Inside Cisco IT: How Cisco IT Deploy ISE and TrustSec Throughout the Enterprise

Transcription

1

2 Inside Cisco IT: How Cisco IT Deploy ISE and TrustSec Throughout the Enterprise Donald Gunn Program Manager IT, Cisco Adam Cobbsky Senior Engineer IT, Cisco

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Related ISE Sessions Designing ISE for Scale & High Availability [BRKSEC-3699] Deploying ISE in a Dynamic Environment [BRKSEC-2059] ISE under magnifying glass. How to troubleshoot ISE [BRKSEC-3229] Lets get practical with your network security by using Cisco Identity Services Engine (Cisco ISE) [BRKSEC-2464] Advanced Security Integration, Tips & Tricks [BRKSEC-3557]

5 Agenda Defending the Enterprise Addressing the Challenge Guest Access Production System Architecture Increasing Security Step by Step Enforcement Identity Based Differentiated Access Posture Based Differentiated Access Q&A

6 Defending the Enterprise

7 Cisco at a Glance 94 Countries 434 Offices 133,361 Connected Stakeholders 72,354 Employees 6,243 Routers 500+ Cloud ASPs 468 WLCs 28.1MW Data Center Capacity 87PB Overall Usable Storage 192,770 Connected User Devices SJC 45% AM Other 6% RTP 14% Global Distribution of IT Staff 76,136 Virtual Machines EU/EM 7% India 21% 100 Services AP Other 7% 7.6 Billion DNS Requests per day 8,415 LAN Switches 10,690 UCS Servers 47TB Daily Bandwidth Usage Data as of January Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Cisco IT Network Security Requirements Visibility + Attribution Integration Consistency Centralization Control Real-Time Defense Automation Simplification 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 What is Identity Services Engine (ISE)? A centralized security solution that enables context-aware access control and shares contextual data Network Door Identity Profiling and Posture Threat Vulnerability Who What When Where Traditional Guest Access BYOD Access Role-Based Access Access Policy Cisco TrustSec Network Resources How Compliant Context Threat Containment ISE pxgrid Controller 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Cisco IT ISE Production Deployment Metrics ~14K Guest/Day CWA Central Web Auth ISE 1.2, 8 VMs, 2 DCs Guest Net (Internet) 468 WLC; ~200K EP 26K CVO x 2; ~60K EP ISE 2.1, 24 VMs, 8 DCs 70 ASA; ~90K EP 2K SW; ~200K EP 25 Sites; ~50K EP Corporate Access WLAN, CVO, VPN, LAN 1.5 Million active profiled Endpoints Max ~450K Concurrent Endpoints 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Seamless Connectivity and Integrated Security Identity Services Engine StealthWatch Cisco Core Network Umbrella WSA ESA AMP For Network Device Management Wired Network Devices Wireless Devices Adaptive Security Appliance FireSight Home Access (CVO) AnyConnect - VPN - Umbrella AMP - AMP For Endpoints Threat-Grid 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 ISE As a Data Provider - Spark Board Locations 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Addressing the Challenge

14 ISE Program Management Structure ISE Architecture & Design Security model & ISE Architecture Desktop & Mobility Services Device Management, Posture Compliance, User Experience Directory Services (AD) DC & Hosting Services (VMs) Network Infra & Security Services Access, Platform management, Deployment & Operations ISE Program Management ISE BU & TAC ISE Best Practices, Config Optimization, Support InfoSec Security Policies, Quarantine Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Sample ISE Basic Deployment Roadmap Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Completion Foundation ISE 1.2 Install Infra Network Guest Wireless VPN Apply patches Fine tune Wired Optimize ISE 1.3 Upgrade Fine tune Monitor Design, Proof of Concepts, Data Analysis Endpoint Analysis: Wired dot1x MM & Profiling ISE 1.4 Upgrade Optimize Guest Access Wireless (WLAN) Auth Deployment CVO (Home Office) Wireless Auth CVO Wired Auth VPN Auth Wired 802.1X Monitor Mode Deployment Limited Sites Wired Auth Global Wired Auth Enforcement Posture Assessment (DM) Posture Enforcement (ISE) Security Group Tagging (SGT) Quarantine/Remediation PxGrid Integration Advanced Capabilities 802.1x Authentication ISE 2.1 Upgrade Fine tune 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Guest Access

17 Primary Primary Guest Access Deployment (ION) Visitor Management Tool (API Integration) Lobby Ambassadors (Physical & Virtual) Guest Account Creation Integration With Reception PPAN Alias PAN MnT PSN MTV PSN PAN PSN AER MnT PSN ion-mtv-guest ion-aer-guest ION LB VIPs ion-mtv-sponsor Secondary ion-aer-sponsor ION LB VIPs Account Creation Guest Portal Auth Wireless access NADs AMER Wired access Sponsor Portal GSS internet.cisco.com Guest Account Creation Secondary Guest Portal Auth Wireless access Wired access NADs EMEA/APJC Authentication 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Cisco IT ISE Guest Network 2,107 6,379 3,583 2,232 Top 4 cities by number of guest authentication on a typical business day 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Production System Architecture

