TrustSec (NaaS / NaaE)
TRANSCRIPT
Security is top of mind for our customers
60% of data is stolen in HOURS
85% of point-of-sale intrusions aren't discovered for WEEKS
54% of breaches remain undiscovered for MONTHS
51% increase in companies reporting a $10M loss or more in the last 3 YEARS
"A community that hides in plain sight avoids detection and attacks swiftly" - Cisco Annual Security Report
"Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network." - US-CERT
How TrustSec Simplifies Network Segmentation
Traditional Segmentation: security policy based on topology; high cost and complex maintenance. Every role (Voice, Employee, Supplier, BYOD/Guest, Non-Compliant) needs its own VLAN (Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN, Quarantine VLAN) from the access layer through the aggregation layer to the enterprise backbone, and each VLAN brings addressing, a DHCP scope, redundancy, routing, static ACLs and VACLs to maintain.
TrustSec: use the existing topology and automate security policy to reduce OpEx. ISE provisions policy centrally; there is no VLAN change and no topology change; micro/macro segmentation is expressed through tags (Employee Tag, Supplier Tag, Non-Compliant Tag) assigned at the access layer, carried across the enterprise backbone and enforced at the DC firewall/switch in front of the DC servers. The Voice VLAN and Data VLAN stay as they are; Employee, Supplier, BYOD and Non-Compliant endpoints share the Data VLAN and are separated by tag.
Driven by Customer Top-of-Mind Concerns
Segmentation for Threat Defense: segmentation at the access layer to block lateral movement of threats; access control to improve security
• Major retailers segmenting critical assets in stores and DC, driven by recent hacks
• Governments, tech companies, healthcare, manufacturing increasing network security controls to mitigate risk
Regulatory Compliance: segmentation for scope reduction, protecting sensitive information from other connected devices (PCI, HIPAA, financial regulation, etc.)
• Bank - 3 use cases in production
• Bank - deploying across 350,000 endpoints
• Multiple retailers for PCI compliance
• Defense customer - export controls
• Healthcare - segmenting clinical/non-clinical devices and protecting patient data
Privileged Access to DC: restricting application access based on user/device privilege in a scalable fashion
• Banks
• Universities
• Broadcaster
• Federal/Central Governments
• Utilities
• Defense
• Manufacturers
• Insurance
• Consumer electronics
• Research
Agenda
Overview of Cisco TrustSec
Prescriptive Approach for Effective Segmentation
Summary and Key Takeaways
Case Studies and Design Considerations
Overview of Cisco TrustSec
TrustSec: About Security Group Tags
(Diagram: SGTs applied to endpoints, priority users/devices, sites/branch offices, servers and users, including infected hosts.)
Classification: the process of assigning SGTs
Propagation: the process of carrying tags in the network
Enforcement: the process of controlling access based on tags (full access, partial access, access deny)
TrustSec in Action
(Diagram: users reach the network through switches, wireless and remote access, authenticating against ISE, which consults the directory and assigns SGTs such as 5, 7 and 8. The tags travel across the routers to the DC switch and DC firewall, which enforce policy in front of the application servers. Dynamic classification on the user side, static classification on the server side.)
Classification Types
Dynamic classification (common classification for mobile devices):
• 802.1X Authentication
• Web Authentication
• MAC Auth Bypass
Static classification (common classification for servers, topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
Either method results in an SGT being assigned.
Propagation: Inline Tagging
• Fastest and most scalable way to propagate SGTs within the LAN or Data Center
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Optionally protected by enabling MACsec (IEEE 802.1AE) on capable hardware
• No impact on QoS or IP MTU/fragmentation
• L2 frame impact: ~20 bytes
• 16-bit field gives ~64,000 tag space
• A non-capable device drops the frame because of the unknown EtherType
Ethernet frame with inline SGT: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
CMD (Cisco Meta Data) fields: CMD EtherType (0x8909) | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Options
MACsec frame: Destination MAC | Source MAC | 802.1AE Header | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE trailer | CRC; the 802.1Q tag, CMD, EtherType and payload are covered by 128-bit encryption.
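As an added example (not part of the deck, not Cisco code), the following Python builds and dissects a frame with the CMD/SGT header laid out as the slide lists it: CMD EtherType 0x8909, Version, Length, SGT Option Type, SGT Value, then the original EtherType. The Version value 0x01, the SGT option-type value 0x0001 and the meaning of the Length byte are assumptions; the MAC addresses and payload are constructed. The last function models the slide's caveat that a device without CMD support sees an unknown EtherType and drops the frame.

```python
"""Build and parse an Ethernet frame carrying an inline SGT in a Cisco Meta
Data (CMD) header (EtherType 0x8909).  Added example; field layout follows
the slide, the Version and option-type constants are assumptions."""
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_CMD = 0x8909     # Cisco Meta Data, from the slide
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 0x01         # assumed
CMD_OPT_SGT = 0x0001       # assumed SGT option type
CMD_FMT = "!BBHHH"         # version, length, option type, SGT value, inner EtherType
CMD_LEN = struct.calcsize(CMD_FMT)


def build_frame(dst: bytes, src: bytes, payload: bytes, sgt: Optional[int] = None,
                vlan: Optional[int] = None, inner_type: int = ETHERTYPE_IPV4) -> bytes:
    """Assemble DST|SRC[|802.1Q][|CMD]|ETHTYPE|PAYLOAD (no CRC)."""
    if sgt is not None and not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    if sgt is not None:
        # Length byte is set to 1 here; its unit is an assumption.
        frame += struct.pack("!H", ETHERTYPE_CMD)
        frame += struct.pack(CMD_FMT, CMD_VERSION, 1, CMD_OPT_SGT, sgt, inner_type)
    else:
        frame += struct.pack("!H", inner_type)
    return frame + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the L2 headers and return MACs, VLAN, SGT and the L3 EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": None, "sgt": None, "ethertype": None}
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype == ETHERTYPE_VLAN:
        (tci,) = struct.unpack_from("!H", frame, off)
        info["vlan"] = tci & 0x0FFF
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < off + CMD_LEN:
            raise ValueError("truncated CMD header")
        version, _length, opt, sgt, ethertype = struct.unpack_from(CMD_FMT, frame, off)
        off += CMD_LEN
        if version != CMD_VERSION or opt != CMD_OPT_SGT:
            raise ValueError("unsupported CMD version or option")
        info["sgt"] = sgt
    info["ethertype"] = ethertype
    info["payload"] = frame[off:]
    return info


def legacy_switch_accepts(frame: bytes) -> bool:
    """Slide caveat: a device without CMD support treats 0x8909 as an unknown
    EtherType and drops the frame, tagged or not with 802.1Q."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_VLAN:
        (ethertype,) = struct.unpack_from("!H", frame, 16)
    return ethertype != ETHERTYPE_CMD


# Constructed sample frames: an employee host (SGT 5) on VLAN 10, and the same
# host sending without any tag.
DST = bytes.fromhex("0050569a0001")
SRC = bytes.fromhex("0050569a0002")
PAYLOAD = bytes(20)                       # placeholder for an IPv4 header
TAGGED = build_frame(DST, SRC, PAYLOAD, sgt=5, vlan=10)
UNTAGGED = build_frame(DST, SRC, PAYLOAD)

if __name__ == "__main__":
    print(parse_frame(TAGGED))
    print("legacy switch forwards tagged frame:", legacy_switch_accepts(TAGGED))
```

Under this layout the CMD header costs 8 bytes on the wire (2 for the 0x8909 EtherType plus 6 for the header fields), and a truncated or unknown-version header is rejected rather than silently mis-read.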
Propagation: SGT Exchange Protocol (SXP)
• Propagation method for IP-SGT bindings
  – Propagates IP-SGT bindings from the classification point to the enforcement point
• Open protocol (IETF draft) and OpenDaylight (ODL) supported
  – TCP port 64999
• Roles: Speaker (initiator) and Listener (receiver)
• Uses MD5 for authentication and integrity check
• Supports single-hop SXP and multi-hop SXP (SXP aggregation)
(Diagram: access switches acting as speakers send bindings such as SGT 5 = 10.0.1.2 and SGT 6 = 10.4.9.5 to listeners on switches, routers and the firewall, which aggregate and relay them.)
Propagation: SGT Transport over L3 Networks
• Multiple options for SGT transport over non-CTS Layer 3 networks
• DMVPN for Internet-based VPNs
• GETVPN for secure private MPLS clouds
• Over The Top (OTP) for private enterprise networks (1HCY15, on roadmap)
(Diagram: Data Center with Nexus 7000, Nexus 1000v and Catalyst 6500 enforcing SGACLs over CTS links, with ISE; enterprise LAN sites (HR, Finance, BYOD, wireless) reach the DC over the Internet via DMVPN, over enterprise MPLS via GETVPN, or over the enterprise network via OTP; SXP carries bindings from switches without inline tagging.)
Enforcement: SGACL Enforcement Policy
(Matrix: source SGT rows by destination SGT columns, each cell holding the SGACL applied to that pair.)
Example policy:
Source = Employee_SGT
Destination = CreditCard_Server
Policy = Deny IP
Enforcement: Policy Enforcement on Firewalls (ASA SG-FW)
• Uses the destination SGT received from switches connected to the destination
• Uses Network Objects (host, range, network (subnet) or FQDN)
• SGTs defined in ISE or locally on the ASA
• Can trigger IPS/CX inspection based on SGT
TrustSec Functions
Classification: Static, Dynamic
Propagation: Inline, SXP, WAN
Enforcement: SGACL, SGFW, SGZBFW
(Diagram: tags 5 Employee, 6 Supplier and 8 Suspicious are assigned at the access layer, carried across the network and enforced at the destination.)
TrustSec Supported Platforms
Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X/-CX; Catalyst 3750-E/-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 6800; WLC 2500/5500/5400/WiSM2/8510/8540; WLC 5760; Nexus 7000; Nexus 6000; Nexus 5500/2200; Nexus 1000v; ISR G2, CGR2000, ISR4000; IE2000/3000/CGR2000; ASA5500 (RAS VPN)
Propagation (including WAN: GETVPN, DMVPN, IPsec): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X/3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (Sup7E, 7LE, 8E); Catalyst 4500X; Catalyst 6500E (Sup720); Catalyst 6500/Sup2T, 6800; WLC 2500/5500/5400/WiSM2/8510/8540; WLC 5760; Nexus 7000; Nexus 6000; Nexus 5500/2200; Nexus 1000v; ISR G2, ISR4000; IE2000/3000/CGR2000; ASR1000; ASA5500
Enforcement: Catalyst 3560-X; Catalyst 3750-X; Catalyst 3850/3650; WLC 5760; Catalyst 4500E (7E); Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Nexus 7000; Nexus 6000; Nexus 5500/5600; Nexus 1000v; ISR G2, ISR4000, CGR2000; ASR 1000 Router; CSR-1000v Router; ASA 5500 Firewall; ASAv Firewall; Web Security Appliance
(Diagram: an Employee SGT assigned by ISE at the user's switch is propagated across routers and the WAN and enforced at the DC switch, vSwitch or firewall in front of the server.)
Prescriptive Approach for Effective Segmentation
Approaching a TrustSec Design
Focus on the business problem. Use cases can be localized. Start with policy goals.
Policy goals and pain points:
• Maintain compliance
• Protect against breach
• Complex ACLs, firewall rule complexity
Typical use cases:
• Controlled access to production systems or PCI servers
• User to DC access control
• Secure BYOD
• Contractor access control
• Extranet security
• Simplified firewall rules, VPN access, ACLs or WSA rules
Implementing Business Policy through Segmentation
The network segmentation cycle: Discover and Classify Assets -> Understand Behavior -> Design and Model Policy -> Enforce Policy -> Active Monitoring
Network Segmentation: Discover and Classify Assets
Profile assets with ISE
• User and device authentication (user ID, smart card, digital certificate, etc.)
• MAC address based authentication
• Web portal based authentication
Profile assets with NetFlow and StealthWatch
• Services, applications, hosts
• Behaviour profiling
ISE Provides Device Visibility via Profiling
Integrated Profiling: Visibility in Scale. The network infrastructure provides a local sensing function (Cisco Device Sensor, network based).
Device Feed: Identity in Scale. Manufacturers and the ecosystem provide constant updates for new devices.
Active Scanning: Enhanced Accuracy. Cisco ISE augments passive network insight with active endpoint data.
Probe sources: CDP/LLDP, DHCP, RADIUS, DNS, SNMP, NetFlow, HTTP, NMAP, Device Feed.
Profiler Design Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf
Locate Assets with Lancope StealthWatch
Find hosts communicating on the network
• Pivot based on transactional data
Network Segmentation: Understand Behavior
Understand critical business processes
• Applications, services, protocols, time of day, etc.
• Profile systems
Example: a complete list of all hosts communicating with HTTP servers: who, what, when, where and how
Network Segmentation: Design and Model Policy
Classify objects into Security Groups
• Directory server search / group mapping
• Device profiling (device type certainty)
• Other attributes: access time, location, method, etc.
Design policy
• Leverage group definitions from profiling activities
• Monitor mode deployment
Model policy with StealthWatch
• Passively model policy
Starting a TrustSec Design
Discuss assets to protect. Example: cardholder data, medical records, intellectual property.
Classification mechanisms. Example: dynamic, static, etc.
Policy enforcement points:
• DC segmentation (DC virtual/physical switches or virtual/physical firewalls)
• User to DC access control (identify capable switches or firewalls in the path)
Propagation methods:
• Inline tagging
• SXP
• DM-VPN
• GET-VPN
• IPsec
• OTP, etc.
How to Tag Users / Devices?
• TrustSec decouples network topology from security policy to simplify access control and segmentation
• The classification process groups network resources into Security Groups
Classification sources by domain:
• User/Device/Location at the Cisco access layer (ISE): 802.1X, MAB, Web Authentication, Profiling; results bound as IP-SGT, VLAN-SGT or Address Pool-SGT
• Data Center / Virtualization (NX-OS, CIAC, hypervisors): Port Profile, Port-SGT
• Campus and VPN access in non-Cisco and legacy environments, business partner and supplier access controls (IOS/routing): IPv4 prefix learning, IPv6 prefix learning, IPv6 Prefix-SGT, IPv4 Subnet-SGT
Deployment Approach: Monitor Mode
(Topology: users and endpoints on Catalyst switches / WLC (3K/4K/6K) in the campus network; PCI, Production and Development servers behind a Nexus 7000.)

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Permit all          Permit all           Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Permit all          Permit all           Permit all

• Users connect to the network; Monitor mode allows traffic regardless of authentication
• Authentication can be performed passively, resulting in SGT assignments
• Tagged traffic traverses the network, allowing monitoring and validation that:
  • Assets are correctly classified
  • Traffic flows to assets are as predicted/expected
Understand Behavior: Modeling Policy in StealthWatch
Create flow-based rules for all proposed policy elements. A Policy Violation alarm triggers if the condition is met, simulating the proposed drop.
(Screenshot callouts: rule name and description; source SGT and destination SGT (DGT); trigger on traffic in both directions, successful or unsuccessful; custom event triggers on the traffic condition.)
Modeled Policy: Flow Details
Each modeled flow is shown with who (user and Security Group), what, when, where and additional context. The question for each is: is this communication permissible? Yes: tune the policy. No: respond.
Network Segmentation: Enforce Policy
Move to active policy enforcement
• Strategic rollout
• Security Group Access Control Lists
• Firewall policy
Security Group Access Control Lists
(Matrix: source SGT rows by destination SGT columns.)
Example policy:
Source = Employee_SGT
Destination = CreditCard_Server
Policy = Deny IP
Enabling Enforcement
(Topology as before: campus users and endpoints on Catalyst switches / WLC (3K/4K/6K), still in Monitor mode; PCI, Production and Development servers behind a Nexus 7000 applying egress enforcement with Security Group ACLs.)

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Deny all            Deny all             Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Deny all            Deny all             Permit all

• Enforcement may be enabled gradually, per destination security group
• Initially use SGACLs with deny logging enabled (remove logging later if not required)
• Keep the default policy as permit and allow traffic with 'unknown SGT' during deployment
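The SXP propagation slide and the monitor-mode and enforcement matrices above describe one pipeline: bindings are learned where endpoints are classified, carried to the enforcement point, and consulted there to pick a cell of the source-by-destination matrix. As an added example (not part of the deck, not Cisco code), the Python below models that pipeline end to end: campus and DC switches as SXP speakers, a DC enforcement point as listener that aggregates their bindings, longest-prefix resolution of source and destination SGT, the deny cells of the "Enabling Enforcement" matrix, a monitor mode that only logs would-be denies (the StealthWatch modeling step), enforce mode with deny logging, and a quarantine re-binding as the adaptive-control step. Tag values 0, 100, 105, 1000, 1010 and 2000 are the slides'; SGT 255 for Quarantine and every IP address are constructed. The TCP session and MD5 authentication of real SXP are not modeled.

```python
"""TrustSec pipeline in miniature: SXP-style binding propagation, SGT lookup,
SGACL matrix, monitor vs. enforce mode, quarantine.  Added example; the tag
numbers come from the slides, SGT 255 and all addresses are constructed."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

UNKNOWN_SGT = 0
QUARANTINE_SGT = 255  # assumed value for the Quarantine group
SGT_NAMES = {0: "Unknown", 100: "Employees", 105: "PCI User", 255: "Quarantine",
             1000: "Prod Server", 1010: "Dev Server", 2000: "PCI Server"}
Bindings = Dict[ipaddress.IPv4Network, int]


class SxpSpeaker:
    """Device that learned IP-to-SGT bindings (802.1X/MAB results or static
    subnet/host maps) and sends them to a listener (real SXP: TCP/64999)."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.bindings: Bindings = {}

    def bind(self, prefix: str, sgt: int) -> None:
        self.bindings[ipaddress.ip_network(prefix, strict=False)] = sgt


class SxpListener(SxpSpeaker):
    """Merges bindings from many speakers; being a speaker too, it can re-export
    the merged table one hop further (SXP aggregation / multi-hop)."""
    def receive(self, speaker: SxpSpeaker) -> None:
        self.bindings.update(speaker.bindings)


def lookup_sgt(bindings: Bindings, ip: str) -> int:
    """Longest-prefix match; a host with no binding carries SGT 0 (Unknown)."""
    addr = ipaddress.ip_address(ip)
    matches = [p for p in bindings if addr in p]
    return bindings[max(matches, key=lambda p: p.prefixlen)] if matches else UNKNOWN_SGT


Flow = NamedTuple("Flow", [("src_ip", str), ("dst_ip", str), ("dst_port", int)])


class Sgacl:
    """Source-SGT x destination-SGT matrix; unlisted cells fall to the default."""
    def __init__(self, cells: Dict[Tuple[int, int], str], default: str = "permit") -> None:
        self.cells, self.default = cells, default

    def decide(self, src_sgt: int, dst_sgt: int) -> str:
        return self.cells.get((src_sgt, dst_sgt), self.default)


def evaluate(flows: List[Flow], bindings: Bindings, policy: Sgacl,
             enforce: bool) -> Tuple[List[Flow], List[str]]:
    """Egress enforcement point.  Returns (forwarded flows, deny log).  With
    enforce=False (monitor mode) every flow is forwarded and denies are only
    logged, which is how a proposed matrix is validated before it is turned on."""
    forwarded, log = [], []
    for f in flows:
        s, d = lookup_sgt(bindings, f.src_ip), lookup_sgt(bindings, f.dst_ip)
        if policy.decide(s, d) == "deny":
            log.append(f"{'DENY' if enforce else 'WOULD-DENY'} "
                       f"{SGT_NAMES.get(s, s)}({s})->{SGT_NAMES.get(d, d)}({d}) "
                       f"{f.src_ip}->{f.dst_ip}:{f.dst_port}")
            if enforce:
                continue
        forwarded.append(f)
    return forwarded, log


def quarantine(bindings: Bindings, ip: str) -> None:
    """Adaptive control: a /32 binding for the offending host overrides its group
    tag (longest prefix wins), the effect of ISE re-authorizing the session."""
    bindings[ipaddress.ip_network(f"{ip}/32")] = QUARANTINE_SGT


# Constructed topology: two speakers feed one listener at the DC edge.
access = SxpSpeaker("campus-access")
access.bind("10.1.10.21/32", 100)  # employee, learned via 802.1X
access.bind("10.1.10.22/32", 105)  # PCI user, learned via 802.1X
dc = SxpSpeaker("dc-switch")
dc.bind("10.9.20.0/24", 1000)      # static subnet-to-SGT: production
dc.bind("10.9.30.0/24", 1010)      # static subnet-to-SGT: development
dc.bind("10.9.40.5/32", 2000)      # static host-to-SGT: PCI server
dc_enforcer = SxpListener("dc-enforcement")
dc_enforcer.receive(access)
dc_enforcer.receive(dc)

# Deny cells of the "Enabling Enforcement" matrix, plus a quarantine row.
POLICY = Sgacl({(100, 2000): "deny", (100, 1000): "deny",
                (0, 2000): "deny", (0, 1000): "deny"})
for server_sgt in (2000, 1000, 1010):
    POLICY.cells[(QUARANTINE_SGT, server_sgt)] = "deny"

FLOWS = [Flow("10.1.10.21", "10.9.40.5", 443),  # employee -> PCI server
         Flow("10.1.10.21", "10.9.30.7", 22),   # employee -> dev server
         Flow("10.1.10.22", "10.9.40.5", 443),  # PCI user -> PCI server
         Flow("10.1.10.99", "10.9.20.3", 80),   # unknown host -> prod
         Flow("10.1.10.99", "10.9.30.7", 80)]   # unknown host -> dev

if __name__ == "__main__":
    fwd, log = evaluate(FLOWS, dc_enforcer.bindings, POLICY, enforce=True)
    print(f"{len(fwd)} forwarded, {len(log)} denied:", *log, sep="\n")
```

Run in monitor mode first: all five constructed flows are forwarded and two WOULD-DENY lines appear (employee to PCI server, unknown host to production), which is exactly the validation the slides ask for before enforcement. Switching to enforce mode drops those two and keeps the log, and quarantining the PCI user's address turns its previously permitted flow into a third deny without touching the matrix itself.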
Network Segmentation: Active Monitoring
Monitor network activity
• Detect suspicious and malicious activity
• Network behaviour and anomaly detection
• Policy violations
• Monitor policy configuration and misconfiguration
• Monitor for business continuity
Adaptive Network Control
• Identify and remediate threats
• Dynamically segment network threats
NetFlow monitoring
• Highly scalable (enterprise class) collection
• High compression => long-term storage
• Months of data retention
Integrated Threat Defense (Detection & Containment)
(Diagram: Employee, Supplier and Quarantine groups on the network fabric; a Shared Server, a Server and a High Risk Segment; the Internet. StealthWatch flow records carry who, what, when, where and Security Group context.)
StealthWatch event: Policy Violation. Source IP: 10.4.51.5. Role: Supplier. Response: Quarantine.
ISE issues a Change of Authorization and the network fabric moves the host into the Quarantine group.
Summary and Key Takeaways
One-stop Cisco Partner portal for all "Network as a Sensor and Enforcer" resources: http://bit.ly/naas-e-partner
https://www.cisco.com/go/enterprise
https://www.cisco.com/go/trustsec
Summary
• Segmentation is foundational
• TrustSec automates network segmentation
• Start small with localized use cases
• Create a win-win scenario with TrustSec