ONE POLICY. Tengku Shahrizam, CCIE, Asia Borderless Network Security. 20th June 2013


Agenda
- Secure Unified Access with ISE
- Role-Based Access Control
- Profiling
- TrustSec
- Demonstration

How ISE is Used Today
BYOD: users get safely on the internet, fast and easy.
GUEST ACCESS: it's easy to provide guests limited time and resource access.
SECURE ACCESS ON WIRED, WIRELESS & VPN: control with one policy across wired, wireless and remote infrastructure.
TRUSTSEC NETWORK POLICY: rules written in business terms control access.

Cisco Secure Access Enabled by ISE
Policy management: Identity Services Engine (ISE), Prime Infrastructure.
Policy information: user directory, profiling from Cisco infrastructure, posture from end-point agents.
Policy enforcement: Cisco infrastructure (switches, wireless controllers, firewalls, routers).

Cisco Identity Services Engine (ISE): All-in-one Enterprise Policy Control
Context for business-relevant policies: WHO (identity context: VM client, IP device, guest, employee, remote user), WHAT (security policy attributes), WHERE, WHEN and HOW (wired, wireless, VPN).
Replaces AAA & RADIUS, NAC, guest management and device identity servers.

Secure Unified Access: Securing the Intelligent Platform for the Connected World
Management: Cisco Prime, Cisco ISE, MDM Manager (third-party MDM appliance), Cisco CSM and ASDM.
Enforcement: Cisco Catalyst Switches and wired network devices, Cisco WLAN Controller, Cisco Web Security, Cisco ASA Firewall and IPS.
Endpoint: Cisco AnyConnect for office wired access, office wireless access and remote access.

ISE & MDM Integration: The New Way (Best Practice Today, ISE 1.2)
ISE: device access control, device profiling, BYOD on-boarding.
MDM (Mobile Device Manager): mobile device security control, device compliance, mobile application management, securing data at rest.
ISE and MDM together: enforced mobile device compliance.
- Forces on-boarding to MDM for personal devices used for work.
- Register but restrict access for personal devices not managed by MDM.
- Quarantine non-compliant devices based on MDM policy.
- MDM cannot see non-registered devices to enforce device security, but the network can.
(MDM partner versions shown on the slide: 6.2, 7.1, 2.3, 5.0; the vendor logos are not in the transcript.)

Secure Access: Role Based, Dynamic Provisioning
1. Context-aware classification: Who? What? When? Where? How?
2. Context-aware policy (ISE)
3. Enforcement

Secure Access: Classification Attributes
Who? Employee, attacker, guest.
What? Personal device, company asset.
How? Wired, wireless, VPN.
Where? At Starbucks, at headquarters.
When? Weekends vs. week days; working hours (figure labels: 8:00 AM to 6:00 PM; 8:00am to 5:00pm PST).

Identity Services Engine (ISE): Identity Stores / Attribute Sources
ISE internal store: internal endpoints, internal users.
RADIUS: RFC 2865-compliant RADIUS servers.
Active Directory: Microsoft Windows Active Directory 2003 (32-bit only), 2003 R2 (32-bit only), 2008 (32-bit and 64-bit), 2008 R2 (32-bit and 64-bit).
LDAP servers: SunONE LDAP Directory Server 5.2, Linux LDAP Directory Server 4.1.
NAC Profiler: version 2.1.8 or later.
Token servers: RSA ACE/Server 6.x series, RSA Authentication Manager 7.x series, RFC 2865-compliant RADIUS token servers, SafeWord Server (prompts).

ISE Authentication Policy: Who = 802.1X Managed Users (Who? How?)
Examples: employees/staff, faculty/students, extended access for partners/contractors.
Primary auth methods: 802.1X or agent-based.

ISE Authentication Policy: Who = VPN Users (Who? How?)
Examples: employees/staff, faculty/students, extended access for partners/contractors.
Primary auth methods: 802.1X or agent-based. The slide also shows the OTP server configuration.

ISE Authentication Policy: Allowed Protocols (Who? How?)
A more specific condition can be defined to match a flow (e.g. by user or location) and select protocol-specific settings for it.

Agents: AnyConnect 3.1
Unified access interface for 802.1X on LAN/WLAN, VPN (SSL-VPN and IPsec) and mobile user security (WSA/ScanSafe).
Supports MACsec/MKA (802.1X-REV) for data encryption in software; performance depends on the endpoint CPU. MACsec-capable hardware (network cards) enhances performance with AC 3.0.
The NAC Agent is currently used for posture and will be merged into AnyConnect in AC 3.2.

ISE Web Authentication (Who?)
Centralized and customizable web authentication portal; both employee and guest auth supported; tunable username and password policies; print, email and SMS guest notifications.
The controller or switch needs something to intercept browser requests in order to provide the captive portal and/or redirection to a local or remote web auth portal.

Authorization Policy (Who?)
Permissions = authorizations, for example:
Employee_iPAD -> Set VLAN = 30 (Corp Access)
Contractor_iPAD -> Set VLAN = 40 (Internet Only)

What is Profiling?
Collection: the process of collecting data to be used for identifying devices; uses probes for collecting device attributes (NMAP, NetFlow, HTTP, LLDP, SNMP, DHCP, RADIUS).
Classification: classifies based on the device fingerprint.

Collection: Getting traffic to Probes: DHCP via IP Helper (What?)
The NAD relays the client's DHCP-REQ to the PSN. A great and simple method of getting DHCP traffic to ISE; it requires configuration of the NADs to relay DHCP packets to ISE. The DHCP probe in ISE collects the DHCP data for use in the profiling policy; ISE only listens on the relayed copy and never answers the request. For WLCs, disable DHCP proxy: with proxy enabled the controller acts as the relay itself, so the switch SVI helper addresses are bypassed and ISE never sees the client's packets.
Configuration commands:
interface Vlan50
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip helper-address 10.1.100.5     (for ISE: the PSN running the DHCP probe)

DHCP Policy Example (What?)
Condition: DHCP:dhcp-class-identifier CONTAINS "Cisco Systems, Inc. IP Phone"
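What the DHCP probe actually works on is the option TLVs inside the relayed DHCPDISCOVER/REQUEST. The following is an added example (not Cisco code) that parses those options from a raw BOOTP/DHCP payload, maps option 60/12/55 to the attribute names the profiler shows, and evaluates the slide's CONTAINS condition. The two packets are constructed by hand; the attribute names, the case-sensitive CONTAINS and the option-to-name mapping are assumptions.

```python
"""Parse the DHCP options ISE's DHCP probe keys on and evaluate a profiler
condition over them. Added example, not Cisco code; packets are constructed."""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: follows the 236-byte BOOTP header

# Option code -> attribute name as displayed by the ISE profiler (assumed naming)
OPTION_NAMES = {12: "host-name", 55: "dhcp-parameter-request-list", 60: "dhcp-class-identifier"}


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes} for a BOOTP/DHCP payload (the UDP data).
    PAD (0) has no length byte, END (255) stops parsing; a truncated option
    raises instead of silently yielding partial attributes."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                       # PAD
            i += 1
            continue
        if code == 255:                     # END
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def dhcp_attributes(packet: bytes) -> dict:
    """Map a client's DHCP packet to profiler-style attributes (MAC from chaddr)."""
    options = parse_dhcp_options(packet)
    hlen = packet[2]
    attrs = {"MACAddress": ":".join(f"{b:02X}" for b in packet[28:28 + hlen])}
    for code, name in OPTION_NAMES.items():
        if code not in options:
            continue
        if code == 55:                      # requested option codes, one byte each
            attrs[name] = ",".join(str(b) for b in options[code])
        else:
            attrs[name] = options[code].decode("ascii", errors="replace")
    return attrs


def condition_matches(attrs: dict, attribute: str, operator: str, value: str) -> bool:
    """One profiler rule condition, e.g. dhcp-class-identifier CONTAINS "...".
    Only CONTAINS and EQUALS, case-sensitive (an assumption about ISE)."""
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if operator == "CONTAINS":
        return value in actual
    if operator == "EQUALS":
        return value == actual
    raise ValueError(f"unsupported operator {operator}")


def build_discover(mac: bytes, options: list) -> bytes:
    """Build a minimal DHCPDISCOVER (constructed sample input, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,              # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         0x3903F326, 0, 0x8000,   # xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + DHCP_MAGIC_COOKIE + b"\x35\x01\x01" + body + b"\xff"


# Constructed samples: a Cisco IP phone and a Windows PC asking for a lease.
PHONE = build_discover(b"\x00\x1b\xd4\x11\x22\x33", [
    (60, b"Cisco Systems, Inc. IP Phone CP-7965G"),
    (55, bytes([1, 66, 6, 3, 15, 150, 35])),
])
WINDOWS_PC = build_discover(b"\x00\x50\x56\xaa\xbb\xcc", [
    (12, b"jsmith-laptop"),
    (60, b"MSFT 5.0"),
    (55, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43])),
])
PHONE_RULE = ("dhcp-class-identifier", "CONTAINS", "Cisco Systems, Inc. IP Phone")


def is_cisco_ip_phone(packet: bytes) -> bool:
    """The slide's DHCP policy condition applied to one packet."""
    return condition_matches(dhcp_attributes(packet), *PHONE_RULE)


if __name__ == "__main__":
    for name, pkt in (("phone", PHONE), ("pc", WINDOWS_PC)):
        print(name, dhcp_attributes(pkt), "-> Cisco IP Phone:", is_cisco_ip_phone(pkt))
```

Option 55 (the parameter request list) is worth keeping even though the slide's rule does not use it: its order is fixed by the client's DHCP stack, so it distinguishes OS families even when option 60 is absent or spoofed to look like a phone.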

Collection: Getting traffic to ISE: HTTP via URL Redirection (What?)
User-Agent is an HTTP request header sent from web browsers to web servers. It includes application, vendor and OS information that can be used in profiling endpoints. User-Agent attributes can be collected from web browser sessions redirected to the PSN for existing services such as Central Web Auth (CWA), Device Registration WebAuth (DRW) and Native Supplicant Provisioning (NSP). The endpoint is redirected to the PSN on TCP/8443.

Collection: HTTP via URL Redirection, NAD Configuration (What?)
Switch configuration commands:
ip http server
ip http secure-server
ip access-list extended REDIRECT-ACL
 deny tcp any host <PSN_IP_address>
 permit tcp any any eq http
 permit tcp any any eq https
(In a redirect ACL, permit entries select the traffic that is redirected; the deny for the PSN keeps the portal's own traffic out of the redirect loop.)
WLC: enable CoA support.

HTTP Policy Example (What?)
HTTP probe attributes are collected during client provisioning. Condition: if User-Agent CONTAINS ipad

Collection: Getting traffic to Probes: IOS Sensor (What?)
Aggregates and forwards profiling information over the existing RADIUS traffic between the NAD and ISE. IOS switches collect DHCP, LLDP and CDP data; the data is sent to ISE as cisco-av-pair attributes in RADIUS accounting updates.
IOS Sensor is supported on IOS 15.0(1)SE1 for Catalyst 3K, IOS 15.1(1)SG for Catalyst 4K, and WLC 7.2.11.
Configuration commands:
device-sensor accounting
device-sensor notify all-changes
Advantages: improved scalability and simplified deployment.

Collection: Getting traffic to Probes: IOS Sensor, continued (What?)
The slide shows the data collected using IOS Sensor: CDP and DHCP data sent using Cisco-AV-Pair.

Collection: Getting traffic to ISE: NMAP (Targeted Scan) (What?)
The NMAP utility incorporated into ISE allows the profiler to detect new endpoints via a subnet scan (on demand, e.g. 10.76.40.0/24) and to classify endpoints based on their operating system, OS version and services as detected by NMAP. The Network Scan probe is considered an active assessment mechanism since it communicates directly with the endpoint to obtain information from the source. A scan can also be triggered dynamically based on policy, e.g. trigger a scan for endpoints with OUI = Apple.

Getting traffic to Probes: NMAP, continued (What?)
Active scan triggered by policy: if an Apple device, then scan and report the OS version.

Profiling Policies: Requirements, probes and collection methods
(per device profile: unique attribute | probe used | collection method)
Cisco IP Phone:
  OUI | RADIUS | RADIUS authentication
  CDP | SNMP query | triggered by RADIUS Start
IP Camera:
  OUI | RADIUS | RADIUS authentication
  CDP | SNMP query | triggered by RADIUS Start
Printer:
  OUI | RADIUS | RADIUS authentication
  DHCP Class Identifier | DHCP
POS Station (static IP):
  MAC Address | RADIUS (MAC address discovery) | RADIUS authentication
  ARP cache for MAC-to-IP mapping | SNMP query | triggered by RADIUS Start
  DNS name | DNS | triggered by IP discovery
Apple iPad/iPhone:
  OUI | RADIUS | RADIUS authentication
  Browser User-Agent | HTTP | authorization policy posture redirect to the central Policy Service node cluster
  DHCP Class Identifier + MAC-to-IP mapping | DHCP | IP helper from the local L3 switch SVI
Device X:
  MAC Address | RADIUS (MAC address discovery) | RADIUS authentication
  Requested IP address for MAC-to-IP mapping | DHCP | RSPAN of DHCP server ports to the local Policy Service node
  ARP cache for MAC-to-IP mapping (optional) | SNMP query | triggered by RADIUS Start
  Port # traffic to destination IP | NetFlow | NetFlow export from the distribution 6500 switch to the central Policy Service node

Canned profiles built in to ISE: Apple, Lexmark, WYSE, VMware, HP, Microsoft, Motorola, Samsung, Cisco, Xerox, BlackBerry.


Rule Condition, Profiler Policy and Authorization Policy
1) The endpoint must match the minimum certainty factor of the profiler policy.
2) In this case two conditions in the rules table will need to be met.
Authorization policy: if BlackBerry then allow Internet access.

What can I do when ISE can't recognize and profile a specific type of endpoint (e.g. an APC UPS)?
ISE does learn the OUI and possibly other info which can be used to write a custom profile; the learned attributes can be used for writing custom profiling conditions.

Profile policy creation and endpoint assignment
The profile will be distributed to all ISE nodes and APC devices on the network will be profiled correctly. Custom profiles created by customers and Cisco partners can be shared after publishing to Cisco Feed Services.

Profiler Feed Service: Zero Day availability
The PSN pulls profile updates from the Cisco Feed Server database; partner notifications are supported. No need to wait for a new ISE version: zero-day support for popular endpoints is added using the Feed Server.

Feed Service policy and OUI update reports are also available, with email notifications.

ISE Authorization: Smart Phone vs Corp Policy (Who? What?)
Who = Employee, What = device type. Permissions = authorizations:
Employee Phone -> Set VLAN = 601 (Internet Only)
Employee PC -> Set VLAN = 603 (Full Access)

Logical Profiling (What?)
I would like to group all my smart phones and iOS devices into a logical profile (e.g. "ios-devices", alongside "IP-Phones") to facilitate writing policy.

Smart Phone Policy Using Logical Profiles (Who? What?)
Who = Employee, What = logical profile. Permissions = authorizations:
Employee Phone -> Set VLAN = 601 (Internet Only)
Employee PC -> Set VLAN = 603 (Full Access)
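The pieces from the last few slides (rules with a minimum certainty factor, a custom profile written from a learned OUI such as the APC UPS, and logical profiles feeding an authorization rule) fit together into one classification pass. The following is an added example of that pass, not Cisco's profiler algorithm: the OUI table, the certainty factors, the profile hierarchy and the endpoints are all constructed, and the parent-before-child evaluation is a simplification of what ISE does.

```python
"""Toy profiler: each rule adds a certainty factor (CF) when it matches, a
profile matches when the summed CF reaches its minimum, child profiles are
only evaluated once the parent matched, and logical profiles group profiles
for authorization. Added example; OUIs, profiles and endpoints are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed OUI table (first three octets -> vendor); ISE uses the IEEE registry.
OUI_VENDORS = {"3C:07:54": "Apple, Inc.", "00:1B:D4": "Cisco Systems, Inc",
               "00:C0:B7": "American Power Conversion Corp"}


@dataclass
class Rule:
    attribute: str
    operator: str          # CONTAINS or EQUALS
    value: str
    cf: int                # certainty factor contributed when the rule matches

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        return self.value in actual if self.operator == "CONTAINS" else self.value == actual


@dataclass
class Profile:
    name: str
    min_cf: int
    rules: list
    parent: Optional[str] = None

    def certainty(self, attrs: dict) -> int:
        return sum(r.cf for r in self.rules if r.matches(attrs))


PROFILES = [
    Profile("Apple-Device", 10, [Rule("OUI", "CONTAINS", "Apple", 10)]),
    Profile("Apple-iPad", 20, [Rule("User-Agent", "CONTAINS", "iPad", 20),
                               Rule("host-name", "CONTAINS", "iPad", 10)], parent="Apple-Device"),
    # Two conditions are needed here: the OUI alone (10) is below the minimum of 30.
    Profile("Cisco-IP-Phone", 30, [Rule("OUI", "CONTAINS", "Cisco", 10),
                                   Rule("dhcp-class-identifier", "CONTAINS",
                                        "Cisco Systems, Inc. IP Phone", 20)]),
    Profile("Windows-PC", 20, [Rule("dhcp-class-identifier", "CONTAINS", "MSFT", 20)]),
    # Custom profile for a device with no canned policy, written from the learned OUI.
    Profile("APC-UPS", 20, [Rule("OUI", "CONTAINS", "American Power Conversion", 20)]),
]
LOGICAL_PROFILES = {"ios-devices": {"Apple-iPad", "Apple-iPhone"}, "IP-Phones": {"Cisco-IP-Phone"}}


def enrich(attrs: dict) -> dict:
    """Derive the OUI vendor from the MAC before the rules are evaluated."""
    out = dict(attrs)
    if "MACAddress" in out:
        out["OUI"] = OUI_VENDORS.get(out["MACAddress"][:8].upper(), "")
    return out


def classify(attrs: dict) -> str:
    """Deepest matching profile, highest certainty among ties, else 'Unknown'."""
    attrs = enrich(attrs)
    by_name = {p.name: p for p in PROFILES}
    matched = {}
    for p in PROFILES:                     # parents are listed before their children
        if p.parent is not None and p.parent not in matched:
            continue
        cf = p.certainty(attrs)
        if cf >= p.min_cf:
            matched[p.name] = cf
    if not matched:
        return "Unknown"

    def depth(name: str) -> int:
        parent = by_name[name].parent
        return 0 if parent is None else 1 + depth(parent)
    return max(matched, key=lambda n: (depth(n), matched[n]))


def authorize(identity_group: str, profile: str) -> str:
    """The slide's rule: employee smart phones get the Internet-only VLAN,
    employee PCs full access; anything else is denied (assumed default)."""
    if identity_group != "Employee":
        return "DenyAccess"
    if profile in LOGICAL_PROFILES["ios-devices"]:
        return "VLAN 601 (Internet Only)"
    if profile == "Windows-PC":
        return "VLAN 603 (Full Access)"
    return "DenyAccess"
```

Note what the two-condition rule buys: a Cisco OUI seen only through RADIUS leaves the phone Unknown until the DHCP probe (or IOS Sensor) delivers the class identifier, which is why the collection method matters as much as the rule itself.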

What is Posture?
Posture = the state of compliance with the company's security policy. Is the system running the current Windows patches? Do you have anti-virus installed, and is it up to date? Do you have anti-spyware installed, and is it up to date?

ISE Posture (What?): what can be checked
Microsoft updates (service packs, hotfixes), OS/browser versions, antivirus installation/signatures, antispyware installation/signatures, file data, services, applications/processes, registry keys.

ISE Posture Policies: NAC vs Web Agent
Employee policy: Microsoft patches updated; McAfee AV installed, running and current; corporate asset checks; enterprise application running.
Contractor policy: any AV installed, running and current.
Guest policy: accept AUP (no posture, Internet only).

ISE Posture Policy Example
Corporate policy: must have Kaspersky AV installed; automatic remediation enforced.
Guest policy: must have AV installed, but it can be from any vendor.
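The three policies on the preceding slides differ in which requirements apply and how strict each is (a named AV vendor versus any vendor, "current" definitions, a corporate-asset check). The following is an added example of evaluating such a policy over an agent's report and naming the remediation for each failed requirement; it is not the NAC/Web Agent's own logic. The report layout, the registry key used for the domain check, the 7-day definition-age limit and the remediation choices are assumptions.

```python
"""Posture evaluation over a constructed agent report, mirroring the
employee/contractor/guest policies on the slides. Added example, not agent code."""
from datetime import date, timedelta

DEFINITION_MAX_AGE = timedelta(days=7)          # assumed meaning of "current"
DOMAIN_REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain"  # assumed key
CORP_DOMAIN = "mycompany.com"


def _av(report: dict) -> dict:
    """Antivirus section of the report, empty when nothing is installed."""
    return report.get("av") or {}


def av_current(report: dict, today: date) -> bool:
    defs = _av(report).get("definitions")
    return defs is not None and today - defs <= DEFINITION_MAX_AGE


# (requirement, check(report, today) -> bool, remediation option from the agent table)
EMPLOYEE = [
    ("Microsoft patches updated", lambda r, t: not r.get("missing_patches"), "Windows Update"),
    ("McAfee AV installed", lambda r, t: _av(r).get("vendor") == "McAfee", "File Distribution"),
    ("AV running", lambda r, t: _av(r).get("running") is True, "Launch Program"),
    ("AV definitions current", av_current, "AV Definition Update"),
    ("Corporate asset (domain registry key)",
     lambda r, t: r.get("registry", {}).get(DOMAIN_REG_KEY) == CORP_DOMAIN, "Message Text"),
    ("Enterprise application running",
     lambda r, t: "corp-agent.exe" in r.get("processes", []), "Launch Program"),
]
CONTRACTOR = [
    ("Any AV installed", lambda r, t: bool(_av(r).get("vendor")), "URL Link"),
    ("AV running", lambda r, t: _av(r).get("running") is True, "Message Text"),
    ("AV definitions current", av_current, "AV Definition Update"),
]
GUEST = [("AUP accepted", lambda r, t: r.get("aup_accepted") is True, "Message Text")]
POLICIES = {"Employee": EMPLOYEE, "Contractor": CONTRACTOR, "Guest": GUEST}


def evaluate(role: str, report: dict, today: date):
    """Return ('Compliant', []) or ('NonCompliant', [(requirement, remediation), ...])."""
    failed = [(name, fix) for name, check, fix in POLICIES[role] if not check(report, today)]
    return ("Compliant" if not failed else "NonCompliant", failed)


# Constructed reports; "today" is pinned so the definition-age check is deterministic.
TODAY = date(2013, 6, 20)
EMPLOYEE_LAPTOP = {
    "missing_patches": [],
    "av": {"vendor": "McAfee", "running": True, "definitions": date(2013, 6, 18)},
    "registry": {DOMAIN_REG_KEY: "mycompany.com"},
    "processes": ["explorer.exe", "corp-agent.exe"],
}
CONTRACTOR_LAPTOP = {
    "av": {"vendor": "Kaspersky", "running": True, "definitions": date(2013, 5, 1)},
}

if __name__ == "__main__":
    print(evaluate("Employee", EMPLOYEE_LAPTOP, TODAY))
    print(evaluate("Contractor", CONTRACTOR_LAPTOP, TODAY))
    print(evaluate("Employee", CONTRACTOR_LAPTOP, TODAY))   # wrong vendor, not a corp asset
```

Running the contractor's laptop through the employee policy shows why the role must be decided before posture: the same report is compliant for a contractor except for stale definitions, but fails the vendor, corporate-asset and enterprise-application checks as an employee.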

User and Machine Policies: I Know Who You Are, But Are You Logging In from a Corporate Device?
User identity: username/password credentials (802.1X or WebAuth) or a user certificate (802.1X). "Hi, I am jsmith and my password is *******": corporate user or guest (non-employee)?
Machine identity: MAC address (00:11:22:AA:BB:CC) or a machine certificate (802.1X): corporate or personal device?
How do I tie the two together in a single policy? User + Machine = Access Policy.

Identifying Corporate Assets: Posture Assessment
The NAC or Web Agent checks the Windows registry for the domain value, e.g. mycompany.com.

Identifying Corporate Assets: EAP-Chaining
EAP Chaining uses EAP-FAST protocol extensions and ties both machine and user credentials to the device, so the owner is known to be using a corporate asset. Machine credentials are authenticated to the network using 802.1X. Once the user logs onto the device, the session information from the machine auth and the user credentials are sent as part of the same authentication. If both machine and user credentials are successfully validated, the owner is tied to the device (corporate asset). If either credential fails, restricted network access can be given according to ISE policy.
Flow: machine credentials -> machine authentication (RADIUS to the PSN); user credentials -> user authentication; both validated against AD (EAP-MSCHAPv2 inner method) or PKI (EAP-TLS inner method).

Identifying Corporate Assets: EAP-Chaining Policy Example
The user authentication includes both user and machine identity types. AnyConnect is required for EAP-Chaining.

Context Aware Access: ISE Authorization Policy Example
Access policy inputs: user, device type, location, posture, time, access method, custom.

Policy Enforcement: VLAN or ACL
The endpoint authenticates via EAPOL (dot1x), MAB or WebAuth to the PSN (10.1.204.126); ISE returns a VLAN or ACL that is applied on the switch or WLC. The diagram shows Finance and HR users reaching the Finance and HR servers across the core.

Policy Enforcement: SGACL Enforcement on Switch
The endpoint authenticates via EAPOL (dot1x), MAB or WebAuth; ISE assigns an SGT (SXP binding: IP 10.1.204.126 = SGT 5) and the SGACL is enforced on the switch in front of the Finance and HR servers.

Policy Enforcement: Security Group Firewall on ASA
The endpoint authenticates via EAPOL (dot1x), MAB or WebAuth and is classified as Employee (SXP binding: IP 10.1.204.126 = Employee_SGT). Security group filtering: the policy is written in the ASA using SGTs retrieved from ISE, protecting the web servers and the Finance server.
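Both enforcement points above make the same decision: resolve source and destination IP to an SGT through the SXP bindings, then evaluate the matrix cell for that (source, destination) pair. The following is an added example of that decision, not IOS or ASA code. The binding IP 10.1.204.126 = SGT 5 comes from the slide; every other binding, SGT number and matrix cell is constructed, and the "permit" fallback for cells with no policy is an assumption that mirrors ISE's default.

```python
"""TrustSec-style enforcement decision: IP -> SGT via longest-prefix match over
SXP bindings, then evaluate the SGACL cell (src SGT, dst SGT) in order.
Added example, not IOS/ASA code; all data except 10.1.204.126 = SGT 5 is constructed."""
import ipaddress

SGT = {"Unknown": 0, "Finance": 5, "HR": 6, "Finance_Server": 100, "HR_Server": 101}

# Constructed SXP bindings: host routes for authenticated users, subnets for servers.
BINDINGS = [(ipaddress.ip_network(p), s) for p, s in [
    ("10.1.204.126/32", SGT["Finance"]),
    ("10.1.204.0/24", SGT["HR"]),            # the rest of the user subnet
    ("10.1.50.0/24", SGT["Finance_Server"]),
    ("10.1.60.0/24", SGT["HR_Server"]),
]]

# Egress matrix: (src SGT, dst SGT) -> ACEs (action, protocol, dst port or None), first match wins.
DEFAULT_ACTION = "permit"                        # assumed fallback for cells with no policy
MATRIX = {
    (SGT["Finance"], SGT["Finance_Server"]): [("permit", "tcp", 443), ("permit", "tcp", 22),
                                             ("deny", "ip", None)],
    (SGT["HR"], SGT["Finance_Server"]): [("deny", "ip", None)],
    (SGT["HR"], SGT["HR_Server"]): [("permit", "tcp", 443), ("deny", "ip", None)],
    (SGT["Finance"], SGT["HR_Server"]): [("deny", "ip", None)],
}


def sgt_for(ip: str, bindings=BINDINGS) -> int:
    """Longest-prefix match over the bindings; unknown sources get SGT 0."""
    addr = ipaddress.ip_address(ip)
    best = max((b for b in bindings if addr in b[0]), key=lambda b: b[0].prefixlen, default=None)
    return best[1] if best else SGT["Unknown"]


def decide(src_ip: str, dst_ip: str, proto: str, dport=None, bindings=BINDINGS) -> str:
    """'permit' or 'deny' for one flow, as the switch or ASA would decide at egress."""
    src, dst = sgt_for(src_ip, bindings), sgt_for(dst_ip, bindings)
    for action, ace_proto, ace_port in MATRIX.get((src, dst), []):
        if ace_proto in ("ip", proto) and (ace_port is None or ace_port == dport):
            return action
    return DEFAULT_ACTION


def with_binding(prefix: str, sgt: int, bindings=BINDINGS) -> list:
    """New binding table after an endpoint authenticates (or moves) to another IP."""
    return bindings + [(ipaddress.ip_network(prefix), sgt)]


if __name__ == "__main__":
    print(decide("10.1.204.126", "10.1.50.10", "tcp", 443))    # Finance -> Finance server
    print(decide("10.1.204.200", "10.1.50.10", "tcp", 443))    # HR -> Finance server
    moved = with_binding("10.1.204.200/32", SGT["Finance"])     # Finance user now on .200
    print(decide("10.1.204.200", "10.1.50.10", "tcp", 443, bindings=moved))
```

The last call is the point of the model: the Finance user keeps the same policy after moving to an address that was previously classified as HR, because the ACE never mentions an IP. The check a practitioner should add in production is what happens to SGT 0 traffic; with a permissive default, an endpoint with no binding is not restricted at all.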

Thank you.

Collection: Getting traffic to Probes: DHCP and HTTP via SPAN (What?)
Traffic (DHCP, HTTP) is mirrored to an interface on the ISE Policy Services Node. Both SPAN and Remote SPAN are supported. Not an optimal way to send traffic to ISE.
SPAN configuration guide: http://www.cisco.com/en/us/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swspan.html

ISE Posture Assessment / Remediation
NAC Agent for Windows
  Posture assessment options: OS/Service Packs/Hotfixes; Process Check; Registry Check; File Check; Application Check; AV Installation; AV Version/AV Definition Date; AS Installation; AS Version/AS Definition Date; Windows Update Running; Windows Update Configuration; WSUS Compliance Settings
  Remediation options: Message Text (Local Check); URL Link (Link Distribution); File Distribution; Launch Program; AV Definition Update; AS Definition Update; Windows Update; WSUS
Web Agent for Windows
  Posture assessment options: OS/Service Packs/Hotfixes; Process Check; Registry Check; File Check; Application Check; AV Installation; AV Version/AV Definition Date; AS Installation; AS Version/AS Definition Date; Windows Update Running; Windows Update Configuration; WSUS Compliance Settings
  Remediation options: Message Text; URL Link; File Distribution
NAC Agent for Mac OS
  Posture assessment options: AV Installation; AV Version/Def Date; AS Installation; AS Version/Def Date
  Remediation options: Message Text; URL Link; AV Live Update (AS Live Update)

EAP Chaining Software/Hardware Requirements
Client: laptop/desktop with an Ethernet/WiFi NIC and one of the following OSes: Windows 7 SP1 x86 (32-bit) and x64 (64-bit); Windows Vista SP2 x86 and x64; Windows XP SP3 x86; Windows Server 2003 SP2 x86. AnyConnect 3.1 MR+ with the Network Access Manager module installed, and the AnyConnect 3.1 MR+ Profile Editor.
Server: ISE 1.1.1 (1.1 MR) and above.