20 Single Global ISE Deployment (WLAN, CVO, LAN, VPN) 24 ISE Nodes 20 PSNs; 8 DC (Node Groups) MTV ALN RTP AER TYO HKG BGL SNG Primary ISE PAN/M&T Secondary ISE PAN/M&T ISE PSNs 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Cisco IT ISE Global Deployment (WLAN, VPN, LAN) ISE PSNs Data Center (8) Network Devices (sites/cities) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Authentication Statistics (24 hours) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 ISE Deployment High Availability Architecture HA NAD Configuration HA SLB Configuration ISE Product Evolution Modularity MTV-WLAN PS N PS N PS N PS N PSN1 Primary -> Secondary Automatic Failover MTV-LAN MTV-VPN MTV-CVO VIP by Service MTV-VIPs PS N ALN-VIPs RTP-VIPs Load Balancer User-probe Auth Is PSN Authenticating? PSN2 PSN3 PPAN PMnT SPAN SMnT Interval = 10 sec Down Time = 30 sec MTV ALN Retries = 3 Primary, Secondary RADIUS Servers NADs Proximity 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 We Recommend You Use Load Balancers VLAN 98 ( /24) VLAN 99 ( /24) Ease of global configuration Overcome device limits for AAA servers Ease of migration, cluster split. No need to change thousands of network devices DNS Request for request sent service at to resolve single host psn.cluster psn-cluster FQDN User Access Device Request sent to Virtual IP Address (VIP) Response received from real server DNS Lookup = psn-cluster.company.com DNS Response = Request to psn-cluster.company.com LB Response from ise-psn-3.company.com VIP: PSN-CLUSTER DNS Server PSN ISE-PSN-1 PSN ISE-PSN-2 PSN ISE-PSN Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Load Balancing Dashboard Authentication, Accounting, and Profiling events over 24 hours Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Consideration When Using Load Balancers CoA SRC= CoA SRC= PSN ISE-PSN SLB PSN ISE-PSN Before aaa server radius dynamic-author client server-key cisco123 client server-key cisco123 client server-key cisco123 client server-key cisco123 client server-key cisco123 client server-key cisco123 < one entry per PSN > PSN ISE-PSN-3 PSN ISE-PSN-X x After aaa server radius dynamic-author client server-key cisco Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Increasing Security Step by Step

28 First Steps In the Lab Wired 802.1x Identity Based Differentiated Access Posture Based Differentiated Access

29 When You First Enable ISE 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 802.1X Wired - Monitor Mode MONITOR MODE AuthC without Enforcement Prepares for Enforcement Mode Evaluates Remaining Risk Provides Baseline NAD ISE Known MAC Unknown MAC.1X Failures.1X-Pass RADIUS Authentication & Accounting Logs: Passed / Failed 802.1X (Who has bad credentials? Misconfigurations?) Passed / Failed MAB attempts (What don t I know?) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 IBNS 2.0 Concurrent Authentication Faster on-boarding of endpoints into the network Flex Auth - Sequential Authentication.1x authentication order dot1x mab EAP CDP/DHCP EAP Campus LAN RADIUS IBNS Concurrent Authentication event session-started match-all 10 class always do-until-failure 10 authenticate using dot1x priority authenticate using mab priority 20 You configure IBNS using the Cisco Common Classification Policy Language - CCCPL Faster on-boarding, good for delay sensitive endpoints. An endpoint may be authenticated by both methods, but priority determines the ultimate authorization..1x EAP CDP/DHCP EAP Campus LAN RADIUS Additional load to RADIUS Server. Two authentication requests sent for same client 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 IBNS 2.0 Fine Tuning MAB Devices (w/o supplicants) & minimal traffic Configure switch ports to initiate EAP transactions access-session control-direction in Dot1x timer adjustments Modify defaults per best practices, e.g. dot1x timeout quiet-period 300 dot1x timeout tx-period 10 dot1x timeout supp-timeout 5 dot1x timeout ratelimit-period 300 Apple Thunderbolt ethernet adapter Dot1x authentication not automatically initiated Resolved: Change network profile from System to User type 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Wired 802.1x AuthLearning Start with Monitor Mode Communicate! Evaluate employee feedback Work with device teams ahead of enforcement Think User-Experience 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Enforcement

