TrustSec (NaaS / NaaE)

Transcription

1 TrustSec (NaaS / NaaE) per@cisco.com

2 Security on top of the mind for our customers 60% 85% 54% of data is stolen in HOURS of point-of-sale intrusions aren t discovered for WEEKS of breaches remain undiscovered for MONTHS 51% increase of companies reporting a $10M loss or more in the last 3 YEARS A community that hides in plain sight avoids detection and attacks swiftly - Cisco Security Annual Security Report

3 US-CERT Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network.

4 How TrustSec Simplifies Network Segmentation Traditional Segmentation Static ACL Routing Redundancy DHCP Scope Address VLAN Enterprise Backbone VACL Aggregation Layer Access Layer TrustSec Micro/Macro Segmentation Central Policy Provisioning No Topology Change No VLAN Change DC Servers Enterprise Backbone DC Firewall / Switch Policy Access Layer ISE Non-Compliant Voice Employee Supplier BYOD Voice Non-Compliant Employee Supplier BYOD Quarantine VLAN Voice VLAN Data VLAN Guest VLAN Security Policy based on Topology High cost and complex maintenance BYOD VLAN Employee Tag Supplier Tag Non-Compliant Tag Voice VLAN Data VLAN Use existing topology and automate security policy to reduce OpEx

5 Driven by Customer Top-of Mind Segmentation for Threat Defense Regulatory Compliance Privileged Access to DC Segmentation at access layer to block lateral-movement of threats, access control to improve security Major Retailers segmenting critical assets in stores and DC driven by recent hacks Governments, tech companies, healthcare, manufacturing increasing network security controls to mitigate risk Segmentation for scope reduction, protecting sensitive information from other connected devices (PCI, HIPAA, Financial Regulation, etc.) Bank - 3 use-cases in production Bank deploying across 350,000 endpoints Multiple retailers for PCI compliance Defense customer export controls Healthcare Segmenting clinical/non-clinical devices and protecting patient data Restricting application access based on user / device privilege in scalable fashion Banks Universities Broadcaster Federal/Central Govts Utilities Defense Manufacturers Insurance Consumer electronics Research

6 Agenda Overview of Cisco TrustSec Prescriptive Approach for Effective Segmentation Case Studies and Design Considerations Summary and Key Takeaways

7 Agenda Overview of Cisco TrustSec Prescriptive Approach for Effective Segmentation Case Studies and Design Considerations Summary and Key Takeaways

8 TrustSec About Security Group Tags! Priority Users / Devices Classification: The process of assigning SGTs Propagation: The process of carrying tags in the network Enforcement: The process of controlling access based on tags. Users Endpoints Infected Hosts Servers Full Access Partial Access Access Deny Sites / Branch Offices

9 TrustSec in Action Remote Access ISE Directory Application Servers 8 SGT 5 SGT Wireless Network Users Switch Routers DC Firewall DC Switch Application Servers 7 SGT Classification Propagation Enforcement

10 Classification Types Classification DYNAMIC CLASSIFICATION STATIC CLASSIFICATION 802.1X Authentication MAC Auth Bypass Web Authentication IP Address VLANs Subnets L2 Interface L3 Interface Virtual Port Profile Layer 2 Port Lookup SGT Common Classification for Mobile Devices Common Classification for Servers, Topology-based Policy, etc.

11 Propagation Inline Tagging Faster, and most scalable way to propagate SGT within LAN or Data Center SGT embedded within Cisco Meta Data (CMD) in Layer 2 frame Capable switches understands and process SGT in line-rate Protected by enabling MACsec (IEEE802.1AE) optional for capable hardware No impact to QoS, IP MTP/Fragmentation L2 Frame Impact: ~20 bytes 16 bits field gives ~ 64,000 tag space Non-capable device drops frame with unknown Ethertype Ethernet Frame Destination MAC Source MAC 802.1Q CMD ETHTYPE PAYLOAD CRC Cisco Meta Data CMD EtherType Version Length SGT Option Type SGT Value Other CMD Option EtherType:0x8909 SGT Value:16bits MACsec Frame AES-GCM 128bit Encryption Destination MAC Source MAC 802.1AE Header 802.1Q CMD ETHTYPE PAYLOAD 802.1AE Header CRC

12 Propagation SGT Exchange Protocol (SXP) Propagation method of IP-SGT binding Propagate IP-SGT from classification to enforcement point Open protocol (IETF-Draft) & ODL Supported TCP - Port:64999 Role: Speaker (initiator) and Listener (receiver) Use MD5 for authentication and integrity check Support Single Hop SXP & Multi-Hop SXP (aggregation) Switches Speaker Routers (SXP Aggregation) Listener Firewall Switches 12

