Enabling Software-Defined Segmentation with TrustSec


2 Enabling Software-Defined Segmentation with TrustSec
Fay-Ann Lee, Technical Marketing Engineer

3 Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3. cs.co/clus17/#
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda
- Introduction: TrustSec Group-Based Policies
- TrustSec Fundamentals: How does it work?
- Main Deployment Scenarios: What can you do?
- One Little Tag, so Many Uses: What else is possible?
- Getting Group-Based Policies Right: How to get started?
- Managing Policies and Changes: Fine Tuning
- Summary

5 Presentation Decode
- Security Group icon (or a number such as 5): Security Group / Security Group Tag (SGT), also called Scalable Group Tag
- Cisco Identity Services Engine (ISE, pronounced "ICE")
- Rapid Deployment Option
- Point to remember
- For Your Reference: slide intended for your reference

6 Software-Defined Segmentation with TrustSec
Traditional security policy (IP address based access lists; addresses not preserved in this transcription):
  access-list 102 permit tcp lt gt 1462
  access-list 102 permit tcp gt lt 4384
  access-list 102 permit icmp eq eq 878
  access-list 102 permit ip gt eq 467
TrustSec security policy:
- Security control automation
- Simplified access management
- Improved security efficiency
- Software-Defined Segmentation across the network fabric (switch, router, wireless, DC firewall, DC switch)
- Flexible and scalable policy enforcement

7 How Do Group-Based Policies Help?
Simple ways to add access control policy for new things:
- Acquisitions and partnerships
- Internet of Things
- BYOD
- Cloud
Represent threat state or vulnerable devices:
- Use groups to represent suspicious devices based on the threat state detected
- Use groups to protect device types that you cannot patch
Reduce effort in adds, moves and changes:
- Reduce error-prone admin
- More consistent security policy
- Reduce OpEx
- Reduced time to implement changes
- Manage complexity

8 Address Segmentation Needs with Group-Based Policies
- "Eataly's network segmentation prevented a POS compromise at one store from compromising systems at the chain's 26 other locations across the globe"
- "Effective network segmentation reduces the extent to which an adversary can move across the network"
- "Network segmentation is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement"

9 TrustSec Concepts
(Diagram: users and devices are classified at the source; ISE and the directory share group information; switches, routers, DC firewalls and DC switches enforce; destination systems are classified as well)
- Classify systems/users based on context (user role, device, location etc.)
- Context or role expressed as a Security Group
- Firewalls, routers and switches use Security Groups to make filtering decisions
- Classify once, reuse the Security Group anywhere on the network

10 Normalizing Policy Groups Across Admin Domains
(Diagram: the Campus/Branch ACL Manager, the Firewall Manager and the APIC-DC Data Center Fabric all reference the same groups: Voice, Employee, Supplier, BYOD, Web, App, DB)
Groups of apps and user/device combinations shared across campus, security and DC platforms

11 Simplifying Segmentation
Traditional segmentation:
- Static ACL, routing redundancy, DHCP scope address, VLAN, VACL
- Enterprise backbone, aggregation layer, access layer
- Quarantine VLAN, Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN for Non-Compliant, Voice, Employee, Supplier and BYOD roles
- Security policy based on VLAN/topology
TrustSec:
- Micro/macro segmentation, central policy provisioning, no topology change, no VLAN change
- DC servers, enterprise backbone, DC firewall/switch policy, access layer, ISE
- Employee Tag, Supplier Tag, Non-Compliant Tag on top of the existing Voice VLAN and Data VLAN
- Automated security policy, works independently of VLANs/topology

12 Proven Results (For Your Reference)

13 Agenda (section divider; same agenda as slide 4)

14 TrustSec Functions to Enable

15 Logical Groupings to Support Segmentation Goals
- Use Security Groups to denote roles you care about
- Business-based groupings to provide consistent policy and access independent of network topology
- Leverage attributes such as location and device type to define group assignments
(Example groups: SGT_Contractor (Contractor 1 to 4), SGT_Employee (Employee 1 to 4), SGT_Building Management (Temperature Device 1 and 2, Surveillance Device 1 and 2), SGT_FinanceServer (Fin 1 and 2), SGT_Printers (Printer 1 and a second printer))

16 Managing Security Groups in ISE

17 Managing Security Groups in DNA Center

18 Getting Group Info to Network Devices
- Network devices need to be defined in ISE to get group information downloads: at periodic intervals, on demand, or pushed from ISE
- The Device ID and password here need to match the cts credentials id configured in the network device
- Option to send the policies through CLI (SSH)

19 Configuring an IOS Device for TrustSec (For Your Reference)
The following CLI is required to turn on NDAC (to authenticate the device to ISE and receive policies, including SGACLs, from ISE):
1. Enabling AAA
  Switch#config t
  Enter configuration commands, one per line. End with CNTL/Z.
  Switch(config)#aaa new-model
2. Defining the RADIUS server with the PAC keyword
  Switch(config)#radius-server host <ISE_PDP_IP> pac key <RADIUS_SHARED_SECRET>
3. Define the authorization list name for TrustSec policy download
  Switch(config)#cts authorization list <AUTHZ_List_Name>
4. Use the default AAA group for 802.1X and the defined authz list for authorisation
  Switch(config)#aaa authentication dot1x default group radius
  Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius

20 Configuring an IOS Device (cont.) (For Your Reference)
5. Switch(config)#radius-server vsa send authentication
6. Switch(config)#dot1x system-auth-control
7. Switch#cts credential id <DEVICE_ID> password <DEVICE_PASSWORD>
Note: Device credentials in IOS are configured in Enable mode, not in configuration mode. NX-OS is different: device credentials are configured in configuration mode.

21 Viewing Group Info in Network Devices
- Group info appears in network devices as Environment Data
- ISE is typically the single source of truth for group information
IOS#show cts environment-data
CTS Environment Data
====================
Security Group Name Table:
  0-01:Unknown
  2-00:TrustSec_Devices
  4-01:Employees
  5-01:Contractors
  6-01:CUCM_Servers
  8-01:Developers
  10-de:Production_Users
  11-01:Prod_Svrs

22 TrustSec Functions to Enable

23 Static and Dynamic Classification Methods
Dynamic mechanisms:
- User endpoints (ideal for users and mobile devices): 802.1X, WebAuth, MAB, Profiling, Passive ID (Easy Connect)
- Virtual systems: ACI (App-Centric), virtual port profile, pxGrid and REST APIs
Static mechanisms:
- Internal resources (internal IT infrastructure and topology-based policy): IP address, subnets, VLANs
- Partner and external (external partners and 3rd-party connections): L3 interface, VPN, port

24 Dynamic Classification and SGT Assignment via ISE: Context => Security Group

25 Dynamic Classification with 802.1X
(Sequence: Supplicant, Switch, RADIUS server (any))
1. Layer 2 EAPoL transaction between the supplicant (MAC 00:00:00:AB:CD:EF) and the switch; the EAP transaction is carried in a Layer 3 RADIUS transaction to the RADIUS server. Policy evaluation returns Authentication Authorized plus the Authorization SGT (cisco-av-pair=cts:security-group-tag=). The switch records: Authorised MAC: 00:00:00:AB:CD:EF, SGT = 5
2. DHCP: the supplicant obtains a lease (DHCP Lease: /24)

26 Dynamic Classification with 802.1X (continued)
3. ARP probe; IP Device Tracking binding: 00:00:00:AB:CD:EF = /24, so SRC = SGT 5
Switch#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address    Security Group    Source
=============================================
              :TrustSec_Devices INTERNAL
              :Employee         LOCAL
Local policy defines the fallback SGT assignment

27 Critical SGT (15.2(3)E / 3.7.0E) (For Your Reference)
- Local SGT authorization when ISE becomes unavailable
- CTS caching retains downloaded ISE policies (SGACLs) during an ISE outage
(Diagram: branch office switch with Employee-1, Employee-2 and local resources, reaching ISE, the DC switch, shared services and application servers across the WAN; Employee Tag vs Critical Tag)
  service-template CRITICAL_ACCESS
   sgt 10
  ...
  !
  policy-map type control subscriber ID-ACCESS-POLICY
   event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x retries 2 retry-time 0 priority 10
   event authentication-failure match-first
    5 class DOT1X_FAILED do-until-failure
     10 activate service-template AUTH_FAIL_VLAN
     20 authorize
    10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
     10 activate service-template CRITICAL_ACCESS
     20 authorize
     30 pause reauthentication
  ...

28 Critical SGT (15.2(3)E / 3.7.0E) (For Your Reference)
Switch#show access-session interface gigabitethernet 1/0/1 details
  Interface:          GigabitEthernet1/0/1
  MAC Address:        000c.2987.b296
  IPv6 Address:       FE80::1DFA:A241:96E0:3DAD, 2001:DB8:100:0:1DFA:A241:96E0:3DAD
  IPv4 Address:
  User-Name:
  Status:             Authorized
  Domain:             UNKNOWN
  Oper host mode:     multi-auth
  Oper control dir:   both
  Session timeout:    N/A
  Common Session ID:  AC14FC B9A
  Acct Session ID:    0x
  Handle:             0x
  Current Policy:     ID-ACCESS-POLICY
  Local Policies:
    Service Template: CRITICAL_ACCESS (priority 150)
    SGT Value:        10
  Method status list:
    Method    State
    dot1x     Authc Failed
CTS-C3750X#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information
IP Address    SGT    Source
============================================
                     LOCAL
                     INTERNAL
(Diagram: branch office switch with Employee-1 and Employee-2, ISE, shared services, data center application servers; Employee Tag vs Critical Tag)

29 Classifying via 802.1X Authentication (For Your Reference)
ISE Authorization Result = Employee_SGT

30 Classifying Using Passive Identity (Easy Connect)
(Diagram: Bob, the network with a TrustSec device, Domain Controller (Active Directory), DHCP, DNS, NTP, AD and ISE)
- Bob logs in (DOMAIN\bob); no 802.1X on the TrustSec device, MAB only
- ISE retrieves Bob's ID and AD membership (Employee) from the Domain Controller

31 Classifying Virtual Servers: Nexus 1000v SGT to Port-Profile
- Port profile: container of network properties, applied to different interfaces
- VMs inherit the network properties of the port profile, including the SGT
- SGT stays with the VM if it is moved
  port-profile type vethernet production
    switchport access vlan 101
    switchport mode access
    cts manual
      policy static sgt 0x4
      role-based enforcement
    no shutdown
    state enabled
    vmware port-group

32 Static SGT Classification
Can use ISE or CLI for these:
- IP to SGT mapping: cts role-based sgt-map <ip address> sgt <SGT_value>
- Subnet to SGT mapping: cts role-based sgt-map <ip address/nn> sgt <SGT_value>
- VLAN to SGT mapping: cts role-based sgt-map vlan-list <VLAN> sgt <SGT_value>; often used when AAA is unreachable (critical VLAN + VLAN-SGT); method relies on IP Device Tracking
- Port to SGT mapping: (config-if-cts-manual)# policy static sgt <SGT_value>; method relies on IP Device Tracking
Service templates can also assign a static SGT in fallback conditions

33 Centrally Managing Static Classifications
Mappings propagated over SXP from ISE to SXP devices (covered later)

34 Classifying Extranet Connections
- Route prefix monitoring on a specific Layer 3 interface, mapping to an SGT
- Can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface
  cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
  cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9
(Diagram: route updates from Joint Ventures arrive on g3/0/1 and from Business Partners on g3/0/2; DC access with a hypervisor switch)
VSS-1#show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address    SGT    Source
========================================
                     INTERNAL
                     INTERNAL
                     INTERNAL
      /24     8      L3IF
      /24     9      L3IF
      /24     9      L3IF

35 Mixing Static and Dynamic Classifications
- 5000 branches with up to 4 subnets each = 20,000 subnets defined in FW rules
- Existing network has 4 subnets/VLANs per branch (e.g. Voice, BYOD); no use of 802.1X
- Extensive IP-based rules in DC firewalls
Policy goal: simplify; filter branch traffic to Data Center resources

36 Starting with Static Classifications
- Branch office: VLAN-to-SGT maps (VLAN:servers to SGT:servers, VLAN:voice to SGT:voice, VLAN:data to SGT:data, VLAN:byod to SGT:byod); the same SGTs in every branch office
- Data Center: L3 Interface-SGT maps for destination classification: Database: SGT 20, App Svr: SGT 30, Comm Svr: SGT 40

37 Next Steps: Dynamic Overriding Static Classification
- Enable 802.1X, MAB, or Web Authentication
- L3 Interface-SGT maps still in place
- Bindings from SXP take priority over static SGTs (longest match)
- Coarse-grained roles from VLAN mappings AND fine-grained roles from authentication
Net result: groups instead of 20,000 subnets; add/remove branches without FW changes
(Diagram: branch office with Voice, Employee and BYOD; data center with Database SGT 20, App Svr SGT 30, Comm Svr SGT 40)

38 Classification: IOS Binding Source Priority (For Your Reference)
The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLAN: bindings learned from snooped ARP packets on a VLAN that has a VLAN-SGT mapping configured
2. CLI: address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command
3. Layer 3 Interface (L3IF): bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports
4. SXP: bindings learned from SXP peers
5. IP_ARP: bindings learned when tagged ARP packets are received on a CTS-capable link
6. LOCAL: bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports
7. INTERNAL: bindings between locally configured IP addresses and the device's own SGT
An exception to the rules stated above is with the Catalyst 4500. See

39 Classification: NX-OS Binding Source Priority (For Your Reference)
The current priority enforcement order, from lowest (1) to highest (6), is as follows:
1. VLAN: bindings learned from snooped ARP packets on a VLAN that has a VLAN-SGT mapping configured
2. SGT Caching: IP/SGT learned via the SGT caching feature
3. SXP: bindings learned from SXP peers
4. Interface (LOCAL): bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports
5. CLI: address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command
6. INTERNAL: bindings between locally configured IP addresses and the device's own SGT
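To make the two priority lists above concrete, here is an added example (not code from the presentation or from Cisco) that installs a set of candidate bindings into a role-based table under either order and then resolves a host by longest prefix match, as slide 37 describes. It assumes that the two rules compose as "same prefix: highest-priority source wins; different prefix lengths: longest match wins at lookup"; the sample bindings are constructed.

```python
"""Resolve the IP-SGT bindings a switch installs when several sources claim the
same prefix, using the IOS and NX-OS source priority orders from the slides,
then answer a host lookup by longest prefix match.

Added example, not code from the presentation or from Cisco. That the two
rules compose as 'same prefix: highest-priority source wins; different prefix
lengths: longest match wins at lookup time' is an assumption; the sample
bindings below are constructed."""
import ipaddress
from collections import namedtuple

# Lowest to highest priority, exactly as numbered on the slides.
IOS_PRIORITY = ["VLAN", "CLI", "L3IF", "SXP", "IP_ARP", "LOCAL", "INTERNAL"]
NXOS_PRIORITY = ["VLAN", "SGT_CACHING", "SXP", "LOCAL", "CLI", "INTERNAL"]
SGT_UNKNOWN = 0  # slide 21: 0-01:Unknown

Binding = namedtuple("Binding", "prefix sgt source")


def install_bindings(candidates, priority):
    """Build the role-based (RBM) table: one entry per prefix, kept from the
    highest-priority source that offered it. A bare host address is a /32."""
    rank = {src: i for i, src in enumerate(priority)}
    table = {}
    for b in candidates:
        if b.source not in rank:
            raise ValueError("unknown binding source %r for this platform" % b.source)
        net = ipaddress.ip_network(b.prefix, strict=False)
        cur = table.get(net)
        if cur is None or rank[b.source] > rank[cur.source]:
            table[net] = Binding(net, b.sgt, b.source)
    return table


def lookup_sgt(table, ip):
    """Longest-prefix match of ip against the installed table; Unknown (0)
    when no binding covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, b in table.items():
        if addr in net and (best is None or net.prefixlen > best.prefix.prefixlen):
            best = b
    return best.sgt if best else SGT_UNKNOWN


def format_table(table):
    """Render the table in the style of 'show cts role-based sgt-map all'."""
    lines = ["IP Address           SGT  Source", "=" * 36]
    for net in sorted(table, key=lambda n: (n.network_address, n.prefixlen)):
        b = table[net]
        shown = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append("%-20s %-4d %s" % (shown, b.sgt, b.source))
    return "\n".join(lines)


# Constructed branch scenario (slides 36-37): the data VLAN subnet is mapped
# statically to SGT 4 by CLI; one host on it is learned both from ARP on the
# VLAN-SGT mapped VLAN (SGT 4) and from ISE over SXP after 802.1X (Employee,
# SGT 5); another host has a CLI host binding (SGT 9) conflicting with SXP (SGT 5).
SAMPLE_BINDINGS = [
    Binding("10.1.1.0/24", 4, "CLI"),
    Binding("10.1.1.50", 4, "VLAN"),
    Binding("10.1.1.50", 5, "SXP"),
    Binding("10.1.1.60", 9, "CLI"),
    Binding("10.1.1.60", 5, "SXP"),
    Binding("10.1.1.1", 2, "INTERNAL"),   # the switch's own SVI address
]

if __name__ == "__main__":
    for name, prio in (("IOS", IOS_PRIORITY), ("NX-OS", NXOS_PRIORITY)):
        table = install_bindings(SAMPLE_BINDINGS, prio)
        print(name)
        print(format_table(table))
        print("10.1.1.60 ->", lookup_sgt(table, "10.1.1.60"))
```

Run as-is, the IOS table resolves 10.1.1.60 to SGT 5 (SXP outranks CLI) while NX-OS resolves it to SGT 9 (CLI outranks SXP); an address with no host binding falls back to the /24 subnet entry.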

40 TrustSec Functions to Enable

41 Policy Enforcement: Security Group ACL (SGACL)
- User authenticated and classified as Employee (5)
- Destination classification: Web_Dir: SGT 20, CRM: SGT 30
- At the enforcement point, the FIB lookup of the destination yields the destination MAC/port and its SGT (20); the packet arrives with SRC SGT 5
(Diagram: packet SRC/DST across the enterprise backbone to Web_Dir (DST SGT 20) and CRM (DST SGT 30))
SRC \ DST       Web_Dir (20)   CRM (30)
Employee (5)    SGACL-A        SGACL-B
BYOD (7)        Deny           Deny

42 ISE Policy Matrix (SGACL)
Example SGACL contents (some port values were not preserved in this transcription):
  permit tcp dst eq 6970 log
  permit tcp dst eq 6972 log
  permit tcp dst eq 3804 log
  permit tcp dst eq 8443 log
  permit tcp dst eq 8191 log
  permit tcp dst eq 5222 log
  permit tcp dst eq log
  permit tcp dst eq 443 log
  permit tcp dst eq 2748 log
  permit tcp dst eq 5060 log
  permit tcp dst eq 5061 log
  permit tcp dst range log
  permit udp dst range log
  deny ip log

43 Creating Group-Based Policies in DNA Center

44 Viewing Policy Enforcement in Switches
Switch#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 3 to group 5:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 5:
        ALLOW_HTTP_HTTPS-20
IPv4 Role-based permissions from group 4:Employees to group 6:CUCM_Servers:
        Jabber_Sig_to_CUC-10          <- SGACL rule from ISE
IPv4 Role-based permissions from group 4 to group 6:
        Deny IP-00
IPv4 Role-based permissions from group 3 to group 7:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 7:
        Permit IP-00
- On IOS devices, SGACLs from ISE take precedence over locally configured SGACLs
- On NX-OS devices, locally configured SGACLs take precedence over ISE SGACLs

45 Enabling SGACL Policy Enforcement (For Your Reference)
- Enable enforcement globally for L3 traffic through the device
- Enable enforcement within VLANs for L2 intra-VLAN enforcement
IOS:
  Switch(config)#cts role-based enforcement
  Switch(config)#cts role-based enforcement vlan-list <vlan>
NX-OS:
  Switch(config)#cts role-based enforcement
  Switch(config)#vlan #
  Switch(config-vlan)#cts role-based enforcement
- SGACLs could be defined in the switch or downloaded from ISE on demand
- Having an SGT classification will trigger the policy download, e.g. Switch(config)#cts role-based sgt-map <ip address> sgt <sgt_value>
- Recommend disabling enforcement on interfaces between TrustSec-enabled switches

46 Dynamic SGACL Downloads
- New user/device/server provisioned (diagram: SGT=3, SGT=4, SGT=5 users; Prod_Servers with Prod_Server SGT=7; Dev_Servers with Dev_Server SGT=10)
- Switches request policies for the assets they protect and pull down only the policies they need
- Policies downloaded and applied dynamically
Result: Software-Defined Segmentation
- All controls centrally managed
- Security policies de-coupled from network topology
- No switch-specific security configs needed
- One place to audit network-wide policies

47 SGACL Scale (For Your Reference)
- For IP ACLs, permissions with IP combinations are programmed in TCAM
- For SGACLs, permissions are programmed in TCAM but not the classifier; the SGT value comes from the frame/packet or a FIB lookup
- Group-based permissions in TCAM can be reused
Platform: Max. SGACEs
- Catalyst 3850 (IOS-XE 3.6, 3.7): 1375 per system, max 255 active groups
- Catalyst 4500-X: 16,000
- Catalyst 6840-X: 8,000
- Catalyst 6880-X: 8,000 (LE), 32,000 (XL)
- Nexus 7K F:
- Nexus 7K F2/F2e, F3: 16,000
- Nexus 7K M: 128,000
- Nexus 1000V: 6,000
- Nexus, Nexus 5600:

48 How SGACL Scale Works: Example (For Your Reference)
- Nexus 5500 limit of 124 SGACL TCAM entries max
- However, SG Access Control entries can be reused any number of times
- Consider the limit to mean 124 unique permissions across any number of SGACLs
- Tested SGT,DGT combinations on an N5500 reusing 124 lines of permissions
WEB-ACL:
  permit tcp dst eq 443
  permit tcp dst eq 80
  deny ip
HR-DB-ACL:
  permit tcp dst eq 443
  permit tcp dst eq 80
  permit tcp dst eq 22
  permit tcp dst eq 135
  permit tcp dst eq 136
  permit tcp dst eq 137
  permit tcp dst eq 138
  permit tcp dst eq 139
  deny ip
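An added example (not code from the presentation or from Cisco) that ties slides 41, 44 and 48 together: it parses SGACLs in the form shown above, evaluates a flow against a source/destination matrix with the "Permit IP" default of slide 44, and counts how many unique SGACEs the two SGACLs above consume when identical lines are reused. The matrix cells are constructed; the behaviour when no ACE matches is an assumption and is never reached for the slide's SGACLs, which end in an explicit deny ip.

```python
"""Evaluate an SGACL matrix for a flow and count the unique permission lines
(SGACEs) a set of SGACLs consumes when entries are reused.

Added example, not code from the presentation or from Cisco. Only ACE forms
that appear on the slides are parsed: 'permit|deny ip', 'permit|deny tcp|udp
dst eq <port>' and '... dst range <lo> <hi>', each with an optional trailing
'log'. The action taken when no ACE matches is an assumption (configurable)."""
import re
from collections import namedtuple

Ace = namedtuple("Ace", "action proto lo hi log")
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp)"
    r"(?:\s+dst\s+(?:eq\s+(\d+)|range\s+(\d+)\s+(\d+)))?(\s+log)?$")


def parse_ace(line):
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE: %r" % line)
    action, proto, eq, lo, hi, log = m.groups()
    if proto == "ip" and (eq or lo):
        raise ValueError("a port match needs tcp or udp: %r" % line)
    if eq:
        lo = hi = int(eq)
    elif lo:
        lo, hi = int(lo), int(hi)
    return Ace(action, proto, lo, hi, log is not None)


def parse_sgacl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def ace_matches(ace, proto, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.lo is None:            # 'permit ip' / 'deny ip': any port
        return True
    return dport is not None and ace.lo <= dport <= ace.hi


def evaluate(matrix, sgacls, src_sgt, dst_sgt, proto, dport=None,
             default="permit", implicit="deny"):
    """Look up the (src, dst) cell. A cell names an SGACL in `sgacls` or is a
    bare 'permit'/'deny'; an empty cell uses `default` (the 'Permit IP-00'
    default in the show cts role-based permissions output). Within an SGACL
    the first matching ACE wins; `implicit` applies when none matches
    (assumed; never reached for SGACLs that end in 'deny ip').
    Returns (action, matching_ace_or_None)."""
    cell = matrix.get((src_sgt, dst_sgt))
    if cell is None:
        return default, None
    if cell in ("permit", "deny"):
        return cell, None
    for ace in sgacls[cell]:
        if ace_matches(ace, proto, dport):
            return ace.action, ace
    return implicit, None


def unique_sgaces(sgacls):
    """Distinct ACEs across all SGACLs: what counts against a platform's TCAM
    limit when identical lines are reused (124 on the Nexus 5500 per the slide)."""
    return len({ace for acl in sgacls.values() for ace in acl})


def total_lines(sgacls):
    return sum(len(acl) for acl in sgacls.values())


# The two SGACLs from the slide.
SGACLS = {
    "WEB-ACL": parse_sgacl("""
        permit tcp dst eq 443
        permit tcp dst eq 80
        deny ip"""),
    "HR-DB-ACL": parse_sgacl("""
        permit tcp dst eq 443
        permit tcp dst eq 80
        permit tcp dst eq 22
        permit tcp dst eq 135
        permit tcp dst eq 136
        permit tcp dst eq 137
        permit tcp dst eq 138
        permit tcp dst eq 139
        deny ip"""),
}

# Constructed matrix in the shape of slide 41: Employee (5) and BYOD (7) rows,
# Web_Dir (20) and CRM (30) columns.
MATRIX = {
    (5, 20): "WEB-ACL",
    (5, 30): "HR-DB-ACL",
    (7, 20): "deny",
    (7, 30): "deny",
}

if __name__ == "__main__":
    print(evaluate(MATRIX, SGACLS, 5, 20, "tcp", 443))
    print(evaluate(MATRIX, SGACLS, 5, 20, "tcp", 22))
    print("unique SGACEs:", unique_sgaces(SGACLS), "of", total_lines(SGACLS), "lines")
```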

49 Enforcement on Nexus 1000V
- N1000V assigns the SGT based on port-profile assignments
- The VEM filters traffic based on SGACLs
- SXP comes from the VSM (not the VEM); the VSM receives the TrustSec policy from ISE
- SXP to the firewall; the TOR filters traffic based on SGACLs
- Inline tagging on VEM uplinks
- N1000v 5.2(1)SV3(1.1): inline tagging and SGACL enforcement
(Diagram: PCI VMs on hypervisor servers with Nexus 1000V VEMs, a Nexus 1000V VSM, TOR switch, firewall and ISE)

50 Policy Enforcement in Firewalls: ASA
- Security Group definitions from ISE
- Trigger FirePower services by SGT matches
- Can still use a Network Object (Host, Range, Network (subnet), or FQDN) AND/OR the SGT

51 TrustSec Functions to Enable

52 Propagating Security Group Tags
- Data plane (inline): Ethernet, MACsec on Ethernet, IPsec, DM-VPN, GET-VPN, VXLAN
- Control plane (SXP): network devices, ISE, IETF, OpenDaylight
- Platform Exchange Grid (pxGrid): Web Security Appliance (WSA), Firepower Threat Defense (FTD), ecosystem vendor products

53 Data Plane Propagation on Ethernet
- Most scalable way to propagate the SGT
- Enabled hop-by-hop
- Line-rate processing
- No impact to QoS
- Optional AES-GCM 128-bit encryption (MACsec)
- L2 frame MTU impact: ~40 bytes (32B MACsec + 8B CMD)
- L2 MTU must be adjusted to accommodate CMD alone. Assume an incapable device drops the frame (unknown EtherType)
Ethernet frame with CMD (ETHTYPE 0x8909):
  Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
Cisco Meta Data (CMD):
  CMD EtherType | Version | Length | SGT Option Type | SGT Value | Other CMD Option
MACsec frame (ETHTYPE 0x88E5):
  Destination MAC | Source MAC | 802.1AE Header | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE Header | CRC
Format defined in the "SGT in L2 Cisco Metadata (CMD)" section of
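The frame layout above, worked through in an added example that is not code from the presentation or from Cisco: it builds and parses frames carrying the CMD, shows what a CMD-incapable device sees after the 802.1Q tag, flags the Unknown SGT case of slide 57 (CMD present, SGT field 0), and checks the MTU arithmetic of slide 55. The Version and Length values written into constructed frames and the SGT option type code 0x0001 are assumptions; the EtherTypes, the 8-byte CMD size and the 1518-byte standard frame size come from the slides.

```python
"""Parse and build Ethernet frames carrying the TrustSec Cisco Meta Data (CMD).

Added example, not code from the presentation or from Cisco. The CMD layout
follows the slide: CMD EtherType 0x8909, Version (1 byte), Length (1 byte),
SGT Option Type (2 bytes), SGT Value (2 bytes), then the original EtherType.
The Version/Length values written into constructed frames and the SGT option
type code 0x0001 are assumptions, not taken from the slide."""
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_CMD = 0x8909      # slide: CMD ETHTYPE
ETHERTYPE_MACSEC = 0x88E5   # slide: MACsec ETHTYPE
ETHERTYPE_IPV4 = 0x0800
CMD_SGT_OPTION = 0x0001     # assumed code for the SGT option
CMD_VERSION = 1             # assumed
CMD_OPT_LENGTH = 1          # assumed: option area length in 4-byte units
CMD_OVERHEAD = 8            # slide: 8B CMD
STD_MAX_FRAME = 1518        # slide 55: 1514 MAC + 4 CRC
SGT_UNKNOWN = 0             # slide 21: 0-01:Unknown


def build_frame(dst, src, payload, vlan=None, sgt=None, ethertype=ETHERTYPE_IPV4):
    """Construct Dst | Src | [802.1Q] | [CMD] | ETHTYPE | PAYLOAD | CRC
    (four zero bytes stand in for the CRC)."""
    hdr = bytes(dst) + bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan & 0x0FFF)
    if sgt is not None:
        hdr += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, CMD_OPT_LENGTH,
                           CMD_SGT_OPTION, sgt)
    return hdr + struct.pack("!H", ethertype) + bytes(payload) + b"\x00" * 4


def parse_frame(frame):
    """Return {vlan, sgt, sgt_unknown, ethertype, payload_offset}.

    sgt is None when no CMD is present; sgt_unknown is True when a CMD is
    present but its SGT field is 0 (slide 57: CMD present but SGT field empty).
    MACsec frames are rejected: the CMD sits inside the 802.1AE-protected region."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if ethertype == ETHERTYPE_DOT1Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan = tci & 0x0FFF
        off += 4
    if ethertype == ETHERTYPE_MACSEC:
        raise ValueError("MACsec frame: CMD is inside the protected region")
    sgt = None
    if ethertype == ETHERTYPE_CMD:
        if len(frame) < off + 8:
            raise ValueError("truncated CMD")
        _ver, _len, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
        if opt_type != CMD_SGT_OPTION:
            raise ValueError("unsupported CMD option type 0x%04x" % opt_type)
        off += 6
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"vlan": vlan, "sgt": sgt, "sgt_unknown": sgt == SGT_UNKNOWN,
            "ethertype": ethertype, "payload_offset": off}


def legacy_switch_view(frame):
    """What a CMD-incapable device sees after the 802.1Q tag: EtherType 0x8909
    is unknown to it, so per the slide's assumption it drops the frame."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_DOT1Q:
        (ethertype,) = struct.unpack_from("!H", frame, 16)
    return {"ethertype": ethertype, "drops": ethertype == ETHERTYPE_CMD}


def is_giant(frame, l2_mtu=STD_MAX_FRAME):
    """True when the frame exceeds the L2 MTU. The 4-byte 802.1Q tag is not
    counted (slide 55: switches account for it dynamically); the 8-byte CMD is,
    so a full-size datagram needs the MTU raised by CMD_OVERHEAD."""
    size = len(frame)
    if struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_DOT1Q:
        size -= 4
    return size > l2_mtu


# Constructed sample: a full-size (1500-byte) IPv4 datagram from an Employee
# host, tagged SGT 5 as on slide 25, on VLAN 101 as on slide 31.
DST = b"\x00\x11\x22\x33\x44\x55"
SRC = b"\x00\x00\x00\xAB\xCD\xEF"
FULL_SIZE_DATAGRAM = b"\x45" + b"\x00" * 1499

if __name__ == "__main__":
    tagged = build_frame(DST, SRC, FULL_SIZE_DATAGRAM, vlan=101, sgt=5)
    print(parse_frame(tagged))
    print("giant on 1518 MTU:", is_giant(tagged),
          "giant on 1526 MTU:", is_giant(tagged, STD_MAX_FRAME + CMD_OVERHEAD))
    print("legacy switch drops:", legacy_switch_view(tagged)["drops"])
```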

54 Inline Tagging on Ethernet (For Your Reference)
- Enable hop-by-hop with the cts manual interface command
- The trusted option means trust tag values from the peer
- Propagate SGT is on by default
- Shut/no shut needed
  interface GigabitEthernet1/5
   mtu 9216
   cts manual
    policy static sgt 2 trusted
  (2 = TrustSec devices SGT value)
(Diagram: ISE; inline tagging between switches; untagged branches)

55 Inline Tagging MTU (For Your Reference)
- Standard Ethernet = 1518B (1514 MAC + 4 CRC)
- Dot1q header = 4B; 802.3ac extended the standard Ethernet frame size accordingly
- Switches today dynamically account for 22B
- Leaves a 1500B IP datagram
- TrustSec requires an 8B CMD
- MTU must be adjusted to accommodate it, or the packet on the interface will be seen as a Giant

56 Changing MTU (For Your Reference)
- 6500/6800 and all Nexus switches must be manually adjusted
- L3 interfaces must have both sides of the link manually adjusted; failure to do so results in loss of neighbor adjacency
- MTU on member links must be changed independently of the port channel
- Catalyst 3650/3850 must be changed system-wide

57 SGT Behavior Through Untrusted CTS Links (For Your Reference)
(Diagram, traffic direction left to right: tagged traffic with SGT 200 and SGT 400 crossing untrusted links between Catalyst and N7K switches; untagged traffic from a PC entering the TrustSec domain)
- Unknown SGT: CMD present but the SGT field is empty
- Untagged traffic entering the TrustSec domain

58 SGT Behavior Through Trusted CTS Links (For Your Reference)
(Diagram, traffic direction left to right: tagged traffic with SGT 200 and SGT 400 crossing trusted links between Catalyst and N7K switches; untagged traffic from a PC)

59 Inline Propagation over WAN
- IPsec, DM-VPN, GET-VPN
- ISR G2 and ASR 1000 Ethernet interfaces (all except 800 series ISR)
- Enforcement options:
  - SGACL: available on ASR 1013, 1006, 1004, 1009-X, 1006-X, ISR 4451 and ISR 4431 from IOS 16.3(1); for SGACL scale recommend 16.5(1)
  - Can use the SGT-aware zone-based firewall on ASR1000, ISR 4000, ISR-G2
(Diagram: Branch A and Branch B with ISR G2 routers (e.g. 2951/3945) sending SGT over GET-VPN, DM-VPN, IPsec VPN or OTP to the HQ ASR1000 router; inline SGT)

60 Branch Example Recap (For Your Reference)
- Enable 802.1X passively
- L3 Interface-SGT maps still in place
- Bindings from SXP take priority over static SGTs (longest match)
- Coarse-grained roles from VLAN mappings AND fine-grained roles from authentication
Net result: groups instead of 20,000 subnets; add/remove branches without FW changes
(Diagram: branch office with Voice, Employee and BYOD; data center with Database SGT 20, App Svr SGT 30, Comm Svr SGT 40)

61 Branch Example with Inline WAN (For Your Reference)
(Diagram: branches with ISRG2/4000 routers carrying Voice, Corporate Laptop and BYOD SGTs over GET-VPN, DM-VPN, IPsec VPN or OTP to the Data Center ASR1000 and ASA)

62 Data Plane Propagation: VXLAN
- VRF + SGT; supports L2 and L3 overlay
- Encapsulation: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
- SGT can now be carried in VXLAN
- Alternative approach to SXP / SXP domains for carrying SGT information across network devices
- SD-Access architecture allows subnets to span access switches without stretching VLANs
- Simplified VRF deployment without needing MPLS
See Cisco SD-Access - A Look Under the Hood (BRKCRS-2810)

63 VXLAN with SD-Access
- Fabric edge nodes use LISP functions to look up the VXLAN tunnel to use for a given destination IP
- Traffic is encapsulated in VXLAN with the SGT and VRF and sent to the correct fabric edge node
- The egress switch applies the SGACL as normal
- Fabric border nodes: outside of the fabric, links to the rest of the network could use inline tagging, SXP etc.
- Needs IOS 16.6
(Diagram: Employee SGT (5) carried through the VXLAN tunnel; ISE)

64 SGT Exchange Protocol (SXP)
- Control plane protocol to propagate IP-SGT mappings
- Uses TCP as the transport layer, with a fixed port for connection initiation
- Uses MD5 for authentication and integrity check
- Two roles: Speaker (initiator) and Listener (receiver)
- Supports single hop and multi-hop (aggregation)
- Supports bidirectional communication (SXPv4)
(Diagram: a speaker sends IP address/SGT pairs to a listener; an SXP aggregation node relays them onward)
Implementation details:
Open Source SDN Controller implementation:

65 Branch Example with SXP
(Diagram: branches with ISRG2/4000 routers carrying Voice, Corporate Laptop and BYOD mappings over SXP across the enterprise WAN to the Data Center ASR1000 and ASA, which aggregate mappings from branches)

66 Enabling Propagation: Finance Example (For Your Reference)
Existing environment: 3rd parties, business partners, branches, data centers
Policy goal:
- Limit information system access to authorized users
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute

67 Adding Inline Tagging and SXP (For Your Reference)
- 3rd parties and business partners: Subnet-SGT and L3 Interface-SGT mappings, propagated over SXP
- Branches: SGTs assigned by 802.1X/MAB/Profiling in monitor mode; SXP
- Data centers: inline tagging; DC server SGTs assigned by IP address or subnet
- SGACL policy enforcement enabled
- Enforcement disabled on inter-switch links (recommended)

68 Enabling Inline Tagging Incrementally (For Your Reference)
- Easy to extend inline tagging device by device
- Disabled enforcement on inter-switch links, as enforcement moved to the edge
- Ensured the enforcement device always knew the destination SGTs to apply
- Could safely block traffic to Unknown SGT
(Diagram: 3rd parties, business partners and branches connected via SXP)

69 SXP Versions (For Your Reference)
- Version 1: the initial SXP version; supports IPv4 binding propagation
- Version 2: includes support for IPv6 binding propagation and version negotiation
- Version 3: adds support for Subnet/SGT binding propagation and expansion (today 6K only). If speaking to a lower-version listener, it will expand the subnet
- Version 4: loop detection and prevention, capability exchange, built-in keepalive mechanism

70 SXP Peer Sequence Filtering (For Your Reference)
- As a binding is exported between SXP peers (from SXP Speaker to SXP Listener), each SXP Speaker prepends its SXP Peer-ID to the PEER-SEQUENCE attribute. Used for v4 loop detection
- Two databases are used for IP-SGT mappings when SXP is used: SXP and RBM (role-based management)
- SXP may have multiple entries; however, only the last one learned or the one with the shortest peer sequence is installed in RBM
Sample <show cts sxp sgt-map>:
  IPv4,SGT: < , 10:NET_WIRED_INFRASTRUCTURE>
  source : SXP;
  Peer IP : ;
  Peer Spkr Ins Num : 1;
  Seq Num : ;
  Originator Peer Seq: 0AF5030C,0AF52114,0AF5F411,
  IPv4,SGT: < , 10:NET_WIRED_INFRASTRUCTURE>
  source : SXP;
  Peer IP : ;
  Ins Num : 1;
  Seq Num : ;
  Peer Seq: 0AF50311,0AF52114,0AF5F411,
Catalyst switch sample:
  SXP DB: show cts sxp sgt-map
  RBM DB: show cts role-based sgt-map all

71 SXP Path Length Filtering (For Your Reference)
- An enhancement to SXP v4
- New command to limit the path length for re-advertisement:
  cts sxp limit export peer-sequence-nodes [3]
  cts sxp limit import peer-sequence-nodes [4]
- Available in IOS-XE and 16.4
(Diagram: reflectors, ASR1K, branch networks)
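The PEER-SEQUENCE mechanics of the two slides above, in an added example that is not code from the presentation or from Cisco: speakers prepend their peer-ID, a listener drops a binding that already carries its own ID (loop), the export/import peer-sequence-nodes limits cap the path length, and the RBM database installs the shortest sequence. It assumes the peer-ID is the speaker's IPv4 source address written as 8 hex digits (the form shown on slide 70), that "limit export N" stops a speaker re-advertising a binding whose sequence would exceed N nodes, and that "limit import N" makes a listener drop such a binding; the two 3-node sequences are the ones shown on slide 70 and the prefix and device addresses are constructed from them.

```python
"""SXPv4 PEER-SEQUENCE handling: prepend-on-export, loop detection on receive,
export/import path-length limits, and shortest-sequence selection into RBM.

Added example, not code from the presentation or from Cisco. Assumed: the
peer-ID is the speaker's IPv4 source address as 8 hex digits; 'limit export N'
suppresses re-advertisement when the sequence would exceed N nodes; 'limit
import N' drops a received binding whose sequence exceeds N nodes."""
import ipaddress
from dataclasses import dataclass, field, replace as dc_replace
from typing import List


def peer_id(ip):
    """'10.245.3.12' -> '0AF5030C'."""
    return "%08X" % int(ipaddress.IPv4Address(ip))


def ip_from_peer_id(pid):
    return str(ipaddress.IPv4Address(int(pid, 16)))


@dataclass
class SxpBinding:
    prefix: str
    sgt: int
    peer_seq: List[str] = field(default_factory=list)  # most recent speaker first
    learned_order: int = 0                              # position in the SXP DB


def export_binding(b, speaker_ip, export_limit=None):
    """Speaker side: prepend the speaker's peer-ID. Returns None when the
    resulting path length exceeds 'cts sxp limit export peer-sequence-nodes'."""
    seq = [peer_id(speaker_ip)] + b.peer_seq
    if export_limit is not None and len(seq) > export_limit:
        return None
    return dc_replace(b, peer_seq=seq)


def receive_binding(b, listener_ip, import_limit=None):
    """Listener side. Returns (binding, 'ok'), or (None, reason) when dropped:
    'loop' if the listener's own peer-ID is already in the sequence (v4 loop
    detection), 'import-limit' if the path is longer than allowed."""
    if peer_id(listener_ip) in b.peer_seq:
        return None, "loop"
    if import_limit is not None and len(b.peer_seq) > import_limit:
        return None, "import-limit"
    return b, "ok"


def propagate(b, path, export_limit=None, import_limit=None):
    """Walk a binding along a list of device IPs (each speaks to the next).
    Returns (binding as held by the last device that accepted it, stop reason,
    index of the device where propagation stopped)."""
    current = b
    for i in range(len(path) - 1):
        sent = export_binding(current, path[i], export_limit)
        if sent is None:
            return current, "export-limit", i
        got, reason = receive_binding(sent, path[i + 1], import_limit)
        if got is None:
            return current, reason, i + 1
        current = got
    return current, "delivered", len(path) - 1


def install_rbm(sxp_db):
    """Per prefix, keep the entry with the shortest peer sequence; on a tie the
    last one learned wins."""
    best = {}
    for b in sxp_db:
        cur = best.get(b.prefix)
        key = (len(b.peer_seq), -b.learned_order)
        if cur is None or key < (len(cur.peer_seq), -cur.learned_order):
            best[b.prefix] = b
    return best


# Sequences from the slide's 'show cts sxp sgt-map' sample (SGT 10,
# NET_WIRED_INFRASTRUCTURE); the prefix itself is constructed.
SEQ_A = ["0AF5030C", "0AF52114", "0AF5F411"]
SEQ_B = ["0AF50311", "0AF52114", "0AF5F411"]
SAMPLE_DB = [
    SxpBinding("10.245.244.0/24", 10, SEQ_A, learned_order=1),
    SxpBinding("10.245.244.0/24", 10, SEQ_B, learned_order=2),
]
# Constructed ring of speakers whose IDs reproduce SEQ_A: the originator at the
# end hears its own binding back and drops it.
RING = ["10.245.244.17", "10.245.33.20", "10.245.3.12", "10.245.244.17"]

if __name__ == "__main__":
    print({pid: ip_from_peer_id(pid) for pid in SEQ_A})
    print("installed sequence:", install_rbm(SAMPLE_DB)["10.245.244.0/24"].peer_seq)
    print(propagate(SxpBinding("10.245.244.0/24", 10), RING))
```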

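The peer-sequence behaviour of the two slides above (loop detection, shortest-sequence selection into RBM, and the export/import path-length limits), as an added Python model that is not Cisco code and not part of the original deck. The peer IDs reuse the hex node IDs from the sample output; the prefix, SGT and the triangle of three peers are constructed for the example.

```python
"""SXP v4 peer-sequence handling modelled in Python.

Constructed model, not Cisco code.  As a binding is re-advertised, each SXP
speaker prepends its own peer ID to the PEER-SEQUENCE attribute.  A listener
drops a binding whose sequence already contains its own ID (loop detection),
applies an import path-length limit, and installs in RBM the entry with the
shortest peer sequence.  The export/import limits mirror the
'cts sxp limit export/import peer-sequence-nodes' commands.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Binding:
    prefix: str           # IPv4 prefix, e.g. "10.1.1.5/32"
    sgt: int              # security group tag
    peer_seq: List[str]   # peer IDs, most recent speaker first


@dataclass
class SxpNode:
    node_id: str                        # SXP node ID, shown as hex on IOS
    export_limit: Optional[int] = None  # cts sxp limit export peer-sequence-nodes N
    import_limit: Optional[int] = None  # cts sxp limit import peer-sequence-nodes N
    # SXP DB: every entry learned, possibly several per prefix
    sxp_db: Dict[str, List[Binding]] = field(default_factory=dict)
    # RBM DB: the single entry per prefix actually used for enforcement
    rbm_db: Dict[str, Binding] = field(default_factory=dict)

    def add_local(self, prefix: str, sgt: int) -> None:
        """A binding learned locally (e.g. from RADIUS) has an empty peer sequence."""
        self.rbm_db[prefix] = Binding(prefix, sgt, [])

    def receive(self, b: Optional[Binding]) -> bool:
        """Listener side.  Returns True if the binding was accepted into the SXP DB."""
        if b is None:
            return False
        if self.node_id in b.peer_seq:
            return False  # our own ID is already in the path: loop, drop it
        if self.import_limit is not None and len(b.peer_seq) > self.import_limit:
            return False  # path longer than the import limit
        entries = self.sxp_db.setdefault(b.prefix, [])
        entries.append(b)
        # Shortest peer sequence wins; on a tie the most recently learned entry wins
        self.rbm_db[b.prefix] = min(reversed(entries), key=lambda e: len(e.peer_seq))
        return True

    def advertise(self, prefix: str) -> Optional[Binding]:
        """Speaker side.  Prepends this node's ID; None if the export limit is exceeded."""
        b = self.rbm_db.get(prefix)
        if b is None:
            return None
        seq = [self.node_id] + b.peer_seq
        if self.export_limit is not None and len(seq) > self.export_limit:
            return None
        return Binding(b.prefix, b.sgt, seq)


def demo() -> dict:
    """Three peers in a triangle: A originates, B and C relay, C tries to send it back to A."""
    a = SxpNode("0AF5F411")
    b = SxpNode("0AF52114")
    c = SxpNode("0AF5030C", import_limit=4)
    a.add_local("10.1.1.5/32", 10)                  # constructed local binding on A
    b.receive(a.advertise("10.1.1.5/32"))           # B learns via A (sequence length 1)
    c.receive(b.advertise("10.1.1.5/32"))           # C learns via B, A (sequence length 2)
    c.receive(a.advertise("10.1.1.5/32"))           # C also learns directly from A (length 1)
    looped = a.receive(c.advertise("10.1.1.5/32"))  # A sees its own ID in the path
    c.export_limit = 1                              # now C may not re-advertise a 2-hop path
    return {
        "c_installed_seq": c.rbm_db["10.1.1.5/32"].peer_seq,
        "c_entries": len(c.sxp_db["10.1.1.5/32"]),
        "loop_dropped": not looped,
        "export_blocked": c.advertise("10.1.1.5/32") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The model keeps the two databases from slide 70 separate on purpose: the SXP DB retains both paths C learned, while the RBM DB holds only the one-hop entry, which is what `show cts role-based sgt-map all` would display on the enforcement device.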
72 IOS SXP Configuration (For Your Reference)
Catalyst 3750 (SXP peering to Cat6K; <ip> stands in for addresses not shown):
    cts sxp enable
    cts sxp connection peer <6K-ip> source <3750-ip> password default mode local speaker
    ! SXP peering to Cat6K

Catalyst 6K (SXP peering to Cat3K):
    cts sxp enable
    cts sxp default password cisco123
    !
    cts sxp connection peer <3750-ip> source <6K-ip> password default mode local listener hold-time 0 0
    ! ^^ peering to Cat3K

    3750#show cts role-based sgt-map all details
    Active IP-SGT Bindings Information
    IP Address    Security Group      Source
    ======================================================================
    <ip>          <n>:device_sgt      INTERNAL
    <ip>          <n>:EMPLOYEE_FULL   LOCAL

    C6K2T-CORE-1#show cts sxp connections brief
     SXP              : Enabled
     Highest Version Supported: 4
     Default Password : Set
     Default Source IP: Not Set
    Connection retry open period: 120 secs
    Reconcile period: 120 secs
    Retry open timer is not running
    Peer_IP   Source_IP   Conn Status   Duration
    <ip>      <ip>        On            11:28:14:59 (dd:hr:mm:sec)
    <ip>      <ip>        On            22:56:04:33 (dd:hr:mm:sec)
    Total num of SXP Connections = 2

    6K#show cts role-based sgt-map all details
    Active IP-SGT Bindings Information
    IP Address    Security Group      Source
    ======================================================================
    <ip>          <n>:PCI_Servers     CLI
    <ip>          <n>:Device_sgt      INTERNAL
    --- snip ---
    <ip>          <n>:GUEST           SXP
    <ip>          <n>:EMPLOYEE_FULL   SXP

73 WLC SXP Configuration (For Your Reference)
(WLC GUI screenshot; no text on the slide)

74 SXP Scaling (For Your Reference)
    Platform                             Max SXP Connections   Max IP-SGT Bindings
    ASR1000                              …                     …,000 (3.15 on)
    Catalyst 6500 Sup2T/…                …                     …,000
    Nexus 7000                           …                     M series: 7.2: 200k, 6.2: 50k; F3: 64,000 (recommend 50k); F2e: 32,000 (recommend 25k)
    Catalyst 4500 Sup7E                  …                     …,000
    Catalyst 4500-X / 4500 Sup 7LE       …                     …,000
    Catalyst 3850 / WLC …                …                     …,000
    ASA 5585-X SSP60, 5555               …                     …,000
    FirePOWER 9300, …                    …                     1,000,000
(… marks a figure that is not legible on the slide.) For the most current numbers see the TrustSec platform capability matrix.

75 Generating SGT Bindings Directly from ISE
- RADIUS-based classifications create IP-SGT mappings that ISE sends to its SXP peers
- IP-SGT mappings can be generated for a 3rd-party access layer using RADIUS accounting
- Share IP-SGT over SXP
Diagram: ISE as SXP speaker to routers, firewalls and switches.

76 ISE SXP Peer Configuration
- Dedicated SXP services nodes: up to 250,000 bindings, 100 SXP peers
- ISE appliance capacity (model: bindings, figures partly cut off): 3415: 100,…; …/3515: 150,…; …: 250,…

77 Branch Example Revisited
Diagram: branch office (Voice, Employee SGT 5, BYOD) across the enterprise WAN to the data center (Database SGT 20, App Svr SGT 30, Comm Svr SGT 40).
1. Enable authentication (802.1X, Easy Connect, Web Authentication)
2. SXP carries the IP address to SGT mappings toward the data center
3. Server groups: Database SGT 20, App Svr SGT 30, Comm Svr SGT 40
Net result: groups instead of 20,000 subnets; add/remove branches without firewall changes.

78 Finance Example Revisited
Diagram: 3rd parties, business partners and branches (RADIUS, SXP, inline tagging) aggregated into IP-SGT mappings; data centers with DC server SGTs assigned by IP address or subnet, and L3 interface-SGT.
- Enable 802.1X, Easy Connect
- Limit information system access to authorized users
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute

79 Sharing SGT Info via pxGrid
- ISE session info is available via pxGrid
- pxGrid clients can subscribe for SGT info/bindings
- Bindings received over SXP can also be published via pxGrid
Diagram: ISE publishes over pxGrid to any pxGrid ecosystem vendor, e.g. Infoblox, Firepower Threat Defense, Check Point, Web Security Appliance.

80 Simplifying Firepower Threat Defense Access
Note: Security Groups can currently be used as source criteria only.
(Screenshot of the FTD access control rule editor)

81 Simplifying WSA Policies with SGTs
Diagram: Doctor on a laptop (office), Doctor on an iPad (office, BYOD) and Guest on an iPad (office) reach the Internet through the Web Security Appliance, which learns Who/What/Where from ISE over pxGrid across the enterprise backbone.
WSA policy table:
    Order  Group            Protocols and User Agents  URL Filtering           Applications              Objects           Anti-Malware and Reputation
    1      Doctors          (global policy)            Block: 1, Monitor: 78   Block: 10, Monitor: 367   (global policy)   (global policy)
    2      BYOD             (global policy)            Block: 1, Monitor: 78   Block: 10, Monitor: 367   (global policy)   (global policy)
    3      Guests           (global policy)            Block: 1, Monitor: 78   Block: 10, Monitor: 367   (global policy)   (global policy)
           Global Policies  No blocked items           Monitor: 79             Monitor: 367              No blocked items  Web Reputation: Enabled; Anti-Malware Scanning: Enabled

82 Summary: Control Plane SGT Propagation (For Your Reference)
- ISE generates IP-SGT mappings and sends them to SXP and pxGrid peers
- SXP propagates IP-SGT bindings from ISE or access-layer devices to any enforcement point (any network device ISE supports)
- pxGrid: security appliances (e.g. Firepower NGFW, WSA) subscribe to pxGrid topics; ISE then publishes the IP-SGT bindings to ecosystem vendor products
Diagram: ISE IP-SGT binding table (IP Address, SGT, SRC) feeding Router 1, Router 2 and Switch 1 over SXP, and Firepower NGFW and WSA over pxGrid.

83 SXP in OpenDaylight: Enabling Group-Based Policies in an Open Source SDN Controller (For Your Reference)
- OpenDaylight includes SXP listener, speaker and bi-directional modes
- Provides an open source implementation for other vendors, partners and customers to use
- Very effective as an SXP reflector
- Filters limit the size of the IP/SGT table advertised to a specific peer: outbound or inbound filters based on prefix or security groups
- Peer sequence filters limit the number of SXP hops over which an IP-SGT binding is learned

84 Agenda
- Introduction: TrustSec Group-Based Policies
- TrustSec Fundamentals: How does it work?
- Main Deployment Scenarios: What can you do? (this section)
- One Little Tag, so Many Uses: What else is possible?
- Getting Group-Based Policies Right: How to get started?
- Managing Policies and Changes: Fine Tuning
- Summary

85 Common Deployment Scenarios
User to Data Center & Cloud Access Control:
- Access control (BYOD, IoT, contractor, extranet)
- Compliance requirements: PCI, HIPAA, export controls, financial regulations, EU data protection
- Mergers & acquisitions, divestments
- Firewall rule automation
Campus and Branch Segmentation:
- Line of business segregation
- PCI, HIPAA and other compliance regulations
- Contractor and business partner segmentation
- Malware propagation control / quarantine
Data Center Segmentation:
- Server zoning & micro-segmentation
- Production vs development server segmentation
- Compliance requirements: PCI, HIPAA
- Firewall rule automation

86 User to Data Center Access Control
TrustSec supports:
- Enterprise-wide, role-based access control
- Automated BYOD access control
- End-to-end regulatory and compliance requirements such as PCI and HIPAA
Diagram: TrustSec policy domain (ISE; Main Building data VLAN, Building 3 WLAN data VLAN) next to an ACI policy domain (APIC-DC with Prod and Dev servers) and a TrustSec-enabled data centre.
Policy in action: matrix with source tags Employee, Developer, Guest and Non-Compliant against destinations Employee, Voice, TrustSec-enabled DC, Remediation and Internet; X marks a denied cell.

87 User to DC Access Control: Campus Enforcement
- Source classification at campus access: enable authentication (802.1X, Easy Connect, Web Auth)
- Propagation: SXP from access to distribution/core; ISE also propagates over SXP
- Enforcement at distribution/core
- Destination classification in the data center: IP-SGT and Subnet-SGT mappings defined in ISE or on the switch
- Scale considerations: supported IP-SGT mappings (platform dependent)
Platform capabilities and scaling information: see the TrustSec platform capability matrix.

88 User to DC Access Control: DC Enforcement
- Source classification at campus access: enable authentication (802.1X, Easy Connect, Web Auth)
- Propagation from access through distribution/core to the DC core
- Enforcement at the DC core
- Destination classification at DC distribution/access: IP-SGT, Subnet-SGT and Port-Profile mappings defined in ISE or on the switch
- Scale considerations: supported IP-SGT mappings (line card dependent)
Platform capabilities and scaling information: see the TrustSec platform capability matrix.

89 Example: Cisco IT Divestment (For Your Reference)
- A portion of the video business was sold to Technicolor
- Transferred employees still needed access to resources on the Cisco network
- Dynamic user policy: SGACLs control which Technicolor users are authorised and which applications and resources they can access on the Cisco network
- Future uses extend this method to on-site vendors and contract employees who need limited access to Cisco resources
Reference (URL truncated on the slide): erprise/cisco-on-cisco/i-en policies-to- Control-User-Access.pdf

90 Sharing Groups in TrustSec and ACI Domains
Sharing groups between TrustSec and ACI domains with ISE 2.1:
- Allow TrustSec security groups to be used in ACI policies
- Allow ACI EndPoint Groups to be used in policies in the TrustSec domain
Diagram: TrustSec policy domain (campus / branch / non-ACI DC with Voice, Employee, Supplier and BYOD on voice and data VLANs) and ACI policy domain (APIC-DC; ACI fabric with Web, App and DB EPGs), with ISE 2.1 exchanging groups with the APIC.

92 TrustSec Groups Shared with ACI
- Max: 250 security groups
- Up to 4000 /32 mappings (Gen1 hardware)
- Up to 10K /32 mappings (EX hardware)

93 TrustSec Groups Shared Selectively with ACI
(ISE screenshot; no text on the slide)

94 ACI Groups Shared with TrustSec Domain
- EPG suffix added to the security group name
- IP-SGT bindings from ACI can be propagated over SXP to TrustSec devices and to pxGrid peers

95 TrustSec Info Used in ACI
Controller layer: ISE (TrustSec policy domain) exchanges with APIC-DC (ACI policy domain) the SGT name "Auditor" and its SGT binding, which appears in ACI as EPG name "Auditor" (groups = Auditor).
Network layer: an Auditor source in the enterprise backbone reaches the PCI EPG through the ACI border leaf (N9K), spine (N9K) and border leaf (N9K); TrustSec groups are available in ACI policies.

96 ACI Info Used in TrustSec Policies
Controller layer: ISE retrieves from APIC-DC the EPG name "PCI EPG" and its endpoint addresses; retrieved groups: Auditor, PCI EPG.
Network layer: bindings propagated with SXP (Auditor = <ip>, PCI EPG = <ip>); the Auditor source (SGT optional) reaches the PCI EPG over plain Ethernet (no CMD) via the ACI border leaf (N9K), spine (N9K) and border leaf (N9K). Endpoint groups are available in TrustSec policies.

97 Phase II Integration: Higher Scale Solution
- Policy plane (REST API): ISE builds a translation table from APIC-DC: 1. GET VRF-ID and Class-ID; 2. SGT <==> VRF-ID, Class-ID
- The SGT to Class-ID / VNI translation table is downloaded to the TrustSec border device (ASR 1K)
- Routing plane: MP-BGP EVPN in trusted mode via the Golf L3out; data plane: GBP VXLAN to the ACI fabric (EPG)
- Toward the campus: SXP within the TrustSec domain; IPsec, DMVPN, GET VPN transport
Starts on ASR1K; supported on -EX only.

98 Enabling Data Plane Integration in ISE (For Your Reference)
Requires ISE 2.2 and ASR 1000 running IOS (July).

99 ASR Translation Configuration (For Your Reference)
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization network acs-mlist group radius
    aaa accounting delay-start all
    aaa server radius dynamic-author
     client <ise-ip> server-key acsi
    cts authorization list acs-mlist
    cts sg-epg translation           ! enable the translation function (global)
    cts role-based enforcement
    interface nve1
     no ip address
     shutdown
     source-interface Loopback0
     host-reachability protocol bgp
     group-based policy              ! interface facing the N9000: ACI group-based policy format
     member vni <vni> vrf evpn1
     no mop enabled
     no mop sysid

100 Campus User to Cloud Access Control
Typical scenarios:
- Policy enforced in the enterprise network, OR
- Virtual firewall or SGACL-capable virtual routers in cloud environments, e.g. ASAv, CSR-1000v, ISRv
- Workloads / groups provisioned by Cisco or 3rd-party orchestration tools
- The orchestration tool pushes IP-SGT bindings to the ISE REST APIs; ISE SXP updates the enforcement points
- Avoids policy changes as new workloads are provisioned in clouds
Diagram: enterprise network (ISE, enterprise policy domain) with Dev Apps and Prod Apps in AWS (Security Groups) and Azure (Network Security Groups); policy enforcement options and a matrix of sources Employee, Developer, Guest and Non-Compliant against destinations Employee, Voice, Prod App, Dev App, Remediation and Internet (X = denied).

101 Pushing Workload Classifications into ISE (For Your Reference)
- REST APIs allow orchestration tools to push IP/group information (and much more) into ISE
- Alternative: IP/group bindings REST API in virtual routers
- Orchestration tools provisioning workloads in the DC/cloud can push the IP and role to the API

102 Campus and Branch Segmentation
TrustSec supports:
- Role-based segmentation across multiple locations
- End-to-end regulatory and compliance requirements such as PCI and HIPAA
- Restriction of lateral threat movement
Diagram: branch (Building 3 WLAN data VLAN), HQ (Main Building data VLAN) and data center connected by switches and a router, with Non-Compliant and Employee endpoints. Policy in action: matrix of sources Employee, Developer, Building Mgmt and Non-Compliant against destinations Employee, Voice, Developer, Building Mgmt, Non-Compliant, Data center and Internet (X = denied).

103 Campus and Branch Segmentation
Source classification, enforcement and destination classification across wired access, distribution and core.
SGACL segmentation available on:
- Catalyst 3560-X, 3750-X
- Catalyst 3650, 3850
- Catalyst 4500E S7E, S8, 4500X
- Catalyst 6500 (2T) / 6800
- Catalyst 3560CX
- IE 4000, IE 5000
- Nexus
Wireless access: Wave 1 and Wave 2 access points (…, 2700, 3700, 18x0, 2800, 3800).
Apply segmentation independently of VLANs and independently of SSIDs.

104 Anatomy of an Attack
1. Research targets (social networks)
2. Spear phishing (you@gmail.com) through the inbound perimeter
3. Victim clicks the link unwittingly
4. Bot installed, back door established; it receives commands from the C2 server
5. Scan the LAN for vulnerable hosts to exploit and find privileged users
6. Privileged account found through lateral movement in the enterprise network (scanning, pivoting, privilege escalation, brute force, etc.) toward the admin node
7. Data exfiltrated through the outbound perimeter
8. System compromised and data breached

105 Blocking Lateral Movement
Employee-to-Employee (and Non-Compliant) traffic gets a "Block Lateral Movement" SGACL:
    deny icmp
    deny udp src dst eq domain
    deny tcp src dst eq 3389
    deny tcp src dst eq 1433
    deny tcp src dst eq 1521
    deny tcp src dst eq 445
    deny tcp src dst eq 137
    deny tcp src dst eq 138
    deny tcp src dst eq 139
    deny udp src dst eq snmp
    deny tcp src dst eq telnet
    deny tcp src dst eq www
    deny tcp src dst eq 443
    deny tcp src dst eq 22
    deny tcp src dst eq pop3
    deny tcp src dst eq 123
    deny tcp match-all -ack +fin -psh -rst -syn -urg
    deny tcp match-all +fin +psh +urg
    permit tcp match-any +ack +syn
- The SGT is dynamically assigned or statically mapped to a VLAN
- The SGACL is applied statically via CLI or dynamically downloaded from ISE
- Lateral movement and privilege escalation blocked

106 Impact of Blocking Lateral Movement
Steps 1 to 4 of the attack proceed as before (research targets, spear phishing through the inbound perimeter, victim clicks the link, bot installed with a back door receiving commands from the C2 server). At step 5, TrustSec prevents workstation-to-workstation scanning, OS fingerprinting, exploitation and privilege escalation.
Diagram labels: Attacker, C2 server, perimeter (inbound and outbound), admin node, enterprise network.

107 Dealing with Potentially Compromised Hosts
Security Group Firewall in front of the business data app / storage (source and destination given as IP and SGT):
    Source                Destination           Service   Action
    Any / Employee        Any / Biz Server      HTTPS     Allow
    Any / Suspicious      Any / Biz Server      Any       Deny
1. NIDS / SIM event: Reconnaissance; source IP <ip>/32; response: Quarantine
2. pxGrid EPS quarantine on the corp network: source IP <ip>/32, MAC address aa:bb:cc:dd:ee:ff; policy mapping SGT: Quarantine
3. Security Group ACL on the switch:
    Switch#show cts role-based permissions
    IPv4 Role-based permissions from group 255:Quarantined to group 4:Employees:
            Deny IP-00
Diagram: compromised endpoint (aa:bb:cc:dd:ee:ff), an Employee, the policy server and the SG-FW.

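Slides 105 and 107 together describe one mechanism: an enforcement point looks up the source and destination SGT of each packet, applies the SGACL in that matrix cell, and a quarantine only has to rewrite the host's IP-SGT binding for the Quarantined row of the matrix to take effect. The following Python model is an added example, not Cisco code and not from the deck. Tag numbers follow the slides (Employees = 4, Quarantined = 255); the IP addresses, the Biz_Server tag (30), the SGACL name Block_Lateral and the assumption that a blank cell permits are constructed. The SGACL text is a subset of slide 105, in its `src dst eq` and `match-all` / `match-any` flag syntax.

```python
"""Enforcement-point model: IP-SGT bindings, an SGACL and a quarantine re-tag.

Constructed example, not Cisco code.  Employees = 4 and Quarantined = 255 come
from the slides; addresses, Biz_Server = 30 and the SGACL name are made up.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

WELL_KNOWN = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

BLOCK_LATERAL = """
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 445
deny tcp src dst eq 22
deny tcp match-all -ack +fin -psh -rst -syn -urg
deny tcp match-all +fin +psh +urg
permit tcp match-any +ack +syn
"""


def parse_sgacl(text: str) -> List[dict]:
    """Parse ACE lines into {action, proto, port, mode, flags}."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        ace = {"action": tok[0], "proto": tok[1], "port": None, "mode": None, "flags": []}
        if "eq" in tok:                                   # destination port test
            p = tok[tok.index("eq") + 1]
            ace["port"] = int(p) if p.isdigit() else WELL_KNOWN[p]
        if len(tok) > 2 and tok[2] in ("match-all", "match-any"):   # TCP flag test
            ace["mode"] = tok[2]
            ace["flags"] = [(f[0], f[1:]) for f in tok[3:]]  # ('+', 'syn') / ('-', 'ack')
        aces.append(ace)
    return aces


def flags_match(ace: dict, flags: FrozenSet[str]) -> bool:
    """'+x' needs flag x set, '-x' needs it clear; match-all needs every test, match-any one."""
    tests = [(name in flags) == (sign == "+") for sign, name in ace["flags"]]
    return all(tests) if ace["mode"] == "match-all" else any(tests)


def sgacl_verdict(aces: List[dict], proto: str, dst_port: int,
                  flags: FrozenSet[str]) -> Optional[str]:
    """First matching ACE decides; None if no ACE matched."""
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        if ace["mode"] is not None and not flags_match(ace, flags):
            continue
        return ace["action"]
    return None


class EnforcementPoint:
    def __init__(self, bindings: Dict[str, int],
                 matrix: Dict[Tuple[int, int], Tuple[Optional[str], str]],
                 sgacls: Dict[str, List[dict]], default_action: str = "permit"):
        self.bindings = dict(bindings)        # IP -> SGT, as learned via SXP / RADIUS
        self.matrix = matrix                  # (src SGT, dst SGT) -> (SGACL name or None, catch-all)
        self.sgacls = sgacls                  # SGACL name -> parsed ACEs
        self.default_action = default_action  # blank cell (assumed: permit, the blacklist default)

    def sgt_of(self, ip: str) -> int:
        return self.bindings.get(ip, 0)       # no binding -> Unknown SGT (0)

    def decide(self, src_ip: str, dst_ip: str, proto: str, dst_port: int = 0,
               flags: FrozenSet[str] = frozenset()) -> str:
        cell = self.matrix.get((self.sgt_of(src_ip), self.sgt_of(dst_ip)))
        if cell is None:
            return self.default_action
        name, catch_all = cell
        if name is not None:
            verdict = sgacl_verdict(self.sgacls[name], proto, dst_port, flags)
            if verdict is not None:
                return verdict
        return catch_all

    def quarantine(self, ip: str, sgt: int = 255) -> None:
        """pxGrid/EPS quarantine rewrites only the host's binding; the matrix row does the rest."""
        self.bindings[ip] = sgt


def demo() -> dict:
    ep = EnforcementPoint(
        bindings={"10.1.10.21": 4, "10.1.10.22": 4, "10.2.20.5": 30},   # constructed
        matrix={(4, 4): ("Block_Lateral", "deny"),   # Employees -> Employees
                (4, 30): (None, "permit"),          # Employees -> Biz_Server
                (255, 4): (None, "deny"),           # Quarantined -> Employees: Deny IP
                (255, 30): (None, "deny")},         # Quarantined -> Biz_Server
        sgacls={"Block_Lateral": parse_sgacl(BLOCK_LATERAL)})

    def probe() -> dict:
        peer, srv = "10.1.10.22", "10.2.20.5"
        return {"rdp_peer": ep.decide("10.1.10.21", peer, "tcp", 3389, frozenset({"syn"})),
                "fin_scan_peer": ep.decide("10.1.10.21", peer, "tcp", 8080, frozenset({"fin"})),
                "web_peer_syn": ep.decide("10.1.10.21", peer, "tcp", 8080, frozenset({"syn"})),
                "https_server": ep.decide("10.1.10.21", srv, "tcp", 443, frozenset({"syn"}))}

    before = probe()
    ep.quarantine("10.1.10.21")   # NIDS reconnaissance event -> EPS quarantine
    return {"before": before, "after": probe()}
```

Before the quarantine the Employee host can reach the server over HTTPS and a peer on an ordinary port, while RDP to a peer and a FIN-only probe are denied by the SGACL; after the quarantine every flow from that host falls into the Quarantined row and is denied, although nothing in the SGACL or matrix was edited.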
108 Dynamic Segmentation on Access Points
- Needs WLC 8540 or 5520, version 8.4
- AP models: 2800, 3700, 3800, 1850, 1830, 1700, 2700 (aka Wave 1 and Wave 2 APs)
- Works for centrally switched SSIDs and FlexConnect SSIDs
- Can use inline tagging and SXPv4 for propagation to upstream devices
Diagram: SGACL applied on the AP between Employee (SGT 4) clients; matrix cell source Employees (4) to destination Employees (4): Anti_Malware SGACL.

109 Centralized SSID: Switch-Based Enforcement
Apply user-to-user policies as defined in ISE on traffic from the WLC. Any AP and 2500, 5500, WiSM2 and 8500 controllers; ISE supplies the mappings over SXP. Switch configuration for the WLC's VLAN:
    interface Vlan2
     ip local-proxy-arp
     ip route-cache same-interface
    !
    cts role-based enforcement
    cts role-based enforcement vlan-list 2

110 Shared Living: Room-to-Room Policy Enforcement
    SRC \ DST     Room1 (10)  Room2 (20)  Room3 (30)  Room4 (40)
    Room1 (10)    Permit      Deny        Deny        Deny
    Room2 (20)    Deny        Permit      Deny        Deny
    Room3 (30)    Deny        Deny        Permit      Deny
    Room4 (40)    Deny        Deny        Deny        Permit
Policy defined in ISE; enforced by capable access points (FlexConnect or centralised mode), or centralised with an external switch.

111 WLAN Support Summary (For Your Reference)
    Deployment mode                                        Controller platforms                   Access points                              TrustSec support                      Release
    Centralised (AireOS)                                   2504, 5508, WiSM2, 5520, 8510, 8540    3700, 3800, 1850, 1830, 1700, 2700         SGACLs on AP, inline tagging, SXP     8.4
                                                                                                                                             SXP on WLC                            … onwards
    Centralised (IOS)                                      5760                                   …                                          SGT, SGACL, SXP                       IOS XE …SE
    Converged Access (IOS), FlexConnect locally switched   3850, 3650, WiSM…                      …                                          SGT, SGACL; SXP on 3x…                IOS XE …SE
(… marks a value that is not legible on the slide.)

112 Segmentation with ISE SXP Domains
- Bidirectional SXP within each domain: IP-SGT mappings are shared within SXP Domain 1 and within SXP Domain 2
- ISE holds the SXP IP-SGT binding table (IP Address, SGT, SRC = Local)
- Inline tagging between the domains: with the SGT carried in the data plane there is no need to exchange IP-SGT mappings between SXP domains

113 Enhancing VRF Segmentation with User Granularity
No inline tagging capability on the platforms used, so all SXP runs in the global VRF since the access layer can't place IP/SGT bindings in a VRF.
- SXP-enabled WLC and switches at the access layer learn the user bindings (Student 10, Faculty 20, Research, MedDevUser)
- SXP aggregators forward them to the cross-connect firewalls, which are SXP listeners holding mappings per context (Student, Faculty, Student_Research, Univ_Services, Student_Records, Research, Joint_Research)
- Other tags shown: Joint_Research 300, Student_Research 40, Student_Records, Univ_Services; remote site: Joint_Research

114 Enhancing VRF Segmentation with User Granularity
Same topology with ISE 2.1+: ISE holds the per-context mappings (Student 10, Faculty 20, Research, MedDevUser, Student_Research, Univ_Services, Student_Records, Joint_Research) and acts as the listener for the SXP-enabled switches and aggregators. All SXP is still in the global VRF since the access layer can't place IP/SGT bindings in a VRF. Remote site: Student_Records, Joint_Research.

115 Assigning Devices to an SXP Domain
(ISE screenshot; no text on the slide)

116 Assigning Subnets to an SXP Domain
SGT selection is not a requirement.

117 Campus (Wired) Segmentation Building Blocks
- Inline tagging in the data plane
- Control plane / SXP, with an SXP reflector
- ISE: common policy groups and segmentation policies
- Campus fabric / VXLAN: the SGT is carried in the VXLAN tunnel

118 Data Center Segmentation
TrustSec supports:
- Firewall rule simplification
- Data center regulatory and compliance requirements such as PCI and HIPAA
- Server zoning
- Micro-segmentation
- Physical and virtual workload segmentation
Policy in action: matrix of Web Servers, Middleware Servers, Database Servers and Storage against each other (X = denied), enforced on the DC switch.

119 Server Classification
- Nexus 1000v: port profile to SGT mappings or IP-SGT mappings
- Nexus 7000: IP-SGT or VLAN-SGT mappings
- Nexus 6000/5600/5500: port-SGT with inline tagging, for example:
    interface Ethernet1/20
     cts manual
      policy static sgt <value>
      no propagate-sgt
Diagram: enterprise backbone, DC core (Nexus 7000), firewall, DC distribution/access (Nexus 6000/5600/5500, enforcement), Nexus 1000v and servers.

120 TrustSec Enforcement in DC (For Your Reference)
- Nexus 7k, 6k, 5x00, 2k and 1000v and CSR-1000v provide SGACLs; ASA and CSR-1000v use SG-FW
- SGT provides common policy objects used throughout FW and ACL rules
- Nexus 1000V enforces policy between VMs
- SGT caching in N7000 allows tags to be reapplied after 3rd-party inspection
- On Nexus use the SGACL batch programming feature for complex policies (needs enabling)
- SXPv4 on N7k and N1000v allows bidirectional SXP
Diagram: N7K-A / N7K-B core, firewall, N5K-A / N5K-B, N2K, N1Kv with PROD1, PCI DB, PCI and PROD2 VMs on a vswitch; inline tagging throughout.

121 DC Quick Reference (For Your Reference)
TrustSec classification features:
    Feature                           Nexus 7000   Nexus 5600/6000   Nexus 5500   FEX   Nexus 1000V
    IP to SGT mapping                 Yes          No                No           No    Yes
    VLAN to SGT mapping               Yes          No                No           No    No
    L2 interface/port to SGT mapping  Yes          Yes               Yes          Yes   No
    Subnet to SGT mapping             Yes (7.3)    No                No           No    No
    Nexus port profile to SGT mapping Yes          No                No           No    Yes
TrustSec transport features:
    Feature                    Nexus 7000                                                 Nexus 5600        Nexus 5500        FEX             Nexus 1000V
    Inline tagging             Yes (CE and FP); F3 needs 802.1Q or FP for inline tagging  Yes (CE and FP)   Yes (CE and FP)   Yes, N5K only   …
    SXP speaker and listener   v3 (7.3), v4 (8.x)                                         Speaker only      Speaker only      No              Yes (v4)
    SGT caching                Yes                                                        No                No                No              No
TrustSec enforcement features:
    Feature                    Nexus 7000        Nexus 5600        Nexus 5500        FEX              Nexus 1000V
    SGACL                      Yes (CE and FP)   Yes (CE & FP)     Yes (CE & FP)     Yes (N5K only)   Yes
(… marks a cell that is not legible on the slide.)

122 Recap: Earlier Finance Example (For Your Reference)
Diagram: inline tagging toward the data centers; untagged links from 3rd parties, business partners and branches; DC server tags assigned by IP address or subnet.

123 Enabling DC Segmentation (For Your Reference)
- Inline tagging extended into the data centers (3rd parties, business partners and branches remain untagged)
- Enforcement enabled throughout
- Server segmentation: VLAN-SGT (N7000), Port-SGT (N5500/FEX), IP-SGT (N7000), Port Profile (N1000v)

124 PCI Compliant Branch and Data Center: Putting All 3 Scenarios Together (For Your Reference)
Diagram: branch (register, workstation) across the WAN to the data center network and the PCI server, with segmentation enforcement defining the PCI scope.
PCI scope reduction with Cisco TrustSec, QSA (Verizon) validation (URL truncated on the slide): ollateral/ns170/ns896/ns1051/trustsec_ pci_validation.pdf

125 Agenda
- Introduction: TrustSec Group-Based Policies
- TrustSec Fundamentals: How does it work?
- Main Deployment Scenarios: What can you do?
- One Little Tag, so Many Uses: What else is possible? (this section)
- Getting Group-Based Policies Right: How to get started?
- Managing Policies and Changes: Fine Tuning
- Summary

126 Apply Firepower Inspection Services via SGTs
Diagram: partners, suppliers and employees cross the enterprise backbone to the data center customer DB through an ASA with FirePOWER, which selects inspection services by SGT.

127 Path Selection Based on SGT
Available in ASR1000, CSR1000v, ISR4000 and ASA.
Security examples:
- Redirect traffic from malware-infected hosts
- Contain threats
- Pass traffic through centralized analysis and inspection functions
Other examples:
- Map different user groups to different WAN services
- Segment within a site with TrustSec; the SGT routes traffic to the correct WAN/VRF
Diagram: policy-based routing based on SGT (User B Suspicious, User A Employee) and SGT-based VRF selection (User C Guest into VRF-GUEST) at the enterprise WAN edge.

128 ASR1K, ISR, CSR1K and ASA Configuration (For Your Reference)
ASR1K, ISR, CSR1K (<next-hop> stands in for addresses not shown):
    route-map policy_security
     match security-group source tag 100
     match security-group source tag 111
     set ip next-hop <next-hop>
    route-map policy_security        ! second entry of the same route-map
     match security-group destination tag 200
     match security-group destination tag 222
     set ip next-hop <next-hop>
    end
    interface gigabitethernet0/0/0
     ip policy route-map policy_security
ASA:
    route-map policy_security
     match ip address outside_access_in_4   ! access-list defined with security group(s)
     set ip next-hop <next-hop>

129 Quality of Service Based on SGT
ASR1000, ISR4000: provides QoS service levels on a per user-group basis (Platinum users, Gold users, Silver users). User groups can be defined based upon contextual information, e.g.:
- Employee with corporate device: Premium group (Employee)
- Partners: Gold group (Partners)
- Guest users: Silver group (Guests)
Prioritizes applications (voice, video, office) within each user group for allocation of bandwidth and other QoS policies.
Diagram: WAN-1 CIR levels per SGT (Employee, Partners, Guest) on Gig 0/1, link rate 100 Mbps, with best effort below.

130 Quality of Service Based on SGT: Configuration (For Your Reference)
    class-map EMPLOYEE_SGT
     match sgt EMPLOYEE
    class-map PARTNERS_SGT
     match sgt PARTNERS
    class-map GUEST_SGT
     match sgt GUESTS
    policy-map EMPLOYEES
     class VOICE
      priority percent 10
      priority level 1
     class VIDEO
      priority percent 30
      priority level 2
     class OFFICE
      bandwidth percent 20
     class class-default
      bandwidth percent 40
    policy-map PARTNERS
     class VOICE
      priority percent 10
      priority level 1
     class VIDEO
      priority percent 30
      priority level 2
     class class-default
      bandwidth percent 60
    policy-map GUESTS
     class class-default
      bandwidth percent 100
    policy-map SEC-GROUP-QOS
     class EMPLOYEE_SGT
      bandwidth percent 50
      service-policy EMPLOYEES
     class PARTNERS_SGT
      bandwidth percent 30
      service-policy PARTNERS
     class GUEST_SGT                 ! matches the class-map GUEST_SGT defined above
      bandwidth percent 20
      service-policy GUESTS
    policy-map WAN-EDGE
     class class-default
      shape average <rate>
      service-policy SEC-GROUP-QOS
    interface gigabitethernet 0/1
     service-policy output WAN-EDGE

131 Visibility through NetFlow
NetFlow provides:
- A trace of every conversation in your network
- An ability to collect records everywhere in your network (switch, router or firewall)
- Network usage measurement
- An ability to find north-south as well as east-west communication
- Lightweight visibility compared to SPAN-based traffic analysis
- Indications of Compromise (IoC)
Flow information in the record (values not shown are marked <…>):
    PACKETS                  <count>
    SOURCE ADDRESS           <ip>
    DESTINATION ADDRESS      <ip>
    SOURCE PORT              <port>
    DESTINATION PORT         443
    INTERFACE                Gi0/0/0
    IP TOS                   0x00
    IP PROTOCOL              6
    NEXT HOP                 <ip>
    TCP FLAGS                0x1A
    CTS SOURCE GROUP TAG     41
    APPLICATION NAME         NBAR SECURE-HTTP

132 One Little Tag, So Many Uses
Apply policies based on the SGT:
- Who: Doctor; What: Desktop with AMP; Where: Office
- Who: Guest; What: Android; Where: Branch
Uses: WSA actions (no SSL decrypt, filter URLs, permit apps, scan for malware), Stealthwatch flow collector, path selection based on SGT, QoS based on SGT, access control based on SGT.

133 Agenda
- Introduction: TrustSec Group-Based Policies
- TrustSec Fundamentals: How does it work?
- Main Deployment Scenarios: What can you do?
- One Little Tag, so Many Uses: What else is possible?
- Getting Group-Based Policies Right: How to get started? (this section)
- Managing Policies and Changes: Fine Tuning
- Summary

134 Understanding Traffic Flows: Options to Model Policy (For Your Reference)
- SGACL monitor mode
- Log permit SGACLs
- NetFlow / Stealthwatch: IOS includes the SGT in NetFlow records
Diagram: users (User1, User2), devices (Device1, Device2, Device 3, Admin) and apps/services (App1, App2, Billing, AD server, network services) with the observed flows between them.

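Slide 131 lists the NetFlow fields, including the CTS source group tag, and slide 134 says these records are one way to model policy. The added Python example below turns constructed flow records into a draft policy matrix; it is not Cisco or Stealthwatch code and not part of the deck. The record columns follow the slide's field list; because only the source tag travels in the flow, the destination tag is resolved from an IP-SGT table as a collector fed by ISE would. All addresses, tags, names and flow lines are made up.

```python
"""Deriving a candidate SGT policy matrix from NetFlow records that carry the SGT.

Constructed example, not Cisco or Stealthwatch code.  Every address, tag and
flow line below is made up for the demonstration.
"""
from collections import defaultdict
import csv
import io
from typing import Dict, List, Tuple

# Constructed IP-SGT table (what a collector learns from ISE over pxGrid)
IP_SGT: Dict[str, int] = {"10.1.10.21": 4, "10.1.10.22": 4, "10.2.20.5": 30,
                          "10.2.20.6": 30, "10.3.3.3": 0}
SGT_NAMES = {0: "Unknown", 4: "Employees", 30: "Biz_Server"}

# Constructed flow export: header line, then one record per flow
FLOWS = """\
src_addr,dst_addr,src_port,dst_port,interface,proto,tcp_flags,src_sgt,app
10.1.10.21,10.2.20.5,51514,443,Gi0/0/0,6,0x1A,4,secure-http
10.1.10.22,10.2.20.5,51515,443,Gi0/0/0,6,0x1A,4,secure-http
10.1.10.21,10.2.20.6,51516,1433,Gi0/0/0,6,0x1A,4,ms-sql
10.1.10.21,10.1.10.22,51517,445,Gi0/0/0,6,0x02,4,cifs
10.3.3.3,10.2.20.5,40000,443,Gi0/0/0,6,0x1A,0,secure-http
"""

Cell = Tuple[int, int]       # (source SGT, destination SGT)
Service = Tuple[int, int]    # (IP protocol, destination port)


def parse_flows(text: str) -> List[dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for k in ("src_port", "dst_port", "proto", "src_sgt"):
            r[k] = int(r[k])
        rows.append(r)
    return rows


def summarize(flows: List[dict], ip_sgt: Dict[str, int]) -> Dict[Cell, Dict[Service, int]]:
    """Count flows per (src SGT, dst SGT) cell, broken down by service."""
    table: Dict[Cell, Dict[Service, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        dst_sgt = ip_sgt.get(f["dst_addr"], 0)      # destination without a binding -> Unknown (0)
        table[(f["src_sgt"], dst_sgt)][(f["proto"], f["dst_port"])] += 1
    return {k: dict(v) for k, v in table.items()}


def propose_matrix(summary: Dict[Cell, Dict[Service, int]], sgts: List[int]) -> Dict[Cell, str]:
    """Whitelist draft: cells that carried traffic become permits listing the observed
    services; every other cell is a deny candidate to confirm in monitor mode."""
    matrix = {}
    for s in sgts:
        for d in sgts:
            svc = summary.get((s, d))
            matrix[(s, d)] = ("permit " + ",".join(f"{p}/{port}" for p, port in sorted(svc))
                              if svc else "deny")
    return matrix


def intra_group_flows(summary: Dict[Cell, Dict[Service, int]]) -> Dict[Cell, Dict[Service, int]]:
    """Flows whose source and destination share a tag (workstation to workstation):
    the traffic a lateral-movement SGACL would block, so review it before enforcing."""
    return {cell: svc for cell, svc in summary.items() if cell[0] == cell[1]}


def render(matrix: Dict[Cell, str], sgts: List[int]) -> str:
    """Plain-text matrix with SRC rows and DST columns, using the tag names."""
    names = [SGT_NAMES.get(t, str(t)) for t in sgts]
    lines = ["SRC \\ DST".ljust(12) + "".join(n.ljust(24) for n in names)]
    for s, n in zip(sgts, names):
        lines.append(n.ljust(12) + "".join(matrix[(s, d)].ljust(24) for d in sgts))
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(parse_flows(FLOWS), IP_SGT)
    print(render(propose_matrix(summary, [0, 4, 30]), [0, 4, 30]))
    print("intra-group:", intra_group_flows(summary))
```

The Unknown row is worth a second look before a whitelist is applied: the flow from 10.3.3.3 shows an unclassified host already talking to the server group, which either needs a binding or will be cut off once the default egress policy becomes deny.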
135 Implementing Effective Segmentation Discover and Classify Assets: Classify and assign SGT with ISE Active Monitoring: Monitor SGT policy violations and events with StealthWatch, SIEM tools etc Enforce Policy: Create SGT-based policies Enable enforcement in switches, WLAN, Firewalls, Routers, Web Security Appliances etc Network Segmentation Understand Behavior - SGT in NetFlow - SGTs understood by Stealthwatch & other apps Design and Model Policy Based on Security Group (not IP address etc) 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 135

136 Config Cheat Sheet TrustSec Overview in ISE 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 136

137 Modeling SGACL policies User authenticated Classified as Employee (5) Destination Classification Web_Dir: SGT 20 CRM: SGT 30 5 SRC: DST: SGT: 5 Enterprise Backbone Web_Dir DST: SGT: 20 CRM SRC: DST: SGT: 30 SRC\DST Employee (5) Web_Dir (20) Permit CRM (30) Permit BYOD (7) Permit Permit 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 137

138 Model Policy with Stealthwatch Use the SGT value to find (and classify) network traffic 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 138

139 Enabling SGACL Policies Egress Enforcement Security Group ACL PCI Server Monitor Mode Users, Endpoints authentication port-control auto authentication open dot1x pae authenticator Campus Network N7K Development Server Production Server SRC \ DST PCI Server (111) Dev Server (222) Dev User(8) Deny all Permit all PCI User (10) Permit all Permit all Unknown (0) Deny all Permit all Users connect to network, authorised passively, SGT assigned Traffic traverses network to Data center enforcement points Enforcement may be enabled gradually per Source, Destination Pair 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 139

140 Agenda
 - Introduction: TrustSec Group-Based Policies
 - TrustSec Fundamentals: How does it work?
 - Main Deployment Scenarios: What can you do?
 - One Little Tag, so Many Uses: What else is possible?
 - Getting Group-Based Policies Right: How to get started?
 - Managing Policies and Changes: Fine Tuning (current section)
 - Summary

141 Key Concepts in the Policy Matrix (For Your Reference)
 - Apply changes
 - The policy can be shown in a simpler tabular view for adds, moves and changes
 - Anything without an SGT assignment is treated with the Unknown SGT
 - Blank cells get the Default SGACL

142 Key Concepts in the Policy Matrix (For Your Reference)
 - Out of the box: blacklist policy model, traffic is permitted unless specifically blocked
 - Easy to move to a whitelist model when ready: populate the matrix as needed, then change the Default Egress Policy to Deny

143 Managing Policy Changes

Make controlled changes with the Staging Matrix:
 - Change approval before deploy is possible
 - Can discard changes at any time
 - Choose where you want to apply changes
 - View delta
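The matrix behaviour described on slides 137 through 143 (Unknown SGT for untagged traffic, blank cells falling back to the default SGACL, per-pair monitor mode, staged changes with a delta view, the blacklist-to-whitelist flip) and the flow-first approach of slides 134 and 135, worked through as an added example. This is not Cisco or ISE code; the SGT numbers are the ones on the slides, the NetFlow-style records are constructed, and SGT 333 is a hypothetical server group.

```python
"""Model of the SGACL egress policy matrix and of filling it from observed flows.
Added example, not Cisco or ISE code; SGT values are the slides', flows are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

UNKNOWN_SGT = 0        # anything without an SGT assignment is treated as Unknown (0)
Key = Tuple[int, int]  # (source SGT, destination SGT)


@dataclass(frozen=True)
class Cell:
    """One matrix cell; monitor=True models SGACL monitor mode (log-permit)."""
    action: str        # "permit" or "deny"
    monitor: bool = False


@dataclass(frozen=True)
class Decision:
    forwarded: bool    # what the enforcement point actually does
    verdict: str       # permit or deny as the policy calls for
    mode: str          # "enforced", "monitor" or "default"


@dataclass
class PolicyMatrix:
    # Out of the box the matrix is a blacklist: blank cells get the default
    # egress policy, which is permit until it is changed to deny (whitelist).
    default_egress: str = "permit"
    cells: Dict[Key, Cell] = field(default_factory=dict)
    staged: Dict[Key, Optional[Cell]] = field(default_factory=dict)

    def evaluate(self, src_sgt: Optional[int], dst_sgt: Optional[int]) -> Decision:
        src = UNKNOWN_SGT if src_sgt is None else src_sgt
        dst = UNKNOWN_SGT if dst_sgt is None else dst_sgt
        cell = self.cells.get((src, dst))
        if cell is None:                    # blank cell -> default SGACL
            return Decision(self.default_egress == "permit", self.default_egress, "default")
        if cell.monitor:                    # monitor mode: forward, log the verdict
            return Decision(True, cell.action, "monitor")
        return Decision(cell.action == "permit", cell.action, "enforced")

    # Staging matrix: stage changes, view the delta, then apply or discard.
    def stage(self, src: int, dst: int, cell: Optional[Cell]) -> None:
        """cell=None clears the cell so it falls back to the default SGACL."""
        self.staged[(src, dst)] = cell

    def delta(self) -> List[Tuple[Key, Optional[Cell], Optional[Cell]]]:
        """(key, before, after) for staged entries that differ from the live matrix."""
        return [(k, self.cells.get(k), new) for k, new in self.staged.items()
                if self.cells.get(k) != new]

    def apply(self) -> None:
        for k, new in self.staged.items():
            if new is None:
                self.cells.pop(k, None)
            else:
                self.cells[k] = new
        self.staged.clear()

    def discard(self) -> None:
        self.staged.clear()


def slide139_matrix() -> PolicyMatrix:
    """The Enabling SGACL Policies matrix, with the Dev User -> PCI Server deny
    cell still in monitor mode (enforcement is enabled one pair at a time)."""
    dev_user, pci_user, pci_srv, dev_srv = 8, 10, 111, 222
    m = PolicyMatrix()
    m.cells = {
        (dev_user, pci_srv): Cell("deny", monitor=True),
        (dev_user, dev_srv): Cell("permit"),
        (pci_user, pci_srv): Cell("permit"),
        (pci_user, dev_srv): Cell("permit"),
        (UNKNOWN_SGT, pci_srv): Cell("deny"),
        (UNKNOWN_SGT, dev_srv): Cell("permit"),
    }
    return m


# Constructed NetFlow-style records as (src SGT, dst SGT, bytes). Because IOS exports
# the SGT in NetFlow, the observed pairs show which cells a whitelist needs before the
# default egress policy is switched to deny. SGT 333 is a hypothetical server group.
SAMPLE_FLOWS = [(8, 222, 5000), (10, 111, 1200), (8, 222, 800), (10, 333, 900), (0, 222, 40)]


def permits_for_observed_pairs(flows: Iterable[Tuple[int, int, int]],
                               min_bytes: int = 100) -> Dict[Key, Cell]:
    """Aggregate bytes per (src, dst) pair and propose a permit for every pair
    that carried at least min_bytes (tiny totals are left for manual review)."""
    totals: Dict[Key, int] = {}
    for src, dst, nbytes in flows:
        totals[(src, dst)] = totals.get((src, dst), 0) + nbytes
    return {k: Cell("permit") for k, total in totals.items() if total >= min_bytes}


def move_to_whitelist(m: PolicyMatrix, flows: Iterable[Tuple[int, int, int]]):
    """Stage permits for observed pairs that have no explicit cell yet, flip the
    default egress policy to deny, and return the delta for review before apply()."""
    for k, cell in permits_for_observed_pairs(flows).items():
        if k not in m.cells:
            m.stage(k[0], k[1], cell)
    m.default_egress = "deny"
    return m.delta()
```

Traffic below min_bytes, such as the 40-byte Unknown-to-Dev-Server flow in the sample, gets no automatic permit, so the delta is where you decide whether such pairs were noise or a classification gap.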

144 Using Multiple Policy Matrices (ISE 2.2)

Different policy matrices for different purposes:
 - Geographic operations
 - Different types of site
 - Different policies for different threat states

Move network devices from one policy matrix to another as required.

145 Agenda
 - Introduction: TrustSec Group-Based Policies
 - TrustSec Fundamentals: How does it work?
 - Main Deployment Scenarios: What can you do?
 - One Little Tag, so Many Uses: What else is possible?
 - Getting Group-Based Policies Right: How to get started?
 - Managing Policies and Changes: Fine Tuning
 - Summary (current section)

146 Summary
 - Sharing group information saves time and operational effort
 - Segmentation that is easy to enable and manage
 - Can start with specific use-cases with minimal platform dependencies
 - Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the policy matrix

TrustSec provides:
 - More effective segmentation, centrally managed
 - Reduced management effort and admin compared to VLAN/dACL approaches
 - Topology-independent security policies: policy managers/auditors do not need to understand the topology or the underlying technology to use the policy matrix
 - Firewall rule simplification and OpEx reduction
 - Faster and easier deployment of new services, which cuts the cost of change

147 For More Information (For Your Reference)
 - For everything TrustSec-related
 - TrustSec platform support matrix
 - Forrester Analysis: Total Economic Impact of TrustSec
 - For our latest system bulletins covering the validation testing that we do, please refer to the system bulletins
 - Case studies: Cisco IT Use of TrustSec http://
 - Gartner webcast on Software-Defined Segmentation and TrustSec

148 For More Information (Continued) (For Your Reference)
 - PCI Scope Reduction with Cisco TrustSec: QSA (Verizon) Validation
 - TrustSec DC Config Guide
 - Campus and Branch Segmentation Guide
 - Campus Fabric Design Guide including SGT over VXLAN: CampusFabricDesign-2016OCT.pdf
 - Securing BYOD and using VPN with TrustSec

149 Complete Your Online Session Evaluation

Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card. Complete your session surveys through the Cisco Live mobile app or on the Cisco Live website.

Don't forget: Cisco Live sessions will be available for viewing on demand after the event.

150 ISE and TrustSec in CL 2017

151 Cisco ISE Break Out Sessions
 - BRKSEC-2695 Building an Enterprise Access Control Architecture using ISE and TrustSec, Imran Bashir: Tue 08:00-10:00 AM, Level 3, South Seas F; Wed 1:30-03:30 PM, Level 2, Mandalay Bay E
 - BRKSEC-3699 Designing ISE for Scale & High Availability, Craig Hyps: Tue 1:30-03:30 PM, Level 2, Mandalay Bay J
 - BRKSEC-2059 Deploying ISE in a Dynamic Environment, Clark Gambrel: Tue 04:00-05:30 PM, Level 3, South Seas E
 - BRKSEC-3697 Advanced ISE Services, Tips and Tricks, Aaron Woland: Tue 08:00-10:00 AM, L-2, Mandalay Bay G; Wed 1:30-03:30 PM, L-2, Mandalay Bay H
 - BRKSEC-2039 Cisco Medical Device NAC, Mark Bernard and Tim Lovelace: Mon 04:00-05:30 PM, Level 3, South Seas D
 - BRKCOC-2018 Inside Cisco IT: How Cisco Deployed ISE and TrustSec, David Iacobacci and Bassem Khalife: Thu 08:30-10:00 AM, Level 3, South Seas E

152 Cisco TrustSec Break Out Sessions
 - Enabling Software-Defined Segmentation with TrustSec, Fay Lee: Tue 4:00-5:30 PM, Level 2, Mandalay Bay G
 - BRKCRS-2893 Choice of Segmentation and Group based Policies for Enterprise Networks, Hariprasad Holla: Thu 10:30-12:00 PM, Level 2, Breakers IJ
 - BRKCRS-2810 Cisco SD-Access - A Look Under the Hood, Shawn Wargo: Mon 1:30-03:30 PM, L-2, Lagoon I; Tue 08:00-10:00 AM, L-3, South Seas D
 - BRKSEC-2205 Security and Virtualization in the Data Center, Justin Poole: Mon 08:00-10:00 AM, Level 2, Reef F
 - BRKSEC-3014 Security Monitoring with StealthWatch: The detailed walkthrough, Matthew Robertson: Mon 1:30-3:30 PM, Level 2, Breakers IJ
 - BRKSEC-2026 Building Network Security Policy Through Data Intelligence, Darrin Miller and Matthew Robertson: Wed 4:00-5:30 PM, Level 3, South Seas G

153 ISE / TrustSec Labs
 - LTRSEC-2002 ISE integration with Firepower using the pxGrid protocol, Vibhor Amrodia and Aditya Ganjoo: Wed 8:00-12:00 PM, MGM Grand, Level 1, Room 104
 - LTRCRS-2006 Visibility Driven Secure Segmentation, Hariprasad Holla and Aaron Rohyans: Wed 01:00-05:00 PM, MGM Grand, Level 1, Room 115
 - LTRCRS-2810 Cisco SD-Access Hands-on Lab, Derek Huckaby and Larissa Overbey: Wed 01:00 PM, MGM L-1, 116; Thu 08:00 PM, MGM L-1, 101

154 Demos (all in the World of Solutions)
 - ISE Secure Access Demo: multiple ISE demos (ISE Visibility, Easy Connect, Posture, etc.)
 - Network Segmentation Demo: use of TrustSec to mitigate WannaCry-style ransomware
 - Healthcare / Medical NAC Demo: ISE profiles for medical NAC, TrustSec segmentation, RTC
 - Network as a Sensor and Enforcer: ISE and Stealthwatch for visibility and control

155 Special sessions
 - DEVNET-1010 Using Cisco pxGrid for Security Platform Integration, Nancy Cam-Winget and Brian Gonsalves: World of Solutions, DevNet, Classroom 1
 - PSODGT-1077 FirePower services (AMP, IPS, URL) and Access with ISE and AnyConnect, Pooja Kapoor and William Young: World of Solutions, DevNet, Classroom 1
 - VILSEC-1007 Vulnerability Prioritization & Mitigation with Cisco ISE and FirePOWER, John Schimelpfenig: WOS Security Village, Booth #1829
 - VILSEC-2000 Deception & Automation Disorientates and Defeats Cyber Attackers, Moshe BenSimon: WOS Security Village, Booth #1829
 - SOLCLD-2011 How Cisco and Infoblox Automate and Secure Network Services, Dave Signori: WOS Solutions Theater, Booth #4223
 - TNKSEC-2000 Advanced Security Analytics: NetFlow and Metadata for Incident Response, Bob Noel: WOS Think Tank, Booth #1601

156 Questions??


More information

Security? where to? Adrian Aron. Consultant Systems Engineer. 19 Oct

Security? where to? Adrian Aron. Consultant Systems Engineer. 19 Oct Security? where to? Adrian Aron Consultant Systems Engineer 19 Oct Agenda Industry shift and trends Router security, switch security OpenDNS Integration and automation Q&A Road from task to implementation

More information

There are two ways for a sensor device to detect the Security Group Tag (SGT) assigned to the traffic:

There are two ways for a sensor device to detect the Security Group Tag (SGT) assigned to the traffic: Contents Introduction Components Used Overview The User-IP Mapping Method The Inline Tagging Method Troubleshooting From the Restricted Shell of a Firepower Device From the Expert Mode of a Firepower Device

More information

Introduction to External Connectivity

Introduction to External Connectivity Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Cisco Network Admission Control (NAC) Solution

Cisco Network Admission Control (NAC) Solution Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,

More information

Layer 4 to Layer 7 Design

Layer 4 to Layer 7 Design Service Graphs and Layer 4 to Layer 7 Services Integration, page 1 Firewall Service Graphs, page 5 Service Node Failover, page 10 Service Graphs with Multiple Consumers and Providers, page 12 Reusing a

More information

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation) This chapter contains the following sections:, on page 1 Alias API Inspector App Center Alias A changeable name for a given object. While the name of an object, once created, cannot be changed, the Alias

More information

VXLAN Overview: Cisco Nexus 9000 Series Switches

VXLAN Overview: Cisco Nexus 9000 Series Switches White Paper VXLAN Overview: Cisco Nexus 9000 Series Switches What You Will Learn Traditional network segmentation has been provided by VLANs that are standardized under the IEEE 802.1Q group. VLANs provide

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized

More information

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 Last revised: February 1, 2008 Contents Overview section on page 1 Configuring Guest Access on the Cisco Wireless

More information

New and Changed Information

New and Changed Information This chapter contains the following sections:, page 1 The following table provides an overview of the significant changes to this guide for this current release. The table does not provide an exhaustive

More information

Cisco Application Policy Infrastructure Controller Data Center Policy Model

Cisco Application Policy Infrastructure Controller Data Center Policy Model White Paper Cisco Application Policy Infrastructure Controller Data Center Policy Model This paper examines the Cisco Application Centric Infrastructure (ACI) approach to modeling business applications

More information

Cisco HyperFlex Systems

Cisco HyperFlex Systems White Paper Cisco HyperFlex Systems Install and Manage Cisco HyperFlex Systems in a Cisco ACI Environment Original Update: January 2017 Updated: March 2018 Note: This document contains material and data

More information

Intuit Application Centric ACI Deployment Case Study

Intuit Application Centric ACI Deployment Case Study Intuit Application Centric ACI Deployment Case Study Joon Cho, Principal Network Engineer, Intuit Lawrence Zhu, Solutions Architect, Cisco Agenda Introduction Architecture / Principle Design Rollout Key

More information

Chapter 5. Security Components and Considerations.

Chapter 5. Security Components and Considerations. Chapter 5. Security Components and Considerations. Technology Brief Virtualization and Cloud Security Virtualization concept is taking major portion in current Data Center environments in order to reduce

More information

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1 Cisco ISE Overview, page 2 Key Functions, page 2 Identity-Based Network Access, page 2 Support for Multiple Deployment Scenarios, page 3 Support for UCS Hardware, page 3 Basic User Authentication and Authorization,

More information

Cisco Software-Defined Access

Cisco Software-Defined Access Migration Guide Cisco Software-Defined Access 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 31 Contents Cisco SD-Access... 3 Evolution of Networking

More information

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies)

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) CVP CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) 2018 Cisco and/or its affiliates. All rights reserved. This

More information

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration [ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a

More information

Demand-Based Control Planes for Switching Fabrics

Demand-Based Control Planes for Switching Fabrics Demand-Based Control Planes for Switching Fabrics Modern switching fabrics use virtual network overlays to support mobility, segmentation, and programmability at very large scale. Overlays are a key enabler

More information

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q&A Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q. What is the Cisco Cloud Services Router 1000V? A. The Cisco Cloud Services Router 1000V (CSR 1000V) is a router in virtual

More information

2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public PSODCN-1030 Intent Based Systems Deliver Automation Dave Malik Cisco Fellow and Chief Architect Advanced Services @dmalik2 2018 Cisco

More information

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks What Are Converged Access Workflows?, on page 1 Supported Cisco IOS-XE Platforms, on page 3 Prerequisites for

More information