35 Wired Connection Authentication Access-Request Permit Access Access-Accept dacl Defined on ISE: Permit IP dacl: Permit IP any 802.1x & MAB Port ACL Permit DNS, DHCP, NTP Failed Auth Redirect ACL (Called by ISE) Deny traffic for: Laptop builds, Support portal, PWD Reset Access-Request Access-Accept Access-Accept (Restricted) Access restricted by dacl URL-Redirect dacl Defined on ISE: Permit DNS, TCP 80/443 ICMP, & Redirect Traffic 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 MAB Devices - Recommendations Manually add them to ISE Identity Group Create an Automated Request Process Enable Probes / Device Sensors Enable Profiling Be aware of challenges and monitor inconsistencies Create your own Custom Profiles Standard naming, OUI Data. Note: When CDP & LLDP concurrently enabled Some older UCV 89xx & 9xxxx phones with firmware > reboot Simple workaround disable LLDP on the phone 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Minimizing Service Disruption Wired AuthC (automate-tester) X Service Disruption NOT Detected Access-Reject Synthetic AuthC (test user) X Active Directory Service Disruption Detected EEM Access-Reject Access-Accept X Allow Access Temp. AuthC Restore EEM EEM 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 EEM script provides assurance End-to-end test of authentication process If authentication fails: 1. Inserts "ip permit any any as line 1 in the port ACL 2. Records which switch ports configured with dot1x sh run i interface GigabitEthernet dot1x timeout 3. Removes commands under the Interface template "no dot1x pae authenticator, no mab Upon successful authentication: 802.1x restored Users/devices must re-authenticate 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 OnBoarding IoT Devices IoT Devices Access Based On Endpoint Identity Group Full access No restrictions Franking Machines Coffee Machine Building Management (BMS) Provisioning Web Tool + API to ISE: Auto approval for Internet InfoSec approval for Internal Access (Full/Appropriate) Appropriate Access Internet Only Access 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Identity Based Differentiated Access

41 ACLs Dependent Upon Device Profile Redirect-ACLs have size limitation Same as dacls & per-user ACLs Max 4000 ASCII characters (Switch) Max 64 lines (WLC) More apparent when we consider Remediation Others Windows Linux Others Cisco Windows Linux Cisco ACL By Endpoint Type, Profiling Based 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Software Defined Segmentation Use Cases Divestiture Development Partners IoT Benefits: Maintain existing network topologies Simple, cost effective Centralize policy management Consistent, faster deployments Quicker response to threats 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 IP-SGT (TrustSec) Dynamic - SGT Source Static - SG Destination ACL AD Group / Profiling Cisco Employee (1) Divestiture Employee (2) Printer(3) Engr. App. (1000) / / / /14 Mail (1001) / / / /28 DNS (1003) / /29 AD (1009) / /29 Tag assigned by ISE at Authentication cts role-based sgt-map /16 sgt 1000 cts role-based sgt-map /28 sgt 1001 cts role-based sgt-map /29 sgt 1003 cts role-based set-map /28 sgt Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 Source SGT (Dynamic) Engineering App (1000) Mail (1001) MDM (1002) DNS (1003) Unknown (1005) Cisco Employee (1) Divestiture Emp. (2) Partner (3) Policy Matrix Destination SGT (Static SGT) Divestiture Emp. (2) O SGACL SGACL SGACL SGACL O SGACL O Partner (3) O O SGACL SGACL O O O SGACL Untrusted (1810) O O O O O O O O 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Example: DC Access Control with TrustSec Data Center Firewall Data Center Campus Core Enforcement IP-SGT mapping Policy creation Policy enforcement Policy deployment Access Layer Employee Tag Supplier Tag Guest Tag Voice Voice Employee Suppliers Guest Quarantine Quarantine Tag Wireless Wired 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

46 IT Objective: Where to Enforce Policy Enforce as close to user as possible Ideally on the access switches and WLCs Challenges: WLC 64 line ACL limit 3850 has a limit of 255 Destination SGTs 4510 could not enforce policies for destination subnets only hosts ASAs configured to support Remote Access VPN (AnyConnect) could not enforce TrustSec policies 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Solution: Install SXP and Enforce at 1 st Hop Router SXP = SecureGroup Exchange Protocol Dynamically assigned SGT s and SGACLs propagated to the policy enforcement point (PEP) Cisco User AD Group Membership SXP Speaker (NAD) SXP Listener (Enforcement Point) Technicolor SXP Speaker (NAD) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Posture Based Differentiated Access Enforcement COMPLIANT 20 Non-COMPLIANT 21 Assign tag based on device posture Send IP <-> SGT Mapping & Policy Matrix COMPLIANT 20 Internal Network & Internet Non-COMPLIANT 21 NAD Enforcement Point Remediation & Internet Access based on Policy Matrix from ISE 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 Differentiated Access For AnyConnect VPN Problem Different VPN solutions for different user communities Overhead of HW and management Before TrustSec Solution Use consolidated VPN clusters Tag traffic and enforce policies as required Allows greater resiliency and availability Single Cluster With TrustSec Employee High Risk Partner Employee Partner High Risk 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Configuring SXP IP <-> SGT Mapping Via SSH Speaker Listener SSH NAD Policy Enforcement Point ISE PAN Static Connection Dynamic Connection 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

