Integrácia Cisco TrustSec Technológie do BYOD prostredia, 2. časť

Transcription

1 Integrácia Cisco TrustSec Technológie do BYOD prostredia, 2. časť Ing. Peter Mesjar Systems Engineer, CCIE # Cisco and/or its affiliates. All rights reserved. Cisco Public 1

2 Cisco Unified Wireless Network Explained Wireless Components in Detail IEEE 802.1x In Wired/Wireless World Why IEEE 802.1x is Not Enough Q&A 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

3 Cisco Unified Wireless Network Explained 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 Access Points and Wireless LAN Controller Indoor n 1040, 1140, 1260, 3500, 2600, 1600, 3600 with modules Outdoor n 1550 APs Work in Autonomous, Centralized (local), or Flexconnect (HREAP) Indoor/Outdoor MESH WLCs Virtual, 2500, 5500, WiSM2, 7500, 8500, ISM/SM for ISR 1941/2900/3900 Cisco Prime Infrastructure Converged wired/wireless, user/device Management Visibility into the performance and security of the wireless network Locate Physical DOS Attacks and Hidden Rogues Monitor and Alarm when Unwanted Devices are present Appliance or virtual form factor Mobility Services Engine (MSE) Wifi client and tag location tracking CleanAir Zone of Impact Merging Correlates Interference Data at a System Level Historical Reporting and Trending allows Proactive Interference Management Appliance or virtual form factor 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 CAPWAP - Control And Provisioning of Wireless Access Points is used between APs and WLAN Controller and based on LWAPP CAPWAP carries control and data traffic between the two Control plane is DTLS encrypted Data plane is DTLS encrypted (Optional) LWAPP-enabled access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless CAPWAP is not supported on Layer-2 mode deployment Access Point CAPWAP Data Plane Controller WiFi Client Control Plane 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 From WLC code 5.2 and later, we ship only CAPWAP Feature LWAPP CAPWAP Fragmentation/Re-assembly Relies on IpV4 CAPWAP itself does both Path-MTU Discovery Not supported Has a robust P-MTU discovery mechanism, can also detect dynamic MTU changes Control Channel Encryption between AP and WLC Data Channel Encryption between AP and WLC Yes (using AES) No Yes (Using DTLS) Yes (using DTLS) UDP Ports 12222, (ctrl) 5247 (data) 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 1. AP boots up and issues a DHCP DISCOVER to get an IP address (unless it has a previously configured static IP address) 2. AP attempts to build a controller candidate list via the following methods: IP broadcast DHCP Option 43 DNS (Pre-defined hostname: CISCO-LWAPP-CONTROLLER or CISCO-CAPWAP-CONTROLLER mapped to Controller s Management IP address) 3. AP sends LWAPP or CAPWAP Discovery Request to all candidate controllers 4. If AP does not receive any LWAPP or CAPWAP Discovery Responses it will go back to step 2 LWAPP or CAPWAP Discovery Request LWAPP or CAPWAP Discovery Response 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 LWAPP or CAPWAP Discovery Response contains important information from the WLAN Controller: Controller name, controller type, controller AP capacity, current AP load, Master Controller status and AP Manager IP address or addresses AP selects a controller to join using the following decision criteria: 1. Attempt to join a WLAN Controller configured as a Master controller 2. Attempt to join a WLAN Controller with matching name of previously configured primary, secondary, or tertiary controller name 3. Attempt to join the WLAN Controller with the greatest excess AP capacity (dynamic load balancing) Option #2 and option #3 allow for two approaches to controller redundancy and AP load balancing Deterministic and Dynamic LWAPP or CAPWAP Join Request LWAPP or CAPWAP Join Response 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Configuration Download Firmware Download LWAPP / CAPWAP Firmware is downloaded by the AP from the WLC Firmware downloaded only if needed, AP reboots after the download Firmware digitally signed by Cisco Network configuration is downloaded by the AP from the WLC Configuration is encrypted in the LWAPP / CAPWAP Tunnel Configuration is applied Cisco WLAN Controller Lightweight Access Points 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 There are 5 interfaces to consider: Management Communication (HTTP/HTTPS/SNMP/Radius) AP Manager CAPWAP communication with access points Dynamic VLAN interfaces Virtual Mobility Management, DHCP Relay, Layer 3 Security Service Port Out of band management As of WLC 7.0, you no longer need to specify AP-manager interface 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Roaming occurs when a wireless client moves association from one AP and reassociates to another, typically because it s mobile Cisco Unified Wireless Network supports intra-controller roaming as well as intercontroller L2 and L3 roaming (symmetric L3 roaming only) Roaming must be fast, latency can be introduced: Client channel scanning and AP selection algorithms Re-authentication of client device and re-keying Roaming must maintain security: Open auth, static WEP session continues on new AP WPA/WPAv2 Personal New session key for encryption derived via standard handshakes 802.1x, i, WPA/WPAv2 Enterprise Client must be re-authenticated and new session key derived for encryption Use Cisco Fast Secure Roaming (CCX+CCKM+PKC) or r (from WLC 7.2MR1) 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Hybrid architecture with single management and control Connected AP has reachability to WLC Standalone AP does not have reachability to WLC Data traffic switching Central-switched (split MAC) Local-switched (local MAC) Traffic switching is configured per WLAN, ACL & AAA VLAN override is supported IPv6 supported only in bridged mode Flexconnect feature matrix: cts_tech_note09186a0080b3690b.shtml 