ONE POLICY
Tengku Shahrizam, CCIE
Asia Borderless Network Security
20th June 2013
Agenda
- Secure Unified Access with ISE
- Role-Based Access Control
- Profiling
- TrustSec
- Demonstration
How ISE is Used Today
- BYOD: users get onto the internet safely, quickly and easily
- Guest Access: it's easy to give guests access that is limited in time and resources
- Secure Access on Wired, Wireless & VPN: control with one policy across wired, wireless and remote infrastructure
- TrustSec Network Policy: rules written in business terms control access
Cisco Secure Access Enabled by ISE
- Policy Management: Identity Services Engine (ISE), Prime Infrastructure
- Policy Information: user directory; profiling from Cisco infrastructure; posture from end-point agents
- Policy Enforcement: Cisco infrastructure (switches, wireless controllers, firewalls, routers)
Cisco Identity Services Engine (ISE): All-in-one Enterprise Policy Control
- WHO (identity context), WHAT (security policy attributes), WHERE, WHEN and HOW feed ISE business-relevant policies
- Access methods: wired, wireless, VPN
- Endpoint types: VM client, IP device, guest, employee, remote user
- Replaces AAA & RADIUS, NAC, guest management and device identity servers
Secure Unified Access: Securing the Intelligent Platform for the Connected World
- Management: Cisco Prime, Cisco ISE, MDM Manager (third-party MDM appliance), Cisco CSM and ASDM
- Network: Cisco Catalyst Switches, Cisco WLAN Controller, Cisco Web Security, wired network devices, Cisco ASA Firewall and IPS
- Endpoints: Cisco AnyConnect for office wired access, office wireless access and remote access
ISE & MDM Integration: The New Way (Best Practice Today, ISE 1.2)
- ISE: device access control, device profiling, BYOD on-boarding
- MDM (Mobile Device Manager): mobile device security control, device compliance, mobile application management, securing data at rest
- ISE and MDM enforced mobile device compliance:
  - Forces on-boarding to MDM for personal devices used for work
  - Registers but restricts access for personal devices not managed by MDM
  - Quarantines non-compliant devices based on MDM policy
- MDM cannot see non-registered devices to enforce device security, but the network can!
Secure Access: Role Based, Dynamic Provisioning
1) Context-Aware Classification: Who? What? When? Where? How?
2) Context-Aware Policy (ISE)
3) Enforcement
Secure Access: Classification Attributes
- Who? Employee, Attacker, Guest
- What? Personal Device, Company Asset
- How? Wired, Wireless, VPN
- Where? @ Starbucks, Headquarters
- When? Weekends, Week Days; 8:00 AM to 6:00 PM (8:00am to 5:00pm) PST
Identity Services Engine (ISE): Identity Stores / Attribute Sources
- ISE internal: Internal Endpoints, Internal Users
- RADIUS: RFC 2865-compliant RADIUS servers
- Active Directory: Microsoft Windows Active Directory 2003 (32-bit only); 2003 R2 (32-bit only); 2008 (32-bit and 64-bit); 2008 R2 (32-bit and 64-bit)
- LDAP Servers: SunONE LDAP Directory Server, Version 5.2; Linux LDAP Directory Server, Version 4.1
- NAC Profiler, Version 2.1.8 or later
- Token Servers: RSA ACE/Server 6.x Series; RSA Authentication Manager 7.x Series; RFC 2865-compliant RADIUS token servers; SafeWord Server
ISE Authentication Policy: Who = 802.1X Managed Users (Who? How?)
- Examples: Employees/Staff, Faculty/Students, Extended Access Partners/Contractors
- Primary Auth Methods: 802.1X or Agent-based
ISE Authentication Policy: Who = VPN Users (Who? How?)
- Examples: Employees/Staff, Faculty/Students, Extended Access Partners/Contractors
- Primary Auth Methods: 802.1X or Agent-based
- OTP Server Configuration
ISE Authentication Policy: Allowed Protocols (Who? How?)
- More specific conditions can be defined to match the flow (e.g. user, location)
- Conditions can also be protocol specific
Agents: AnyConnect 3.1
- Unified access interface for 802.1X on LAN / WLAN, VPN (SSL-VPN and IPSec) and Mobile User Security (WSA / ScanSafe)
- Supports MACSec / MKA (802.1X-REV) for data encryption in software; performance depends on the endpoint CPU. MACSec-capable hardware (network cards) enhances performance with AC 3.0
- NAC Agent is currently used for posture; it will be merged into AnyConnect in AC 3.2
ISE Web Authentication (Who?)
- Centralized and customizable Web authentication portal
- Both employee and guest auth supported
- Tunable username and password policies
- Supports print, email and SMS guest notifications
- The controller or switch needs something to intercept browser requests, to provide a captive portal and/or redirection to a local or remote web auth portal
Authorization Policy (Who?)
Permissions = Authorizations
- Employee_iPAD: Set VLAN = 30 (Corp Access)
- Contractor_iPAD: Set VLAN = 40 (Internet Only)
What is Profiling?
- Collection: the process of collecting data to be used for identifying devices. ISE uses probes (NMAP, NetFlow, HTTP, LLDP, SNMP, DHCP, RADIUS) to collect device attributes
- Classification: classifies endpoints based on the device fingerprint built from those attributes
Collection: Getting traffic to Probes: DHCP via IP Helper (What?)
- Great and simple method of getting DHCP traffic (DHCP-REQ) to the ISE PSN
- Requires configuration of NADs to relay DHCP packets to ISE; the DHCP probe in ISE collects the DHCP data used in profiling policy
- For WLCs, disable DHCP proxy
Configuration commands:
  interface Vlan50
   ip address 10.1.10.1 255.255.255.0
   ip helper-address 10.1.100.10
   ip helper-address 10.1.100.5
   ! the second helper address is the ISE PSN
DHCP Policy Example (What?)
Condition: DHCP:dhcp-class-identifier CONTAINS "Cisco Systems, Inc. IP Phone"
Collection: Getting traffic to ISE: HTTP via URL Redirection (What?)
- User-Agent is an HTTP request header sent from Web browsers to Web servers. The User-Agent includes application, vendor and OS information that can be used in profiling endpoints.
- User-Agent attributes can be collected from Web browser sessions redirected to the PSN (endpoint redirection on TCP/8443) for existing services such as:
  - Central Web Auth (CWA)
  - Device Registration WebAuth (DRW)
  - Native Supplicant Provisioning (NSP)
Collection: HTTP via URL Redirection: NAD Configuration (What?)
Switch configuration commands:
  ip http server
  ip http secure-server
  ip access-list extended REDIRECT-ACL
   deny   tcp any host <PSN_IP_address>
   permit tcp any any eq www
   permit tcp any any eq 443
On the WLC, enable CoA support.
HTTP Policy Example (What?)
HTTP Probe attributes are collected during Client Provisioning.
Condition: User-Agent CONTAINS ipad
Collection: Getting traffic to Probes: IOS Sensor (What?)
- Aggregates and forwards profiling information over the existing RADIUS traffic between NAD and ISE (PSN)
- IOS switches collect DHCP, LLDP and CDP data; the data is sent to ISE as cisco-av-pair in RADIUS accounting updates
- IOS Sensor is supported on IOS 15.0(1)SE1 for Cat 3K, IOS 15.1(1)SG for Cat 4K, and WLC 7.2.11
Configuration commands:
  device-sensor accounting
  device-sensor notify all-changes
Advantages: improved scalability and simplified deployment
Collection: Getting traffic to Probes: IOS Sensor (What?)
Collected data using IOS Sensor: CDP and DHCP data is sent using Cisco-AV-Pair
Collection: Getting traffic to ISE: NMAP (Targeted Scan) (What?)
- Trigger a scan for endpoints with OUI = Apple, or run a subnet scan on demand (e.g. 10.76.40.0/24) from the PSN
- The NMAP utility incorporated into ISE allows the profiler to detect new endpoints via a subnet scan and to classify endpoints based on their operating system, OS version and services as detected by NMAP
- The Network Scan probe is considered an active assessment mechanism, since it communicates directly with the endpoint to obtain information from the source
- Scans can be triggered dynamically based on policy
Getting traffic to Probes: NMAP (Continued) (What?)
Active scan triggered by policy: if an Apple device, then scan and report the OS version
Profiling Policies: Requirements, probes and collection methods

Device Profile | Unique Attributes | Probes Used | Collection Method
Cisco IP Phone | OUI | RADIUS | RADIUS Authentication
Cisco IP Phone | CDP | SNMP Query | Triggered by RADIUS Start
IP Camera | OUI | RADIUS | RADIUS Authentication
IP Camera | CDP | SNMP Query | Triggered by RADIUS Start
Printer | OUI | RADIUS | RADIUS Authentication
Printer | DHCP Class Identifier | DHCP |
POS Station (static IP) | MAC Address | RADIUS (MAC Address discovery) | RADIUS Authentication
POS Station (static IP) | ARP Cache for MAC to IP mapping | SNMP Query | Triggered by RADIUS Start
POS Station (static IP) | DNS name | DNS | Triggered by IP Discovery
Apple iPad/iPhone | OUI | RADIUS | RADIUS Authentication
Apple iPad/iPhone | Browser User Agent | HTTP | Authorization Policy posture redirect to central Policy Service node cluster
Apple iPad/iPhone | DHCP Class Identifier + MAC to IP mapping | DHCP | IP Helper from local L3 switch SVI
Device X | MAC Address | RADIUS (MAC Address discovery) | RADIUS Authentication
Device X | Requested IP Address for MAC to IP mapping | DHCP | RSPAN of DHCP Server ports to local Policy Service node
Device X | Optional: ARP Cache for MAC to IP mapping | SNMP Query | Triggered by RADIUS Start
Device X | Port # traffic to Destination IP | Netflow | Netflow export from Distribution 6500 switch to central Policy Service node
Canned profiles built in to ISE: Apple, Lexmark, WYSE, VMware, HP, Microsoft, Motorola, Samsung, Cisco, Xerox, Blackberry
Rule Conditions: Profiler Policy and Authorization Policy
1) The endpoint must match the profile's Minimum Certainty Factor
2) In this case two conditions in the rules table will need to be met
Authorization Policy: If BlackBerry, then Allow Internet Access
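As an added example (not from the deck and not Cisco's code), the profiler logic of the last few slides in Python: each matching condition (OUI, DHCP class identifier, HTTP User-Agent) adds its certainty factor, and the endpoint is assigned to the profile whose total meets its minimum certainty factor. The OUI table, profiles, certainty values and thresholds are constructed assumptions; CONTAINS is treated as case-insensitive here.

```python
# Constructed model of ISE-style profiling: probe attributes + certainty factors.
from dataclasses import dataclass, field

@dataclass
class Rule:
    attribute: str   # probe attribute, e.g. "DHCP:dhcp-class-identifier"
    op: str          # "CONTAINS" or "EQUALS"
    value: str
    certainty: int   # certainty factor added when this condition matches

@dataclass
class Profile:
    name: str
    min_certainty: int          # Minimum Certainty Factor for this profile
    rules: list = field(default_factory=list)

# OUI (first three MAC octets) to vendor; constructed lookup, not the IEEE list.
OUI_VENDOR = {"00:1b:54": "Cisco Systems", "f0:cb:a1": "Apple"}

# Two profiles built from the conditions shown on the slides (CF values assumed).
PROFILES = [
    Profile("Cisco-IP-Phone", 20, [
        Rule("OUI", "CONTAINS", "Cisco", 10),
        Rule("DHCP:dhcp-class-identifier", "CONTAINS", "Cisco Systems, Inc. IP Phone", 20),
    ]),
    Profile("Apple-iPad", 30, [
        Rule("OUI", "CONTAINS", "Apple", 10),
        Rule("HTTP:User-Agent", "CONTAINS", "ipad", 20),
    ]),
]

def match(rule, attrs):
    val = attrs.get(rule.attribute, "")
    if rule.op == "CONTAINS":
        return rule.value.lower() in val.lower()
    return rule.value.lower() == val.lower()

def profile_endpoint(attrs):
    """Return (profile name, total certainty) for the best profile whose total
    reaches its minimum certainty factor, or ("Unknown", 0) if none does."""
    attrs = dict(attrs)
    attrs["OUI"] = OUI_VENDOR.get(attrs.get("MAC", "")[:8].lower(), "")
    best = ("Unknown", 0)
    for p in PROFILES:
        total = sum(r.certainty for r in p.rules if match(r, attrs))
        if total >= p.min_certainty and total > best[1]:
            best = (p.name, total)
    return best
```

An Apple OUI on its own scores 10, below the 30 required, so the device stays Unknown until the HTTP probe sees the iPad User-Agent; that is the point of item 1) above.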
What can I do when ISE can't recognize and profile a specific type of endpoint (e.g. an APC UPS)?
- ISE still learns the OUI, and possibly other attributes, which can be used to write a custom profile
- These attributes can be used for writing custom profiling conditions
Profile policy creation and endpoint assignment
- The profile will be distributed to all ISE nodes, and APC devices on the network will be profiled correctly
- Custom profiles created by customers and Cisco partners can be shared after publishing to Cisco Feed Services
Profiler Feed Service: Zero Day availability
- PSNs pull profiles from the Cisco Feed Server DB; partner notifications are supported
- No need to wait for a new ISE version: zero day support for popular endpoints is added using the Feed Server
Feed Service policy and OUI update reports are also available, as are email notifications
ISE Authorization: Smart Phone vs Corp Policy (Who? What?)
Who = Employee; What = ?
Permissions = Authorizations
- Employee Phone: Set VLAN = 601 (Internet Only)
- Employee PC: Set VLAN = 603 (Full Access)
Logical Profiling (What?)
I would like to group all my smart phones and iOS devices into a logical profile (e.g. IP-Phones, ios-devices) to make writing policy easier
Smart Phone Policy Using Logical Profiles (Who? What?)
Who = Employee; What = ?
Permissions = Authorizations
- Employee Phone: Set VLAN = 601 (Internet Only)
- Employee PC: Set VLAN = 603 (Full Access)
What is Posture?
Posture = the state of compliance with the company's security policy.
- Is the system running the current Windows patches?
- Do you have Anti-Virus installed? Is it up-to-date?
- Do you have Anti-Spyware installed? Is it up-to-date?
ISE Posture (What?): What can be checked?
- Microsoft Updates, Service Packs, Hotfixes
- OS/Browser versions
- Antivirus installation/signatures
- Antispyware installation/signatures
- File data, Services, Applications / Processes, Registry Keys
ISE Posture Policies: NAC vs Web Agent
- Employee Policy: Microsoft patches updated; McAfee AV installed, running and current; corp asset checks; enterprise application running
- Contractor Policy: any AV installed, running and current
- Guest Policy: accept AUP (no posture, Internet only)
ISE Posture Policy Example
- Corporate Policy: must have Kaspersky AV installed; automatic remediation enforced
- Guest Policy: must have AV installed, but it can be from ANY vendor
User and Machine Policies: I Know Who You Are, But Are You Logging In from a Corporate Device?
- User identity: username/password credentials (802.1X or WebAuth), user certificate (802.1X). "Hi, I am jsmith and my password is *******": corporate user or guest (non-employee)?
- Machine identity: MAC address? Machine certificate (802.1X). 00:11:22:AA:BB:CC: corporate or personal device?
- How do I tie the two together in a single policy? User + Machine = Access Policy
Identifying Corporate Assets: Posture Assessment
The NAC or Web Agent checks the Windows registry for the domain value, e.g. mycompany.com.
Identifying Corporate Assets: EAP-Chaining
- EAP Chaining uses EAP-FAST protocol extensions
- Ties both machine and user credentials to the device, proving that the owner is using a corporate asset
- Machine credentials are authenticated to the network using 802.1X (Machine Authentication, via RADIUS to the PSN)
- Once the user logs onto the device, session information from the machine auth and the user credentials are sent as part of the same authentication (User Authentication)
- If both machine and user credentials are validated successfully, the owner is tied to the device (corp asset)
- If either or both credentials fail, restricted network access can be given according to ISE policy
- Credentials are validated against AD (EAP-MSCHAPv2 inner method) or PKI (EAP-TLS inner method)
Identifying Corporate Assets: EAP-Chaining Policy Example
- User Authentication includes both user and machine identity types
- AnyConnect is required for EAP-Chaining
Context Aware Access: ISE Authorization Policy Example
Access Policy inputs: User, Device Type, Location, Posture, Time, Access Method, Custom
Policy Enforcement: VLAN or ACL
- The endpoint authenticates by EAPOL (dot1x), MAB or Web to the PSN; the VLAN or ACL is applied to the switch / WLC
- Diagram labels: PSN, 10.1.204.126, Core, ISE, Finance, HR, Finance Server, HR Server
Policy Enforcement: SGACL Enforcement on Switch
- The endpoint authenticates by EAPOL (dot1x), MAB or Web to the PSN; the switch enforces the SGACL
- IP-to-SGT binding learned via SXP: IP 10.1.204.126 = SGT 5
- Diagram labels: Core, ISE, Finance, HR, Finance Server, HR Server
Policy Enforcement: Security Group Firewall on ASA
- The endpoint authenticates by EAPOL (dot1x), MAB or Web to the PSN and is classified as Employee
- IP-to-SGT binding learned via SXP: IP 10.1.204.126 = Employee_SGT
- Security Group Filtering: the policy is written in the ASA, with SGTs retrieved from ISE
- Diagram labels: Core, ISE, Web Servers, Finance Server
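An added example (not Cisco's code and not part of the deck) of the enforcement model on the three slides above, in Python: the switch or ASA learns IP-to-SGT bindings over SXP, then filters each flow by the (source SGT, destination SGT) cell of the SGACL matrix rather than by IP address. The bindings, group numbers, prefixes and matrix entries are constructed; only the binding 10.1.204.126 = SGT 5 comes from the slide.

```python
# Constructed model of TrustSec enforcement: SXP bindings + SGACL matrix.
from ipaddress import ip_address, ip_network

# Security group tag numbers (constructed, except SGT 5 from the slide).
SGT = {"Finance": 5, "HR": 6, "Finance_Server": 100, "HR_Server": 101}

# IP-to-SGT bindings as the enforcement point would learn them via SXP.
SXP_BINDINGS = {
    ip_network("10.1.204.126/32"): SGT["Finance"],
    ip_network("10.1.210.0/24"): SGT["HR"],
    ip_network("10.1.50.10/32"): SGT["Finance_Server"],
    ip_network("10.1.50.20/32"): SGT["HR_Server"],
}

# SGACL matrix: (src SGT, dst SGT) -> ordered ACEs of (action, proto, dst port).
# A missing cell, untagged traffic (SGT 0) or an unmatched ACE ends in deny.
SGACL = {
    (SGT["Finance"], SGT["Finance_Server"]): [("permit", "tcp", 443), ("permit", "tcp", 1433)],
    (SGT["HR"], SGT["HR_Server"]): [("permit", "tcp", 443)],
    (SGT["HR"], SGT["Finance_Server"]): [("deny", "any", None)],
}

def lookup_sgt(ip):
    """Longest-prefix match over the SXP bindings; unknown hosts get SGT 0."""
    addr = ip_address(ip)
    hits = [net for net in SXP_BINDINGS if addr in net]
    return SXP_BINDINGS[max(hits, key=lambda n: n.prefixlen)] if hits else 0

def sgacl_decision(src_ip, dst_ip, proto, dport):
    """Return 'permit' or 'deny' for one flow, first-match within the cell."""
    cell = SGACL.get((lookup_sgt(src_ip), lookup_sgt(dst_ip)), [])
    for action, p, port in cell:
        if p in ("any", proto) and port in (None, dport):
            return action
    return "deny"
```

Because the decision keys on tags, moving the Finance user to another subnet only changes the SXP binding; the SGACL matrix itself stays untouched.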
Thank you.
Collection: Getting traffic to Probes: DHCP and HTTP via SPAN (What?)
- DHCP and HTTP (WWW) traffic is mirrored to an interface on the ISE Policy Services node
- Both SPAN and Remote SPAN are supported
- Not an optimal way to send traffic to ISE
SPAN Configuration Guide: http://www.cisco.com/en/us/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swspan.html
ISE Posture Assessment / Remediation
Posture Assessment Options:
- NAC Agent for Windows: OS/Service Packs/Hotfixes, Process Check, Registry Check, File Check, Application Check, AV Installation, AV Version/AV Definition Date, AS Installation, AS Version/AS Definition Date, Windows Update Running, Windows Update Configuration, WSUS Compliance Settings
- Web Agent for Windows: OS/Service Packs/Hotfixes, Process Check, Registry Check, File Check, Application Check, AV Installation, AV Version/AV Definition Date, AS Installation, AS Version/AS Definition Date, Windows Update Running, Windows Update Configuration, WSUS Compliance Settings
- NAC Agent for MAC OS: AV Installation, AV Version/Def Date, AS Installation, AS Version/Def Date
Remediation Options:
- NAC Agent for Windows: Message Text (Local Check), URL Link (Link Distribution), File Distribution, Launch Program, AV Definition Update, AS Definition Update, Windows Update, WSUS
- Web Agent for Windows: Message Text, URL Link, File Distribution
- NAC Agent for MAC OS: Message Text, URL Link, AV Live Update (AS Live Update)
EAP Chaining Software/Hardware Requirements
Client: laptop / desktop with Ethernet / WiFi NIC and one of the following OSes:
- Windows 7 SP1 x86 (32-bit) and x64 (64-bit)
- Windows Vista SP2 x86 and x64
- Windows XP SP3 x86
- Windows Server 2003 SP2 x86
Client software: AnyConnect 3.1MR+ with Network Access Manager Mobile installed; AnyConnect 3.1MR+ Profile Editor
Server: ISE 1.1.1 (1.1MR) and above