User-to-Data-Center Access Control Using TrustSec Design Guide

Similar documents
How to Get Started with Cisco SBA

How to Get Started with Cisco SBA

Intelligent WAN NetFlow Monitoring Deployment Guide

Cisco Jabber IM for iphone Frequently Asked Questions

SAML SSO Okta Identity Provider 2

Cisco Jabber for Android 10.5 Quick Start Guide

Cisco Unified Communications Self Care Portal User Guide, Release 11.5(1)

Cisco Jabber Video for ipad Frequently Asked Questions

Physical Environmental Specifications Guide. February 2012 Series

Prestigious hospital. Outdated network.

Compatibility Matrix for Cisco Unified Communications Manager and IM & Presence Service, Release 11.x

Cisco Nexus 3000 Series NX-OS Verified Scalability Guide, Release 7.0(3)I7(2)

Wireless Healthcare Vertical

Compatibility Matrix for Cisco Unified Communications Manager and IM & Presence Service, Release 10.x

Cisco Discovery Protocol Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 920 Series)

Cisco FindIT Plugin for Kaseya Quick Start Guide

TrustSec (NaaS / NaaE)

Wireless Education Vertical

User Guide for Cisco Jabber for Mac 11.6

Cisco Proximity Desktop

IP Routing: ODR Configuration Guide, Cisco IOS Release 15M&T

IP Switching Configuring Fast Switching Configuration Guide Cisco IOS Release 15SY

Cisco UCS C-Series IMC Emulator Quick Start Guide. Cisco IMC Emulator 2 Overview 2 Setting up Cisco IMC Emulator 3 Using Cisco IMC Emulator 9

Cisco Unified Communications Self Care Portal User Guide, Release

Cisco Smart Business Communications Systems. Cisco Small Business Unified Communications 300 Series

Managing Device Software Images

Water Provider Relocates, Modernizes Data Center

Cisco Unified Communications Manager Device Package 8.6(2)( ) Release Notes

Flow Sensor and Load Balancer Integration Guide. (for Stealthwatch System v6.9.2)

Segment Your Network for Stronger Security

Cisco TelePresence FindMe Cisco TMSPE version 1.2

Application Launcher User Guide

Wired Network Summary Data Overview

Prime Service Catalog: UCS Director Integration Best Practices Importing Advanced Catalogs

Considerations for Deploying Cisco Expressway Solutions on a Business Edition Server

Cisco Service Control Online Advertising Solution Guide: Behavioral. Profile Creation Using Traffic Mirroring, Release 4.0.x

Cisco WebEx Meetings Server FAQs Release 1.5

Migration and Upgrade: Frequently Asked Questions

Quantum Policy Suite Subscriber Services Portal 2.9 Interface Guide for Managers

Deploying IWAN Routers

Cisco UCS Performance Manager Release Notes

Wireless Clients and Users Monitoring Overview

Cisco IOS Flexible NetFlow Command Reference

Cisco Meeting App. Release Notes. WebRTC. Version number September 27, Cisco Systems, Inc.

SolarWinds Network Management Guide. Revision: H2CY10

Intelligent WAN Public Key Infrastructure Deployment Guide

Cisco Meeting App. What's new in Cisco Meeting App Version December 17

2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco Meeting App. Cisco Meeting App (OS X) Release Notes. July 21, 2017

Cisco Meeting App. Cisco Meeting App (Windows) Release Notes. March 08, Cisco Systems, Inc.

Figures 1 to 3 show the Instant Connect system, the Express system, and the mobile client, respectively. Figure 1. Instant Connect system Figure 2. In

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

Cisco Stealthwatch Endpoint License

Embedded Packet Capture Configuration Guide

ING DIRECT turns ideas into revenue faster with Cisco UCS.

Recovery Guide for Cisco Digital Media Suite 5.4 Appliances

The Cisco HyperFlex Dynamic Data Fabric Advantage

Cisco Aironet 1815T (Teleworker) Access Point Deployment Guide

Cisco Network Admission Control (NAC) Solution

Cisco Evolved Programmable Network System Test Topology Reference Guide, Release 5.0

Network Admission Control Agentless Host Support

Cisco Meeting App. Cisco Meeting App (ios) Release Notes. October 06, 2017

Installation and Configuration Guide for Visual Voic Release 8.5

Dynamic Workload Scaling

Cisco Unified Communications Manager Device Package 10.5(1)( ) Release Notes

Securing BYOD with Cisco TrustSec Security Group Firewalling

Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts

Cisco 1000 Series Connected Grid Routers QoS Software Configuration Guide

Cisco Connected Mobile Experiences REST API Getting Started Guide, Release 10.2

Cisco TelePresence Management Suite Extension for Microsoft Exchange Software version 5.7. User Guide July 2018

