Jaromír Pilař
May, 2016
Leveraging the network to control threats
Network as a Sensor & Enforcer
Agenda
• Overview of Network as a Sensor and Enforcer
• Network as a Sensor
• Network as an Enforcer
• Summary and resources
Network as a Sensor and Enforcer Overview
Security Challenges
• Growing attack surface
• Dynamic threat landscape
• Complexity and fragmentation
How Data Breaches Happen
1. Reconnaissance
2. Victim clicks phishing email link
3. Malware dropped via backdoor
4. Lateral movement to find an admin
5. Privilege escalation to become admin
6. Data exfiltration using admin privilege
7. Information monetized after the breach
You Can't Protect What You Don't See
• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren't discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase in companies reporting a $10M loss or more in the last 3 YEARS
"A community that hides in plain sight avoids detection and attacks swiftly" - Cisco Annual Security Report
A Threat-Centric Security Model
Attack Continuum
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Assess, Contain, Remediate
The network plays both roles across the continuum: Network as an Enforcer and Network as a Sensor.
Network with Only Perimeter Visibility
[Figure: internal hosts and subnets (e.g. 192.168.19.3, 10.4.51.5, 10.200.21.110, 10.51.51.0/24, 10.51.52.0/24, 10.51.53.0/24) behind a single Internet edge; only the edge is instrumented]
• Many devices in your network without visibility
• Visibility available only for traffic transiting the perimeter
Enabling Visibility Inside Your Network
[Figure: the same internal hosts and subnets, now each reporting what they see; the result is a list of raw addresses]
• Cryptic network addresses that may change constantly
• Difficult to manage policy without any context
Context based Visibility and Control
[Figure: the network fabric with endpoints classified by role (Employee, Supplier, Quarantine) and destinations classified by role (Shared Server, Server, High Risk Segment, Internet); each role pair is marked as allowed traffic or denied traffic]
• Clear understanding of traffic flow with context
• Easier to create & apply policy based on such context
Network as a Sensor - Cisco ISE, NetFlow and visualization and mitigation tools
Real-time visibility at all network layers
• Data intelligence throughout the network
• Asset discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
[Figure: NetFlow from the network feeds the visualization and mitigation tools; Cisco ISE supplies context information about users and devices and carries out mitigation actions requested by those tools]
Integration options
• Cisco Platform Exchange Grid (pxGrid) – open to 3rd parties
• API/script – for example APIC-EM and Flowmon integration
Network as an Enforcer with TrustSec
Traditional Security Policy
[Figure: a long, opaque address-based ACL, e.g. `access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462`, followed by many more such lines]
TrustSec Security Policy
• Security control automation
• Simplified access management
• Improved security efficacy
[Figure: one policy enforced consistently across the network fabric: switch, router, DC firewall, DC switch, wireless]
Flexible and Scalable Policy Enforcement
Software defined segmentation
Network as a Sensor
Introduction to NetFlow
[Figure: packets from 10.1.8.3 to 172.168.134.2 cross a router toward the Internet; routers and switches summarize them into one flow record]
Flow Information
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6 (TCP)
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
…
APPLICATION NAME      NBAR SECURE-HTTP
NetFlow provides
• A trace of every conversation in your network
• The ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• The ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN-based traffic analysis
• Indicators of Compromise (IOC)
• Security Group information
Cisco Network Empowers NetFlow in Scale
Comprehensive view into all activities: unsampled NetFlow on Cisco devices allows all traffic to be collected.
Fundamental capabilities built in to Cisco routers and switches, plus UCS vNIC. Fields of a traditional NetFlow record, grouped by what they tell you:
• From/To: Source IP address, Destination IP address
• Application: Source port, Destination port (see the flow record on the previous slide)
• Usage: Packet count, Byte count
• Time: Start sysUpTime, End sysUpTime
• Port Utilization: Input ifIndex, Output ifIndex
• QoS: Type of Service, TCP flags, Protocol
• Routing and Peering: Next hop address, Source AS number, Dest. AS number, Source prefix mask, Dest. prefix mask
Even on routers, full 1-to-1 NetFlow introduces little overhead: typically around 5%, but upwards of 15% in the worst case depending on prior CPU utilization.
NetFlow Terminology
• Flow: a traffic set defined by a set of KEY fields, e.g. Source IP, Destination IP, Source Port, Destination Port, Protocol, TOS, Interface
• Flow Template: a flexible (v9) feature that advertises the record format to the collector
• Flow Collector: a device that receives NetFlow records from a NetFlow generator
• Flow Record: the NetFlow Protocol Data Unit exported from a NetFlow generator; contains a collection of KEY and NON-KEY fields relating to a flow
• Non-KEY fields: e.g. Bytes, Packets, TCP Flags, AP MAC and Client MAC
• Flow Exporter: the NetFlow configuration of where (to which collector) the flows are going to be sent, including IP address and protocol/port
• NetFlow Generator: a NetFlow-enabled network device
Myths about NetFlow Generation
Myth #1: NetFlow impacts performance
• Hardware-implemented NetFlow has no forwarding performance impact; the hardware flow table is finite, though, so when it fills new flows go unrecorded rather than slowing the device
• Software implementation typically adds well under 15% processing overhead
Myth #2: NetFlow has bandwidth overhead
• NetFlow is a summary protocol
• Export traffic is typically well under 1% of total traffic per exporting device
NetFlow in Motion
[Figure: Source → NetFlow Generator → Destination, with the generator exporting to the Flow Collector]
1. Packets from the source to the destination cross the NetFlow generator, which reads the NetFlow key fields: Source IP Address, Destination IP Address, Source Port, Destination Port, Layer 3 Protocol, TOS byte (DSCP), Input Interface
2. Packets that share the same key fields are accumulated in the NetFlow cache as one flow, together with its flow information (addresses, ports, … and counters such as 11000 packets, 1528 bytes/packet)
3. Flow records are exported from the cache to the Flow Collector
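The record, exporter, collector and cache described in the NetFlow Terminology slide and in the three steps above map one-to-one onto Cisco Flexible NetFlow configuration. The following is an added example for this page, not configuration taken from the deck: it targets an IOS-XE router such as the ISR 4000 or ASR 1000 listed below, takes the seven key fields from the terminology slide as match fields, adds the source and destination Security Group Tag as key fields so every record carries security-group context (as in the Introduction to NetFlow record), and collects the non-key fields shown there. The collector address 10.10.10.20, UDP port 2055, the Loopback0 export source and the interface name are assumptions.

```cisco-ios
! Added example, not from the original deck. Assumed: IOS-XE router (ISR 4000 / ASR 1000),
! collector at 10.10.10.20 listening on UDP 2055, Loopback0 as export source,
! GigabitEthernet0/0/0 as the monitored interface.

! 1. Flow record: KEY fields (match) define what a flow is, NON-KEY fields (collect)
!    are accumulated per flow. Key fields follow the "NetFlow Terminology" slide,
!    plus source/destination SGT (only on platforms marked "FNF v9 SGT support").
flow record REC-NAAS
 description Key fields + SGT, non-key counters, flags, next hop, app name
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match ipv4 tos
 match interface input
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect interface output
 collect counter packets long
 collect counter bytes long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
! 2. Flow exporter: where the records go. NetFlow v9 templates advertise the record
!    format above to the collector; the option tables let it resolve ifIndex values
!    and NBAR application IDs to names.
flow exporter EXP-COLLECTOR
 description Flow collector (address assumed)
 destination 10.10.10.20
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option interface-table
 option application-table
!
! 3. Flow monitor: ties the record and exporter to a cache. The active/inactive
!    timeouts decide when a cache entry is expired and exported. No sampler is
!    attached, so every packet is accounted for (unsampled NetFlow).
flow monitor MON-NAAS
 description Unsampled monitor exporting to the collector
 record REC-NAAS
 exporter EXP-COLLECTOR
 cache timeout active 60
 cache timeout inactive 15
!
! 4. Apply in both directions so north-south and east-west flows are both seen.
interface GigabitEthernet0/0/0
 ip flow monitor MON-NAAS input
 ip flow monitor MON-NAAS output
```

Check the result with `show flow monitor MON-NAAS cache format table` (flows currently in the cache, including their SGT fields) and `show flow exporter EXP-COLLECTOR statistics` (records actually sent). Two practical points: the `match flow cts` lines are rejected on platforms without SGT support, so drop them there rather than the whole record; and because the SGT is a key field, a host whose tag changes mid-conversation produces a second flow record, which is exactly what a quarantine action looks like on the collector.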
NetFlow Supported Platforms
[Figure: NetFlow-capable devices along the path user – switch – router – WAN – router – firewall – DC switch – server, with ISE providing context]
NetFlow Exporters
• Catalyst 2960-X (NetFlow Lite) - sampled only
• Catalyst 3560-X (SM-10G module only)
• Catalyst 3750-X (SM-10G module only)
• Catalyst 3850/3650 (FNF v9 SGT support)
• Catalyst 4500E (Sup7E/7LE)
• Catalyst 4500E (Sup8) (FNF v9 SGT support)
• Catalyst 6500E (Sup2T) (FNF v9 SGT support)
• Catalyst 6800 (FNF v9 SGT support)
• Cisco ISR G2 (FNF v9 SGT support)
• Cisco ISR 4000 (FNF v9 SGT support)
• Cisco ASR1000 (FNF v9 SGT support)
• Cisco CSR 1000v (FNF v9 SGT support)
• Cisco WLC 5760 (FNF v9)
• Cisco WLC 5520, 8510, 8540 (v9) *
• ASA5500, 5500-X (NSEL)
• Nexus 7000 (M Series I/O modules – FNF v9)
• Nexus 1000v (FNF v9)
• Cisco NetFlow Generation Appliance (FNF v9)
• Cisco UCS VIC (VIC 1224/1240/1280/1340/1380)
• Cisco AnyConnect Client (IPFIX) *
Network as an Enforcer
Software-Defined Segmentation with TrustSec
(Traditional address-based security policy versus TrustSec security policy: security control automation, simplified access management, improved security efficacy, enforced across switch, router, DC firewall, DC switch and wireless; see the overview slide above.)
Network Segmentation with TrustSec
[Figure: a user with context (Username: johnd, Group: Store Managers, Location: Store Office, Time: Business Hour) is classified into Security Group: Manager; enforcement of that group's policy happens on switches, routers, the firewall, the DC switch and the hypervisor switch in front of the resource ("Authorized personnel only")]
Segmentation based on RBAC
• Independent from address-based topology
Role based on context
• AD, LDAP attributes, device type, location, time, access methods, etc.
Use tagging technology
• To represent a logical group (classification)
• To enforce policy on switch, router, and firewall
Software defined
• Policy managed centrally
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network dynamically
How TrustSec Simplifies Network Segmentation
Traditional Segmentation
[Figure: access layer, aggregation layer and enterprise backbone with a VLAN per role: Voice VLAN, Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN, Quarantine VLAN (Non-Compliant)]
• Security policy based on topology
• Every role costs a VLAN, address space, DHCP scope, redundancy, routing, static ACLs and VACLs
• High cost and complex maintenance
TrustSec
[Figure: the same access layer with only a Voice VLAN and a Data VLAN; Employee, Supplier, BYOD and Non-Compliant endpoints share the Data VLAN but carry different tags (Employee Tag, Supplier Tag, Non-Compliant Tag) across the enterprise backbone to the DC firewall / switch in front of the DC servers; ISE supplies the policy]
• Use the existing topology and automate security policy to reduce OpEx
• No VLAN change
• No topology change
• Central policy provisioning
• Micro/macro segmentation
Classification, Propagation, Enforcement
TrustSec in Action
[Figure: directory users arriving via switch, wireless and remote access are tagged at the edge (5 Employee, 6 Supplier, 8 Suspicious); the tags travel across routers and the WAN to the DC firewall and DC switch, which enforce a source-SGT/destination-SGT policy matrix in front of the application servers; ISE manages classification and policy]
TrustSec Functions
• Classification: Static, Dynamic
• Propagation: Inline, SXP (SGT Exchange Protocol)
• Enforcement: SGACL (Security Group ACL), SGFW (Security Group Firewall), SGZBFW (Security Group Zone-Based Firewall)
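The three functions above (classification, propagation, enforcement) can be followed end to end in device configuration. What follows is an added example written for this page, not configuration from the deck or from Cisco documentation. It assumes a Catalyst access switch with 802.1X against ISE for dynamic classification, a static mapping for a server subnet, an inline-tagged uplink to a trusted switch, an SXP session to a data-centre device that cannot read inline tags, and a locally defined SGACL. The SGT numbers 5 (Employee) and 8 (Suspicious) follow the slide; the server SGT 20, the ISE address 10.10.10.30, the SXP peer 10.20.0.1, the subnet 10.51.51.0/24, interface names, VLAN 100 and the secrets are assumptions. In a deployment the permission matrix is authored centrally in ISE and downloaded to the devices; the `cts role-based permissions` lines here stand in for that download so the policy can be read in one place.

```cisco-ios
! Added example, not from the original deck. Assumed: Catalyst access switch with CTS
! support, ISE as RADIUS server 10.10.10.30, SXP listener 10.20.0.1 (a DC device without
! inline tagging), server subnet 10.51.51.0/24 tagged SGT 20. Per the slide: 5 = Employee,
! 6 = Supplier, 8 = Suspicious. Replace <...> placeholders with real secrets.

! --- Classification ---
! Dynamic: ISE returns the SGT in the RADIUS authorization result of each 802.1X
! session, using the user's AD group, device type, location and time as context.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network ISE-LIST group radius
radius server ISE
 address ipv4 10.10.10.30 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
! Lets the switch download its environment data (SGT names, policies) from ISE.
cts authorization list ISE-LIST
dot1x system-auth-control
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 dot1x pae authenticator
! Static: servers never authenticate, so the whole subnet is mapped to a tag.
cts role-based sgt-map 10.51.51.0/24 sgt 20

! --- Propagation ---
! Inline: the uplink carries the SGT in the frame. The peer is a trusted switch, so
! tags it sends are kept; anything it sends untagged is treated as SGT 2.
interface TenGigabitEthernet1/1/1
 cts manual
  policy static sgt 2 trusted
! SXP: IP-to-SGT bindings are pushed over TCP to a device that cannot see inline
! tags, so it can still enforce by tag. The session is authenticated with a
! shared password.
cts sxp enable
cts sxp default source-ip 10.1.1.1
cts sxp default password <sxp-password>
cts sxp connection peer 10.20.0.1 password default mode local speaker

! --- Enforcement (SGACL) ---
! Policy is written in terms of tags, never addresses: employees reach servers on
! TCP 443 only, suspicious endpoints reach servers not at all. Adding a server to
! 10.51.51.0/24 or moving an employee to another VLAN changes nothing below.
ip access-list role-based EMPLOYEE-TO-SERVER
 permit tcp dst eq 443
 deny ip
ip access-list role-based DENY-ALL
 deny ip
cts role-based permissions from 5 to 20 EMPLOYEE-TO-SERVER
cts role-based permissions from 8 to 20 DENY-ALL
cts role-based enforcement
cts role-based enforcement vlan-list 100
```

Verify with `show cts role-based sgt-map all` (which IP holds which tag, and whether the binding came from 802.1X, a static map or SXP), `show cts sxp connections`, `show cts role-based permissions` and `show cts role-based counters` (hits per source/destination SGT pair, the quickest way to prove a rule is actually matched). Both RADIUS and SXP rest on shared secrets: a forged SXP binding would silently re-tag a host into a more permissive group, so keep SXP on a management path and use strong, per-peer passwords rather than one default everywhere.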
TrustSec Supported Platforms
[Figure: user – switch – router – WAN (GETVPN, DMVPN, IPsec) – router – firewall – DC switch – vSwitch – server, with ISE providing policy; each platform below is listed under the function it supports]
Classification
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C/-X/-CX
• Catalyst 3750-E/-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E/7E)
• Catalyst 4500E (Sup8)
• Catalyst 6500E (Sup720/2T)
• Catalyst 6800
• WLC 2500/5500/5400/WiSM2/8510/8540
• WLC 5760
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISR G2, CGR2000, ISR 4000
• IE2000/3000/CGR2000
• ASA5500 (RAS VPN)
Propagation
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C, 3750-E
• Catalyst 3560-X/3750-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E)
• Catalyst 4500E (Sup7E, 7LE, 8E)
• Catalyst 4500X
• Catalyst 6500E (Sup720)
• Catalyst 6500/Sup2T, 6800
• WLC 2500/5500/5400/WiSM2/8510/8540
• WLC 5760
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISR G2, ISR 4000
• IE2000/3000/CGR2000
• ASR1000
• ASA5500
Enforcement
• Catalyst 3560-X
• Catalyst 3750-X
• Catalyst 3850/3650
• WLC 5760
• Catalyst 4500E (7E)
• Catalyst 4500E (8E)
• Catalyst 6500E (2T)
• Catalyst 6800
• Nexus 7000
• Nexus 6000
• Nexus 5500/5600
• Nexus 1000v
• ISR G2, ISR 4000, CGR2000
• ASR 1000 Router
• CSR-1000v Router
• ASA 5500 Firewall
• ASAv Firewall
• Web Security Appliance
Summary & Resources
Network as a Sensor and Enforcer Summary
• TrustSec provides software defined (micro) segmentation
• NetFlow, Cisco ISE and visualisation and mitigation tools provide visibility and intelligence
• The network is a key asset for threat detection and control
To learn more visit
www.cisco.com/go/networksecurity
www.cisco.com/go/ISE
www.cisco.com/go/TrustSec
www.cisco.com/go/ctd