Posted on 28-Mar-2018

TrustSec (NaaS / NaaE)

[email protected]

Security is top of mind for our customers

60% of data is stolen in HOURS

85% of point-of-sale intrusions aren’t discovered for WEEKS

54% of breaches remain undiscovered for MONTHS

51% increase in companies reporting a $10M loss or more in the last 3 YEARS

“A community that hides in plain sight avoids detection and attacks swiftly” - Cisco Annual Security Report

“Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network.” - US-CERT

How TrustSec Simplifies Network Segmentation

Traditional segmentation (diagram: access layer, aggregation layer, enterprise backbone): each class of endpoint (Voice, Employee, Supplier, BYOD, Non-Compliant) gets its own VLAN (Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN, Quarantine VLAN), and every VLAN brings its own address space, DHCP scope, redundancy, routing, static ACLs and VACLs. Security policy is based on topology: high cost and complex maintenance.

TrustSec: use the existing topology and automate security policy to reduce OpEx. Voice stays on the Voice VLAN; Employee, Supplier, BYOD and Non-Compliant endpoints stay on the Data VLAN and are distinguished by tags (Employee Tag, Supplier Tag, Non-Compliant Tag). ISE provisions the policy centrally and the DC firewall / switch enforces it in front of the DC servers.

• No VLAN change
• No topology change
• Central policy provisioning
• Micro/macro segmentation

Driven by Customer Top-of-Mind

Segmentation for Threat Defense: segmentation at the access layer to block lateral movement of threats, and access control to improve security
• Major retailers segmenting critical assets in stores and DC, driven by recent hacks
• Governments, tech companies, healthcare and manufacturing increasing network security controls to mitigate risk

Regulatory Compliance: segmentation for scope reduction, protecting sensitive information from other connected devices (PCI, HIPAA, financial regulation, etc.)
• Bank - 3 use cases in production
• Bank - deploying across 350,000 endpoints
• Multiple retailers for PCI compliance
• Defense customer - export controls
• Healthcare - segmenting clinical/non-clinical devices and protecting patient data

Privileged Access to DC: restricting application access based on user / device privilege in a scalable fashion
• Banks
• Universities
• Broadcaster
• Federal/central governments
• Utilities
• Defense
• Manufacturers
• Insurance
• Consumer electronics
• Research

Agenda

Overview of Cisco TrustSec

Prescriptive Approach for Effective Segmentation

Summary and Key Takeaways

Case Studies and Design Considerations

Overview of Cisco TrustSec

(Diagram: TrustSec spans endpoints, users, servers, sites / branch offices, priority users / devices and infected hosts.)

TrustSec: About Security Group Tags

Classification: the process of assigning SGTs

Propagation: the process of carrying tags in the network

Enforcement: the process of controlling access based on tags (full access, partial access or access deny)

TrustSec in Action

(Diagram: users on switches, wireless and remote access are authenticated by ISE against the directory and classified with SGTs 5, 7 and 8; the tags travel across the routers to the DC switch and DC firewall, which enforce access to the application servers.)

Classification Types

Dynamic classification (common classification for mobile devices):
• 802.1X Authentication
• Web Authentication
• MAC Auth Bypass

Static classification (common classification for servers, topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup

Each method results in an SGT.

Propagation: Inline Tagging

• Fastest and most scalable way to propagate SGTs within the LAN or data center
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE); optional for capable hardware
• No impact on QoS, IP MTU or fragmentation
• L2 frame impact: ~20 bytes
• 16-bit field gives ~64,000 tag space
• Non-capable devices drop the frame because of the unknown EtherType

Ethernet frame with CMD: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC

Cisco Meta Data (CMD): CMD EtherType 0x8909 | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option

MACsec frame: Destination MAC | Source MAC | 802.1AE Header | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE trailer (ICV) | CRC, with AES-GCM 128-bit encryption
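As an added example, written for this page and not part of the deck, the following Python parses the CMD header described above out of a raw Ethernet frame. The slide gives the CMD EtherType 0x8909 and the 16-bit SGT value; the other field widths (1-byte version, 1-byte length counting 4-byte option words, 2-byte option type with the SGT option assumed to be type 1) and the sample frames are assumptions made here. It also shows two behaviours a practitioner should keep in mind: a non-capable device sees an unknown EtherType and drops the frame, and without MACsec the tag is plaintext, so anything that can put frames on the link can claim any SGT, which is why a capable switch should honour an inline tag only on a link whose peer is a trusted switch.

```python
import struct

CMD_ETHERTYPE = 0x8909    # Cisco Meta Data EtherType, as given on the slide
DOT1Q_ETHERTYPE = 0x8100
IPV4_ETHERTYPE = 0x0800
CMD_VERSION = 1           # assumed
SGT_OPTION_TYPE = 0x0001  # assumed value for the "SGT Option Type" field


class UnknownEtherType(Exception):
    """Raised where a device that does not know 0x8909 would drop the frame."""


def build_cmd_frame(dst, src, sgt, inner_ethertype, payload, vlan=None):
    """Construct a tagged frame: MACs | [802.1Q] | CMD | inner EtherType | payload.
    CMD body (assumed layout): version, length in 4-byte option words,
    SGT option type, 16-bit SGT value."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    frame = bytes(dst) + bytes(src)
    if vlan is not None:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF)
    cmd = struct.pack("!BBHH", CMD_VERSION, 1, SGT_OPTION_TYPE, sgt)
    return (frame + struct.pack("!H", CMD_ETHERTYPE) + cmd
            + struct.pack("!H", inner_ethertype) + payload)


def parse_cmd_frame(frame):
    """Return vlan, sgt, inner EtherType and payload, or raise UnknownEtherType
    when the frame carries no CMD header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if ethertype == DOT1Q_ETHERTYPE:           # 802.1Q tag sits before CMD
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan = tci & 0x0FFF
        off += 4
    if ethertype != CMD_ETHERTYPE:
        raise UnknownEtherType(f"EtherType 0x{ethertype:04x} is not CMD")
    version, length = struct.unpack_from("!BB", frame, off)
    off += 2
    if version != CMD_VERSION or length < 1:
        raise ValueError("unsupported CMD version or empty option list")
    end = off + 4 * length
    if end + 2 > len(frame):
        raise ValueError("truncated CMD header")
    sgt = None
    while off < end:                            # walk option words; other options are skipped
        opt_type, opt_value = struct.unpack_from("!HH", frame, off)
        off += 4
        if opt_type == SGT_OPTION_TYPE:
            sgt = opt_value
    if sgt is None:
        raise ValueError("CMD header without SGT option")
    (inner,) = struct.unpack_from("!H", frame, off)
    off += 2
    return {"dst": dst, "src": src, "vlan": vlan, "sgt": sgt,
            "ethertype": inner, "payload": frame[off:]}


def legacy_switch_accepts(frame):
    """A non-capable device forwards plain and 802.1Q frames but drops the
    unknown EtherType 0x8909 (the slide's 'non-capable device drops frame')."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == DOT1Q_ETHERTYPE:
        ethertype = struct.unpack_from("!H", frame, 16)[0]
    return ethertype != CMD_ETHERTYPE


def capable_switch_sgt(frame, link_trusted):
    """A capable switch uses the inline SGT only on a trusted inter-switch link.
    On an untrusted link (e.g. an access port) the carried tag is ignored so a
    host cannot classify itself; None means 're-classify locally'."""
    parsed = parse_cmd_frame(frame)
    return parsed["sgt"] if link_trusted else None


# Constructed sample frames (MAC addresses, VLAN and payload are made up).
SAMPLE_TAGGED = build_cmd_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                                sgt=5, inner_ethertype=IPV4_ETHERTYPE,
                                payload=b"\x45" + b"\x00" * 19, vlan=10)
SAMPLE_PLAIN = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
                + struct.pack("!H", IPV4_ETHERTYPE) + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(parse_cmd_frame(SAMPLE_TAGGED)["sgt"], legacy_switch_accepts(SAMPLE_TAGGED))
```

The difference in length between the two sample frames is the 4-byte 802.1Q tag plus the 8-byte CMD header (EtherType, version, length, SGT option type, SGT value); the slide's "~20 bytes" figure is the overhead once the 802.1AE header and ICV are added as well.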

Propagation: SGT Exchange Protocol (SXP)

• Propagation method for IP-SGT bindings
  – Propagates IP-SGT bindings from the classification point to the enforcement point
• Open protocol (IETF draft) and supported in OpenDaylight (ODL)
  – TCP, port 64999
• Roles: Speaker (initiator) and Listener (receiver)
• Uses MD5 for authentication and integrity checking
• Supports single-hop SXP and multi-hop SXP (aggregation)

(Diagram: speaker switches send their bindings, e.g. SGT 5 for 10.0.1.2 and SGT 6 for 10.4.9.5, over SXP to listeners; an aggregating switch can receive bindings as a listener and re-advertise the combined table as a speaker to the routers and the firewall, which end up holding the same SGT-to-IP entries.)
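As an added example that is not part of the deck: the MD5 "authentication and integrity check" on an SXP session is the TCP MD5 Signature Option (RFC 2385) applied to the TCP connection on port 64999, under a password shared by speaker and listener. The Python below, written for this page and assuming that mapping, builds a segment to port 64999, computes the RFC 2385 digest as the speaker and checks it as the listener would; the addresses, key and payload are made up, and because the deck says nothing about SXP's own message format the payload is treated as opaque bytes. Two caveats a practitioner should carry: the digest is keyed MD5 over the segment (not an HMAC, no key identifier, no rollover), and the TCP options field is not covered by it, which is part of why RFC 2385 was obsoleted by TCP-AO (RFC 5925).

```python
import hashlib
import hmac
import socket
import struct

SXP_PORT = 64999              # SXP listener port, as given on the slide
TCP_OPT_END, TCP_OPT_NOP = 0, 1
TCP_OPT_MD5 = 19              # TCP MD5 Signature Option kind (RFC 2385)
TCP_OPT_MD5_LEN = 18          # kind + length + 16-byte digest
TCP_PSH_ACK = 0x18


def build_tcp_header(sport, dport, seq, ack, flags, options_len, window=65535):
    """Fixed 20-byte TCP header; data offset counts header plus options in 32-bit words."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, options_len, payload, key):
    """RFC 2385 section 2: MD5 over the TCP pseudo-header (carrying the full
    segment length), the fixed TCP header with the checksum zeroed, the data,
    and finally the shared key. TCP options are deliberately NOT covered."""
    seg_len = len(tcp_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header + payload + key).digest()


def sign_segment(src_ip, dst_ip, sport, seq, ack, payload, key, dport=SXP_PORT):
    """Speaker side: return (tcp_header, options, payload) carrying the MD5 option.
    Two NOPs pad the 18-byte option to a 32-bit boundary (layout chosen here)."""
    options_len = 2 + TCP_OPT_MD5_LEN
    header = build_tcp_header(sport, dport, seq, ack, TCP_PSH_ACK, options_len)
    digest = tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, key)
    options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest
    return header, options, payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_header, options, payload, key):
    """Listener side: recompute the digest and compare in constant time. A segment
    without the option is rejected, as RFC 2385 requires once MD5 is configured."""
    received = find_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, len(options), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: speaker 10.0.1.1 sends an opaque SXP payload to listener 10.0.1.2.
SPEAKER, LISTENER = "10.0.1.1", "10.0.1.2"
SHARED_KEY = b"sxp-default-password"     # made up for the example
SAMPLE_PAYLOAD = b"\x00\x00\x00\x10opaque-sxp-data"

if __name__ == "__main__":
    hdr, opts, data = sign_segment(SPEAKER, LISTENER, 40000, 1000, 2000, SAMPLE_PAYLOAD, SHARED_KEY)
    print("option bytes:", opts.hex())
    print("listener accepts:", verify_segment(SPEAKER, LISTENER, hdr, opts, data, SHARED_KEY))
    print("wrong key accepted:", verify_segment(SPEAKER, LISTENER, hdr, opts, data, b"wrong"))
```

Because the pseudo-header is part of the digest, a segment replayed from a different source address fails verification even with the right key; what the option does not give you is protection against an attacker who learns the shared password, so treat it as a transport-level sanity check and keep SXP peers inside the trusted management path.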

Propagation: SGT Transport over L3 Networks

(Diagram: an ISE-managed enterprise LAN with HR and Finance groups on Catalyst 6500 and Nexus 7000 switches, a Nexus 1000v applying SGACLs in the data center, CTS links and SXP inside the LAN, and BYOD / wireless sites reached over an Enterprise MPLS cloud with GETVPN, the Internet with DMVPN, and a private enterprise network with OTP.)

• Multiple options for SGT transport over non-CTS Layer 3 networks
• DMVPN for Internet-based VPNs
• GETVPN for securing private MPLS clouds
• Over The Top (OTP) for private enterprise networks (1HCY15, on roadmap)

Enforcement: SGACL Enforcement Policy

(Diagram: source group by destination group matrix.) Example policy: Source = Employee_SGT, Destination = CreditCard_Server, Policy = Deny IP

Enforcement: Policy Enforcement on Firewalls (ASA SG-FW)

• Use the destination SGT received from the switches connected to the destination
• Use network objects (host, range, network (subnet) or FQDN)
• SGTs defined in ISE or locally on the ASA
• Trigger IPS/CX based on SGT

TrustSec Functions

Classification: Static, Dynamic
Propagation: Inline, SXP, WAN
Enforcement: SGACL, SGFW, SGZBFW

(Diagram: classification assigns SGT 5 Employee, 6 Supplier and 8 Suspicious; the bindings propagate to enforcement points A and B, where groups 8 and 5 are checked against policy.)

TrustSec Supported Platforms

Classification: Catalyst 2960-S/-C/-Plus/-X/-XR, Catalyst 3560-E/-C/-X/-CX, Catalyst 3750-E/-X, Catalyst 3850/3650, Catalyst 4500E (Sup6E/7E), Catalyst 4500E (Sup8), Catalyst 6500E (Sup720/2T), Catalyst 6800, WLC 2500/5500/5400/WiSM2/8510/8540, WLC 5760, Nexus 7000, Nexus 6000, Nexus 5500/2200, Nexus 1000v, ISR G2, CGR2000, ISR4000, IE2000/3000/CGR2000, ASA5500 (RAS VPN)

Propagation (inline tagging, SXP, WAN: GETVPN, DMVPN, IPsec): Catalyst 2960-S/-C/-Plus/-X/-XR, Catalyst 3560-E/-C, 3750-E, Catalyst 3560-X/3750-X, Catalyst 3850/3650, Catalyst 4500E (Sup6E), Catalyst 4500E (Sup7E/7LE/8E), Catalyst 4500X, Catalyst 6500E (Sup720), Catalyst 6500/Sup2T, 6800, WLC 2500/5500/5400/WiSM2/8510/8540, WLC 5760, Nexus 7000, Nexus 6000, Nexus 5500/2200, Nexus 1000v, ISR G2, ISR4000, IE2000/3000/CGR2000, ASR1000, ASA5500

Enforcement: Catalyst 3560-X, Catalyst 3750-X, Catalyst 3850/3650, WLC 5760, Catalyst 4500E (7E), Catalyst 4500E (8E), Catalyst 6500E (2T), Catalyst 6800, Nexus 7000, Nexus 6000, Nexus 5500/5600, Nexus 1000v, ISR G2, ISR4000, CGR2000, ASR 1000 Router, CSR-1000v Router, ASA 5500 Firewall, ASAv Firewall, Web Security Appliance

(Diagram: the Employee SGT is assigned by ISE at the user's switch, propagated via router and WAN to the DC switch, vSwitch and firewall, and enforced in front of the server.)

Prescriptive Approach for Effective Segmentation

Approaching a TrustSec Design

Focus on the business problem:
• Maintain compliance
• Protect against breach
• Complex ACLs, firewall rule complexity

Use cases can be localized:
• Controlled access to production systems or PCI servers
• User to DC access control
• Secure BYOD
• Contractor access control
• Extranet security

Start with policy goals:
• Simplified firewall rules, VPN access, ACLs or WSA rules

Implementing Business Policy through Segmentation

Network segmentation proceeds through these steps:
• Discover and classify assets
• Understand behavior
• Design and model policy
• Enforce policy
• Active monitoring

Discover and Classify Assets

Profile assets with ISE
• User & device authentication (user ID, smart card, digital certificate, etc.)
• MAC address based authentication
• Web portal based authentication

Profile assets with NetFlow and StealthWatch
• Services, applications, hosts
• Behaviour profiling

ISE Provides Device Visibility via Profiling

Integrated profiling (visibility in scale): the network infrastructure provides a local sensing function (Cisco Device Sensor, network based: CDP/LLDP, DHCP, RADIUS, DNS, SNMP, NetFlow, HTTP)

Device Feed (identity in scale): manufacturers and the ecosystem provide constant updates for new devices

Active scanning (enhanced accuracy): Cisco ISE augments passive network insight with active endpoint data (NMAP)

Profiler Design Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf

Locate Assets with Lancope StealthWatch

Find hosts communicating on the network
• Pivot based on transactional data

Implementing Effective Segmentation: Understand Behavior

Understand critical business processes
• Applications, services, protocols, time of day, etc.
• Profile systems

Understand behavior: a complete list of all hosts communicating with HTTP servers: who, what, when, where and how

Profile business-critical processes: PCI zone map, overall system profile, inter-system relationships

Implementing Effective Segmentation: Design and Model Policy

Classify objects into security groups
• Directory server search / group mapping
• Device profiling (device type certainty)
• Other attributes: access time, location, method, etc.

Design policy
• Leverage group definitions from profiling activities
• Monitor mode deployment

Model policy with StealthWatch
• Passively model policy

Starting a TrustSec Design

Discuss assets to protect. Example: cardholder data, medical records, intellectual property

Classification mechanisms. Example: dynamic, static, etc.

Policy enforcement points:
• DC segmentation (DC virtual / physical switches or virtual / physical firewalls)
• User to DC access control (identify capable switches or firewalls in the path)

Propagation methods:
• Inline tagging
• SXP
• DMVPN
• GETVPN
• IPsec
• OTP, etc.

How to Tag Users / Devices?

• TrustSec decouples network topology and security policy to simplify access control and segmentation
• The classification process groups network resources into Security Groups

(Diagram of classification methods by environment: User / Device / Location at the Cisco access layer via ISE (802.1X, MAB, Web Authentication, Profiling; PC, MAC); Data Center / Virtualization via NX-OS, CIAC and hypervisors (Port Profile, Port-SGT, IP-SGT, VLAN-SGT, AddressPool-SGT); Campus & VPN access and non-Cisco & legacy environments via IOS / routing (IPv4 Prefix Learning, IPv6 Prefix Learning, IPv6 Prefix-SGT, IPv4 Subnet-SGT); Business Partners and Supplier Access Controls.)

Business Partners and Supplier Access Controls

Deployment Approach: Monitor Mode

(Diagram: users and endpoints on Catalyst switches / WLC (3K/4K/6K) across the campus network reaching PCI, production and development servers behind an N7K.)

SRC \ DST        | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100)  | Permit all        | Permit all         | Permit all
PCI User (105)   | Permit all        | Permit all         | Permit all
Unknown (0)      | Permit all        | Permit all         | Permit all

• Users connect to the network; monitor mode allows traffic regardless of authentication
• Authentication can be performed passively, resulting in SGT assignments
• Tagged traffic traverses the network, allowing monitoring and validation that:
  • Assets are correctly classified
  • Traffic flows to assets are as predicted / expected

Understand Behavior: Modeling Policy in StealthWatch

Create flow-based rules for all proposed policy elements: rule name and description, source SGT and destination group tag (DGT), trigger on traffic in both directions (successful or unsuccessful), and a custom event that triggers on the traffic condition.

A Policy Violation alarm will trigger if the condition is met, simulating the proposed drop.

Modeled policy: flow details (when, who, where, what, who by security group, more context). Is this communication permissible? If yes, tune; if no, respond. The result is a realistic enterprise policy.

Implementing Effective Segmentation: Enforce Policy

Move to active policy enforcement
• Strategic rollout
• Security Group Access Control Lists
• Firewall policy

Security Group Access Control Lists (diagram: source group by destination group matrix). Example policy: Source = Employee_SGT, Destination = CreditCard_Server, Policy = Deny IP

Enabling Enforcement: Egress Enforcement (Security Group ACL)

(Diagram: the same campus network as in monitor mode; SGACLs are now applied at the egress N7K in front of the servers.)

SRC \ DST        | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100)  | Deny all          | Deny all           | Permit all
PCI User (105)   | Permit all        | Permit all         | Permit all
Unknown (0)      | Deny all          | Deny all           | Permit all

• Enforcement may be enabled gradually, on a per-destination security group basis
• Initially use SGACLs with deny logging enabled (remove the log keyword later if not required)
• Keep the default policy as permit and allow traffic with an unknown SGT during deployment; the matrix above is the end state, where Unknown (0) is explicitly denied to the PCI and production servers
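As an added example, written for this page rather than taken from the deck, the following Python models the two phases described above over a handful of constructed flow records. In monitor mode the proposed matrix is consulted only to raise policy-violation events (the StealthWatch modelling step, "simulating the proposed drop") and every flow is still permitted; in enforcement mode the same matrix is applied at egress and denies are logged, as the "SGACLs with deny logging" bullet recommends. Source and destination SGTs come from a longest-prefix IP-to-SGT binding table standing in for what a switch learns via ISE, SXP or static subnet-SGT mappings; the prefixes, addresses and flows are made up. The SGT numbers and the deny cells are the deck's own (Employees 100, PCI User 105, Unknown 0; PCI Server 2000, Prod Server 1000, Dev Server 1010), and cells absent from the matrix fall through to a default permit.

```python
import ipaddress

# Security groups and SGT numbers used in the deck's matrices
EMPLOYEES, PCI_USER, UNKNOWN = 100, 105, 0
PCI_SERVER, PROD_SERVER, DEV_SERVER = 2000, 1000, 1010
NAMES = {0: "Unknown", 100: "Employees", 105: "PCI User",
         1000: "Prod Server", 1010: "Dev Server", 2000: "PCI Server"}

# Constructed IP-SGT bindings (assumed prefixes). The most specific prefix
# wins, so the PCI users' /24 overrides the employee /16 that contains it.
BINDINGS = {
    "10.10.0.0/16": EMPLOYEES,
    "10.10.5.0/24": PCI_USER,
    "10.200.1.0/24": PCI_SERVER,
    "10.200.2.0/24": PROD_SERVER,
    "10.200.3.0/24": DEV_SERVER,
}

# The deck's enforcement matrix. Only the deny cells are listed; every other
# (source, destination) pair falls through to the default policy.
PROPOSED_MATRIX = {
    (EMPLOYEES, PCI_SERVER): "deny", (EMPLOYEES, PROD_SERVER): "deny",
    (UNKNOWN, PCI_SERVER): "deny", (UNKNOWN, PROD_SERVER): "deny",
}
DEFAULT_ACTION = "permit"   # keep the default permit during deployment


def classify(ip, bindings=BINDINGS):
    """Longest-prefix IP-SGT lookup; an unmapped address is SGT 0 (Unknown)."""
    addr = ipaddress.ip_address(ip)
    best_len, best_sgt = -1, UNKNOWN
    for prefix, sgt in bindings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_sgt = net.prefixlen, sgt
    return best_sgt


def evaluate_flows(flows, matrix, enforce, default=DEFAULT_ACTION):
    """Return (decisions, events). In monitor mode a matching deny cell only
    raises a Policy Violation event and the flow is permitted; in enforce mode
    the flow is dropped and the drop is logged (the 'deny log' SGACL behaviour)."""
    decisions, events = [], []
    for flow in flows:
        src_sgt, dst_sgt = classify(flow["src"]), classify(flow["dst"])
        action = matrix.get((src_sgt, dst_sgt), default)
        if action == "deny":
            kind = "DROP" if enforce else "POLICY VIOLATION"
            events.append(f"{kind}: {flow['src']} ({NAMES[src_sgt]}/{src_sgt}) -> "
                          f"{flow['dst']}:{flow['dport']} ({NAMES[dst_sgt]}/{dst_sgt})")
            decisions.append("deny" if enforce else "permit")
        else:
            decisions.append("permit")
    return decisions, events


# Constructed NetFlow-style records (addresses and ports are made up)
SAMPLE_FLOWS = [
    {"src": "10.10.1.20", "dst": "10.200.1.10", "dport": 443},    # employee -> PCI server
    {"src": "10.10.5.7", "dst": "10.200.1.10", "dport": 443},     # PCI user -> PCI server
    {"src": "10.10.1.21", "dst": "10.200.3.15", "dport": 22},     # employee -> dev server
    {"src": "192.168.50.9", "dst": "10.200.2.30", "dport": 80},   # unmapped host -> prod server
    {"src": "10.10.1.20", "dst": "10.200.2.30", "dport": 8080},   # employee -> prod server
]

if __name__ == "__main__":
    for enforce in (False, True):
        decisions, events = evaluate_flows(SAMPLE_FLOWS, PROPOSED_MATRIX, enforce)
        print("enforce" if enforce else "monitor", decisions, *events, sep="\n  ")
```

Running the monitor pass first over real NetFlow is what turns the three violation events into either a tuning change (a binding or a missing permit cell) or a confirmed policy; only then is the same matrix switched to enforcement, one destination group at a time.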

Implementing Effective Segmentation: Active Monitoring

Monitor network activity
• Detect suspicious and malicious activity
• Network behaviour and anomaly detection
• Policy violations
• Monitor policy configuration and misconfiguration
• Monitor for business continuity

Adaptive Network Control
• Identify and remediate threats
• Dynamically segment network threats

NetFlow monitoring
• Highly scalable (enterprise class) collection
• High compression, allowing long-term storage
• Months of data retention

Flow context: when, who (security group), where, what, more context

Integrated Threat Defense (Detection & Containment): Quarantine from StealthWatch

(Diagram: Employee, Supplier and Quarantine groups on the network fabric with a shared server, a server in a high-risk segment and the Internet. Lancope StealthWatch raises Event: Policy Violation, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine; ISE issues a Change of Authorization and the supplier endpoint is moved to the Quarantine group.)

Summary and Key Takeaways

One-stop Cisco partner portal for all “Network as a Sensor and Enforcer” resources: http://bit.ly/naas-e-partner

https://www.cisco.com/go/enterprise
https://www.cisco.com/go/trustsec

Summary

• Segmentation is foundational
• TrustSec automates network segmentation
• Start small with localized use cases
• Create a win-win scenario with TrustSec