Validating Service Provisioning

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

Cisco Nexus 1000V for KVM Interface Configuration Guide, Release 5.x

Cisco Jabber for Windows 10.6 User Guide. User Guide 4 Availability 4 Create Custom Tabs 15 Accessibility 16 Troubleshooting 20

IP Addressing: IPv4 Addressing Configuration Guide, Cisco IOS Release 12.4

Introduction to Cloud Networking. Company and Product Overview

Quick Start Guide for Cisco Prime Network Registrar IPAM 8.0

Cisco Report Server Readme

Cisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation

Embedded Packet Capture Configuration Guide

Data Sheet Instant Connect Mobile Client When your business is on the line, Instant Connect is here for your most critical communications needs. Welco

Cisco TEO Adapter Guide for Microsoft Windows

Cisco UCS Performance Manager Release Notes

Deploying Cisco SD-WAN on AWS

Cisco Payment Card Industry Compliance Services

MAC Filtering for Lobby Ambassadors

Cisco Unified IP Conference Phone 8831 and 8831NR Release Notes for Firmware Release 10.3(1)SR3

Cisco TelePresence Management Suite Extension for Microsoft Exchange Software version 5.0

Cisco NSH Service Chaining Configuration Guide

Enterprise Chat and Supervisor s Guide, Release 11.5(1)

Cisco Meeting Management

Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide

Cisco TEO Adapter Guide for

BYOD Guest Wireless Access Deployment Guide. February 2012 Series

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007

Cisco Meeting Management

Media Services Proxy Command Reference

IP Addressing: Fragmentation and Reassembly Configuration Guide

Cisco TelePresence Management Suite Extension for Microsoft Exchange Software version 3.1

Cisco Meeting App. Cisco Meeting App (Windows) Release Notes. March 08, Cisco Systems, Inc.

Transcription:

CISCO VALIDATED DESIGN User-to-Data-Center Access Control Using TrustSec Design Guide October 2015 REFERENCE NETWORK ARCHITECTURE

Table of Contents About This Document... 1 Cisco TrustSec Overview... 2 Use Cases... 3 Retail: Segmentation for PCI Compliance...3 Business Problem...3 Solution...3 Healthcare: Securing Access to Medical Devices and Electronic Health Records for HIPAA Compliance...4 Business Problem...4 Solution...5 Finance: Bank Branch Needs to Provide Differentiated Access for the Various Services at a Remote Site...6 Business Problem...6 Solution...6 Line of Business Access Control in Large Enterprises...7 Business Problem...7 Solution...7 Next Steps to Ensuring a Successful TrustSec Implementation... 11

About This Document About This Document This document describes how Cisco TrustSec provides access control for user to data center ( north to south ) traffic for wired and wireless users. Cisco TrustSec provides software-defined segmentation and enables rolebased security policy. Tech Tip For more information about Cisco TrustSec, go to: http://www.cisco.com/go/trustsec page 1

Cisco TrustSec Overview Cisco TrustSec Overview The Cisco TrustSec solution simplifies the provisioning and management of network access control through the use of software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without network redesign. A centralized policy management platform gathers advanced contextual data about who and what is accessing your network, uses security group tags (SGTs) to define roles and access rights, and then pushes the associated policy to your TrustSec-enabled network devices, such as switches, routers, and security equipment. This provides better visibility through richer contextual information and allows an organization to be better able to detect threats and accelerate remediation, reducing the impact and costs associated with a potential breach. Cisco TrustSec technology is embedded in Cisco switches, routers, and firewalls and is defined in three phases: classification, propagation, and enforcement. When the user s traffic enters the network, the traffic is classified based on the results of authentication, such as 802.1X, MAC authentication bypass, or web authentication. After the user s traffic is classified, Cisco switches and routers then propagate the traffic automatically, without any intervention by the network operator until it hits an enforcement point, which can be a Cisco firewall, router, or switch. Based on the classification, the enforcement device determines if the user s traffic should be allowed or denied. Figure 1 Cisco TrustSec phases: classification, propagation, and enforcement Device Type: Apple ipad User: Mary Group: Employee Corporate Asset: No Personal Asset ID and Data Proofing SGT Classification HR SGT WLC Employee Company Asset Wireless Access Point Switch Routers DC Switch DC Firewall Distributed Enforcement Based on Security Group Finance SGT Device Type: Mac User: Mary Group: Employee Corporate Asset: Yes Personal Asset SGT Company Asset SGT 4010F page 2

