Security? where to? Adrian Aron. Consultant Systems Engineer. 19 Oct

Transcription

1 Security? where to? Adrian Aron Consultant Systems Engineer 19 Oct

2 Agenda Industry shift and trends Router security, switch security OpenDNS Integration and automation Q&A

3 Road from task to implementation Task Goal Implementation Problem set 1 Problem set 2

4 Example 1: car industry sustainable green cars Tesla S Toyota Prius / BMW i Mercedes F-cell Less polution Tesla 3 Rimac Renault Zoe Implementation how? go-to market price, autonomy, what technology? energy distribution

5 Example 2: security architecture segregation 2FA, RBAC, VLAN,VxLan, MPLS ACI fabric automate Machine learning pxgrid, REST, TAXII SDA, SDP, SDN Implementation segment, auth integrate, API inspect, log scripting, react

6 Router security

7 Integrated Security Solution for Branches Options available on the ISR 4000 series: Stealthwatch Learning Network Umbrella Branch (OpenDNS) VPN ZBFW Snort IPS Firepower

8 Snort IPS Container Architecture Snort WAAS Other apps IOSd Traffic Path Management VPG Traffic VPG LXC Linux OS Data Plane KVM Virtual Ethernet Virtualization Manager (VMAN) Virtual Ports (VPG) LXC CPU Cores Allocated Control Plane Data Plane - Snort IPS runs on a Linux Container using control plane resources - Traffic is punted to Snort Container using Virtual Port Group interface - Reserved CPU and memory for Snort process enables deterministic performance

9 Cisco Umbrella Branch Your first layer of defense at branch offices Cisco Umbrella Branch Cisco ISR Block MALWARE C2 CALLBACKS PHISHING Visibility & enforcement at the DNSlayer Block requests to malicious domains and IPs Predictive intelligence: uncover current & emergent threats Protect all devices on your branch network against: o Malware o Phishing o C2 callbacks Devices on branch network

10 How Umbrella Branch Works OpenDNS DNS recursive server HTTPS server DNS Request (1) DNS Response (4) Internet Client ISR4K Approved Content (5) Web Servers

11 Firepower Threat Defense on ISR - IDS Host the IDS Sensor on the UCS-E server colocated within router Replicate and push all the traffic to be inspected to the Sensor FP sensor examines traffic ESXi WARNING: It is not recommended to install FP sensor and Firepower Management Center VMs on the same UCS-E unless it is for testing purpose

12 Firepower Threat Defense for ISR- IPS (front panel port) Host the Sensor on the UCS-E server IPS is in inline mode Packets ingress via the UCS-E front panel port SF sensor examines traffic; allowed packets egress the WAN interface UCS-E front panel Port ESXi UCS-E ucse 1/0 ucse 1/1 LAN port WAN port 12

13 Automating Security in your Branch Offices Packet Analysis Packet recorder Manager ISE Private / Public Network ISR4K with Agent Branch Network ISR4K with Agent

14 Basic Operation of the Learning Network Learning Builds map of IP addresses to Discovers traffic paths 1 Network 2 learn Agent about its environment Studies traffic movement, Identifies applications on 3 4 volumes, patterns, NBAR and DPI times of day Precisely identifies anomaly; Learns to distinguish normal 5 6 allows operator to take from anomalous action to remediate

15 Stealthwatch Portfolio: Learning Network Cisco ISE Learning Network Manager Stealthwatch Management Console Stealthwatch Labs Intelligence Center (SLIC) threat feed User and Device Information Flow Collector The Stealthwatch Learning Network License Branch Network Flow Enabled Infrastructure adds anomaly detection & mitigation capabilities deployed in an ISR 4000.

16 Inbox Top Level view

17 Inbox Conversations

18 Open DNS

19 1: Provision On-Network Devices via DNS Server Acme Widgets Policy enforce all security settings for DNS DNS Internet Quer Respon y se Internal Network Egress: Internet DNS Server external DNS resolution = default Gateway DNS server = ACME WIDGETS

20 ENCRYPT ED 2: Provision On or Off-Network Mac / PCs via Roaming Client Acme Widgets Policy enforce all security settings for GUID = Acme employee s Mac default DNS Quer y DNS Respons e Internet Roaming Client inserts GUID & Org ID in EDNS request, encrypts and forwards STARBUCKS Employee s Mac / PC Network Egress: Internet Gateway e.g. Wi-Fi, router 20

21 A Single, Correlated Source of Intelligence Passive DNS database WHOIS record data Malware file analysis ASN attribution IP geolocation Domain & IP reputation scores Domain co-occurrences INVESTIGATE Anomaly detection (DGAs, FFNs) DNS request patterns/geo. distribution

