Securing Your Network Simply with TrustSec
- Cathleen Bishop
- 6 years ago
2 Securing Your Network Simply with TrustSec. Brandon Johnson, Systems Engineer. #clmel
3 Agenda: Introduction; TrustSec; SGTs; How difficult is it?; Is this for you?; Examples; Conclusion.
4 Modern Architecture
5 Network Architecture. It started with data, i.e. basic connectivity; it was scaled with VLANs; then came voice and converged networks; then wireless.
6 Network Architecture: New Requirements. New stuff keeps arriving (BYOD, guest wireless) and it must have security. Each addition means rework: more VLANs, new IP addressing, firewall change management and so on. Demands keep increasing: just as demand for location and space drives real estate, demand on the network only grows. We want it all, and we want it now.
7 Security and Segmentation. How do we segment today? VLANs, MPLS, GRE, IPv4 (and v6) addressing. VLANs were designed for broadcast domains, not for policy; IP addresses are assigned to roles statically. That is very manual and does not scale. A centralised model makes the access network dirty and easy to break, and produces an ACL explosion that is a nightmare to manage. Enforcement also has to run at line rate. (Slide graphic: a scale of complexity running from none, through VLANs and SGTs, to GRE, EVN and MPLS.)
8 Who Should Care About TrustSec. Network operators: simpler configuration, once they understand how it works. Network admins and architects: the next big thing in architecture, a new tool in the toolbox. Security officers: the network can now enforce policy, and it is the one thing left that we fully control. CIOs and CxO level: can I protect myself and the company?
9 TrustSec
10 Why TrustSec. Designed and engineered to map business policies onto network devices. Segmentation that is independent of VLAN and IP addressing. Segmentation at scale. It is simply easier to understand.
11 It Starts with Policy. The policy is a source-to-destination matrix: the same groups (Guest, Employee BYOD, Employee Managed, Internet, Internal Server) appear on both axes, and every cell starts at the default, PERMIT ALL.
12 Security Focused Policy. The same matrix (Guest, Employee BYOD, Employee Managed, Internet, Internal Server on both axes) with the default set to DENY ALL; individual cells are then opened up. The default can also be set to PERMIT ALL and specific cells closed instead.
13 What is Cisco TrustSec (CTS)? An architecture based on classifying traffic, marking it with a Security Group Tag, propagating the tag and enforcing on it. Components: Security Group Tags (SGTs), Security Group Access Control Lists (SGACLs) and the SGT Exchange Protocol (SXP). The Security Group Tag is a Cisco innovation that has been submitted to the IETF. There are lots of ways to use it.
14 TrustSec Security Group Tagging. Desired policy: who can talk to whom, who can access protected assets, how systems can talk to other systems. Benefits: simplified access management, accelerated security operations, consistent policy. Enforcement points: switch, router, DC firewall, DC switch; flexible and scalable policy enforcement.
15 Tagging Operation. Security Group Tag: a unique 16-bit tag (64K values) assigned to each unique role; the tag represents the privilege of the source user, device or entity. It is assigned at ingress to the TrustSec domain and filtered at egress from the domain by an SGACL. SGACL: no IP address is needed in an ACE, because the IP address is bound to the SGT; the policy (ACL) is distributed from a central server. This gives topology-independent policy, flexible and scalable policy based on user role, and centralised policy management with dynamic policy provisioning.
16 Policy: Who, What, Where, When and How. (1) Identity: IEEE 802.1X/EAP user authentication. (2) Profiling to identify the device: Cisco ISE profiles using HTTP, NetFlow, SNMP, DNS, RADIUS, DHCP and NMAP. (3) Posture of the device. (4) Policy decision in ISE from the full context, e.g. location (HQ), time (2:38 p.m.), access method (wireless LAN controller) and asset type: a company asset gets corporate resources, a personal asset gets Internet only. (5) Policy enforced in the network (unified access management). (6) Full or partial access granted.
17 TrustSec Classification Options. User and device SGT assignments, wired and wireless (remote-access VPN soon), from ISE via 802.1X, Web Auth, MAB or profiling. Data-centre server classifiers: IP-SGT (NX-OS, UCS Director, hypervisors), VLAN-SGT, port-SGT, Nexus 1000V port profile. Routing (IOS): subnet-SGT, VLAN-SGT and prefix learning (L3IF-SGT), used for business partners and third-party connections. RA-VPN SGT assignment: future.
18 How an SGT is Assigned. Campus access: an end user or endpoint is classified with an SGT; a BYOD device is classified with an SGT via the WLC. Distribution/core: an SVI interface or a VLAN is mapped to an SGT. Data centre: a physical server is mapped to an SGT at the DC access switch; a virtual machine is mapped to an SGT at the hypervisor switch. A firewall sits between the enterprise backbone and the DC core.
19 Classification Summary. Dynamic classification: 802.1X authentication, MAC Authentication Bypass, Web Authentication; the common classification for mobile devices. Static classification: IP address, VLANs, subnets, L2 interface, L3 interface, virtual port profile, Layer 2 port lookup; the common classification for servers, topology-based policy, etc.
20 SGT Assignment: Access Layer Classification

  Method                 Cat2960-S  Cat3750X  Cat3850/5760  Cat4K Sup7  Cat6x00  ISR  WLC
  Dynamic: 802.1X            X         X          X             X          X      X    X
  Dynamic: MAB               X         X          X             X          X      X    X
  Dynamic: Web Auth          X         X          X             X          X      X    X
  Static: VLAN/SGT           -         X*         X             X          X*     -    -
  Static: Subnet/SGT         -         -          X             X          X**    -    -
  Static: L3 identity to port mapping: Cat6x00 (Sup2T) only, based on routes learned from the port via dynamic routing

  * limits on the number of VLANs per platform
  ** via Sup2T
21 ISE Dynamic SGT Assignments
22 Dynamic Classification Process in Detail. Supplicant MAC 00:00:00:AB:CD:EF, switch/WLC, ISE. (1) Layer 2: EAPoL transaction between supplicant and switch; the EAP transaction is carried to ISE inside a RADIUS transaction; ISE evaluates policy and returns the authorisation with cisco-av-pair=cts:security-group-tag=<sgt>; the MAC is authorised with SGT = 5. (2) Layer 3: the endpoint gets a DHCP lease in its /24; the switch's IP Device Tracking (DHCP snooping and ARP probe) learns which IP address the authorised MAC is using. (3) SGT binding: MAC 00:00:00:AB:CD:EF = <ip> = SGT 5, and the switch installs the IP-SGT binding with source LOCAL. Make sure that IP Device Tracking is TURNED ON, otherwise the SGT never gets attached to an IP address.

  3560X#show cts role-based sgt-map all details
  Active IP-SGT Bindings Information
  IP Address   Security Group    Source
  =============================================
  <ip>         <sgt>:SGA_Device  INTERNAL
  <ip>         <sgt>:Employee    LOCAL

(INTERNAL is the switch's own address and device SGT; LOCAL is the authenticated endpoint.)
23 Static Classification: IOS CLI Examples

  IP to SGT mapping:        cts role-based sgt-map A.B.C.D sgt SGT_Value
  VLAN to SGT mapping*:     cts role-based sgt-map vlan-list VLAN sgt SGT_Value
  Subnet to SGT mapping:    cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
  L2IF to SGT mapping*:     (config-if-cts-manual)#policy static sgt SGT_Value
  L3IF to SGT mapping**:    cts role-based sgt-map interface name sgt SGT_Value
  L3 ID to port mapping**:  (config-if-cts-manual)#policy dynamic identity name

  * relies on IP Device Tracking
  ** relies on route prefix snooping
24 Layer 3 Interface to SGT Mapping (L3IF-SGT). Sup2T, IOS 15.0(1)SY. Route prefix monitoring on a specific Layer 3 port maps every prefix learned on that port to an SGT. Applies to Layer 3 interfaces regardless of the underlying physical interface: routed port, SVI (VLAN interface), tunnel interface. Example: joint-venture route updates arrive on g3/0/1 and business-partner route updates on g3/0/2 of a VSS pair; each interface is mapped to its own SGT and the prefixes learned on it inherit that tag.

  cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
  cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9

  VSS-1#show cts role-based sgt-map all
  Active IP-SGT Bindings Information
  IP Address     SGT    Source
  ========================================
  <ip>           <sgt>  INTERNAL
  <ip>           <sgt>  INTERNAL
  <ip>           <sgt>  INTERNAL
  <prefix>/24    8      L3IF
  <prefix>/24    9      L3IF
  <prefix>/24    9      L3IF
25 Nexus 1000V 2.1 SGT Assignment. A port profile is a container of network properties that can be applied to different interfaces. The server admin may assign port profiles to new VMs; the VMs inherit the network properties of the port profile, including the SGT. The SGT stays with the VM even if it is moved.
26 Nexus 1000V 2.1 SGT Assignment: port profiles assigned to VMs (screenshot).
27 SGT Propagation
28 Propagation Option 1: Inline Tagging. The SGT is embedded in a Cisco MetaData (CMD) header inside the Layer 2 frame. Capable switches understand and process the SGT at line rate. Optional MACsec (IEEE 802.1AE, AES-GCM 128-bit encryption) protects the link. No impact on QoS or on IP MTU/fragmentation, because the tag sits below the IP layer. L2 frame impact: ~40 bytes; the CMD header itself is 8 bytes, the rest is the MACsec SecTAG and ICV when MACsec is enabled. The 16-bit field gives ~64,000 tags. Caveat: devices that do not understand the CMD EtherType will drop the frames, so every hop on an inline-tagged link must be SGT-capable. Ethernet frame: Destination MAC | Source MAC | 802.1Q | CMD (EtherType 0x8909) | EtherType | Payload | CRC. Cisco MetaData: CMD EtherType | Version | Length | SGT Option Type | SGT Value | other CMD options. MACsec frame: Destination MAC | Source MAC | 802.1AE header (EtherType 0x88E5) | 802.1Q | CMD | EtherType | Payload | 802.1AE ICV | CRC.
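The frame layout above, as an added example that is not part of the presentation or Cisco's code: it builds an Ethernet frame with an optional 802.1Q tag and a CMD header carrying the SGT, parses the SGT back out, and shows the two practical points from the slide, namely that the CMD header alone costs 8 bytes and that a switch which does not know EtherType 0x8909 cannot get past it to the real EtherType and drops the frame. The field order follows the slide; the byte widths (1/1/2/2) and the constant values version=1, length=1, option type=0x0001 are taken from commonly published CMD captures and are an assumption here. MACsec is not modelled. MAC addresses and the IP stand-in are constructed.

```python
"""Build and parse an inline-tagged Ethernet frame with a Cisco MetaData (CMD)
header carrying a Security Group Tag. Added example, not Cisco code. Field
order follows the slide (CMD EtherType 0x8909, version, length, SGT option
type, SGT value, then the encapsulated EtherType); the widths 1/1/2/2 bytes
and the values version=1, length=1, option=0x0001 are an assumption taken
from commonly published captures. MACsec is not modelled."""
import struct

ETHERTYPE_VLAN, ETHERTYPE_CMD, ETHERTYPE_IPV4 = 0x8100, 0x8909, 0x0800
CMD_VERSION, CMD_LENGTH, CMD_OPT_SGT = 1, 1, 0x0001


def mac(text):
    """'00:00:00:ab:cd:ef' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, sgt=None, vlan=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet header, optional 802.1Q tag, optional CMD header, then payload."""
    frame = mac(dst) + mac(src)
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is a 16-bit field")
        # CMD EtherType, version, length, SGT option type, 16-bit tag value
        frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, CMD_LENGTH, CMD_OPT_SGT, sgt)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, cmd_capable=True):
    """Return (sgt, vlan, ethertype, payload); sgt is None for an untagged frame.
    cmd_capable=False models a switch that does not know EtherType 0x8909: it
    cannot find the real EtherType behind the CMD header and drops the frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off); off += 2
    vlan = sgt = None
    if etype == ETHERTYPE_VLAN:
        (tci,) = struct.unpack_from("!H", frame, off); off += 2
        vlan = tci & 0x0FFF
        (etype,) = struct.unpack_from("!H", frame, off); off += 2
    if etype == ETHERTYPE_CMD:
        if not cmd_capable:
            raise ValueError("unknown EtherType 0x8909: frame dropped")
        version, _length, opt, sgt = struct.unpack_from("!BBHH", frame, off); off += 6
        if version != CMD_VERSION or opt != CMD_OPT_SGT:
            raise ValueError(f"unsupported CMD version {version} / option {opt:#06x}")
        (etype,) = struct.unpack_from("!H", frame, off); off += 2
    return sgt, vlan, etype, frame[off:]


def cmd_overhead():
    """Bytes the CMD header adds to an otherwise identical 802.1Q frame."""
    ip = b"\x45\x00" + bytes(18)   # constructed stand-in for an IPv4 header
    tagged = build_frame("00:00:00:ab:cd:ef", "00:00:00:00:00:0a", ip, sgt=5, vlan=100)
    plain = build_frame("00:00:00:ab:cd:ef", "00:00:00:00:00:0a", ip, vlan=100)
    return len(tagged) - len(plain)


if __name__ == "__main__":
    f = build_frame("00:00:00:ab:cd:ef", "00:00:00:00:00:0a", b"\x45\x00" + bytes(18), sgt=5, vlan=100)
    print(parse_frame(f)[:3], "CMD overhead:", cmd_overhead(), "bytes")
```

The 40-byte figure on the slide is only reached once MACsec is added on top; on a plain link the tag costs 8 bytes per frame, which is why MTU and fragmentation are unaffected at the IP layer.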
29 Configure Links for SGT Tagging: CTS manual, no encryption. The trusted keyword means an SGT already present in frames arriving from the peer is accepted; without it the static SGT is stamped over whatever the peer sent.

  interface TenGigabitEthernet1/5
   cts manual
    policy static sgt 2 trusted

  C6K2T-CORE-1#show cts interface brief
  Global Dot1x feature is Enabled
  Interface GigabitEthernet1/1:
      CTS is enabled, mode:    MANUAL
      IFC state:               OPEN
      Authentication Status:   NOT APPLICABLE
          Peer identity:       "unknown"
          Peer's advertised capabilities: ""
      Authorization Status:    SUCCEEDED
          Peer SGT:            2:device_sgt
          Peer SGT assignment: Trusted
      SAP Status:              NOT APPLICABLE
      Propagate SGT:           Enabled
      Cache Info:
          Expiration            : N/A
          Cache applied to link : NONE
      L3 IPM: disabled.

Always shut / no shut the interface after any cts manual or cts dot1x change.
30 Propagation Option 2: SGT Exchange Protocol (SXP). A control-plane protocol that conveys the IP-SGT map of authenticated hosts to the enforcement points. SXP uses TCP as its transport. It accelerates deployment of SGT. Supports single hop and multi-hop (aggregation). Two roles: speaker (initiator) and listener (receiver). Example: access switch (speaker) to aggregation switch (listener, then speaker in turn) to router (listener).
31 Propagation Option 2: SXP (continued). SXP accelerates deployment of SGTs: it allows classification at the access edge without a hardware upgrade, carries the bindings from the access edge to the enforcement device, and is also used to traverse networks and devices without SGT capability. Uses TCP for transport, port 64999 for connection initiation. Uses MD5 for peer authentication and integrity checking; the key is the password configured on each peer. Two roles: speaker (initiator) and listener (receiver).
32 SXP Informational Draft. SXP is now published as an Informational Draft to the IETF, based on customer requests. The draft is called Source-Group Tag Exchange Protocol because of likely uses beyond security. It specifies SXPv4 functionality with backwards compatibility to v2.
33 SXP Connection Types. Single-hop: an SXP-enabled switch or WLC (speaker) peers directly with SGT-capable hardware (listener). Multi-hop: an SXP-enabled switch or WLC (speaker) peers with an intermediate SXP-enabled switch (listener), which in turn speaks to SGT-capable hardware (listener); bindings from a non-TrustSec domain are carried across the hops.
34 SXP IOS Configuration

Cat3750 (speaker, peering to the Cat6K):
  cts sxp enable
  cts sxp connection peer <6K-ip> source <3750-ip> password default mode local speaker
  ! Peering to Cat6K

Cat6K (listener for both the Cat3K and the WLC):
  cts sxp enable
  cts sxp default password cisco123
  !
  cts sxp connection peer <3750-ip> source <6K-ip> password default mode local listener hold-time 0 0
  ! ^^ Peering to Cat3K
  cts sxp connection peer <WLC-ip> source <6K-ip> password default mode local listener hold-time 0 0
  ! ^^ Peering to WLC

On the speaker the binding is local:

  C3750#show cts role-based sgt-map all details
  Active IP-SGT Bindings Information
  IP Address   Security Group      Source
  ======================================================================
  <ip>         <sgt>:device_sgt    INTERNAL
  <ip>         <sgt>:EMPLOYEE_FULL LOCAL

On the listener the connections are up and the same binding shows with source SXP:

  C6K2T-CORE-1#show cts sxp connections brief
  SXP              : Enabled
  Highest Version Supported: 4
  Default Password : Set
  Default Source IP: Not Set
  Connection retry open period: 120 secs
  Reconcile period: 120 secs
  Retry open timer is not running
  Peer_IP   Source_IP   Conn Status   Duration
  <ip>      <ip>        On            11:28:14:59 (dd:hr:mm:sec)
  <ip>      <ip>        On            22:56:04:33 (dd:hr:mm:sec)
  Total num of Connections = 2

  C6K2T-CORE-1#show cts role-based sgt-map all details
  Active IP-SGT Bindings Information
  IP Address   Security Group      Source
  ======================================================================
  <ip>         <sgt>:PCI_Servers   CLI
  <ip>         <sgt>:Device_sgt    INTERNAL
  --- snip
  <ip>         <sgt>:GUEST         SXP
  <ip>         <sgt>:EMPLOYEE_FULL SXP
35 WLC Configuration (screenshot of the controller's SXP settings).
36 Inline Tagging vs. SXP Tag Propagation. Inline SGT tagging: the SGT travels in the CMD field of the L2 Ethernet frame, is processed in the ASIC and is optionally encrypted; use it where the device supports SGT in its ASICs. SXP: the local IP-SGT binding table (IP address to SGT) is sent in the control plane; use it where devices in the path are not SGT-capable. In the example topology the campus access, distribution, core, DC core, EOR and DC access switches, the WLC, firewall and hypervisor switch each either tag inline or exchange bindings over SXP.
37 Policy Enforcement
38 Policy Enforcement: Security Group ACL (SGACL). Mary authenticates and is classified as Marketing (SGT 5) at the Cat3750X; her packets (SRC: Mary, DST: Web_Dir, SGT: 5) cross Cat6500s and Nexus 7000s in the enterprise backbone to the Nexus 5500/2248 data-centre access (WLC5508 and ASA5585 in the same topology). At the egress enforcement point the FIB lookup yields the destination MAC/port and with it the destination classification: Web_Dir is SGT 20, CRM is SGT 30. The packet is then matched against cell (5, 20).

  SRC \ DST       Web_Dir (20)   CRM (30)
  Marketing (5)   SGACL-A        SGACL-B
  BYOD (7)        Deny           Deny
39 Centralised SGACL Policy Management in ISE. Example SGACL:

  Portal_ACL
    permit tcp dst eq 443
    permit tcp dst eq 80
    permit tcp dst eq 22
    permit tcp dst eq 3389
    permit tcp dst eq 135
    permit tcp dst eq 136
    permit tcp dst eq 137
    permit tcp dst eq 138
    permit tcp dst eq 139
    deny ip
40 SGACL Egress Policy Enforcement. Extended ACL syntax, without IP addresses. Avoids TCAM impact and can be IPv6 agnostic (currently only the Cat6K Sup2T supports IPv6 SGACLs). Can be applied anywhere, with no IP dependency. Switches that classify servers download only the SGACLs they need from ISE. No device-specific ACL configs. In the example, sources tagged SGT 3, 4 and 5 reach Prod_Servers (SGT 7) and Dev_Servers (SGT 10) through an enforcement switch that applies Portal_ACL (permit tcp dst eq 443/80/22/3389/135/136/137/138/139, deny ip) at egress.
41 Typical SGACL Deployment Approach: Egress Enforcement. Users and endpoints authenticate in monitor mode on Catalyst switches/WLC (3K/4K/6K); the enforcement point is the N7K in front of the PCI server, development server and production server.

Monitor mode on the access port:
  authentication port-control auto
  authentication open
  dot1x pae authenticator

  SRC \ DST       PCI Server (111)   Dev Server (222)
  Dev User (8)    Deny all           Permit all
  PCI User (10)   Permit all         Permit all
  Unknown (0)     Deny all           Deny all

1. The user connects to the network; monitor mode (authentication open) allows traffic before authentication.
2. Authentication is performed and the result (AUTH=OK, SGT = PCI User (10)) is logged by ISE.
3. Traffic traverses to the data centre and hits the SGACL at the egress enforcement point.
4. SGACLs may be enabled gradually, one destination SGT at a time.
42 Environment Data. The switch pulls its environment data (device SGT, ISE server list, SGT name table) from ISE:

  TS2-6K-DIST#show cts environment-data
  CTS Environment Data
  ====================
  Current state = COMPLETE
  Last status = Successful
  Local Device SGT:
    SGT tag = 2-00
  Server List Info:
  Installed list: CTSServerList1-0004, 3 server(s):
   *Server: <ip>, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
            Status = ALIVE
            auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
   *Server: <ip>, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
            Status = ALIVE
            auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
   *Server: <ip>, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
            Status = ALIVE
            auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
  Multicast Group SGT Table:
  Security Group Name Table:
    2-98 : 80 -> Device_SGT
    unicast-unknown-98 : 80 -> Unknown
    Any : 80 -> ANY
  Transport type = CTS_TRANSPORT_IP_UDP
  Environment Data Lifetime = <n> secs
  Last update time = 20:56:48 UTC Mon Sep <date>
  Env-data expires in   0:23:59:59 (dd:hr:mm:sec)
  Env-data refreshes in 0:23:59:59 (dd:hr:mm:sec)
  Cache data applied = NONE
  State Machine is running
43 Activating SGACL Enforcement on an IOS Switch. After setting up SGTs and SGACLs in ISE, enable SGACL enforcement on the switch.

Define IP-to-SGT mappings for the servers:
  Switch(config)#cts role-based sgt-map <server-ip> sgt 5
  Switch(config)#cts role-based sgt-map <server-ip> sgt 6
  Switch(config)#cts role-based sgt-map <server-ip> sgt 7

Enable SGACL enforcement globally and for the VLAN:
  Switch(config)#cts role-based enforcement
  Switch(config)#cts role-based enforcement vlan-list 40

Distribution 6K Sup2T: enable the ingress reflector to support SGACLs on legacy line cards, if there are any. Enabling the reflector requires a system reboot:
  Switch(config)#platform cts ingress
  CTS Ingress reflector will be active only on next system reboot.
  Please reboot the system for CTS Ingress reflector to be active.
44 Downloading SGACL Policy on an IOS Switch. Verify the SGACL content; the mapping shown must match the policy matrix in ISE. The numeric suffix on each entry is the generation ID of the version downloaded from ISE.

  TS2-6K-DIST#show cts role-based permissions
  IPv4 Role-based permissions default:
          Permit IP-00
  IPv4 Role-based permissions from group 3 to group 5:
          Deny IP-00
  IPv4 Role-based permissions from group 4 to group 5:
          ALLOW_HTTP_HTTPS-20
  IPv4 Role-based permissions from group 3 to group 6:
          ALLOW_HTTP_SQL-10
          Permit IP-00
  IPv4 Role-based permissions from group 4 to group 6:
          Deny IP-00
  IPv4 Role-based permissions from group 3 to group 7:
          Deny IP-00
  IPv4 Role-based permissions from group 4 to group 7:
          Permit IP-00
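The egress enforcement described on slides 15, 38 to 41 and 44, as an added example that is not part of the presentation or Cisco's code: an IP-SGT binding table with longest-prefix lookup (so a /32 learned through 802.1X beats a subnet mapping learned over SXP), an SGACL whose entries carry ports and TCP flags but no addresses, and a policy matrix with a default cell. Every IP address, SGT number and ACL name is made up; Portal_ACL and Anti-Malware-ACL are shortened versions of the ones on the slides.

```python
"""Model of TrustSec egress enforcement: an IP-SGT binding table, an SGACL
matrix keyed on (source SGT, destination SGT), and ACEs without IP addresses.
Added example, not Cisco code: every IP, SGT number and ACL name is made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

UNKNOWN_SGT = 0  # no binding for the address: classified as SGT 0, "Unknown"


class BindingTable:
    """IP-SGT table like 'show cts role-based sgt-map all'. Lookup is longest
    prefix match, so a /32 learned for a host beats a subnet-to-SGT mapping."""

    def __init__(self):
        self.bindings = []   # (network, sgt, source); source is LOCAL/CLI/SXP/L3IF

    def add(self, prefix, sgt, source):
        self.bindings.append((ip_network(prefix, strict=False), sgt, source))

    def lookup(self, ip):
        addr, best = ip_address(ip), None
        for net, sgt, _source in self.bindings:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sgt)
        return best[1] if best else UNKNOWN_SGT


@dataclass
class Ace:
    """One SGACL entry such as 'deny tcp dst eq 445', 'permit ip' or
    'deny tcp match-all +fin -ack'. There is no address anywhere in it."""
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" matches every protocol
    dport: Optional[int] = None
    flags_set: frozenset = frozenset()     # match-all +flag: all must be set
    flags_clear: frozenset = frozenset()   # match-all -flag: all must be clear
    flags_any: frozenset = frozenset()     # match-any +flag: at least one set

    def matches(self, pkt):
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        flags = pkt.get("flags", frozenset())
        if not self.flags_set <= flags or self.flags_clear & flags:
            return False
        return not self.flags_any or bool(self.flags_any & flags)


@dataclass
class Sgacl:
    name: str
    aces: list

    def evaluate(self, pkt):
        for ace in self.aces:          # first matching ACE wins
            if ace.matches(pkt):
                return ace.action
        return None                    # nothing matched: fall through


class EgressPolicy:
    """The policy matrix from ISE. A cell holds an ordered list of SGACLs; a flow
    matching no ACE in its cell, or with no cell at all, gets the default (the
    'Permit IP' / 'Deny IP' line of 'show cts role-based permissions')."""

    def __init__(self, default="deny"):
        self.default, self.cells = default, {}

    def set_cell(self, src_sgt, dst_sgt, *acls):
        self.cells[(src_sgt, dst_sgt)] = list(acls)

    def decide(self, table, pkt):
        """Classify both ends, then evaluate the cell. Returns (verdict, acl name)."""
        cell = (table.lookup(pkt["src"]), table.lookup(pkt["dst"]))
        for acl in self.cells.get(cell, []):
            verdict = acl.evaluate(pkt)
            if verdict:
                return verdict, acl.name
        return self.default, "default"


def flow(src, dst, dport, flags=()):
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport, "flags": frozenset(flags)}


def demo():
    MARKETING, BYOD, WEB_DIR = 5, 7, 20                 # SGT numbers as on the slides
    table = BindingTable()
    table.add("10.1.1.5/32", MARKETING, "LOCAL")       # 802.1X result + IP device tracking
    table.add("10.1.1.9/32", BYOD, "LOCAL")
    table.add("10.2.0.0/24", WEB_DIR, "CLI")           # static subnet-to-SGT for the web tier
    table.add("10.1.0.0/16", MARKETING, "SXP")         # coarser binding learned over SXP
    portal = Sgacl("Portal_ACL", [Ace("permit", "tcp", 443), Ace("permit", "tcp", 80),
                                  Ace("deny", "ip")])
    anti_malware = Sgacl("Anti-Malware-ACL", [
        Ace("deny", "tcp", 445),                                                  # SMB
        Ace("deny", "tcp", flags_set=frozenset({"fin"}),
            flags_clear=frozenset({"ack", "psh", "rst", "syn", "urg"})),          # FIN scan
        Ace("deny", "tcp", flags_set=frozenset({"fin", "psh", "urg"})),           # Xmas scan
        Ace("permit", "tcp", flags_any=frozenset({"ack", "syn"}))])
    policy = EgressPolicy(default="deny")                # "DEFAULT DENY ALL" matrix
    policy.set_cell(MARKETING, WEB_DIR, portal)
    policy.set_cell(MARKETING, MARKETING, anti_malware)  # user-to-user within a role
    return {
        "https_to_web": policy.decide(table, flow("10.1.1.5", "10.2.0.10", 443)),
        "telnet_to_web": policy.decide(table, flow("10.1.1.5", "10.2.0.10", 23)),
        "byod_to_web": policy.decide(table, flow("10.1.1.9", "10.2.0.10", 443)),
        "unknown_to_web": policy.decide(table, flow("192.0.2.7", "10.2.0.10", 443)),
        "peer_smb": policy.decide(table, flow("10.1.1.5", "10.1.50.3", 445, {"syn"})),
        "peer_fin_scan": policy.decide(table, flow("10.1.1.5", "10.1.50.3", 22, {"fin"})),
        "peer_syn": policy.decide(table, flow("10.1.1.5", "10.1.50.3", 8080, {"syn"})),
    }
```

Note what the unknown case shows: an address with no binding lands in SGT 0 and, with a default-deny matrix, is dropped even though nothing in the ACLs names it. That is the failure mode to watch when IP Device Tracking or an SXP peering is down: the traffic does not bypass policy, it falls into the Unknown row.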
45 Policy Enforcement on Firewalls: ASA SG-FW. Security group definitions come from ISE. The switches inform the ASA of security group membership (the IP-SGT bindings, over SXP). The ASA can trigger other services by SGT. Rules can still use network objects (host, range, network/subnet or FQDN) and/or the SGT.
46 SG-FW: Simplifying ASA Rules and Operations

  Source IP  Source SGT    Dest IP  Dest SGT          Port  Action
  Any        Web Server    -        PCI Servers       SQL   Allow
  Any        Audit users   -        PCI Servers       TCP   Allow
  Any        Developers    Any      Dev VDI Systems   Any   Deny

Policies can use security groups for user roles and server roles. Moves and changes do not require IP-address rule changes; new servers and users only need their group membership established. The rule-base reduction from using groups instead of IP addresses can be significant. Common classification method for campus and data centre. Simplified auditing for compliance purposes.
47 Using SG-FW and SGACL Enforcement Together. ISE pushes SGACL policies to the switches and SGT names to the ASA (SGT 10 = PCI_User, SGT 100 = PCI_Svr); IP-SGT bindings reach the ASA from the switches; CSM/ASDM hold the firewall policies. This gives consistent classification and enforcement between firewalls and switching. SGT names are synchronised between ISE and ASDM, but SGACL and SG-FW policies are administered separately and have to be kept in sync by the policy administrators.
48 Logging TrustSec Policy Enforcement. SG-FW gives richer logging, e.g. URL logging. Switch logging is best effort, via syslog (e.g. N7000) or NetFlow (C6500 Sup2T). SGACL counters vary per switch platform: per SGT/DGT pair on Nexus 7000 and Cat6500 Sup2T, per platform on Nexus 5500.
49 TrustSec Platform Support

Classification (SGT assignment):
  Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X;
  NEW Catalyst 3850, 3650; WLC 5760; Catalyst 4500E (Sup6E/7E);
  Catalyst 6500E (Sup720/2T); Wireless LAN Controller 2500/5500/WiSM2;
  Nexus 7000; Nexus 5500; Nexus 1000v; ISR G2, CGR2000; IE2000/3000, CGS2000.

Propagation (inline SGT and/or SXP; the slide marks which per platform):
  Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X;
  Catalyst 3850, 3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E), 4500X;
  Catalyst 6500E (Sup720); Catalyst 6500E (2T); WLC 2500, 5500, WiSM2; WLC 5760;
  Nexus 1000v; NEW Nexus 5500/22xx FEX; Nexus 7000/22xx FEX;
  NEW ISR G2*, CGR2000 and ASR 1000 (inline SGT, also over GET VPN and IPsec);
  ASA 5500 (remote-access VPN) inline SGT in beta.

Enforcement: SGACL on Catalyst 3560-X; Catalyst 3750-X; Catalyst 3850, 3650; WLC 5760;
  Catalyst 4500E (7E); Catalyst 6500E (2T); Nexus 7000; Nexus 5500.
  SG-FW on NEW ISR G2, CGR2000; NEW ASR 1000 router; ASA 5500 firewall, ASASM.

* Inline SGT on all ISR G2 except the 800 series.
50 Where Can I Get Started
51 Getting Started: It's a Journey. Start by understanding that SGTs exist (this session). Understand the existing network and which parts are easy targets. Develop your policy! Run proofs of concept (PoC); talk to your SE. Use the published TrustSec use-cases for reference. Look at monitor mode with SGT. Plan for infrastructure with SGACL support.
52 Possibilities. Existing wireless networks with guest: create a guest policy on the wireless controller; provides SGT-differentiated Wi-Fi. Existing wireless networks with BYOD: create a policy on the wireless controller; rules that allow BYOD devices to reach only certain servers. Implement ISE and AD groups; provides scalable, differentiated employee access to sensitive information. ASA with SGT rules; apply SGT rules on the ASA to protect servers. Monitor mode with SGT: ASA with SGT rules on the wired network while the access layer runs in monitor mode; provides a scalable rule set that is easy to understand and audit.
53 How to Implement TrustSec. Start with the policy. Start small and expand; you do not have to boil the ocean. Deploy ISE for central policy. Implement classification and marking at the access layer (wired and wireless). Implement SXP for propagation to the enforcement devices (ASA, switches with SGACL support) and for extending across Layer 3 boundaries. Implement enforcement. Check out IBNS 2.0 for the access policy.
54 Use Cases
55 TrustSec Security Group Tagging (slide 14 repeated as the introduction to the use cases).
56 TrustSec Concept. Users and devices are classified by ISE, backed by the directory; the result is an SGT (e.g. SGT 5 for a user group, SGT 4 for Fin Servers, SGT 10 for HR Servers). Classification of systems and users is based on context (user role, device, location, access method). The context-based classification propagates via the SGT. Firewalls, routers and switches use the SGT to make forwarding or blocking decisions.
57 SGT Assignment: BYOD Example. ISE profiling collects identity and profiling data (NetFlow, DHCP, HTTP, DNS, RADIUS, OUI, NMAP, SNMP) from the AP and the wireless LAN controller. Classification result: device type Apple iPad, user Fay, group Tech Marketing, corporate asset: No. Security group policy: a company asset in Tech Marketing gets DC resource access; a personal asset gets restricted, Internet-only access. Enforcement is distributed and based on the security group.
58 Traditional Segmentation. Every step is replicated across floors, buildings and sites: aggregation-layer ACLs, VLAN, addressing, DHCP scope, redundancy, routing, static ACLs at the access layer. The simple case is 2 VLANs (voice and data). More policies (quarantine, voice, data, suppliers, guest) mean segmentation with more VLANs, and the whole list of steps again for each of them.
59 User to Data Centre Access Control with TrustSec SGT. Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers. The Main Building data VLAN and the Building 3 WLAN data VLAN both carry Voice, Employee, Supplier, Guest and Quarantine endpoints; each endpoint carries its tag (Employee, Supplier, Guest, Quarantine) through the campus core to the data-centre firewall and the data-centre access layer, where policy is enforced.
60 Campus Segmentation with TrustSec SGT. Enforcement is based on the Security Group Tag, so communication can be controlled within the same VLAN: the Main Building data VLAN (100) and Building 3 data VLAN (200) each mix Employee, Guest and Quarantine endpoints (plus voice), and the Employee, Supplier, Guest and Quarantine tags are enforced across the campus core, the data-centre firewall and the DC access layer.
61 Traditional OpEx in Security Policy Maintenance. Sources: NY, SF, LA, SJC (one /24 each). Destinations: DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI) production servers. The traditional ACL/firewall rule set for 3 source objects and 3 destination objects:

  permit NY to SRV1 for HTTPS
  deny NY to SAP1 for SQL
  deny NY to SCM2 for SSH
  permit SF to SRV1 for HTTPS
  deny SF to SAP1 for SQL
  deny SF to SCM2 for SSH
  permit LA to SRV1 for HTTPS
  deny LA to SAP1 for SQL
  deny LA to SCM2 for SSH

Adding a source object (SJC) adds a rule per destination:

  permit SJC to SRV1 for HTTPS
  deny SJC to SAP1 for SQL
  deny SJC to SCM2 for SSH

Adding a destination object (VDI) adds a rule per source:

  permit NY to VDI for RDP
  deny SF to VDI for RDP
  deny LA to VDI for RDP
  deny SJC to VDI for RDP

Complexity and operational effort grow with the product of sources and destinations.
62 Reduced OpEx in Policy Maintenance. Sources: Employee (SGT 10) and BYOD (SGT 200) users in NY, SF, LA and SJC. Destinations: Production_Servers (SGT 50: DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2) and VDI (SGT 201: DC-RTP VDI). Policy stays with users and servers regardless of location or topology, and the rule set collapses to security group filtering:

  Permit Employee to Production_Servers eq HTTPS
  Permit Employee to Production_Servers eq SQL
  Permit Employee to Production_Servers eq SSH
  Permit Employee to VDI eq RDP
  Deny BYOD to Production_Servers
  Deny BYOD to VDI eq RDP

Simpler auditing process (low OpEx cost); simpler security operation (resource optimisation); ROI from OpEx reduction.
63 Ease of Data Centre Provisioning. Manual: a new workload is provisioned, and the firewalls must be updated by hand with the new IP address and its permissions. Automated: the workload is provisioned with a security group attribute, TrustSec policies are already applied to the switches and firewalls, and the firewall applies the correct security policy based on security group membership.
64 Use Cases: User to DC Access Control
65 User to Data Centre Access Control: Policy View

  Source \ Destination          Production Servers  Development Servers  Internet Access
  Employee (managed asset)      PERMIT              DENY                 PERMIT
  Employee (registered BYOD)    PERMIT              DENY                 PERMIT
  Employee (unknown BYOD)       DENY                DENY                 PERMIT
  ENG VDI System                DENY                PERMIT               PERMIT

Production and development servers are the protected assets. Logical view: users and devices are classified by ISE; the SGT propagates through switch, router, DC firewall and DC switch; enforcement happens in front of the production and development servers.
66 User to DC Access Control: Unified Access/BYOD. Wired access (Catalyst 2960-S/-C/-Plus/-X/-XR; 3560-E/-C, 3750-E; 3560-X, 3750-X; 3850; 4500E Sup6E; 4500E Sup7E, 4500X; 6500E Sup720; 6500E Sup2T) and wireless access (WLC 2500, 5500, WiSM2) classify users and propagate the SGT, inline or over SXP, toward the campus core; WLAN/Unified Access on the Catalyst 3850 and WLC 5760 carry the SGT inline. Campus core switch, Catalyst 6500E (2T) or Catalyst 4500 Sup7 (L3 configuration), enforces SGACLs. Traffic then passes the DC firewall, DC core and DC distribution to DC virtual access (VM servers) and DC physical access (physical servers). Destination SGTs are classified in the enforcement device using subnet-SGT mappings and IP-SGT mappings.
67 User to DC Access Control: DC Switch Enforcement. The same wired and wireless access platforms classify and propagate the SGT through the campus core, DC core and DC distribution; enforcement is on the Nexus 7000. Servers are classified with: Nexus 1000V port profile SGT mappings (VMs are associated with N1000V port profiles and the N1000V sends the SGT assignment to the N7000s); Nexus VLAN-SGT mappings; IP-SGT mappings for physical servers (pushed from ISE to the N7000 switches); Nexus 5500/2000 FEX port-SGT mappings for physical servers.
68 User to DC Access Control: SG-Firewall. The same access platforms classify; the bindings reach the ASA over SXP, both from the campus and from the Nexus 1000V/5500/7000. Servers are classified with: Nexus 1000V port profile SGT mappings; Nexus 7000 VLAN-SGT mappings; IP-SGT mappings (can come from ISE); Nexus 5K/2K IP-SGT mappings (can come from ISE). These become the IP entries behind the firewall rules on the ASA.
69 User to DC Access Control: Topology View. Site A: Cat6500, Cat3850, ISRG2. Site B and Site C: ISRG2 routers over the encrypted WAN to an ASR1000 at the campus edge. Campus: Cat4K Sup7, Cat6K-A and Cat6K-B core, Cat3560-X access. Data centre: ASA pair, N7K-A and N7K-B, N5500, N2K, N1Kv, with Prod DB and Dev servers; ISE 1.2. Policy can be enforced at any of these tiers.
70 Use Cases: Data Centre Segmentation
71 Data Centre Segmentation. Segment servers into logical zones, e.g. SGT Production (6) and SGT Dev (10) with an SGACL deny between them. Control access to logical DC entities based on role. Apply the controls to physical and virtual systems (virtual servers, VDI ...). Sample server groups: Production, Development, User Acceptance Test; export-controlled data; engineering vs. business servers; PCI compliance-critical.
72 Data Centre Segmentation: Policy View

  Source \ Destination   Production Servers  Development Servers  HR Database  Storage
  Production Servers     PERMIT              DENY                 DENY         PERMIT
  Development Servers    DENY                PERMIT               DENY         PERMIT
  HR Database            DENY                DENY                 PERMIT       PERMIT
  Storage                PERMIT              PERMIT               PERMIT       PERMIT

Production servers, the HR database and storage are the protected assets. Logical view: classification from ISE, SGT propagation, enforcement on the DC firewall and DC switch.
73 Server Classifications. Nexus 1000V port profile SGT mappings (virtual access). Nexus 7000 VLAN-SGT mappings and IP-SGT mappings (DC core/distribution). Nexus 5500 port-SGT assignments for inline tagging and SGACLs (physical access). Nexus 5500 IP-SGT mappings, sent to the DC firewall via SXP. Topology: enterprise backbone, DC firewall, DC core, DC distribution, then virtual access (VM servers) and physical access (physical servers).
74 Using SG-FW and SGACL Together in the DC. ISE defines the groups: PCI_Users, PCI_Web, PCI_App and PCI_DB at risk level 1, LOB2_DB at risk level 2. SGACLs on the switches enforce policy within each risk level; the ASA enforces policy between risk levels, with the IP-SGT mappings supplied from the switch infrastructure.
75 Combining SGACL and SG-FW in the Data Centre. SGT provides common policy objects used throughout firewall and ACL rules. Centralised SGACL definition and automation. SGTs can be propagated to other DCs to simplify policy further. New on the Nexus platforms: SGACL batch programming (needs enabling), fragmented SGACL downloads, SGT caching and up to 200k IP-SGT mappings. Topology: data-centre core; DC aggregation and service layer (SG-firewall enabled device); DC access layer (SGACL enabled devices) in front of virtual access and physical servers.
76 SGT Caching. Lets third-party devices in the data path, e.g. server load balancers (SLB) or intrusion prevention (IPS), be crossed without losing the classification: the SGACL-enabled switch caches IP-SGT mappings learned from the data plane (traffic arriving tagged SGT 8, Employee), so the same source is still classified after the third-party device has stripped the tag. The cached IP-SGT mappings can also be sent to the ASA over SXP. Diagram: tagged traffic (SRC: employee, SGT: 8) enters the DC access layer; untagged traffic leaves the third-party device toward the physical servers; the SGACL-enabled device holds the IP-SGT cache.
77 Use Cases: Campus and Branch Segmentation
78 Source Campus and Branch Segmentation POLICY VIEW LoB1 Production Users LoB1 Developers LoB2 Employees Guest *LoB = Line of Business LoB1 Production Users Malware Block Malware Block DENY DENY LoB1 Developers Malware Block Malware Block DENY DENY Guests DENY DENY Internet Access PERMIT PERMIT DENY Malware Block DENY PERMIT DENY Protected Assets LoB2 Employees DENY Malware Blocking ACL Deny tcp dst eq 445 log Deny tcp dst range log Permit DENY all PERMIT LOGICAL VIEW Classification ISE Switch Router Enforcement
79 SGT Malware Recon/Propagation Security Overlay Distribution SW SGACL Egress Policy Name MAC Address SGT IP Address Endpoint A 00:00:00:00:00:0a Endpoint B 00:00:00:00:00:0b SGT SGACL can for be SGT assigned 7 is applied via RADIUS attributes statically on in 802.1X switch Authorization dynamically OR downloaded statically from assigned ISE. to VLAN Exploits by sending payload Endpoint A Endpoint B Cat3750X 1 Scan for open ports / OS SRC \ DST 7 - Employee 7 - Employee Anti-Malw are-acl Anti-Malware-ACL deny icmp deny udp src dst eq domain deny tcp src dst eq 3389 deny tcp src dst eq 1433 deny tcp src dst eq 1521 deny tcp src dst eq 445 deny tcp src dst eq 137 deny tcp src dst eq 138 deny tcp src dst eq 139 deny udp src dst eq snmp deny tcp src dst eq telnet deny tcp src dst eq www deny tcp src dst eq 443 deny tcp src dst eq 22 deny tcp src dst eq pop3 deny tcp src dst eq 123 deny tcp match-all -ack +fin -psh -rst -syn -urg deny tcp match-all +fin +psh +urg permit tcp match-any +ack +syn
80 Campus Segmentation SGACL segmentation available on :- Wired Access Distribution Core Catalyst 3560-X, 3750-X Catalyst 3850 Catalyst 4500E (7E), 4500X Wireless Access Catalyst 6500E (2T) WLC 5760 Other WLC platforms can also be configured to forward all P2P traffic into SGACL-capable switch for policy enforcement from WLC to switch propagates role info for the Wireless users 87
81 Implementing Wireless User User Policy Enforcement Permit ISE Vlan WLAN Controller Deny interface Vlan2 ip local-proxy-arp ip route-cache same-interface! cts role-based enforcement cts role-based enforcement vlan-list
82 TrustSec Support for WLAN Deployment Mode Controller Platforms TrustSec Support Release Centralised AireOS 2504, 5508 WiSM2 Centralised IOS 5760 SGT, SGACL Converged Access IOS FlexConnect 3850, 3650 SGT, SGACL 5508, WiSM2 8510, 7510 None - could use VLAN-SGT mapping as workaround 7.4 onwards IOS XE SE IOS XE SE
83 Extending Inline Tagging Across WAN to Branches Inline tagging across WAN : ISR G2 IOS 15.4(1)T & ASR (1)S Inline tagging on built-in ISRG2 & ASR 1000 Ethernet interfaces (all except 800 series ISR) Carries SGT inline across GET- VPN and IPsec VPN Cat3750-X Cat3750-X Branch B Branch A ISRG2 ISRG2 e.g. 2951/3945 SGT over GET-VPN ASR1000 Router Can also use SGT-aware Zone-based Firewall in branch and DC WAN edge for reasons like PCI compliance SGT allows more dynamic classification in the branch and DC WAN edge SGT is a source criteria only in ISR FW, Source or Dest in ASR 1000 HQ Inline SGT 90
84 Extending Across WAN - Data Centre
Bidirectional with Loop Detection available now: ISRG2 15.3(2)T, ASR1000 IOS XE 3.9
Allows ASR1000 to be an IP/SGT relay from remote to remote
Is a full replication model: each remote router will learn all IP/SGT bindings with this approach
Diagram: N7K and a Cat6K pair in the DC, ASR1K Listener-1 and Listener-2 at the WAN edge, IPv4 WAN, and Speaker-1 through Speaker-300 at the remote sites, each holding an IP Address / SGT table (Contractor, Employee, Contractor, Employee - 30).
85 Putting Use-cases Together - Worked Example
Legend: requirement to permit or apply SG-ACL; requirement to block; apply default policy.
Sources (SGT): users_x, users_y, users-z, Business_Partner_1, Business_Partner_2, Third_party_access_1, Production_Server_1, DBMS, CRM, Test_Systems, Dev_Systems
Destinations (DGT): Users_x, Users_y, Users-z, Biz_Partner_1, Biz_Partner_2, Third_Party_1, Prod_Servers_1, DBMS, CRM, Test systems, Dev Systems
Regions of the matrix map to the use cases: User-User Segmentation, User-Business Partner, Extranet access control, Controlled Access to Critical Servers (User/Context Server), DC Segmentation.
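The egress enforcement on slide 79 and the policy matrix on slide 85 describe one decision: pick the cell for (source SGT, destination SGT), then walk that cell's SGACL top-down. A Python model of that decision, added here as an example and not Cisco's code: the Anti-Malware-ACL lines are the slide's own, while SGT 20, the Web_Only SGACL, the sample flows and the implicit deny at the end of an SGACL are assumptions.

```python
"""TrustSec egress enforcement model: look up (source SGT, destination SGT) in the
policy matrix, then walk the selected SGACL top-down. Added example, not Cisco code:
the Anti-Malware-ACL lines are those shown on the slide; the other SGT numbers, the
Web_Only SGACL and the flows are constructed, and the implicit action at the end of
an SGACL is assumed here to be deny (confirm it for your platform and release)."""
from __future__ import annotations
from dataclasses import dataclass, field

PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}
TCP_FLAGS = {"ack", "fin", "psh", "rst", "syn", "urg"}

@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    src_sgt: int
    dst_sgt: int
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"syn"}

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src_port: int | None = None
    dst_port: int | None = None
    flag_mode: str | None = None    # "match-all", "match-any" or None
    flags: dict = field(default_factory=dict)  # flag name -> must it be set?

def parse_ace(line: str) -> Ace:
    """Parse one RBACL line, e.g. 'deny tcp src dst eq 3389' or
    'deny tcp match-all -ack +fin -psh -rst -syn -urg'."""
    tokens = line.split()
    ace = Ace(action=tokens[0], proto=tokens[1])
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("src", "dst") and i + 2 < len(tokens) and tokens[i + 1] == "eq":
            port = PORT_NAMES.get(tokens[i + 2]) or int(tokens[i + 2])
            setattr(ace, f"{tok}_port", port)   # 'src eq N' / 'dst eq N' pins a port
            i += 3
        elif tok in ("src", "dst"):             # bare src/dst as on the slide: any port
            i += 1
        elif tok in ("match-all", "match-any"):
            ace.flag_mode = tok
            i += 1
        elif tok[0] in "+-" and tok[1:] in TCP_FLAGS:
            ace.flags[tok[1:]] = tok[0] == "+"  # '+syn' must be set, '-ack' must be clear
            i += 1
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return ace

def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto not in ("ip", flow.proto):
        return False
    if ace.src_port is not None and ace.src_port != flow.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != flow.dst_port:
        return False
    if ace.flag_mode is None:
        return True
    checks = [(f in flow.flags) == wanted for f, wanted in ace.flags.items()]
    return all(checks) if ace.flag_mode == "match-all" else any(checks)

def evaluate(matrix: dict, flow: Flow, default_policy: str = "permit",
             implicit_end: str = "deny") -> tuple[str, str]:
    """Return (action, reason): matrix cell lookup, then the first matching ACE wins.
    matrix maps (src_sgt, dst_sgt) to (sgacl_name, [ace lines])."""
    cell = matrix.get((flow.src_sgt, flow.dst_sgt))
    if cell is None:
        return default_policy, "no cell for this SGT pair -> default policy"
    name, lines = cell
    for line in lines:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace.action, f"{name}: {line}"
    return implicit_end, f"{name}: no ACE matched -> implicit {implicit_end}"

# 7-Employee -> 7-Employee cell: the slide's Anti-Malware-ACL lines, in slide order.
ANTI_MALWARE_ACL = (
    ["deny icmp", "deny udp src dst eq domain"]
    + [f"deny tcp src dst eq {p}" for p in (3389, 1433, 1521, 445, 137, 138, 139)]
    + ["deny udp src dst eq snmp"]
    + [f"deny tcp src dst eq {p}" for p in ("telnet", "www", 443, 22, "pop3", 123)]
    + ["deny tcp match-all -ack +fin -psh -rst -syn -urg",
       "deny tcp match-all +fin +psh +urg",
       "permit tcp match-any +ack +syn"])

EMPLOYEE, PROD_SERVERS = 7, 20   # 7 is the slide's Employee SGT; 20 is constructed
MATRIX = {
    (EMPLOYEE, EMPLOYEE): ("Anti-Malware-ACL", ANTI_MALWARE_ACL),
    # constructed cell for the worked example's "controlled access to critical
    # servers" use case: employees reach Prod_Servers_1 over HTTPS only
    (EMPLOYEE, PROD_SERVERS): ("Web_Only", ["permit tcp dst eq 443"]),
}
```

Calling evaluate(MATRIX, Flow("tcp", 7, 7, 50000, 3389, frozenset({"syn"}))) returns the deny hit on the RDP line, while a TCP segment with no flags set between two employees falls through every ACE and ends at the implicit action.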
86 PCI Compliance
87 PCI Compliance
Diagram: Data Centre network hosting a PCI Server and a Server; WAN; Branch with a Register and a Workstation.
Key: SEGMENTATION ENFORCEMENT; PCI SCOPE SEGMENTATION ACROSS COMPANY
88 PCI Compliance validation.pdf
89 Summary
90 Summary
TrustSec can be deployed for multiple use-cases
  Can start with specific use-cases with minimal platform dependencies
  Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the policy matrix
TrustSec SGT can mean
  Centralised policy for complete network
  Distributed enforcement and scale
  No device-specific ACLs or rules to manage - one place to audit
  Servers can cycle through Dev > UAT > Prod without readdressing
Operational benefits
  SGACLs avoid VLAN/dACL efforts and admin
  Security policy managers/auditors do not need to understand the topology or the underlying technology to use the policy matrix
  Firewall rule simplification and OpEx reduction
  Faster and easier deployment of new services
91 Related Sessions
BRKSEC-2692 Identity Based Networking: IEEE 802.1X and Beyond - Hariprasad Holla, Cisco Technical Marketing Engineer
BRKSEC-3698 Advanced ISE and Secure Access Deployment - Aaron Woland, Cisco Technical Marketing Engineer
BRKSEC-2203 Deploying TrustSec Security Group Tagging - Kevin Regan, Cisco Product Manager
BRKSEC-3690 Advanced Security Group Tags: The Detailed Walk Through - Darrin Miller, Cisco Distinguished Engineer
BRKSEC-2045 Mobile Devices and BYOD Security - Deployment and Best Practices - Sylvain Levesque, Consulting Systems Engineer
BRKEWN-2020 Wireless LAN Security, Policy and BYOD Best Practices - Federico Ziliotto, Senior Systems Engineer
BRKSEC-3035 Successful Designing and Deploying Cisco's ISE 1.2/MDM Integration - Christoph Altherr, Senior Systems Engineer
PSOSEC-2001 BYOD: Management and Control for the Use and Provisioning of Mobile Devices - Russell Rice, Director of Product Management
Topic tracks: Adv X Topics; Adv. ISE Topics; Intermediate and Adv TrustSec; BYOD MDM Mobile Device Security
92 Links
For more info:
TrustSec and ISE Deployment Guides: _TrustSec.html
PCI Scope Reduction with Cisco TrustSec QSA (Verizon) Validation: dation.pdf
YouTube: Fundamentals of TrustSec:
93 Call to Action
Visit the Cisco Campus at the World of Solutions to experience the following demos/solutions in action: Cisco Secure Access with ISE, TrustSec in the Data Centre, TrustSec in the Campus and Branch, TrustSec Threat Mitigation
Meet the Engineer: Kevin Regan, Darrin Miller, Craig Hyps, Aaron Woland
Discuss your project challenges at the Technical Solutions Clinics
Lunch Time Table Topics, held in main Catering Hall
Visit CL365 (CiscoLiveEU.com) after the event for updated PDFs and on-demand session videos.
95 Q & A
96 Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt! Complete your Overall Event Survey and 5 Session Evaluations:
  Directly from your mobile device on the Cisco Live Mobile App
  By visiting the Cisco Live Mobile Site
  Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected in the World of Solutions on Friday 20 March, 12:00pm - 2:00pm
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.
97 Thank you.