Use Cases Use Cases RETAIL: SEGMENTATION FOR PCI COMPLIANCE Business Problem A retail chain is required to comply with Payment Card Industry (PCI) standards where all devices that process credit-card information are in a network that is segmented from other devices. Solution The PCI devices are tagged by the switch or router at the store and provided access to the payment servers in the data center, which is enforced at the data center by a data center switch or the data center firewall. The devices on the network that aren t used for processing payment information get an appropriate tag that prevents them from accessing the payment servers but allows them access to shared services provided in the data center. Figure 2 TrustSec for PCI compliance Data Center Payment s Shared Services PCI Zone Store WAN DMVPN PCI Zone Local s Local s $123 $123 Manager PC POS Associate Voice Voice Associate POS Manager PC Store 1 Store 2 4005F page 3

Use Cases HEALTHCARE: SECURING ACCESS TO MEDICAL DEVICES AND ELECTRONIC HEALTH RECORDS FOR HIPAA COMPLIANCE Business Problem A hospital needs to limit access to electronic health records in order to comply with the Health Insurance Portability and Accountability Act (HIPAA). Figure 3 TrustSec for HIPAA compliance Data Center EHR Billing Database DC Firewall SGFW Clinic Backbone SGACL Vital Monitor Floor 2 SW Floor 1 SW Nurse Workstation Patients/ Guests 4007F page 4

Use Cases The hospital also needs to isolate medical devices used for patient care so that only authorized users, devices and servers have access to these medical devices. Figure 4 TrustSec for medical device segmentation Data Center EHR Billing Database DC Firewall SGFW Clinic Backbone SGACL Vital Monitor Floor 2 SW Floor 1 SW Nurse Workstation Patients/ Guests 4006F Solution Medical professionals use an authorized workstation in order to gain access to the electronic health records. The user authenticates to and the device is verified to make sure it is authorized for access to the health records. The switch or WLC tags (with an SGT) the traffic from this workstation. The policy is enforced on the DC firewall with a Cisco Security Group Firewall (SGFW) that allows access to the electronic health records server only to those devices and users that are authorized, and all other devices and users are denied access. SGTs are applied to authenticated users of medical devices and servers in order to explicitly allow access for authorized users. Devices and users on the network that don t receive the SGT assigned are denied access. page 5

Use Cases FINANCE: BANK BRANCH NEEDS TO PROVIDE DIFFERENTIATED ACCESS FOR THE VARIOUS SERVICES AT A REMOTE SITE Business Problem A financial customer requires segmentation of their various services at a remote office. The employee traffic, voice traffic, and server traffic must be in separate networks, as will any guest or bring your own device (BYOD) access. Each individual service must only be given access to the services that are required. Solution Each service at the remote site is in its own VLAN. When a device or user accesses the network, authenticates and profiles them. The switch tags the traffic per VLAN, and then the policy is enforced on the remote site router using SGACLs as well as at the DC firewall using SGFW. Corporate traffic is only allowed access to the specific resources required for them. In this case, the employee can access the application server, the phone accesses the communication services, and the remote site server has access only to the database server. The guest or BYOD traffic is given access only to the Internet. With this topology, the VLAN scheme and tagging per VLAN can be replicated at every remote site, making policy configuration simple. Figure 5 TrustSec for remote site segmentation Branch s Branch Office Voice Enterprise WAN DC Firewall Database Branch Router DC Router Communications Services Corporate Laptop BYOD Internet Application 4008F page 6

Use Cases LINE OF BUSINESS ACCESS CONTROL IN LARGE ENTERPRS Business Problem New business risk and regulatory concerns require the business to implement security controls for users to the data center and within the data center: Users (and devices) should only be allowed to base services and corresponding line of business applications. Applications should be segregated by line of business as well as restricted within the line of business. Policies are automatically applied for partner/contractors for application and other services. Solution Controlling the Services a User Can Access Based on Group Membership Within the data center, there are specific resources available to different groups of users. For example, there are two servers in the data center, one that only the Finance group can access and another that is only for the Human Resources group. Users identified as members of either group are allowed access to their respective server, and any traffic from any other group is blocked by either the firewall or the data center router. Figure 6 TrustSec for line-of-business access control Data Center Finance HR DC Firewall SGFW DC Router SGACL Enterprise Backbone Switch WiFi HR Tag Finance Tag Finance Voice Voice HR Employee 4001F page 7

