Building Network Security Policy Through Data Intelligence

2 Building Network Security Policy Through Data Intelligence. Darrin Miller, Distinguished Technical Marketing Engineer; Matthew Robertson, Technical Marketing Engineer.

3 Cisco Spark. Questions? Use Cisco Spark to chat with the speaker after the session: 1. Find this session in the Cisco Live Mobile App. 2. Click Join the Discussion. 3. Install Spark or go directly to the space. 4. Enter messages/questions in the space. Cisco Spark spaces will be available until July 3. cs.co/ciscolivebot. 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets; Designing and implementing policy; Monitoring security policy; Active Enforcement; Conclusion.

5 About this Session: Segmentation.

6 Segmentation is Hard. We all know we want it but we're not sure how to do it effectively. (Image: a cow and a pig, probably not drunk.) CISO: How do I deploy segmentation without getting fired?

7 Segmentation is a Process (a cycle): Define the Objectives; Visibility: Understand Behaviour; Cluster & Segment Definition; Author; Validation: Would it Work?; Enforcement: Active Enforcement; Ongoing Monitoring & Validation; Ongoing Refinement.

8 Who we are. Matt Robertson, Security Business Group (SBG), Technical Marketing Engineer. Darrin Miller, Enterprise Networking Business Group (Not SBG), Distinguished Technical Marketing Engineer.

9 Segmentation & Network Security Policy. Security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work. Mechanisms: Static ACL, VLAN, Routing Redundancy, Private VLAN, DHCP Scope, Raw Addresses, Group Policy.

10 Group Based Policies. Simple ways to add access control policy for new things: Acquisitions and partnerships; Internet of Things; BYOD; Cloud. Represent threat state or vulnerable devices: Use Groups to represent suspicious devices based on the threat state detected; Use groups to protect device types that you cannot patch. Reduce effort in adds, moves & changes: Reduce error-prone admin; More consistent security policy; Reduce OpEx; Reduced time to implement changes; Manage complexity.

11 Group Policy Examples: TrustSec, ACI, Firewall Objects, and more!

12 Policy Between Groups (example groups: Engineers, Pigs, Beer Garden, Cows). Steps: Classification, Propagation, Enforcement.

13 Creating The Policy Matrix. How do I discover assets? How do I create groups? How do I decide my policy? How do I know my policy is valid? How do I verify that it's working? Matrix axes: Source Group, Destination Group, Action.

14 Scope of Discussion: Enterprise-Wide Policy. Branch, Campus, Datacenter, Cloud Datacenter, Cloud. Network as a Sensor; Shared Visibility; Tetration Analytics.

15 Agenda: Introduction; Harnessing Network Telemetry.

16 Network Telemetry. Telemetry: an automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring. Sources: Talos (Global Intelligence), Endpoint Agent, Access Switch, Distribution/Core Switch, Firewall, Proxy, Identity, Network Devices, AD & DNS. Each holds isolated knowledge based on its function and location.

17 Our Receiving Equipment. Cisco Stealthwatch: a collector and aggregator of network telemetry for the purposes of security analysis and monitoring. Cisco Identity Services Engine (ISE): collects and aggregates network telemetry to facilitate next-generation secure network access.

18 ISE: Building the Session Table. Inputs to the Session Table and Group Definitions: Active Authentication (host supplied): User & Device Authentication, MAC Authentication Bypass, Web portal, Alternative Active Authenticator. Passive Authentication (collected): WMI, Agent, SPAN, Syslog, REST API, Endpoint Probe. Profiling (collected): Infrastructure provided (DHCP, HTTP, etc.), Signature based.

19 Stealthwatch: Building the Flow Table. Inputs to the Flow Table: Transactional: NetFlow / IPFIX, weblogs. Contextual: User/Device Identity, Threat Intelligence, Group Definitions.

20 Transactional Telemetry with NetFlow (diagram: client on eth0/1, port 1024, to server on eth0/2, port 80). Record fields: Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT, TCP Flags. Two uni-directional records are shown: 10:20: eth0/ TCP SYN,ACK,PSH and 10:20: eth0/ TCP SYN,ACK,FIN.

21 Telemetry Processing: Stitching. Uni-directional flow records (client port 1024 on eth0/1, server port 80 on eth0/2) with fields Start Time, Interface, Src IP, Src Port, Dest IP, Dest Port, Proto, Pkts Sent, Bytes Sent, SGT, DGT; records: 10:20: eth0/ TCP and 10:20: eth0/ TCP. These are stitched into one bi-directional conversation flow record with fields Start Time, Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, Client SGT, Server SGT, Interfaces; record: 10:20: TCP eth0/1 eth0/2. Allows easy visualization and analysis.

22 Telemetry Processing: De-duplication (diagram: client port 1024, Sw1, ASA, Sw2, Sw3, server port 80). Conversation record fields: Start Time, Client IP, Client Port, Server IP, Server Port, Proto, Client Bytes, Client Pkts, Server Bytes, Server Pkts, App, Client SGT, Server SGT, plus Exporter, Interface, Direction, Action. Record: 10:20: TCP HTTP, observed at Sw1, eth0, in; Sw1, eth1, out; Sw2, eth0, in; Sw2, eth1, out; ASA, eth1, in; ASA, eth0, out, Permitted; ASA, eth0, in, Permitted; ASA, eth1, out; Sw3, eth1, in; Sw3, eth0, out; Sw1, eth1, in; Sw1, eth0, out.
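The stitching and de-duplication steps on the two slides above, as an added Python illustration (not Cisco or Stealthwatch code): uni-directional records from several exporters on the path are folded into one conversation record, each direction's counters are taken once, and every exporter/interface/direction/action copy is kept as context. The addresses, tags and counters are constructed sample data.

```python
"""Stitch uni-directional NetFlow records into bi-directional conversation
records and de-duplicate the copies that several exporters on the path report
for the same flow. Added illustration of the stitching and de-duplication
slides, not Cisco/Stealthwatch code; all records are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FlowRecord:
    """One uni-directional record as an exporter emits it (slide 20 fields)."""
    start: str
    exporter: str
    interface: str
    direction: str      # "in" or "out" relative to the exporter
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    octets: int
    sgt: int            # source group tag carried in the packet
    dgt: int            # destination group tag
    action: str = ""    # firewalls (ASA NSEL) add Permitted/Denied

@dataclass
class Conversation:
    """Bi-directional record shaped like the slide's conversation table."""
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    client_sgt: int = 0
    server_sgt: int = 0
    # (exporter, interface, direction, action) for every copy that was seen
    observations: list = field(default_factory=list)

def orient(rec):
    """Return (client_ip, client_port, server_ip, server_port, is_forward).
    Heuristic: the end using the higher (ephemeral) port is the client;
    Stealthwatch uses more signals, but this covers the sample (1024 -> 80)."""
    if rec.src_port > rec.dst_port:
        return rec.src_ip, rec.src_port, rec.dst_ip, rec.dst_port, True
    return rec.dst_ip, rec.dst_port, rec.src_ip, rec.src_port, False

def stitch(records):
    """Merge uni-directional records into conversations, counting each
    direction once even when several exporters report the same packets."""
    convs = {}
    counted = defaultdict(set)      # key -> {"fwd", "rev"} already counted
    for rec in records:
        cip, cport, sip, sport, fwd = orient(rec)
        key = (cip, cport, sip, sport, rec.proto)
        conv = convs.setdefault(
            key, Conversation(rec.start, cip, cport, sip, sport, rec.proto))
        conv.observations.append(
            (rec.exporter, rec.interface, rec.direction, rec.action))
        side = "fwd" if fwd else "rev"
        if side in counted[key]:
            continue                # duplicate copy: adds context only
        counted[key].add(side)
        if fwd:
            conv.client_bytes, conv.client_pkts = rec.octets, rec.pkts
            conv.client_sgt = rec.sgt
        else:
            conv.server_bytes, conv.server_pkts = rec.octets, rec.pkts
            conv.server_sgt = rec.sgt
    return list(convs.values())

def firewall_action(conv):
    """Action recorded by a firewall on the path, or '' if none saw it."""
    return next((a for _, _, _, a in conv.observations if a), "")

def _rec(exp, iface, d, fwd, action=""):
    """Constructed sample: 10.1.1.10:1024 (SGT 100) <-> 10.2.2.20:80 (SGT 1000)."""
    if fwd:
        return FlowRecord("10:20:01", exp, iface, d, "10.1.1.10", 1024,
                          "10.2.2.20", 80, "TCP", 12, 2400, 100, 1000, action)
    return FlowRecord("10:20:01", exp, iface, d, "10.2.2.20", 80,
                      "10.1.1.10", 1024, "TCP", 10, 9000, 1000, 100, action)

SAMPLE_RECORDS = [   # the same conversation reported by Sw1, the ASA and Sw2
    _rec("Sw1", "eth0", "in", True), _rec("Sw1", "eth1", "out", True),
    _rec("ASA", "eth1", "in", True, "Permitted"),
    _rec("ASA", "eth0", "out", True, "Permitted"),
    _rec("Sw2", "eth0", "in", True), _rec("Sw2", "eth1", "out", True),
    _rec("Sw2", "eth1", "in", False), _rec("Sw2", "eth0", "out", False),
    _rec("ASA", "eth0", "in", False, "Permitted"),
    _rec("ASA", "eth1", "out", False),
    _rec("Sw1", "eth1", "in", False), _rec("Sw1", "eth0", "out", False),
]
```

Twelve exporter copies collapse into one conversation whose byte counts are not inflated, which is what makes volume-based reports and host-group policy checks trustworthy.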

23 Conversational Flow Record: Who, What, Who, When, Where, How, plus more context. Stitched and de-duplicated. Conversational representation. Highly scalable data collection and compression. Months of data retention.

24 ISE as a Telemetry Source. Cisco ISE (Device/User Authentication, Device Profiling, Passive Identity) shares its Authenticated Session Table over pxGrid with the Stealthwatch Management Console, which maintains a historical session table, correlates NetFlow to username and builds user-centric reports.

25 Host Groups: Virtual Container of IP Addresses. User defined. Similar attributes. Model any Process/Application.

26 Threat Intelligence. Stealthwatch Threat Intelligence License: Known C&C Servers; Tor Entrance and Exits.

27 Decorated Conversational Flow Record. Decorations: NBAR, Geo-IP mapping, ISE Telemetry, Threat Intelligence, Flow Sensor. Applied situational awareness.

28 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets.

29 Classification: Grouping objects based on their similar properties. Aristotle, Plato: Categories are discrete entities characterized by a set of properties which are shared by their members.

30 Classification: Canadian Bacon is Ham! No.

31 Classification: Canadian Bacon, Ham, American Bacon.

32 Classification: Objective. All IP Space.

33 Classification: Objective. Things I don't own: Geo-IP, ASNs, Threat Intel. Things I own, by Function: Servers, NGFW, HR Application, Imaging; by Location: HQ, Branch, CoLo.

34 Host Groups: Logical Buckets of IP Space. Hierarchical structure. Examples: My DNS Servers are ___ and ___; All my POSs are ___/24; My HQ is ___/8; etc. IP Address list. A host can exist in multiple Host Groups. A host cannot be simultaneously Inside and Outside.

35 Host Group Tactics: Best Practices. Outside Hosts: Trusted Internet Hosts (Partners/Trusted Entities); Monitored Internet Hosts (specific hosts of interest, ex. Cloud Service Providers); Suspect Fat Finger (investigation acceleration). Inside Hosts: Catch All (Unclassified Space); By Location (for reference and trust boundaries); By Function (for security policy and reporting); By Application (for investigation).

36 Building Groups: Direct Configuration. Suspect Fat Finger: numerous 1-digit transpositions of RFC1918 space. Helps eliminate false positives, ex. Outbound RDP to Czech Republic. Or a defect.

37 Building Groups: Leverage Telemetry. Group Definitions; Search.

38 Group Telemetry: Host Groups are just an XML file!

39 Host Group Automation. Sources: Tetration Analytics, Contextual IP Definitions, IPAM, Threat Intel, ASN:IP Databases, etc. Scripted conversion to host groups.

40 Discovery of servers through flow. Search for Top Hosts Serving Traffic. Filter on Services/Applications of Interest. Start with well known services: DNS (UDP/53); Mail Servers (imap4, smtp); Domain Controllers (Kerberos AND NetBIOS AND SMB AND LDAP); File and Backup Servers (nfs, smb).

41 Discovery of DNS Servers Example. Likely DNS Servers: go and validate. Examine volume: note the drastic decrease. Rogue or misconfiguration.
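The discovery procedure of the two slides above, as an added Python example (not Stealthwatch code) over constructed conversation records: rank hosts serving a well-known service by bytes served and distinct clients, split the ranking at the sharpest volume drop-off so the long tail is handed to validation rather than classified, and find domain controllers as hosts serving Kerberos AND NetBIOS AND SMB AND LDAP. The service port sets and all addresses are assumptions made for the sample.

```python
"""Discover likely servers from conversation (bi-flow) records. Added example,
not Stealthwatch code; SERVICES/DC_SERVICES port sets and the sample records
are constructed for illustration."""
from collections import defaultdict

# Service definitions as (protocol, server port); names follow slide 40.
SERVICES = {
    "dns": {("udp", 53)},
    "mail": {("tcp", 25), ("tcp", 143)},        # smtp, imap4
    "file": {("tcp", 2049), ("tcp", 445)},      # nfs, smb
}
# A domain controller must be seen serving every one of these.
DC_SERVICES = {
    "kerberos": {("tcp", 88), ("udp", 88)},
    "netbios": {("udp", 137), ("udp", 138), ("tcp", 139)},
    "smb": {("tcp", 445)},
    "ldap": {("tcp", 389), ("udp", 389)},
}

def top_servers(biflows, service):
    """Hosts serving `service`, ranked by bytes served, then client count.
    Returns a list of (server_ip, server_bytes, distinct_clients)."""
    served = defaultdict(int)
    clients = defaultdict(set)
    for f in biflows:
        if (f["proto"], f["server_port"]) in SERVICES[service]:
            served[f["server_ip"]] += f["server_bytes"]
            clients[f["server_ip"]].add(f["client_ip"])
    return sorted(((ip, served[ip], len(clients[ip])) for ip in served),
                  key=lambda t: (t[1], t[2]), reverse=True)

def split_on_dropoff(ranked, min_ratio=10.0):
    """Split a ranking into (likely servers, suspects) at the first point
    where served volume falls by at least `min_ratio` versus the previous
    host. Hosts below the drop are rogue/misconfiguration candidates that
    need validation (IPAM, reverse DNS, ownership), not a classification."""
    for i in range(1, len(ranked)):
        prev, cur = ranked[i - 1][1], ranked[i][1]
        if cur == 0 or prev / cur >= min_ratio:
            return ranked[:i], ranked[i:]
    return ranked, []

def domain_controllers(biflows):
    """Hosts seen serving all four DC services (AND, not OR)."""
    seen = defaultdict(set)     # server_ip -> names of DC services served
    for f in biflows:
        for name, ports in DC_SERVICES.items():
            if (f["proto"], f["server_port"]) in ports:
                seen[f["server_ip"]].add(name)
    return sorted(ip for ip, names in seen.items() if names == set(DC_SERVICES))

def _bf(client, server, proto, port, sbytes):
    return {"client_ip": client, "server_ip": server, "proto": proto,
            "server_port": port, "server_bytes": sbytes}

# Constructed sample: two real DNS servers, one host answering a little DNS
# (rogue or misconfigured), one domain controller and one plain file server.
SAMPLE_BIFLOWS = [
    _bf("10.1.0.5", "10.0.0.53", "udp", 53, 900_000),
    _bf("10.1.0.6", "10.0.0.53", "udp", 53, 850_000),
    _bf("10.1.0.7", "10.0.0.54", "udp", 53, 700_000),
    _bf("10.1.0.8", "10.0.0.54", "udp", 53, 600_000),
    _bf("10.1.0.9", "10.3.3.99", "udp", 53, 4_000),
    _bf("10.1.0.5", "10.0.0.10", "tcp", 88, 50_000),
    _bf("10.1.0.5", "10.0.0.10", "udp", 137, 3_000),
    _bf("10.1.0.5", "10.0.0.10", "tcp", 445, 400_000),
    _bf("10.1.0.5", "10.0.0.10", "tcp", 389, 60_000),
    _bf("10.1.0.6", "10.0.0.20", "tcp", 445, 9_000_000),   # file server only
]

if __name__ == "__main__":
    likely, suspects = split_on_dropoff(top_servers(SAMPLE_BIFLOWS, "dns"))
    print("likely DNS servers:", likely)
    print("validate before classifying:", suspects)
    print("domain controllers:", domain_controllers(SAMPLE_BIFLOWS))
```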

42 Validation of Server Classification.

43 Validation of Server Classification. Assertion: ___ is an Imaging Archive Server. Check corporate records: Compare to any IPAM; Reverse DNS; Validate corporate ownership; Location & subnet. Other Activity: What else is it serving? What else is it connecting to? Other applications; Ports/protocols; Flow Search: see previous 2 slides. What are the clients? Type of Client (ISE); End users.

44 Discovery of Clients. Find top peers communicating with the Imaging Archive Server Group.

45 Identifying Inbound Clients. All inbound Clients over the course of the day, stack ranked by volume.

46 Sometimes it's About the Process. Canadian Bacon: Loin cut; Rolled in peameal (cornmeal is acceptable); Brine cure.

47 Identify Application Clients. Filter top peers on known application details (https). Identification of potential Radiology Imaging Clients.

48 Validate and Classify Clients. Look, a Doctor! Classify into the Radiology Imaging Client Group.

49 Automatic Classification. First introduced in Stealthwatch 6.7. Currently only for Scanners. Expect to see significant enhancements.

50 Begin Mapping Dependencies and Policy.

51 Begin Mapping Dependencies and Policy. Inter-system relationships.

53 Stealthwatch as a Telemetry Source. Data Exporter: high speed export of Stealthwatch bi-flow via web socket to other applications. Flow Collector 4000/5000 models.

54 Stealthwatch Data Exporter: Splunk. Use Data Exporter to move biflow data into Splunk.

55 Segmentation Service. Inputs: Stealthwatch bi-flow, Sessions & Groups, AD, IPAM, Host Groups, Meta Data, Custom rules. Segmentation Service Software: Analysis & Segment Definition. Output: Host Groups, NGFW ACLs, SGTs.

56 Cluster Analysis.

57 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets; Designing and implementing policy.

58 Starting a Segmentation Design. Discuss assets to protect (example: Cardholder Data, Medical Record, intellectual data). Classification Mechanisms (example: Dynamic, Static, etc.). Policy Enforcement Points: DC segmentation (DC virtual/physical switches or virtual/physical Firewalls); User to DC access control (identify capable switches or firewalls in the path). Propagation Methods: Inline Tagging, SXP, DM-VPN, GET-VPN, IPSec, VXLAN, etc.

59 Logical Groupings Based On Business Goals. Business-based groupings to provide consistent policy and access independent of network topology. Leverage attributes such as location and device type to define group assignments. Example groups: Contractor (Contractor 1, 2, 3, 4); Employee (Employee 1, 2, 3, 4); Building Management (Temperature Device 1, Temperature Device 2, Surveillance Device 1, Surveillance Device 2); FinanceServer (Fin 1, Fin 2); Printers (Printer 1, ...).

60 Approaching a Design. Start with desired goals in mind, e.g. controlled access to Production systems or PCI Servers, etc. Remember many use-cases can be localized, for example: User to DC Access Control; BYOD; Contractor Access Control; Extranet security; Simplifying Firewall rules, VPN access, ACLs or WSA rules. Problems where OpEx is high can be good places to start: complex ACLs and Firewall rule complexity are good indicators of where dynamic objects (TrustSec, ID Firewall, etc.) will help the most.

61 Starting a Design. First, think about the assets to protect (Cardholder Data, Medical records). Choose mechanisms for classifying systems (assigning SGTs to assets). Based on the policy goals, choose where policy enforcement is needed, e.g. DC segmentation for Production vs Non-Production zones (DC virtual/physical switches or virtual/physical Firewalls protecting those assets), or User to DC access control (identify capable switches or firewalls in the path where we can enable initial enforcement). Choose how to propagate objects to the policy enforcement devices in an automated fashion: Management/Control Plane: REST APIs with pub/sub, pxGrid, SXP, etc. Data Plane: TrustSec (VXLAN, DMVPN, etc.), ACI (VXLAN, etc.), NSH.

62 Security Object Initial Considerations. Unlike traditional segmentation/access control, adding dynamically assigned groups later should be easy (TrustSec, ID FW, etc.): no configuration impact on infrastructure, all Group Config is centralized. Keep groups as simple as possible whilst still meeting policy requirements; it is easy to add Security Objects later as needed. It should not be necessary to transfer complexity, like extensive AD groups, into Security Objects (not 1 AD group : 1 Security Object). Compliance goals and roles previously used for VLAN assignment tend to be simple. Consider whether all roles need a Security Object assigned. Remember that group membership may change very frequently, but Groups and Group-based policies tend not to change frequently.

63 Group-based Policies in Firewalls. Simplified rule management: define protected assets by their role, not their IP address. Groups are retrieved from ACI and TrustSec-enabled data centers. Avoids complexity and add/move/change effort. Leads to a much simpler and smaller rulebase. Consistent, clear, simple rules.

64 Security Object Relationship Mapping (diagram). All Groups: External (Guests, Internet, Partner); Users (User1App1, User1App2, User1App3, User1App4, User2App1, Audit, Admin, Non Compliant); Devices (Device1 App1, Device1 App2, Device1 App3, Device2 App1, Device2 App3, Device 3 App1, BYOD Access, Unified Comm., HVAC, Billing, Security, Guest Devices); Apps/Services (AD Server, Device 1 App3, App1, App3, Unified Comm., HVAC, Network Services).

65 Static and Dynamic Classification Methods. Dynamic mechanisms (ideal for users and mobile devices; user endpoints and virtual systems): 802.1X, WebAuth, MAB, Profiling, Passive ID (Easy Connect), ACI (App-Centric), V. Port Profile, pxGrid & REST APIs; assigning e.g. SGT #1, SGT #2. Static mechanisms (internal resources: internal IT infrastructure and topology-based policy; partner & external: external partners and 3rd party connections): IP Address, Subnets, VLANs, L3 Interface, VN, Port; assigning e.g. SGT #3, SGT #4.

66 Identify Where Groups Need to be Created/Assigned. Based on the assets to protect, identify where we need to classify. Across Campus Access, Distribution, Core, Enterprise Backbone, DC Core, EOR, DC Access, WLC, FW and Hypervisor SW: End User / Endpoint is classified with SGT; BYOD device is classified with SGT; SVI interface is mapped to SGT; VLAN is mapped to SGT; Physical Server is mapped to SGT; Virtual Machine is mapped to SGT.

67 Enabling Classifications. Many migration options can be used to make enabling easy. If per-user authorization is not in place, enabling VLAN, subnet and L3 Interface mappings can provide coarse classification initially; per-user authorization (TrustSec, Passive ID) can then override static classification. Many systems may get Unknown classification assignments initially; focus on the explicit classifications needed to meet policy. Keeping classifications simple can mean days, not weeks, to enable.

68 Security Object Single Application Mappings (diagram). Users: User1App1, User2App2, Admin. Devices: Device1 App1, Device1 App2, Device2 App1, Device 3 App1, Billing. Apps/Services: AD Server, App1, App2, Network Services.

69 Policy Matrix Example. Legend: ACL, Deny, Permit.

70 Deployment Approach. Users connect to the network; Monitor mode allows traffic regardless of authentication. Authentication can be performed passively, resulting in Group assignments. Monitor Mode on the Enterprise Network (Catalyst Switches/WLC). Classified traffic traverses the network, allowing monitoring and validation that: assets are correctly classified; traffic flows to assets are as predicted/expected. Matrix (SRC \ DST; columns PCI Server (2000), Prod Server (1000), Dev Server (1010); (M) = monitor mode): Employees (100): Deny all / Permit all (M), Permit all, Deny all / Permit all (M). PCI User (105): Permit all, Permit all, Deny all / Permit all (M). Unknown (0): Deny all / Permit all (M), Permit all, Deny all / Permit all (M).

71 Enabling Group-Based Policies Across the Enterprise. Goal: consistent Security Groups and Identity shared between TrustSec and ACI domains. Allow TrustSec security groups to be used in ACI policies. Allow ACI EndPoint Groups to be used in policies across the Enterprise. Simplified management of security appliances using both TrustSec and ACI classifications. Diagram: TrustSec Policy Domain (Campus / Branch / Non-ACI DC; ISE 2.1; Voice, Employee, Supplier, BYOD; Voice VLAN, Data VLAN) and ACI Policy Domain (Data Center; APIC; ACI Fabric; Web, App, DB).

72 TrustSec Security Groups Provisioned in ACI. ISE dynamically provisions TrustSec Security Groups in the ACI Fabric; TrustSec Groups are represented as External EPGs.

73 TrustSec Domain Automatically Aware of ACI Application Servers. ISE dynamically learns EPGs and VM Bindings (VM1 ... VM1000) from the ACI fabric; TrustSec Policies control access to ACI Data Centers.

74 Group Policy APIs. Share group info to simplify policy management. Share classifications to reduce SecOps effort, deliver consistency and simplify audit. Scripts to Read/Write Groups between Enterprise Security Groups and: AWS Security Groups, Azure Network Security Groups, Rackspace Security Groups, OpenStack Security Groups, ACI EndPoint Groups (APIC DC), ODL Groups, VTS Groups. Multiple clouds with consistent policy. Foundation for DNA/SDA.

75 Agenda: Introduction; Harnessing Network Telemetry; Discover and Classify Assets; Designing and implementing policy; Monitoring security policy.

76 Crypto Compliance (ETA). Are my services cryptographically compliant? Filter/sort results on cryptographic information (ex. SSL vs TLS).

77 Stealthwatch Security Model. Algorithm: track and/or measure behaviour/activity. Security Event: suspicious behaviour observed or anomaly detected. Alarm: notification of security event generated.

78 Alarm Categories. Each category accrues points.

79 Monitoring of Traditional Segmentation Policies. PCI Zone Map; Forbidden Relationship; Inter-system relationships.

80 Policy Violation: Host Locking. Client group; Server group; Client traffic conditions; Server traffic conditions; Successful or unsuccessful.

81 Visibility into Group Policy. Source and Destination group numbers and names are stitched into the flow table. Source and Destination groups are collected from flow records. IP-SGT bindings are collected from pxGrid by Stealthwatch.

82 NetFlow SGT Support. Source Tag: retrieved from the packet. Destination Tag: derived based on destination IP Address. Switch Derived Source Tag (4K only): value applied on the packet on egress. SGT Table (6K only): export in NetFlow template data tables mapping Security Group Tags to Security Group Names. SGACL Drop Record (6K only): generate a flow record on an SGACL drop.

83 SGT-NetFlow Device List
Device                              | First Release                 | Source Tag    | Destination Tag | Switch-Derived SGT | SGT Table | SGACL Drop Record
Catalyst 6500 (Sup2T)               | IOS 15.1(1)SY1                | Yes (match)   | Yes (match)     | No                 | Yes       | Yes (dedicated monitor)
ISR, ASR, CSR                       | IOS XE 3.13S                  | Yes           | Yes             | No                 | No        | No
Catalyst 3850, 3650                 | IOS XE 3.7.1E, IOS XE 3.6.3E* | Yes (match)   | Yes (match)     | No                 | No        | No
Catalyst 4500 (Sup 7-E, 7L-E, 8-E)  | IOS XE 3.7.1E, IOS XE 3.6.3E* | Yes (collect) | Yes (collect)   | Yes                | No        | No
ASA                                 |                               | No            | No              | No                 | No        | NSEL Record
Stealthwatch FlowSensor             | 6.8                           | Yes           | No              | No                 | No        | No

84 Considerations: 3850. Ingress: Source Tag sources: derived from packet header. DGT sources: derived based on destination IP lookup; SGACL enforcement must be enabled; trunk link only. Egress: Source Tag sources: incoming packet header, port configured SGT, IP to SGT mapping. Destination Tag sources: derived based on destination IP lookup; requires SGACL enforcement to be enabled; trunk link only! Flow monitor and interface configuration:
!
flow monitor cts-cyber-monitor-in
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-in
!
!
flow monitor cts-cyber-monitor-out
 exporter StealthWatch-FC
 cache timeout active 60
 record cts-cyber-3k-out
!
interface GigabitEthernet1/0/1
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!
vlan configuration 100
 ip flow monitor cts-cyber-monitor-in input
 ip flow monitor cts-cyber-monitor-out output
!

85 Considerations: 3850. Flow records referenced by the monitors above:
!
flow record cts-cyber-3k-in
 match datalink mac source address input
 match datalink mac destination address input
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow record cts-cyber-3k-out
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!

86 Considerations: 4500 Sup 7-E, 7L-E, 8-E. Source Tag: packet header (maximum 12K distinct source IPs). Destination Tag: derived based on destination IP. Switch Derived Source Tag: the SGT enforced on the packet by the switch, from policy acquisition: SGT in the packet, SGT lookup on source IP, port SGT lookup, SGT on the packet at egress. Flow record:
!
flow record cts-cyber-4k
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 collect flow cts source group-tag
 collect flow cts destination group-tag
 collect flow cts switch derived-sgt
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

87 Considerations: 6500 Sup 2T. TrustSec data table: export SGT-SGN mapping in the NetFlow template. SGACL Drop: flow record generated on a drop; requires a dedicated Flow Monitor. Source Tag: packet header, IP-SGT lookup. Destination Tag: derived based on destination IP lookup. Flow record:
!
flow record cts-cyber-6k
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow cts source group-tag
 match flow cts destination group-tag
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!

88 Considerations: 6500 Sup2T. SGACL Drop config, exporter and monitor:
!
flow exporter ise
 destination
 source TenGigabitEthernet2/1
 transport udp 9993
 option cts-sgt-table timeout 10
!
flow monitor FNF_SGACL_DROP
 exporter ise
 record cts-record-ipv4
!
cts role-based ip flow monitor FNF_SGACL_DROP dropped
!
flow exporter CYBER_EXPORTER
 destination
 source TenGigabitEthernet2/1
 transport udp 2055
 option cts-sgt-table timeout 10
!
flow monitor CYBER_MONITOR
 exporter CYBER_EXPORTER
 cache timeout active 60
 record cts-cyber-6k
!

89 Considerations: ISR, ASR, CSR. Source Tag: packet header, IP-SGT lookup. Destination Tag: destination IP lookup. Flow record:
!
flow record cts-cyber-ipv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!

90 Modeling Group Policy in Stealthwatch. Custom event triggers on a traffic condition: Rule name and description; Source Tag; Destination Tag; Trigger on traffic in both directions; Successful or unsuccessful.

91 Modeling Group Policy in Stealthwatch. Create flow-based rules for all proposed policy elements. A Policy Violation alarm will trigger if the condition is met, simulating the proposed drop.

92 Modeling Policy: Alarm Occurrence. Alarm dashboard showing all Policy alarms. Details of Employee to Production Servers alarm occurrences.

93 Modeled Policy: Flow Details (How, When, Who, Where, What, Who; Source Tag, Destination Tag). Is this communication permissible? Yes: Tune. No: Respond.

94 Monitoring Unified SGT-ACI Policy. Group Definitions flow over pxGrid from Cisco ISE (Policy Plane Integration with APIC-DC, Policy Push) to Tetration Analytics as SGT Definitions and EPG Definitions; Tetration Telemetry arrives via NetFlow and SPAN. TrustSec Domain: pci_users, SGT: 16. ACI Domain: EV_appProfile_LOB2_App1EPG, SGT: .

95 Monitoring Unified SGT-ACI Policy. Flow cache on the 6500 core (the cached flows are ICMP, IP protocol 1; NetFlow encodes ICMP type/code in the destination port field, so 2048 is echo request, type 8) followed by the SGT name table from cts environment-data:
C6K2T-CORE-1#$how flow monitor CYBER_MONITOR cache filter ipv4 destination address
--snip--
IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL: 1
tcp flags: 0x00
interface output: Te2/1
counter bytes: 1320
counter packets: 22
timestamp first: 04:04:
timestamp last: 04:04:

IPV4 SOURCE ADDRESS:
IPV4 DESTINATION ADDRESS:
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG:
IP PROTOCOL: 1
tcp flags: 0x00
interface output: Te2/1
counter bytes: 1440
counter packets: 24
timestamp first: 04:04:
timestamp last: 04:04:

C6K2T-CORE-1#sho cts environment-data
--snip--
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Devices
  3-00:Network_Services
  4-00:Employees
  5-00:Contractors
  6-00:Guests
  7-00:Production_Users
  8-00:Developers
  9-00:Auditors
  10-00:Point_of_Sale_Systems
  11-00:Production_Servers
  12-00:Development_Servers
  13-00:Test_Servers
  14-00:PCI_Servers
  15-00:BYOD
  16-00:pci_users
  :Quarantined_Systems
  :EV_appProfile_LOB1_Web1EPG
  :EV_appProfile_LOB1_App1EPG
  :EV_appProfile_LOB1_DB1EPG
  :EV_appProfile_NetworkServicesEPG
  :EV_appProfile_LOB2_App1EPG
--snip--

96 Monitoring Unified Policy: Stealthwatch Flow
Source Group: assigned by ISE authorization
Endpoint Group: defined in APIC

97 Agenda
Introduction
Harnessing Network Telemetry
Discover and Classify Assets
Designing and implementing policy
Monitoring security policy
Active Enforcement

98 Enabling Enforcement: Example with TrustSec Egress Enforcement
Diagram: users and endpoints on the campus network (Catalyst 3K/4K/6K switches, WLC) reach the PCI, Production and Development servers behind an N7K that applies Security Group ACLs in monitor mode.

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Deny all            Deny all             Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Deny all            Deny all             Permit all

Enforcement may be enabled gradually on a per-destination Security Group basis
Initially use SGACLs with deny logging enabled (remove log later if not required)
Keep the default policy as permit and allow traffic with an unknown SGT during deployment
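To make the slide 93 question ("is this communication permissible?") concrete for the SGT-carrying flow records of slide 95 and the egress matrix of slide 98, here is an added Python example that is not part of the deck: the name table, the flow records and their RFC 1918 addresses are constructed samples, the matrix is transcribed from slide 98, and pairs the matrix does not cover fall through to the deployment-phase default of permit.

```python
"""Check SGT-tagged NetFlow records against a TrustSec egress policy matrix.

Added example (not from the deck): parses constructed text in the formats of
`show cts environment-data` and `show flow monitor ... cache`, then looks up
each flow's (source SGT, destination SGT) pair in the slide 98 matrix. Pairs
the matrix does not cover get the rollout-phase default of permit and are
flagged for review (tune the model or respond) before enforcement is enabled.
"""
import re
from typing import Dict, List

# Constructed name table; tag values follow the slide 98 matrix, not slide 95.
ENV_DATA = """\
Security Group Name Table:
0-00:Unknown
100-00:Employees
105-00:PCI_Users
1000-00:Production_Servers
2000-00:PCI_Servers
"""

# Constructed cache records (sample RFC 1918 addresses). The first mirrors
# slide 95: ICMP from Employees to a destination carrying no tag (SGT 0).
FLOW_CACHE = """\
IPV4 SOURCE ADDRESS: 10.1.10.25
IPV4 DESTINATION ADDRESS: 10.9.0.7
TRNS SOURCE PORT: 0
TRNS DESTINATION PORT: 2048
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 0
IP PROTOCOL: 1
counter packets: 22

IPV4 SOURCE ADDRESS: 10.1.10.25
IPV4 DESTINATION ADDRESS: 10.20.5.10
TRNS SOURCE PORT: 51022
TRNS DESTINATION PORT: 443
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 2000
IP PROTOCOL: 6
counter packets: 9

IPV4 SOURCE ADDRESS: 10.1.11.40
IPV4 DESTINATION ADDRESS: 10.20.7.3
TRNS SOURCE PORT: 58120
TRNS DESTINATION PORT: 3389
FLOW CTS SOURCE GROUP TAG: 105
FLOW CTS DESTINATION GROUP TAG: 1000
IP PROTOCOL: 6
counter packets: 140
"""

# Slide 98 matrix: (src SGT, dst SGT) -> action.
POLICY_MATRIX = {
    (100, 2000): "deny",   (100, 1000): "deny",   (100, 1010): "permit",
    (105, 2000): "permit", (105, 1000): "permit", (105, 1010): "permit",
    (0, 2000): "deny",     (0, 1000): "deny",     (0, 1010): "permit",
}
DEFAULT_ACTION = "permit"  # keep the default policy as permit during deployment

def parse_sgt_names(text: str) -> Dict[int, str]:
    """Map SGT number -> name from the 'NN-00:Name' lines of the name table."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)-\d+:(\S+)", text, re.MULTILINE)}

def parse_flow_cache(text: str) -> List[Dict[str, str]]:
    """One dict per record; records are separated by blank lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records

def describe_flow(rec: Dict[str, str]) -> str:
    proto, dport = int(rec["ip protocol"]), int(rec["trns destination port"])
    if proto == 1:
        # Flexible NetFlow carries ICMP type/code in the destination port field
        # as type * 256 + code, so 2048 is an echo request (type 8, code 0).
        return f"icmp type {dport // 256} code {dport % 256}"
    return f"proto {proto} dport {dport}"

def evaluate(rec, names, matrix=POLICY_MATRIX, default=DEFAULT_ACTION):
    """Look up the flow's (src SGT, dst SGT) pair; fall back to the default."""
    src = int(rec["flow cts source group tag"])
    dst = int(rec["flow cts destination group tag"])
    action = matrix.get((src, dst))
    return {"src": f"{names.get(src, 'unmapped')}({src})",
            "dst": f"{names.get(dst, 'unmapped')}({dst})",
            "flow": describe_flow(rec), "packets": int(rec["counter packets"]),
            "action": action if action is not None else default,
            "explicit": action is not None}  # False: no matrix cell, default used

def audit(flow_text=FLOW_CACHE, env_text=ENV_DATA):
    names = parse_sgt_names(env_text)
    return [evaluate(r, names) for r in parse_flow_cache(flow_text)]
```

Calling audit() on the samples flags the slide 95 flow (Employees to an untagged destination) as permitted only by the default, which is exactly the kind of pair to tune or respond to before the deny rows are enforced.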

99 Centralized SGACL Management in ISE

100 Applying SGACLs
SGACL_1
  permit tcp dst eq 443
  permit tcp dst eq 80
  permit tcp dst eq 22
  permit tcp dst eq 3389
  permit tcp dst eq 135
  permit tcp dst eq 136
  permit tcp dst eq 137
  permit tcp dst eq 138
  permit tcp dst eq 139
  deny ip

101 Policy Deployment: Incremental Deployment/Rollback
Staging matrix allows changes to be applied on a controlled basis
Incremental deployment: apply changes across more of the network as desired
Ability to back out changes
Uses a workflow process with approval

102 Validation: What am I eating? Canadian Bacon OR Ham

103 Monitoring as Enforcement is Enabled
Dynamic security objects reduce SecOps effort but work differently; ops understanding is needed
Dynamic security functions are audited differently, but more easily and more accurately
Some new functions should be monitored
Management plane/control plane notifications and logging need to be managed
Need to log dynamic security object membership

104 ACL Monitoring
ACL logging on switches/routers is best effort
C6K2T-CORE-1#sho cts role-based permissions
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
        Malware_Prevention-11
C6K2T-CORE-1#sho ip access-list
Role-based IP access list Deny IP-00 (downloaded)
    10 deny ip
Role-based IP access list Malware_Prevention-11 (downloaded)
    10 deny icmp log-input (51 matches)
    20 deny udp dst range log-input
    30 deny tcp dst range log-input
    40 deny udp dst eq domain log-input
*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp (GigabitEthernet1/1 ) -> (8/0), 119 packets
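As an added example (not from the deck), the following Python works the deny-logging side of slides 98 and 104: it parses constructed %SEC-6-IPACCESSLOGDP/IPACCESSLOGP syslog lines and a constructed `show ip access-list` listing in the slide 104 format, totals denied packets per SGACL and source, and reports how many matched packets never reached syslog because switch/router ACL logging is best effort.

```python
"""Summarise SGACL deny logging from IOS syslog and `show ip access-list` output.

Added example (not from the deck). SYSLOG and ACL_LIST are constructed samples
(RFC 1918 addresses, made-up MACs) in the %SEC-6-IPACCESSLOGDP/IPACCESSLOGP
format and the role-based ACL listing format of slide 104. The helpers total
denied packets per SGACL and source, and compare the packets that reached
syslog with the ACE match counters: ACL logging on switches and routers is
rate-limited (best effort), so the counters are the authoritative hit count.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SYSLOG = """\
*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp 10.1.10.25 (GigabitEthernet1/1 0000.0c11.2233) -> 10.1.20.9 (8/0), 119 packets
*May 24 04:55:12.411: %SEC-6-IPACCESSLOGP: list Malware_Prevention-11 denied udp 10.1.10.25(61044) (GigabitEthernet1/1 0000.0c11.2233) -> 10.1.20.9(53), 4 packets
*May 24 04:56:01.002: %SEC-6-IPACCESSLOGP: list Malware_Prevention-11 denied tcp 10.1.10.31(40012) (GigabitEthernet1/1 0000.0c11.4455) -> 10.1.20.9(139), 1 packet
"""

ACL_LIST = """\
Role-based IP access list Deny IP-00 (downloaded)
    10 deny ip
Role-based IP access list Malware_Prevention-11 (downloaded)
    10 deny icmp log-input (123 matches)
    20 deny udp dst range 135 139 log-input
    30 deny tcp dst range 135 139 log-input (1 match)
    40 deny udp dst eq domain log-input (4 matches)
"""

# TCP/UDP lines (IPACCESSLOGP) carry "(port)" on both addresses; ICMP lines
# (IPACCESSLOGDP) carry " (type/code)" on the destination. The "(interface mac)"
# part appears only when the ACE uses log-input rather than log.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<intf>\S+) (?P<mac>\S+)\))? -> (?P<dst>[\d.]+)"
    r"(?:\((?P<dport>\d+)\)| \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<count>\d+) packets?")
ACL_HDR = re.compile(r"^Role-based IP access list (?P<name>.+?) \(downloaded\)\s*$")
ACE_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<ace>.*?)(?: \((?P<matches>\d+) match(?:es)?\))?\s*$")

def parse_syslog(text: str) -> List[Dict[str, object]]:
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            event = m.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events

def parse_ace_counters(text: str) -> Dict[str, Dict[int, Tuple[str, int]]]:
    """Return {ACL name: {sequence: (ACE text, match count)}}."""
    acls: Dict[str, Dict[int, Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        hdr = ACL_HDR.match(line)
        if hdr:
            current = hdr.group("name")
            acls[current] = {}
            continue
        ace = ACE_RE.match(line)
        if ace and current is not None:
            acls[current][int(ace.group("seq"))] = (ace.group("ace"),
                                                    int(ace.group("matches") or 0))
    return acls

def denied_by_source(events) -> Dict[Tuple[str, str], int]:
    """Denied packets per (ACL, source address): who is hitting which SGACL."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e["action"] == "denied":
            totals[(e["acl"], e["src"])] += e["count"]
    return dict(totals)

def logging_gap(events, acls) -> Dict[str, Dict[str, int]]:
    """Per ACL: packets matched by its ACEs vs. packets reported through syslog."""
    logged: Dict[str, int] = defaultdict(int)
    for e in events:
        logged[e["acl"]] += e["count"]
    gap = {}
    for name, aces in acls.items():
        counted = sum(n for _, n in aces.values())
        gap[name] = {"counted": counted, "logged": logged.get(name, 0),
                     "unlogged": counted - logged.get(name, 0)}
    return gap

if __name__ == "__main__":
    events = parse_syslog(SYSLOG)
    for (acl, src), n in sorted(denied_by_source(events).items()):
        print(f"{acl}: {src} denied {n} packets")
    for acl, g in logging_gap(events, parse_ace_counters(ACL_LIST)).items():
        print(f"{acl}: {g['counted']} matched, {g['logged']} logged, {g['unlogged']} not logged")
```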

105 FirePOWER Services Redirect
Create a service policy to forward suspicious traffic to FirePOWER Services

106 Threat Defense With ACI
Diagram: the Internet and the enterprise network sit in the TrustSec policy domain (FP 9300, ASA 5585), which connects to the ACI policy domain (APIC DC). ISE learns about ACI EPGs and shares them via pxGrid (providing threat defense for flows to the ACI DC). A quarantine issued by ISE EPS over pxGrid triggers a CoA that places the endpoint in the Quarantined group.

Security group firewall rule:
Source Criteria: IP any, SGT Quarantined
Destination Criteria: IP any, SGT WEB_EPG
Service: any
Action: Deny

107 Agenda
Introduction
Harnessing Network Telemetry
Discover and Classify Assets
Designing and implementing policy
Monitoring security policy
Active Enforcement
Conclusion

108 Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

109 Related Breakouts
BRKSEC-3014 Security Monitoring with Stealthwatch: The Detailed Walkthrough, Matt Robertson, Monday, June 26, 1:30-3:30 pm
BRKSEC-3690 Advanced Security Group Tags: The Detailed Walkthrough, Darrin Miller, Monday, June 26, 1:30-3:30 pm
BRKSEC-2203 Enabling Software Defined Segmentation with TrustSec, Fay Lee, Tuesday, June 27, 4:00-5:30 pm
BRKSEC-2695 Building an Enterprise Access Control Architecture, Imran Bashir, Tuesday, June 27, 8:00-10:00 am; Wednesday, June 28, 1:30-3:30 pm
BRKSEC-3697 Advanced ISE Services, Tips and Tricks, Aaron Woland, Tuesday, June 27, 8:00-10:00 am; Wednesday, June 28, 1:30-3:30 pm

110 Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
Complete your session surveys through the Cisco Live mobile app or online.
Don't forget: Cisco Live sessions will be available for viewing on demand after the event.

111 Key Takeaways
The network can provide telemetry to build effective security policy
Stealthwatch and ISE provide visibility into users, devices and activity
TrustSec is used to dynamically segment and program the network

112 Thank you


More information

Cisco Application Policy Infrastructure Controller Data Center Policy Model

Cisco Application Policy Infrastructure Controller Data Center Policy Model White Paper Cisco Application Policy Infrastructure Controller Data Center Policy Model This paper examines the Cisco Application Centric Infrastructure (ACI) approach to modeling business applications

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure, page 1 Cisco ISE Administration Node Ports, page 2 Cisco ISE Monitoring Node Ports, page 4 Cisco ISE Policy Service Node Ports, page 5 Cisco ISE pxgrid Service Ports, page 10

More information

Serviceability of SD-WAN

Serviceability of SD-WAN BRKCRS-2112 Serviceability of SD-WAN Chandrabalaji Rajaram & Ali Shaikh Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live

More information

Configuring Web Cache Services By Using WCCP

Configuring Web Cache Services By Using WCCP CHAPTER 44 Configuring Web Cache Services By Using WCCP This chapter describes how to configure your Catalyst 3560 switch to redirect traffic to wide-area application engines (such as the Cisco Cache Engine

More information

Service Graph Design with Cisco Application Centric Infrastructure

Service Graph Design with Cisco Application Centric Infrastructure White Paper Service Graph Design with Cisco Application Centric Infrastructure 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101 Contents Introduction...

More information

Threat Centric Network Security

Threat Centric Network Security BRKSEC-2056 Threat Centric Network Security Ted Bedwell, Principal Engineer Network Threat Defence Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this

More information

Cisco Nexus Data Broker

Cisco Nexus Data Broker Data Sheet Cisco Nexus Data Broker Product Overview You used to monitor traffic mainly to manage network operations. Today, when you monitor traffic you can find out instantly what is happening throughout

More information

Chapter 5. Security Components and Considerations.

Chapter 5. Security Components and Considerations. Chapter 5. Security Components and Considerations. Technology Brief Virtualization and Cloud Security Virtualization concept is taking major portion in current Data Center environments in order to reduce

More information

Top 10 use cases of HP ArcSight Logger

Top 10 use cases of HP ArcSight Logger Top 10 use cases of HP ArcSight Logger Sridhar Karnam @Sri747 Karnam@hp.com #HPSecure Big data is driving innovation The Big Data will continue to expand Collect Big Data for analytics Store Big Data for

More information

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series

Monitor Mode Deployment with Cisco Identity Services Engine. Secure Access How -To Guides Series Monitor Mode Deployment with Cisco Identity Services Engine Secure Access How -To Guides Series Author: Adrianne Wang Date: December 2012 Table of Contents Monitor Mode... 3 Overview of Monitor Mode...

More information

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Ali Shaikh Technical Leader Faraz Shamim Sr. Technical Leader Mossaddaq Turabi Distinguished ENgineer Cisco Spark How Questions?

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, on page 1 Uses for Host, Application, and User Discovery and Identity

More information

Next generation branch with SD-WAN and NFV

Next generation branch with SD-WAN and NFV Next generation branch with SD-WAN and NFV Kiran Ghodgaonkar, Senior Manager, Enterprise Marketing Mani Ganeson, Senior Product Manager PSOCRS-2004 @ghodgaonkar Cisco Spark How Questions? Use Cisco Spark

More information

A Pragmatic Approach to HealthCare Security. Hans Mathys CSE, Cybersecurity, Cisco Switzerland

A Pragmatic Approach to HealthCare Security. Hans Mathys CSE, Cybersecurity, Cisco Switzerland A Pragmatic Approach to HealthCare Security Hans Mathys CSE, Cybersecurity, Cisco Switzerland Referatsabstract A Pragmatic Approach To HealthCare Security - Cyber-Security ist nicht nur eine Herausforderung

More information

Choice of Segmentation and Group Based Policies for Enterprise Networks

Choice of Segmentation and Group Based Policies for Enterprise Networks Choice of Segmentation and Group Based Policies for Enterprise Networks Hari Holla Technical Marketing Engineer, Cisco ISE BRKCRS-2893 hari_holla /in/hariholla Cisco Spark How Questions? Use Cisco Spark

More information

Deploying Cloud-Agnostic Applications with Cisco CloudCenter

Deploying Cloud-Agnostic Applications with Cisco CloudCenter LTRCLD-2303 Deploying Cloud-Agnostic Applications with Cisco CloudCenter Zack Kielich CloudCenter Product Manager Vince Motto Sr. Technical Leader Andrew Horrigan Consulting Engineer Matt Tarkington Consulting

More information