Cisco Day Hotel Mons Wednesday

Transcription

1 Cisco Day Hotel Mons Wednesday

2 Why Identity is so important? - Identity Services Engine update György Ács IT Security Consulting Systems Engineer 20 April 2016 ISE Champion

3 Agenda Best Practices, Tips and Tricks on these selected topics: Hardware, infrastructure review Authentication and Authorization Policies Certificates Guest, Profiling, Posture pxgrid, Fire & ISE TACACS+ REST API

4 Hardware, infrastructure review

5 Scaling by Deployment/Platform/Persona Determining Minimum Appliance Quantity and Platform Type Determining Minimum MnT PAN PAN Appliance Quantity and Platform PSN MnT Type Persona Deployment Max Nodes by Type Max Endpoints for Entire Deployment All Personas running on single or redundant nodes 2 Admin+MnT+PSN nodes 5k with SNS k with SNS k with SNS k with SNS-3595 Administration and Monitoring colocated on single or redundant nodes Dedicated Policy Service nodes 2 Admin+MnT nodes 5 Policy Service nodes 5k with SNS-3415 PAN+MnT 7.5k with SNS-3515 PAN+MnT 10k with SNS-3495 PAN+MnT 20k with SNS-3595 PAN+MnT PSN PAN MnT PSN Dedicated Administration node(s) Dedicated Monitoring node(s) Dedicated Policy Service nodes 2 Admin nodes 2 MnT nodes 40 Policy Service nodes (3495s) 50 Policy Service nodes (3595s) 250k with SNS-3495 for PAN and MnT 500k with SNS-3595 for PAN and MnT Note: Max Endpoints = Max Active Sessions; ISE supports 1M Endpoints in DB 5

6 Policy Service Node Sizing Physical and Virtual Appliance Guidance Max Endpoints Per Appliance for Dedicated PSN Form Factor Physical Platform Size Appliance Maximum Endpoints Small SNS ,000 Large SNS ,000 Small (New) SNS-3515 * 7,500 Large (New) SNS-3595 * 40,000 Virtual S/L VM *5,000-40,000 General VM appliance sizing guidance: 1) Select physical appliance that meets required persona and scaling requirements * Under ISE 2.0.x, scaling for Small & Large 35x5 appliance same as Small & Large 34x5 appliance. 2) Configure VM to match or exceed the ISE physical appliance specifications 6

7 ISE VM Provisioning & Disk IO Guidance VMotion officially supported in ISE 1.2 Thin Provisioning officially supported in ISE 1.3 (recommend Thick Provisioning for MnT) Hyper-Threading not required, but can TPS IO Performance Requirements: Read 300+ MB/sec Write 50+ MB/sec Recommended disk/controller: 10k RPM+ disk drives Caching RAID Controller RAID mirroring (Slower writes using RAID 5*) Starting in ISE 1.3: No more storage media and file system restrictions. For example, VMFS is not required and NFS is allowed provided storage is supported by VMware and meets ISE IO performance requirements. Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at own risk. *RAID performance levels: 7

8 ISE Bandwidth Calculator (Multi-Site) Note: Bandwidth required for RADIUS traffic is not included. Calculator is focused on inter-ise node bandwidth requirements. Now available to 8

9 Location Based Authorization Authorize User Access to the Network Based on Their Location UI to Configure MSE MSE 8.0 ISE 2.0 I have Location Data Campus:Building:Floor:Zone

10 Tracking Location in Authorization Policy Limit Location Tracking to Critical Locations and Resource Access Track Movement of the endpoint after authentication using MAC address Query MSE every 5 minutes to verify current location. If no change, do nothing If change, update endpoint info and issue CoA. Best Practice: Do NOT track every session! Limit tracking to critical access based on location. Excessive tracking can lead to lookup failures. (Max 150 TPS)

11 Authentication, Authorization Policies Optimization

12 Search Speed Test Find the object where Total stars = 10 Total green stars = 4 Total red stars = 2 Outer shape = Red Circle 12

13 AuthZ Policy Optimization Avoid Unnecessary External Store Lookups Policy Logic: o First Match, Top Down o Skip Rule on first negative condition match More specific rules generally at top Try to place more popular rules before less used rules. Example of a Poor Rule: Employee_MDM All lookups to External Policy and ID Stores performed first, then local profile match! 13

14 AuthZ Policy Optimization (Good Examples) Example #1: Employee 1. Endpoint ID Group Rule Sequence and Condition Order is Important! 2. Authenticated using AD? 3. Auth method/protocol 4. AD Group Lookup Example #2: Employee_CWA 1. Location (Network Device Group) 2. Web Authenticated? 3. Authenticated via LDAP Store? 4. LDAP Attribute Comparison 14