22 Top Ways to Add OpenDNS to Customer s Security Stack OFF- NETWORK SECURITY SECURE DIRECT- TO-NET OFFICES NEW LAYER OF PREDICTIVE SECURITY AUTOMATE ENFORCEMENT & VISIBILITY SPEED UP INCIDENT RESPONSE Umbrella + ASA / AnyConnect Umbrella + ISR / Meraki Umbrella + AMP for Endpoints Umbrella + Threat Grid Investigate + Threat Grid

23 Integration looking forward Automation is a consequence

24 Policy enforcement Visibility Threat Analysis SXP, pxgrid Network Analysis SGT Group Provisioning APIC EM SGACLs REST Group Membership APIC-DC ACI RADIUS, SXP, pxgrid Group/Membership Info SGT EPG Translation Group-based Policies Next-Gen firewalls ASA firewalls VPN appliances Web Security appliances Group Download, Dynamic Classifications Dynamic Policy Download (SGACL) Software-Defined Segmentation Catalyst switches Nexus switches Industrial Ethernet switches Integrated Service Routers Wireless LAN Connected Grid Routers & Switches

25 Enabling Group-based Policies across the Enterprise Policy corelation DB DB SG-FW SG-ACL Contract Campus / Branch / Non ACI DC TrustSec Policy Domain APIC DC Data Center APIC Policy Domain Shared Policy Groups Voice Employee Supplier BYOD Voice VLAN Data VLAN TrustSec domain ACI Fabric Web App DB

26 Making StealthWatch Aware of ACI Groups Policy enrichment and adjustoment What s new? SGT-aware StealthWatch Integration of TrustSec and ACI policy groups allows us to make NetFlow aware of Groups from the DC SGTs in NetFlow Records APIC-DC StealthWatch then receives NetFlow with SGT information based on the DC groups from ACI ACI Group Info ACI Info shared using Security Group Tags www Voice Non- Compliant Employee Supplier BYOD Web Prod App Dev App PCI App Database

27 Cisco Platform Exchange Grid (pxgrid) Any-to-Any Platform Data & Service Exchange I have SIEM events! I need p-capture I have cloud security data! I need EMM data I have vulnerability info! I need threat data I have threat data! I need app data I have firewall logs! I need identity? Direct, Secured Interfaces We need to pxgrid Proprietary share security Context APIs aren t & Service the Sharing solution data & service capabilities Single, Reusable Framework I have application info! I need location & auth-group I have p-capture info! I need identity I have location! I need identity I have EMM info! I need location I have endpoint inventory info! I need vulnerability data I have identity & device-type! I need endpoint inventory & vulnerability

28 Rapid Threat Containment Use Cases Benefits Detect threats early ANC Mitigation actions sent to ISE for real-time response Automate alerts Leveraging ISE ANC to alert the network of suspicious activity according to policy Leverage a growing ecosystem of partners that provide rapid threat containment by integrating with ISE Rapid Threat Containment with Ecosystem Partners and ISE Corporate user downloads file Malware detected on device Scans user activity and file Behavioral Analysis Vulnerability Scans SIEM/TD Detects suspicious file and alerts ISE using pxgrid by changing the Security Group Tag (SGT) to suspicious Based on the new tag, ISE enforces policy on the network Access based on organizations security policy ANC Mitigation Actions ISE EPS RESTful API pxgrid (EndpointProtectionService/AdaptiveNetwork Control STIX- Threat Centric NAC- AMP/Qualys

29 pxgrid Industry Adoption Critical Mass 40+ Partner Product Integrations and 12 Technology Areas in 18 Months Since Production Release Net/App Performance IoT Security Firewall & Access Control SIEM UEBA Threat Defense Cisco ISE IAM & SSO Cisco pxgrid SECURITY THRU INTEGRATION Cisco FirePower Cisco StealthWatch? Vulnerability Assessment Cisco WSA DDI Packet Capture & Forensics Rapid Threat Containment (RTC) Cloud Access Security pxgrid-enabled Partners: Cisco: WSA, FirePower, ISE, StealthWatch RTC: Cisco FirePower, Cisco StealthWatch, Attivo, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Intelliment, Invincea, Lemonfish, LogRhythm, NetIQ, Rapid7, RedShift, SAINT, Splunk, Tenable, ThreatTrack, TrapX Firewall: Check Point, Infoblox, Intelliment, Bayshore DDI: Infoblox CASB: Elastica, Netskope, SkyHigh Net/App: Lumeta, Savvius SIEM/TD: LogRhythm, NetIQ, Splunk UEBA: E8, FortScale, Niara, Rapid7 IAM: NetIQ, Ping, SecureAuth, Situational Vulnerability: Rapid7, SAINT, Tenable IoT Security: Bayshore Networks P-Cap/Forensics: Emulex

30 Conclusions Infrastructure takes many forms to ensure telemetry and detection Time to detection becomes critical Router security, switch security, no longer a switch / router DNS is a tool used for attacking and defending, if time to detection! Integration and automation, contains a breach Q&A