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Flexconnect group allows sharing of: CCKM Fast Roaming Keys Local User Authentication Local EAP Authentication Efficient Image Download Scaling Information Scaling Flex 7500 CT WiSM2 Virtual WLC CT FlexConnect Groups APs per FlexConnect Group Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 Data Center Branch Office ISE 1 Dot1X Auth Req AP New Client Flex Dot1x Auth Success ISR 3925 ISR 3925 VPN All client authentication requests travels through Central Controller If Controller is not reachable, then no clients can authenticate 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Data Center Branch Office ISE 1 Dot1X Auth Req 2 Dot1x Auth Success AP New Client Flex 7500 ISR 3925 ISR 3925 VPN All client authentication requests travels straight from AP to AAA Server If Controller is not reachable, clients can still continue to authenticate and access network services 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Data Center Branch Office 1 Dot1X Auth Req ISE Flex 7500 ISR 3925 ISR Dot1x Auth Success AP New Client All client authentication requests travels straight from AP to Local Branch AAA Server If WAN link is down, clients can still continue to authenticate and access network services 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Data Center Branch Office ISE Flex 7500 ISR 3925 ISR Dot1X Auth Req AP 2 Dot1x Auth Success All clients are authenticated directly by the AP (EAP-FAST and LEAP only) If WAN link & Local Backup Radius Server is down clients can still continue to authenticate and access network services 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Data Center Branch Office AP-1 New Client 1 Central Auth Flex Push Keys To Branch APs ISR 3925 ISR 3925 VPN 3 Roam AP-2 Fast roam is not dependent on the availability of WLC, because keys are pushed to and cached on APs after initial client authentication 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Provides L3 web redirect to external server (eg. ISE) from locally switched VLAN Guest client is provided with URL/ACL permit to ISE Clients does webauth with ISE Guest moves to local switching FlexConnect AP must be in Connected state with Centralized Controller to work 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 BEFORE Client-link Disabled Wireless Client Performance AFTER Client-link Enabled No feedback from client required Lower Data Rates Higher Data Rates 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Functionality Aironet 1140* Aironet 1260 Aironet 1550 Aironet 3500 Aironet 3600 Aironet 2600 Aironet 1040* ClientLink 1.0 Videostream 2x2:2 MIMO up to 300 Mbps Enterprise class performance for smaller networks Enterprise Branch Small Enterprise ClientLink 1.0 VideoStream 2x3:2 MIMO up to 300 Mbps High performance for indoor and indoor ruggedized spaces All Enterprise Outdoor ClientLink 1.0 2x3:2 MIMO up to 300 Mbps High performance for indoor and indoor ruggedized spaces Service Provider Manufacturing Transportation ClientLink 1.0 VideoStream 2x3:2 MIMO up to 300 Mbps High performance with spectrum intelligence All Enterprise ClientLink 2.0 VideoStream 3600: 4x4:3 MIMO 2600: 3x4:3 MIMO up to 450 Mbps Dual band antennas Top performance with client acceleration and spectrum intelligence Education Healthcare * Due to ETSI regulations, AP 1042 and 1142 are EoS - recommended replacement is AP 1602i and 2602i Scale and Performance 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Modules available as of Q1CY13 Security Monitor Module IEEE ac Wave1 Module Modules require additional power to PoE Installed modules have slight rise Recommended to use mounting Bracket-2 or Bracket-3 AP 3600 deployment guide: products_tech_note09186a0080bb9102.shtml 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Objective To benchmark and verify Cisco's ability to support a high density of ipad s on a single AP against Aruba The specific benchmark to be evaluated is the ability to support 22 or more ipad s with an average video stream of 1Mbps Results: 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Functionality Cisco 2500 Wireless Controller On ISR SRE Cisco 5500 Wireless Services Module on Catalyst 6500 Cisco Flex 7500 Cloud Controller Desktop Appliance 50 Access Points 500 Clients 500 Mbps 4 GE ports Small Enterprise and Full Service Branch Software on ISR module 50 Access Points 500 Mbps Small Enterprise and Full Service Branch Virtual WLC I RU Appliance 500 Access Points 7000 Clients 8 GE ports Mid-Large Enterprise Scale and Performance Blade for Catalyst 6500, up to 7 blades per chassis 1000 Access Points Clients 10 GB Backplane Mid-Large Enterprise ESX/ESXi 4.x & 5.x 200 Access points 3000 Clients 500 Mbps 100 Flexconnect Groups (100 APs per group) 1 RU appliance 6000 Access Points Clients 2000 Flexconnect Groups (100 APs per group) Multiple Lean Branch Deployments 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 A bundled solution for complete wired and wireless lifecycle management Converged user and access management Inventory, discovery, configuration, change and compliance management Monitoring, troubleshooting and reporting Cisco Prime LMS Cisco Prime NCS Simplified ordering and license management Lower TCO with intuitive user experience and workflows Speed troubleshooting, improve network availability 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Client status with recommended troubleshooting steps 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 Network Partitioning Provides the capability for NCS to be segmented by network elements (controllers, AP s, switches, maps) Partitioning Granularity Alarms, reports, searches, applied templates, config groups are virtual domain aware. User-Level Control Granular control of user/admin privilege level (both predefined in NCS and RADIUS/TACAS) Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

