Securing Your Network Simply with TrustSec


2 Securing Your Network Simply with TrustSec. Brandon Johnson, Systems Engineer. #clmel

3 Agenda: Introduction; TrustSec; SGTs; How difficult?; Is this for you?; Examples; Conclusion.

4 Modern Architecture

5 Network Architecture. Started with data, or basic connectivity. Scaled via VLANs. Then voice, or converged networks. Next: wireless.

6 Network Architecture. New requirements, new stuff: BYOD, guest wireless. Must have security!!! Re-work: additional VLANs, new IP addressing, FW change management, etc. Demands increase: just like demand for location/space in real estate, we have more demand on networks. We want it all, and we want it now.

7 Security and Segmentation. How do we do segmentation today? VLANs, MPLS, GRE, IPv4 (v6). VLANs are for broadcast domains; IP addresses are statically assigned (very manual; doesn't scale). A central model makes dirty access networks that are easy to break: ACL explosion, a nightmare to manage. Need line rate! Scale of complexity (figure): None, VLANs, SGTs, GRE, EVN, MPLS.

8 Who Should Care About TrustSec. Network operators: simplify configuration, understand how it works. Network admins/architects: provides the next big thing for architecture, a new tool in the toolbox. Security officers: the network can now enforce; it's the only thing left that we can control. CIOs and CxO level: can I protect myself and the company?

9 TrustSec

10 Why TrustSec. Designed/engineered to map business policies to network devices. Segmentation independent of VLANs and IP addressing. Segmentation at scale. It's just simple and easier to understand.

11 It Starts with Policy. Policy matrix (source rows vs. destination columns), with the same groups on both axes: Guest, Employee BYOD, Employee Managed, Internet, Internal Server. DEFAULT: PERMIT ALL.

12 Security Focused Policy. Same matrix (Guest, Employee BYOD, Employee Managed, Internet, Internal Server as both source and destination). DEFAULT: DENY ALL (or can be set to PERMIT ALL).

13 What is Cisco TrustSec (CTS)? An architecture based on marking, classifying, propagating and enforcing traffic with SGTs: Security Group Tags (SGTs), Security Group Access Control Lists (SGACLs) and the SGT eXchange Protocol (SXP). The Security Group Tag is a Cisco innovation (submitted to the IETF). Lots of ways to use it.

14 TrustSec Security Group Tagging. Desired policy: who can talk to whom; who can access protected assets; how systems can talk to other systems. Benefits: simplified access management, accelerated security operations, consistent policy. Flexible and scalable policy enforcement at the switch, router, DC FW and DC switch (figure).

15 Tagging Operation. Security Group Tag: a unique 16-bit (64K) tag assigned to a unique role; tag = privilege of the source user, device, or entity. Traffic is tagged at ingress of the TrustSec domain and filtered at egress of the TrustSec domain by an SGACL. SGACL: no IP address required in the ACE (the IP address is bound to the SGT); the policy (ACL) is distributed from a central server. Provides topology-independent policy, flexible and scalable policy based on user role, and centralised policy management for dynamic policy provisioning.

16 Policy: Who, What, Where, When and How (figure). 1. Identity: IEEE 802.1X/EAP user authentication against Cisco ISE. 2. Profiling to identify the device (HTTP, NetFlow, SNMP, DNS, RADIUS, DHCP, NMAP). 3. Posture of the device. 4. Policy decision: company asset gets corporate resources; personal asset gets Internet only (context shown: HQ, 2:38 p.m.). 5. Enforce policy in the network (Wireless LAN Controller). 6. Full or partial access granted. Unified Access Management.

17 TrustSec Classification Options. User/device SGT assignments (wired, wireless; RA VPN soon) by ISE via profiling, 802.1X, Web Auth and MAB. Data centre server classifiers: IP-SGT (NX-OS/UCS Director/hypervisors), VLAN-SGT, Port-SGT, port profile. Business partners & 3rd-party connections (IOS/routing): Subnet-SGT, VLAN-SGT, prefix learning (L3IF-SGT). RA-VPN SGT: future.

18 How an SGT is Assigned (figure: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, DC Dist., DC Access; WLC, FW, Hypervisor SW). End user/endpoint is classified with an SGT; BYOD device is classified with an SGT; SVI interface is mapped to an SGT; VLAN is mapped to an SGT; physical server is mapped to an SGT; virtual machine is mapped to an SGT.

19 Classification Summary. Dynamic classification: 802.1X authentication, MAC Auth Bypass, Web Authentication (common classification for mobile devices). Static classification: IP address, VLANs, subnets, L2 interface, L3 interface, virtual port profile, Layer 2 port lookup (common classification for servers, topology-based policy, etc.).

20 SGT Assignment: Access Layer Classification
   Method                                   | Cat2960-S | Cat3750X | Cat3850/5760 | Cat4K S7 | Cat6x00 | ISR | WLC | Notes
   Dynamic: 802.1X                          | X         | X        | X            | X        | X       | X   | X   |
   Dynamic: MAB                             | X         | X        | X            | X        | X       | X   | X   |
   Dynamic: Web Auth                        | X         | X        | X            | X        | X       | X   | X   |
   Static: VLAN/SGT                         | -         | X*       | X            | X        | X*      | -   | -   |
   Static: Subnet/SGT                       | -         | -        | X            | X        | X       | -   | -   | Via Sup2T
   Static: Layer 3 Identity to Port Mapping | X - - (remaining cells not legible)                            | Based on routes learned from port via dynamic routing
   * limits on the number of VLANs per platform

21 ISE Dynamic SGT Assignments

22 Dynamic Classification Process in Detail (figure: supplicant 00:00:00:AB:CD:EF, switch/WLC, ISE).
   1. Layer 2: EAPoL transaction between supplicant and switch; EAP transaction carried in a RADIUS transaction to ISE. ISE performs authentication and policy evaluation; the authorisation returns cisco-av-pair=cts:security-group-tag= (value not transcribed). Result: Authorised MAC 00:00:00:AB:CD:EF, SGT = 5.
   2. Layer 3: DHCP lease (/24), ARP probe; IP Device Tracking learns the address: SRC: = SGT 5.
   3. SGT binding: 00:00:00:AB:CD:EF = /24.
   Make sure that IP Device Tracking is TURNED ON.
   3560X#show cts role-based sgt-map all details
   Active IP-SGT Bindings Information
   IP Address     Security Group     Source
   =============================================
                  :SGA_Device        INTERNAL
                  :Employee          LOCAL

23 Static Classification IOS CLI Example
   IP to SGT mapping:         cts role-based sgt-map A.B.C.D sgt SGT_Value
   VLAN to SGT mapping*:      cts role-based sgt-map vlan-list VLAN sgt SGT_Value
   Subnet to SGT mapping:     cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
   L2IF to SGT mapping*:      (config-if-cts-manual)#policy static sgt SGT_Value
   L3IF to SGT mapping**:     cts role-based sgt-map interface name sgt SGT_Value
   L3 ID to Port Mapping**:   (config-if-cts-manual)#policy dynamic identity name
   * relies on IP Device Tracking
   ** relies on route prefix snooping

24 Layer 3 Interface to SGT Mapping (L3IF-SGT): Sup2T 15.0(1)SY. Route prefix monitoring on a specific Layer 3 port, mapping to an SGT. Can apply to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface.
   cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
   cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9
   Figure: joint ventures send route updates (/24) on g3/0/1; business partners send route updates (/24, /24) on g3/0/2; EOR, DC access, hypervisor SW behind the VSS.
   VSS-1#show cts role-based sgt-map all
   Active IP-SGT Bindings Information
   IP Address     SGT     Source
   ========================================
                          INTERNAL
                          INTERNAL
                          INTERNAL
   /24            8       L3IF
   /24            9       L3IF
   /24            9       L3IF

25 Nexus 1000V 2.1 SGT Assignment. A port profile is a container of network properties applied to different interfaces. The server admin may assign port profiles to new VMs; VMs inherit the network properties of the port profile, including the SGT. The SGT stays with the VM even if it is moved.

26 Nexus 1000V 2.1 SGT Assignment: port profiles assigned to VMs (screenshot).

27 SGT Propagation

28 Propagation Option 1: Inline Tagging. The SGT is embedded within Cisco Meta Data (CMD) in the Layer 2 frame. Capable switches understand and process the SGT at line rate. Optional MACsec (IEEE 802.1AE) protection (AES-GCM 128-bit encryption). No impact to QoS or IP MTU/fragmentation. L2 frame impact: ~40 bytes. The 16-bit field gives a ~64,000 tag space. Incapable devices will drop frames with the unknown EtherType.
   Ethernet frame: Destination MAC | Source MAC | 802.1Q | CMD (ETHTYPE 0x8909) | ETHTYPE | PAYLOAD | CRC
   Cisco Meta Data: CMD EtherType | Version | Length | SGT Option Type | SGT Value | Other CMD Option
   MACsec frame: Destination MAC | Source MAC | 802.1AE Header (ETHTYPE 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE Header | CRC
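As an added example (not code from the deck or from Cisco), the following Python builds and parses the tagged frame layout drawn above, and shows why a non-TrustSec device drops it: after the 802.1Q tag it sees EtherType 0x8909, which it does not know. The EtherTypes are from the slide; the CMD field widths (version 1 byte, length 1 byte, SGT option type 2 bytes, SGT value 2 bytes), the option code 0x0001 and the sample MACs/payload are assumptions and constructed data.

```python
import struct

# EtherTypes as on the slide. Field widths and option code below are assumptions
# for this example; verify them against a capture from your own TrustSec domain.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_CMD = 0x8909     # Cisco Meta Data: carries the SGT inline
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE: everything after the SecTAG is ciphertext
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1
CMD_LENGTH = 1             # assumed Length value for an SGT-only CMD header
CMD_SGT_OPTION = 0x0001    # assumed option-type code for the SGT option

# EtherTypes a hypothetical legacy (non-SGT-capable) switch knows how to forward.
LEGACY_KNOWN_ETHERTYPES = {0x0800, 0x0806, 0x86DD, 0x8100}


def build_cmd_frame(dmac, smac, vlan, sgt, inner_ethertype, payload):
    """DMAC | SMAC | 802.1Q | CMD | ETHTYPE | PAYLOAD (CRC omitted), as drawn on the slide."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    cmd = struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, CMD_LENGTH, CMD_SGT_OPTION, sgt)
    return dmac + smac + tag + cmd + struct.pack("!H", inner_ethertype) + payload


def build_plain_frame(dmac, smac, vlan, inner_ethertype, payload):
    """The same frame without CMD, as a device outside the TrustSec domain would send it."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return dmac + smac + tag + struct.pack("!H", inner_ethertype) + payload


def parse_frame(frame):
    """Walk the L2 headers; return vlan, sgt (None if absent), inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if etype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack_from("!H", frame, off)
        vlan = tci & 0x0FFF
        (etype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if etype == ETHERTYPE_MACSEC:
        # The SecTAG sits right after the source MAC; the CMD and SGT are encrypted,
        # so a passive observer without the MACsec keys cannot read the tag.
        return {"vlan": vlan, "sgt": None, "ethertype": etype, "macsec": True, "payload": b""}
    sgt = None
    if etype == ETHERTYPE_CMD:
        version, _length, option, value = struct.unpack_from("!BBHH", frame, off)
        if version != CMD_VERSION or option != CMD_SGT_OPTION:
            raise ValueError("unsupported CMD header")
        sgt = value
        off += 6
        (etype,) = struct.unpack_from("!H", frame, off)  # the real payload EtherType
        off += 2
    return {"vlan": vlan, "sgt": sgt, "ethertype": etype, "macsec": False, "payload": frame[off:]}


def legacy_switch_action(frame):
    """What an SGT-incapable device does: 0x8909 after the VLAN tag is an unknown EtherType."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETHERTYPE_8021Q:
        (etype,) = struct.unpack_from("!H", frame, 16)
    return "forward" if etype in LEGACY_KNOWN_ETHERTYPES else "drop"


# Constructed sample frames (MACs and payload are placeholders, not captured traffic).
DMAC = bytes.fromhex("001122334455")
SMAC = bytes.fromhex("00000000abcd")
SAMPLE_PAYLOAD = bytes.fromhex("45000014") + bytes(16)   # minimal IPv4-looking bytes
SAMPLE_TAGGED = build_cmd_frame(DMAC, SMAC, 100, 5, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
SAMPLE_PLAIN = build_plain_frame(DMAC, SMAC, 100, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
SAMPLE_MACSEC = DMAC + SMAC + struct.pack("!H", ETHERTYPE_MACSEC) + bytes(24)  # opaque SecTAG+ciphertext

if __name__ == "__main__":
    print(parse_frame(SAMPLE_TAGGED))
    print("legacy switch:", legacy_switch_action(SAMPLE_TAGGED), "/", legacy_switch_action(SAMPLE_PLAIN))
    print("bytes added by CMD:", len(SAMPLE_TAGGED) - len(SAMPLE_PLAIN))
```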

29 Configure Links for SGT Tagging: CTS manual, no encryption.
   interface TenGigabitEthernet1/5
    cts manual
     policy static sgt 2 trusted
   C6K2T-CORE-1#sho cts interface brief
   Global Dot1x feature is Enabled
   Interface GigabitEthernet1/1:
     CTS is enabled, mode: MANUAL
     IFC state: OPEN
     Authentication Status: NOT APPLICABLE
       Peer identity: "unknown"
       Peer's advertised capabilities: ""
     Authorization Status: SUCCEEDED
       Peer SGT: 2:device_sgt
       Peer SGT assignment: Trusted
     SAP Status: NOT APPLICABLE
     Propagate SGT: Enabled
     Cache Info:
       Expiration : N/A
       Cache applied to link : NONE
     L3 IPM: disabled.
   Always shut and no shut the interface after any cts manual or cts dot1x change.
   2015 Cisco and/or its affiliates. All rights reserved.

30 Propagation Option 2: SGT eXchange Protocol (SXP). A control plane protocol that conveys the IP-SGT map of authenticated hosts to enforcement points. SXP uses TCP as the transport layer. Accelerates deployment of SGTs. Supports single hop and multi-hop (aggregation). Two roles: Speaker (initiator) and Listener (receiver). Figure: Speaker SW, Listener SW (aggregation), RT.

31 Propagation Option 2: SGT eXchange Protocol (SXP). SXP accelerates deployment of SGTs. Allows classification at the access edge without a hardware upgrade. Allows communication from the access edge to the enforcement device. SXP is also used to traverse networks/devices without SGT capabilities. Uses TCP as the transport protocol, with a TCP port for connection initiation. Uses MD5 for authentication and integrity check. Two roles: Speaker (initiator) and Listener (receiver).

32 SXP Informational Draft. SXP is now published as an Informational Draft to the IETF, based on customer requests. The draft is called Source-Group Tag eXchange Protocol because of likely uses beyond security. It specifies v4 functionality with backwards compatibility to v2.

33 SXP Connection Types. Single-hop: Speaker (SXP-enabled switch/WLC in a non-TrustSec domain) to Listener (SGT-capable HW). Multi-hop: Speaker (SXP-enabled SW/WLC) to a Listener that is also a Speaker (SXP-enabled SW) to Listener (SGT-capable HW).

34 SXP IOS Configuration
   3750:
   cts sxp enable
   cts sxp connection peer source password default mode local
   ! Peering to Cat6K
   C3750#show cts role-based sgt-map all details
   Active IP-SGT Bindings Information
   IP Address     Security Group     Source
   ======================================================================
                  :device_sgt        INTERNAL
                  :EMPLOYEE_FULL     LOCAL
   6K:
   cts sxp enable
   cts sxp default password cisco123
   !
   cts sxp connection peer source password default mode local listener hold-time 0 0
   ! ^^ Peering to Cat3K
   cts sxp connection peer source password default mode local listener hold-time 0 0
   ! ^^ Peering to WLC
   C6K2T-CORE-1#show cts sxp connections brief
   SXP : Enabled
   Highest Version Supported: 4
   Default Password : Set
   Default Source IP: Not Set
   Connection retry open period: 120 secs
   Reconcile period: 120 secs
   Retry open timer is not running
   Peer_IP     Source_IP     Conn Status     Duration
                             On              11:28:14:59 (dd:hr:mm:sec)
                             On              22:56:04:33 (dd:hr:mm:sec)
   Total num of Connections = 2
   C6K2T-CORE-1#show cts role-based sgt-map all details
   Active IP-SGT Bindings Information
   IP Address     Security Group     Source
   ======================================================================
                  :PCI_Servers       CLI
                  :Device_sgt        INTERNAL
   --- snip
                  :GUEST
                  :EMPLOYEE_FULL

35 WLC Configuration (screenshot).

36 Inline Tagging vs. SXP Tag Propagation. Inline SGT tagging: the CMD field carries the SGT in the L2 Ethernet frame, processed in ASICs, optionally encrypted; use it if the device supports SGT in ASICs. SXP: use it if there are devices that are not SGT-capable; the local IP-SGT binding table (IP Address to SGT) is sent over SXP. Figure: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, EOR, DC Access, Hypervisor SW, WLC, FW.

37 Policy Enforcement

38 Policy Enforcement - Security Group ACL (SGACL). Mary authenticates and is classified as Marketing (5) at the Cat3750X; her traffic carries SRC SGT 5 across the Cat6500s and Nexus 7000 (enterprise backbone) to the Nexus 5500/2248 access layer. Destination classification: Web_Dir: SGT 20, CRM: SGT 30. At the egress switch a FIB lookup gives the destination MAC/port and destination SGT 20, and the SGACL for that pair is applied. Also in the figure: WLC5508, ASA5585.
   SRC \ DST       | Web_Dir (20) | CRM (30)
   Marketing (5)   | SGACL-A      | SGACL-B
   BYOD (7)        | Deny         | Deny

39 Centralised SGACL Policy Management in ISE (screenshot). Portal_ACL:
   permit tcp dst eq 443
   permit tcp dst eq 80
   permit tcp dst eq 22
   permit tcp dst eq 3389
   permit tcp dst eq 135
   permit tcp dst eq 136
   permit tcp dst eq 137
   permit tcp dst eq 138
   permit tcp dst eq 139
   deny ip

40 SGACL Egress Policy Enforcement. Extended ACL syntax, without IP addresses. Avoids TCAM impact; can be IPv6 agnostic*. Can be applied anywhere (no IP dependency). Switches that classify servers only download the SGACLs they need from ISE. No device-specific ACL configs. Figure: sources SGT=3, SGT=4 and SGT=5 reach Prod_Servers (SGT=7) and Dev_Servers (SGT=10) through the SGACL enforcement point, where Portal_ACL (the same ACEs as on slide 39: permit tcp dst eq 443, 80, 22, 3389, 135, 136, 137, 138, 139; deny ip) is applied. * Currently only Cat6k Sup2T supports IPv6 SGACL.

41 Typical SGACL Deployment Approach: egress enforcement with Security Group ACLs. Users and endpoints authenticate in monitor mode on Catalyst switches/WLC (3K/4K/6K) in the campus network:
   authentication port-control auto
   authentication open
   dot1x pae authenticator
   AUTH=OK, SGT = PCI User (10). Destinations in the data centre (N7K): PCI Server (111), Development Server (222), Production Server.
   SRC \ DST       | PCI Server (111) | Dev Server (222)
   Dev User (8)    | Deny all         | Permit all
   PCI User (10)   | Permit all       | Permit all
   Unknown (0)     | Deny all         | Deny all
   1. The user connects to the network; monitor mode allows traffic from before authentication. 2. Authentication is performed and the results are logged by ISE. 3. Traffic traverses to the data centre and hits the SGACL at the egress enforcement point. 4. SGACLs may be enabled gradually on a destination-SGT basis.
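As an added example (not code from the deck or from Cisco), this Python simulator shows the egress SGACL enforcement that slides 38 to 41 describe: each address is classified by a longest-prefix lookup over an IP-SGT binding table, the (source SGT, destination SGT) cell of the matrix selects an SGACL, and the ACEs are matched in the address-free syntax of slide 39; an `enforced_dgts` set models switching enforcement on one destination SGT at a time (step 4). All addresses, SGT numbers, SGACL names and flows are constructed, and a flow that matches no ACE is treated as denied (an assumption; the deck's SGACLs always end with an explicit catch-all).

```python
import ipaddress

# Constructed IP-to-SGT bindings (host /32 and subnet entries, as ISE or the CLI would install them).
BINDINGS = {
    "10.1.10.0/24": 10,     # PCI Users
    "10.1.20.0/24": 8,      # Dev Users
    "10.200.1.5/32": 111,   # PCI Server
    "10.200.2.0/24": 222,   # Dev Servers
}
SGT_NAMES = {0: "Unknown", 8: "Dev User", 10: "PCI User", 111: "PCI Server", 222: "Dev Server"}

# SGACLs in the extended-ACL-without-addresses syntax of slide 39 (names are constructed).
SGACLS = {
    "Portal_ACL": ["permit tcp dst eq 443", "permit tcp dst eq 80", "permit tcp dst eq 22",
                   "permit tcp dst range 137 139", "deny ip"],
    "Permit_IP": ["permit ip"],
    "Deny_IP": ["deny ip"],
}

# Egress policy matrix (source SGT, destination SGT) -> SGACL, following slide 41. The
# PCI User -> PCI Server cell uses Portal_ACL instead of "Permit all" to exercise ACE matching.
MATRIX = {
    (8, 111): "Deny_IP",     (8, 222): "Permit_IP",
    (10, 111): "Portal_ACL", (10, 222): "Permit_IP",
    (0, 111): "Deny_IP",     (0, 222): "Deny_IP",
}
DEFAULT_SGACL = "Permit_IP"   # "Role-based permissions default: Permit IP", as on slide 44


def lookup_sgt(ip):
    """Classify an address with a longest-prefix match over the binding table; 0 = Unknown."""
    addr = ipaddress.ip_address(ip)
    best_net, best_sgt = None, 0
    for prefix, sgt in BINDINGS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_sgt = net, sgt
    return best_sgt


def ace_matches(ace, proto, dport):
    """Return the ACE's action if it matches the flow, else None.
    Supports ip/tcp/udp, 'dst eq <port>', 'dst range <lo> <hi>' and an ignored trailing 'log'."""
    tokens = ace.split()
    action, ace_proto = tokens[0], tokens[1]
    if ace_proto != "ip" and ace_proto != proto:
        return None
    if "eq" in tokens:
        if dport != int(tokens[tokens.index("eq") + 1]):
            return None
    elif "range" in tokens:
        i = tokens.index("range")
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        if not lo <= dport <= hi:
            return None
    return action


def evaluate(src_ip, dst_ip, proto, dport, enforced_dgts=None):
    """Simulate egress SGACL enforcement for one flow.
    enforced_dgts: destination SGTs on which enforcement has been switched on (slide 41, step 4);
    None means every destination is enforced. Flows to unenforced DGTs are permitted but the
    verdict they would get is reported in 'would_be' so the policy can be validated first."""
    src_sgt, dst_sgt = lookup_sgt(src_ip), lookup_sgt(dst_ip)
    sgacl = MATRIX.get((src_sgt, dst_sgt), DEFAULT_SGACL)
    verdict = None
    for ace in SGACLS[sgacl]:          # first matching ACE wins, as in an ACL
        verdict = ace_matches(ace, proto, dport)
        if verdict:
            break
    if verdict is None:
        verdict = "deny"               # assumption: no ACE matched (see lead-in)
    enforced = enforced_dgts is None or dst_sgt in enforced_dgts
    return {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "sgacl": sgacl,
            "verdict": verdict if enforced else "permit",
            "would_be": verdict, "enforced": enforced}


def audit(flows, enforced_dgts=None):
    """Run (src_ip, dst_ip, proto, dport) flows and return those that are, or would be, denied."""
    findings = []
    for src_ip, dst_ip, proto, dport in flows:
        r = evaluate(src_ip, dst_ip, proto, dport, enforced_dgts)
        if r["would_be"] == "deny":
            findings.append((src_ip, dst_ip, SGT_NAMES.get(r["src_sgt"], "?"),
                             SGT_NAMES.get(r["dst_sgt"], "?"), r["sgacl"], r["enforced"]))
    return findings


# Constructed flows, e.g. as extracted from NetFlow records during the monitor-mode phase.
SAMPLE_FLOWS = [
    ("10.1.10.3", "10.200.1.5", "tcp", 443),    # PCI user to PCI server portal: permitted
    ("10.1.20.7", "10.200.1.5", "tcp", 22),     # Dev user to PCI server: denied
    ("192.168.9.9", "10.200.2.9", "tcp", 80),   # Unknown source to Dev server: would be denied
    ("10.1.10.3", "10.200.1.5", "tcp", 3306),   # PCI user, port not in Portal_ACL: denied
    ("10.1.20.7", "10.200.2.9", "udp", 53),     # Dev user to Dev server: permitted
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, enforced_dgts={111}):   # PCI Server enforced first
        print(finding)
```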

42 Environment Data
   TS2-6K-DIST#show cts environment-data
   CTS Environment Data
   ====================
   Current state = COMPLETE
   Last status = Successful
   Local Device SGT:
     SGT tag = 2-00
   Server List Info:
   Installed list: CTSServerList1-0004, 3 server(s):
    *Server: , port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
             Status = ALIVE
             auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
    *Server: , port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
             Status = ALIVE
             auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
    *Server: , port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
             Status = ALIVE
             auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
   Multicast Group SGT Table:
   Security Group Name Table:
     : 2-98 : 80 -> Device_SGT
     unicast-unknown-98 : 80 -> Unknown
     Any : 80 -> ANY
   Transport type = CTS_TRANSPORT_IP_UDP
   Environment Data Lifetime = secs
   Last update time = 20:56:48 UTC Mon Sep
   Env-data expires in 0:23:59:59 (dd:hr:mm:sec)
   Env-data refreshes in 0:23:59:59 (dd:hr:mm:sec)
   Cache data applied = NONE
   State Machine is running

43 Activating SGACL Enforcement on an IOS switch. After setting up SGT/SGACL on ISE, you can now enable SGACL enforcement on the IOS switch.
   Defining IP to SGT mapping for servers:
   Switch(config)#cts role-based sgt-map sgt 5
   Switch(config)#cts role-based sgt-map sgt 6
   Switch(config)#cts role-based sgt-map sgt 7
   Enabling SGACL enforcement globally and for a VLAN:
   Switch(config)#cts role-based enforcement
   Switch(config)#cts role-based enforcement vlan-list 40
   Distribution 6K Sup2T: enabling the ingress reflector to support SGACL on legacy linecards (if there are any). Enabling the reflector requires the system to reboot.
   Switch(config)#platform cts ingress
   CTS Ingress reflector will be active only on next system reboot.
   Please reboot the system for CTS Ingress reflector to be active.

44 Downloading SGACL Policy on an IOS Switch. Verify the SGACL content; the SGACL mapping policy should match the one on ISE.
   TS2-6K-DIST#show cts role-based permissions
   IPv4 Role-based permissions default:
           Permit IP-00
   IPv4 Role-based permissions from group 3 to group 5:
           Deny IP-00
   IPv4 Role-based permissions from group 4 to group 5:
           ALLOW_HTTP_HTTPS-20
   IPv4 Role-based permissions from group 3 to group 6:
           ALLOW_HTTP_SQL-10
           Permit IP-00
   IPv4 Role-based permissions from group 4 to group 6:
           Deny IP-00
   IPv4 Role-based permissions from group 3 to group 7:
           Deny IP-00
   IPv4 Role-based permissions from group 4 to group 7:
           Permit IP-00

45 Policy Enforcement on Firewalls: ASA SG-FW. Security group definitions come from ISE. Switches inform the ASA of security group membership. Other services can be triggered by SGT. Rules can still use a network object (host, range, network (subnet), or FQDN) AND/OR the SGT.

46 SG-FW Simplifying ASA Rules and Operations
   Source IP | Source SGT   | Destination IP | Destination SGT  | Port | Action
   Any       | Web Server   |                | PCI Servers      | SQL  | Allow
   Any       | Audit users  |                | PCI Servers      | TCP  | Allow
   Any       | Developers   | Any            | Dev VDI Systems  | Any  | Deny
   Policies can use security groups for user roles and server roles. Moves and changes do not require IP-address rule changes. New servers/users just require group membership to be established. Rule-base reduction with groups instead of IP addresses can be significant. Common classification method for campus and data centre. Simplified auditing for compliance purposes.

47 Using SG-FW and SGACL Enforcement Together. ISE pushes SGACL policies to the switches and the SGT name download (SGT 10 = PCI_User, SGT 100 = PCI_Svr) to CSM/ASDM for the ASA policies; the campus network supplies IP Address to SGT bindings. Consistent classification/enforcement between firewalls and switching. SGT names will be synchronised between ISE and ASDM. SGACL and SG-FW policies need to be synced via policy administration. SG-FW on the ASA, SGACL on the switches; PCI (10) users reach the data centre.

48 Logging TrustSec Policy Enforcement (same figure as slide 47). SG-FW gives richer logging, e.g. URL logging. Switch logging is best effort via syslog (e.g. N7000) or NetFlow (C6500 Sup2T). SGACL counters vary per switch platform: per SGT/DGT on Nexus 7000 and Cat6500 Sup2T; per platform on Nexus 5500.

49 TrustSec Platform Support
   Classification: Catalyst 2960S/C/Plus/X/XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; NEW Catalyst 3850, 3650, WLC 5760; Catalyst 4500E (Sup6E/7E); Catalyst 6500E (Sup720/2T); Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v; ISR G2, CGR2000; IE2000/3000, CGS2000.
   Propagation (inline SGT and/or SXP): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850, 3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T); WLC 2500, 5500, WiSM2; WLC 5760; Nexus 1000v; NEW Nexus 5500/22xx FEX; Nexus 7000/22xx FEX; NEW ISRG2*, CGR2000 (GETVPN, IPsec); ASR1000 (GETVPN, IPsec); ASA5500 (VPN RAS) Beta.
   Enforcement: SGACL on Catalyst 3560-X, Catalyst 3750-X, Catalyst 3850, 3650, WLC 5760, Catalyst 4500E (7E), Catalyst 6500E (2T), Nexus 7000, Nexus 5500; SGFW on NEW ISR G2, CGR2000, NEW ASR 1000 Router, ASA5500 Firewall, ASASM.
   * Inline SGT on all ISRG2 except the 800 series.

50 Where Can I Get Started

51 Getting Started: it's a journey. Start with understanding that SGTs exist (this session). Start with understanding the existing network and what may be easy targets. Develop your policy! Proof of concepts (PoC): talk to your SE. Use the use-cases for reference. Look at monitor mode with SGT. Look to have infrastructure with SGT ACL support.

52 Possibilities. Existing wireless networks with Guest: create a guest policy on the wireless controller; ASA with SGT rules; provides SGT-differentiated WiFi. BYOD: create a policy on the wireless controller; ASA with SGT rules; rules that allow BYOD devices to reach only certain servers. Monitor mode with SGT: create the policy; implement ISE and AD groups; ASA with SGT rules on wired with monitor mode; provides scalable differentiated employee access to sensitive information. Apply SGT rules on the ASA to provide protection to servers; provides a scalable rule-set that is easy to understand and audit.

53 How to Implement TrustSec. Starts with the policy. Can start small and expand out; you do not have to boil the ocean. Deploy ISE for central policy. Implement classification/marking at access (wired and wireless). Implement SXP for propagation to enforcement devices (ASA, switches with SGACL support) and for extending over Layer 3 boundaries. Implement enforcement. Check out IBNS 2.0 for policy.

54 Use Cases

55 TrustSec Security Group Tagging (repeat of slide 14). Desired policy: who can talk to whom; who can access protected assets; how systems can talk to other systems. Simplified access management, accelerated security operations, consistent policy. Flexible and scalable policy enforcement at the switch, router, DC FW and DC switch.

56 TrustSec Concept (figure: users and devices classified by ISE with a directory, SGT:5; Fin Servers SGT = 4; HR Servers SGT = 10; enforcement at switch, router, DC FW and DC switch via SGT propagation). Classification of systems/users based on context (user role, device, location, access method). The context-based classification propagates via an SGT. The SGT is used by firewalls, routers and switches to make intelligent forwarding or blocking decisions.

57 SGT Assignment - BYOD Example. ID & profiling data (NetFlow, DHCP, HTTP, DNS, RADIUS, OUI, NMAP, SNMP) from the AP / Wireless LAN Controller feeds ISE (Identity Services Engine) profiling. Classification result: device type Apple iPad; user Fay; group Tech Marketing; corporate asset: No; result: Personal Asset SGT. Security group policy: Company Asset gets DC resource access; Tech Marketing Personal Asset gets restricted Internet only. Distributed enforcement based on security group.

58 Traditional Segmentation. Steps replicated across floors, buildings and sites: ACL at the aggregation layer; VLAN; addressing; DHCP scope; redundancy; routing; static ACL at the access layer. Example VLANs: Quarantine, Voice, Data, Suppliers, Guest. Simple segmentation starts with 2 VLANs; more policies mean segmentation using more VLANs.

59 User to Data Centre Access Control with TrustSec SGT. Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers. Figure: the Main Building data VLAN and the Building 3 WLAN data VLAN both carry Employee, Supplier, Guest and Quarantine tags (plus Voice) through the campus core to the data centre firewall and data centre access layer.

60 Campus Segmentation with TrustSec SGT. Enforcement is based on the Security Group Tag and can control communication within the same VLAN. Figure: the Main Building data VLAN (100) and the Building 3 data VLAN (200) each contain Employee, Guest, Quarantine and Voice endpoints carrying Employee, Supplier, Guest and Quarantine tags; campus core, data centre firewall and data centre access layer.

61 Traditional OpEx in Security Policy Maintenance. Sources: NY, SF, LA, SJC (one or more /24 each). Destinations (production servers): DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI). Traditional ACL/FW rules:
   permit NY to SRV1 for HTTPS
   deny NY to SAP2 for SQL
   deny NY to SCM2 for SSH
   permit SF to SRV1 for HTTPS
   deny SF to SAP1 for SQL
   deny SF to SCM2 for SSH
   permit LA to SRV1 for HTTPS
   deny LA to SAP1 for SQL
   deny LA to SAP for SSH
   permit SJC to SRV1 for HTTPS
   deny SJC to SAP1 for SQL
   deny SJC to SCM2 for SSH
   (ACL for 3 source objects & 3 destination objects; adding a source object adds complexity and operational effort)
   permit NY to VDI for RDP
   deny SF to VDI for RDP
   deny LA to VDI for RDP
   deny SJC to VDI for RDP
   (adding a destination object)

62 Reduced OpEx in Policy Maintenance. Sources: Employee and BYOD users in NY, SF, LA, SJC; source SGTs Employee (10) and BYOD Users (200). Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI); destination SGTs Production_Servers (50) and VDI (201). Policy stays with users/servers regardless of location or topology. Security group filtering rules:
   Permit Employee to Production_Servers eq HTTPS
   Permit Employee to Production_Servers eq SQL
   Permit Employee to Production_Servers eq SSH
   Permit Employee to VDI eq RDP
   Deny BYOD to Production_Servers
   Deny BYOD to VDI eq RDP
   Simpler auditing process (low OpEx cost). Simpler security operation (resource optimisation). ROI from OpEx reduction.

63 Ease of Data Centre Provisioning. Manual: a new workload is provisioned; firewalls must be manually updated with the new IP address & permissions. Automated: the workload is provisioned with a security group attribute; TrustSec policies are applied to switches and firewalls; the firewall applies the correct security policy based on security group membership.

64 Use Cases: User to DC Access Control

65 User to Data Centre Access Control. Policy view (source rows vs. destination columns; Production Servers and Development Servers are the protected assets):
   Source \ Destination        | Production Servers | Development Servers | Internet Access
   Employee (managed asset)    | PERMIT             | DENY                | PERMIT
   Employee (Registered BYOD)  | PERMIT             | DENY                | PERMIT
   Employee (Unknown BYOD)     | DENY               | DENY                | PERMIT
   ENG VDI System              | DENY               | PERMIT              | PERMIT
   Logical view: users/devices are classified by ISE, the SGT propagates through switch, router, DC FW and DC switch, and enforcement takes place in front of the production and development servers.

66 User to DC Access Control: Unified Access/BYOD. Wired access (Catalyst 2960-S/-C/-Plus/-X/-XR; 3560-E/-C, 3750-E; 3560-X, 3750-X; 3850; 4500E (Sup6E); 4500E (7E), 4500X; 6500E (Sup720); 6500E (2T)) and wireless access (WLC 2500, 5500, WiSM2; WLAN/Unified Access: Catalyst 3850, WLC 5760) assign SGTs. Campus core switch: Catalyst 6500E (2T), Catalyst 4500 Sup7 (L3 cfg). SGACL enforcement at the DC firewall/DC core in front of DC distribution, DC virtual access (VM servers) and DC physical access (physical servers). Classify destination SGTs in the enforcement device using subnet-SGT mappings and IP-SGT mappings. Figure also shows WLC 5760 with SGT 7.

67 User to DC Access Control: DC Switch Enforcement. The same wired and wireless access platforms as on slide 66 classify users with SGTs; enforcement is on the DC switches. Classify servers with: Nexus 1000v port profile SGT mappings (VMs are associated with Nexus 1000V port profiles; the N1000v sends the SGT assignment to the N7000s); Nexus VLAN SGT mappings; IP-SGT for physical servers (IP mappings pushed from ISE to the N7000 switches); Nexus 5500/2000/FEX port SGT mappings for physical servers.

68 User to DC Access Control: SG-Firewall. The same wired and wireless access platforms classify users; SXP propagation to the ASA. Classify servers with IP firewall rule entries from Nexus 1000v/5500/7000: Nexus 1000v port profile SGT mappings; Nexus 7000 VLAN SGT mappings and IP-SGT mappings (can be from ISE); Nexus 5k/2k IP-SGT mappings (can be from ISE).

69 User to DC Access Control: Topology View. Site A: Cat6500, Cat3850, ISRG2. Site B: ISRG2. Site C: ASR1000, Cat4K Sup7. Encrypted WAN. Core campus: Cat6K-A, Cat6K-B, Cat3560-X. Data centre: ASA, N7K-A, N7K-B, N5500, N2K, N1Kv; Prod DB and Dev servers; ISE 1.2. Policy enforcement options are marked in the figure.

70 Use Cases: Data Centre Segmentation

71 Data Centre Segmentation (figure: SGT Production (6) to SGT Dev (10), SGACL deny). Segment servers into logical zones. Control access to logical DC entities based on role. Apply controls to physical and virtual systems (virtual servers, VDI, ...). Sample server groups: Production, Development, User Acceptance Test; export-controlled data; engineering vs. business servers; PCI compliance-critical.

72 Data Centre Segmentation. Policy view (source rows vs. destination columns; Production Servers, Development Servers and HR Database are the protected assets):
   Source \ Destination   | Production Servers | Development Servers | HR Database | Storage
   Production Servers     | PERMIT             | DENY                | DENY        | PERMIT
   Development Servers    | DENY               | PERMIT              | DENY        | PERMIT
   HR Database            | DENY               | DENY                | PERMIT      | PERMIT
   Storage                | PERMIT             | PERMIT              | PERMIT      | PERMIT
   Logical view: classification and enforcement via ISE, DC FW and DC switch with SGT propagation between the HR database and the development servers.

73 Server Classifications. Nexus 1000v port profile SGT mappings; Nexus 7000 VLAN SGT mappings; Nexus 7000 IP-SGT mappings; Nexus 5500 port-SGT assignments for inline tagging/SGACLs; Nexus 5500 IP-SGT mappings to send via SXP. Figure: enterprise backbone, DC firewall, DC core, DC distribution, virtual access (VM servers), physical access (physical servers).

74 Using SG-FW and SGACL Together in the DC. Risk Level 1: PCI_Users. Risk Level 2: PCI_Web, PCI_App, PCI_DB, LOB2_DB; policy from ISE. SGACLs on the switches enforce policy within each risk level; the ASA enforces policy between risk levels (with IP/SGT mappings supplied from the switch infrastructure).

75 Combining SGACL and SG-FW in the Data Centre. SGT provides common policy objects used throughout FW and ACL rules. Centralised SGACL definition & automation. SGT can be propagated to other DCs to further simplify policy. New SGACL batch programming (needs enabling) & fragmented SGACL downloads: N (6) N (2)N2. New SGT caching + 200k IP-SGT mappings in N (6). Figure: virtual access, physical servers, DC access layer, DC aggregation, DC service layer, data centre core; SGACL-enabled devices and SG-firewall-enabled devices.

76 SGT Caching. Possible 3rd-party devices for server load balancing (SLB), intrusion prevention services (IPS), etc. sit between the SGACL-enabled device and the physical servers. The SGACL-enabled device caches IP-SGT mappings from the data plane (IP Address to SGT 8, Employee) and can send IP-SGT mappings to the ASA via SXP. Figure: SGT-tagged traffic (SRC, DST, SGT: 8) at the DC access layer; untagged traffic towards the physical servers.

77 Use Cases: Campus and Branch Segmentation

78 Campus and Branch Segmentation. Policy view: sources LoB1 Production Users, LoB1 Developers, LoB2 Employees, Guest (*LoB = Line of Business); destinations the same user groups plus Internet Access and Protected Assets. Cells as transcribed (column order not fully recoverable): LoB1 Production Users: Malware Block, Malware Block, DENY, DENY. LoB1 Developers: Malware Block, Malware Block, DENY, DENY. Guests: DENY, DENY. Internet Access: PERMIT, PERMIT, DENY. Remaining cells: Malware Block, DENY, PERMIT, DENY (Protected Assets); LoB2 Employees: DENY; DENY all; PERMIT. Malware Blocking ACL:
   Deny tcp dst eq 445 log
   Deny tcp dst range log
   Permit
   Logical view: classification by ISE; enforcement at switch and router.

79 SGT Malware Recon/Propagation Security Overlay. Figure: Endpoint A (00:00:00:00:00:0a) and Endpoint B (00:00:00:00:00:0b), both SGT 7 - Employee, on a Cat3750X access switch with the SGACL egress policy on the distribution switch. 1. Endpoint A scans Endpoint B for open ports / OS. 2. Exploits by sending a payload. The SGT can be assigned via RADIUS attributes in 802.1X authorisation (dynamically) OR statically assigned to the VLAN. The SGACL for SGT 7 is applied statically on the switch or downloaded from ISE.
   SRC \ DST: 7 - Employee to 7 - Employee: Anti-Malware-ACL
   Anti-Malware-ACL:
   deny icmp
   deny udp src dst eq domain
   deny tcp src dst eq 3389
   deny tcp src dst eq 1433
   deny tcp src dst eq 1521
   deny tcp src dst eq 445
   deny tcp src dst eq 137
   deny tcp src dst eq 138
   deny tcp src dst eq 139
   deny udp src dst eq snmp
   deny tcp src dst eq telnet
   deny tcp src dst eq www
   deny tcp src dst eq 443
   deny tcp src dst eq 22
   deny tcp src dst eq pop3
   deny tcp src dst eq 123
   deny tcp match-all -ack +fin -psh -rst -syn -urg
   deny tcp match-all +fin +psh +urg
   permit tcp match-any +ack +syn

80 Campus Segmentation. SGACL segmentation is available on: wired access/distribution/core: Catalyst 3560-X, 3750-X; Catalyst 3850; Catalyst 4500E (7E), 4500X; Catalyst 6500E (2T); wireless access: WLC 5760. Other WLC platforms can also be configured to forward all P2P traffic into an SGACL-capable switch for policy enforcement; SXP from the WLC to the switch propagates role info for the wireless users.

81 Implementing Wireless User-to-User Policy Enforcement (figure: ISE, WLAN Controller, Permit/Deny between wireless users on the VLAN).
   interface Vlan2
    ip local-proxy-arp
    ip route-cache same-interface
   !
   cts role-based enforcement
   cts role-based enforcement vlan-list

82 TrustSec Support for WLAN
   Deployment Mode        | Controller Platforms   | TrustSec Support                                   | Release
   Centralised AireOS     | 2504, 5508, WiSM2      | SXP                                                | 7.4 onwards
   Centralised IOS        | 5760                   | SGT, SGACL                                         | IOS XE SE
   Converged Access IOS   | 3850, 3650             | SGT, SGACL                                         | IOS XE SE
   FlexConnect            | 5508, WiSM2, 8510, 7510 | None - could use VLAN-SGT mapping as a workaround |

83 Extending Inline Tagging Across the WAN to Branches. Inline tagging across the WAN: ISR G2 IOS 15.4(1)T & ASR (1)S. Inline tagging on built-in ISRG2 & ASR 1000 Ethernet interfaces (all except the 800 series ISR). Carries the SGT inline across GET-VPN and IPsec VPN. Figure: Branch A and Branch B (Cat3750-X behind an ISRG2, e.g. 2951/3945) send SGT over GET-VPN to the HQ ASR1000 router; inline SGT at HQ. Can also use the SGT-aware zone-based firewall in the branch and DC WAN edge for reasons like PCI compliance. SGT allows more dynamic classification in the branch and DC WAN edge. SGT is a source criterion only in the ISR FW; source or destination in the ASR 1000.

84 Extending Across WAN - Data Centre

Bidirectional propagation with Loop Detection, available now: ISR G2 15.3(2)T, ASR1000 IOS XE 3.9
- Allows the ASR1000 to be an IP/SGT relay from remote to remote
- This is a full replication model: each remote router learns all IP/SGT bindings with this approach

Diagram: Cat6K switches at the remote sites (Speaker-1 through Speaker-300) and ASR1K routers (Listener-1, Listener-2) in front of the data centre N7K, connected over an IPv4 WAN. The IP/SGT binding tables shown at each site hold the same Contractor and Employee entries (Employee = 30).

85 Putting Use-cases Together - Worked Example

Policy matrix with sources (SGT) down the side and destinations (DGT) across the top:
- Destinations: Users_x, Users_y, Users_z, Biz_Partner_1, Biz_Partner_2, Third_Party_1, Prod_Servers_1, DBMS, CRM, Test systems, Dev Systems
- Sources: users_x, users_y, users_z, Business_Partner_1, Business_Partner_2, Third_party_access_1, Production_Server_1, DBMS, CRM, Test_Systems, Dev_Systems

Cell key: requirement to permit or apply an SG-ACL; requirement to block; apply default policy.

Regions of the matrix map onto the use-cases:
- User-User Segmentation (users x/y/z among themselves)
- User-Business Partner / Extranet access control (users against partners and third parties)
- Controlled Access to Critical Servers (User/Context -> Server)
- DC Segmentation (server to server: Production, DBMS, CRM, Test, Dev)
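The following is an added example, not code from the presentation or from Cisco: a small Python model of how an egress switch resolves a packet against the policy matrix of slide 85, using the Anti-Malware-ACL of slide 79 as the Employee-to-Employee cell. The parser only covers the ACE grammar that appears on the slides (including the bare "src" token as written there). Assumptions, labelled in the code: SGT 20 for a Prod_Servers group and its "Web-Only" SGACL are constructed; the matrix default is deny; and the action taken when no ACE in a cell's SGACL matches is not stated on the slides, so it is a parameter rather than a claim about IOS behaviour.

```python
"""Toy model of a TrustSec SGACL policy matrix (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

@dataclass(frozen=True)
class Flow:
    src_sgt: int
    dst_sgt: int
    proto: str                               # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. frozenset({"ack", "syn"})

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    dst_port: Optional[int] = None   # from "dst eq <port>"
    mode: Optional[str] = None       # "match-all" or "match-any" TCP flag test
    set_flags: Set[str] = field(default_factory=set)    # "+syn" -> "syn"
    clear_flags: Set[str] = field(default_factory=set)  # "-ack" -> "ack"

    def matches(self, f: Flow) -> bool:
        if self.proto not in ("ip", f.proto) or self.dst_port not in (None, f.dst_port):
            return False
        if self.mode == "match-all":   # every listed flag condition must hold
            return self.set_flags <= f.tcp_flags and not (self.clear_flags & f.tcp_flags)
        if self.mode == "match-any":   # at least one listed condition must hold
            return bool(self.set_flags & f.tcp_flags or self.clear_flags - f.tcp_flags)
        return True

def parse_ace(line: str) -> Ace:
    """Grammar: <permit|deny> <proto> [src dst eq <port>] [match-all|match-any <+/-flag>...]"""
    toks = line.split()
    ace, i = Ace(action=toks[0], proto=toks[1]), 2
    while i < len(toks):
        if toks[i] == "src":                    # bare 'src' as on the slide: any source port
            i += 1
        elif toks[i:i + 2] == ["dst", "eq"]:
            ace.dst_port = PORT_NAMES.get(toks[i + 2]) or int(toks[i + 2])
            i += 3
        elif toks[i] in ("match-all", "match-any"):
            ace.mode = toks[i]
            for fl in toks[i + 1:]:
                (ace.set_flags if fl[0] == "+" else ace.clear_flags).add(fl[1:])
            break
        else:
            raise ValueError(f"unsupported token {toks[i]!r} in {line!r}")
    return ace

def evaluate_sgacl(aces: List[Ace], f: Flow, end_of_list: str) -> str:
    """First matching ACE wins; `end_of_list` is the action when nothing matches."""
    return next((a.action for a in aces if a.matches(f)), end_of_list)

class PolicyMatrix:
    def __init__(self, default: str, end_of_list: str) -> None:
        self.default = default          # matrix-wide default cell: "permit" or "deny"
        self.end_of_list = end_of_list  # ASSUMPTION: the slides do not state this action
        self.sgacls: Dict[str, List[Ace]] = {}
        self.cells: Dict[Tuple[int, int], str] = {}   # (SGT, DGT) -> SGACL name

    def decide(self, f: Flow) -> str:
        name = self.cells.get((f.src_sgt, f.dst_sgt))
        return self.default if name is None else evaluate_sgacl(self.sgacls[name], f, self.end_of_list)

# The slide's SGACL, verbatim.
ANTI_MALWARE_ACL = """deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
deny tcp match-all -ack +fin -psh -rst -syn -urg
deny tcp match-all +fin +psh +urg
permit tcp match-any +ack +syn"""

EMPLOYEE, PROD_SERVERS = 7, 20   # 7 is the slide's Employee tag; 20 is an assumed server tag

def build_matrix() -> PolicyMatrix:
    """Constructed matrix: default deny; Employee->Employee gets the slide's SGACL."""
    m = PolicyMatrix(default="deny", end_of_list="deny")
    m.sgacls["Anti-Malware-ACL"] = [parse_ace(l) for l in ANTI_MALWARE_ACL.splitlines()]
    m.sgacls["Web-Only"] = [parse_ace(l) for l in ("permit tcp src dst eq 443", "deny ip")]  # assumed
    m.cells[(EMPLOYEE, EMPLOYEE)] = "Anti-Malware-ACL"
    m.cells[(EMPLOYEE, PROD_SERVERS)] = "Web-Only"
    return m
```

Call build_matrix() and feed Flow objects to decide(): an Employee SYN to TCP/445 on a peer is denied by the port list, the same SYN to an unlisted port such as TCP/8080 is permitted by the final match-any line, a FIN-only probe (the recon step of slide 79) is caught by the first match-all line, and a flow to a tag that has no cell gets the matrix default. Change end_of_list on the matrix to see which flows depend on that assumption: only those that match no ACE at all, such as UDP to a port the SGACL never names.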

86 PCI Compliance

87 PCI Compliance

Diagram: a PCI server and a non-PCI server in the Data Centre network; a branch with a register and a workstation; segmentation across the company WAN between them. Key: segmentation enforcement points, PCI scope.

88 PCI Compliance: validation.pdf

89 Summary

90 Summary

TrustSec can be deployed for multiple use-cases:
- Can start with specific use-cases with minimal platform dependencies
- Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the policy matrix

TrustSec SGT can mean:
- Centralised policy for the complete network
- Distributed enforcement and scale
- No device-specific ACLs or rules to manage; one place to audit
- Servers can cycle through Dev > UAT > Prod without readdressing

Operational benefits:
- SGACLs avoid VLAN/dACL effort and administration
- Security policy managers/auditors do not need to understand the topology or the underlying technology to use the policy matrix
- Firewall rule simplification and OpEx reduction
- Faster and easier deployment of new services

91 Related Sessions

- BRKSEC-2692 Identity Based Networking: IEEE 802.1X and Beyond - Hariprasad Holla, Cisco Technical Marketing Engineer
- BRKSEC-3698 Advanced ISE and Secure Access Deployment - Aaron Woland, Cisco Technical Marketing Engineer
- BRKSEC-2203 Deploying TrustSec Security Group Tagging - Kevin Regan, Cisco Product Manager
- BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through - Darrin Miller, Cisco Distinguished Engineer
- BRKSEC-2045 Mobile Devices and BYOD Security - Deployment and Best Practices - Sylvain Levesque, Consulting Systems Engineer
- BRKEWN-2020 Wireless LAN Security, Policy and BYOD Best Practices - Federico Ziliotto, Senior Systems Engineer
- BRKSEC-3035 Successful Designing and Deploying Cisco's ISE 1.2/MDM Integration - Christoph Altherr, Senior Systems Engineer
- PSOSEC-2001 BYOD: Management and Control for the Use and Provisioning of Mobile Devices - Russell Rice, Director of Product Management

Tracks: Adv 802.1X Topics; Adv. ISE Topics; Intermediate and Adv TrustSec; BYOD; MDM; Mobile Device Security

92 Links

For more info:
- TrustSec and ISE Deployment Guides: _TrustSec.html
- PCI Scope Reduction with Cisco TrustSec, QSA (Verizon) Validation: dation.pdf
- YouTube: Fundamentals of TrustSec

93 Call to Action

- Visit the Cisco Campus at the World of Solutions to experience the following demos/solutions in action: Cisco Secure Access with ISE, TrustSec in the Data Centre, TrustSec in the Campus and Branch, TrustSec Threat Mitigation
- Meet the Engineer: Kevin Regan, Darrin Miller, Craig Hyps, Aaron Woland
- Discuss your project challenges at the Technical Solutions Clinics
- Lunch Time Table Topics, held in the main Catering Hall
- Visit CL365 (CiscoLiveEU.com) after the event for updated PDFs and on-demand session videos


95 Q & A

96 Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations:
- Directly from your mobile device on the Cisco Live Mobile App
- By visiting the Cisco Live Mobile Site
- Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected in the World of Solutions on Friday 20 March, 12:00pm - 2:00pm.

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.

97 Thank you.


More information

Manage Authorization Policies and Profiles

Manage Authorization Policies and Profiles Manage Policies and Profiles Cisco ISE Policies, page 1 Cisco ISE Profiles, page 1 Default, Rule, and Profile Configuration, page 5 Configure Policies, page 9 Permissions for Profiles, page 12 Downloadable

More information

Inside Cisco IT: How Cisco IT Deploy ISE and TrustSec Throughout the Enterprise

Inside Cisco IT: How Cisco IT Deploy ISE and TrustSec Throughout the Enterprise Inside Cisco IT: How Cisco IT Deploy ISE and TrustSec Throughout the Enterprise Donald Gunn Program Manager IT, Cisco Adam Cobbsky Senior Engineer IT, Cisco Cisco Spark How Questions? Use Cisco Spark to

More information

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window 9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based

More information

Data Center Security. Fuat KILIÇ Consulting Systems

Data Center Security. Fuat KILIÇ Consulting Systems Data Center Security Fuat KILIÇ Consulting Systems Engineer @Security Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized

More information

Securing Wireless LANs

Securing Wireless LANs Securing Wireless LANs Will Blake Consulting Systems Engineer #clmel Agenda Define terms and approach Enterprise WLANs Threats, Vulnerabilities and Mitigation strategies External threats Detection, Identification

More information

Chapter 5. Security Components and Considerations.

Chapter 5. Security Components and Considerations. Chapter 5. Security Components and Considerations. Technology Brief Virtualization and Cloud Security Virtualization concept is taking major portion in current Data Center environments in order to reduce

More information

Network Segmentation Through Policy Abstraction: How TrustSec Simplifies Segmentation and Improves Security Sept 2014

Network Segmentation Through Policy Abstraction: How TrustSec Simplifies Segmentation and Improves Security Sept 2014 In most organizations networks grow all the time. New stacks of security appliances, new applications hosted on new clusters of servers, new network connections, new subnets, new endpoint platforms and

More information

Cisco Virtual Networking Solution Nexus 1000v and Virtual Services. Abhishek Mande Engineer

Cisco Virtual Networking Solution Nexus 1000v and Virtual Services. Abhishek Mande Engineer Cisco Virtual Networking Solution Nexus 1000v and Virtual Services Abhishek Mande Engineer mailme@cisco.com Agenda Application requirements in virtualized DC The Anatomy of Nexus 1000V Virtual Services

More information

Cisco Actualanswers Exam

Cisco Actualanswers Exam Cisco Actualanswers 648-375 Exam Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 15.6 http://www.gratisexam.com/ Cisco 648-375 Exam Exam Name: Cisco Express Foundation for Systems

More information

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

DumpsFree.   DumpsFree provide high-quality Dumps VCE & dumps demo free download DumpsFree http://www.dumpsfree.com DumpsFree provide high-quality Dumps VCE & dumps demo free download Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get

More information

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide The Cisco Structured Wireless-Aware Network (SWAN) provides the framework to integrate and extend wired and wireless networks to deliver

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Introduction to The Enterprise Fabric provides end-to-end enterprise-wide segmentation, flexible subnet addressing, and controller-based

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication CHAPTER 42 This chapter describes how to configure web-based authentication. It consists of these sections: About Web-Based Authentication, page 42-1, page 42-5 Displaying Web-Based Authentication Status,

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

ISE Identity Service Engine

ISE Identity Service Engine CVP ISE Identity Service Engine Cisco Validated Profile (CVP) Series 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 10 Contents 1. Profile introduction...

More information