13 Propagation SGT Transport over L3 networks Enterprise LAN Finance Switch SXP Enterprise Network OTP on Roadmap ISE SGACL CTS Link Wireless SXP Internet Nexus 7000 Nexus 1000v BYOD Switch SXP DMVPN Catalyst 6500 Data Center Switch Enterprise MPLS GETVPN HR Multiple options for SGT transport over non CTS Layer 3 networks DMVPN for Internet based VPNS GETVPN for security private MPLS clouds Over The Top (OTP) for private enterprise networks (1HCY15)

14 Enforcement SGACL Enforcement Policy Destination Source Policy Representing Source = Empoloye_SGT Destination=CreditCard_Server Policy = Deny IP

15 Enforcement Policy Enforcement on Firewalls: ASA SG-FW SGT Defined in the ISE or locally defined on ASA Use Destination SGT received from Switches connected to destination Trigger IPS/CX based on SGT Use Network Object (Host, Range, Network (subnet), or FQDN)

16 TrustSec Functions Classification Propagation Enforcement 5 Employee 6 Supplier 8 Suspicious A B 8 5 Static Dynamic Inline SXP WAN SGACL SGFW SGZBFW

17 TrustSec Supported Platforms Employee SGT User WAN (GETVPN DMVPN IPSEC) Switch Router Router Firewall DC Switch vswitch Server ISE Classification Propagation Classification Catalyst 2960-S/-C/-Plus/-X/-XR Catalyst 3560-E/-C/-X/-CX Catalyst 3750-E/-X Catalyst 3850/3650 Catalyst 4500E (Sup6E/7E) Catalyst 4500E (Sup8) Catalyst 6500E (Sup720/2T) Catalyst 6800 WLC 2500/5500/5400/WiSM2/8510/8540 WLC 5760 Nexus 7000 Nexus 6000 Nexus 5500/2200 Nexus 1000v ISRG2, CGR2000, ISR4000 IE2000/3000/CGR2000 ASA5500 (RAS VPN) Propagation Propagation Catalyst 2960-S/-C/-Plus/-X/-XR Catalyst 3560-E/-C/, 3750-E Catalyst 3560-X/3750-X Catalyst 3850/3650 Catalyst 4500E (Sup6E) Catalyst 4500E (Sup, 7E, 7LE, 8E) Catalyst 4500X Catalyst 6500E (Sup720) Catalyst 6500/Sup2T, 6800 WLC 2500/5500/5400/WiSM2/8510/8540 WLC 5760 Nexus 7000 Nexus 6000 Nexus 5500/2200 Nexus 1000v ISRG2,ISR4000 IE2000/3000/CGR2000 ASR1000 ASA5500 Enforcement Enforcement Catalyst 3560-X Catalyst 3750-X Catalyst 3850/3650 WLC 5760 Catalyst 4500E (7E) Catalyst 4500E (8E) Catalyst 6500E (2T) Catalyst 6800 Nexus 7000 Nexus 6000 Nexus 5500/5600 Nexus 1000v ISR G2, ISR4000, CGR2000 ASR 1000 Router CSR-1000v Router ASA 5500 Firewall ASAv Firewall Web Security Appliance

18 Agenda Overview of Cisco TrustSec Prescriptive Approach for Effective Segmentation Case Studies and Design Considerations Summary and Key Takeaways

19 Approaching a TrustSec Design Start with Policy Goals Controlled access to Production systems or PCI Servers Use Cases can be Localized User to DC Access Control Secure BYOD Contractor Access Control Extranet Security Simplified Firewall Rule, VPN Access, ACLs or WSA rules Focus on Business Problem Maintain Compliance Protect against breach Complex ACLs, Firewall rule complexity

20 Implementing Business Policy through Segmentation Discover and Classify Assets Active Monitoring Network Segmentation Understand Behavior Enforce Policy Design and Model Policy

21 Discover and Classify Assets Discover and Classify Assets Profile Assets with ISE User & Device Authentication (User ID, SmartCard, Digital Certificate, etc.) MAC Address based Authentication Web Portal based Authentication Network Segmentation Profile Assets with NetFlow and StealthWatch Services, applications, hosts Behaviour profiling

22 ISE Provides Device Visibility via Profiling Integrated Profiling: Visibility in Scale Network infrastructure provides local sensing function Active Scanning: Enhanced Accuracy Cisco ISE augments passive network insight with active endpoint data Device Feed Identity in Scale Manufacturers and ecosystem provide constant updates to new devices Cisco ISE CDP/LLDP DHCP RADIUS DNS SNMP NetFlow HTTP NMAP Device Feed* Active Endpoint Scanning Cisco Device Sensor (Network Based) Profiler Design Guide:

23 Locate Assets with Lancope StealthWatch Find hosts communicating on the network Pivot based on transactional data 2

24 Implementing Effective Segmentation Understand Behavior Network Segmentation Understand Critical Business Processes Applications, services, protocol, time of day, etc. Profile systems

