Enterprise Network Segmentation with Cisco TrustSec
- Ethan Shelton
- 6 years ago
Slide 2: Enterprise Network Segmentation with Cisco TrustSec (Hariprasad Holla)
Slide 3: Abstract
This session provides an overview of the Cisco TrustSec solution for enterprise network segmentation and role-based access control. TrustSec allows simplified network segmentation based on user identity/role and provides secure access and consistent security policies across wired and wireless networks. We cover the TrustSec solution on the Catalyst and Nexus switching and routing (ASR1K/CSR/ISR) platforms, including converged wired/wireless, with a focus on deployment use cases in campus, data centre and branch networks. The session covers an architectural overview of TrustSec and the benefits of role-based policies, and the elements of the solution: user identification with 802.1X, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control Lists (SGACL). This session is for network and security architects, pre-sales engineers and technical decision makers. Previous knowledge or experience is recommended in campus design, Internet edge design, routing protocol design, and Layer 2 and Layer 3 switching.
Slide 4: TrustSec or related sessions
- BRKSEC: Network as a Sensor and Enforcer, Matthew Robertson, Wednesday 9 Mar 2:30 PM - 4:00 PM, room 208
- BRKCRS: Enterprise Network Segmentation (with Cisco TrustSec), Hariprasad Holla, Wednesday 9 Mar 4:30 PM - 6:00 PM, room 203
- BRKSEC: Deploying Security Group Tags, Kevin Regan, Wednesday 9 Mar 4:30 PM - 6:00 PM, room 208
- BRKSEC: Building an Enterprise Access Control Architecture Using ISE and TrustSec, Hosuk Won, Thursday 10 Mar 8:30 AM - 10:30 AM, room 208
- BRKSEC: Advanced Security Group Tags, Kevin Regan, Friday 11 Mar 8:45 AM - 10:45 AM, room 105
- BRKACI: Cisco Security on ACI - Microsegmentation, ASA, FirePOWER, Brenden Buresh, Friday 11 Mar 8:45 AM - 10:45 AM, room 211
Slide 5: Tom's Segmentation Challenge
Tom manages the network for ABC Corp. The slide shows a long "access-list 102" with dozens of interleaved permit/deny entries for tcp, udp, icmp and ip (the addresses and port operators were lost in transcription); the point is that the policy is:
- Complex IP-based policies
- Needing updates as the topology changes
- Various segmentation needs: campus, branch, employees, contractors, vendors, guests, PCI devices
- Extending segments over Layer 3 boundaries and VLANs, per line of business, for compliance and BYOD
- Retaining policies as the network transitions to IPv6
Slide 7: Agenda
- Network Segmentation: the past, present and future of network segmentation
- TrustSec Deep-dive: WHAT is Cisco TrustSec
- Deploying TrustSec: HOW to deploy TrustSec
- Use cases & Deployment scenarios: WHY segment the TrustSec way?
- Key takeaways: WHEN to deploy TrustSec: Now!
(Legend icons used throughout: "For Your Reference", "Cisco Identity Services Engine", "Authenticated User".)
Slide 8: Section: Network Segmentation (agenda: Start, Network Segmentation, TrustSec Deep-dive, Deploying TrustSec, Use-cases & Scenarios, Key Take-aways)
Slide 9: Traditional segmentation is operationally heavy
Limitations of traditional segmentation:
- Security policy is based on topology
- High cost and complex maintenance
How the three functions are done today:
- Classification: static / dynamic VLAN assignments (Quarantine VLAN, Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN)
- Propagation: carry segment context over the network through VLAN tags / IP address / VRF
- Enforcement: IP-based policies, ACLs, firewall rules
Diagram: access layer (Employee, Supplier, BYOD, Non-Compliant, Voice endpoints), aggregation layer with VACLs, enterprise backbone and applications, annotated with Static ACL, Routing, Redundancy, DHCP Scope, Address and VLAN; a long "access-list 102" stands in for the ACL sprawl (addresses lost in transcription).
Slide 10: Introducing Cisco TrustSec
Egress policy (source SGT x destination SGT):

    Source \ Destination | App_Serv   | Prod_Serv
    ---------------------+------------+-----------
    Employee             | Permit All | Deny All
    App_Serv             | Permit All | Deny All
    Prod_Serv            | Deny All   | Permit All

Diagram: Employees (SGT 5) on remote access, wireless and the switched network; ISE with the directory; routers, DC firewall and DC switch; Application Servers (SGT 7) and Production Servers (SGT 8). The three functions: Classification, Propagation, Enforcement.
Slide 11: Consistent access governed by simplified policy
- Regardless of topology or location, policy (Security Group Tag) stays with users, devices and servers
- TrustSec simplifies ACL management for intra/inter-VLAN traffic
- The DC switch receives policy only for what is connected
Diagram: ISE; access switches with Employee, Supplier, Non-Compliant and Voice endpoints on VLAN Data-1 and VLAN Data-2, carrying Employee, Supplier and Non-Compliant tags; enterprise backbone; data centre with Shared Services, Remediation and Application Servers behind the DC switch.
Slide 12: The three common deployment scenarios
- User to Data Centre Access Control: context-based access control; compliance requirements (PCI, HIPAA, export-controlled information); merger & acquisition integration, divestments
- Data Centre Segmentation: server zoning & micro-segmentation; production vs. development server segmentation; compliance requirements (PCI, HIPAA); firewall rule automation
- Campus and Branch Segmentation: line of business segregation; PCI, HIPAA and other compliance regulations; malware propagation control/quarantine
Slide 13: Section: TrustSec Deep-dive (WHAT is TrustSec)
Slide 14: ISE controls TrustSec
- NDAC (Network Device Admission Control): builds a trusted domain of network devices; rogue devices stay outside it
- SGT: centrally define Security Group Tags and SGT names, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
- SGACL / name table: the TrustSec policy matrix (sources x destinations) is pushed down to the enforcers via a secure channel
- ISE authenticates wired/wireless/VPN clients and assigns SGTs: dynamic SGT assignment via 802.1X, or static SGT assignments
Slide 15: The 3 TrustSec functions
- Classification (assigning SGTs): static assignments, dynamic assignments
- Propagation: inline SGT, SXP, WAN options
- Enforcement: Security Group ACL, SG Firewall
(Diagram: endpoints tagged 5 Employee, 6 Voice, 7 Partner talking to hosts A and B.)
Slide 16: Classification: two ways to assign Security Group Tags
- Dynamic classification: authenticated endpoints (e.g. MAB) at the campus access layer or on the WLC
- Static classification: SVI (L3 interface) to SGT, L2 port to SGT, VLAN-SGT mapping, Subnet-SGT, VM (port profile) to SGT on the hypervisor switch
(Diagram path: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, DC Dist/Access, firewall, hypervisor switch.)
Slide 17: Classification: L3 interface to SGT
- Routes learnt on an L3 port automatically get the SGT assignment
- Applies to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface, etc.
- Example: GigabitEthernet 3/0/1 (towards Joint Ventures) maps to SGT 8; GigabitEthernet 3/0/2 (towards Business Partners) maps to SGT 9. Route updates received on each interface populate the binding table with source L3IF (the prefixes were lost in transcription):

    IP Address    SGT   Source
    ========================================
    <prefix>      -     INTERNAL (x3)
    <prefix>/24   8     L3IF
    <prefix>/24   9     L3IF
    <prefix>/24   9     L3IF
Slide 18: Classification: port profiles on Nexus 1000V
- In Nexus 1000V, SGTs can be assigned to a port profile
- A port profile is a container of network properties applied to different interfaces
- The server admin may assign port profiles to new VMs; VMs inherit the network properties of the port profile, including the SGT
- The SGT stays with the VM even if it is moved
Slide 20: Propagation: SGT propagation through Ethernet (inline tagging)
- Fastest and most scalable way to propagate SGTs within the LAN or data centre
- The SGT is embedded in Cisco Meta Data (CMD) in the Layer 2 frame
- Capable switches understand and process the SGT at line rate
- Optionally protected by enabling MACsec (IEEE 802.1AE, AES-GCM 128-bit encryption) on capable hardware
- No impact on QoS or IP MTU/fragmentation; L2 frame impact is about 20 bytes
- The 16-bit field gives a tag space of about 64,000
- A non-capable device drops a frame with the unknown EtherType
Frame layouts:
- Ethernet frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
- Cisco Meta Data: CMD EtherType (0x8909) | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option
- MACsec frame: Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE Header (ICV) | CRC
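As an added example (not code from the slide deck or from Cisco), here is a Python parser for the inline-tagged frame layout described above. The EtherTypes 0x8909 (CMD) and 0x88E5 (MACsec) and the 16-bit SGT are from the slide; the exact widths of the Version, Length and Option Type fields and the option-type code for SGT are assumptions made for this illustration. It shows both behaviours the slide calls out: a CMD-capable device extracts the SGT, while a non-capable device sees an unknown EtherType and discards the frame.

```python
"""Parser for the inline-tagged Ethernet frame layout on the slide
(added example, not Cisco code). CMD field widths are assumptions
documented in build_cmd_frame().
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909      # Cisco Meta Data EtherType (from the slide)
ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE EtherType (from the slide)
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1             # assumed: value of the Version field
CMD_OPTION_SGT = 1          # assumed: option-type code for the SGT option


def build_cmd_frame(dst, src, sgt, payload, vlan=None,
                    inner_ethertype=ETHERTYPE_IPV4, extra_options=b""):
    """Constructed sample frame: MACs, optional 802.1Q tag, CMD header
    carrying the SGT, then the encapsulated EtherType and payload.

    Assumed CMD layout after the 0x8909 EtherType: Version (1 byte),
    Length (1 byte, counting the bytes that follow it), Option Type
    (2 bytes, 1 = SGT), SGT value (2 bytes), then any other CMD options.
    """
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    frame = bytes(dst) + bytes(src)
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION,
                         4 + len(extra_options), CMD_OPTION_SGT, sgt)
    return frame + extra_options + struct.pack("!H", inner_ethertype) + payload


def parse_frame(frame):
    """What a CMD-capable switch extracts from a frame.

    Returns dst, src, vlan, sgt, the encapsulated ethertype and an action:
    "forward" for frames it can process, "macsec" when the payload is
    802.1AE-protected and cannot be inspected without the MACsec keys.
    """
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    result = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
              "vlan": None, "sgt": None, "ethertype": None, "action": "forward"}
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if etype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off)
        result["vlan"] = tci & 0x0FFF
        (etype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if etype == ETHERTYPE_MACSEC:
        result["ethertype"], result["action"] = etype, "macsec"
        return result
    if etype == ETHERTYPE_CMD:
        version, length = struct.unpack_from("!BB", frame, off)
        if version != CMD_VERSION:
            raise ValueError(f"unsupported CMD version {version}")
        if length < 4:
            raise ValueError("CMD too short to carry an SGT option")
        opt_type, sgt = struct.unpack_from("!HH", frame, off + 2)
        if opt_type != CMD_OPTION_SGT:
            raise ValueError(f"first CMD option is not SGT (type {opt_type})")
        result["sgt"] = sgt
        off += 2 + length        # skip Version, Length and all options
        (etype,) = struct.unpack_from("!H", frame, off)
    result["ethertype"] = etype
    return result


def legacy_switch_would_drop(frame):
    """A device without CMD support sees 0x8909 as an unknown EtherType
    (after any 802.1Q tag) and discards the frame, as the slide notes."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETHERTYPE_8021Q:
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype == ETHERTYPE_CMD
```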
Slide 21: Propagation: out-of-band IP-SGT binding propagation through SGT Exchange Protocol (SXP)
- Propagation method for IP-SGT bindings: propagate IP-SGT from the classification point to the enforcement point
- Open protocol (IETF draft), supported by OpenDaylight (ODL)
- TCP, port 64999
- Roles: Speaker (initiator) and Listener (receiver)
- Uses MD5 for authentication and integrity check
- Supports single-hop SXP and multi-hop SXP (aggregation): switches as speakers, routers as SXP aggregation, firewall as listener
- Cisco ISE 2.0 can be an SXP speaker and listener
Slide 22: Propagation: SXP in action!
- Cisco ISE 2.0 holds the TrustSec policy: Employee = SGT 5, Web_Server = SGT 10
- The access switch classifies the employee and records the IP-SGT binding (source LOCAL, alongside its INTERNAL entries) in its IP-SGT binding table
- The access switch sends the binding (IP = SGT 5) over SXP across the WAN to the Nexus switch (N7K), whose binding table then shows it with source SXP next to its own INTERNAL entry for the web server (IP = SGT 10)
- The N7K can now enforce the Employee-to-Web_Server policy on traffic from the employee's source IP to the web server's destination IP (addresses lost in transcription)
Slide 23: Propagation: multiple options for SGT transport over L3 networks
- Over non-CTS Layer 3 networks: DMVPN for Internet-based VPNs; GETVPN and OTP for private WAN
- Diagram: enterprise LAN switch (Finance, HR) with CTS link and SGACL to ISE; Nexus 7000 and Nexus 1000v in the data centre; Catalyst 6500 and BYOD switch using SXP; IPsec/DMVPN over the Internet and GETVPN over enterprise MPLS to the data centre switch
Slide 25: Enforcement: ingress classification, egress enforcement
- The user is authenticated and classified as Marketing (SGT 5) at the ingress (Cat3850 / WLC5508)
- The frame carries SGT 5 across the enterprise backbone (Cat6800, Nexus 7000, Nexus 5500, Nexus 2248)
- At the egress switch a FIB lookup resolves the destination MAC/port and its SGT; destination classification: Web_Dir = SGT 20, CRM = SGT 30
- The SGACL for (source SGT, destination SGT) is applied:

    SRC \ DST       | Web_Dir (20) | CRM (30)
    ----------------+--------------+----------
    Marketing (5)   | Permit       | Deny
    BYOD (7)        | Deny         | SGACL-A

(ACL: Access Control List)
Slide 26: Enforcement: the SGACL enforcement policy (figure only)
Slide 27: Enforcement: SGTs can be used for policies in the Cisco ASA firewall
- SGTs defined in ISE or locally defined on the ASA
- Uses the destination SGT received from switches connected to the destination
- Triggers IPS/CX based on SGT
- Can be combined with network objects (host, range, network (subnet) or FQDN)
- More on ASA TrustSec: BRKSEC-2690 and BRKSEC
Slide 28: TrustSec supported platforms
Diagram: User, Switch, Router, WAN (GETVPN, DMVPN, IPsec), Router, Firewall, DC Switch, vSwitch, Server, with ISE; classification at the edge, propagation through the path, enforcement at the edge, DC and firewall.
Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X/-CX; Catalyst 3750-E/-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E/7E) / 4500X; Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 6800; WLC 2500/5500/WiSM2; WLC 5760; WLC 8510/8540; Nexus 7000; Nexus 6000; Nexus 5500/2200; Nexus 1000v; ISR G2, ISR 4000; ASR 1000, CSR 1000v; IE2000/3000/4000; CGR 2000, CGS 2500; ASA 5500 (RAS VPN)
SGT propagation: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X/3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (Sup 7E, 7LE, 8E); Catalyst 4500X; Catalyst 6500E (Sup720); Catalyst 6500/Sup2T, 6800; WLC 2500/5500/WiSM2; WLC 5760, 8510/8540; Nexus 7000; Nexus 6000; Nexus 5500/2200; Nexus 1000v; ISR G2, ISR 4000; ASR 1000, CSR 1000V; IE2000/3000/4000, CGR 2000, CGS 2500; ASA 5500; ISE
Enforcement: Catalyst 3560-X; Catalyst 3750-X; Catalyst 3850/3650; WLC 5760; Catalyst 4500E (7E) / 4500X; Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Nexus 7000; Nexus 6000; Nexus 5500/5600; Nexus 1000v; ISR G2, ISR 4000; ASR 1000, CSR 1000v; CGR 2000; ASA 5500 Firewall; ASAv Firewall; Web Security Appliance
For up-to-date information visit:
Slide 29: Section: Deploying TrustSec (HOW to deploy TrustSec)
Slide 30: Approaching a TrustSec design
- Start with policy goals; use cases can be localised
- Focus on the business problem: controlled access to production systems or PCI servers; user to DC access control; secure BYOD; contractor access control; extranet security; simplified firewall rules, VPN access, ACLs or WSA rules; maintaining compliance; protecting against breach; reducing complex ACLs and firewall rule complexity
Slide 31: Starting a TrustSec design
- Discuss the assets to protect: e.g. cardholder data, medical records, intellectual property
- Classification mechanisms: e.g. dynamic, static, etc.
- Policy enforcement points: DC segmentation (DC virtual/physical switches or virtual/physical firewalls); user to DC access control (identify capable switches or firewalls in the path)
- Propagation methods: inline tagging, SXP, DMVPN, GETVPN, IPsec, OTP, etc.
Slide 32: SGT policy matrix example: write it down on a spreadsheet! (figure only)
Slide 33: It all starts with ISE. Things to do in Cisco ISE for TrustSec:
- Basic infrastructure setup: certificates, Active Directory integration, etc.
- Create the Security Group Tags to be used in the network
- Set up Network Device Admission Control (NDAC)
- Define authentication and authorisation policies for users and devices
- Configure SGACLs and egress policies (if enforcing on IOS / Nexus switches)
Slide 34: Security Group Tags in ISE: define SGTs under the Components section in the TrustSec Work Centre (from ISE 2.0)
Slide 35: Define all the network devices: the network devices (switches, routers, wireless controllers, firewalls, etc.) need to be defined here. Bulk upload via CSV is possible too.
Slide 36: Configure additional parameters for TrustSec: in addition to the RADIUS secret, check Advanced TrustSec Settings and Use Device ID for TrustSec, then type the device password. This ID and password must be exactly the same as those defined on the network device CLI.
Slide 37: Define authorisation policies for users and devices: 802.1X / MAB / web authentication policy assigns SGTs to the users and devices.
Slide 38: Configure Security Group ACLs: configure the SGACLs first so they can be referenced in the egress policy later.
Slide 39: Egress policy matrix: the default rule can be Permit or Deny.
Slide 40: Cisco IOS Switches: global Cisco TrustSec (CTS) configuration
Global AAA configuration for all IOS switches:

    aaa new-model
    !
    aaa authentication dot1x default group ise-group
    aaa authorization network default group ise-group
    aaa authorization network cts-list group ise-group
    aaa accounting dot1x default start-stop group ise-group
    !
    aaa server radius dynamic-author
     client <Switch_IP> server-key cisco
    !
    radius server ise
     address ipv4 <ISE_IP> auth-port 1812 acct-port 1813
     pac key <PAC_Password>
    !
    aaa group server radius ise-group
     server name ise
    !

TrustSec-specific global commands:

    ! TrustSec authorisation should use the cts-list AAA servers
    cts authorization list cts-list
    ! SGT policy enforcement, if the switch has to access-control traffic
    cts role-based enforcement
    cts role-based enforcement vlan-list <VLANs>
    ! Critical authentication for NDAC when ISE is not reachable,
    ! and fall back to cached / default policies when ISE is unreachable
    cts critical-authentication
    cts critical-auth fallback cached default

More options:
Slide 41: Cisco IOS Switches: access and uplink ports (** other best-practice configurations also apply)
Devices typically enable 802.1X on downlinks and SGT propagation on uplinks.
Switch port configuration for dynamic SGT assignment (campus access):

    interface <Access-port>
     switchport access vlan <Data_VLAN>
     switchport voice vlan <Voice_VLAN>
     switchport mode access
     authentication open
     authentication port-control auto
     authentication host-mode multi-auth
     dot1x pae authenticator
     mab

(Optional) static assignment of a VLAN to an SGT, useful if the users or devices are static:

    cts role-based sgt-map vlan-list <VLAN_IDs> sgt <SGT>

Uplink ports towards aggregation / core: the cts command automatically (hidden) configures the propagate sgt command:

    interface <Uplink_Port>
     description ** Uplink Interface **
     switchport mode trunk
     cts manual
    ! or: cts dot1x

Use cts manual for manual configuration of (optional) MACsec on the port, and cts dot1x for the switch to receive MACsec PMK keys from Cisco ISE.
Slide 42: Cisco IOS Switches: switch ports can stay in 802.1X Monitor Mode forever
- Monitor Mode: irrespective of authentication status (pass/fail), endpoints get an IP address. Successful authentication gets a specific SGT; failures are classified as the Unknown SGT
- Tagged traffic traverses the network (Catalyst 3K/4K/6K at the access, N7K in the data centre), allowing monitoring and validation that assets are correctly classified and that traffic flows to assets are as predicted/expected
Policy matrix being validated (PCI Server (2000), Production Server (1000), Development Server (1010)):

    SRC \ DST       | PCI Server (2000)   | Prod Server (1000)  | Dev Server (1010)
    ----------------+---------------------+---------------------+------------------
    Employees (100) | Permit .., Deny all | Permit .., Deny all | Permit all
    PCI User (105)  | Permit all          | Permit all          | Permit all
    Unknown (0)     | Permit .., Deny all | Permit .., Deny all | Permit all
Slide 43: Cisco IOS Switches: ISE and the network device transact securely using PAC keys
- The switch authenticates with Cisco ISE over a secure EAP-FAST channel (RADIUS), then receives environment data and the TrustSec egress policy
- PAC* keys are pushed by ISE; the switch uses them to talk to ISE securely

    Switch# cts credential id C password cisco

    Switch# show cts pacs
    AID: 3E465B9E3F4E012E6AD3159B403B5004
    PAC-Info:
      PAC-type = Cisco Trustsec
      AID: 3E465B9E3F4E012E6AD3159B403B5004
      I-ID: C
      A-ID-Info: Identity Services Engine
      Credential Lifetime: 13:12:04 UTC Jan
    PAC-Opaque:
    Refresh timer is set for 12w4d

*PAC: Protected Access Credential
Slide 44: Cisco IOS Switches: environment data downloaded from ISE

    Switch# show cts environment-data
    CTS Environment Data
    ====================
    Current state = COMPLETE
    Last status = Successful
    Local Device SGT:
      SGT tag = 2-00:TrustSec_Infra_SGT
    Server List Info:
    Installed list: CTSServerList1-0001, 1 server(s):
     *Server: , port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
      Status = DEAD
      auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
    Multicast Group SGT Table:
    Security Group Name Table:
      0-00:Unknown
      2-00:TrustSec_Infra_SGT
      10-00:Employee_FullAccess
      20-00:Employee_BYOD
      30-00:Contractors
      :PCI_Devices
      :Web_Servers
      :Mail_Servers
      :Unregist_Dev_SGT
    Environment Data Lifetime = secs
    Last update time = 21:57:24 UTC Thu Feb
    Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
    Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
    Cache data applied = NONE
    State Machine is running
Slide 45: Cisco IOS Switches: cts role-based enforcement (IOS switch as enforcer)

    Switch# show cts rbacl Permit_ _Traffic
    CTS RBACL Policy
    ================
    RBACL IP Version Supported: IPv4
      name = Permit_ _Traffic-40
      IP protocol version = IPV4
      refcnt = 1
      flag = 0x
      stale = FALSE
      RBACL ACEs:
        permit tcp dst eq 110
        permit tcp dst eq 143
        permit tcp dst eq 25
        permit tcp dst eq 465
        permit tcp dst eq 585
        permit tcp dst eq 993
        permit tcp dst eq 995
        deny all log

    Switch# show cts role-based permissions
    IPv4 Role-based permissions default:
            Permit IP
    IPv4 Role-based permissions from group 10:Employee_FullAccess to group 10:Employee_FullAccess:
            Malware_Contol_ACL-10
    IPv4 Role-based permissions from group 10:Employee_FullAccess to group 30:Contractors:
            Cisco_Jabber_Access-10
    IPv4 Role-based permissions from group 30:Contractors to group 10:Employee_FullAccess:
            Cisco_Jabber_Access-10
    IPv4 Role-based permissions from group 30:Contractors to group 120:Mail_Servers:
            Permit_ _Traffic
    ...
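The following Python model, added here and not taken from the deck or from Cisco, ties together the enforcement slides: the IP-to-SGT binding lookup, the egress matrix cell selection shown in the "show cts role-based permissions" output above, first-match evaluation of the ACEs from the "show cts rbacl" output, and the Monitor Mode validation from slide 42 (which flows would be dropped once enforcement is switched on). The binding table, the SGACL name (the slide's is partly lost) and the east-west ACL contents are constructed for the example; SGT numbers follow the output above.

```python
"""TrustSec egress enforcement modelled in Python (added example).
Decision = binding lookup -> egress matrix cell -> SGACL ACEs; audit_flows()
applies the same logic to observed flows, as Monitor Mode allows.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UNKNOWN_SGT = 0  # "0-00:Unknown" in the environment data

# Constructed bindings; on a switch these come from 802.1X, static maps
# or SXP (compare "show cts role-based sgt-map").
BINDINGS = [
    (ip_network("10.10.0.0/16"), 10),      # 10: Employee_FullAccess
    (ip_network("10.30.0.0/16"), 30),      # 30: Contractors
    (ip_network("10.120.0.10/32"), 120),   # 120: Mail_Servers
]

# ACE = (action, protocol or "all", destination port or None, log).
# Ports follow the "show cts rbacl" output; the SGACL name is constructed
# because the name on the slide is partly lost in transcription.
SGACLS = {
    "Permit_Mail_Traffic": [
        ("permit", "tcp", 110, False), ("permit", "tcp", 143, False),
        ("permit", "tcp", 25, False), ("permit", "tcp", 465, False),
        ("permit", "tcp", 585, False), ("permit", "tcp", 993, False),
        ("permit", "tcp", 995, False), ("deny", "all", None, True),
    ],
    # Constructed east-west ACL: block SMB, RDP and ICMP between
    # employees and permit everything else (see the lateral-access slides).
    "Malware_Control_ACL": [
        ("deny", "tcp", 445, True), ("deny", "tcp", 3389, True),
        ("deny", "icmp", None, False), ("permit", "all", None, False),
    ],
}

# Egress matrix: a cell is "permit", "deny" or the name of an SGACL.
EGRESS_MATRIX = {
    (10, 10): "Malware_Control_ACL",
    (30, 120): "Permit_Mail_Traffic",
}
DEFAULT_RULE = "permit"  # "Role-based permissions default: Permit IP"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


def lookup_sgt(ip: str) -> int:
    """Longest-prefix match in the binding table; no binding => Unknown (0)."""
    addr = ip_address(ip)
    best = None
    for net, sgt in BINDINGS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else UNKNOWN_SGT


def evaluate_aces(aces, pkt: Packet):
    """First matching ACE wins; returns (action, log)."""
    for action, proto, port, log in aces:
        if proto != "all" and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dst_port:
            continue
        return action, log
    # Assumption: with no matching ACE, fall back to the matrix default rule.
    return DEFAULT_RULE, False


def decide(pkt: Packet):
    """Egress decision for one packet: (action, log, src_sgt, dst_sgt)."""
    src_sgt, dst_sgt = lookup_sgt(pkt.src_ip), lookup_sgt(pkt.dst_ip)
    cell = EGRESS_MATRIX.get((src_sgt, dst_sgt), DEFAULT_RULE)
    if cell in ("permit", "deny"):
        return cell, False, src_sgt, dst_sgt
    action, log = evaluate_aces(SGACLS[cell], pkt)
    return action, log, src_sgt, dst_sgt


def audit_flows(flows):
    """Monitor Mode check: return the observed flows that enforcement
    would drop, as (packet, src_sgt, dst_sgt) tuples."""
    dropped = []
    for pkt in flows:
        action, _log, src_sgt, dst_sgt = decide(pkt)
        if action == "deny":
            dropped.append((pkt, src_sgt, dst_sgt))
    return dropped
```

Feeding audit_flows() the flow records exported with the SGT/DGT fields (see the StealthWatch flow record later in the deck) shows which flows the matrix would break before enforcement is enabled.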
Slide 46: Wireless AireOS Controllers*
- Cisco ISE assigns the SGT to the wireless client at authentication
- The wireless controller (e.g. WLC 5520) acts as the SXP speaker; the switch / firewall is the SXP listener
- No SG-based enforcement locally on the controller: IP-SGT bindings are sent over SXP to the enforcers / aggregators
* Supported on all wireless controllers except 7500 & vWLC
Slide 48: WAN Routers: overview of TrustSec support on routers
- Classification: IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT; no dynamic classification option
- Propagation: multiple options: SXP; inline methods: SGT over Ethernet, IPsec, DMVPN, GETVPN, EIGRP OTP / LISP
- Enforcement: zone-based firewall (ZBFW), SGT-based PBR (policy-based routing), SGT-based QoS (quality of service)
Slide 49: WAN Routers: one command to enable SGT transport over IPsec
- Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload (ESP: Encapsulating Security Payload, AH: Authentication Header)
- Packet layout: IP header (Protocol Type = ESP) | ESP header | IV | CMD: Next Header (IP), Len = 3, Version (0x1), Reserved, Len (0x0), Len (0x1), Type (1 = SGT) with the 16-bit SGT number, Type (5 = PST) GETVPN pseudo timestamp | original IP header | original IP payload | pad | pad length | next header | authentication tag
- The CTS infrastructure CLI (cts role-based sgt-map) is used to configure the IP-to-SGT mapping; SGT transport is enabled with crypto ikev2 cts sgt

    crypto ikev2 proposal p1
     encryption 3des
     integrity md5
     group 2
    !
    crypto ikev2 policy policy1
     proposal p1
    !
    crypto ikev2 keyring key
     peer v4
      address
      pre-shared-key cisco
    !
    crypto ikev2 profile prof3
     match identity remote address
     authentication local pre-share
     authentication remote pre-share
     keyring key
    !
    crypto ikev2 cts sgt
    !
    crypto ipsec transform-set trans esp-3des esp-sha-hmac
    !...

The 3DES/MD5 proposal and the pre-shared key "cisco" are lab values from the slide; a production deployment should use current IKEv2 proposals (AES, SHA-2) and strong keys.
Slide 50: WAN Routers: cts sgt inline enables SGT transport in DMVPN sessions
Hub and spokes:

    crypto ikev2 profile prof3
     match identity remote address
     authentication local pre-share
     authentication remote pre-share
     keyring key
    !
    cts sgt inline
    !
    crypto ipsec transform-set trans esp-3des esp-sha-hmac
    !

CTS infrastructure CLI to configure static IP-to-SGT bindings (addresses lost in transcription):

    cts role-based sgt-map <IP> sgt 150
    cts role-based sgt-map <IP> sgt 200

Verification:

    Router# show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding, W=Waiting
    Tunnel0:
      RE NBMA Address:  priority = 0 cluster = 0  req-sent 44  req-failed 0  repl-recv 43 (00:01:37 ago)
      TrustSec Enabled
Slide 51: WAN Routers: enable tagging on the GETVPN key server (KS); run v1.0.5 or later on the group members
Key server configuration:

    crypto gdoi group GDOI
     identity number
     server local
      sa ipsec 2
       no tag
       match address ipv4 ACL_GETVPN_NO_SGT
      sa ipsec 1
       tag cts sgt
       match address ipv4 ACL_GETVPN_SGT

Group members use the CTS infrastructure CLI to configure static IP-to-SGT bindings (addresses lost in transcription):

    cts role-based sgt-map <IP> sgt 150
    cts role-based sgt-map <IP> sgt 200

If the KS is configured for tagging, group members must register with GETVPN software v1.0.5 or higher to be accepted. Verification on the KS:

    Router# show crypto gdoi feature cts-sgt
    Group Name: GETVPN
        Key Server ID       Version   Feature Supported
                                      Yes
                                      Yes
        Group Member ID     Version   Feature Supported
                                      No
                                      No
                                      Yes
                                      Yes
Slide 52: WAN Routers: zone-based firewall. The SGT is a source criterion only in the ISR firewall; source or destination on the ASR 1000.

    class-map type inspect match-any partner-services
     match protocol http
     match protocol icmp
     match protocol ssh
    class-map type inspect match-any partner-sgts
     match security-group source tag 2001
     match security-group source tag 2002
     match security-group source tag 2003
    class-map type inspect match-all partner-class
     match class-map partner-services
     match class-map partner-sgts
    class-map type inspect match-any guest-services
     match protocol http
    class-map type inspect match-any guest-sgts
     match security-group source tag 5555
    class-map type inspect match-all guest-class
     match class-map guest-services
     match class-map guest-sgts
    class-map type inspect match-any emp-services
     match protocol http
     match protocol ftp
     match protocol icmp
     match protocol ssh
    ...
Slide 53: WAN Routers: path selection based on SGT (available today: Cisco IOS XE Release 3.16S on ASR 1000, as well as ASA5500-X 9.5.1)
Policy-based routing based on SGT (next hops lost in transcription):

    route-map SG_PBR
     match security-group source tag 100
     set ip next-hop
     match security-group destination tag 150
     set ip next-hop

- Security example: redirect traffic from malware-infected hosts; contain threats; pass traffic through centralised analysis and inspection functions (inspection router)
- Other example: segment traffic into different VRFs based on context, e.g. SGT-based VRF selection into VRF-GUEST to map different user groups to different WAN services
- Diagram: User A (Employee), User B (Suspicious) and User C (Guest) on Network A; router / firewall; enterprise WAN
Slide 54: WAN Routers: quality of service for SGTs (available today: Cisco ISR 4K and ASR 1K with 3.17S or later)

    class-map employee-non_critical
     match security-group source tag 10
     match security-group destination tag 254
    !
    class-map employee-critical
     match security-group source tag 10
     match security-group destination tag 100
    !
    policy-map sg_qos
     class employee-critical
      priority percent 50
     class employee-non_critical
      bandwidth percent 25
      set dscp ef

- Critical applications (CriticalServers, SGT 100) get priority treatment
- The non-critical class (NonCritical, SGT 254) gets lower bandwidth
- Different user groups (here Employee, SGT 10) can be offered different quality of service (QoS)
- Diagram: Network A, router / firewall, enterprise WAN, application servers
Slide 55: Same policy structure for data centres: web servers, middleware servers, database servers and storage in the data centre.
Slide 56: TrustSec on NX-OS and IOS are alike
- SXP v1 only (IPv4-to-SGT, no loop detection)
- Nexus 5000/6000: port-to-SGT classification only
- Nexus 9000 doesn't support SGTs today
- cts credentials are defined in global config, unlike in Exec mode in IOS:

    Nexus(config)# feature cts
    Nexus(config)# feature dot1x
    Nexus(config)# cts device-id N7K-DST1 password cisco

- Disable SGT propagation on ports connecting to physical servers (LOB1 DB, LOB2 DB, PCI DB, Finance DB):

    Nexus(config)# int e1/30
    Nexus(config-if)# cts manual
    Nexus(config-if-cts-manual)# policy static sgt 0X3
    Nexus(config-if-cts-manual)# no propagate-sgt

- CoA for environment data and SGACL download from NX-OS version 7.2* (*earlier pushed through the cts refresh CLI over SSH, now CoA). More details here:
Slide 57: ISE 2.1: TrustSec-ACI policy plane integration (APIC: Application Policy Infrastructure Controller; ACI: Application Centric Infrastructure)
- TrustSec policy domain (Cisco ISE 2.1, Security Groups) and ACI policy domain (Cisco APIC-DC, End Point Groups)
- ISE creates matching Security Groups and Endpoint Groups
- ISE exchanges IP-SGT / EPG name bindings with APIC
- IP-Security Group bindings are exchanged with the network (SGT over Ethernet, IPsec / DMVPN / GETVPN / SXP through user, switch, router, WAN and firewall); IP-ClassId and VNI bindings are used in the ACI fabric (Nexus 9000 spine/leaf, Nexus 3000, servers)
Slide 58: Security Group / EPG exchange: Security Groups and IP bindings in Cisco ISE 2.1 are exchanged with End Point Groups (EPG) and IP bindings in Cisco APIC-DC.
More on ACI security: BRKACI Cisco Security on ACI; BRKACI Introduction to ACI for Security Admins
Slide 59: TrustSec traffic monitoring in StealthWatch
- Highly scalable (enterprise-class) flow collection; high compression, long-term storage with months of data retention
- NetFlow with more context: Where, When, Who, What, plus the Security Group; the exporting device adds the source and destination SGT to the flow record:

    flow record my-flow-record
     ...
     match flow cts source group-tag
     match flow cts destination group-tag
     ...
Slide 60: Segmentation monitoring with StealthWatch
- Custom event triggers on a traffic condition: rule name and description, SGT and DGT, trigger on traffic in both directions, successful or unsuccessful
- More on StealthWatch: BRKSEC-2026: Network as a Sensor and Enforcer
Slide 61: Section: Use Cases & Deployment Scenarios (WHY TrustSec)
Slide 62: TrustSec means efficiency: large campus wireless deployment
- A large electronics device manufacturing company deploying secure Wi-Fi; the ACL needed to scale to more than 64 lines (>1,500)
- TrustSec solution within the Catalyst 6500 VSS chassis: WiSM2 aggregates AP traffic (CAPWAP tunnels from the access points); Sup2T enforces policy based on SGT; SXP towards the data centre and the Internet edge
- SGACLs optimise TCAM utilisation
- Destination SGT values are defined by IP and subnet: data centre /24 = SGT 10, Campus D /24 = SGT 7, branch office /24 = SGT 6, Campus C /24 = SGT 22, corporate network /8 = SGT 100 (prefixes lost in transcription)
- Reduced IOS static ACLs; policy is managed using the egress matrix. E.g. about 500 lines of ACL allowing HTTPS are now a single line of SGACL: permit tcp dst eq 443
- Source SGTs assigned by ISE: SGT 2: Limited Access (non-compliant mobile device); SGT 3: Full Access (compliant corporate asset)
Slide 63: SGACL download only for known destinations
- Segmentation defined in ISE: source groups SGT=3, SGT=4, SGT=5; destinations Prod_Servers (7), Dev_Servers (8)
- TrustSec switches request policies for the assets they protect; policies are downloaded and applied dynamically
- Result = software-defined segmentation: switches pull down only the policies they need
- Speech bubbles in the diagram: "I have SGT-7, is there a policy for it?"; "I pulled a policy to protect SGT-7"; "I know nothing is there to protect"
- SGACL enforcement on the port facing the Dev_Server (SGT=7):

    interface ethernet 2/1
     cts manual
      policy static sgt 0x7
      no propagate-sgt
Slide 64: Handling acquisitions / mergers or disinvestments: a secure, economical way to integrate or segment networks (Cisco on Cisco case study)
- Technicolor has acquired Cisco's Connected Devices business
- Initiative: divest assets, including employees and properties, to Technicolor
- Objective: create logical separation on the network infrastructure and provide secure resource access in shared workspaces
- Solution: TrustSec segmentation based on user authentication in selected offices (Shanghai and Lawrenceville), using the global ISE deployment
- For details read: (link not preserved)

    Source SGT \ Destination SGT | Cisco Internal | Technicolor | Shared
    -----------------------------+----------------+-------------+-------
    Cisco                        | Permit         | Permit      | Permit
    Technicolor                  | Deny           | Permit      | Permit
    Auth-Fail                    | Deny           | Deny        | Permit
    Untrusted                    | Deny           | Deny        | Permit
Slide 65: Limiting workstation-to-workstation communication
Slide 66: Control lateral access with TrustSec
- Effective east-west traffic control at the enterprise access
- Replaces private isolated / community VLAN functionality with centrally provisioned policy
- Supports mobile devices (with DHCP addresses); a statically defined ACL cannot support the same level of policy
- No other competitor can support this type of use case
- Diagram: a compromised PC on the wired segment (1) scans for open ports / OS and (2) exploits a vulnerability on a peer; the Employee tag on both the wired PC and the BYOD device on the wireless segment makes the SGACL policy apply on the access and distribution switches
- Sample ACEs in Anti-Malware-ACL to block pass-the-hash (PtH, SMB over TCP) used for privilege escalation:

    deny icmp
    deny udp src dst eq domain
    deny tcp src dst eq 3389
    deny tcp src dst eq 1433
    deny tcp src dst eq 1521
    deny tcp src dst eq 445
    deny tcp src dst eq 137
    deny tcp src dst eq 138
    deny tcp src dst eq 139
    deny udp src dst eq snmp
    deny tcp src dst eq telnet
    deny tcp src dst eq www
    deny tcp src dst eq 443
    deny tcp src dst eq 22
    deny tcp src dst eq pop3
    deny tcp src dst eq 123
67 Before: an SSID and VLAN per vendor
Segmenting vendors, guests, employees and PCI devices in retail stores. Customer concerns:
- Employees, PCI devices, vendors and guests in the branch need segmentation.
- Each segment today is a VLAN and/or an SSID. Branch segments in the figure: Store, Guest, BYOD, Vendor-1, Vendor-2, Vendor-3 ... Vendor-N, Store PCI, Demo. The branch ISR runs a zone-based firewall (ZBFW) towards the Internet, and each vendor segment maps to its own WAN VRF (Vendor-2, Vendor-A, Vendor-B ... Vendor-N) back to the data centre, which hosts the WLC and the servers.
- Provisioning and decommissioning vendors is a tedious task.
* Additional VLANs/VRFs for voice, print, APs, etc. are not shown in the picture. LOB: Line of Business
82
68 After: one SSID and one VLAN for vendors
TrustSec solution: Cisco ISE authorises each endpoint with an SGT and pushes the SGACL to the branch Converged Access switch (*Converged Access: authenticated and authorised by ISE).
- One network for all vendors, but each vendor is segmented with TrustSec.
- Fewer VLANs and SSIDs to manage. Provisioning and retiring vendors is now easy.
Branch segments in the figure: Store, Guest, BYOD, Vendors, Store PCI, Demo. The ISR with ZBFW still fronts the Internet and the WAN VRFs lead to the data centre servers; Cisco ISE holds the vendor and guest accounts while AD holds the employee accounts.
* Additional VLANs/VRFs for voice, print, APs, etc. are not shown in the picture. LOB: Line of Business
83
69 University controls IPv4 and IPv6 clients uniformly
TrustSec is about tags! Both IPv4 and IPv6 endpoints can co-exist today and be access-controlled uniformly, so you carry the policies forward as you transition the network.
- IPv6-to-SGT bindings over SXP are supported from 15.2(3)E / E (the Cat3K/4K access switches in the figure run 15.2(2)E / 3.6.0E).
- Figure: IPv4 and IPv6 client segments on Cat3K/4K access switches (authenticated and authorised by ISE), a C6500/6800 enterprise backbone, and the SGACL enforced in front of the data centre servers.
Binding table on the backbone switch:
  CTS-C6500#show cts role-based sgt-map all ipv6
  Active IP-SGT Bindings Information
  IP Address                              SGT   Source
  ========================================================
  2001:DB8:100::1                         2     INTERNAL
  2001:DB8:100:0:7CB0:3B1D:2F77:16A6      3     SXP
  2001:DB8:200:0:9112:EB74:784F:E88B      4     SXP
  2001:DB8:252::100                       2     INTERNAL
  2001:DB8:254::10                        9     CLI
  2001:DB8:254::12                        7     CLI
84
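A second added example (not Cisco code) covering two slides: the IPv6 binding table above and the earlier "SGACL download only for known destinations" slide. It parses constructed show cts role-based sgt-map output, whose IPv6 rows mirror the slide while the IPv4 rows, the matrix cells and the SGACL names are made up, then shows that a flow is classified by tag regardless of address family and that a switch only needs the matrix cells whose destination SGT is bound behind it:

```python
"""Classification and policy pull, both address-family agnostic.  Parse
`show cts role-based sgt-map all` style output (IPv4 and IPv6 rows alike)
into IP-to-SGT bindings, look flows up by tag, and work out which cells of
the ISE matrix this switch has to download.  Added example, not Cisco code.
The show output is constructed (IPv6 rows mirror the slide; IPv4 rows,
matrix cells and SGACL names are invented); a real switch's column layout
may differ, so treat the regex as a starting point."""
import ipaddress
import re
from typing import Dict, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed show output.  Header lines are skipped by the parser because
# their first column does not parse as an IP address.
SHOW_OUTPUT = """\
CTS-C6500#show cts role-based sgt-map all
Active IPv4-SGT Bindings Information

IP Address              SGT        Source
============================================================
10.1.10.25               3          SXP
10.1.20.7                7          CLI

Active IPv6-SGT Bindings Information

IP Address                              SGT        Source
============================================================
2001:DB8:100::1                          2          INTERNAL
2001:DB8:100:0:7CB0:3B1D:2F77:16A6       3          SXP
2001:DB8:200:0:9112:EB74:784F:E88B       4          SXP
2001:DB8:252::100                        2          INTERNAL
2001:DB8:254::10                         9          CLI
2001:DB8:254::12                         7          CLI
"""

BINDING_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Za-z_]+)\s*$")


def parse_bindings(text: str) -> Dict[IPAddr, Tuple[int, str]]:
    """Map each bound address to (SGT, binding source)."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue          # column header, not a binding
        bindings[addr] = (int(m.group(2)), m.group(3))
    return bindings


def sgt_of(bindings, ip: str) -> int:
    """Classification lookup: after this point policy never sees the address."""
    return bindings[ipaddress.ip_address(ip)][0]


def lookup_policy(matrix, bindings, src_ip: str, dst_ip: str,
                  default: str = "default-permit") -> str:
    """Name of the SGACL that applies to a flow, found purely by tag pair."""
    return matrix.get((sgt_of(bindings, src_ip), sgt_of(bindings, dst_ip)), default)


def protected_sgts(bindings) -> Set[int]:
    """Destination SGTs bound behind this switch.  INTERNAL rows are the
    switch's own addresses, which it also protects, so they are kept."""
    return {sgt for sgt, _source in bindings.values()}


def policies_to_download(matrix, bindings):
    """The pull model from the 'SGACL download only for known destinations'
    slide: request only cells whose destination SGT is known locally."""
    needed = protected_sgts(bindings)
    return {cell: acl for cell, acl in matrix.items() if cell[1] in needed}


# Constructed ISE matrix: (source SGT, destination SGT) -> SGACL name.
# SGT 7 = Prod_Servers and SGT 8 = Dev_Servers as on the slide; no SGT 8
# asset is bound on this switch, so those cells should not be pulled.
ISE_MATRIX = {
    (3, 7): "Permit_Web",
    (4, 7): "Deny_All",
    (5, 7): "Permit_All",
    (3, 8): "Permit_All",
    (5, 8): "Deny_All",
    (3, 4): "Anti_Malware",
}

if __name__ == "__main__":
    b = parse_bindings(SHOW_OUTPUT)
    print(lookup_policy(ISE_MATRIX, b, "2001:DB8:100:0:7CB0:3B1D:2F77:16A6", "2001:DB8:254::12"))
    print(lookup_policy(ISE_MATRIX, b, "10.1.10.25", "10.1.20.7"))   # same tags, same verdict
    print(sorted(policies_to_download(ISE_MATRIX, b)))
```

The IPv4 and IPv6 flows resolve to the same (3, 7) cell and therefore the same SGACL, and the (3, 8) and (5, 8) cells are never requested because nothing tagged 8 sits behind this switch.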
70 TrustSec reduces operational costs
Forrester report on the Total Economic Impact of TrustSec: Cisco TrustSec enabled the organisations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation, resulting in lower downtime.
85
71 Push and enforce model
SGACL policy changes are pushed from ISE to the appropriate devices with a CoA (Change of Authorisation), rather than waiting for the devices' periodic policy refresh. Currently supported on IOS switches, wireless controllers and NX-OS 7.2 and later. Figure: ISE sends the CoA across the WAN and the campus network to the enforcement points.
86
72 TrustSec for PCI scope reduction
Access privilege authorisation with a Security Group, decided by ISE from endpoint context:
- Employee workstation: OS type Windows 8, user John, AD group Floor Staff, device group Nurse Workstation. Security Group = Employee.
- POS terminal: OS type Windows 7 Embedded, user George, AD group Point-of-Sales Admin, device group POS. Security Group = PCI Device.
Figure: Store ABC floor 1 and floor 2 switches, the backbone, and a data centre ASA firewall (DC FW) in front of the common servers and the PCI DB. The ASA firewall policy is written in terms of security groups, so the PCI scope covers only the POS devices and the PCI DB; the employee workstation stays outside it.
87
73 Verizon certifies TrustSec for PCI segmentation 88
74 Key takeaways (WHEN to do TrustSec? NOW!)
Agenda position: Network Segmentation / Deploying TrustSec / Start TrustSec / Deep-dive use-cases and scenarios / Key take-aways
89
75 Tom is happy with Cisco TrustSec
The access-list 102 entries from the earlier "Tom's Segmentation Challenge" slide are overlaid with the replacement policy matrix (rows: source group, columns: destination group):
  Source \ Destination   PCI        Web          Employee            Contractor
  Cisco Employee         Deny All   Permit All   Anti-Malware-ACL    Jabber Access
  Cisco Contractor       Deny All   Permit All   Jabber Access       Permit All
  BYOD                   Deny All   Permit All   Anti-Malware-ACL    Permit All
Before / after for ABC Corp (campus and branch: employees, contractors, vendors, guests, PCI devices, line of business, compliance, BYOD):
- Complex IP-based policies -> simple tag-based policies.
- Policies need updates as the topology changes -> policy automation leads to fewer updates.
- VLANs -> SGTs: TrustSec decouples segmentation from topology.
- Various segmentation needs -> TrustSec for segmentation needs.
- Retain policies as the network transitions to IPv6 -> remember, TrustSec is about tags, not IP!
Tom manages the network for ABC Corp: "I ♥ TrustSec".
90
76 Gartner on TrustSec
"logical source and destination security groups are more flexible, are easier to maintain and reduce runtime overhead in the network's switching fabric. There is much to like about Cisco's ambitious and innovative initiative. Cisco has made great strides in integrating support for the TrustSec framework across its product lines"
- Flexibility to segregate resources without physical segmentation or managing VLANs
- Reduction in ACL maintenance, complexity and overhead
77 Make a choice!
About 100 years after a crank was required to start a car, modern batteries can now start many cars using just a button. The slide contrasts traditional segmentation methods with segmenting using TrustSec.
Visit and know more
92
78 Q & A
79 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected Friday 11 March at Registration Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.
80 Thank you
More information