TrustSec for a Secure Network- CLLE
 

TrustSec for a Secure Network, Cisco Live Sled East. "There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage."


Presentation Transcript

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Local Edition: TrustSec for a Secure Network
Clark Gambrel (cgambrel@cisco.com) - Kentucky
Sam Camarda (scamarda@cisco.com) - Louisiana
Consulting Systems Engineer – Security

Table of Contents
• Advanced Threats
• Authentication
• Profiling
• Posture Assessment
• Network Segmentation
• Security Group Tags

Local Edition: Why?

Local Edition: Advanced Threats

"There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage."
Source: Security's New Reality: Assume the Worst; Dark Reading

Advanced Threats – Advanced Persistent Threats (APTs)
• APT is the Hot Topic in Information Security
  ‒ Aurora (2009) brought the term into the mainstream
  ‒ They actually incorporate a number of threats
• APTs have Common Features
  ‒ Defined goal, not opportunistic
  ‒ Stealthy infiltration, horizontal propagation
  ‒ Obfuscate trail to ensure continued compromise
  ‒ Multiple tools / tactics used throughout the campaign
  ‒ Significant resources required over an extended period
• APT Component Parts are Not Really Advanced
  ‒ Off-the-shelf malware dev kits
  ‒ Spear phishing & social engineering
  ‒ Drop an infected key in the car park / smoking area, etc.

APT Attack Targets & Methodology
• Who Are The Targets?
  ‒ Governments: economic offices, military, diplomatic corps, etc. – anyone working overseas; outside government contractors, advisors (e.g. academic scholars); dissident and activist support organizations (and related NGOs)
  ‒ Private sector & commercial: multinational businesses – aerospace, energy, pharmaceutical, finance, technology
• How Do They Work? (diagram) Infiltrate: Recon → Identify Target → Phishing, 0-day / Malware → Initial Access; then Spread → Persist → Extract IP

To defend we must recognize actors' motives
• Stock Price Manipulation
  ‒ Company Financials
  ‒ Sales Forecasts
• Gain Competitive Advantage
  ‒ Go-to-market strategies
  ‒ Product roadmaps and schedules
  ‒ Acquisition plans
  ‒ Customer lists
• Impact Operations
  ‒ Damage the Company Brand
  ‒ Web Site Defacing
  ‒ Denial of Service
• Obtain Intellectual Property
  ‒ ASIC designs
  ‒ Source Code
• Exploit the Network Potential
  ‒ Huge amount of Internet Bandwidth
  ‒ Hundreds of thousands of PCs
• Fraud
  ‒ RMA Fraud
  ‒ Bank Account Transfers
  ‒ Toll Dial Fraud
  ‒ Credit Card Data
  ‒ Identity Theft
  ‒ Counterfeiting
• Attack Specific Customers
  ‒ Vulnerabilities in Source Code
  ‒ Bug Tracking Data
… And More!

Local Edition: Threats? Is that all I need to worry about? Sadly… No

The Device Landscape
• Corporate Laptops
• Corporate VXI Endpoints
• Mobile Devices (BYOD)
• Other

Top of Mind Security Concerns
The Challenge: Device Proliferation – What threat? Where?
• Device proliferation will lead to billions of devices (Internet of Everything)
• How can we minimize the threats these devices bring with them?
• How to deploy a consistent policy for all these devices?
• How to ensure end-to-end security in a scalable way?

Local Edition: How it's made

Concept: Kill Chain
• http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/
• Reconnaissance: harvesting email addresses, identifying information, etc.
• Weaponization: coupling exploit with backdoor into deliverable payload
• Delivery: delivering weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: exploiting a vulnerability to execute code on the victim system
• Command and Control: command channel for remote manipulation of the victim
• Actions on Objectives: intruders accomplish their original goal

Kill Chain: Post Breach (built up over several slides)
• Initial compromise
  1. Social Engineering Exploit
  2. Command and Control
• Post breach
  1. Command and Control
  2. Reconnaissance
  3. Propagation
  4. C&C Alternate Path; Data Theft, Stealth/Sleep

Local Edition: Sit back and watch it happen? Nope…

So, What to do first? How do I limit my exposure?
• Educate Users
• Standardize
• Anti-Virus
• User Privileges
• Patch, Patch, Patch
• Isolate – Java?
• Upgrade
• AAA - Segment and Contain: Authenticate & Authorize

Access Scenarios
Identity Information (Group: Contractor, Group: Full-Time Employee, Group: Guest) + Other Conditions (Time and Date, Access Type, Location, Posture, Device Type) → Network Access Policies (Authentication and Authorization) → Authorization (Controlling Access): Broad Access, Limited Access, Guest/Internet, Deny Access, Quarantine, Track Activity for Compliance
Example sessions:
• Vicky Sanchez: Employee, Marketing, Wireline, 3 p.m.
• Frank Lee: Guest, Wireless, 9 a.m.
• Security Camera G/W: Agentless Asset, MAC: F5 AB 8B 65 00 D4
• Francois Didier: Consultant, HQ—Strategy, Remote Access, 6 p.m.

TrustSec Authentication Overview
• IEEE 802.1X: standard for link layer authentication and access control. Components: supplicant (client), authenticator (switch), and AAA server. Uses Extensible Authentication Protocol (EAP) to transport authentication info.
• MAC Auth Bypass (MAB): authenticate using the client's MAC address. For devices that don't support 802.1X (no supplicant), such as printers.
• Web Authentication: for clients that don't support 802.1X (no supplicant) but are capable of interactive HTTP authentication.

Wired Flexible Authentication – One Configuration Fits All
• One configuration addresses all use cases, all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Support for IP Telephony
• Support single-host and multi-auth scenarios
Flow (diagram): 802.1X first: EAP credentials sent & validated, port authorized (802.1X clients, IP phones, employees, partners, faculty, sub-contractors). If 802.1X times out or fails, fall back to MAB: a known MAC gets Access-Accept and the port is authorized (network printers, IP phones); an unknown MAC gets Access-Accept with URL redirect to Web Auth (guest users). The diagram also shows a Host Change event reported to ISE.
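An added illustration (not Cisco code, and not from the deck) of the fallback order the flexible-authentication slide shows: 802.1X first, MAB when 802.1X times out or fails, and Web Auth behind a URL redirect when the MAC is unknown. The MAB database entries and the endpoint attributes are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool = False   # can it answer EAP over 802.1X?
    eap_valid: bool = False        # would its EAP credentials validate on ISE?
    web_login_ok: bool = False     # will a user complete the web portal login?


@dataclass
class AuthResult:
    method: str                    # method that decided the outcome
    authorized: bool
    url_redirect: bool = False     # Access-Accept with URL redirect in effect
    trail: list = field(default_factory=list)   # decision trail for the operator


# Constructed MAB database: MACs ISE already knows (e.g. populated by profiling).
KNOWN_MACS = {"00:11:22:33:44:55": "printer", "66:77:88:99:aa:bb": "ip-phone"}


def flex_auth(ep: Endpoint, order=("dot1x", "mab", "webauth")) -> AuthResult:
    """Try each method in the configured order; on timeout or failure fall
    through to the next one, as the 'one configuration fits all' slide shows."""
    trail, redirect = [], False
    for method in order:
        if method == "dot1x":
            if not ep.has_supplicant:
                trail.append("dot1x: no EAP response, timed out -> next method")
                continue
            if ep.eap_valid:
                trail.append("dot1x: EAP credentials validated -> port authorized")
                return AuthResult("dot1x", True, trail=trail)
            trail.append("dot1x: EAP failure -> next method")
        elif method == "mab":
            if ep.mac.lower() in KNOWN_MACS:
                trail.append(f"mab: known MAC ({KNOWN_MACS[ep.mac.lower()]}) -> Access-Accept")
                return AuthResult("mab", True, trail=trail)
            # Unknown MAC: ISE still returns Access-Accept, but with a URL
            # redirect so the only thing reachable is the web-auth portal.
            redirect = True
            trail.append("mab: unknown MAC -> Access-Accept with URL redirect")
        elif method == "webauth":
            if ep.web_login_ok:
                trail.append("webauth: interactive HTTP login ok -> port authorized")
                return AuthResult("webauth", True, trail=trail)
            trail.append("webauth: no login -> user stays behind the redirect")
            return AuthResult("webauth", False, url_redirect=redirect, trail=trail)
    return AuthResult("none", False, url_redirect=redirect, trail=trail)
```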

Profiling Technology – The Ability to Classify Devices
• Why Classify?
  ‒ Originally: identify the devices that cannot authenticate and automagically build the MAB list. i.e.: Printer = Bypass Authentication
  ‒ Today: we also use the profiling data as part of an authorization policy. i.e.: Authorized User + i-Device = Internet Only

Local Edition: All those devices

ISE Profiling – How? (PCs; Non-PCs: UPS, Phone, Printer, AP)
• What ISE Profiling is:
  ‒ Dynamic classification of every device that connects to the network, using the infrastructure.
  ‒ Provides the context of "What" is connected, independent of user identity, for use in access policy decisions
• What Profiling is NOT:
  ‒ An authentication mechanism.
  ‒ An exact science for device classification.

Profiling Technology – Visibility Into What Is On the Network

Profiling Non-User Devices – Dynamic Population of MAB Database Based on Device Type
Diagram: Access Switch, ISE, Management. Value-add: UPS = Management_Only dACL; Cameras = Video VLAN; Printers = Printer VLAN

Profiling User Devices – Differentiated Access Based on Device Type
Diagram: WLAN Controller (Corp, Guest), ISE, Internet. Value-add: Kathy (Marketing) + Personal Tablet / Smartphone = Limited Access (Internet Only), Named ACL = Internet_Only; Kathy + Corp Laptop = Full Access to Marketing VLAN, VLAN = Marketing

Understanding ISE Profiling – IP to MAC Address is Critical
• All endpoints are uniquely identified by their MAC address
  ‒ One workstation connected to both wired & wireless = 2 devices in ISE
• Some probes collect data based on IP address only. If ISE is not L2 adjacent, then IP-to-MAC address binding is required.
  ‒ This means other probes must be in place and working to collect IP-to-MAC data.
• Collection methods that bypass the MAC-IP requirement:
  ‒ HTTP (URL-redirected traffic)
  ‒ IOS Sensor
Probes shown: DNS, IOS Sensor, DHCP, NMAP

Feed Service
• Automatic Updates
• Feeds OUIs, Profiles, Posture, Bootstraps, and Agents
• Has approval / publish process

Local Edition: What has this device been doing?

Posture Assessment – Does the Device Meet Security Requirements?
• Posture = the state of compliance with the company's security policy.
  ‒ Is the system running the current Windows patches?
  ‒ Anti-Virus installed? Is it up-to-date?
  ‒ Anti-Spyware installed? Is it up-to-date?
  ‒ Screensaver enabled? Password protected?
  ‒ Personal Firewall enabled?
• User / System Identity is extended to include their Posture Status.
• Can be extended to Mobile Devices
  ‒ MobileIron, AirWatch, Citrix, Afaria, SAP
  ‒ Device Registration, Wipe, Lock

ISE – Posture Policies (Wired, Wireless, VPN; Employees vs. Contractors/Guests)
Employee Policy:
• Microsoft patches updated
• Trend Micro AV installed, running, and current
• Corp asset checks
• Enterprise application running
Contractor Policy:
• Any AV installed, running, and current
Guest Policy: Accept AUP (No posture - Internet Only)

Local Edition: Authorization and Segmentation

Network Segmentation
• Primary Network Segmentation Methods
  ‒ Ingress port dynamic VLAN assignment
  ‒ Ingress port ACLs: Downloadable ACLs (dACLs), Named ACLs (filter-id)
  ‒ Egress port ACLs (Security Group ACLs, or SGACLs)
• Complementary Technologies and Segmentation Methods
  ‒ Virtual Route Forwarding (VRF)
  ‒ Generic Route Encapsulation (GRE)
  ‒ Virtual Private Networking (VPN)
  ‒ Policy-Based Routing (PBR)
  ‒ Other tunneling / path isolation technologies (L2TPv3, MPoE, QinQ, WDM, etc)

VLANs and dACLs
VLANs
• Authorization policy dynamically sets port VLAN
• VLAN assignment based on user compliance or role; for example: Quarantine/Remediation VLAN, Guest VLAN, Employee VLAN
• Infrastructure is responsible for isolating or securing traffic on the VLAN, such as ACLs, firewalls, and/or path isolation (VRFs, tunnels, etc).
• Typically requires IP change, thus often disruptive to user access, with potential delays and/or conflicts with other endpoint processes.
dACLs
• Authorization policy dynamically sets port ACL to limit device access
• ACL source (any) automatically converted to specific host address
• Resource limits per switch on ACE count per ACL, thus intended for coarse-grained access restrictions
• No IP address change required, thus typically less disruptive to endpoint and improved user experience.
Diagram: 802.1X/MAB/Web Auth → VLAN Assignment or ACL Download

Authorization – Switch/Controller is the Enforcement Point (two diagram slides)

What Makes this Work – Change of Authorization (CoA)
• CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/Redirection for a device/user without having to start the entire process all over again.
• Without it: manually remove the user from the network & then have the entire AAA process begin again.
  ‒ Example: disassociate wireless device & have to join wireless again.
• RFC 3576 and 5176

RADIUS Change of Authorization (CoA) – Quarantine VLAN to CORP VLAN
1. Endpoint fails Posture Assessment and gets assigned to Quarantine VLAN
2. Endpoint remediates itself and is reported: Posture=Compliant
3. ISE issues RADIUS CoA to re-authenticate
4. Client is re-authenticated and assigned to CORP VLAN
Dynamic session control from a Policy server:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
• Session Query: For Active Services, For Complete Identity
• Service Specific: Activate Service, De-activate Service, Query
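An added illustration, not ISE code or code from the deck, that ties the posture-policies slide (Employee / Contractor / Guest) to the CoA flow above: a session lands in the quarantine VLAN on failed posture, and a verified compliance report triggers a CoA re-authentication that moves it to CORP. Role names, VLAN names and endpoint attributes are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    user: str
    role: str                         # "employee", "contractor" or "guest"
    patches_current: bool = False     # Microsoft patches updated
    av: str = ""                      # installed AV product, "" if none
    av_running: bool = False
    av_current: bool = False
    corp_asset: bool = False
    enterprise_app_running: bool = False
    accepted_aup: bool = False        # guests only sign the AUP


@dataclass
class Session:
    endpoint: Endpoint
    vlan: str = "UNAUTHORIZED"
    coa_count: int = 0                # how many RADIUS CoA messages ISE sent
    log: list = field(default_factory=list)


def failed_checks(ep: Endpoint) -> list:
    """Names of the posture checks the endpoint fails under its role's policy."""
    if ep.role == "employee":
        checks = {
            "Microsoft patches updated": ep.patches_current,
            "Trend Micro AV installed, running, and current":
                ep.av == "Trend Micro" and ep.av_running and ep.av_current,
            "Corp asset check": ep.corp_asset,
            "Enterprise application running": ep.enterprise_app_running,
        }
    elif ep.role == "contractor":
        checks = {"Any AV installed, running, and current":
                  bool(ep.av) and ep.av_running and ep.av_current}
    else:                             # guest: no posture, only the AUP
        checks = {"Accept AUP": ep.accepted_aup}
    return [name for name, ok in checks.items() if not ok]


def authorize(s: Session) -> str:
    """(Re)authentication result: VLAN chosen from role plus posture status."""
    failed = failed_checks(s.endpoint)
    if s.endpoint.role == "guest":
        s.vlan = "INTERNET_ONLY" if not failed else "DENY"
    elif failed:
        s.vlan = "QUARANTINE"         # remediation VLAN until compliant
        s.log.append(f"non-compliant: {failed}")
    else:
        s.vlan = "CORP"
    s.log.append(f"authorized into {s.vlan}")
    return s.vlan


def report_compliant(s: Session) -> str:
    """The agent reports Posture=Compliant. If the claim holds, ISE issues a
    RADIUS CoA re-authenticate (RFC 5176) and the same decision logic moves
    the session to CORP without the user leaving the network."""
    if failed_checks(s.endpoint):
        s.log.append("still non-compliant, no CoA issued")
        return s.vlan
    s.coa_count += 1
    s.log.append("RADIUS CoA: reauthenticate session")
    return authorize(s)
```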

CoA Benefit – Native Supplicant or EAP-Chaining with AnyConnect
Windows boot and logon sequence (diagram): Power On → Kernel Loading → Windows HAL Loading → Device Driver Loading → Obtain Network Address (Static, DHCP) → Determine Site and DC (DNS, LDAP) → Establish Secure Channel to AD (LDAP, SMB) → Kerberos Authentication (Machine Account) → Computer GPOs Loading (Async) → GPO-based Startup Script Execution → Certificate Auto Enrollment → Time Synchronization → Dynamic DNS Update → GINA → Kerberos Auth (User Account) → User GPOs Loading (Async) → GPO-based Logon Script Execution (SMB)
The diagram brackets the steps from Obtain Network Address onward as "components that depend on network connectivity", with Machine Authentication covering the steps before GINA and User Authentication the steps after it.

Authorization Challenges – Ingress Access Control (802.1X/MAB/Web Auth → ACL Download, VLAN Assignment)
• Traditional access authorization methods leave some deployment concerns:
  ‒ Detailed design before deployment is required, otherwise…
    • Not so flexible for changes required by today's business
    • Access control project ends up with redesign for entire network
    • Access devices now being used as security devices
• Questions these methods raise:
  ‒ Can I create / manage the new VLANs or IP address scope?
  ‒ How do I deal with DHCP refresh in new subnet?
  ‒ How do I manage ACL on VLAN interface?
  ‒ Does protocol such as PXE or WOL work with VLAN assignment?
  ‒ Any impact to the route summarization?
  ‒ Who's going to maintain ACLs?
  ‒ What if my destination IP addresses are changed?
  ‒ Does my switch have enough TCAM to handle all requests?

Enter Secure Group Access – Topology Independent Access Control
• Term describing use of:
  ‒ Secure Group TAGs (SGTs)
  ‒ Secure Group ACLs (SGACLs)
  ‒ When a user logs in they are assigned a TAG (SGT) that identifies their role
  ‒ The TAG is carried throughout the Network
• Removes concern of TCAM space for detailed ingress ACLs
• Removes concern of ACE explosion on DC firewalls
• Enforce that tag in the DataCenter or at the ASA edge
• SGACLs are applied based on a matrix:

  SGT    Public   Private
  Staff  Permit   Permit
  Guest  Permit   Deny

Security Group-Based Access Control In Action
• Authorization policy dynamically sets egress port ACL (SGACL) to limit device access
• ACL source (any) automatically converted to specific host address
• Since the ACL is applied close to the destination (protected resource), SGACLs are intended for fine-grained access restrictions
• SGA abstracts the network topology from the policy, thus reducing the number of policy rules necessary for the admin to maintain
Diagram: 802.1X/MAB/Web Auth; "I'm a contractor, my group is HR" → Contractor & HR, SGT = 100; destinations Finance (SGT=4) and HR (SGT=10); SGACL enforced at egress

How is the Tag Assigned?
SGT Assignment Process:
1. A user (or device) logs into the network via 802.1X
2. ISE is configured to send a TAG in the Authorization Result, based on the "ROLE" of the user/device
3. The Switch/Controller applies this TAG to the user's traffic.

Security Group Based Access Control
SGA Allows Customers:
‒ To keep existing logical design at access layer
‒ To change / apply policy to meet today's business requirement
‒ To distribute policy from central management server
Diagram: Ingress Enforcement (802.1X/MAB/Web Auth; "I am an employee, my group is HR" → HR SGT = 100); Egress Enforcement (SGACL between HR (SGT=100) and Finance (SGT=4))

Security Group Based Access Control for Firewalls – Security Group Firewall (SGFW)
Diagram: policy expressed as Source Tags × Destination Tags
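An added illustration (not Cisco/ISE code, not from the deck) of the SGT assignment and SGACL matrix described on the Secure Group Access slides: the enforcement point resolves each address to its tag and consults the Staff/Guest × Public/Private matrix, so a host keeps its policy when its IP changes, and the rule count stays at one cell per tag pair where an address-based ACL would need one ACE per host/server pair. The tag values, addresses and host counts are constructed.

```python
from itertools import product

# SGT returned by ISE in the authorization result, keyed by role (constructed values).
ROLE_TO_SGT = {"staff": 5, "guest": 6}
# Destination tags for the protected resources on the slide (constructed values).
DEST_SGT = {"public": 20, "private": 30}

# The slide's SGACL matrix: (source SGT, destination SGT) -> action.
SGACL = {
    (ROLE_TO_SGT["staff"], DEST_SGT["public"]): "permit",
    (ROLE_TO_SGT["staff"], DEST_SGT["private"]): "permit",
    (ROLE_TO_SGT["guest"], DEST_SGT["public"]): "permit",
    (ROLE_TO_SGT["guest"], DEST_SGT["private"]): "deny",
}


def assign_sgt(role: str) -> int:
    """Step 2 of the SGT assignment process: ISE picks the TAG from the role."""
    return ROLE_TO_SGT[role]


def sgacl_decision(src_sgt: int, dst_sgt: int) -> str:
    """Egress lookup: only the two tags matter; a pair with no cell is denied."""
    return SGACL.get((src_sgt, dst_sgt), "deny")


def evaluate_flow(src_ip: str, dst_ip: str, ip_to_sgt: dict) -> str:
    """Enforcement-point view of one flow: resolve each address to the tag
    the switch/controller stamped on it, then consult the matrix.
    Addresses with no tag binding (untrusted or unknown) are denied."""
    src, dst = ip_to_sgt.get(src_ip), ip_to_sgt.get(dst_ip)
    if src is None or dst is None:
        return "deny"
    return sgacl_decision(src, dst)


def ip_acl_ace_count(hosts_per_role: dict, servers_per_dest: dict) -> int:
    """ACEs an address-based ACL needs to state the same matrix explicitly:
    one per (host, server) pair, since an IP ACL cannot express 'role'
    without enumerating addresses. Grows with every new host or server."""
    return sum(hosts_per_role[r] * servers_per_dest[d]
               for r, d in product(hosts_per_role, servers_per_dest))


def sgacl_cell_count() -> int:
    """The SGACL matrix stays one cell per (role, resource) pair."""
    return len(SGACL)
```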

Local Edition: More Good Stuff

MACSec and NDAC – Media Access Control Security and Network Device Admission Control
• MACSec: Layer-2 Encryption (802.1AE)
  ‒ Industry Standard Extension to 802.1X
  ‒ Encrypts the links between host and switch and links between switches.
  ‒ Traffic in the backplane is unencrypted for inspection, etc.
  ‒ Client requires a supplicant that supports MACSec and the encryption key-exchange
• NDAC: Authenticate and Authorize switches entering the network
  ‒ Only honors SGTs from Trusted Peers
  ‒ Can retrieve policies from the ACS/ISE Server and "proxy" the trust to other devices.
Diagram: hop-by-hop Encrypted Links between switch ports

Client MACSec in Action (wiring closet switch, campus network)
1. User bob connects. (User: bob, Policy: encryption)
2. Bob's policy indicates endpoint must encrypt.
3. Key exchange using MKA, 802.1AE encryption complete. User is placed in corporate VLAN. Session is secured. (MACSec enabled)
4. User steve connects. (User: steve, Policy: encryption)
5. Steve's policy indicates endpoint must encrypt.
6. Endpoint is not MACSec enabled. Assigned to guest VLAN. (Non-MACSec enabled)
802.1X-Rev Components
• MACSec enabled switches
• AAA server 802.1X-Rev aware
• Supplicant supporting MKA and 802.1AE encryption

Register for Cisco Live - Orlando
Cisco Live - Orlando, June 23 – 27, 2013
www.ciscolive.com/us