Use Cases When the user first accesses the network, they authenticate. The switch or the wireless LAN controller (WLC) authenticates the user by using the Cisco Identity Services Engine (), and the user is assigned a tag. The switch or WLC tags (with the SGT) the traffic from this user. The policy is enforced, based on the SGT, in the data center with a security group access control list (SGACL) on the DC router or the with an SGFW on the DC firewall. Permitting Access to Data Center Resources Based on Device Type An organization may have a BYOD policy that allows employees to use their smartphones and tablets for work. However, some services may not work well on these platforms, or perhaps policy doesn t allow personal devices access to certain resources. These devices are profiled, classified, and prevented from accessing services not intended for their use. Figure 7 TrustSec for BYOD Data Center Corporate BYOD DC Firewall SGFW DC Router SGACL Enterprise Backbone Switch WiFi BYOD Tag Corporate Tag Voice Voice 4002F The user accesses the network with their BYOD device and is prompted for authentication credentials. Upon successful authentication, profiles the device in order to determine the type of device, and the user is assigned a tag based on a combination of user and device type. The WLC tags traffic from the BYOD device and the user is limited to the BYOD server in the data center. This is enforced on the DC router with an SGACL or on the DC firewall with an SGFW. page 8

Providing Differentiated Access to Data Center Resources Based on the User and Location Use Cases An organization may want to provide different levels of access to services in the data center, depending on where the user is located. There may be a different policy for users at a remote site that limits what the user can access remotely. This policy could also implement different levels of access per remote site or region. Figure 8 TrustSec for location-based access control Remote Site Voice Branch s Enterprise WAN DC Firewall Remote Remote Employee Branch Router DC Router HQ Switch WiFi Remote Tag HQ Tag HQ Employee Voice Voice HQ Employee 4003F The remote employee accesses the network and authenticates, and the user is assigned a tag. The switch tags this traffic with the SGT, and this tag information is propagated to the DC firewall, where the policy is enforced with an SGFW. Ensuring That Devices Are Compliant with Security Policy before Accessing Data Center Resources To comply with security policy, all devices on the network must meet certain requirements, such as running an antivirus application or a minimum version of an OS. Without meeting the policy, the user is denied access to the data center resources and instead given access to remediation services. page 9

Use Cases Figure 9 TrustSec for security-policy compliance Data Center Shared Services Application s DC Firewall Remediation DC Switch SGACL Enterprise Backbone SGACL Switch Switch Employee Tag Non-Compliant Tag Non-Compliant Employee Voice Voice Employee Non-Compliant 4004F The user accesses the network with a device that does not comply with the security policy. The user authenticates to the network, and profiles the device and checks for compliance. After the device is determined to be non-compliant, the device is assigned a tag that indicates it is out of compliance and limits access to the remediation service. The policy is enforced with an SGACL, at the access switch or at the DC switch. page 10

Next Steps to Ensuring a Successful TrustSec Implementation Next Steps to Ensuring a Successful TrustSec Implementation 1. Based on the use cases outlined above, identify a use case that has realistic criteria for success and has demonstrable return on investment. Model potential group relationships and high-level permissions for the use case. Develop detailed permissions (specific access control lists) off those relationships 2. Apply detailed SGACLs to the use case in a monitoring function in order to detect items outside the security profile. Firewall Access Control Entries (ACE) logging analysis (if available) SGACL ACE logs and syslog analysis ACE log for unknown/sgt or SGT/unknown matches for the use case Default permission of ACE log for anything that missed the explicit permission Monitor mode SGACLs, if available (Cisco Catalyst 6500 Series) 3. Gather feedback from the above analysis and iterate with the permissions. 4. Finalize permissions and create completed TrustSec matrix. page 11

Please use the feedback form to send comments and suggestions about this guide. Americas Headquarters Cisco Systems, Inc. San Jose, CA Asia Pacific Headquarters Cisco Systems (USA) Pte. Ltd. Singapore Europe Headquarters Cisco Systems International BV Amsterdam, The Netherlands Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, DESIGNS ) IN THIS MANUAL ARE PRESENTED AS IS, WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVD OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO. Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. 2015 Cisco Systems, Inc. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) B-000275C-2 10/15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback