Cisco Trusted Security: Enabling Switch Security Services
Michal Remper, CCIE #8151, CSE/AM, mremper@cisco.com
2009 Cisco Systems, Inc. All rights reserved.
Enter Identity & Access Management
Strategic context: the virtual enterprise network
The infrastructure challenge:
- The disappearing perimeter turns enterprises inside out
- This necessitates opening the network, creating a dichotomy: more flexible access and stronger security
- Security must span logical and physical boundaries
- Applications, databases and operating systems lack scalable, holistic means to manage identity, credentials and policy across these boundaries
- Wireless and other devices increase complexity
- A mistaken desire for SSO muddies the water
- Legal, social and regulatory trends are raising the bar for protecting networks, identities, brands and content
[Figure: the enterprise's internal systems and data, surrounded by suppliers, partners, employees, vendors and customers]
Problem Definition: Identity authentication across all access methods
[Figure: a converged policy engine behind the Catalyst switches (AAA for LAN), the Catalyst 6500 WiSM with Aironet WLAN access points (AAA for WLAN), the ASA (AAA for VPN) and Call Manager; users arrive as Employee, Contractor, Sub-Contractor, Guest or Unknown]
Benefit: transformation from a topology-aware network into a role-aware network.
Where to transform from topology-aware: 802.1X with VLANs and topology segmentation only goes so far
1. All VLANs must exist on all NADs to accommodate host mobility
2. All VLANs must be extended across L3 boundaries via manual configuration of VRFs; the same will be true for VNETs
3. All resources requiring access control must be manually segmented into VLANs or manually defined in firewall policies
4. Any change to the access security policy requires manually reconfiguring all devices in the network
5. Not suitable for large numbers of security groups, nor does it accommodate frequent policy changes
Source: Ken Hook
Cisco TrustSec (Trusted Security)
- Seamless authentication for various access types (secure campus access control): MAC Authentication, IEEE 802.1X, Web Authentication
- Converged policy framework: converged policy definition for different access types; policy enforced throughout the network
- Transforming from topology-aware to role-aware access control: a role-aware network
- Integrity & confidentiality: prevent data sniffing and tampering with line-rate hop-by-hop encryption
Cisco TrustSec Overview
Identification and Authorization
- Builds a trusted network infrastructure with Network Device Admission Control (NDAC)
- Extends IBNS and NAC by adding topology-independent ingress Security Group assignment at L2/L3
TrustSec Confidentiality and Integrity
- Wire-rate encryption and data integrity on L2 Ethernet switch ports
- Preserves all network-based accounting, deep packet inspection and intelligent services
- Uniform encryption, transparent to applications, protocols, etc.
Scalable Topology-Independent Access Control
- Centralized access control policy administration
- Consistent policy for wired, wireless and remote-access VPNs
- Network access control policy is decoupled from network topology, providing unparalleled scale
Evolution to Network Access Control: Topology-Aware to Role-Aware
Cisco TrustSec
- Network-wide role-based access control
- Network device access control
- Consistent policies for wired, wireless and remote access
Identity-Based Access Control / Network Admission Control (NAC)
- Posture validation: endpoint policy compliance
- Flexible authentication options: 802.1X, MAB, WebAuth, FlexAuth
- Comprehensive post-admission control options: dACL, VLAN assignment, URL redirect, QoS
Network Address-Based Access Control
- ACL, VACL, PACL, PBACL, etc.
Scaling Access Control
- Cisco TrustSec provides scalable access control via topology-independent group tags referred to as Security Group Tags (SGTs)
- These tags represent logical groups of users and/or servers that share similar sets of privileges
- SGTs are 16 bits (2 bytes), supporting up to 64K (65536) logical groups
[Figure: individuals and individual data-center servers collapsed into sample logical security groups. Source groups shown: Employee, Partner, Contractor, Guest, Unknown. Destination groups shown: Company Confidential, NDA Confidential, Sensitive, General Access. In this simple example source entities are reduced from 46 to 4 and destination entities from 60 to 4.]
Example access policy simplification:
- Before: 46 source IPs x 60 destination IPs x 4 TCP/UDP port permissions = 11040 ACEs
- After: 4 source SGTs x 4 destination SGTs x 4 TCP/UDP port permissions = 64 SGACL entries
Why Security Group Tags: Traditional ACLs vs. CTS Security Group Based Access Control
[Figure: traditional discretionary access control maps individuals through permissions directly to resources (Server 1, Server 2, Server 3); security-group-based access control maps individuals to source security groups (Employee, Partners, Contractor, Guest/Unknown, Employee Outside US), access rules to destination security groups (Internet, Confidential, Print/Copy, Special Projects), and resources to those destination groups]
Access list for S1 (traditional, per-host):
access-list 101 permit tcp S1/32 D1/32 eq http
access-list 101 permit tcp S1/32 D1/32 eq https
access-list 101 permit tcp S1/32 D2/32 eq ftp
access-list 101 permit tcp S1/32 D2/32 eq http
access-list 101 permit tcp S1/32 D2/32 eq https
access-list 101 permit tcp S1/32 D2/32 eq ftp
access-list 101 permit udp S1/32 D1/32 gt 1023
access-list 101 permit udp S1/32 D2/32 gt 1023
Challenges:
- Leads to ACE explosion: (# of sources) x (# of destinations) x (# of permissions) = # ACEs
- IP-address-based ACLs are challenging: changes in addressing schemes, use of DHCP, proliferation of wireless devices
- Assumes relatively static placement of users and resources
CTS addresses these challenges via:
- Security Group Tags (SGTs) provide a level of abstraction, reducing ACL/ACE proliferation dramatically
- Simplified policy definition: SGT/RBACLs are logical and topology independent
- Portable LAN policy: SGT/RBACLs allow for mobility of users and resources
Source: Ken Hook
Cisco TrustSec User Authorization and Access Control
- Define security groups for users and resources
- Sessions are authorized via a flexible ABAC model
- Access control policies are created without regard to network topology (no IP addresses, subnets or VLANs necessary)
- Access control policies are mapped between source and destination security groups via a matrix
- At runtime the user's traffic carries the Security Group Tag (SGT) in every packet
- Traffic is filtered by SGACLs, processed at wire speed on egress devices
[Figure: ABAC flow. Define security groups; define authorization rules (SGACLs); individuals map to source security groups (Employee, Partners, Contractor, Guest/Unknown, Employee Outside Europe); access rules map source groups to destination security groups (Internet, Confidential, Print/Copy, Special Projects); resources map to destination groups]
Policy Enforcement Throughout the Network: Role-Based Access Control Set-up
[Figure: Cisco ACS with an external directory server processes the authorization rules (verify identity credentials and obtain additional attributes); switch ports are classified as Employee (E), Confidential (C), Partner (P), General (U), Guest (G) or Internet (I); ingress tagging on access ports, egress filtering in front of resources]
Sequence shown:
1. Authentication request
2. RADIUS and AD authentication/authorization
4. Group membership dynamically assigned
5. SGACL dynamically applied
6. Links up
Legend, link/port status: Unauthenticated, Failed Authentication, Authenticated, Shutdown; Ingress Tagging; Egress Filtering
Security group classifications: E Employee Group, C Confidential Group, P Partner Group, U Unrestricted Group, G Guest Group, I Internet Group
Policy Enforcement Throughout the Network: Role-Based Access Control Deployment
[Figure: the same topology after deployment; a Partner-tagged flow toward the Confidential group is shown as Access Denied]
SGACL matrix: source groups E (Employee), P (Partner), G (Guest) on the rows; destination groups C (Confidential), U (Unrestricted), I (Internet) on the columns
Legend and security group classifications as on the previous slide
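The SGACL matrix on these two slides, and the ACE-count comparison on the scaling slide, as an added Python model (this is not code from the Cisco deck or from any Cisco product). The SGT numbers, the server IP bindings and the contents of each matrix cell are assumed for illustration; `enforce` is the egress decision a TrustSec switch makes in hardware, and `expand_to_ip_acl` shows what the same policy costs when written the traditional way.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # Cisco reserves SGT 0 for "Unknown" (unclassified traffic)

# Security group name -> SGT value (the numbers are assumed)
SGT = {"Employee": 10, "Partner": 20, "Guest": 30,
       "Confidential": 100, "Unrestricted": 110, "Internet": 120}


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int] = None  # None matches any port


def web_only() -> List[ACE]:
    return [ACE("permit", "tcp", 80), ACE("permit", "tcp", 443), ACE("deny", "ip")]


# SGACL matrix: (source SGT, destination SGT) -> ordered ACE list.
# Rows E/P/G and columns C/U/I follow the slide; the cell contents are assumed.
SGACL: Dict[Tuple[int, int], List[ACE]] = {
    (SGT["Employee"], SGT["Confidential"]): [ACE("permit", "tcp", 443), ACE("deny", "ip")],
    (SGT["Employee"], SGT["Unrestricted"]): [ACE("permit", "ip")],
    (SGT["Employee"], SGT["Internet"]): [ACE("permit", "ip")],
    (SGT["Partner"], SGT["Confidential"]): [ACE("deny", "ip")],
    (SGT["Partner"], SGT["Unrestricted"]): web_only(),
    (SGT["Partner"], SGT["Internet"]): [ACE("permit", "ip")],
    (SGT["Guest"], SGT["Internet"]): web_only(),
}

# The egress switch's static IP-to-SGT bindings for the servers it fronts
# (constructed addresses; real switches learn these from config, ACS or SXP)
DEST_BINDINGS = {
    ip_address("10.1.1.10"): SGT["Confidential"],
    ip_address("10.1.1.11"): SGT["Confidential"],
    ip_address("10.2.2.20"): SGT["Unrestricted"],
    ip_address("192.0.2.1"): SGT["Internet"],
}


def dest_sgt(dst_ip: str) -> int:
    """Destination group lookup at egress; an unbound destination is Unknown."""
    return DEST_BINDINGS.get(ip_address(dst_ip), UNKNOWN_SGT)


def enforce(src_sgt: int, dst_ip: str, proto: str, dst_port: Optional[int] = None) -> str:
    """Egress decision: the first matching ACE in the (source, destination) cell wins.
    A missing cell is denied here (fail closed). Caveat for real deployments: on
    Cisco switches the matrix default permits until a default SGACL is configured,
    so Unknown (SGT 0) sources and unbound pairs pass unless that default is set."""
    cell = SGACL.get((src_sgt, dest_sgt(dst_ip)))
    if cell is None:
        return "deny"
    for ace in cell:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"


def expand_to_ip_acl(src_bindings: Dict[str, int]) -> List[str]:
    """The traditional equivalent of the matrix: one ACE per (host, host, permission).
    Every new host, readdressing or move changes this list, while the SGACL matrix
    stays the same. Output uses IOS-like syntax for readability only."""
    lines: List[str] = []
    for (s_sgt, d_sgt), cell in SGACL.items():
        for s_ip, s in src_bindings.items():
            if s != s_sgt:
                continue
            for d_ip, d in DEST_BINDINGS.items():
                if d != d_sgt:
                    continue
                for ace in cell:
                    port = f" eq {ace.dst_port}" if ace.dst_port is not None else ""
                    lines.append(f"{ace.action} {ace.proto} host {s_ip} host {d_ip}{port}")
    return lines


def sgacl_ace_count() -> int:
    """Number of entries the policy server actually has to manage."""
    return sum(len(cell) for cell in SGACL.values())
```

With six source hosts the matrix above holds 12 entries while the per-host expansion already needs 33 lines, and the expansion has to be regenerated whenever a host is added or readdressed; the matrix does not change. Note the fail-closed default in `enforce`: a production matrix should get an explicit default cell rather than relying on the platform's permit-by-default behaviour for Unknown sources.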
TrustSec Key Features
Security Group Based Access Control
- Topology-independent access control based on user/device role (SGACL)
- Scalable ingress tagging (SGT) / egress filtering
- Centralized policy management / distributed policy enforcement
Authenticated Networking Environment
- Endpoint admission enforced via 802.1X authentication, MAB or Web Auth (full IBNS compatibility)
- Network device admission control based on 802.1X creates a trusted networking environment
- Only a trusted network device imposes the Security Group Tag
Confidentiality and Integrity
- Encryption based on IEEE 802.1AE (AES-GCM, 128-bit)
- Wire-rate hop-to-hop Layer 2 encryption
- Key management via SAP, based on 802.11i, awaiting standardization in 802.1X-REV
Security Group Based Access Control
What is an SGACL?
- Access control based on the Security Group Tag
- Policy enforced at the egress of a TrustSec-capable device
- No IP address required in the ACE
- Policy (ACL) is distributed from the central policy server (ACS) or configured statically on the TrustSec device
SGACL benefits
- Provides topology-independent policy enforcement (no more VLAN-based enforcement!)
- Policy can be role-based, more scalable and flexible
- Automatic and dynamic policy provisioning from the policy server
- Egress filtering reduces TCAM impact: each device needs only the matrix cells for the destination groups it serves
Security Group Tag (SGT)
- A unique 16-bit tag assigned to each unique role set in a TrustSec domain
- A single label indicating the privileges of the source within the entire enterprise
- Scope is global within a TrustSec domain, using a flat numbering scheme
Layer 2 SGT frame format: DMAC | SMAC | 802.1AE header | 802.1Q | CMD | ETYPE | Payload | ICV | CRC
Cisco Meta Data (CMD) format: CMD EtherType | Version | Length | SGT Option Type | SGT Value | Other CMD Options
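The CMD header from the frame format above, as an added Python encoder/decoder plus the ingress check that the "only a trusted device imposes the tag" principle implies (this is not code from the Cisco deck or from any Cisco product). The exact byte layout is my assumption about the deployed format: CMD EtherType 0x8909, Version 1, a Length byte counting the option area in 4-byte words, option type 0x0001 for the SGT, the 16-bit SGT value, then the EtherType of the encapsulated payload; 802.1AE and 802.1Q headers are left out. The SGT travels in the clear in the frame, so a host on an access port can just as easily send one; the 802.1AE ICV only vouches for it between two NDAC-authenticated switches, which is why `classify_ingress` discards any tag arriving on an untrusted port.

```python
import struct
from typing import NamedTuple

CMD_ETHERTYPE = 0x8909   # assumed Cisco Meta Data EtherType
CMD_VERSION = 1
CMD_OPT_SGT = 0x0001     # assumed option type for the SGT option
UNKNOWN_SGT = 0          # Cisco's reserved "Unknown" tag


class Frame(NamedTuple):
    dmac: bytes
    smac: bytes
    sgt: int             # UNKNOWN_SGT when no CMD header is present
    ethertype: int       # EtherType of the encapsulated payload
    payload: bytes


def build_frame(dmac: bytes, smac: bytes, sgt: int, ethertype: int, payload: bytes) -> bytes:
    """Insert a CMD header (8 bytes) between the MAC addresses and the payload EtherType."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit value")
    length_words = 1     # one 4-byte word of options: SGT option type + SGT value
    cmd = struct.pack("!HBBHH", CMD_ETHERTYPE, CMD_VERSION, length_words, CMD_OPT_SGT, sgt)
    return dmac + smac + cmd + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet frame with or without a CMD header."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dmac, smac = raw[0:6], raw[6:12]
    etype = struct.unpack("!H", raw[12:14])[0]
    if etype != CMD_ETHERTYPE:
        return Frame(dmac, smac, UNKNOWN_SGT, etype, raw[14:])
    if len(raw) < 22:
        raise ValueError("truncated CMD header")
    version, length_words, opt_type, sgt = struct.unpack("!BBHH", raw[14:20])
    if version != CMD_VERSION or opt_type != CMD_OPT_SGT:
        raise ValueError("unsupported CMD header")
    opt_end = 16 + 4 * length_words          # skip any further CMD options
    if len(raw) < opt_end + 2:
        raise ValueError("truncated CMD options")
    inner_etype = struct.unpack("!H", raw[opt_end:opt_end + 2])[0]
    return Frame(dmac, smac, sgt, inner_etype, raw[opt_end + 2:])


def classify_ingress(raw: bytes, port_trusted: bool, port_sgt: int) -> Frame:
    """Ingress tagging policy. A CMD tag is honoured only on a port whose peer was
    admitted by NDAC (port_trusted). On an access or otherwise untrusted port the
    tag is discarded, whatever the endpoint sent, and the port's own
    classification (RADIUS VSA or static assignment) is applied instead."""
    frame = parse_frame(raw)
    if port_trusted:
        return frame
    return frame._replace(sgt=port_sgt)
```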
SGT Assignment Practice
Every endpoint that touches the TrustSec network is classified and tagged (SGT). The SGT can be sent to the switch via a RADIUS VSA after:
- 802.1X based authentication
- MAC Authentication Bypass
- Web Authentication
(fully integrated with the Cisco IBNS solution), or statically assigned on the switch.
Every server that touches the TrustSec network is classified and tagged (SGT). The SGT is usually assigned to servers:
- manually (IP-to-SGT mapping on the TrustSec device)
- via port identity lookup to the ACS server
Sample Policy - SGT
The ACS 5.0 server auto-generates the SGT. A total of 64K SGTs is supported.
Sample Policy - SGACL
Legacy Platform Support
- SGT native tagging requires hardware (ASIC) support
- Devices without TrustSec-capable hardware can still receive SGT attributes from ACS for authenticated users or devices, and then forward the IP-to-SGT binding to a TrustSec SGACL-capable device for tagging and enforcement
- The SGT Exchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and non-capable devices
- Currently the Catalyst 6500 and 4500 switch platforms support SXP
- SXP accelerates deployment of SGACLs by avoiding an extensive hardware upgrade for TrustSec
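The binding exchange described above, as an added Python model of a legacy access switch (SXP speaker) and a TrustSec-capable switch (SXP listener) that tags on its behalf (this is not code from the Cisco deck or from any Cisco product). The message shape, the peer allow-list, the per-peer subnet check and all addresses and SGTs are constructed for illustration; real SXP runs over TCP with its own encoding, which is not reproduced. The point a practitioner should take from it: once tagging is done from an IP-to-SGT table rather than from the authenticated port, the table's lifecycle is the security boundary. A binding that is not withdrawn when the session ends hands the old SGT to whoever DHCP gives that address next, and a peer that can announce arbitrary IPs can assign itself any group.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

UNKNOWN_SGT = 0


class LegacySwitch:
    """Access switch without tagging hardware, acting as SXP speaker."""

    def __init__(self, name: str):
        self.name = name
        self.bindings: Dict[str, int] = {}   # host IP -> SGT learned from RADIUS
        self.peers: List["CapableSwitch"] = []

    def connect(self, listener: "CapableSwitch") -> None:
        """Peer up: replay the current binding table to the listener."""
        self.peers.append(listener)
        for ip, sgt in self.bindings.items():
            listener.receive(self.name, {"op": "add", "ip": ip, "sgt": sgt})

    def session_up(self, ip: str, sgt: int) -> None:
        """The RADIUS Access-Accept for the host at ip carried this SGT."""
        self.bindings[ip] = sgt
        for p in self.peers:
            p.receive(self.name, {"op": "add", "ip": ip, "sgt": sgt})

    def session_down(self, ip: str) -> None:
        """Logoff or link down: withdraw the binding, otherwise the next host
        that DHCP gives this address would inherit the old session's SGT."""
        self.bindings.pop(ip, None)
        for p in self.peers:
            p.receive(self.name, {"op": "delete", "ip": ip})


class CapableSwitch:
    """TrustSec-capable switch acting as SXP listener and tagging/enforcement point."""

    def __init__(self, name: str, allowed_peers: List[str], peer_subnets: Dict[str, List[str]]):
        self.name = name
        self.allowed_peers = set(allowed_peers)   # stands in for SXP peer authentication
        # Which host subnets each peer may announce. Assumed hardening, not an
        # SXP feature: stops a peer from claiming an SGT for someone else's address.
        self.peer_subnets = {p: [ip_network(s) for s in nets] for p, nets in peer_subnets.items()}
        self.sxp_bindings: Dict[str, Tuple[int, str]] = {}   # ip -> (sgt, owning peer)

    def receive(self, peer: str, msg: dict) -> bool:
        if peer not in self.allowed_peers:
            return False                                  # unknown peer: drop
        ip = ip_address(msg["ip"])
        if not any(ip in net for net in self.peer_subnets.get(peer, [])):
            return False                                  # outside the peer's hosts
        key = str(ip)
        if msg["op"] == "add":
            self.sxp_bindings[key] = (int(msg["sgt"]), peer)
        elif msg["op"] == "delete":
            cur = self.sxp_bindings.get(key)
            if cur is not None and cur[1] == peer:        # only the owner may withdraw
                del self.sxp_bindings[key]
        return True

    def sgt_for(self, src_ip: str) -> int:
        """Classify an untagged frame from a legacy switch by its source IP."""
        b = self.sxp_bindings.get(str(ip_address(src_ip)))
        return b[0] if b is not None else UNKNOWN_SGT
```

`session_down` is the part most often missing in home-grown equivalents: the capable switch has no session state of its own for these hosts, so the speaker's delete is the only thing that ever ages the binding out.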
Authenticated Network Environment
What does it provide?
- Network Device Admission Control (NDAC) provides strong mutual device authentication to form a trusted environment
- Authentication leads to the Security Association Protocol (SAP), which negotiates keys and cipher suite for encryption
- A trusted device acquires trust and policies from the ACS server
NDAC benefits
- Mitigates rogue network devices and establishes a trusted network fabric to ensure SGT integrity
- Automatic key and cipher suite negotiation for strong 802.1AE-based encryption
Network Device Admission Control (NDAC)
- 802.1X authentication (EAP-FAST with MSCHAPv2) derives keys and negotiates the cipher suite automatically
- Devices automatically determine their role, supplicant or authenticator
- ACS 5.0 resolves NDAC requests without additional configuration
- NDAC is NOT required for 802.1AE encryption or SGACLs, but it is recommended
- Adds an extra layer of security and trust to your network
Confidentiality and Integrity
What does it provide?
- Layer 2 hop-by-hop encryption and integrity, based on IEEE 802.1AE
- Line-rate encryption/decryption for both 10GbE and 1GbE interfaces
- Replay protection of each and every frame
Benefits
- Protects against man-in-the-middle attacks (snooping, tampering, replay)
- Standards-based frame format and algorithm (AES-GCM)
- The 802.1X-REV/MKA addition supports per-device security associations in shared-media environments (e.g. PC vs. IP phone) to provide secured communication
- A hop-by-hop approach is amenable to network services, compared to an end-to-end approach (e.g. Microsoft Domain Isolation/IPsec)
Hop-by-Hop Encryption via IEEE 802.1AE
Bump-in-the-wire model:
- Packets are encrypted on egress
- Packets are decrypted on ingress
- Packets are in the clear inside the device
This allows the network to continue to perform all the packet inspection features currently used, and it can be incrementally deployed depending on link vulnerability. The flip side is that every switch on the path sees the cleartext, so the confidentiality of a flow is only as good as the least trusted hop, which is why NDAC is recommended alongside 802.1AE.
[Figure: three switches in a row; each link carries TrustSec/802.1AE cipher data; each device decrypts on the ingress interface, handles the packet in the clear inside the system, and encrypts again on the egress interface]
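The bump-in-the-wire behaviour above and the per-frame replay protection from the previous slide, as an added Python model (this is not code from the Cisco deck or from any Cisco product). The SecTAG layout follows 802.1AE (EtherType 0x88E5, TCI/AN byte, SL byte, 32-bit packet number, 8-byte SCI) and the replay check follows the standard's lowest-acceptable-PN rule. Two assumptions: the ICV is HMAC-SHA256 truncated to 16 bytes standing in for the AES-GCM tag, so what is shown is 802.1AE's integrity-only mode with the payload left in the clear, and all keys and addresses are constructed. `forward_hop` is the switch in the middle: verify on the ingress SA, handle the frame in the clear, re-protect on the egress SA with the next link's own key.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

SECTAG_ETYPE = 0x88E5   # IEEE 802.1AE MACsec EtherType
SECTAG_LEN = 16         # EtherType(2) + TCI/AN(1) + SL(1) + PN(4) + SCI(8)
ICV_LEN = 16


def protect(key: bytes, sci: bytes, an: int, pn: int,
            dmac: bytes, smac: bytes, payload: bytes) -> bytes:
    """Egress side: insert a SecTAG after the MAC addresses and append an ICV
    computed over addresses + SecTAG + payload. Assumption: HMAC-SHA256 truncated
    to 16 bytes stands in for the AES-GCM tag (integrity-only mode)."""
    if len(sci) != 8 or not 0 <= an <= 3 or not 1 <= pn <= 0xFFFFFFFF:
        raise ValueError("bad SA parameters")
    tci_an = 0x20 | an                 # TCI: SC bit (SCI present) + association number
    sl = 0                             # short length 0: payload is not a short frame
    sectag = struct.pack("!HBBI", SECTAG_ETYPE, tci_an, sl, pn) + sci
    body = dmac + smac + sectag + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class ReceiveSA:
    """Ingress state for one secure association: ICV check plus replay window."""

    def __init__(self, key: bytes, replay_window: int = 0):
        self.key = key
        self.window = replay_window
        self.next_pn = 1        # next PN expected in order
        self.lowest_pn = 1      # anything below this is treated as a replay

    def verify(self, frame: bytes) -> Tuple[bool, Optional[bytes], Optional[bytes], Optional[bytes]]:
        """Returns (ok, dmac, smac, payload); ok is False on bad ICV or replay."""
        rejected = (False, None, None, None)
        if len(frame) < 12 + SECTAG_LEN + ICV_LEN:
            return rejected
        body, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):      # tampered, or wrong key
            return rejected
        etype, _tci_an, _sl, pn = struct.unpack("!HBBI", body[12:20])
        if etype != SECTAG_ETYPE:
            return rejected
        # 802.1AE replay protection: drop PNs below lowestPN. The standard keeps
        # no per-PN bitmap, so with window > 0 a duplicate inside the window is
        # accepted; keep the window at 0 unless the link really reorders frames.
        if pn < self.lowest_pn:
            return rejected
        if pn >= self.next_pn:
            self.next_pn = pn + 1
            self.lowest_pn = max(self.lowest_pn, self.next_pn - self.window)
        return True, body[0:6], body[6:12], body[12 + SECTAG_LEN:]


def forward_hop(rx: ReceiveSA, frame: bytes, tx_key: bytes, tx_sci: bytes, tx_pn: int) -> Optional[bytes]:
    """Bump in the wire: verify on the ingress SA, handle the frame in the clear
    (this is where SGACL, QoS, NetFlow and DPI run), re-protect on the egress SA
    of the next link with its own key. Returns None if ingress verification fails."""
    ok, dmac, smac, payload = rx.verify(frame)
    if not ok:
        return None
    return protect(tx_key, tx_sci, 0, tx_pn, dmac, smac, payload)
```

The window test at the end of the block's checks is the practitioner caveat: a replay window larger than zero trades strict replay protection for tolerance of reordering, and 802.1AE does not remember which PNs inside the window it has already accepted.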
Sample Trace for 802.1AE