15 AD Integration Best Practices (from 1.3) DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV) Ensure NTP configured for all ISE nodes and AD servers Configure AD Sites and Services (with ISE machine accounts configured for relevant Sites) Configure Authentication Domains (Whitelist domains used) (ISE 1.3) Use UPN/fully qualified usernames when possible to expedite use lookups Use AD indexed attributes* when possible to expedite attribute lookups Run Diagnostics from ISE Admin interface to check for issues. * Microsoft AD Indexed Attributes:

16 Authorization Policies Pro Tip: Combining AND & OR

17 Combining AND with OR in AuthZ Policies Cannot Mix??

18 Combining AND with OR in AuthZ Policies Advanced Editing Advanced Editor

19 Combining AND with OR in AuthZ Policies Advanced Editing Simple Conditions

20 Certificates

21 Pro Tip: Always Add the Root & Sub CA s Import All Certificates in Trust Path, One at-a-time Root CA Subordinate CA Subordinate CA ISE Cert If you must use a PKCS chain, it needs to be in PEM format (not DER)

22 Simple URL for My Devices & Sponsor Portals In 1.3+: Sponsor Portal and My Devices Portal must be accessed via a userfriendly URL and selectable port. Ex: Automatic redirect to FQDN for URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services. Recommend populating Subject Alternative Name (SAN) field of PSN local cert with this alternative FQDN or Wildcard to avoid SSL cert warnings due to name mismatch.

23 ISE Certificate without SAN Certificate Warning - Name Mismatch DNS Lookup = sponsor.company.com DNS Response = DNS Server ISE-PSN SPONSOR Load Balancer ISE-PSN Name Mismatch! Requested URL = sponsor.company.com Certificate Subject = ise-psn-3.company.com ISE-PSN-3

24 ISE Certificate with SAN No Certificate Warning DNS Lookup = sponsor.company.com DNS Response = DNS Server ISE-PSN SPONSOR Load Balancer ISE-PSN Certificate OK! Requested URL = sponsor.company.com Certificate SAN = sponsor.company.com ISE-PSN

25 ISE Certificate with SAN CN must also exist in SAN Other FQDNs as DNS Names IP Address is also option

26 Traditional Wildcard Certificates Wildcard Certificates are used to identify any secure web site that is part of the domain: e.g.: *.woland.com works for: mydevices.woland.com sponsor.woland.com AnyThingIWant.woland.com!= psn.[ise].woland.com Position in FQDN is fixed

27 Wildcard Certificates Why use with ISE? Use of all portals & friendly URL s without Certificate Match Errors. Most Importantly: Ability to host the exact same certificate on all ISE PSNs for EAP authentications Why, you ask?...

28 Clients Misbehave! Example education customer: ONLY 6,000 Endpoints (all BYOD style) 10M Auths / 9M Failures in a 24 hours! 42 Different Failure Scenarios all related to clients dropping TLS (both PEAP & EAP-TLS). Supplicant List: Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N 5411 No response received during 120 seconds on last EAP message sent to the client This error has been seen at a number of Escalation customers Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

29 Recreating the Issue

30 Clients Misbehave: Apple Example ISE-1 ISE-2 Multiple PSNs Each Cert signed by Trusted Root Apple Requires Accept on all certs! Results in 5411 / 30sec retry Cert Authority ise1.ise.local ise2.ise.local 1 5 SSID NAD Apple ios & MacOS WiFi Profile 1. Authentication goes to ISE-1 2. ISE-1 sends certificate 3. Client trusts ISE-1 4. Client Roams 5. Authentication goes to ISE-2 6. Client Prompts for Accept

31 Solution: Common Cert, Wildcard in SAN Allows anything ending with The Domain Name. - Same EXACT Priv / Pub Key May be installed on all PSNs

32 Coining a New Term

33 Solution: Common Cert, Wildcard in SAN Cert Authority psn.ise.local ISE-1 ISE-2 psn.ise.local CN= psn.ise.local SAN contains all PSN FQDNs psn.ise.local *.ise.local Tested and works with: comodo.com CA SSL.com CA Microsoft 2008 CA 1 5 NAD Failed with: GoDaddy CA -- they don t like * in SAN -- they don t like non-* in CN SSID Apple ios & MacOS WiFi Profile Already Trusted 1. Authentication goes to ISE-1 2. ISE-1 sends certificate 3. Client trusts ISE-1 4. Client Roams 5. Authentication goes to ISE-2 6. Client Already Trusts Cert

