445
• Data hoarding: transferring a large amount of data through the network
  – Suspect Data Hoarding: a host downloading inbound from many hosts
  – Target Data Hoarding: a host uploading an unusual amount outbound to multiple hosts
• Data exfiltration: identify suspicious transfers through the Internet edge over a long time
Handling the Indicators of Compromise (IoCs)

Identify suspected malware-infected hosts in the client host groups
• Visualise the malware infection spread with Worm Tracker
  – Primary and secondary infections
  – Subnets being scanned
• Apply context-aware telemetry from ISE to understand the affected users
• Investigate all the hosts touched by the originally infected host
Cyber Threat Defense Solution (CTD) Overview

[Diagram: NetFlow-enabled IOS devices export NetFlow to the StealthWatch FlowCollector*; the StealthWatch Management Console* provides management and pulls user context from Cisco ISE; the StealthWatch FlowReplicator replicates NetFlow and other protocols to other traffic analysis software.]
* Virtual or Physical Edition
Example Attack Detection without Signatures

A high Concern Index (CI) indicates a significant number of suspicious events that deviate from established baselines.

 Host Group   Host             CI           CI%    Alarms                Alerts
 Desktops     10.10.101.118    338,137,280  8656%  High Concern Index    Ping, Ping_Scan, TCP_Scan

Simplified example (the CEO PC sending ICMP echo to one host after another):
1. ECHO -> CI = CI + 1
2. ECHO -> CI = CI + 2
3. ECHO -> CI = CI + 4
4. ECHO -> CI = CI + 8
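The escalating score from the simplified example, worked through in code as an added example (not from the deck and not StealthWatch's actual algorithm): every new suspicious event from a host is worth twice the previous one, so a scanner's Concern Index climbs steeply while a single stray ping stays in the noise, and CI% is the index relative to the host's learned baseline. It generalises the slide's ICMP case to bare-SYN TCP probes so that all three alert names from the table (Ping, Ping_Scan, TCP_Scan) can fire. The point weights, thresholds, baselines and sample flows are assumptions made for the example.

```python
"""Concern Index scoring in the spirit of the CTD slide: each new suspicious
event from a host is worth twice the previous one. Added example, not from the
deck and not the product's real algorithm; weights, thresholds, baselines and
sample flows are assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, List

ICMP, TCP = 1, 6
SYN_ONLY = 0x02


def score_hosts(flows: Iterable[dict], baselines: Dict[str, int],
                scan_threshold: int = 5, alarm_pct: int = 400) -> Dict[str, dict]:
    """Per-source CI, CI% against the host's baseline, alert names and alarm flag.

    flows: dicts with src, dst, proto and, for TCP, dport and flags (constructed here).
    baselines: expected CI per host from a learning period; unknown hosts get 100."""
    points: Dict[str, int] = defaultdict(int)
    echo_targets = defaultdict(set)    # distinct hosts a source sent ICMP echo to
    syn_targets = defaultdict(set)     # distinct host:port pairs probed with a bare SYN
    for f in flows:
        src = f["src"]
        if f["proto"] == ICMP:
            if f["dst"] in echo_targets[src]:
                continue               # repeat pings to the same host do not escalate
            echo_targets[src].add(f["dst"])
            points[src] += 2 ** (len(echo_targets[src]) - 1)   # 1, 2, 4, 8 ...
        elif f["proto"] == TCP and f.get("flags", 0) == SYN_ONLY:
            key = (f["dst"], f["dport"])
            if key in syn_targets[src]:
                continue
            syn_targets[src].add(key)
            points[src] += 2 ** (len(syn_targets[src]) - 1)
        # established TCP, UDP and everything else is not scored in this example
    report = {}
    for src, ci in points.items():
        alerts: List[str] = []
        if echo_targets[src]:
            alerts.append("Ping")
        if len(echo_targets[src]) >= scan_threshold:
            alerts.append("Ping_Scan")
        if len(syn_targets[src]) >= scan_threshold:
            alerts.append("TCP_Scan")
        baseline = max(1, baselines.get(src, 100))
        ci_pct = ci * 100 // baseline
        report[src] = {"ci": ci, "ci_pct": ci_pct, "alerts": alerts,
                       "alarm": ci_pct >= alarm_pct}
    return report


# Constructed sample: the CEO PC pings eight neighbours and SYN-probes tcp/445 on five of
# them; another desktop pings its gateway once;  a third only has an established HTTPS session.
SAMPLE_FLOWS = (
    [{"src": "10.10.101.118", "dst": f"10.10.101.{n}", "proto": ICMP} for n in range(1, 9)]
    + [{"src": "10.10.101.118", "dst": f"10.10.101.{n}", "proto": TCP, "dport": 445,
        "flags": SYN_ONLY} for n in range(1, 6)]
    + [{"src": "10.10.101.5", "dst": "10.10.101.1", "proto": ICMP}]
    + [{"src": "10.10.101.7", "dst": "203.0.113.10", "proto": TCP, "dport": 443, "flags": 0x18}]
)
BASELINES = {"10.10.101.118": 20, "10.10.101.5": 20}

if __name__ == "__main__":
    for host, row in score_hosts(SAMPLE_FLOWS, BASELINES).items():
        print(host, row)
```

With these weights eight echoes to distinct hosts score 255 and five bare SYNs another 31, so the CEO PC ends at 286, 1430% of its baseline of 20, with all three alerts and the alarm raised; the desktop that pinged its gateway once scores 1 (5%) and stays quiet. Doubling per new target is what makes the index usable without signatures: the shape of the behaviour, not the payload, drives the score.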
Operational Network & Security Intelligence (ONSI)

[Screenshot: network and security intelligence dashboard summary.]
Embracing the Holistic Threat Continuum

Phases: Control, Enforce, Harden | Detect, Block, Defend | Scope, Contain, Remediate

Technologies across the continuum:
– Infrastructure and protocols
– Network firewall
– Next-Generation Firewall (NGFW)
– Next-Generation IPS (NGIPS)
– Web security and content filtering
– Mobile users and remote access VPN
– Email security
– SSL decryption and inspection
– Network forensics
– Advanced Malware Protection (AMP)
– Incident response
– Open source and custom tools
Underpinning all phases: context-awareness and attribution
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
– Bruce Schneier, security guru