25 Understand Behavior Complete list of all hosts communicating with HTTP Servers: Who, What, When, Where and How

26 Profile Business Critical Processes PCI Zone Map Overall System Profile Inter-system relationships

27 Implementing Effective Segmentation Design Policy Leverage group definitions from profiling activities Monitor mode deployment Classify Objects into Security Groups Network Segmentation Directory server search / group mapping Device Profiling (Device type certainty) Other attributes: Access Time, Location, Method, etc. Model Policy with StealthWatch Passively model policy Design and Model Policy

28 Starting a TrustSec Design Discuss assets to protect Classification Mechanisms Policy Enforcement Points Propagation Methods Example: Cardholder Data, Medical Record, intellectual data Example: Dynamic, Static, etc. DC segmentation (DC virtual/ physical switches or virtual/physical Firewalls) User to DC access control (Identify capable switches or firewalls in the path) Inline Tagging SXP DM-VPN GET-VPN IPSec OTP etc..

29 How to Tag Users / Devices? TrustSec decouples network topology and security policy to simplify access control and segmentation Classification process groups network resources into Security Groups User/Device/ Location Cisco Access Layer MAC PC Web Authentication Profiling MAB ISE IP-SGT NX-OS/ CIAC/ Hypervisors VLAN-SGT Port-SGT Data Center/ Virtualization 802.1X IOS/Routing Port Profile Address Pool-SGT IPv4 Subnet-SGT IPv6 Prefix-SGT IPv6 Prefix Learning IPv4 Prefix Learning Campus & VPN Access non-cisco & legacy environment Business Partners and Supplier Access Controls

30 Deployment Approach Users connect to network, Monitor mode allows traffic regardless of authentication Authentication can be performed passively resulting in SGT assignments Monitor Mode PCI Server Production Server Users, Endpoints Catalyst Switches/WLC (3K/4K/6K) Campus Network N7K Development Server Tagged traffic traverses the network allowing monitoring and validation that: SRC \ DST PCI Server (2000) Prod Server (1000) Dev Server (1010) Assets are correctly classified Traffic flows to assets are as predicted/expected Employees (100) Permit all Permit all Permit all PCI User (105) Permit all Permit all Permit all Unknown (0) Permit all Permit all Permit all

31 Understand Behavior Custom event triggers on traffic condition Rule name and description SGT DGT Trigger on traffic in both directions; Successful or unsuccessful

32 Modeling Policy in StealthWatch Create flow-based rules for all proposed policy elements Policy Violation alarm will trigger if condition is met. Simulating proposed drop.

33 Modeled Policy: Flow Details Where When Who What Who Yes Tune Is this communication permissible? No Respond More Context Security Group

34 Realistic Enterprise Policy

35 Implementing Effective Segmentation Move to active policy enforcement Strategic rollout Security Group Access Control Lists Firewall policy Network Segmentation Enforce Policy

36 Security Group Access Control Lists Destination Source Policy Representing Source = Empoloye_SGT Destination=CreditCard_Server Policy = Deny IP

37 Enabling Enforcement Enforcement may be enabled gradually per destination security group basis Initially use SGACLs with deny logging enabled (remove log later if not required) Keep default policy as permit and allow traffic unknown SGT during deployment Monitor Mode Egress Enforcement (Security Group ACL) PCI Server Production Server Users, Endpoints Catalyst Switches/WLC (3K/4K/6K) Campus Network N7K Development Server SRC \ DST PCI Server (2000) Prod Server (1000) Dev Server (1010) Employees (100) Deny all Deny all Permit all PCI User (105) Permit all Permit all Permit all Unknown (0) Deny all Deny all Permit all

38 Implementing Effective Segmentation Active Monitoring Monitor Network Activity Detect suspicious and malicious activity Network Behaviour and Anomaly Detection Policy Violations Monitor Policy configuration and misconfiguration Monitor for business continuity Network Segmentation Adaptive Network Control Identify and remediate threats Dynamically segment network threats

39 NetFlow Monitoring Where When Who What Who Highly scalable (enterprise class) collection High compression => long term storage Months of data retention More Context Security Group

40 Integrated Threat Defense (Detection & Containment) Employee ISE Change Authorization Quarantine Supplier Server Lancope StealthWatch Event: Policy Violation Source IP: Role: Supplier Response: Quarantine Quarantine Network Fabric High Risk Segment Shared Server Internet Employee

41 Quarantine from StealthWatch

42 Agenda Overview of Cisco TrustSec Prescriptive Approach for Effective Segmentation Case Studies and Design Considerations Summary and Key Takeaways

43 One Stop Cisco Partner portal for all Network as a Sensor and Enforcer resources:

44 Summary Segmentation is foundational TrustSec Automates Network Segmentation Create a Win-Win scenario with TrustSec Start small with Localized Usecases

45