34 Scaling Guest

35 Scaling Web Authentication Remember Me Guest Flows Device/user logs in to hotspot or credentialed portal MAC address automatically registered into GuestEndpoint group Prior to ISE 1.3, can chain CWA+DRW or NSP to autoregister web auth users, but no auto-purge Authz policy for GuestEndpoint ID Group grants access until device purged 35

36 Endpoint Purging Examples Matching Conditions Purge by: # Days After Creation # Days Inactive Specified Date On Demand Purge 36

37 Best Practices for Profiling

38 ISE Profiling Best Practices Whenever Possible Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection. Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2) Do NOT send profile data to multiple PSNs! Sending same profile data to multiple PSNs increases inter-psn traffic and contention for endpoint ownership. For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using DHCP IP Helpers SNMP Traps DHCP/HTTP with ERSPAN (Requires validation) DO send profile data to single and same PSN or Node Group! DO use Device Sensor! Ensure profile data for a given endpoint is sent to the same PSN Same issue as above, but not always possible across different probes DO enable the Profiler Attribute Filter! Use node groups and ensure profile data for a given endpoint is sent to same node group. Node Groups reduce inter-psn communications and need to replicate endpoint changes outside of node group. Avoid probes that collect the same endpoint attributes Example: Device Sensor + SNMP Query/IP Helper Enable Profiler Attribute Filter

39 ISE Profiling Best Practices General Guidelines for Probes HTTP Probe: Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN. Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN. DHCP Probe: Use IP Helpers when possible be aware that L3 device serving DHCP will not relay DHCP for same! Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges. Do NOT enable all probes by default! SNMP Probe: Avoid SPAN, SNMP Traps, and NetFlow probes! Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates. For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config. SNMP Traps primarily useful for non-radius deployments like NAC Appliance Avoid SNMP Traps w/radius auth. NetFlow Probe: Use only for specific use cases in centralized deployments Potential for high load on network devices and ISE. 39

40 Best Practices for Posture

41 Posture Lease Once Compliant, user may leave/reconnect multiple times before re-posture 7 41

42 MDM Scalability and Survivability What Happens When the MDM Server is Unreachable? Scalability 30 Calls per second per PSN. Cloud-Based deployment typically built for scale and redundancy For cloud-based solutions, Internet bandwidth and latency must be considered. Premise-Based deployment may leverage load balancing ISE 1.4+ supports multiple MDM servers could be same or different vendors. Authorization permissions can be set based on MDM connectivity status: MDM:MDMServerReachable Equals UnReachable MDM:MDMServerReachable Equals Reachable All attributes retrieved & reachability determined by single API call on each new session. 42

43 pxgrid

44 pxgrid Bulk Downloads (peer-to-peer) WWW 1. I need Bulk Session Data 3. Direct Data Transfer Splunk > Controller ISE Node 2. Get it From MnT FMC MnT ISE

45 pxgrid Topic Extensibility Topic Publisher Subscribers WWW Session_Directory MnT Splunk, FMC, WSA ISE Admin Vulnerable Hosts Rapid7 Splunk > Controller FMC 1. Req: Add New Topic: Vulnerable Hosts 4. Announce: New Topic Available 3. Publish Topic MnT

46 pxgrid Topic Extensibility Topic Publisher Subscribers WWW Session_Directory MnT Splunk, FMC, WSA ISE Admin Vulnerable Hosts Rapid7 FMC Splunk > Controller FMC 1. Subscribe Vulnerable Hosts 2. Direct Transfer MnT

47 How to we Certificate-ify This Scenario? 1. Use a Single Certificate Authority 2. Each pxgrid Participant Trust That Certificate Authority 3. Each pxgrid Client use a pxgrid Certificate from that CA 4. *Controller Must still Authorize the Communication pxgrid Cert = Client Auth Policy Server Auth Policy X.509 X.509 X.509 X.509 pxgrid X.509 pxgrid pxgrid pxgrid pxgrid Splunk > WWW Controller Instant Full Mesh Trust! MnT FMC

48 ISE and Fire

49 Rapid Threat Containment with Firepower Management Center and ISE Fully Supported on FMC 5.4 and ISE 1.3+ Uses pxgrid + Endpoint Protection Services (EPS) Note: ANC is Next Gen version of the older EPS EPS functions are still there for Backward Compatibility Loads as a Remediation Module on FMC Remediation Module Takes Action via the EPS call through pxgrid

