Network as a Sensor & Enforcer: Leveraging the network to control threats. Jaromír Pilař, [email protected], May 2016


Page 1: Network as a Sensor & Enforcer - Flowmon

Jaromír Pilař
[email protected]
May, 2016

Leveraging the network to control threats

Network as a Sensor & Enforcer

Page 2: Agenda

• Overview of Network as a Sensor and Enforcer
• Network as a Sensor
• Network as an Enforcer
• Summary and resources

Page 3: Network as a Sensor and Enforcer Overview

Page 4: Security Challenges

• Growing Attack Surface
• Dynamic Threat Landscape
• Complexity and Fragmentation

Page 5: How Data Breaches Happen

• Reconnaissance
• Victim clicks phishing email link
• Malware dropped via backdoor
• Lateral movement to find Admin
• Escalate privilege to become Admin
• Data exfiltration using Admin privilege
• Information monetized after breach

Page 6: You Can’t Protect What You Don’t See

• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren’t discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase of companies reporting a $10M loss or more in the last 3 YEARS

“A community that hides in plain sight avoids detection and attacks swiftly” (Cisco Annual Security Report)

Page 7: A Threat-Centric Security Model

Attack Continuum
• Before: Discover, Enforce, Harden
• During: Detect, Block, Defend
• After: Assess, Contain, Remediate

Network as a Sensor and Network as an Enforcer are positioned along this continuum.

Page 8: Network with Only Perimeter Visibility

[Figure: internal hosts 192.168.19.3, 10.85.232.4, 10.4.51.5, 192.168.132.99, 10.43.223.221, 10.200.21.110 and subnets 10.51.51.0/24, 10.51.52.0/24, 10.51.53.0/24 behind a perimeter to the Internet]

• Many devices in your network without visibility
• Visibility available only for traffic transiting through the perimeter

Page 9: Enabling Visibility Inside Your Network

[Figure: the same hosts and subnets (192.168.19.3, 10.85.232.4, 10.4.51.5, 192.168.132.99, 10.43.223.221, 10.200.21.110, 10.51.51.0/24, 10.51.52.0/24, 10.51.53.0/24) now visible inside the network, plus the Internet]

• Cryptic network addresses that may change constantly
• Difficult to manage policy without any context

Page 10: Context-based Visibility and Control

[Figure: a Network Fabric connecting Employee, Employee, Supplier, Quarantine, Shared Server, Server, High Risk Segment and the Internet, with Allowed Traffic and Denied Traffic marked]

• Clear understanding of traffic flow with context
• Easier to create & apply policy based on such context

Page 11: Network as a Sensor - Cisco ISE, NetFlow and visualization and mitigation tools

Real-time visibility at all network layers
• Data intelligence throughout the network
• Asset discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

[Figure labels: Cisco ISE, Mitigation Action, Context Information, NetFlow]

Integration options
• Cisco Platform Exchange Grid (pxGrid) – open to 3rd party
• API/script – for example APIC-EM and Flowmon integration

Page 12: Network as an Enforcer with TrustSec

Traditional Security Policy (address-based ACL, as shown on the slide):

access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec Security Policy (software-defined segmentation)
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy

[Figure: Network Fabric of Switch, Router, DC FW, DC Switch, Wireless: Flexible and Scalable Policy Enforcement]

Page 13: Network as a Sensor

Page 14: Introduction to NetFlow

[Figure: packets from 10.1.8.3 to 172.168.134.2 pass a router on the way to the Internet; Routers and Switches export Flow Information]

Flow information for the example conversation:
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
: :
APPLICATION NAME      NBAR SECURE-HTTP

NetFlow provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN-based traffic analysis
• Indicators of Compromise (IOC)
• Security Group information

Page 15: Cisco Network Empowers NetFlow in Scale

Comprehensive view into all activities: unsampled NetFlow on Cisco devices allows all traffic to be collected.

Fundamental capabilities built in to Cisco routers and switches plus UCS vNIC:
• Packet count
• Byte count
• Source IP address
• Destination IP address
• Start sysUpTime
• End sysUpTime
• Input ifIndex
• Output ifIndex
• Type of Service
• TCP flags
• Protocol
• Next hop address
• Source AS number
• Dest. AS number
• Source prefix mask
• Dest. prefix mask

These fields characterize: Usage, Time, Port Utilization, QoS, From/To, Application, Routing and Peering.

Even on routers, full 1-to-1 NetFlow introduced little overhead: typically around 5%, but upwards of 15% in the worst case, depending on prior CPU utilization.

Page 16: NetFlow Terminology

Flow: a traffic set defined by a set of KEY fields. Ex. Source IP, Destination IP, Source Port, Destination Port, Protocol, TOS, Interface

Flow Template: a flexible (v9) feature that advertises the record format to the collector

Flow Collector: a device that receives NetFlow records from a NetFlow generator

Flow Record: NetFlow Protocol Data Unit exported from a NetFlow generator. Contains a collection of KEY and NON-KEY fields relating to a flow. Non-KEY fields, ex. Bytes, Packets, TCP Flags, AP MAC and Client MAC

Flow Exporter (Collector): a NetFlow configuration of where the flows are going to be sent, including IP address and protocol/port

NetFlow Generator: a NetFlow-enabled network device

Page 17: Myths about NetFlow Generation

Myth #1: NetFlow impacts performance
• Hardware-implemented NetFlow has no performance impact
• Software implementation typically has significantly <15% processing overhead

Myth #2: NetFlow has bandwidth overhead
• NetFlow is a summary protocol
• Traffic overhead is typically significantly <1% of total traffic per exporting device

Page 18: NetFlow in Motion

[Figure: Source sends packets through the NetFlow Generator to Destination; the generator fills its NetFlow Cache and exports records to the Flow Collector (steps 1, 2, 3)]

NetFlow Key Fields
• Source IP Address
• Destination IP Address
• Source Port
• Destination Port
• TOS byte (DSCP)
• Input Interface

NetFlow Cache
Flow Information     Packets   Bytes / packet
Address, ports…      11000     1528
…                    …         …
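The cache behaviour described on the last three slides (a flow identified by its KEY fields, NON-KEY fields such as packets, bytes and TCP flags accumulated per entry, and the entry exported to the collector once it times out) as a runnable model. This is an added example, not code from the deck or from Cisco. The packet sample, the timeout values and the `Gi0/0/0` interface label are constructed; the conversation 10.1.8.3:47321 to 172.168.134.2:443 and the 0x1A flags value repeat the figures from the NetFlow introduction slide, and the SGT is carried as a non-key field the way SGT-capable exporters do.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# KEY fields: two packets belong to the same flow only if all of these match
# (source IP, destination IP, source port, destination port, protocol, TOS, input interface).
FlowKey = Tuple[str, str, int, int, int, int, str]


@dataclass
class Packet:
    """Constructed packet header; only the fields the cache looks at."""
    ts: float          # seconds since boot, stands in for sysUpTime
    src: str
    dst: str
    sport: int
    dport: int
    proto: int         # 6 = TCP, 17 = UDP
    tos: int
    iface: str
    length: int        # bytes on the wire
    tcp_flags: int = 0
    sgt: Optional[int] = None   # Security Group Tag, present on SGT-capable platforms


@dataclass
class FlowRecord:
    """One cache entry: the KEY plus the NON-KEY fields accumulated for it."""
    key: FlowKey
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0          # OR of all flags seen, exported like the deck's 0x1A
    start: float = 0.0          # Start sysUpTime
    end: float = 0.0            # End sysUpTime
    source_sgt: Optional[int] = None


class FlowCache:
    """NetFlow generator side: aggregate packets, export on active/inactive timeout."""

    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0):
        self.active = active_timeout      # export long-lived flows periodically
        self.inactive = inactive_timeout  # export flows that went quiet
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []   # what would be sent to the collector

    @staticmethod
    def key_of(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.iface)

    def observe(self, p: Packet) -> None:
        """Account one packet to its flow, creating the entry on first sight."""
        self.expire(p.ts)
        k = self.key_of(p)
        rec = self.cache.get(k)
        if rec is None:
            rec = FlowRecord(key=k, start=p.ts, end=p.ts, source_sgt=p.sgt)
            self.cache[k] = rec
        rec.packets += 1
        rec.bytes += p.length
        rec.tcp_flags |= p.tcp_flags
        rec.end = p.ts

    def expire(self, now: float) -> None:
        """Move entries that hit a timeout from the cache to the export queue."""
        for k, rec in list(self.cache.items()):
            if now - rec.start >= self.active or now - rec.end >= self.inactive:
                self.exported.append(self.cache.pop(k))

    def flush(self) -> List[FlowRecord]:
        """Export every remaining entry (as a generator does at shutdown)."""
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


def build_sample_records() -> List[FlowRecord]:
    """Feed a constructed packet sample through the cache and return the export queue."""
    cache = FlowCache(active_timeout=60.0, inactive_timeout=15.0)
    https = ("10.1.8.3", "172.168.134.2", 47321, 443, 6, 0x00, "Gi0/0/0")  # the deck's conversation
    sample = [
        Packet(0.0, *https, 60, tcp_flags=0x02, sgt=100),    # SYN
        Packet(0.1, *https, 52, tcp_flags=0x10, sgt=100),    # ACK
        Packet(0.2, *https, 1500, tcp_flags=0x18, sgt=100),  # PSH+ACK, OR of flags gives 0x1A
        Packet(0.3, "10.1.8.3", "10.1.8.1", 53011, 53, 17, 0x00, "Gi0/0/0", 80),  # DNS query
        Packet(40.0, *https, 52, tcp_flags=0x10, sgt=100),   # quiet for 39.8 s: opens a new entry
    ]
    for p in sample:
        cache.observe(p)
    return cache.flush()
```

The export queue this produces has three records: the HTTPS conversation with 3 packets, 1612 bytes and flags 0x1A, the DNS query, and a second HTTPS entry for the packet that arrived after the inactive timeout. That split is why collectors stitch records by key across exports, and why an analyst reading a single record sees a conversation fragment rather than the whole session.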

Page 19: NetFlow Supported Platforms

[Figure: User, Switch, Router, WAN, Router, Firewall, DC Switch, Server; ISE]

NetFlow Exporters
• Catalyst 2960-X (NetFlow Lite) - Sampled Only
• Catalyst 3560-X (SM-10G module only)
• Catalyst 3750-X (SM-10G module only)
• Catalyst 3850/3650 (FNF v9 SGT support)
• Catalyst 4500E (Sup7E/7LE)
• Catalyst 4500E (Sup8) (FNF v9 SGT support)
• Catalyst 6500E (Sup2T) (FNF v9 SGT support)
• Catalyst 6800 (FNF v9 SGT support)
• Cisco ISR G2 (FNF v9 SGT support)
• Cisco ISR 4000 (FNF v9 SGT support)
• Cisco ASR1000 (FNF v9 SGT support)
• Cisco CSR 1000v (FNF v9 SGT support)

NetFlow Capable
• Cisco WLC 5760 (FNF v9)
• Cisco WLC 5520, 8510, 8540 (v9) *
• ASA5500, 5500-X (NSEL)
• Nexus 7000 (M Series I/O modules – FNF v9)
• Nexus 1000v (FNF v9)
• Cisco NetFlow Generation Appliance (FNF v9)
• Cisco UCS VIC (VIC 1224/1240/1280/1340/1380)
• Cisco AnyConnect Client (IPFIX) *

Page 20: Network as an Enforcer

Page 21: Network as an Enforcer: Software-Defined Segmentation with TrustSec

Traditional Security Policy (address-based ACL, as shown on the slide):

access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

TrustSec Security Policy
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy

[Figure: Network Fabric of Switch, Router, DC FW, DC Switch, Wireless: Flexible and Scalable Policy Enforcement]

Page 22: Network Segmentation with TrustSec

[Figure: session context (Username: johnd, Group: Store Managers, Location: Store Office, Time: Business Hour) yields Security Group: Manager; Enforcement on Switches, Routers, Firewall, DC Switch and Hypervisor SW protects the Resource marked "AUTHORIZED PERSONNEL ONLY"]

Segmentation based on RBAC
• Independent from address-based topology

Role based on context
• AD, LDAP attributes, device type, location, time, access methods, etc…

Use tagging technology
• To represent a logical group (Classification)
• To enforce policy on switch, router, and firewall

Software Defined
• Policy managed centrally
• Policy provisioned automatically on demand
• Policy invoked anywhere on the network dynamically

Page 23: How TrustSec Simplifies Network Segmentation

Traditional Segmentation: security policy based on topology, high cost and complex maintenance
• Access Layer VLANs per role: Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN (BYOD), Quarantine VLAN (Non-Compliant)
• Each VLAN carries its own Address, DHCP Scope, Redundancy, Routing, Static ACL and VACL
• The VLAN structure is carried through the Aggregation Layer into the Enterprise Backbone

TrustSec: use the existing topology and automate security policy to reduce OpEx
• No VLAN Change
• No Topology Change
• Central Policy Provisioning (ISE)
• Micro/Macro Segmentation
• Access Layer keeps the Voice VLAN and one Data VLAN shared by Employee, Supplier, BYOD and Non-Compliant; roles are carried as Employee Tag, Supplier Tag and Non-Compliant Tag across the Enterprise Backbone
• Policy is enforced at the DC Firewall / Switch in front of the DC Servers

Page 24: TrustSec in Action

[Figure: Classification, Propagation and Enforcement across the network: Directory Users, Wireless and Remote Access clients enter through the Switch and Routers, tags are propagated to the DC Switch and DC Firewall in front of the Application Servers, ISE provides the policy; tags shown: 5 SGT, 8 SGT, 7 SGT]

Page 25: TrustSec Functions

• Classification: Static, Dynamic
• Propagation: Inline, SXP
• Enforcement: SGACL, SGFW, SGZBFW

[Figure: tags 5 Employee, 6 Supplier, 8 Suspicious; endpoints A and B carrying tags 8 and 5 across the WAN]
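The three functions on this slide, and the contrast with the address-based ACL on the enforcer slides, as a runnable model: classification derives a Security Group Tag from session context, propagation carries the tag with the packet (here via an SXP-style IP-to-SGT binding table), and enforcement is a lookup of (source SGT, destination SGT) in an SGACL matrix. This is an added example, not code from the deck, from Cisco ISE or from any TrustSec platform. Tag values 5, 6 and 8 are the ones shown on the slide; the use of 0 for an unknown tag, 7 for the application servers, the context attributes, the endpoint addresses and the matrix cells are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Security Group Tags. 5, 6 and 8 are the values on the slide; 0 is the
# conventional "unknown" tag and 7 is assumed here for the application servers.
UNKNOWN, EMPLOYEE, SUPPLIER, SERVER, SUSPICIOUS = 0, 5, 6, 7, 8


@dataclass(frozen=True)
class Context:
    """What the identity service knows about a session (constructed attributes)."""
    username: str
    group: str        # AD/LDAP group
    device_type: str
    compliant: bool   # posture result
    location: str


def classify(ctx: Context) -> int:
    """Dynamic classification: the tag follows role and posture, never the address."""
    if not ctx.compliant:
        return SUSPICIOUS                    # quarantine regardless of who the user is
    if ctx.group in ("Store Managers", "Employees"):
        return EMPLOYEE
    if ctx.group == "Suppliers":
        return SUPPLIER
    return UNKNOWN                           # no matching role: falls into default deny


class SxpBindings:
    """IP-to-SGT bindings a device learns over SXP when it cannot read inline tags."""

    def __init__(self) -> None:
        self.table: Dict[str, int] = {}

    def add(self, ip: str, sgt: int) -> None:
        self.table[ip] = sgt                 # a re-classification simply overwrites

    def lookup(self, ip: str) -> int:
        return self.table.get(ip, UNKNOWN)


# SGACL matrix: (source SGT, destination SGT) -> permitted services; "*" means any.
# A pair without a cell is denied. Unlike the address-based ACL on the earlier
# slides, the matrix grows with the number of roles, not the number of hosts.
Matrix = Dict[Tuple[int, int], FrozenSet[str]]
MATRIX: Matrix = {
    (EMPLOYEE, SERVER): frozenset({"tcp/443", "tcp/22"}),
    (SUPPLIER, SERVER): frozenset({"tcp/443"}),
    (EMPLOYEE, EMPLOYEE): frozenset({"*"}),
}


@dataclass(frozen=True)
class TaggedPacket:
    src_ip: str
    dst_ip: str
    service: str     # e.g. "tcp/443"
    src_sgt: int     # carried inline or resolved from SXP bindings
    dst_sgt: int


def enforce(pkt: TaggedPacket, matrix: Matrix = MATRIX) -> bool:
    """SGACL lookup on the enforcement point (switch, router or firewall)."""
    allowed = matrix.get((pkt.src_sgt, pkt.dst_sgt), frozenset())
    return "*" in allowed or pkt.service in allowed


def run_scenario() -> Dict[str, bool]:
    """Classification -> propagation -> enforcement for a constructed store network."""
    bindings = SxpBindings()
    johnd = Context("johnd", "Store Managers", "laptop", True, "Store Office")
    acme = Context("acme-tech", "Suppliers", "laptop", True, "Loading Dock")
    bindings.add("10.51.51.10", classify(johnd))    # constructed endpoint addresses
    bindings.add("10.51.52.20", classify(acme))
    bindings.add("10.200.21.110", SERVER)           # application server

    def decide(src_ip: str, dst_ip: str, service: str) -> bool:
        pkt = TaggedPacket(src_ip, dst_ip, service,
                           bindings.lookup(src_ip), bindings.lookup(dst_ip))
        return enforce(pkt)

    result = {
        "manager_https": decide("10.51.51.10", "10.200.21.110", "tcp/443"),
        "supplier_https": decide("10.51.52.20", "10.200.21.110", "tcp/443"),
        "supplier_ssh": decide("10.51.52.20", "10.200.21.110", "tcp/22"),
        "unknown_host_https": decide("10.51.53.99", "10.200.21.110", "tcp/443"),
    }
    # Posture fails later in the session: the same IP is re-classified to
    # SUSPICIOUS and loses access with no ACL edit and no VLAN move.
    failed = Context("johnd", "Store Managers", "laptop", False, "Store Office")
    bindings.add("10.51.51.10", classify(failed))
    result["manager_after_posture_fail"] = decide("10.51.51.10", "10.200.21.110", "tcp/443")
    return result
```

The last step is the point of the slide: the quarantine happens by changing one binding, while the address, the VLAN and the matrix are untouched. A host with no binding at all falls to tag 0 and is denied because no matrix cell exists for it, which is the default-deny behaviour an enforcement point should have for unclassified traffic.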

Page 26: TrustSec Supported Platforms

[Figure: User, Switch, Router, WAN (GETVPN, DMVPN, IPSEC), Router, Firewall, DC Switch, vSwitch, Server; ISE; SGT carried end to end. Platforms grouped by Classification, Propagation and Enforcement]

Classification
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C/-X/-CX
• Catalyst 3750-E/-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E/7E)
• Catalyst 4500E (Sup8)
• Catalyst 6500E (Sup720/2T)
• Catalyst 6800
• WLC 2500/5500/5400/WiSM2/8510/8540
• WLC 5760
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISRG2, CGR2000, ISR4000
• IE2000/3000/CGR2000
• ASA5500 (RAS VPN)

Propagation
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C, 3750-E
• Catalyst 3560-X/3750-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E)
• Catalyst 4500E (Sup7E, 7LE, 8E)
• Catalyst 4500X
• Catalyst 6500E (Sup720)
• Catalyst 6500/Sup2T, 6800
• WLC 2500/5500/5400/WiSM2/8510/8540
• WLC 5760
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISRG2, ISR4000
• IE2000/3000/CGR2000
• ASR1000
• ASA5500

Enforcement
• Catalyst 3560-X
• Catalyst 3750-X
• Catalyst 3850/3650
• WLC 5760
• Catalyst 4500E (7E)
• Catalyst 4500E (8E)
• Catalyst 6500E (2T)
• Catalyst 6800
• Nexus 7000
• Nexus 6000
• Nexus 5500/5600
• Nexus 1000v
• ISR G2, ISR4000, CGR2000
• ASR 1000 Router
• CSR-1000v Router
• ASA 5500 Firewall
• ASAv Firewall
• Web Security Appliance

Page 27: Summary & Resources

Page 28: Network as a Sensor and Enforcer Summary

• TrustSec provides software-defined (micro) segmentation
• NetFlow, Cisco ISE and visualisation and mitigation tools provide visibility and intelligence
• The network is a key asset for threat detection and control

Page 29: To learn more visit

www.cisco.com/go/networksecurity
www.cisco.com/go/ISE
www.cisco.com/go/TrustSec
www.cisco.com/go/ctd
