TrustSec for a Secure Network - CLLE
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public. Local Edition: TrustSec for a Secure Network. Clark Gambrel - Kentucky; Sam Camarda - Louisiana; Consulting Systems Engineer, Security.

Upload: cisco-public-sector

Post on 19-Jan-2015


DESCRIPTION

TrustSec for a Secure Network, Cisco Live Sled East. "There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage."

TRANSCRIPT

Page 1: TrustSec for a Secure Network- CLLE

TrustSec for a Secure Network
Clark Gambrel - Kentucky
Sam Camarda - Louisiana
Consulting Systems Engineer – Security

Page 2: TrustSec for a Secure Network- CLLE

Table of Contents

• Advanced Threats
• Authentication
• Profiling
• Posture Assessment
• Network Segmentation
• Security Group Tags

Page 3: TrustSec for a Secure Network- CLLE


Why?

Page 4: TrustSec for a Secure Network- CLLE


Advanced Threats

Page 5: TrustSec for a Secure Network- CLLE

“There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage.”

Source: Security’s New Reality: Assume the Worst; Dark Reading

Page 6: TrustSec for a Secure Network- CLLE

Advanced Threats – Advanced Persistent Threats (APTs)

• APT is the Hot Topic in Information Security
‒ Aurora (2009) brought the term into the mainstream
‒ APTs actually incorporate a number of threats
• APTs have Common Features
‒ Defined goal, not opportunistic
‒ Stealthy infiltration, horizontal propagation
‒ Obfuscate trail, to ensure continued compromise
‒ Multiple tools / tactics used throughout campaign
‒ Significant resources required over an extended period
• APT Component Parts are Not Really Advanced
‒ Off the shelf malware dev kits
‒ Spear phishing & social engineering
‒ Drop an infected key in the car park / smoking area etc.

Page 7: TrustSec for a Secure Network- CLLE

APT Attack Targets & Methodology

• Who Are The Targets?
‒ Governments
   Economic offices, military, diplomatic corps, etc. – anyone working overseas
   Outside government contractors, advisors (e.g. academic scholars)
   Dissident and activist support organizations (and related NGOs)
‒ Private sector & commercial
   Multinational businesses – aerospace, energy, pharmaceutical, finance, technology,
• How Do They Work?

Diagram labels: Identify Target, Recon, Phishing, 0-day Malware, Initial Access, Infiltrate, Spread, Persist, Extract, Extract IP

Page 8: TrustSec for a Secure Network- CLLE

To defend we must recognize actors’ motives

• Stock Price Manipulation
‒ Company Financials
‒ Sales Forecasts
• Gain Competitive Advantage
‒ Go-to-market strategies
‒ Product roadmaps and schedules
‒ Acquisition plans
‒ Customer lists
• Impact Operations
• Damage the Company Brand
‒ Web Site Defacing
‒ Denial of Service
• Obtain Intellectual Property
‒ ASIC designs
‒ Source Code
• Exploit the Network Potential
‒ Huge amount of Internet Bandwidth
‒ Hundreds of thousands of PCs
• Fraud
‒ RMA Fraud
‒ Bank Account Transfers
‒ Toll Dial Fraud
‒ Credit Card Data
‒ Identity Theft
‒ Counterfeiting
• Attack Specific Customers
‒ Vulnerabilities in Source Code
‒ Bug Tracking Data

.. And More!

Page 9: TrustSec for a Secure Network- CLLE

Threats? Is that all I need to worry about?

Sadly…No

Page 10: TrustSec for a Secure Network- CLLE


The Device Landscape

Corporate Laptops Corporate VXI Endpoints

Mobile Devices (BYOD)

Other

Page 11: TrustSec for a Secure Network- CLLE

Top of Mind Security Concerns

The Challenge: Device Proliferation – What threat? Where?

Device Proliferation will lead to billions of devices (Internet of Everything)

• How can we minimize the threats these devices bring with them?
• How to deploy a consistent policy for all these devices?
• How to ensure end-to-end security in a scalable way?

Page 12: TrustSec for a Secure Network- CLLE


How it’s made

Page 13: TrustSec for a Secure Network- CLLE

Concept: Kill Chain

• http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/

• Reconnaissance: Harvesting email addresses, identifying information, etc.
• Weaponization: Coupling exploit with backdoor into deliverable payload
• Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: Exploiting a vulnerability to execute code in victim system
• Command and Control: Command channel for remote manipulation of victim
• Actions on Objectives: Intruders accomplish their original goal

Page 14: TrustSec for a Secure Network- CLLE

Kill Chain: Post Breach

1. Social Engineering Exploit
2. Command and Control

Page 15: TrustSec for a Secure Network- CLLE

Kill Chain: Post Breach

1. Command and Control
2. Reconnaissance

Page 16: TrustSec for a Secure Network- CLLE

Kill Chain: Post Breach

1. Command and Control
2. Reconnaissance
3. Propagation

Page 17: TrustSec for a Secure Network- CLLE

Kill Chain: Post Breach

1. Command and Control
2. Reconnaissance
3. Propagation
4. C&C Alternate Path

Page 18: TrustSec for a Secure Network- CLLE

Kill Chain: Post Breach

1. Command and Control
2. Reconnaissance
3. Propagation

Page 19: TrustSec for a Secure Network- CLLE

Kill Chain: Post Breach

1. Command and Control
2. Reconnaissance
3. Propagation

Page 20: TrustSec for a Secure Network- CLLE

Kill Chain: Post Breach

1. Command and Control
2. Reconnaissance
3. Propagation
4. Data Theft

Stealth/Sleep

Page 21: TrustSec for a Secure Network- CLLE


Sit back and watch it happen?

Nope…

Page 22: TrustSec for a Secure Network- CLLE

So, What to do first?
How do I limit my exposure

• Educate Users
• Standardize
• Anti-Virus
• User Privileges
• Patch, Patch, Patch
• Isolate – Java?
• Upgrade
• AAA - Segment and Contain

AAA - Segment and Contain: Authenticate & Authorize

Page 23: TrustSec for a Secure Network- CLLE

Network Access Policies
Authentication and Authorization

Identity Information:
• Group: Contractor
• Group: Full-Time Employee
• Group: Guest

Other Conditions:
• Time and Date
• Access Type
• Location
• Posture
• Device Type

Authorization (Controlling Access):
• Broad Access
• Limited Access
• Guest/Internet
• Deny Access
• Quarantine
• Track Activity for Compliance

Access Scenarios:
• Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.
• Frank Lee: Guest; Wireless; 9 a.m.
• Security Camera G/W: Agentless Asset; MAC: F5 AB 8B 65 00 D4
• Francois Didier: Consultant; HQ—Strategy; Remote Access; 6 p.m.

Page 24: TrustSec for a Secure Network- CLLE

TrustSec Authentication Overview

• IEEE 802.1X
‒ Standard for link layer authentication and access control
‒ Components: supplicant (client), authenticator (switch), and AAA server
‒ Uses Extensible Authentication Protocol (EAP) to transport authentication info.
• MAC Auth Bypass (MAB)
‒ Authenticate using the client’s MAC address
‒ For devices that don’t support 802.1X (no supplicant), such as printers.
• Web Authentication
‒ For clients that don’t support 802.1X (no supplicant), but are capable of interactive HTTP authentication

Page 25: TrustSec for a Secure Network- CLLE

Wired Flexible Authentication
One Configuration Fits All

• One configuration addresses all use cases, all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Support for IP Telephony
• Support single-host and multi-auth scenarios

Diagram labels:
• 802.1X: EAP Credentials Sent & Validated; Port Authorized
• 802.1X times out or fails: MAB
• MAB, Known MAC: Access Accept; Port Authorized
• MAB, Unknown MAC: Access Accept; Port Authorized w/ URL Redirect (Web)
• Host Change
• Endpoints shown: 802.1X Client, IP Phone, Guest User, Employee, Partner, Faculty, Sub Contractor, Network Printer
• Policy server: ISE

Page 26: TrustSec for a Secure Network- CLLE

Profiling Technology
The Ability to Classify Devices

• Why Classify?
‒ Originally: identify the devices that cannot authenticate and automagically build the MAB list.
   i.e.: Printer = Bypass Authentication
‒ Today: Now we also use the profiling data as part of an authorization policy.
   i.e.: Authorized User + i-Device = Internet Only

Page 27: TrustSec for a Secure Network- CLLE


All those devices

Page 28: TrustSec for a Secure Network- CLLE

ISE Profiling

Diagram labels: PCs; Non-PCs (UPS, Phone, Printer, AP); How?

• What ISE Profiling is:
‒ Dynamic classification of every device that connects to network using the infrastructure.
‒ Provides the context of “What” is connected independent of user identity for use in access policy decisions
• What Profiling is NOT:
‒ An authentication mechanism.
‒ An exact science for device classification.

Page 29: TrustSec for a Secure Network- CLLE

Profiling Technology
Visibility Into What Is On the Network

Page 30: TrustSec for a Secure Network- CLLE

Profiling Non-User Devices
Dynamic Population of MAB Database Based on Device Type

• UPS = Management_Only dACL
• Cameras = Video VLAN
• Printers = Printer VLAN

Diagram labels: Access Switch, Management, ISE, Value-Add

Page 31: TrustSec for a Secure Network- CLLE

Profiling User Devices
Differentiated Access Based on Device Type

• Kathy (Marketing) + Personal Tablet / Smartphone = Limited Access (Internet Only); Named ACL = Internet_Only
• Kathy (Marketing) + Corp Laptop = Full Access to Marketing VLAN; VLAN = Marketing

Diagram labels: WLAN Controller, ISE, Internet, Corp, Guest, Value-Add
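The fallback order from the Wired Flexible Authentication slide and the device-type results from the two profiling slides, modelled as an added Python example (it is not Cisco or ISE code). The MAC addresses, the user directory, the "Corp Laptop" label and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed endpoint database: MAC address -> device type assigned by profiling.
PROFILED_DEVICES = {
    "00:11:22:aa:bb:01": "Printer",
    "00:11:22:aa:bb:02": "Camera",
    "00:11:22:aa:bb:03": "UPS",
}

# Authorization results the slides give for profiled non-user devices.
MAB_AUTHORIZATION = {
    "Printer": "VLAN=Printer",
    "Camera": "VLAN=Video",
    "UPS": "dACL=Management_Only",
}

# Constructed user directory: EAP identity -> group.
USER_GROUPS = {"kathy": "Marketing"}


@dataclass
class Endpoint:
    mac: str
    supplicant: bool = False            # can the device speak 802.1X at all?
    eap_identity: Optional[str] = None  # identity presented over EAP
    eap_valid: bool = False             # did the AAA server validate the credentials?
    device_type: Optional[str] = None   # profiler's classification of a user device


def dot1x_group(ep: Endpoint) -> Optional[str]:
    """Return the user's group when 802.1X succeeds, None when it times out or fails."""
    if ep.supplicant and ep.eap_valid:
        return USER_GROUPS.get(ep.eap_identity or "")
    return None


def authorize(ep: Endpoint) -> Tuple[str, str]:
    """Walk 802.1X -> MAB -> Web Auth and return (method, authorization result)."""
    group = dot1x_group(ep)
    if group is not None:
        # Identity alone does not decide access: the device type narrows it.
        if ep.device_type == "Corp Laptop":
            return "802.1X", "VLAN=" + group
        return "802.1X", "ACL=Internet_Only"
    # 802.1X timed out or failed: fall back to the MAC address. Profiling is
    # not authentication, so MAB results stay narrow and never grant a user VLAN.
    profile = PROFILED_DEVICES.get(ep.mac.lower())
    if profile in MAB_AUTHORIZATION:
        return "MAB", MAB_AUTHORIZATION[profile]
    # Unknown MAC: the port is authorized only for redirected web authentication.
    return "WebAuth", "URL-Redirect"
```

Because the MAB branch can only return the device-type results, a port that falls through from 802.1X never receives more than the printer, video or management-only access defined for that profile.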

Page 32: TrustSec for a Secure Network- CLLE

Understanding ISE Profiling
IP to MAC Address is Critical

• All Endpoints are uniquely identified by their MAC Address
‒ One workstation connected to both Wired & Wireless = 2 devices in ISE
• Some probes collect data based on IP address only. If ISE is not L2 adjacent, then IP-to-MAC Address binding is required.
‒ This means other probes must be in place and working to collect IP-to-MAC data.
• Collection methods that bypass MAC-IP requirement:
‒ HTTP (URL-Redirected traffic)
‒ IOS Sensor

Diagram labels: DNS, IOS Sensor, DHCP, NMAP

Page 33: TrustSec for a Secure Network- CLLE

Feed Service

• Automatic Updates
• Feeds OUIs, Profiles, Posture, Bootstraps, and Agents
• Has approval / publish process

Page 34: TrustSec for a Secure Network- CLLE

Where has this device been?

Page 35: TrustSec for a Secure Network- CLLE

Posture Assessment
Does the Device Meet Security Requirements?

• Posture = the state-of-compliance with the company’s security policy.
‒ Is the system running the current Windows Patches?
‒ Anti-Virus Installed? Is it Up-to-Date?
‒ Anti-Spyware Installed? Is it Up-to-Date?
‒ Screensaver enabled? Password Protected?
‒ Personal Firewall Enabled?
• User / System Identity is extended to include their Posture Status.
• Can be extended to Mobile Devices
‒ MobileIron, AirWatch, Citrix, Afaria, SAP
‒ Device Registration, Wipe, Lock

Page 36: TrustSec for a Secure Network- CLLE

ISE – Posture Policies

Access types: Wired, Wireless, VPN
User groups: Employees, Contractors/Guests

Employee Policy:
• Microsoft patches updated
• Trend Micro AV installed, running, and current
• Corp asset checks
• Enterprise application running

Contractor Policy:
• Any AV installed, running, and current

Guest Policy: Accept AUP (No posture - Internet Only)

Page 37: TrustSec for a Secure Network- CLLE


Authorization and Segmentation

Page 38: TrustSec for a Secure Network- CLLE

Network Segmentation

• Primary Network Segmentation Methods
‒ Ingress port dynamic VLAN assignment
‒ Ingress port ACLs
‒ Downloadable ACLs (dACLs)
‒ Named ACLs (filter-id)
‒ Egress port ACLs (Security Group ACLs, or SGACLs)
• Complementary Technologies and Segmentation Methods
‒ Virtual Route Forwarding (VRF)
‒ Generic Route Encapsulation (GRE)
‒ Virtual Private Networking (VPN)
‒ Policy-Based Routing (PBR)
‒ Other tunneling / path isolation technologies (L2TPv3, MPoE, QinQ, WDM, etc)

Page 39: TrustSec for a Secure Network- CLLE

VLANs and dACLs

VLANs
• Authorization policy dynamically sets port VLAN
• VLAN assignment based on user compliance or role; for example:
‒ Quarantine/Remediation VLAN
‒ Guest VLAN
‒ Employee VLAN
• Infrastructure is responsible for isolating or securing traffic on VLAN such as ACLs, Firewalls, and/or path isolation (VRFs, tunnels, etc).
• Typically requires IP change, thus often disruptive to user access with potential delays and/or conflicts with other endpoint processes.

dACLs
• Authorization policy dynamically sets port ACL to limit device access
• ACL source (any) automatically converted to specific host address
• Resource limits per switch on ACE count per ACL, thus intended for coarse-grained access restrictions
• No IP address change required, thus typically less disruptive to endpoint and improved user experience.

Diagram labels: 802.1X/MAB/Web Auth; VLAN Assignment; ACL Download

Page 40: TrustSec for a Secure Network- CLLE

Authorization
Switch/Controller is the Enforcement Point

Page 41: TrustSec for a Secure Network- CLLE

Authorization
Switch/Controller is the Enforcement Point

Page 42: TrustSec for a Secure Network- CLLE

What Makes this Work
Change of Authorization (CoA)

• CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/Redirection for a device/user without having to start the entire process all over again.
• Without it: Manually remove the user from the network & then have the entire AAA process begin again.
‒ Example: disassociate wireless device & have to join wireless again.
• RFC 3576 and 5176

Page 43: TrustSec for a Secure Network- CLLE

RADIUS Change of Authorization (CoA)

1 Endpoint fails Posture Assessment and gets assigned to Quarantine VLAN
2 Endpoint remediates itself and is reported: Posture=Compliant
3 ISE issues RADIUS CoA to re-authenticate
4 Client is re-authenticated and assigned to CORP VLAN

Diagram labels: Quarantine VLAN, CORP VLAN

Page 44: TrustSec for a Secure Network- CLLE

RADIUS Change of Authorization (CoA)

1 Endpoint fails Posture Assessment and gets assigned to Quarantine VLAN
2 Endpoint remediates itself and is reported: Posture=Compliant
3 ISE issues RADIUS CoA to re-authenticate
4 Client is re-authenticated and assigned to CORP VLAN

Diagram labels: Quarantine VLAN, CORP VLAN

Dynamic session control from a Policy server
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
• Session Query
‒ For Active Services
‒ For Complete Identity
‒ Service Specific
• Service Activate
• Service De-activate
• Service Query

Page 45: TrustSec for a Secure Network- CLLE

CoA Benefit
Native Supplicant or EAP-Chaining with AnyConnect

Boot and logon sequence shown in the diagram:
• Power On
• Kernel Loading; Windows HAL Loading; Device Driver Loading
• Obtain Network Address (Static, DHCP)
• Determine Site and DC (DNS, LDAP)
• Establish Secure Channel to AD (LDAP, SMB)
• Kerberos Authentication (Machine Account)
• Computer GPOs Loading (Async)
• GPO based Startup Script Execution
• Certificate Auto Enrollment; Time Synchronization; Dynamic DNS Update
• GINA
• Kerberos Auth (User Account)
• User GPOs Loading (Async)
• GPO based Logon Script Execution (SMB)

Diagram labels: Components that depend on network connectivity; Machine Authentication; User Authentication

Page 46: TrustSec for a Secure Network- CLLE

Authorization Challenges
Ingress Access Control

• Traditional access authorization methods leave some deployment concerns:
– Detailed design before deployment is required, otherwise…
   • Not so flexible for changes required by today’s business
   • Access control project ends up with redesign for entire network
• Access devices now being used as Security devices

VLAN Assignment:
• Can I create / manage the new VLANs or IP Address scope?
• How do I deal with DHCP refresh in new subnet?
• How do I manage ACL on VLAN interface?
• Do protocols such as PXE or WOL work with VLAN assignment?
• Any impact to the route summarization?

ACL Download:
• Who’s going to maintain ACLs?
• What if my destination IP addresses are changed?
• Does my switch have enough TCAM to handle all requests?

Diagram labels: 802.1X/MAB/Web Auth; ACL Download; VLAN Assignment

Page 47: TrustSec for a Secure Network- CLLE

Enter Secure Group Access
Topology Independent Access Control

• Term describing use of:
‒ Secure Group TAGs (SGTs)
‒ Secure Group ACLs (SGACLs)
‒ When a user logs in they are assigned a TAG (SGT) that identifies their role
‒ The TAG is carried throughout the Network
• Removes concern over TCAM space for detailed Ingress ACLs
• Removes concern of ACE explosion on DC Firewalls
• Enforce that tag in the DataCenter or at the ASA Edge
• SGACLs are applied based on a matrix:

SGT      Public   Private
Staff    Permit   Permit
Guest    Permit   Deny

Page 48: TrustSec for a Secure Network- CLLE

Security Group-Based Access Control In Action

Security Group Based Access Control
• Authorization policy dynamically sets egress port ACL (SGACL) to limit device access
• ACL source (any) automatically converted to specific host address
• Since ACL applied close to destination (protected resource), SGACLs intended for fine-grained access restrictions
• SGA abstracts the network topology from the policy thus reducing the number of policy rules necessary for the admin to maintain

Diagram labels: 802.1X/MAB/Web Auth; “I’m a contractor, my group is HR” (SGT = 100); Contractor & HR SGT = 100; Finance (SGT=4); HR (SGT=10); SGACL

Page 49: TrustSec for a Secure Network- CLLE

How is the Tag Assigned?

SGT Assignment Process:

1. A user (or device) logs into network via 802.1X
2. ISE is configured to send a TAG in the Authorization Result – based on the “ROLE” of the user/device
3. The Switch/Controller applies this TAG to the user’s traffic.

Page 50: TrustSec for a Secure Network- CLLE

Security Group Based Access Control

SGA Allows Customers:
‒ To keep existing logical design at access layer
‒ To change / apply policy to meet today’s business requirement
‒ To distribute policy from central management server

Diagram labels: 802.1X/MAB/Web Auth; “I am an employee, my group is HR” (HR SGT = 100); Ingress Enforcement; SGT=100; Egress Enforcement (SGACL); HR (SGT=100); Finance (SGT=4)
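The Staff/Guest matrix and the tag-assignment steps from the preceding slides, as an added Python model (not Cisco code) of why egress enforcement on tags is topology independent and keeps the rule count small. The tag numbers, IP addresses, function names and the deny result for any pair missing from the matrix are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

UNKNOWN_SGT = 0  # assumption: value used here for traffic with no known group

# Constructed tag numbers; the slide names the groups but not their tags.
SGT = {"Staff": 10, "Guest": 20, "Public": 100, "Private": 200}

# The slide's matrix: (source tag, destination tag) -> action.
SGACL_MATRIX: Dict[Tuple[int, int], str] = {
    (SGT["Staff"], SGT["Public"]): "permit",
    (SGT["Staff"], SGT["Private"]): "permit",
    (SGT["Guest"], SGT["Public"]): "permit",
    (SGT["Guest"], SGT["Private"]): "deny",
}

# Constructed bindings of protected servers to destination groups.
SERVER_SGT = {"10.20.0.5": SGT["Public"], "10.30.0.9": SGT["Private"]}


@dataclass(frozen=True)
class TaggedFrame:
    src_ip: str
    dst_ip: str
    sgt: int  # source group tag carried with the traffic


def tag_at_ingress(role: str, src_ip: str, dst_ip: str) -> TaggedFrame:
    """Access switch: apply the tag returned in the authorization result."""
    return TaggedFrame(src_ip, dst_ip, SGT.get(role, UNKNOWN_SGT))


def enforce_at_egress(frame: TaggedFrame) -> str:
    """Egress switch: look up (source tag, destination tag); IPs play no part
    in the policy beyond resolving the destination's group."""
    dst_sgt = SERVER_SGT.get(frame.dst_ip, UNKNOWN_SGT)
    return SGACL_MATRIX.get((frame.sgt, dst_sgt), "deny")  # assumed default


def ip_acl_entries(src_hosts: int, dst_hosts: int) -> int:
    """Entries needed when every source/destination host pair is listed by IP."""
    return src_hosts * dst_hosts


def sgacl_entries() -> int:
    """Entries needed when policy is written once per group pair."""
    return len(SGACL_MATRIX)
```

A guest gets the same decision from a wired or a wireless subnet because only the tag is matched, and the policy stays at four cells while a per-host ACL for 400 clients and 30 servers would need 12,000 entries.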

Page 51: TrustSec for a Secure Network- CLLE

Security Group Based Access Control for Firewalls
Security Group Firewall (SGFW)

Diagram labels: Source Tags, Destination Tags

Page 52: TrustSec for a Secure Network- CLLE


More Good Stuff

Page 53: TrustSec for a Secure Network- CLLE

MACSec and NDAC
Media Access Control Security and Network Device Admission Control

• MACSec: Layer-2 Encryption (802.1AE)
‒ Industry Standard Extension to 802.1X
‒ Encrypts the links between host and switch and links between switches.
‒ Traffic in the backplane is unencrypted for inspection, etc.
‒ Client requires a supplicant that supports MACSec and the encryption key-exchange
• NDAC: Authenticate and Authorize switches entering the network
‒ Only honors SGTs from Trusted Peers
‒ Can retrieve policies from the ACS/ISE Server and “proxy” the trust to other devices.

Diagram labels: Encrypted Link (between switchports)

Page 54: TrustSec for a Secure Network- CLLE

Client MACSec in Action

1 User bob connects.
2 Bob’s policy indicates endpoint must encrypt.
3 Key exchange using MKA, 802.1AE encryption complete. User is placed in corporate VLAN. Session is secured.
4 User steve connects.
5 Steve’s policy indicates endpoint must encrypt.
6 Endpoint is not MACSec enabled. Assigned to guest VLAN.

802.1X-Rev Components
• MACSec enabled switches
• AAA server 802.1X-Rev aware
• Supplicant supporting MKA and 802.1AE encryption

Diagram labels: Wiring Closet Switch; Campus Network; User: bob, Policy: encryption (MACSec enabled); User: steve, Policy: encryption (Non-MACSec enabled)

Page 55: TrustSec for a Secure Network- CLLE

Register for Cisco Live - Orlando

Cisco Live - Orlando
June 23 – 27, 2013
www.ciscolive.com/us

Page 56: TrustSec for a Secure Network- CLLE