50 Rapid Threat Containment with Firepower Management Center and ISE WWW Controller MnT NGFW i-net 1. Security Events / IOCs Reported FMC 3. pxgrid EPS Action: Quarantine + Re-Auth 2. Correlation Rules Trigger Remediation Action

51 Rapid Threat Containment with Firepower Management Center and ISE 4. Endpoint Assigned Quarantine + CoA- Reauth Sent WWW Controller MnT NGFW i-net FMC

52 Cisco StealthWatch: System Overview (Earlier : Lancope) Non-NetFlow Capable Device SPAN StealthWatch FlowSensor Generate NetFlow StealthWatch FlowCollector NetFlow / NBAR / NSEL Network Devices Collect and analyze Up to 4,000 sources Up to 240,000 FPS sustained StealthWatch Management Console (SMC) Management and reporting Up to 25 FlowCollectors Up 6 million FPS globally

53 Network as a Sensor: Cisco StealthWatch Context Information NetFlow Cisco ISE pxgrid Mitigation Action ISE pxgrid for Remediation Real-time visibility at all network layers Data Intelligence throughout network Assets discovery Network profile Security policy monitoring Anomaly detection Accelerated incident response

54 Device Admin TACACS+

55 A long time ago in a development lab far, far away

56

57 AuthC Once + AuthZ Many TACACS+ SSH to Network Device START (authentication) User trying to connect REPLY (authentication) request username AuthC CONTINUE (authentication) username REPLY (authentication) request password Authentication is Complete CONTINUE (authentication) password REPLY (authentication) Pass Shell AuthZ Command AuthZ # show run EXEC is Authorized Command is Authorized REQUEST (authorization) service = shell RESPONSE (authorization) PASS_ADD REQUEST (accounting) START / RESPONSE - SUCCESS REQUEST (authorization) service = command RESPONSE (authorization) Pass_ADD REQUEST (accounting) CONTINUE / RESPONSE - SUCCESS

58 ISE Deployment Node Configuration Policy Service Node for Protocol Processing Session Services (e.g. Network Access/RADIUS) On by default Device Admin Service (e.g. TACACS+) MUST BE ENABLED FOR DEVICE ADMINISTRATION!!

59 Some Device Admin Best Practices USE NDG S! Different Policy Sets for IOS than AireSpace OS Different for Security Apps than Routers Different for ASA Differentiate based on location of Device

60 Device Administration Policy Set Policy Set Ordered List Provides both Management AND Execution order Policy Set Condition For Policy Set How Policy Set is engaged

61 Use Policy Sets Based on Device Type Cisco IOS Switches Airespace WLCs

62 Best Practices for Policy Sets Organization Optimal Size Mix for Policy Set breakdown in ISE 2.0: 6-10 Policy Sets rules Divide Complete Policy into robust Silos representing Use Cases e.g. By Device Type By Region

63 ISE Authorization Processing Policy Set Selection Identity Selection Authorization Policy Evaluation Evaluation (Command Set or Profile) Reply

64 TACACS+ example: Wireless LAN Controllers

65 TACACS+ example: Cisco IOS

66 Best Practice: Use Prefixes for Your Results Results are often specific to the NAD-Type. Different results for AirOS than IOS than NX-OS. Results are not differentiated in GUI by Default

67 T+ Command Sets: Wildcard vs. Regex

68 Command Sets May Be Stacked! A Permit Below will take priority over a Deny above. Except with a Deny_Always IOS-SecOps-NoConfig Deny_Always Config * Permit Everything Else IOS-PermitAllCommands Permit *

69 REST API

70 ISE REST API : ERS: External RESTfull Services Session API (from mnt node) REST API : From ISE ISE 1.3 : added Guest ISE 2.0 : added TrustSec (SGT, SXP, SGACL), internal users Default : ERS is Not enabled XML based Supported resources : End points End point identity groups Guest users Identity groups Internal users Portals Profiler policies Network devices Network device groups Security groups Currently : no Authentication /authorization policies <activesession> <user_name>sfadmin</user_name> <calling_station_id>sfadmin </calling_station_id> <framed_ip_address> </framed_ip_address> </activesession>

71 Enable ERS and Add ERS Admin User Admin or operator based on the READ/WRITE rights Admin: Full access to all ERS API requests such as GET, POST, DELETE, PUT Operator: Read-only access to ERS API, only GET

72 GET internal users

73 Summary Best Practices, Tips and Tricks on these selected topics: Hardware, infrastructure review Authentication and Authorization Policies Guest, Profiling, Posture Certificates pxgrid, Fire & ISE TACACS+ REST API

74 Questions?

75

76