37 Port based access control using authentication Identity Store 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

38 Most common are PEAP and EAP-TLS Most clients such as Windows, Mac OS X, Android, Apple ios support EAP-TLS, PEAP (MS-CHAPv2). Additional supplicants can add more EAP types (Cisco AnyConnect EAP-FAST with EAP-Chaining) Cisco and/or its affiliates. All rights reserved. Cisco Public 39

39 EAP Protocol ISE Internal Windows AD LDAP RADIUS Token RADIUS Proxy EAP-MD5 Yes No No No Yes EAP-TLS No Yes* Yes* No Yes PEAP- MSCHAPv2 Yes Yes No No Yes PEAP-TLS No Yes Yes No Yes EAP-FAST- MSCHAPv2 Yes Yes No No Yes PEAP-GTC Yes Yes Yes Yes Yes EAP-FAST-GTC Yes Yes Yes Yes Yes 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

40 What about all the special cases in the network? 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

41 Default IEEE timers might cause issues with PXE boot and DHCP Recommended to decrease from 30sec to 10sec 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

42 GUEST Switch.1 ACL-GUEST-REDIRECT Open Mode: ACL-DEFAULT: permit DHCP 802.1X / EAP/HTTP RADIUS AAA.21 1) Detection EAPoL-Start aaa authen dot1x default group RADIUS ISE ISE NO Supplicant 2) MAB Failure EAPOL TIMEOUT MAB Request Access-Request Service Selection: MAB NAS-IP: User-Name : [1] 14 "000423b2c55b User-Password : [2] 18 * Service-Type :[6] 6 Call Check [10] 3) Authorization 4) HTTP BROWSER Authorization applied Re-DHCP EAP Success Access-Accept [GUEST ACCESS] RADIUS Authorization: GUEST [27] = (24 hours) [29] = RADIUS-Request (1) [64,65,81] = VLAN, 802, GUEST [26/9/1] = dacl=acl-guest [26/9/1] = url-redirect-acl=acl-webauth- REDIRECT URL-Redirect 302 : Cisco and/or its affiliates. All rights reserved. Cisco Public 43