51 IP <-> SGT Mapping Via SXP Speaker Speaker Listener ISE PSN 1 SXP NAD Policy Enforcement Point ISE PSN 2 Tip 1: SXP pushes IP-SGT mapping immediately upon configuration Tip 2: IP-SGT mapping is lost if SXP connection drops! ISE PSN Cisco and/or its affiliates. All rights reserved. Cisco Public 52

52 Best Of Both Alternatives SXP Reflectors Speaker Listener Reflector Speaker Speaker Listener ISE Reflector Enforcement Point Hybrid IP <-> SGT mapping via SSH and SXP 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

53 Posture Based Differentiated Access

54 What is Posture? Posture Security configuration of the device Assessment Measure and check against Company requirements Device Manager 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 55

55 Guiding Principles Enablement Minimise Impact Remediation is key Expect Complexity 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

56 Trusted Device Standard Device to user attribution Encryption (Cisco Data) 6 character PIN / password 10 Minute Auto screen lock (Max) Jailbreak / Rooted device detection Approved Anti-malware Minimum OS version Software patching within 4 weeks. Remote Wipe for proprietary data Hardware/Software Inventory 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

57 Policy Mapping Device Management ISE AnyConnect Device to user attribution Encryption (Cisco Data) 6 character PIN / password 10 Minute Auto screen lock (Max) Jailbreak / Rooted device detection Approved Anti-malware Minimum OS version Software patching within 4 weeks. Remote Wipe for proprietary data Hardware/Software Inventory Is device under Company Management? Anti-Malware Condition Anti-Spyware Condition Anti-Virus Condition Application Condition Compound Condition Disk Encryption Condition File Condition Patch Management Condition Registry Condition Service Condition USB Condition Windows Update Condition 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 58

58 Issues for Posture Desktop Example Detection of Management Agent after device start-up PWR Windows Startup AnyConnect Posture Check SCCM Service not detected. NOT COMPLIANT! 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

59 Issues for Posture Wired MAC address 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

60 Mobile Device Posture Device Management Remediation Processes Status and Inventory Read Security Policies Pushed Managed? Compliant? Get all non compliant devices Actively Managed ISE Not Actively Managed Internet 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 61

61 ISE vs MDM Deployment MTV ALN RTP AER TYO HKG BGL SNG MDM Server Many to One Relationship 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 62

62 Managing Scale Enrollment job Detects new devices Device Management Managed? Compliant? Get all non compliant devices ISE Remediation Processes Status and Inventory Read Security Policies Pushed Actively Managed Not Actively Managed Internet 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 63

63 Managing Scale Enrollment job Detects new devices Set Custom Attribute in ISE Indicates Managed Device. Device Management Managed? Compliant? Get all non compliant devices ISE Remediation Processes Status and Inventory Read Security Policies Pushed Actively Managed Not Actively Managed Internet 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 Managing Scale Enrollment job Detects new devices Set Custom Attribute in ISE Indicates Managed Device. Device Management Managed? Compliant? Get all non compliant devices ISE Remediation Processes Status and Inventory Read Security Policies Pushed Actively Managed Not Actively Managed Internet 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 63

65 User Remediation Issues to Consider When a device is not compliant and has restricted access: Is Device Management system accessible How to enrol a new device in management? How to re-image a device? How does a user remediate a restricted device? How does a user gets access after remediation? How to re-initiate a posture check? How do you ensure the change is recognised immediately? 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 66

66 Evolving Our Capabilities Future State? Device Management 123XXX 123XXX + Status 123XXX 123XXX Unique ID Device Identity Store ISE Query: Device ID & Status ISE Authorisation Access Decision 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 67

67 ISE Deployment Takeaways Focus on user experience first not technical capabilities Consider each platform type separately Phase your deployment - learn small and scale quickly. Speed and automation are critical to meeting challenges Work closely with your device teams Don t forget remediation

68 Come talk to our Cisco IT Experts! Cisco on Cisco will have 5 demo booths placed around the Cisco Campus showcasing how Cisco IT designs, deploys, and manages our own solutions. Through these IT success stories you ll see how Cisco solutions are driving transformational business benefits. World of Solutions Collaboration AppDynamics ACI & TA NSO vbranch 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 69

69 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

70 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

71 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 72

72 Thank you

73