Enterprise Network Segmentation with Cisco TrustSec


2 Enterprise Network Segmentation with Cisco TrustSec
Presenter: Hariprasad

3 Abstract
This session provides an overview of the Cisco TrustSec solution for Enterprise network segmentation and Role-Based Access Control. TrustSec allows for simplified network segmentation based on User Identity/Role and allows for secure access and consistent security policies across Wired/Wireless networks. We will cover the TrustSec solution on the Catalyst, Nexus Switching and Routing (ASR1K/CSR/ISR) platforms, including converged wired/wireless, with a focus on the deployment use cases in campus, data centre and branch networks. The session covers an architectural overview of TrustSec and the benefits of role-based policies, and the elements of the solution: user identification with 802.1X, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control Lists (SGACL). This session is for Network and Security Architects, Pre-Sales Engineers and Technical Decision Makers. Previous knowledge or experience is recommended in campus design, Internet edge design, routing protocol design, and Layer 2 and Layer 3 switching.

4 TrustSec or related sessions
BRKSEC: Network as a Sensor and Enforcer, Matthew Robertson, Wednesday 9 Mar 2:30 PM - 4:00 PM (208)
BRKCRS: Enterprise Network Segmentation (with Cisco TrustSec), Hariprasad Holla, Wednesday 9 Mar 4:30 PM - 6:00 PM (203)
BRKSEC: Deploying Security Group Tags, Kevin Regan, Wednesday 9 Mar 4:30 PM - 6:00 PM (208)
BRKSEC: Building an Enterprise Access Control Architecture Using ISE and TrustSec, Hosuk Won, Thursday 10 Mar 8:30 AM - 10:30 AM (208)
BRKSEC: Advanced Security Group Tags, Kevin Regan, Friday 11 Mar 8:45 AM - 10:45 AM (105)
BRKACI: Cisco Security on ACI - Microsegmentation, ASA, FirePOWER, Brenden Buresh, Friday 11 Mar 8:45 AM - 10:45 AM (211)

5 Tom's Segmentation Challenge
(Slide figure: Tom manages the network for ABC Corp; the graphic shows a long, static, IP-based access-list 102 with dozens of permit/deny entries for tcp, udp, icmp and ip.)
Complex IP based policies
Need updates as topology changes
Various segmentation needs: Campus, Branch, Employees, Contractors, Vendors, Guests, PCI Devices, Line of Business, BYOD, Compliance
Extend segments over Layer 3 boundaries / VLANs
Retain policies as the network transitions to IPv6

7 Agenda
Network Segmentation: the past, present and future of network segmentation
TrustSec Deep-dive: WHAT is Cisco TrustSec
Deploying TrustSec: HOW to deploy TrustSec
Use cases & Deployment scenarios: WHY segment the TrustSec way?
Key takeaways: WHEN to deploy TrustSec: Now!
(Slide legend: For Your Reference; Cisco Identity Services Engine; Authenticated User)

8 Network Segmentation
(Agenda tracker: Start > Network Segmentation > TrustSec Deep-dive > Deploying TrustSec > Use-cases & Scenarios > Key Take-aways)

9 Traditional Segmentation is operationally heavy
(Slide figure: a long static access-list 102 of IP-based permit/deny entries; a campus topology with Access Layer, Aggregation Layer, Enterprise Backbone and Applications; VLANs: Quarantine VLAN, Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN; roles: Employee, Supplier, BYOD, Non-Compliant, Voice.)
Limitations of Traditional Segmentation:
  Security Policy based on Topology
  High cost and complex maintenance
Classification: Static / Dynamic VLAN assignments
Propagation: carry segment context over the network through VLAN tags / IP address / VRF
Enforcement: IP based policies (ACLs, Firewall rules, VACL)
Elements to keep in step: Static ACL, Routing, Redundancy, DHCP Scope, Address, VLAN

10 Introducing Cisco TrustSec
Three functions: Classification, Propagation, Enforcement
Security Groups in the figure: Employees (SGT 5), Application Servers (SGT 7), Production Servers (SGT 8). ISE and the Directory classify users arriving over Remote Access, Wireless and the wired Network; Switches, Routers, the DC Firewall and the DC Switch carry and enforce the tags.
Egress Policy (Source SGT \ Destination SGT):
  Source      | App_Serv   | Prod_Serv
  Employee    | Permit All | Deny All
  App_Serv    | Permit All | Deny All
  Prod_Serv   | Deny All   | Permit All

11 Consistent access governed by simplified policy
Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
TrustSec simplifies ACL management for intra/inter-VLAN traffic
DC switch receives policy for only what is connected
(Figure: Employee, Supplier, Voice and Non-Compliant tags on two access switches with VLAN: Data-1 and VLAN: Data-2, across the Enterprise Backbone to a Data Centre with Shared Services, Remediation and Application Servers behind a DC Switch; ISE provides the policy.)

12 The three common deployment scenarios
User to Data Centre Access Control:
  Context-based access control
  Compliance requirements: PCI, HIPAA, export controlled information
  Merger & acquisition integration, divestments
Data Centre Segmentation:
  Server zoning & Micro-segmentation
  Production vs. Development Server segmentation
  Compliance requirements: PCI, HIPAA
  Firewall rule automation
Campus and Branch Segmentation:
  Line of business segregation
  PCI, HIPAA and other compliance regulations
  Malware propagation control/quarantine

13 TrustSec Deep-dive (WHAT is TrustSec)

14 ISE controls TrustSec
NDAC (Network Device Admission Control) for a trusted domain of Network Devices
SGT: centrally define Security Group Tags and SGT Names, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
SGACL / Name table: the TrustSec policy matrix (Sources x Destinations) to be pushed down to the enforcers via a secure channel
ISE authenticates Wired/Wireless/VPN clients and assigns SGTs
(Figure labels: Rogue Device(s), 802.1X Dynamic SGT Assignment, Static SGT Assignments)

15 The 3 TrustSec functions
Classification (Assigning SGTs): Static Assignments, Dynamic Assignments
Propagation: Inline SGT, SXP, WAN Options
Enforcement: Security Group ACL, SG Firewall
(Figure: tags 5 Employee, 6 Voice, 7 Partner carried between endpoints A and B)

16 Classification: Two ways to assign Security Group Tags
Dynamic Classification (e.g. MAB at the Campus Access or on the WLC)
Static Classification: L2 Port to SGT, SVI (L3 Interface) to SGT, VLAN-SGT Mapping, Subnet-SGT, VM (Port Profile) to SGT on the Hypervisor SW
(Figure: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, DC Dist/Access, WLC, FW, Hypervisor SW)

17 Classification: L3 Interface to SGT
Routes learnt on an L3 port automatically get the SGT assignment
Can apply to Layer 3 interfaces regardless of the underlying physical interface: Routed port, SVI (VLAN interface), Tunnel interface, etc.
Example: GigabitEthernet 3/0/1 (route updates from Joint Ventures) maps to SGT 8; GigabitEthernet 3/0/2 (route updates from Business Partners) maps to SGT 9; DC Access and the Hypervisor SW sit behind the switch
Resulting binding table (prefixes not captured in the transcript):
  IP Address      SGT  Source
  ========================================
  (prefix)        -    INTERNAL
  (prefix)        -    INTERNAL
  (prefix)        -    INTERNAL
  (prefix)/24     8    L3IF
  (prefix)/24     9    L3IF
  (prefix)/24     9    L3IF

18 Classification: Nexus 1000V Port Profiles
In Nexus 1000V, SGTs can be assigned to a Port Profile
Port Profile: a container of network properties, applied to different interfaces
Server Admin may assign Port Profiles to new VMs
VMs inherit the network properties of the port-profile, including the SGT
SGT stays with the VM even if moved

19 The 3 TrustSec functions (repeat of slide 15; introduces Propagation)

20 Propagation: SGT propagation through Ethernet (Inline Tagging)
Fastest and most scalable way to propagate SGT within a LAN or Data Centre
SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
Capable switches understand and process the SGT at line rate
Optionally protected by enabling MACsec (IEEE 802.1AE, AES-GCM 128-bit encryption) on capable hardware
No impact to QoS, IP MTU or fragmentation
L2 frame impact: ~20 bytes
16-bit field gives ~64,000 tag space
A non-capable device drops the frame because of the unknown EtherType
Ethernet frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
Cisco Meta Data: CMD EtherType (0x8909) | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option
MACsec frame: Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE Header | CRC
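The frame layout above in code, as an added example that is not from the slides or from Cisco: building the CMD header and recovering the SGT the way a CMD-capable ingress port would, treating an 802.1AE-protected frame as unreadable without MACsec keys. Only the EtherTypes (0x8909, 0x88E5) and the 16-bit SGT field are stated on the slide; the one-byte Version and Length fields, the Length unit and the SGT option type value 0x0001 are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EtherTypes stated on the slide
CMD_ETHERTYPE = 0x8909      # Cisco Meta Data
MACSEC_ETHERTYPE = 0x88E5   # IEEE 802.1AE
DOT1Q_ETHERTYPE = 0x8100
IPV4_ETHERTYPE = 0x0800
# Assumed encodings (the slide names the fields but not their widths or values)
CMD_VERSION = 1             # 1-byte Version field
CMD_OPTION_SGT = 0x0001     # 2-byte option type meaning "an SGT value follows"


@dataclass
class ParsedFrame:
    dst_mac: str
    src_mac: str
    vlan: Optional[int]              # 802.1Q VLAN id, if a tag was present
    sgt: Optional[int]               # None = untagged, i.e. Unknown (0) to an enforcer
    macsec: bool                     # True: 802.1AE protected, CMD not readable here
    payload_ethertype: Optional[int]
    payload: bytes


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _fmt(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_cmd(sgt: int, payload_ethertype: int = IPV4_ETHERTYPE) -> bytes:
    """CMD EtherType, Version, Length (in 4-byte option words, assumption),
    SGT option type, 16-bit SGT value, then the original payload EtherType."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    header = struct.pack("!HBBHH", CMD_ETHERTYPE, CMD_VERSION, 1, CMD_OPTION_SGT, sgt)
    return header + struct.pack("!H", payload_ethertype)


def build_frame(dst: str, src: str, payload: bytes,
                sgt: Optional[int] = None, vlan: Optional[int] = None) -> bytes:
    """Dst MAC | Src MAC | [802.1Q] | [CMD] | EtherType | payload (slide layout, CRC omitted)."""
    frame = _mac(dst) + _mac(src)
    if vlan is not None:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF)
    if sgt is None:
        frame += struct.pack("!H", IPV4_ETHERTYPE)
    else:
        frame += build_cmd(sgt)
    return frame + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Recover the SGT as a CMD-capable switch reads it at ingress."""
    dst, src, off, vlan = frame[0:6], frame[6:12], 12, None
    (eth,) = struct.unpack_from("!H", frame, off)
    if eth == DOT1Q_ETHERTYPE:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
        (eth,) = struct.unpack_from("!H", frame, off)
    if eth == MACSEC_ETHERTYPE:
        # The 802.1AE header precedes 802.1Q and CMD; the tag is only visible after decryption
        return ParsedFrame(_fmt(dst), _fmt(src), vlan, None, True, None, frame[off:])
    sgt = None
    if eth == CMD_ETHERTYPE:
        version, length, opt_type, value = struct.unpack_from("!BBHH", frame, off + 2)
        if version != CMD_VERSION or opt_type != CMD_OPTION_SGT:
            raise ValueError("unsupported CMD version or option type")
        sgt = value
        off += 4 + 4 * length          # EtherType + Version/Length + option words
        (eth,) = struct.unpack_from("!H", frame, off)
    return ParsedFrame(_fmt(dst), _fmt(src), vlan, sgt, False, eth, frame[off + 2:])


def cmd_overhead() -> int:
    """Bytes the inline tag adds to an otherwise identical frame (constructed MACs)."""
    plain = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"x")
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"x", sgt=5)
    return len(tagged) - len(plain)
```

The CMD alone costs 8 bytes here; the slide's ~20 bytes includes the optional 802.1AE header and trailer.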

21 Propagation: out-of-band IP-SGT binding propagation through SGT Exchange Protocol (SXP)
Propagation method for IP-SGT bindings: propagates IP-SGT from the classification point to the enforcement point
Open protocol (IETF Draft), also supported in ODL (OpenDaylight)
TCP, port 64999
Roles: Speaker (initiator) and Listener (receiver)
Uses MD5 for authentication and integrity check
Supports single-hop SXP and multi-hop SXP (aggregation), e.g. Switches (Speaker) -> Routers (SXP Aggregation) -> Firewall (Listener)
Cisco ISE 2.0 can be an SXP Speaker and Listener

22 Propagation: SXP in action!
Cisco ISE 2.0 TrustSec Policy: Employee = SGT-5 to Web_Server = SGT-10 is marked X (blocked)
The Access Switch classifies the user as Employee (SGT 5) and sends its IP = SGT-5 binding over SXP across the WAN; the Web_Server IP = SGT-10 binding also reaches the Nexus switch over SXP
IP-SGT Binding Table, Access Switch (addresses not captured):
  IP Address      SGT  Source
  ========================================
  (address)       -    INTERNAL
  (address)       -    LOCAL
IP-SGT Binding Table, Nexus Switch (N7K):
  IP Address      SGT  Source
  ========================================
  (address)       -    INTERNAL
  (address)       -    SXP
  (address)       -    SXP
The N7K resolves SRC and DST to their SGTs from this table and applies the policy (X).

23 Propagation: multiple options for SGT transport over L3 networks
Multiple options for SGT transport over non-CTS Layer 3 networks:
  DMVPN for Internet based VPNs
  GETVPN and OTP for private WAN
  IPSEC, SXP
(Figure: Finance and HR users, BYOD and Wireless on Enterprise LAN Switches; CTS Link in the Enterprise Network; SXP to the Catalyst 6500, Nexus 7000 and Nexus 1000v Data Centre Switches; IPSEC over the Internet, DMVPN, GETVPN over Enterprise MPLS; ISE pushes the SGACL.)

24 The 3 TrustSec functions (repeat of slide 15; introduces Enforcement)

25 Enforcement: Ingress classification, Egress enforcement
User authenticated and classified as Marketing (SGT 5) at the Cat3850 / WLC5508 access
Traffic carries SRC SGT 5 across the Cat6800s and the Enterprise Backbone to the Nexus 7000 / Nexus 5500 / Nexus 2248 data centre
Destination classification: Web_Dir: SGT 20, CRM: SGT 30
FIB lookup yields the destination MAC/port and the destination SGT (20); the egress switch applies the SGACL
SGACL-A (SRC \ DST):    Web_Dir (20) | CRM (30)
  Marketing (5):        Permit       | Deny
  BYOD (7):             Deny         | (not captured)
ACL: Access Control List

26 Enforcement: The SGACL Enforcement Policy

27 Enforcement: SGTs can be used for policies in the Cisco ASA Firewall
SGT defined in ISE or locally defined on the ASA
Uses the Destination SGT received from the switches connected to the destination
Trigger IPS/CX based on SGT
Use Network Objects (Host, Range, Network (subnet), or FQDN)
More on ASA TrustSec: BRKSEC-2690 and BRKSEC

28 TrustSec supported platforms
(Figure: User > Switch > Router > WAN (GETVPN, DMVPN, IPSEC) > Router > Firewall > DC Switch > vswitch > Server, with ISE; Classification at the user edge and server edge, Propagation along the path, Enforcement at switches, firewalls and DC switches.)
Classification (as grouped on the slide):
  Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X/-CX; Catalyst 3750-E/-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E/7E) / 4500X; Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 6800; WLC 2500/5500/WiSM2; WLC 5760; WLC 8510/8540; Nexus 7000; Nexus 6000; Nexus 5500/2200; Nexus 1000v; ISRG2, ISR4000; ASR1000, CSR 1000v; IE2000/3000/4000; CGR 2000, CGS2500; ASA5500 (RAS VPN)
Propagation (SGT):
  Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X/3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (Sup 7E, 7LE, 8E); Catalyst 4500X; Catalyst 6500E (Sup720); Catalyst 6500/Sup2T, 6800; WLC 2500/5500/WiSM2; WLC 5760, 8510/8540; Nexus 7000; Nexus 6000; Nexus 5500/2200; Nexus 1000v; ISR G2, ISR 4000; ASR1000, CSR 1000V; IE2000/3000/4000, CGR2000, CGS2500; ASA5500; ISE
Enforcement:
  Catalyst 3560-X; Catalyst 3750-X; Catalyst 3850/3650; WLC 5760; Catalyst 4500E (7E) / 4500X; Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Nexus 7000; Nexus 6000; Nexus 5500/5600; Nexus 1000v; ISR G2, ISR 4000; ASR 1000, CSR 1000v; CGR2000; ASA 5500 Firewall; ASAv Firewall; Web Security Appliance
For up-to-date information visit: (link not captured)

29 Deploying TrustSec (HOW to deploy TrustSec)

30 Approaching a TrustSec design
Start with Policy Goals; Use Cases can be Localised; Focus on the Business Problem
Typical drivers and use cases: Controlled access to Production systems or PCI Servers; User to DC Access Control; Secure BYOD; Contractor Access Control; Extranet Security; Simplified Firewall Rules, VPN Access, ACLs or WSA rules; Maintain Compliance; Protect against breach; Complex ACLs and Firewall rule complexity

31 Starting a TrustSec design
Discuss assets to protect. Example: Cardholder Data, Medical Records, intellectual data
Classification Mechanisms. Example: Dynamic, Static, etc.
Policy Enforcement Points: DC segmentation (DC virtual/physical switches or virtual/physical Firewalls); User to DC access control (identify capable switches or firewalls in the path)
Propagation Methods: Inline Tagging, SXP, DM-VPN, GET-VPN, IPSec, OTP, etc.

32 SGT policy matrix example Write it down on a spreadsheet!

33 It all starts with ISE: things to do in Cisco ISE for TrustSec
Basic infrastructure setup: Certificates, Active Directory integration, etc.
Create Security Group Tags to be used in the network
Set up Network Device Admission Control (NDAC)
Define Authentication and Authorisation policies for Users and Devices
Configure SGACLs & Egress Policies (if enforcing on IOS / Nexus Switches)

34 Security Group Tags in ISE
Define SGTs under the Components section in the TrustSec Work Centre (from ISE 2.0)

35 Define all the Network Devices in Cisco ISE
The Network Devices (Switches, Routers, Wireless controllers, Firewalls, etc.) need to be defined here. Bulk upload via CSV is possible too.

36 Configure additional parameters for TrustSec in Cisco ISE
In addition to the RADIUS secret, check Advanced TrustSec Settings and Use Device ID for TrustSec, then type the device password. This ID and password need to be exactly the same as defined on the network device CLI.

37 Define Authorisation policies for Users and Devices in Cisco ISE
802.1X / MAB / Web Authentication policy to assign SGTs to the Users and Devices

38 Configure Security Group ACLs in Cisco ISE
Configure SGACLs first, to be referenced under the Egress policy later

39 Egress Policy Matrix in Cisco ISE
Default Rule: can be Permit or Deny

40 Cisco IOS Switches: Global Cisco TrustSec (CTS) configuration
Global AAA configuration for all IOS switches:
  aaa new-model
  !
  aaa authentication dot1x default group ise-group
  aaa authorization network default group ise-group
  aaa authorization network cts-list group ise-group
  aaa accounting dot1x default start-stop group ise-group
  !
  aaa server radius dynamic-author
   client <Switch_IP> server-key cisco
  !
  radius server ise
   address ipv4 <ISE_IP> auth-port 1812 acct-port 1813
   pac key <PAC_Password>
  !
  aaa group server radius ise-group
   server name ise
  !
TrustSec authorisation should use the cts-list AAA servers:
  cts authorization list cts-list
For SGT policy enforcement, if the switch has to do access control:
  cts role-based enforcement
  cts role-based enforcement vlan-list <VLANs>
Critical authentication for NDAC when ISE is not reachable, and fall back to cached / default policies when ISE is unreachable:
  cts critical-authentication
  cts critical-auth fallback cached default
More options: (link not captured)

41 Cisco IOS Switches: access and uplink ports
Devices (typically): enable 802.1X on downlinks and SGT propagation on uplinks
(Optional) static assignment of VLAN to SGT, useful if the users or devices are static:
  cts role-based sgt-map vlan-list <VLAN_IDs> sgt <SGT>
Switch port configuration for dynamic SGT assignments:
  interface <Access-port>
   switchport access vlan <Data_VLAN>
   switchport voice vlan <Voice_VLAN>
   switchport mode access
   authentication open
   authentication port-control auto
   authentication host-mode multi-auth
   dot1x pae authenticator
   mab
Uplink ports (Access towards Campus Agg / Core); cts commands on uplink ports automatically configure the (hidden) propagate sgt command:
  interface <Uplink_Port>
   description ** Uplink Interface **
   switchport mode trunk
   cts manual
   ! or: cts dot1x
cts manual: manual configuration of (optional) MACsec on the port; cts dot1x: the switch receives the MACsec PMK keys from Cisco ISE
** Other best practice configurations applicable

42 Cisco IOS Switches: Switch ports can stay in 802.1X Monitor Mode forever
Monitor Mode: irrespective of authentication status (pass/fail), endpoints get an IP address. Successful authentication gets specific SGTs; failures are classified as Unknown SGT
Tagged traffic traverses the network, allowing monitoring and validation that: assets are correctly classified; traffic flows to assets are as predicted/expected
(Figure: Users and Endpoints on Catalyst Switches (3K/4K/6K) in Monitor Mode, Campus Network, N7K in front of the PCI Server, Production Server and Development Server)
Policy matrix (SRC \ DST): PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
  Employees (100): Permit Deny all | Permit Deny all | Permit all
  PCI User (105):  Permit all      | Permit all      | Permit all
  Unknown (0):     Permit Deny all | Permit Deny all | Permit all
(Two values in a cell are as extracted from the slide.)

43 Cisco IOS Switches: ISE and the Network Device transact securely using PAC keys
The switch authenticates with Cisco ISE over a secure EAP-FAST channel (RADIUS); Environmental Data and the TrustSec Egress Policy are downloaded over it
PAC* keys are pushed by ISE; the switch uses them to talk to ISE securely
  Switch# cts credential id C password cisco
  Switch# show cts pacs
  AID: 3E465B9E3F4E012E6AD3159B403B5004
  PAC-Info:
    PAC-type = Cisco Trustsec
    AID: 3E465B9E3F4E012E6AD3159B403B5004
    I-ID: C
    A-ID-Info: Identity Services Engine
    Credential Lifetime: 13:12:04 UTC Jan
  PAC-Opaque: B E465B9E3F4E012E6AD3159B403B C C3B32A200B23EF4A53D9DF79A6E4B D A B5BB779165C75E75DDF4619CB3D4AD F5488C5904CA27F13C 6FB45F DCCED288FF304F FD49D2D2D3EBF664300E3FD66925 A7DEB8C A369280EB251091D92D90FEDA7BBD1148C7CCA8D018011F00 9A F854DD3C EE32E47B7AB BB3FD
  Refresh timer is set for 12w4d
*PAC: Protected Access Credential

44 Cisco IOS Switches: Environmental Data (downloaded from ISE)
  Switch# show cts environment-data
  CTS Environment Data
  ====================
  Current state = COMPLETE
  Last status = Successful
  Local Device SGT:
    SGT tag = 2-00:TrustSec_Infra_SGT
  Server List Info:
  Installed list: CTSServerList1-0001, 1 server(s):
    *Server: , port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
    Status = DEAD
    auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
  Multicast Group SGT Table:
  Security Group Name Table:
    0-00:Unknown
    2-00:TrustSec_Infra_SGT
    10-00:Employee_FullAccess
    20-00:Employee_BYOD
    30-00:Contractors
    :PCI_Devices
    :Web_Servers
    :Mail_Servers
    :Unregist_Dev_SGT
  Environment Data Lifetime = secs
  Last update time = 21:57:24 UTC Thu Feb
  Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
  Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
  Cache data applied = NONE
  State Machine is running
(Some SGT numbers and the server address were not captured in the transcript.)

45 Cisco IOS Switches: cts role-based enforcement (IOS switch as enforcer)
  Switch# show cts rbacl Permit_ _Traffic
  CTS RBACL Policy
  ================
  RBACL IP Version Supported: IPv4
    name = Permit_ _Traffic-40
    IP protocol version = IPV4
    refcnt = 1
    flag = 0x
    stale = FALSE
    RBACL ACEs:
      permit tcp dst eq 110
      permit tcp dst eq 143
      permit tcp dst eq 25
      permit tcp dst eq 465
      permit tcp dst eq 585
      permit tcp dst eq 993
      permit tcp dst eq 995
      deny all log

  Switch# show cts role-based permissions
  IPv4 Role-based permissions default:
    Permit IP
  IPv4 Role-based permissions from group 10:Employee_FullAccess to group 10:Employee_FullAccess:
    Malware_Contol_ACL-10
  IPv4 Role-based permissions from group 10:Employee_FullAccess to group 30:Contractors:
    Cisco_Jabber_Access-10
  IPv4 Role-based permissions from group 30:Contractors to group 10:Employee_FullAccess:
    Cisco_Jabber_Access-10
  IPv4 Role-based permissions from group 30:Contractors to group 120:Mail_Servers:
    Permit_ _Traffic
  ...
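The egress enforcement path of slide 25, the permissions output above and the per-destination policy download of slide 63, modelled together as an added example that is not IOS code: the destination SGT comes from an IP-SGT binding table, the (source SGT, destination SGT) cell of the egress matrix names an SGACL, and the SGACL's ACEs decide the packet. SGT numbers and ACEs are from the output above; the binding addresses are constructed, and the SGACL name "Mail_Ports_Only" stands in for the partly cut-off name on the slide.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# SGT numbers and names from the environment data / permissions output on the slides
SGT_UNKNOWN, EMPLOYEE, CONTRACTORS, MAIL_SERVERS = 0, 10, 30, 120


class Packet(NamedTuple):
    src_sgt: int                    # assigned at ingress (inline tag or SXP-learnt binding)
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


# ACE = (action, protocol, destination port); these are the Contractors -> Mail_Servers
# ACEs from the slide. "Mail_Ports_Only" is a constructed name for the cut-off RBACL name.
SGACLS: Dict[str, List[Tuple[str, str, Optional[int]]]] = {
    "Mail_Ports_Only": [
        ("permit", "tcp", 110), ("permit", "tcp", 143), ("permit", "tcp", 25),
        ("permit", "tcp", 465), ("permit", "tcp", 585), ("permit", "tcp", 993),
        ("permit", "tcp", 995),
        ("deny", "any", None),      # the slide's final ACE: deny all log
    ],
}
DEFAULT_ACTION = "permit"           # "IPv4 Role-based permissions default: Permit IP"

# The egress matrix as ISE holds it; only the cell whose ACEs appear on the slide is modelled
EGRESS_MATRIX: Dict[Tuple[int, int], str] = {(CONTRACTORS, MAIL_SERVERS): "Mail_Ports_Only"}

# Constructed IP-SGT bindings (the slide's addresses were not captured); the Source column
# mirrors 'show cts role-based sgt-map': host, subnet and L3IF-learnt entries side by side
BINDINGS: List[Tuple[str, int, str]] = [
    ("10.1.120.0/24", MAIL_SERVERS, "SXP"),
    ("10.1.120.25/32", MAIL_SERVERS, "INTERNAL"),
    ("10.1.10.0/24", EMPLOYEE, "L3IF"),
]


def lookup_dst_sgt(ip: str) -> int:
    """Longest-prefix match over the binding table; no match means Unknown (0)."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, int]] = None
    for prefix, sgt, _source in BINDINGS:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else SGT_UNKNOWN


def download_policy(protected_dst_sgts: List[int]) -> Dict[Tuple[int, int], str]:
    """Slide 63: an enforcer pulls only the matrix cells whose destination SGT it protects."""
    return {cell: acl for cell, acl in EGRESS_MATRIX.items() if cell[1] in protected_dst_sgts}


def enforce(pkt: Packet, policy: Dict[Tuple[int, int], str]) -> Tuple[str, str, int]:
    """Egress decision: (action, rule applied, destination SGT) for one packet."""
    dgt = lookup_dst_sgt(pkt.dst_ip)
    acl_name = policy.get((pkt.src_sgt, dgt))
    if acl_name is None:
        return DEFAULT_ACTION, "default", dgt        # no cell downloaded: default rule
    for action, proto, port in SGACLS[acl_name]:
        if proto in ("any", pkt.proto) and port in (None, pkt.dst_port):
            return action, acl_name, dgt             # first matching ACE wins
    return DEFAULT_ACTION, acl_name, dgt             # SGACL exhausted without a match
```

Run with `download_policy([MAIL_SERVERS])` for a switch that only fronts the mail servers: a Contractor's IMAPS session is permitted, its SSH attempt hits the trailing deny, and an Employee's traffic falls through to the default Permit IP because that cell is not defined.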

46 Wireless AireOS Controllers*
The Wireless Controller (5520 in the figure) acts as SXP Speaker; Cisco ISE assigns the SGT to the wireless client
No SG-based enforcement locally on the controller; IP-SGT bindings are sent over SXP to the enforcers / aggregators (Switch / Firewall as SXP Listener, in front of the Destinations)
* Supported on all Wireless Controllers except 7500 & vWLC

48 Routers: overview of TrustSec support on routers
Classification: IP-to-SGT, Subnet-to-SGT, L3IF-to-SGT; no dynamic classification option
Propagation: multiple options: SXP; inline methods: SGT over Ethernet, IPSec, DMVPN, GETVPN, EIGRP OTP / LISP
Enforcement: Zone Based Firewall (ZBFW), SGT-based PBR (Policy Based Routing), SGT-based QoS (Quality of Service)

49 Routers: one command to enable SGT transport over IPsec
SGT in IPsec: IP header (Protocol Type = ESP) | ESP Header | IV | CMD | Original IP Header | Original IP Payload | Pad | Pad Length | Next Header | Authentication Tag
CMD fields: Next Header (IP), Len = 3, Version (0x1), Reserved, Len (0x0), Len (0x1), Type (1 = SGT), Type (5 = PST), SGT Number (16 bits), GETVPN Pseudo timestamp
Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload
ESP: Encapsulating Security Payload; AH: Authentication Header
Configuration (peer addresses not captured in the transcript); the single command that enables SGT transport is crypto ikev2 cts sgt, and the CTS infrastructure CLI (cts role-based sgt-map) is used to configure the IP->SGT mapping:
  crypto ikev2 proposal p1
   encryption 3des
   integrity md5
   group 2
  !
  crypto ikev2 policy policy1
   proposal p1
  !
  crypto ikev2 keyring key
   peer v4
    address
    pre-shared-key cisco
  !
  crypto ikev2 profile prof3
   match identity remote address
   authentication local pre-share
   authentication remote pre-share
   keyring key
  !
  crypto ikev2 cts sgt
  !
  crypto ipsec transform-set trans esp-3des esp-sha-hmac
  !
  ...

50 Routers: cts sgt inline enables SGT transport in DMVPN sessions
Hub and Spokes (addresses not captured in the transcript):
  crypto ikev2 profile prof3
   match identity remote address
   authentication local pre-share
   authentication remote pre-share
   keyring key
  !
  cts sgt inline
  !
  crypto ipsec transform-set trans esp-3des esp-sha-hmac
  !
CTS infrastructure CLI to configure static IP to SGT bindings:
  cts role-based sgt-map <IP> sgt 150
  cts role-based sgt-map <IP> sgt 200
Verification:
  Router# show ip nhrp nhs detail
  Legend: E=Expecting replies, R=Responding, W=Waiting
  Tunnel0:
  <NHS>  RE  NBMA Address: <address>  priority = 0  cluster = 0  req-sent 44  req-failed 0  repl-recv 43 (00:01:37 ago)  TrustSec Enabled

51 Routers: enable tagging in the GETVPN Key Server; run v1.0.5 or later on Group Members
Group Members, CTS infrastructure CLI to configure static IP to SGT bindings (addresses not captured):
  cts role-based sgt-map <IP> sgt 150
  cts role-based sgt-map <IP> sgt 200
Key Server (KS):
  crypto gdoi group GDOI
   identity number <number>
   server local
    sa ipsec 2
     no tag
     match address ipv4 ACL_GETVPN_NO_SGT
    sa ipsec 1
     tag cts sgt
     match address ipv4 ACL_GETVPN_SGT
If the KS is configured for tagging, Group Members must register using the GETVPN software version noted above or higher to be accepted.
  Router# show crypto gdoi feature cts-sgt
  Group Name: GETVPN
      Key Server ID     Version   Feature Supported
      (ID)              (ver)     Yes
      (ID)              (ver)     Yes
      Group Member ID   Version   Feature Supported
      (ID)              (ver)     No
      (ID)              (ver)     No
      (ID)              (ver)     Yes
      (ID)              (ver)     Yes

52 Zone Based Firewall: SGT is a source criterion only in the ISR FW; source or destination in the ASR 1000 Routers
  class-map type inspect match-any partner-services
   match protocol http
   match protocol icmp
   match protocol ssh
  class-map type inspect match-any partner-sgts
   match security-group source tag 2001
   match security-group source tag 2002
   match security-group source tag 2003
  class-map type inspect match-all partner-class
   match class-map partner-services
   match class-map partner-sgts
  class-map type inspect match-any guest-services
   match protocol http
  class-map type inspect match-any guest-sgts
   match security-group source tag 5555
  class-map type inspect match-all guest-class
   match class-map guest-services
   match class-map guest-sgts
  class-map type inspect match-any emp-services
   match protocol http
   match protocol ftp
   match protocol icmp
   match protocol ssh
  ...

53 Routers: path selection based on SGT (Policy-based Routing)
Available today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)
  route-map SG_PBR
   match security-group source tag 100
   set ip next-hop <next-hop>
   match security-group destination tag 150
   set ip next-hop <next-hop>
Security example: redirect traffic from malware-infected hosts (User B, Suspicious) to an Inspection Router; contain threats; pass traffic through centralised analysis and inspection functions
Other example: SGT-based VRF selection, e.g. VRF-GUEST for User C (Guest), to map different user groups to different WAN services; segment traffic to different VRFs based on context
(Figure: Router / Firewall, Network A, Enterprise WAN; User A Employee, User B Suspicious, User C Guest)

54 Routers: Quality of Service for SGTs
Available today: Cisco ISR 4K and ASR 1K with IOS XE 3.17S or later
  class-map employee-non_critical
   match security-group source tag 10
   match security-group destination tag 254
  !
  class-map employee-critical
   match security-group source tag 10
   match security-group destination tag 100
  !
  policy-map sg_qos
   class employee-critical
    priority percent 50
   class employee-non_critical
    bandwidth percent 25
    set dscp ef
Critical applications (CriticalServers, SGT 100) get priority treatment; the non-critical class (NonCritical, SGT 254) gets lower bandwidth; different user groups (Employee, SGT 10) can be offered different Quality of Service (QoS)
(Figure: Applications behind a Router; Router / Firewall; Network A; Enterprise WAN)

55 Same policy structure for Data Centres
(Figure: Data Centre tiers of Web Servers, Middleware Servers, Database Servers and Storage)

56 TrustSec on NX-OS and IOS are alike
SXP v1 only (IPv4-to-SGT, no loop detection)
Nexus 5000/6000: Port-to-SGT classification only
Nexus 9000 doesn't support SGTs today
cts credentials are defined in global config, unlike in Exec mode in IOS:
  Nexus(config)# feature cts
  Nexus(config)# feature dot1x
  Nexus(config)# cts device-id N7K-DST1 password cisco
Disable SGT propagation on ports connecting to physical servers:
  Nexus(config)# int e1/30
  Nexus(config-if)# cts manual
  Nexus(config-if-cts-manual)# policy static sgt 0X3
  Nexus(config-if-cts-manual)# no propagate-sgt
(Figure: DATA CENTRE with LOB1 DB, LOB2 DB, PCI DB and Finance DB; C/P/E = Classification/Propagation/Enforcement towards Enterprise / WAN)
CoA for Environmental-Data and SGACL download from NX-OS version 7.2*
*Earlier pushed through the cts refresh CLI over SSH, now CoA. More details here: (link not captured)

57 ISE 2.1: TrustSec ACI Policy Plane Integration
APIC: Application Policy Infrastructure Controller; ACI: Application Centric Infrastructure
TrustSec Policy Domain (Cisco ISE 2.1, Security Groups) and ACI Policy Domain (Cisco APIC-DC, End Point Groups)
ISE creates matching Security Groups and Endpoint Groups
ISE exchanges IP-SGT / EPG Name bindings with APIC
IP-Security Group bindings are exchanged with the network (SGT over Ethernet; IPSec / DMVPN / GETVPN / SXP); the ACI fabric (Spine / Leaf, Nexus 9000, Nexus 3000) works with IP-ClassId, VNI bindings
(Figure: User > Switch > Router > WAN (GETVPN, DMVPN, IPSEC) > Router > Firewall > Nexus 9000 / Nexus 3000 > Server, with Classification at the user edge)

58 Security Group and EPG exchange
APIC: Application Policy Infrastructure Controller; ACI: Application Centric Infrastructure
Cisco ISE 2.1: Security Groups and IP bindings <-> Cisco APIC-DC: End Point Groups (EPG) and IP bindings
More on ACI Security: BRKACI Cisco Security on ACI; BRKACI Introduction to ACI for Security Admins

59 TrustSec traffic monitoring in StealthWatch
NetFlow with Security Group context adds Who to the Where, When and What
Highly scalable (enterprise class) collection; high compression, long term storage; months of data retention
Flexible NetFlow record exporting the tags:
  flow record my-flow-record
   ...
   match flow cts source group-tag
   match flow cts destination group-tag
   ...

60 Segmentation monitoring with StealthWatch
Custom event triggers on a traffic condition: rule name and description; SGT and DGT; trigger on traffic in both directions, successful or unsuccessful
More on StealthWatch: BRKSEC-2026: Network as a Sensor and Enforcer

61 Use Cases & Deployment Scenarios (WHY TrustSec)

62 TrustSec means efficiency: Large Campus Wireless Deployment
Large Electronics Device Manufacturing Company deploying Secure Wi-Fi
ACL needs to scale to more than 64 lines of ACL (>1,500)
TrustSec solution within the Catalyst 6500 VSS (C6k) chassis: WiSM2 aggregates AP traffic (CAPWAP tunnel from the Access Points); policy enforcement on the Sup2T based on SGT
Destination SGT values defined by IP & Subnet, shared via SXP (prefixes not captured): Data Centre /24 = SGT 10; Campus D /24 = SGT 7; Campus C /24 = SGT 6; Branch Office /24 = SGT 22; Corporate Network /8 = SGT 100
Source SGTs assigned by ISE: SGT 2: Limited Access (Non-Compliant Mobile Device); SGT 3: Full Access (Compliant Corporate Asset)
SGACLs optimise TCAM utilisation
Reduced IOS static ACL: managing policy using the Egress Matrix, e.g. about 500 lines of ACL allowing HTTPS is now supported by a single line of SGACL: permit tcp dst eq 443

63 SGACL download only for known destinations
Segmentation defined in ISE (figure: sources SGT=3, SGT=4, SGT=5; destinations Prod_Servers (7), Dev_Servers (8))
TrustSec switches request policies for the assets they protect; policies are downloaded & applied dynamically
Result = Software Defined Segmentation: switches pull down only the policies they need
(Speech bubbles in the figure, reconstructed from interleaved text: "I have SGT-7, is there a policy for it?"; "I pulled policies to protect SGT-7"; "I know nothing is there to protect")
SGACL enforcement on the port facing the Dev_Server (SGT=7):
  interface ethernet 2/1
   cts manual
    policy static sgt 0x7
    no propagate-sgt

64 Handling acquisitions / mergers or divestments: a secure, economical way to integrate or segment networks
Cisco on Cisco Case Study: Technicolor has acquired Cisco's Connected Devices business
Initiative: to divest assets, including employees and properties, to Technicolor
Objective: to create logical separation on the network infrastructure and provide secure resource access in a shared workspace
Solution: TrustSec segmentation based on user authentication in selected offices (Shanghai and Lawrenceville), using the global ISE deployment
Policy (Source SGT \ Destination SGT): Cisco Internal | Technicolor | Shared
  Cisco:       Permit | Permit | Permit
  Technicolor: Deny   | Permit | Permit
  Auth-Fail:   Deny   | Deny   | Permit
  Untrusted:   Deny   | Deny   | Permit
For details read: (link not captured)

65 Limiting workstation-to-workstation communication

66 Control lateral access with TrustSec
Effective East-West traffic control at the Enterprise access
Replaces Private / Isolated / Community VLAN functionality with centrally provisioned policy
Supports mobile devices (with DHCP addresses); a statically defined ACL cannot support the same level of policy
No other competitor can support this type of use case
(Figure: a compromised PC ("Pawned PC") on the wired segment, Employee tag, 1: scans for open ports / OS, 2: exploits a vulnerability on another PC or a BYOD device on the wireless segment; the SGACL policy between Employee-tagged endpoints at the Access Switch / Distribution Switch / AP blocks it)
Anti-Malware-ACL, sample ACEs (including those that block PtH (SMB over TCP) used for privilege escalation):
  deny icmp
  deny udp src dst eq domain
  deny tcp src dst eq 3389
  deny tcp src dst eq 1433
  deny tcp src dst eq 1521
  deny tcp src dst eq 445
  deny tcp src dst eq 137
  deny tcp src dst eq 138
  deny tcp src dst eq 139
  deny udp src dst eq snmp
  deny tcp src dst eq telnet
  deny tcp src dst eq www
  deny tcp src dst eq 443
  deny tcp src dst eq 22
  deny tcp src dst eq pop3
  deny tcp src dst eq 123
PtH: Pass-the-Hash

67 Before: an SSID & VLAN per vendor
Segmenting vendors, guests, employees and PCI devices in retail stores. Customer concerns: employees, PCI devices, vendors and guests in the branch need segmentation. Each segment today is a VLAN and/or an SSID. Provisioning and decommissioning vendors is a tedious task.
Store segments shown: Store, Guest, BYOD, Vendor-1, Vendor-2, Vendor-3 ... Vendor-N, Store PCI, Demo, Vendor-2, Vendor-A, Vendor-B ... Vendor-N, each on its own VLAN and/or SSID; an ISR with ZBFW and WAN VRFs connects the store to the data centre (WLC, servers). Additional VLANs/VRFs for voice, print, AP, etc. are not shown in the picture.
LOB: Line of Business
82

68 After: one SSID and one VLAN for vendors
Segmenting vendors, guests, employees and PCI devices in retail stores: the TrustSec solution. Cisco ISE authorises each endpoint with an SGT and pushes the SGACL to the branch CA* switch. One network serves all vendors, but each vendor is segmented with TrustSec. Fewer VLANs and SSIDs to manage; provisioning / retiring vendors is now EASY!
Store segments shown: Store, Guest, BYOD, Vendors, Store PCI, Demo; the vendors are authenticated and authorised by ISE (vendor and guest accounts in Cisco ISE, employee accounts in AD); an ISR with ZBFW and WAN VRFs connects the store to the data centre servers. Additional VLANs/VRFs for voice, print, AP, etc. are not shown in the picture.
*Converged Access
LOB: Line of Business
83

69 University controls IPv4 and IPv6 clients uniformly: TrustSec is about tags!
IPv6-to-SGT bindings over SXP are supported from 15.2(3)E / E. Both IPv4 and IPv6 endpoints can co-exist today and be access-controlled uniformly; carry the policies forward as you transition the network. Topology: IPv4 and IPv6 clients on Cat3K/4K access switches (15.2(2)E / 3.6.0E), authenticated and authorised by Cisco ISE, with IPv6-to-SGT bindings carried over SXP to the C6500/6800 enterprise backbone, where SGACLs protect the data centre servers.
CTS-C6500#show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information

IP Address                              SGT  Source
========================================================
2001:DB8:100::1                         2    INTERNAL
2001:DB8:100:0:7CB0:3B1D:2F77:16A6      3    SXP
2001:DB8:200:0:9112:EB74:784F:E88B      4    SXP
2001:DB8:252::100                       2    INTERNAL
2001:DB8:254::10                        9    CLI
2001:DB8:254::12                        7    CLI
84
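The pull model of slide 63, the SGACL matrix of slide 64, the Anti-Malware-ACL of slide 66 and the IPv4/IPv6 binding table of slide 69 fit together in one small model: classify both endpoints by SGT, pick the matrix cell, evaluate the cell's ACEs first-match. The Python below is an added example, not Cisco's or the presenter's code; the SGT numbers, the IPv4 binding rows, the closing "permit ip" and the reading of the slide's "src dst eq N" qualifier are assumptions.

```python
"""IP-to-SGT bindings, an SGACL matrix, selective download and flow checks.
Added example, not Cisco code: SGT numbers, the IPv4 binding rows and the
closing "permit ip" are assumptions; the rest mirrors the slides."""
import ipaddress
import re

# Constructed SGT numbers: the slides name the groups but number only a few.
SGT = {"Unknown": 0, "Cisco": 2, "Technicolor": 3, "Shared": 4, "Employee": 5}

# Port names used by the slide-66 ACEs, with their IANA well-known numbers.
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

# Subset of the slide-66 Anti-Malware-ACL.  The slide shows only deny ACEs;
# the closing "permit ip" is added here (assumption) to make the rest explicit.
ANTI_MALWARE_ACL = """
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 445
deny tcp src dst eq 22
permit ip
"""

# Matrix keyed (source SGT, destination SGT): the slide-64 cells plus the
# slide-66 workstation-to-workstation cell.  Unlisted cells use DEFAULT_ACL.
MATRIX = {
    (SGT["Cisco"], SGT["Cisco"]): "permit ip",
    (SGT["Cisco"], SGT["Technicolor"]): "permit ip",
    (SGT["Cisco"], SGT["Shared"]): "permit ip",
    (SGT["Technicolor"], SGT["Cisco"]): "deny ip",
    (SGT["Technicolor"], SGT["Technicolor"]): "permit ip",
    (SGT["Technicolor"], SGT["Shared"]): "permit ip",
    (SGT["Employee"], SGT["Employee"]): ANTI_MALWARE_ACL,
}
DEFAULT_ACL = "deny ip"  # constructed default for cells missing from the matrix

# Constructed "show cts role-based sgt-map" output in the slide-69 layout,
# with IPv4 rows added so both address families take the same path.
SGT_MAP_OUTPUT = """
Active IP-SGT Bindings Information
IP Address                              SGT  Source
========================================================
10.10.1.21                              2    LOCAL
10.10.1.22                              3    SXP
10.10.2.50                              5    LOCAL
10.10.2.51                              5    SXP
2001:DB8:100:0:7CB0:3B1D:2F77:16A6      3    SXP
2001:DB8:200:0:9112:EB74:784F:E88B      4    SXP
"""

ACE_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp|icmp)(?:\s+(.*))?$")


def parse_bindings(show_output):
    """Return {ip_address: sgt}; header and separator lines are skipped."""
    bindings = {}
    for line in show_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].isdigit():
            bindings[ipaddress.ip_address(parts[0])] = int(parts[1])
    return bindings


def parse_ace(text):
    """Split one ACE into (action, protocol, destination port or None).
    The slide writes "src dst eq N": a bare "src" adds no constraint and
    "dst eq N" is read as the destination-port qualifier (assumption)."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {text!r}")
    action, proto, quals = m.group(1), m.group(2), (m.group(3) or "").split()
    dport = None
    for i, tok in enumerate(quals):
        if tok == "dst" and quals[i + 1:i + 2] == ["eq"]:
            port = quals[i + 2]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return action, proto, dport


def evaluate(acl_text, proto, dport=None):
    """First-match evaluation; returns (action, text of the matching ACE)."""
    for line in acl_text.strip().splitlines():
        action, aproto, aport = parse_ace(line)
        if aproto != "ip" and aproto != proto:
            continue
        if aport is not None and aport != dport:
            continue
        return action, line.strip()
    return "deny", "no ACE matched (deny assumed)"


def policies_to_download(matrix, protected_sgts):
    """Slide 63: a switch pulls only the cells whose destination SGT it protects."""
    return {cell: acl for cell, acl in matrix.items() if cell[1] in protected_sgts}


def check_flow(bindings, matrix, src_ip, dst_ip, proto, dport=None):
    """Classify both endpoints by SGT, pick the matrix cell, evaluate the flow."""
    src = bindings.get(ipaddress.ip_address(src_ip), SGT["Unknown"])
    dst = bindings.get(ipaddress.ip_address(dst_ip), SGT["Unknown"])
    action, ace = evaluate(matrix.get((src, dst), DEFAULT_ACL), proto, dport)
    return src, dst, action, ace
```

An endpoint with no binding is classified as SGT 0 and falls into the constructed default cell, which is the failure mode to watch for when SXP or 802.1X classification is incomplete.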

70 TrustSec reduces operational costs
Forrester report on the Total Economic Impact of TrustSec: Cisco TrustSec enabled the organisations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation, resulting in lower downtime.
85

71 Push and enforce model
SGACL policy CoA (Change of Authorisation) pushes a policy change from ISE to the appropriate devices across the campus network and WAN. Currently supported on IOS switches / wireless controllers and NX-OS 7.2 and later.
86

72 TrustSec for PCI scope reduction
Store ABC: Floor 1 SW and Floor 2 SW connect over the backbone to the data centre, where the DC firewall (ASA firewall policy) separates the common servers from the PCI DB. ISE performs access privilege authorisation with a security group:
Employee workstation: OS Type: Windows 8, User: John, AD Group: Floor Staff, Device Group: Nurse Workstation, Security Group = Employee
POS: OS Type: Windows 7 Embedded, User: George, AD Group: Point-of-Sales Admin, Device Group: POS, Security Group = PCI Device
PCI scope: the POS (PCI Device) and the PCI DB.
87

73 Verizon certifies TrustSec for PCI segmentation 88

74 Key Takeaways (WHEN to do TrustSec? NOW!)
Agenda: Network Segmentation, Deploying TrustSec, Key Take-aways, Start TrustSec, Deep-dive Use-cases & Scenarios
89

75 Tom's Segmentation Challenge: Tom is happy with Cisco TrustSec
(Background graphic: a long, randomly generated access-list 102 of permit/deny ACEs, illustrating IP-based ACL sprawl.)
Tom manages the network for ABC Corp.
SGACL matrix (source rows; destination columns PCI | Web | Employee | Contractor):
  Cisco Employee   : Deny All | Permit All | Anti-Malware-ACL | Jabber Access
  Cisco Contractor : Deny All | Permit All | Jabber Access    | Permit All
  BYOD             : Deny All | Permit All | Anti-Malware-ACL | Permit All
Campus: complex IP-based policies need updates as the topology changes; simple tag-based policies and policy automation lead to fewer updates.
Branch: Employees, Contractors, Vendors, Guests, PCI Devices; VLANs become SGTs. TrustSec decouples segmentation from topology and extends segments over Layer 3 boundaries.
Various segmentation needs (Line of Business, Compliance, BYOD): TrustSec segmentation.
IPv6: retain policies as the network transitions to IPv6. Remember, TrustSec is about tags, not IP! (Badge: I TrustSec)
90

76 Gartner on TrustSec
"... logical source and destination security groups are more flexible, are easier to maintain and reduce runtime overhead in the network's switching fabric."
"There is much to like about Cisco's ambitious and innovative initiative."
"Cisco has made great strides in integrating support for the TrustSec framework across its product lines."
Flexibility to segregate resources without physical segmentation or managing VLANs. Reduction in ACL maintenance, complexity and overhead.

77 Make a Choice!
About 100 years after a crank was required to start a car, modern batteries can now start many cars using just a button. (Images: caranddriver.com, bcarwallpapers.com.) Traditional segmentation methods vs. segmenting using TrustSec. Visit and know more:
92

78 Q & A

79 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site Visit any Cisco Live Internet Station located throughout the venue T-Shirts can be collected Friday 11 March at Registration Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

80 Thank you

81


Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV. 2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-208

More information

S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security

S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security S.No. CCIE Security Written Exam Topics v4.0 Part I Infrastructure, Connectivity, Communications, Network Security 1 Network Addressing Basics 2 OSI Layers 3 TCP/UDP/IP Protocols 4 LAN Switching (e.g.

More information

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview

More information

Sharing IPsec with Tunnel Protection

Sharing IPsec with Tunnel Protection The feature allows sharing an IPsec security association database (SADB) between two or more generic routing encapsulation (GRE) tunnel interfaces when tunnel protection is used. Shared tunnel interfaces

More information

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015 Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015 What Could It Cost You? Average of $0.58 a record According to the Verizon

More information

Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3

Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3 Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3 Last Updated: November, 2013 Introduction This guide is designed to help you deploy and monitor new features introduced in the IOS

More information

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer Cisco.Network.Intuitive FastLane IT Forum Andreas Korn Systems Engineer 12.10.2017 Ziele dieser Session New Era of Networking - Was ist darunter zu verstehen? Software Defined Access Wie revolutioniert

More information

Cisco Nexus Data Broker

Cisco Nexus Data Broker Data Sheet Cisco Nexus Data Broker Product Overview You used to monitor traffic mainly to manage network operations. Today, when you monitor traffic you can find out instantly what is happening throughout

More information

Cisco SD-Access Building the Routed Underlay

Cisco SD-Access Building the Routed Underlay Cisco SD-Access Building the Routed Underlay Rahul Kachalia Sr. Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

Sample Business Ready Branch Configuration Listings

Sample Business Ready Branch Configuration Listings APPENDIX A Sample Business Ready Branch Configuration Listings The following is a sample configuration of a Business Ready Branch. There are many permutations of feature combinations when setting up the

More information

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801 DNA Campus Fabric How to Migrate The Existing Network Kedar Karmarkar - Technical Leader Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching

More information

Cisco TrustSec How-To Guide: Phased Deployment Overview

Cisco TrustSec How-To Guide: Phased Deployment Overview Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2

More information

Configuring Hybrid REAP

Configuring Hybrid REAP 13 CHAPTER This chapter describes hybrid REAP and explains how to configure this feature on controllers and access points. It contains the following sections: Information About Hybrid REAP, page 13-1,

More information

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network

Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network Deployment Guide Deployment of Cisco IP Mobility Solution on Enterprise Class Teleworker Network The Cisco Service Oriented Network Architecture (SONA) framework helps enterprise customers evolve their

More information

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo Vendor: Cisco Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access Solutions Version: Demo QUESTION 1 By default, how many days does Cisco ISE wait before it purges the expired guest accounts?

More information

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Cache Services Using the Web Cache Communication Protocol Configuring Cache Services Using the Web Cache Communication Protocol Finding Feature Information, page 1 Prerequisites for WCCP, page 1 Restrictions for WCCP, page 2 Information About WCCP, page 3 How

More information