Cisco Identity Services Engine


Harrison Forest, ICTN6865

An ever-present concern in today's information systems is network security and data integrity. It is essential for enterprises globally to maintain a strict network policy to ensure that data breaches are mitigated by all means possible. Businesses must strive to adhere to global security standards and constantly maintain a network that protects the company itself, the data within and, most importantly, the client information. Large data breaches have been occurring globally in recent times, and these events only increase the concerns of information security administrators and officers. The JP Morgan breach serves as a perfect example of recent attacks and of the dangers of data breaches: evidence shows that 76 million households were possibly affected by the breach (Silver-Greenberg). The flexibility of businesses today stems from the ever-changing internet and the ability to adapt to these changes. Network accessibility for business employees is essential, and the idea of bringing your own device to access the network is a vital part of this flexibility. Remote access is also important, as employees may not always be in the office to work, but they should be able to accomplish just as much at home or on the go. The introduction of the bring-your-own-device concept can exponentially complicate network security. The demand for mobility also increases the demand for security and for making sure that users connecting to corporate networks are indeed who they say they are. Authentic authorization is absolutely essential to an enterprise, and the administration of network policies and permissions helps to provide this.

The administration of these policies and permissions, involving authentication, authorization and accounting, is known as AAA. The three A's can be broken down to explain the process. Authentication is a way to identify a machine or user. For a user this could be a username/password combination, or a MAC address for machine authentication. If the submitted credentials are matched correctly to the machine or user within the AAA server, that entity is granted access. Once the network entity is authenticated it is then given its respective privileges to carry out tasks within the network; this is authorization. For example, a user is given certain access to network resources, or the ability to access specific services, based on the authorization attributes or permissions for that specific authenticated user. Accounting is the last piece of AAA. Accounting is the measurement of various user activities while in session on a network (Rouse). This may include logs of data transfers initiated by the user, network access timestamps and other session statistics. The information collected can be used by administrators to maximize network efficiency through utilization of network resources, scalability planning and security infrastructure improvements. AAA services are provided by a dedicated server within an enterprise network, such as Cisco's Identity Services Engine.

Have you ever been in an airport, hotel or another public location that offered guest Wi-Fi? You may have been greeted with a web page that has you agree to certain terms of use before being granted guest access to the network. This web page could in fact have been generated by Cisco's Identity Services Engine. ISE allows network administrators to customize this guest portal page in any desired way, from the words that appear on the page to the overall aesthetic. The Identity Services Engine provides an extensive AAA solution in a standalone or distributed deployment. It is commonly pronounced "ice" amongst network security administrators.

The Remote Authentication Dial In User Service (RADIUS) is a protocol that defines centralized AAA. Before diving into the specific features of ISE, the RADIUS authentication protocol must be discussed. When implemented within an enterprise network, Cisco ISE acts as a RADIUS server. RADIUS is an application-layer protocol that uses UDP as its transport. When authenticating with RADIUS, the client first sends a RADIUS Access-Request to the RADIUS server. After the RADIUS server receives this message from the client it can issue one of several responses. Access-Accept grants the user access to the network because the credentials provided are among those that are permitted access. If the information initially provided is not sufficient, the RADIUS server sends an Access-Challenge. This message means that the client requesting access must provide additional information for authorization. Lastly, if authentication fails the RADIUS server sends an Access-Reject message, terminates the RADIUS session and the user is denied access. This message can also contain a Reply-Message that informs the user why authentication failed. In an ISE deployment, ISE functions as the RADIUS server while a wireless controller, VPN tunneling device or switch serves as the network access device. This means that the network access device functions as a RADIUS proxy that forwards the RADIUS traffic to the RADIUS server.

The advancement of technology has drastically increased the opportunity for data users to become more mobile. This mobility has also increased the demand for network security. 802.1x is a standard that defines the framework for the Extensible Authentication Protocol over LANs (EAPoL). This standard helps to address the increasing mobility demands of today's networks and helps to ensure the identities of end clients connected to an enterprise network infrastructure via wired or wireless media.
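The Access-Request/Access-Accept/Access-Reject exchange described above, as an added example that is not code from the paper or from Cisco ISE: a minimal RADIUS client (the network access device) and server in Python using RFC 2865 framing, User-Password hiding, and the Response Authenticator check that lets the network access device reject a forged reply. The shared secret, the plaintext user store and the NAS address are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18

# Constructed sample values: the NAS/server shared secret and a plaintext one-entry user store.
SECRET = b"constructed-shared-secret"
USER_DB = {b"hforest": b"s3cret-pw"}

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; Length covers the 2-byte header."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def decode_attrs(data):
    attrs = []
    while data:  # reject a Length that is short or runs past the packet
        length = data[1] if len(data) > 1 else 0
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:length]))
        data = data[length:]
    return attrs

def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)  # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def client_access_request(ident, username, password, secret=SECRET):
    """NAS side: build an Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(packet, secret=SECRET, user_db=USER_DB):
    """Server side: validate the request, check the credentials, answer Accept or Reject."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS Length does not match the datagram")
    code, ident, request_auth = packet[0], packet[1], packet[4:20]
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = dict(decode_attrs(packet[20:]))
    username = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if hmac.compare_digest(user_db.get(username, b"\x00"), password):
        code, reply = ACCESS_ACCEPT, []
    else:
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"Authentication failed")]
    body = encode_attrs(reply)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return build_packet(code, ident, auth, reply)

def client_check_response(response, request_auth, secret=SECRET):
    """NAS side: trust a reply only if its Response Authenticator verifies; returns the code or None."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = response_authenticator(response[0], response[1], request_auth, response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # spoofed or tampered reply: a forged Access-Accept fails here
    return response[0]

def run_exchange(username, password):
    request, request_auth = client_access_request(7, username, password)
    response = server_handle(request)
    return client_check_response(response, request_auth)
```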

802.1x helps to define the messages relayed between an authenticating client and a network access server, which is usually a wireless access point or switch (Goransson). 802.1x authentication is provided by a supplicant on the client machine. Network administrators can have end devices install Cisco AnyConnect to be used as the native supplicant on the machine. If 802.1x authentication cannot be achieved, the network access server can be configured for MAC Authentication Bypass (MAB). MAB provides a fallback mechanism if 802.1x authentication cannot be achieved. However, there are security concerns, as MAC addresses can be spoofed to thwart security mechanisms that rely on MAB authentication. The RADIUS server uses various protocols to check authentication. The Extensible Authentication Protocol (EAP) is a protocol that RADIUS uses to check authentication. There are several different forms of EAP. One of the variants used extensively by ISE is EAP-Transport Layer Security (EAP-TLS). EAP-TLS requires the use of certificates as well as a key exchange, and helps provide authenticity. EAP-TLS was developed as a result of the widely adopted wireless technologies. Below is a visual summary of an EAP and RADIUS exchange:

Figure: EAP and RADIUS exchange, from Configuring 802.1x Port-Based Authentication (Cisco).

The EAP-TLS conversation begins with the authenticator sending an EAP-Request/Identity packet. The peer (the client requesting connectivity) then responds with an EAP-Response/Identity packet which contains the user ID. In the case of an ISE deployment the EAP authenticator is a switch or wireless device that sits between ISE and the peer. The EAP packets received by the authenticator from the peer are encapsulated into a RADIUS packet and sent to the authentication server, ISE in our case. After the identity of the peer has been confirmed, ISE responds with an EAP-TLS Start packet. The client then responds with an additional EAP message and begins the conversation. This begins the TLS handshake, during which certificates and keys are exchanged. EAP-TLS is limited by the user's understanding of false credentials as well as by its support in wireless LAN technologies. The strength of EAP-TLS authentication stems from the client-side certificate. With the client-side certificate, a compromised password alone is not enough to break into an EAP-TLS enabled system.
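The identity exchange, the EAP-TLS Start and the certificate exchange described above, as an added Python example (not code from the paper or from Cisco): EAP framing per RFC 3748, the identifier check a server applies to a Response/Identity, and the fragmentation and reassembly of a large TLS flight over several EAP-TLS packets using the L, M and S flags of RFC 5216. The TLS flight is a constructed byte string standing in for a real certificate message, and the identifiers and identity are sample values.

```python
import struct

# EAP codes and types (RFC 3748) and EAP-TLS flag bits (RFC 5216).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EAP_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, Start

def build_eap(code, ident, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type or None, type-data), rejecting bad lengths."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match the packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type field")
    return code, ident, pkt[4], pkt[5:]

def identity_exchange(ident, identity):
    """Step 1 from the text: Request/Identity from the authenticator, Response/Identity from the peer."""
    request = build_eap(EAP_REQUEST, ident, TYPE_IDENTITY)
    _, req_id, _, _ = parse_eap(request)  # the peer echoes the Request's identifier
    return request, build_eap(EAP_RESPONSE, req_id, TYPE_IDENTITY, identity)

def server_accepts_identity(request, response):
    """Server-side check: a Response counts only if it matches the outstanding Request's identifier."""
    _, req_id, _, _ = parse_eap(request)
    code, resp_id, etype, data = parse_eap(response)
    if code != EAP_RESPONSE or etype != TYPE_IDENTITY or resp_id != req_id:
        return None
    return data  # the claimed identity; it is proven only by the TLS handshake that follows

def eap_tls_start(ident):
    """Step 2: the server's EAP-TLS Start, an EAP-TLS Request carrying only the S flag."""
    return build_eap(EAP_REQUEST, ident, TYPE_EAP_TLS, bytes([FLAG_S]))

def fragment_tls_flight(ident, tls_flight, mtu):
    """Server side: split one TLS flight (e.g. the certificate message) into EAP-TLS Requests.
    The first fragment carries the L flag and the 4-byte total length, all but the last carry
    the M flag, and each fragment gets a fresh identifier.  mtu bounds the TLS bytes per packet."""
    frags, offset = [], 0
    while True:
        chunk = tls_flight[offset:offset + mtu]
        flags = FLAG_M if offset + len(chunk) < len(tls_flight) else 0
        if offset == 0:
            payload = bytes([flags | FLAG_L]) + struct.pack("!I", len(tls_flight)) + chunk
        else:
            payload = bytes([flags]) + chunk
        frags.append(build_eap(EAP_REQUEST, ident, TYPE_EAP_TLS, payload))
        ident, offset = (ident + 1) & 0xFF, offset + len(chunk)
        if not flags & FLAG_M:
            return frags

class PeerReassembler:
    """Peer side: buffer fragments and answer each partial one with an empty EAP-TLS ACK."""

    def __init__(self):
        self.buf, self.total = b"", None

    def receive(self, pkt):
        code, ident, etype, data = parse_eap(pkt)
        if code != EAP_REQUEST or etype != TYPE_EAP_TLS or not data:
            raise ValueError("expected an EAP-TLS Request")
        flags, rest = data[0], data[1:]
        if flags & FLAG_L:
            self.total, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
        self.buf += rest
        if self.total is not None and len(self.buf) > self.total:
            raise ValueError("fragments exceed the announced TLS message length")
        if flags & FLAG_M:  # more to come: ACK is a Response with flags=0 and no data
            return "ack", build_eap(EAP_RESPONSE, ident, TYPE_EAP_TLS, b"\x00")
        if self.total is not None and len(self.buf) != self.total:
            raise ValueError("last fragment received but the TLS message is incomplete")
        flight, self.buf, self.total = self.buf, b"", None
        return "complete", flight

def deliver_flight(tls_flight, mtu=1000, ident=10):
    """Run the fragmentation round trip; return (fragment count, ACK count, reassembled bytes)."""
    frags, peer, acks, result = fragment_tls_flight(ident, tls_flight, mtu), PeerReassembler(), 0, None
    for frag in frags:
        state, payload = peer.receive(frag)
        if state == "ack":
            acks += 1
        else:
            result = payload
    return len(frags), acks, result
```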

Cisco ISE provides a way of regulating permissions in an enterprise network through user authentication and authorization. Network access is regulated by the RADIUS communication between the authenticating device and the ISE node. Authorization can be controlled by various policies maintained by ISE. ISE can also be linked to external identity sources such as Active Directory. The policies maintained by ISE are distributed throughout an enterprise network through switches and wireless controllers.

There are two types of ISE deployment: standalone and distributed. An ISE deployment has different personas that a node can undertake. In a standalone deployment there is one ISE node that runs all personas. It is easier to maintain and administer; however, redundancy and scalability are limited. A distributed environment allows administrators to have several ISE nodes, each running dedicated personas and services. This option allows for greater scalability and failover redundancy. Each persona runs its respective service on its node. The persona types include Administration, Policy and Monitoring. The Administration and Monitoring personas can each have primary and secondary instances. In this case, if the primary node of either persona goes down, the secondary can take the primary role and continue to function without loss of service. There can be several policy nodes in a distributed deployment as well. The Administration nodes provide a central point for administrators to control all functions of ISE. This is where authorization policies are made, profiles are configured, and the overall functionality of ISE is controlled. The policy nodes analyze the incoming authentication requests and take the bulk of the processing away from the administration nodes. Authorization policies are created on the administration nodes and then replicated across the ISE deployment to the policy nodes. Policy Service Nodes (PSN) are where posturing, guest access and profiling services run. The actual enforcement of authorization policies, however, occurs at the switch or wireless controller connecting the end clients and the ISE deployment. A third type of persona that an ISE node can take on is the Monitoring service (MNT). This node persona collects logs from the administration and policy services for later review. Lastly, the Inline Posture Node (IPN) persona can be used to provide Change of Authorization (CoA) features to a device that does not natively support this functionality.

Figure: ISE deployment types, from Cisco TrustSec How-To Guide: ISE Deployment Types and Guidelines (Cisco).

Change of Authorization (CoA) allows AAA attributes to be changed through RADIUS packets. This provides dynamic changing of authorizations and user sessions. It becomes necessary for RADIUS to make changes to a session when certain attributes of an endpoint are discovered. Change of Authorization allows this to happen without the network access server (NAS) needing to be involved or to reissue a new client session. Authorization levels may change, or network administrators may wish to terminate a session currently in progress. CoA is not a standardized protocol due to device incompatibility. The Inline Posture Node (IPN) persona in ISE provides an answer to this issue. This node is placed behind network devices that cannot support CoA requests, such as wireless LAN controllers or VPN devices. The IPN also serves as a RADIUS proxy, meaning that during authentication all RADIUS requests and messages are forwarded through the IPN to the RADIUS server (ISE). An IPN can be configured for redundancy as an active-standby pair. The active IPN acts as the RADIUS proxy until it goes down; when this happens, the standby IPN is brought up and continues functioning as the RADIUS proxy. The IPN uses URL redirection to manage the RADIUS messages from the endpoints. When authentication initially occurs the client is granted restricted access to the network. After authentication succeeds and the client is found to be compliant by posture assessment, the client is granted access to the network. This is an example of change of authorization. IPNs are also capable of receiving access control lists. Downloadable access control lists (DACLs) are a way for network devices to dynamically manage traffic flow for a specific client. For instance, a client may only be allowed to use a specific type of protocol on a specific network. This is defined by the specific authorization policy the network administrator has configured within ISE. Once a certain authorization policy is matched, access control lists can be sent to an IPN so the authenticating client may only access certain network resources with the protocols specified by the DACL.

The different features within ISE allow for authorization to be provided based on machine type and attributes. Posture Assessment and Client Provisioning are built on this feature. ISE comes bundled with agent software known as the Network Admission Control (NAC) Agent. The NAC agent provides a means of determining client compliance on a network: when a user logs in to the network from a machine, the NAC agent checks to make sure that the machine is compliant and matches the requirements needed before access to the network is granted. The NAC agent may already be installed on the client machine, or it can be temporarily installed via a web-based agent that is downloaded to the specific endpoint before initializing a new session. The posture policies defined by the ISE administrator are what deem a network endpoint to be compliant. These policies can examine an endpoint's operating system, anti-virus, anti-spyware and even the presence of specific files. For instance, a user may be denied access to the network until the anti-virus definition database is up to date.

Before a device can be postured it must match a device profile that is defined within ISE. Luckily, Cisco maintains an up-to-date database of hundreds of different devices that could potentially connect to a network. This is maintained via an external connection from ISE to Cisco's profiler feed service. However, if a device that needs to be given access to the network is not in this database, a network administrator can simply create a custom profile. When a device is trying to authenticate to the network, ISE examines the RADIUS messages to determine which profile that device may match. ISE then makes its best assumption based on a number called the certainty factor. This is a variable network administrators can raise or lower on each profile to ensure devices are being correctly mapped to their respective profiles. For instance, a Windows 8 machine may have similar operating-system attributes to an Xbox One gaming console. If there is not a pre-configured profile for one of these devices, a network administrator may need to create a custom profile. Once this profile is configured, the administrator would adjust the certainty factor so that if a device with certain attributes (OS, network scan, etc.) was connecting to the network, ISE would properly apply the necessary profile. Once the device is correctly profiled it is then checked for compliance by posture.

ISE provides the ability for network administrators to link to external identity sources. This means ISE can communicate with domain controllers and read Active Directory permissions without having to input all the users into ISE locally; ISE will just read the users from the domain itself. Once this has been configured, ISE can use Active Directory to validate credentials, perform user authentication functions, and retrieve group information and attributes.

One of the most powerful and convenient functions that ISE provides is Self-Service On-Boarding of devices. It addresses the Bring Your Own Device (BYOD) concept. This allows a user to bring their own device and use their credentials to gain access to an ISE-secured network. However, certificate management becomes a burden for network administration. Certificate management is vital to BYOD. ISE can be configured with Windows Server to function with the Simple Certificate Enrollment Protocol (SCEP). SCEP was designed to make scaling certificates an easier process. It aims to provide a simplified process for devices to request certificates. This allows users to perform self-registration. With SCEP, network administrators no longer have to manually distribute authentication credentials and enable devices on the network. Certificate-based authentication is added within an identity source sequence in ISE. A SCEP profile is configured within the certificate operations area of ISE. Once authentication succeeds the on-boarding process can begin.
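A simplified model of the certainty-factor profiling described in the profiling discussion above, as an added Python example (not Cisco's profiler code): each profile sums the certainty of the conditions an endpoint's collected attributes satisfy, and the endpoint is assigned to the best-scoring profile that reaches its minimum certainty factor. The profile names, attribute names, certainty values and endpoint attribute sets are constructed to mirror the Windows 8 / Xbox One case; the real ISE conditions and attribute names differ.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    attribute: str  # name of a collected endpoint attribute (constructed names)
    contains: str   # substring that must appear in that attribute's value
    certainty: int  # certainty added to the profile's score when the condition matches

@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int  # the tunable threshold the text calls the certainty factor
    conditions: tuple

def score(profile, endpoint):
    """Sum the certainty of every condition the endpoint's attributes satisfy."""
    total = 0
    for cond in profile.conditions:
        value = str(endpoint.get(cond.attribute, ""))
        if cond.contains.lower() in value.lower():
            total += cond.certainty
    return total

def match_profile(profiles, endpoint):
    """Pick the highest-scoring profile among those reaching their own threshold.
    A tie between candidates is reported as ambiguous rather than guessed, so the
    administrator sees that the thresholds or conditions need tuning."""
    eligible = [(score(p, endpoint), p.name) for p in profiles
                if score(p, endpoint) >= p.min_certainty]
    if not eligible:
        return "Unknown"
    best = max(s for s, _ in eligible)
    winners = [name for s, name in eligible if s == best]
    return winners[0] if len(winners) == 1 else "Ambiguous"

def with_threshold(profiles, new_min):
    """Copies of the profiles with the certainty factor set to new_min, to show what
    happens when the threshold is too low to separate devices sharing an attribute."""
    return tuple(Profile(p.name, new_min, p.conditions) for p in profiles)

# Constructed profiles for the Windows 8 / Xbox One case: both share the Microsoft OUI,
# so that attribute alone must not be enough to reach either threshold.
WINDOWS_8 = Profile("Windows8-Workstation", 20, (
    Condition("oui", "Microsoft", 10),
    Condition("dhcp-class-identifier", "MSFT", 10),
    Condition("user-agent", "Windows NT 6.2", 20),
))
XBOX_ONE = Profile("Xbox-One", 30, (
    Condition("oui", "Microsoft", 10),
    Condition("dhcp-hostname", "XBOX", 30),
    Condition("user-agent", "Xbox", 20),
))
PROFILES = (WINDOWS_8, XBOX_ONE)

# Constructed endpoint attribute sets, as a profiler might collect from DHCP and HTTP.
LAPTOP = {"oui": "Microsoft Corporation", "dhcp-class-identifier": "MSFT 5.0",
          "user-agent": "Mozilla/5.0 (Windows NT 6.2; WOW64)"}
CONSOLE = {"oui": "Microsoft Corporation", "dhcp-hostname": "XBOXONE",
           "user-agent": "Mozilla/5.0 (Xbox; Xbox One)"}
OUI_ONLY = {"oui": "Microsoft Corporation"}
```

With the thresholds as configured, OUI_ONLY matches nothing; lowering both thresholds to 10 makes the same endpoint tie between the two profiles, which is the misclassification risk the certainty factor exists to control.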
On-boarding is the process in which the native supplicant on the device brought in by the user is provisioned so it can gain access to the network. Active Directory can be used to determine if the user attempting authentication is allowed to bring in a device. The identity source sequence is configured within ISE; this determines how ISE looks through the different databases for user credentials. A guest portal page can be administered through ISE, where users provide their corporate credentials. The guest flow begins with the identity sequence ISE uses to verify the user credentials. The Client Provisioning policies defined in ISE are specific to each operating system. Each operating system that natively supports 802.1x authentication has a supplicant. Supplicant provisioning then occurs when a user logs in and the endpoint is matched to a certain profile or endpoint type (iPhone, iPad, Windows PC). This endpoint profile is one that ISE can receive from the built-in feed service. Once authentication is complete, Access Control Lists are applied to the authorized machine.

Additionally, ISE can provide Central Web Authentication (CWA). ISE functions as a web portal that provides the means of authentication. Initially, a client is authenticated via layer 2 means (i.e. MAC address). ISE then informs the intermediate device that a web redirection needs to occur for further authorization. An ACL is applied so the client can be forwarded to the web portal. The user then enters credentials, and if authentication is successful a change of authorization occurs and the user is granted access to the network.

Figure: Central Web Authentication Flow (Cisco).

As the mobility demand increases, so will the need for network access on the go. With this increase, the correlation between AAA and networks globally will only grow stronger. Clearly, the Identity Services Engine provides a robust solution for AAA. Not only does it provide extensive means for user and device authentication in an enterprise network, but it also aims to ease network administration. The centralized administration of network access policies helps with planning network changes and scalability. The on-the-go concept in technology is becoming a de facto network standard, increasing the convenience for all users involved. It is important to maintain a level of control while balancing security and authorization simultaneously. So, next time you go to join the Wi-Fi at an airport or hotel and are greeted with a welcome sign-on page, it could very well be the beginning of the guest flow within ISE.

Sources Cited

Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004, June 1). Extensible Authentication Protocol (EAP). Retrieved November 11, 2014.
Antoine, K. (2013, July 25). Posture Services on the Cisco ISE Configuration Guide. Retrieved November 14.
Chiba, M., Dommety, G., Eklund, M., Mitton, D., & Aboba, B. (2008, January 1). Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS). Retrieved November 14, 2014.
Goransson, P. (2002). 802.1x Provides User Authentication. Network World, 19(12).
Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000, June 1). Remote Authentication Dial In User Service (RADIUS). RFC. Retrieved November 8, 2014.
Rouse, M. (n.d.). Authentication, Authorization and Accounting (AAA). Retrieved October 27, 2014.
Silver-Greenberg, J., Goldstein, M., & Perlroth, N. (2014, October 2). JP Morgan Chase Hacking Affects 76 Million Households. The New York Times. Retrieved October 27, 2014.
Simon, D., Aboba, B., & Hurst, R. (2008, March 1). The EAP-TLS Authentication Protocol. Retrieved November 10, 2014.
West, G. (2013, October 21). Cisco Identity Services Engine - Part 1 - Overview. Retrieved November 11, 2014, from overview/
Xiao, L. (2008). The Realization of the RADIUS Security Authentication. IEEE Xplore, 4(08), 1-4.
Cisco TrustSec How-To Guide: Central Web Authentication. (2012, August 27). Retrieved November 14, 2014.
Cisco TrustSec How-To Guide: ISE Deployment Types and Guidelines. (2012, April 27). Retrieved November 11, 2014.
Cisco TrustSec How-To Guide: On-boarding and Provisioning. (2012, August 27). Retrieved November 11, 2014, from -zone-security/howto_61_byod_provisioning.pdf
Configuring 802.1x Port-Based Authentication. (n.d.).
ISE Setting Up Inline Posture User Guide. (2012, January 1). Retrieved October 27, 2014.
RADIUS Change of Authorization. (n.d.). Retrieved November 11, 2014, from 15-sy-book/sec-rad-coa.html
Simple Certificate Enrollment Protocol. (2014, November 11). Retrieved November 8, 2014.


DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

DumpsFree.   DumpsFree provide high-quality Dumps VCE & dumps demo free download DumpsFree http://www.dumpsfree.com DumpsFree provide high-quality Dumps VCE & dumps demo free download Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get

More information

Configuring 802.1X. Finding Feature Information. Information About 802.1X

Configuring 802.1X. Finding Feature Information. Information About 802.1X This chapter describes how to configure IEEE 802.1X port-based authentication on Cisco NX-OS devices. This chapter includes the following sections: Finding Feature Information, on page 1 Information About

More information

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node? Volume: 385 Questions Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node? A. tcp/8905 B. udp/8905 C. http/80 D. https/443 Answer: A Question:

More information

Exam Questions Demo Cisco. Exam Questions

Exam Questions Demo   Cisco. Exam Questions Cisco Exam Questions 300-208 SISAS Implementing Cisco Secure Access Solutions (SISAS) Version:Demo 1. Which functionality does the Cisco ISE self-provisioning flow provide? A. It provides support for native

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 39 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

Introducing Cisco Identity Services Engine for System Engineer Exam

Introducing Cisco Identity Services Engine for System Engineer Exam Introducing Cisco Identity Services Engine for System Engineer Exam Number: 650-474 Passing Score: 800 Time Limit: 120 min File Version: 4.1 http://www.gratisexam.com/ Cisco 650-474 Introducing Cisco Identity

More information

What Is Wireless Setup

What Is Wireless Setup What Is Wireless Setup Wireless Setup provides an easy way to set up wireless flows for 802.1x, guest, and BYOD. It also provides workflows to configure and customize each portal for guest and BYOD, where

More information

Guest Access User Interface Reference

Guest Access User Interface Reference Guest Portal Settings, page 1 Sponsor Portal Application Settings, page 17 Global Settings, page 24 Guest Portal Settings Portal Identification Settings The navigation path for these settings is Work Centers

More information

Configure Guest Flow with ISE 2.0 and Aruba WLC

Configure Guest Flow with ISE 2.0 and Aruba WLC Configure Guest Flow with ISE 2.0 and Aruba WLC Contents Introduction Prerequisites Requirements Components Used Background Information Guest Flow Configure Step 1. Add Aruba WLC as NAD in ISE. Step 2.

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 37 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized client devices from gaining access to the network. This chapter includes the following major

More information

Configure Client Provisioning

Configure Client Provisioning in Cisco ISE, on page 1 Client Provisioning Resources, on page 2 Add Client Provisioning Resources from Cisco, on page 3 Add Cisco Provided Client Provisioning Resources from a Local Machine, on page 4

More information

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout CounterACT. Configuration Guide. Version 4.3 ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About

More information

Cisco S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals.

Cisco S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals. Cisco 650-472 S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals http://killexams.com/exam-detail/650-472 QUESTION: 60 Which two elements must you configure on a Cisco Wireless

More information

Forescout. Configuration Guide. Version 4.4

Forescout. Configuration Guide. Version 4.4 Forescout Version 4.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions To ensure Cisco ISE is able to interoperate with network switches and functions from Cisco ISE are successful across

More information

Configure Client Posture Policies

Configure Client Posture Policies Posture is a service in Cisco Identity Services Engine (Cisco ISE) that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 10 This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 3750 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments,

More information

2012 Cisco and/or its affiliates. All rights reserved. 1

2012 Cisco and/or its affiliates. All rights reserved. 1 2012 Cisco and/or its affiliates. All rights reserved. 1 Policy Access Control: Challenges and Architecture UA with Cisco ISE Onboarding demo (BYOD) Cisco Access Devices and Identity Security Group Access

More information

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Exam : Title : Security Solutions for Systems Engineers. Version : Demo Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized

More information

Network Access Flows APPENDIXB

Network Access Flows APPENDIXB APPENDIXB This appendix describes the authentication flows in Cisco Identity Services Engine (ISE) by using RADIUS-based Extensible Authentication Protocol (EAP) and non-eap protocols. Authentication verifies

More information

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1 Table of Contents 1 802.1x Configuration 1-1 Introduction to 802.1x 1-1 Architecture of 802.1x Authentication 1-1 The Mechanism of an 802.1x Authentication System 1-3 Encapsulation of EAPoL Messages 1-3

More information

Request for Comments: Starent Networks A. Lior Bridgewater Systems K. Leung Cisco Systems October 2007

Request for Comments: Starent Networks A. Lior Bridgewater Systems K. Leung Cisco Systems October 2007 Network Working Group Request for Comments: 5030 Category: Informational M. Nakhjiri, Ed. Motorola K. Chowdhury Starent Networks A. Lior Bridgewater Systems K. Leung Cisco Systems October 2007 Mobile IPv4

More information

CertKiller q

CertKiller q CertKiller.500-451.28q Number: 500-451 Passing Score: 800 Time Limit: 120 min File Version: 5.3 500-451 Cisco Unified Access Systems Engineer Exam I just passed today with 89%. My sole focus was the VCE.

More information

BYOD: BRING YOUR OWN DEVICE.

BYOD: BRING YOUR OWN DEVICE. white paper BYOD: BRING YOUR OWN DEVICE. On-BOaRDING and Securing DEVICES IN YOUR Corporate NetWORk PrepaRING YOUR NetWORk to MEEt DEVICE DEMaND The proliferation of smartphones and tablets brings increased

More information

For Sales Kathy Hall

For Sales Kathy Hall IT4E Schedule 13939 Gold Circle Omaha NE 68144 402-431-5432 Course Number Course Name Course Description For Sales Chris Reynolds 402-963-4465 creynolds@it4e.com www.it4e.com SISE v1.1 SKY For Sales Kathy

More information

Configuring IEEE 802.1X Port-Based Authentication

Configuring IEEE 802.1X Port-Based Authentication CHAPTER 44 This chapter describes how to configure IEEE 802.1X port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. Note For complete syntax and usage

More information

Enterprise Guest Access

Enterprise Guest Access Data Sheet Published Date July 2015 Service Overview Whether large or small, companies have guests. Guests can be virtually anyone who conducts business with the company but is not an employee. Many of

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure Cisco ISE Infrastructure, on page 1 Cisco ISE Administration Node Ports, on page 2 Cisco ISE Monitoring Node Ports, on page 4 Cisco ISE Policy Service Node Ports, on page 6 Cisco

More information

802.1X: Port-Based Authentication Standard for Network Access Control (NAC)

802.1X: Port-Based Authentication Standard for Network Access Control (NAC) White Paper 802.1X: Port-Based Authentication Standard for Network Access Control (NAC) Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net

More information

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Network Security 1. Module 7 Configure Trust and Identity at Layer 2 Network Security 1 Module 7 Configure Trust and Identity at Layer 2 1 Learning Objectives 7.1 Identity-Based Networking Services (IBNS) 7.2 Configuring 802.1x Port-Based Authentication 2 Module 7 Configure

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Posture Services on the Cisco ISE Configuration Guide Contents

Posture Services on the Cisco ISE Configuration Guide Contents Posture Services on the Cisco ISE Configuration Guide Contents Introduction Prerequisites Requirements Components Used Background Information ISE Posture Services Client Provisioning Posture Policy Authorization

More information

Guest Management. Overview CHAPTER

Guest Management. Overview CHAPTER CHAPTER 20 This chapter provides information on how to manage guest and sponsor accounts and create guest policies. This chapter contains: Overview, page 20-1 Functional Description, page 20-2 Guest Licensing,

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure Cisco ISE Infrastructure, on page 1 Cisco ISE Administration Node Ports, on page 2 Cisco ISE Monitoring Node Ports, on page 4 Cisco ISE Policy Service Node Ports, on page 5 Inline

More information

Policy User Interface Reference

Policy User Interface Reference Authentication, page 1 Authorization Policy Settings, page 4 Endpoint Profiling Policies Settings, page 5 Dictionaries, page 9 Conditions, page 11 Results, page 22 Authentication This section describes

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the Cisco ME 3400 Ethernet Access switch. As LANs extend to

More information

Configure Guest Access

Configure Guest Access Cisco ISE Guest Services, on page 1 Guest and Sponsor Accounts, on page 2 Guest Portals, on page 13 Sponsor Portals, on page 25 Monitor Guest and Sponsor Activity, on page 35 Guest Access Web Authentication

More information

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] s@lm@n Cisco Exam 642-737 Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] Cisco 642-737 : Practice Test Question No : 1 RADIUS is set up with multiple servers

More information

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Reviewer s guide. PureMessage for Windows/Exchange Product tour Reviewer s guide PureMessage for Windows/Exchange Product tour reviewer s guide: sophos nac advanced 2 welcome WELCOME Welcome to the reviewer s guide for NAC Advanced. The guide provides a review of the

More information

WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES

WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES SESSION ID: TECH-W14 WHY YOUR NAC PROJECTS KEEP FAILING: ADDRESSING PRODUCTS, PEOPLE, PROCESSES Jennifer Minella VP of Engineering & Security Carolina Advanced Digital, Inc. @jjx securityuncorked.com @CADinc

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Implementing Network Admission Control

Implementing Network Admission Control CHAPTER 2 This chapter describes how to implement Network Admission Control (NAC) and includes the following sections: Network Topology Configuration Overview Installing and Configuring the Cisco Secure

More information

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology

How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology How-To Threat Centric NAC Cisco AMP for Endpoints in Cloud and Cisco Identity Service Engine (ISE) Integration using STIX Technology Author: John Eppich Table of Contents About this Document... 3 Introduction

More information

Authentication and Authorization Policies

Authentication and Authorization Policies Chapter 13 Authentication and Authorization Policies The previous chapter focused on the levels of authorization you should provide for users and devices based on your logical Security Policy. You will

More information

Configure Client Provisioning

Configure Client Provisioning in Cisco ISE, on page 1 Client Provisioning Resources, on page 2 Add Client Provisioning Resources from Cisco, on page 3 Add Cisco Provided Client Provisioning Resources from a Local Machine, on page 4

More information

Chapter 4 Configuring 802.1X Port Security

Chapter 4 Configuring 802.1X Port Security Chapter 4 Configuring 802.1X Port Security Overview HP devices support the IEEE 802.1X standard for authenticating devices attached to LAN ports. Using 802.1X port security, you can configure an HP device

More information

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

Securing the Empowered Branch with Cisco Network Admission Control. September 2007 Securing the Empowered Branch with Cisco Network Admission Control September 2007 Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. 1 Contents 1 The Cisco Empowered Branch 2 Security Considerations

More information

BYOD: Management and Control for the Use and Provisioning of Mobile Devices

BYOD: Management and Control for the Use and Provisioning of Mobile Devices BYOD: Management and Control for the Use and Provisioning of Mobile Devices Imran Bashir Technical Marketing Engineer BYOD: Management and Control for the Use and Provisioning of Mobile Devices -- 3:30

More information

Implementing Cisco Edge Network Security Solutions ( )

Implementing Cisco Edge Network Security Solutions ( ) Implementing Cisco Edge Network Security Solutions (300-206) Exam Description: The Implementing Cisco Edge Network Security (SENSS) (300-206) exam tests the knowledge of a network security engineer to

More information

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16 Table of Contents ABOUT 802.1X... 3 YEALINK PHONES COMPATIBLE WITH 802.1X... 3 CONFIGURING 802.1X SETTINGS... 4 Configuring 802.1X using Configuration Files... 4 Configuring 802.1X via Web User Interface...

More information

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Radius, LDAP, Radius, Kerberos used in Authenticating Users CSCD 303 Lecture 5 Fall 2018 Radius, LDAP, Radius, Kerberos used in Authenticating Users Kerberos Authentication and Authorization Previously Said that identification, authentication and authorization

More information

Cisco ISE Ports Reference

Cisco ISE Ports Reference Cisco ISE Infrastructure, page 1 Cisco ISE Administration Node Ports, page 2 Cisco ISE Monitoring Node Ports, page 4 Cisco ISE Policy Service Node Ports, page 5 Cisco ISE pxgrid Service Ports, page 10

More information

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication

More information

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD. V100R002C10 Permission Control Technical White Paper Issue 01 Date 2016-04-15 HUAWEI TECHNOLOGIES CO., LTD. 2016. All rights reserved. No part of this document may be reproduced or transmitted in any form

More information

Securing Cisco Wireless Enterprise Networks ( )

Securing Cisco Wireless Enterprise Networks ( ) Securing Cisco Wireless Enterprise Networks (300-375) Exam Description: The 300-375 Securing Wireless Enterprise Networks (WISECURE) exam is a 90minute, 60-70 question assessment that is associated with

More information

Troubleshooting Cisco ISE

Troubleshooting Cisco ISE APPENDIXD This appendix addresses several categories of troubleshooting information that are related to identifying and resolving problems that you may experience when you use Cisco Identity Services Engine

More information

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X)

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X) Introduction to 802.1X Operations for Cisco Security Professionals (802.1X) The goal of the course is to provide students with foundational knowledge in the capabilities and functions of the IEEE 802.1x

More information

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview Portnox CORE On-Premise Technology Introduction Portnox CORE provides a complete solution for Network Access Control (NAC) across wired, wireless, and virtual networks for enterprise managed, mobile and

More information

Managing BYOD Networks

Managing BYOD Networks Managing BYOD Networks SPS-2013 Raghu Iyer raghu.iyer@nevisnetworks.com 1 What is BYOD Bring Your Own Device Are you allowing a Rogue? SPS-2013 Raghu Iyer raghu.iyer@nvisnetworks.com 2 Why BYOD Increased

More information

Cisco Security Solutions for Systems Engineers (SSSE) Practice Test. Version

Cisco Security Solutions for Systems Engineers (SSSE) Practice Test. Version Cisco 642-566 642-566 Security Solutions for Systems Engineers (SSSE) Practice Test Version 3.10 QUESTION NO: 1 You are the network consultant from Your company. Please point out two requirements call

More information

Securing BYOD With Network Access Control, a Case Study

Securing BYOD With Network Access Control, a Case Study Research G00226207 29 August 2012 Securing BYOD With Network Access Control, a Case Study Lawrence Orans This Case Study highlights how an organization utilized NAC and mobile device management solutions

More information

Deploying Cisco ISE for Guest Network Access

Deploying Cisco ISE for Guest Network Access Deploying Cisco ISE for Guest Network Access Jason Kunst September 2018 Table of Contents Introduction... 4 About Cisco Identity Services Engine (ISE)... 4 About This Guide... 4 Define... 6 What is Guest

More information

New Features for ASA Version 9.0(2)

New Features for ASA Version 9.0(2) FIREWALL Features New Features for ASA Version 9.0(2) Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core

More information