43 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

44 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

45 Authorization is the process of granting a level of access to the network Typically policies are applied using a group methodology allows for easier manageability Trustsec uses roles in addition Types of Authorization: Default: Closed until authenticated. Dynamic: VLAN assignment, ACL assignment, SGT Local: Guest VLAN, Auth-fail VLAN, Critical Auth VLAN Session based: RADIUS CoA Five stages of Authorization: Pre-Authentication After Passed Authentication After Failed Authentication No Authentication (no client) No Authentication (AAA server dead) 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

46 Cisco Innovation DACL or Named ACL VLANS Security Group Access Employee IP Any Remediation Contractor Employees VLAN 3 Guest VLAN 4 Security Group Access SXP, SGT, SGACL, SGFW Less disruptive to endpoint (no IP address change required) Improved user experience Does not require switch port ACL management Preferred choice for path isolation Simplifies ACL management Uniformly enforces policy independent of topology Fine-grained access control 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

47 Changing connection policy attributes on-the-fly Dynamic session control from a Policy server Re-authenticate session Terminate session Terminate session with port bounce Disable host port Session Query For Active Services For Complete Identity Service Specific Service Activate Service De-activate Service Query 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

48 Monitor Mode (Permit ALL by default) Primary Features Open mode Multi-Auth Flex-Auth (Optional) Low Impact Mode (Pre-auth pinholes) Primary Features Open mode Flex-Auth and Multi-Auth Port ACLs and dacls High Security Mode (Block ALL by default) Primary Features Traditional Closed Mode Dynamic VLANs dacls (optional) Benefits Unobstructed Access No Impact on Productivity Gain Visibility Benefits Maintain Basic Connectivity Increased Access Security Benefits Strict Access Control 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

49 Why IEEE 802.1x is Not Enough 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

50 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

51 Normal operation with MAC learning Switches use CAM (content addressable memory) to store port/mac/vlan binding All CAM tables are fixed size CAM table oveflow causes learning to stop and broadcast all frames, essentially turning switch into hub Macof tool (part of dsniff, Sends packets with random source MAC and IP addresses This attack will also fill CAM tables of other switches within L2 domain 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

52 Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope Gobbler can use same or new MAC address in each packet to request a new DHCP lease 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

53 Protect your switches from MAC flooding and users from DHCP starvation Does not control access to switch Upon violation can: Send SNMP trap watch out for high CPU utilization, so limit number fo SNMP traps generated Shutdown the port Drop traffic Does not control access to switch 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 55

54 What can attacker do if he is DHCP server? Wrong default gateway attacker is the gateway Wrong DNS server attacker is the DNS server Wrong IP address attacker causes DoS for clients Only trusted ports can receive DHCP Offer, Ack and Nak packets By default all ports in VLAN are untrusted Also builds snooping table If DHCP snooping is not supported, configure ACL to block incoming packets to UDP port Cisco and/or its affiliates. All rights reserved. Cisco Public 56

55 What if the attack used the same interface MAC address, but changed the client hardware address in the request? Gobbler can do this and port security will not work Cisco switches check the CHADDR field of the request to make sure it matches the source MAC of the packet If there is not a match, the request is dropped at the interface Requires DHCP snooping turned on Applies to untrusted interfaces only Some switches don t have this on by default check documentation ACLs will not help here 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

56 According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables Anyone can claim to be the owner of any IP/MAC address they like ARP attacks use this to redirect traffic Dsniff, Cain&Abel, ettercap, Yersinia, etc. Or simply have your host reply to all ARP broadcasts All of ARP spoofing tools capture the traffic/passwords of applications FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 58

57 Uses information from DHCP snooping binding table Configured per VLAN and all ports are by default untrusted Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding If not, traffic is blocked performed only at untrusted ports The DHCP snooping table is built from the DHCP request, but you can put in static entries for DAI to work 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

58 Attacker sends packets with incorrect source IP address Whatever device the packet is sent to will never reply to the attacker Basis DoS attacks like ICMP unreachable, TCP SYN, etc. Requires DHCP snooping IP Source Guard allows switch to learn MAC addresses only based on valid DHCP exchange or based on statically configured binding 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

59 MAC flooding 802.1x allows multi-auth and multi-host DHCP starvation 802.1x allows multi-auth and multi-host Rogue DHCP Server 802.1x does not prevent authenticated user acting as DHCP server ARP spoofing 802.1x does not prevent MITM attacks IP Spoofing 802.1x works at layer Cisco and/or its affiliates. All rights reserved. Cisco Public 61

60 Thank you.