Sécurisation de l'accès au réseau (Securing Network Access)

Firewalls are only effective if you control who is behind an IP address. While nobody would consider doing without a firewall, many deployments still leave network access incompletely protected: no access control on switch ports, no mechanism to prevent address theft, and so on.

In this presentation we review the techniques for securing network access (802.1X, MAB, First Hop Security, ACLs, ...) and cover the latest innovations in this area (Security Group Tags, profiling, EAP chaining, MACsec, Identity Services Engine, ...). We also show how putting security configurations in place can simplify the network and its operation.



  1. Sécurisation de l'accès au réseau (Securing Network Access)
     Breakfast session, 20 May 2014
     Jérôme Durand, Consulting Systems Engineer, Enterprise Networking Solutions
     Federico Ziliotto, Consulting Systems Engineer, CCIE 23280 (Wireless, R&S)
  2. Agenda
     Cisco Confidential. © 2013-2014 Cisco and/or its affiliates. All rights reserved.
     • 802.1X on wired networks: myth or reality?
     • Advanced access control and demo
     • First hop security
  3. 802.1X on wired networks: myth or reality? (section title)
  4. Short History of Identity Services: where do we come from, where do we go to?
     • In the Dark Ages, there was IEEE 802.1X
     • Then we had MAB, Auth-Fail VLAN, Guest VLAN, Deployment Modes, ...
     • We will finally be walking upright with the help of the new version of the Identity Engine for TrustSec: Session Aware Networking
  5. Legos and Identity / IEEE 802.1X: rolling out identity can be a tedious task
     • We deliver a ton of useful and very specific features
     • The deployment scenarios address 80% of cases, but the remaining 20% are the most complex
     • Where's my individual assembly instruction? What do I do if I'm missing a specific brick (feature)?
  6. ACS / ISE: Brief History
     • Cisco Secure ACS: the TACACS+ / RADIUS veteran
       - Supports RADIUS and TACACS+
       - Two major versions: Windows based (< 5.0) and Linux based (>= 5.0)
       - Software only (< 5.0) and appliance (4.x and 5.x)
     • Identity Services Engine (ISE): the new kid on the block
       - Complete rewrite (no TACACS+ as of today)
       - Focused on access control / identity / TrustSec
       - Integrates formerly separate modules / products (profiler, guest services, RADIUS server, NAC)
       - Recommended going forward for identity projects
  7. Thinking About Authentication
     Policy: Credentials, DBs, EAP, Supplicants, Agentless, Order / Priority
     Teamwork & Organization: Network, IT, Desktop
     Desktops: Windows GPO, machine auth, PXE, WoL, VM
     Multiple Endpoints, Confidentiality: addressed under authorization and deployment scenarios (later slides)
  8. IEEE 802.1X Provides Port-Based Access Control Using Authentication
     Supplicant ("Client") <-- EAP over LAN (EAPoL), Layer 2 point-to-point --> Authenticator ("Switch") <-- RADIUS, Layer 3 link --> Authentication Server ("AAA / RADIUS Server")
     Beginning:
       EAPoL Start (supplicant -> authenticator)
       EAPoL Request Identity (authenticator -> supplicant)
       EAP-Response Identity: Alice (supplicant -> authenticator), relayed as RADIUS Access-Request [AVP: EAP-Response: Alice]
     Middle (multiple challenge / request exchanges possible):
       RADIUS Access-Challenge [AVP: EAP-Request PEAP] -> EAP-Request: PEAP
       EAP-Response: PEAP -> RADIUS Access-Request [AVP: EAP-Response: PEAP]
     End:
       RADIUS Access-Accept [AVP: EAP Success] [AVP: VLAN 10, dACL-n] -> EAP Success
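To make the Access-Request in this exchange concrete, here is an added example (not part of the original deck and not Cisco code) that builds the RADIUS Access-Request carrying the EAP-Response/Identity for "Alice" the way an authenticator does, including the Calling-Station-Id attribute (31) that the MAR slide later relies on and the Message-Authenticator attribute (80) that RFC 3579 requires on every RADIUS packet carrying EAP, and then verifies the packet the way the server does. The shared secret "cisco" is the one from the monitor-mode configuration on slide 34; the NAS address 10.100.10.10, the identifier and the MAC are made up for the example.

```python
import hmac
import os
import struct
from hashlib import md5
from typing import List, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 1, 4, 31
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP packet: code (Response), identifier, length, type (Identity), identity string."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: type, length (includes the 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes; split EAP-Message across attributes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, identifier: int, username: str, calling_station_id: str,
                         nas_ip: str, eap: bytes, request_authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request as the switch would send it for the supplicant's EAP-Response/Identity."""
    request_authenticator = request_authenticator or os.urandom(16)  # 16 random bytes (RFC 2865)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_CALLING_STATION_ID, calling_station_id.encode())
             + attribute(ATTR_EAP_MESSAGE, eap)
             + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs
    # Message-Authenticator = HMAC-MD5(shared secret, whole packet with the attribute value zeroed).
    mac = hmac.new(secret, packet, md5).digest()
    return packet[:-16] + mac  # the placeholder is the last attribute, so its value is the trailing 16 bytes


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list after the 20-byte header; reject malformed lengths instead of looping."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the HMAC with the Message-Authenticator value zeroed (RFC 3579 3.2)."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, md5).digest(), received)
        pos += length
    return False  # an EAP-carrying Access-Request without Message-Authenticator must be discarded
```

The Request Authenticator alone does not protect an Access-Request against modification; only the Message-Authenticator binds the EAP-Message, User-Name and Calling-Station-Id attributes to the shared secret, which is why a server must drop EAP requests that lack it.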
  9. Choosing Credentials for 802.1X
     Common types: passwords (from a directory, e.g. alice / c1sC0L1v), certificates (from a certificate authority), tokens (from a token server)
     Deciding factors: security policy, validation, distribution & maintenance
 10. How To Submit Credentials
     • Mutual authentication: the server must validate the client's identity and vice versa
     • Security: client credentials cannot be snooped or cracked
     PEAP-MSCHAPv2: server certificate authentication (signed by a trusted CA, belongs to an allowed server) -> encrypted tunnel -> client authentication (known username, valid password)
     EAP-TLS: server certificate authentication (signed by a trusted CA, belongs to an allowed server); client certificate authentication (signed by a trusted CA, additional checks)
 11. Users and Machines Can Have Credentials
     Machine authentication (e.g. hostwin7):
     • Enables devices to access the network prior to (or in the absence of) user login
     • Enables critical device traffic (DHCP, NFS, machine GPO)
     • Is required in managed wired environments
     User authentication (e.g. alice):
     • Enables user-based access control and visibility
     • If enabled, should be in addition to device authentication
 12. Business Case & Security Policy Determine Whether You Need User Auth
     Example 1: Call center. Objective: differentiated access for agents. Conditions: shared-use PCs (desktops). Method: PEAP, machine + user.
     Example 2: Enterprise campus. Objective: access for corporate assets only. Conditions: one laptop = one user. Method: EAP-TLS, machine only.
     Bonus question: could this customer enable password-based user authentication if they wanted to?
 13. Understanding Your Supplicant is Essential (native, premium, open source, hardware)
     Best practice: make friends with your desktop team!
     Massive outage after OS upgrade:
     • XP SP2: single service & profile for all 802.1X (wired / wireless)
     • XP SP3 / Vista / Win 7 / Win 8: separate services and profiles for wired and wireless; the wired service is disabled by default (http://support.microsoft.com/kb/953650)
     Auth-Fail VLAN doesn't work:
     • The switch expects 3 failures by default
     • XP SP3, Vista, Win 7, Win 8: 20 minute block timer on the first EAP failure (http://support.microsoft.com/kb/957931)
     • Fix: (config-if)#authentication event fail retry 0
 14. Machine and User Authentication: how to force a user to authenticate from an already authenticated machine?
     With the native Windows 802.1X supplicant:
     • The same EAP method is used for both machine and user.
     • Once logged in to Windows, since the user's identity is available, only user authentication is triggered.
     With Cisco AnyConnect NAM:
     • Different, separate EAP methods can be used for the machine and the user.
     • EAP Chaining authenticates both the machine and the user in the same session whenever 802.1X is triggered.
 15. Machine Access Restriction (MAR)
     • Supplicant agnostic.
     • The network access device (NAD) sends the endpoint's MAC in the RADIUS attribute [31] Calling-Station-ID.
     • ISE caches the MAC address of the authenticated machine in the MAR cache.
     • When the user authenticates from the same device, ISE can tell it is the previously authenticated machine thanks to the MAR cache.
 16. EAP Chaining
     • Supported with AnyConnect 3.1 and ISE.
     • Relies on advanced options of EAP-FAST to authenticate both the machine and the user in the same EAP(-FAST) session.
     • If no user information is available (logged out), only machine credentials are used.
     • If the user's identity is also available, both machine and user information are used for the 802.1X authentication.
 17. Real Networks Can't Live on 802.1X Alone: default access control is binary
     802.1X passed (managed assets with a supplicant): DHCP, TFTP, KRB5, HTTP and EAPoL all pass the switchport.
     Unauthenticated (employee with a bad credential, guest, rogue): only EAPoL reaches the switchport; DHCP, TFTP, KRB5 and HTTP are dropped.
 18. MAC Authentication Bypass (MAB): "authentication" for clientless devices
     1) The switch sends EAPoL EAP Request-Identity three times and no supplicant answers (IEEE 802.1X timeout).
     2) Any packet from the endpoint (e.g. MAC 00.0A.95.7F.DE.06) triggers MAB: RADIUS Access-Request [AVP: 00.0A.95.7F.DE.06] to the RADIUS server, which answers RADIUS Access-Accept.
     How are MACs "authenticated"?
 19. MAC Databases: Device Discovery
     • Find it: leverage an existing asset database (e.g. purchasing department, CUCM)
     • Build it: bootstrap methods to gather data (e.g. SNMP, syslog, accounting)
     • Buy it: automated device discovery (e.g. ISE)
 20. Building Your MAB Database: profiling tools are evolving
     • ACS: SNMP, DHCP, MAC OUI
     • ISE 1.1 Profiler: SNMP, DHCP, MAC OUI, plus LDAP, RADIUS Access-Request and RADIUS Accounting
     • Device Sensor (IOS 15.0(1)SE1) on the switch, feeding ISE through RADIUS Accounting
 21. To Fail or Not to Fail MAB? Two options for unknown MAC addresses
     Option A: MAB fails. RADIUS Access-Request (MAB) -> RADIUS Access-Reject; control of the session passes to the switch: 1) no access, 2) switch-based Web-Auth, 3) Guest VLAN.
     Option B: the MAC is unknown but MAB "passes". RADIUS Access-Request (MAB) -> RADIUS Access-Accept carrying a guest policy.
     • The AAA server determines the policy for unknown endpoints (e.g. network access levels, re-auth policy)
     • Good for centralized control & visibility of the guest policy (VLAN, ACL)
 22. Thinking About Authorization
     Policy: Pre-Auth, VLAN, ACL, Failed Auth, AAA down
     Multiple Endpoints: Phones, Link State, VMs, Desktop Switches
 23. Authorization Options: Pre-Authentication
     • Default: closed. Only EAPoL passes the switchport before authentication; DHCP, TFTP, KRB5 and HTTP are dropped.
     • Open: all traffic passes before authentication.
         switch(config-if)#authentication open
     • Selectively open: a pre-authentication port ACL decides what passes (e.g. DHCP, TFTP) and what is dropped (e.g. KRB5, HTTP).
         switch(config-if)#ip access-group PRE-AUTH in
         switch(config-if)#authentication open
 24. Authorization Options: Passed Authentication
     • Default: open. All traffic (DHCP, TFTP, KRB5, HTTP, EAPoL) passes.
     • Dynamic ACL: the AAA server pushes an ACL that allows wanted traffic and blocks the rest (e.g. Torrent).
     • Dynamic VLAN: the AAA server places the session (e.g. Alice) in a VLAN.
 25. Authorization Options: Failed 802.1X
     • Default: closed. Nothing but EAPoL passes.
     • Auth-Fail VLAN:
         switch(config-if)#authentication event fail action authorize vlan 50
     • Next-method* (a single packet from the endpoint is enough for MAB):
         switch(config-if)#authentication event fail action next-method
     * Final authorization is determined by the result of the next method.
 26. Authorization Options: No Client
     • Default: closed.
     • Guest VLAN:
         switch(config-if)#authentication event no-response action authorize vlan 51
     • Next-method* (a single packet from the endpoint is enough for MAB):
         switch(config-if)#mab
     * Final authorization is determined by the result of the next method.
 27. Authorization Options: AAA Server Dead
     • Default: closed.
     • Critical VLAN:
         switch(config-if)#authentication event server dead action authorize vlan 52
 28. Authorization: Single-MAC Filtering (default: single-host mode)
     • Multiple MACs are not allowed on the port, to ensure the validity of the authenticated session; a second MAC (e.g. a VM behind the host) causes a security violation
     • Affects hubs, VMware, phones, gratuitous ARP, ...
     • Applies in open and closed mode
         interface gigabitEthernet 1/0/1
          dot1x pae authenticator
          authentication port-control auto
 29. Multi-Domain Authentication (MDA) Host Mode: modifying single-MAC filtering for IP phones
     • IEEE 802.1X: single device per port; MDA: single device per domain (data, voice) per port
     • MDA replaces CDP bypass
     • Supports Cisco & 3rd party phones
     • Phones and PCs use 802.1X or MAB
         interface gigabitEthernet 1/0/1
          dot1x pae authenticator
          authentication port-control auto
          authentication host-mode multi-domain
 30. Multi-Authentication Host Mode: modifying single-MAC filtering for virtualized endpoints
     • MAC-based enforcement for each device (e.g. host and VM)
     • 802.1X and / or MAB
         interface gigabitEthernet 1/0/1
          dot1x pae authenticator
          authentication port-control auto
          authentication host-mode multi-auth
 31. Thinking About Deployment Scenarios
     Policy: Credentials, DBs, EAP, Supplicants, Agentless, Order / Priority (authentication); Pre-Auth, VLAN, ACL, Failed Auth, AAA down (authorization); Definition, Enforcement, Rollout (deployment)
     Teamwork & Organization: Network, IT, Desktop
     Desktops: Windows GPO, machine auth, PXE, WoL, VM
     Multiple Endpoints: Phones, Link State, VMs, Desktop Switches
     Confidentiality: Encryption
 32. Three Proven Deployment Scenarios
     • Monitor Mode: authentication without access control
     • Low Impact Mode: minimal impact to network and users
     • Closed Mode: logical isolation (formerly "High Security")
 33. Scenario 1: Monitor Mode Overview
     Goals:
     • No impact to existing network access
     • See what is on the network, who has a supplicant, who has good credentials, who has bad credentials
     • Deterrence through accountability
     How to:
     • Enable 802.1X & MAB
     • Enable open access: all traffic in addition to EAP is allowed; like not having 802.1X enabled, except that authentications still occur
     • Enable multi-auth host mode
     • No authorization
 34. Monitor Mode Switch Configuration Example (basic 802.1X/MAB monitor mode)
     Switch global config:
         aaa new-model
         aaa authentication dot1x default group radius
         aaa authorization network default group radius
         aaa accounting dot1x default group radius
         radius-server host 10.100.10.150 auth-port 1812 acct-port 1813 key cisco
         radius-server vsa send authentication
         authentication mac-move permit
     Switch interface config:
         interface GigabitEthernet1/4
          switchport access vlan 60
          switchport mode access
          switchport voice vlan 61
          authentication host-mode multi-auth
          authentication open
          authentication port-control auto
          authentication violation restrict
          mab
          dot1x pae authenticator
 35. Monitor Mode: Next Steps
     RADIUS authentication & accounting logs:
     • Passed / failed 802.1X (who has bad credentials? misconfigurations?)
     • Passed / failed MAB attempts (what don't I know?)
     Next steps: improve accuracy, evaluate remaining risk, leverage information, prepare for access control
 36. Preparing for Access Control: Fix 802.1X
     Observed failures (screenshots of failed 802.1X attempts). Root cause: untrusted or self-signed certificate on the AAA server. Fix: import a server certificate signed by the enterprise CA.
     Helpful supplicant: AC3.0 NAM / Win7. Not as helpful: XP SP2.
 37. Preparing for Access Control: Learn MACs (using ACS 5 as an example)
     Observed failure (screenshot). Fix: bulk-import the learned MAC addresses from a MAC.CSV file (screenshot).
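The two monitor-mode next steps above (read the RADIUS authentication logs, then bulk-import the MACs you discover) are mechanical enough to script. The following is an added Python example, not from the deck and not Cisco code. The log lines it parses are constructed for the example in a simplified key=value form rather than real ACS or ISE output, and the MACAddress/Description CSV header is an assumed import layout that you should align with your AAA server's bulk-import template.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from typing import Dict

# Constructed sample log (simplified format, not real ACS/ISE output): one authentication per line.
SAMPLE_LOG = """\
2014-05-20T09:01:02 Passed-Authentication method=dot1x user=alice mac=00:0A:95:7F:DE:06 nas=10.100.10.10 port=Gi1/4
2014-05-20T09:01:07 Failed-Attempt method=dot1x user=bob mac=00:0A:95:7F:DE:07 nas=10.100.10.10 port=Gi1/5 reason=invalid-password
2014-05-20T09:01:09 Failed-Attempt method=dot1x user=carol mac=00:0A:95:7F:DE:08 nas=10.100.10.10 port=Gi1/6 reason=server-cert-rejected
2014-05-20T09:02:31 Failed-Attempt method=mab user=00:1B:21:AA:BB:CC mac=00:1B:21:AA:BB:CC nas=10.100.10.10 port=Gi1/7 reason=unknown-mac
2014-05-20T09:02:40 Passed-Authentication method=mab user=00:21:55:D6:01:33 mac=00:21:55:D6:01:33 nas=10.100.10.10 port=Gi1/8
2014-05-20T09:03:11 Failed-Attempt method=mab user=00:1B:21:AA:BB:CC mac=00:1B:21:AA:BB:CC nas=10.100.10.10 port=Gi1/7 reason=unknown-mac
2014-05-20T09:05:00 Failed-Attempt method=dot1x user=bob mac=00:0A:95:7F:DE:07 nas=10.100.10.10 port=Gi1/5 reason=invalid-password
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>Passed-Authentication|Failed-Attempt) (?P<kv>.*)$")


def parse_line(line: str):
    """Return a dict of the line's fields, or None for lines that are not authentication records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "result": m.group("result")}
    rec.update(kv.split("=", 1) for kv in m.group("kv").split())
    return rec


def analyse(log_text: str) -> Dict[str, object]:
    """The monitor-mode view: pass/fail per method, users with bad credentials,
    the reasons behind 802.1X failures (a burst of one reason points at a misconfiguration,
    e.g. an untrusted server certificate), and MACs the AAA server does not know yet."""
    stats = Counter()                 # (method, result) -> count
    bad_creds = Counter()             # user -> failed 802.1X attempts
    dot1x_reasons = Counter()         # failure reason -> count
    unknown_macs = defaultdict(set)   # MAC -> switch ports it was seen on
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats[(rec["method"], rec["result"])] += 1
        if rec["method"] == "dot1x" and rec["result"] == "Failed-Attempt":
            bad_creds[rec["user"]] += 1
            dot1x_reasons[rec.get("reason", "unknown")] += 1
        if rec["method"] == "mab" and rec["result"] == "Failed-Attempt":
            unknown_macs[rec["mac"].upper()].add(rec["port"])
    return {"stats": stats, "bad_creds": bad_creds, "dot1x_reasons": dot1x_reasons,
            "unknown_macs": dict(unknown_macs)}


def mac_csv(unknown_macs: Dict[str, set], description: str = "learned in monitor mode") -> str:
    """Render the unknown MACs as a CSV for bulk import into the MAB database.
    Header layout is an assumption; adapt it to the AAA server's import template."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["MACAddress", "Description"])
    for mac in sorted(unknown_macs):
        ports = ",".join(sorted(unknown_macs[mac]))
        writer.writerow([mac, f"{description}; seen on {ports}"])
    return out.getvalue()
```

Review the unknown-MAC list before importing it: a MAC that failed MAB repeatedly on a user-facing port is just as likely to be a visitor's laptop as a printer, so the CSV is a candidate list, not an allow list.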
 38. Scenario 2: Low Impact Mode
     Goals:
     • Begin to control / differentiate network access
     • Minimize impact to existing network access
     • Retain the visibility of monitor mode
     • "Low impact" == no need to re-architect your network: keep the existing VLAN design, minimize changes
     How to:
     • Start from monitor mode
     • Add ACLs, dACLs and flex-auth
     • Limit the number of devices connecting to a port
     • Add new features to support IP phones
 39. Low Impact Mode: Switch
     Pre-authentication port authorization state: block general access until successful 802.1X, MAB or WebAuth; pinhole explicit TCP / UDP ports (e.g. DHCP, TFTP) to allow desired access, while KRB5, HTTP and the rest wait for authentication.
     Switch interface config (from monitor mode; the pre-auth ACL is the addition for low impact):
         interface GigabitEthernet1/4
          switchport access vlan 60
          switchport mode access
          switchport voice vlan 61
          ip access-group PRE-AUTH in
          authentication open
          authentication port-control auto
          authentication violation restrict
          mab
          dot1x pae authenticator
     Switch global config (add to monitor mode; the switch needs the endpoint's IP address to substitute it into dACLs):
         ip device-tracking
 40. Pre-Auth ACL Considerations
     • The pre-auth port ACL is arbitrary and can progress as you better understand the traffic on your network
     • Recommendation: use the least restrictive ACL you can; time-sensitive traffic is a good candidate for the ACL
     Approach 1: selectively block traffic. Selectively protect certain assets / subnets; low risk of inadvertently blocking wanted traffic. Example: block unauthenticated users from the Finance servers.
     Approach 2: selectively allow traffic. More secure, better control; may block wanted traffic. Example: only allow pre-auth access for PXE devices to boot.
 41. Low Impact Mode: AAA Server: configure downloadable ACLs (dACLs) for authenticated users
     Pre-auth ACL on the port (example):
         permit ip host 10.100.20.200 any
         permit tcp any any established
         permit udp any any eq bootps
         permit udp any host 10.100.10.116 eq domain
         permit udp any host 10.100.10.117 eq tftp
     After authentication the switch applies the dACL and dynamically substitutes the endpoint's address for the source:
     • Contents of the dACL are arbitrary
     • You can have as many unique dACLs as there are user permission groups
     • Same principles as the pre-auth port ACL
     • TCAM restrictions apply!
 42. Example: Using Low Impact Mode to bootstrap a new phone
     • The pre-auth ACL allows just enough access for DHCP and TFTP (config file CNF and certificate trust list CTL from 10.100.10.238)
     • The new config enables 802.1X on the phone
     • After 802.1X, the phone has full access
     Pre-auth ACL:
         permit ip host 10.100.20.200 any
         permit udp any any eq bootps
         permit udp any host 10.100.10.238 eq tftp
         permit udp any host 10.100.10.238 range 32768 61000
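Because a pre-auth port ACL and a dACL are evaluated the same way (first match wins, implicit deny at the end), it helps to test an ACL against the flows you expect before pushing it to hundreds of ports. This is an added example, not part of the deck and not Cisco code: it handles the subset of Cisco extended-ACL syntax used on these slides (permit/deny, ip/tcp/udp, any/host/wildcard, eq/range with a few port names, established) and models the dACL source substitution described on slide 41. The endpoint and server addresses in the checks are made up; the phone bootstrap ACL is the one from slide 42.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}


@dataclass
class Flow:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set, i.e. not a new connection


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sports: Tuple[int, int]
    dst: ipaddress.IPv4Network
    dports: Tuple[int, int]
    established: bool
    text: str


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, Tuple[int, int]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' plus an optional eq/range port qualifier."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:  # Cisco wildcard mask: 0 bits must match; assumes a contiguous mask
        wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
        net = ipaddress.ip_network(f"{tok}/{32 - bin(wildcard).count('1')}", strict=False)
    ports = (0, 65535)
    if tokens and tokens[0] == "eq":
        p = _port(tokens[1])
        ports = (p, p)
        del tokens[:2]
    elif tokens and tokens[0] == "range":
        ports = (_port(tokens[1]), _port(tokens[2]))
        del tokens[:3]
    return net, ports


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # blank line or remark
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sports = _address(rest)
        dst, dports = _address(rest)
        rules.append(Rule(action, proto, src, sports, dst, dports, "established" in rest, line.strip()))
    return rules


def _matches(rule: Rule, f: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != f.proto:
        return False
    if ipaddress.ip_address(f.src) not in rule.src or ipaddress.ip_address(f.dst) not in rule.dst:
        return False
    if not (rule.sports[0] <= f.sport <= rule.sports[1] and rule.dports[0] <= f.dport <= rule.dports[1]):
        return False
    return f.established or not rule.established


def evaluate(rules: List[Rule], f: Flow) -> Tuple[str, Optional[str]]:
    """First matching entry wins; a Cisco ACL ends with an implicit 'deny ip any any'."""
    for rule in rules:
        if _matches(rule, f):
            return rule.action, rule.text
    return "deny", None


def substitute_dacl(dacl_text: str, endpoint_ip: str) -> str:
    """Model the dACL behaviour of slide 41: the switch replaces the 'any' source of each entry
    with the authenticated endpoint's address, so the ACL only ever matches that endpoint's traffic."""
    return re.sub(r"^(\s*(?:permit|deny)\s+\S+\s+)any\b", rf"\1host {endpoint_ip}", dacl_text, flags=re.MULTILINE)
```

Run the expected pre-auth flows (DHCP discover, TFTP to the phone's TFTP server) and a few that must not pass (HTTP, TFTP to another host) through evaluate() before deploying; the substitution shows why a dACL must not be written with a source narrower than "any", since the switch has no address to substitute there.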
 43. Scenario 3: Closed Mode
     Goals:
     • No access before authentication
     • Rapid access for non-802.1X-capable corporate assets
     • Logical isolation of traffic at the access edge (network virtualization solution; see BRKCRS-2033 for more on network virtualization)
     How to:
     • Return to the default "closed" access
     • Change timers or the authentication order
     • Implement identity-based VLAN assignment
 44. Closed Mode: AAA Server
     • If no VLAN is sent, the switch uses the static switchport VLAN
     • Configure dynamic VLANs for any user (or MAC) that should be in a different VLAN
 45. Key Takeaways
     Start simple and evolve:
     • Monitor mode before access control
     • Least restrictive ACLs, fewest VLANs
     Design / plan / implement:
     • Know where every device & user should / could end up
     • For troubleshooting, start at a central point and work outward as required; a good AAA server is invaluable
     Optimize deployment scenarios with new features:
     • Adopt new features where available
     • Familiarize yourself with the new policy model and capabilities
 46. Advanced access control and demo (section title)
 47. Catalyst 3650/3850: Per-Session VLAN Assignment ("MAC based VLANs")
     • Before Cat3650/Cat3850: one port, one VLAN per access port (1:1). Exception: voice (one data device untagged, one voice device tagged with the voice VLAN)
     • Later: VLAN assignment allowed on multi-authentication ports, but the first device "rules" the port
     • Now with Catalyst 3650/3850: each session can have an individual VLAN assigned. Example: Gi1/0/13 (not a trunk!) appears in two VLANs:
         160  WIRED-EMPLOYEE  active  Gi1/0/13
         170  WIRED-GUEST     active  Gi1/0/13
     http://gblogs.cisco.com/fr-reseaux/2013/08/26/jai-teste-pour-vous-802-1x-et-la-possibilite-dassigner-des-vlans-differents-sur-un-meme-port/
 48. Extending the Network Edge
     Hubs on an 802.1X network:
     • introduce multiple MACs per port
     • may not actually be hubs
     • are not managed devices
     Ideally, the extended edge:
     • extends trust and policy
     • uses a managed device
     • works on any access port
 49. Network Edge Authentication Topology (NEAT)
     1) The NEAT-capable supplicant switch (SSw) authenticates itself to the authenticator switch (ASw): EAP-Response: SSw -> RADIUS Access-Request [AVP: EAP-Response: SSw] -> RADIUS Access-Accept [device-traffic-class=switch]
     2) The ASw converts the port to a trunk
     3) The SSw authenticates users and devices in the conference room: EAP-Response: Alice -> RADIUS Access-Request [AVP: EAP-Response: Alice] -> RADIUS Access-Accept [VLAN Orange]
     4) The ASw learns the authenticated MACs via the Client Information Signaling Protocol (CISP): "allow Alice's MAC"
 50. Evolving Deployment Scenarios
     • Popular deployment scenarios: demonstrating industry leadership; phased deployments, i.e. a clear plan of action; high visibility + incremental access control
     • Now you want more! "What if AAA goes down?" What about IPv6 ACLs?
     • The need for flexible authorization: ACL, VLAN, QoS, URL-redirect, IPv6-enabled identity, ...; flex authentication plus flex authorization
 51. Identity Configuration Today: typical identity configuration, for every interface (and this list can get even longer!)
         interface FastEthernet2/0/1
          switchport access vlan 201
          switchport mode access
          ip access-group PREAUTH in
          authentication control-direction in
          authentication event fail action authorize vlan 201
          authentication event server dead action authorize vlan 201
          authentication event no-response action authorize vlan 201
          authentication open
          authentication order dot1x mab
          authentication priority dot1x mab
          authentication port-control auto
          authentication periodic
          authentication timer reauthenticate server
          authentication timer inactivity server dynamic
          authentication violation restrict
          mab
          dot1x pae authenticator
          dot1x timeout tx-period 5
          spanning-tree portfast
         end
 52. Introducing: Session-aware Networking, in a nutshell
     • The new identity policy engine for TrustSec
     • ANY authentication method with ANY authorization feature using ANY media
     • Leverages templates for sessions and interfaces
 53. Your Every Day Policy Management: e-mail policy (aka inbox filtering)
     • Event: an e-mail arrives
     • Class: additional attributes: sender is wife; mail is spam; mail is addressed to a mailing list
     • Action: result, based on the class. Wife: 1) mark urgent 2) put in inbox. Spam: 1) mark as spam 2) delete. Marketing: 1) put in the Marketing folder
     What's an event? What's a class? What's an action?
 54. From E-Mail Policy to Identity Policy: the concept still applies
     Event                   Class         Action
     session-started         always        authenticate via 802.1X
     authentication-failure  1X-FAIL       terminate 802.1X, assign Guest VLAN
                             NO-RESPONSE   assign Guest VLAN
                             AAA-DOWN      authorize port
     The classes of an event are evaluated match-FIRST or match-ALL.
 55. The SaNet Control Policy Construct (mostly for your reference)
     Structure: event (match-all or match-first) -> class -> actions (do-all, do-until-failure or do-until-success). The available actions depend on the event that triggered them.
     Events: aaa-available, absolute-timeout, agent-found, authentication-failure, authentication-success, authorization-failure, inactivity-timeout, session-started, tag-added, tag-removed, template-activated, template-activation-failed, template-deactivated, template-deactivation-failed, timer-expiry, violation
     Class conditions: activated-service-template, authorization-failure, authorization-status, authorization-method-priority, client-type, current-method-priority, ip-address, ipv6-address, mac-address, method, port-type, result-type, service-template, tag, timer, username, "always"
     Actions: authenticate using, deauthorize, activate fallback template <name>, activate template <name>, deactivate template <name>, set timer <name> <seconds>, clear-session, restrict, err-disable, protect, replace, shutdown, terminate <method>, authentication-restart, reinitialize-port, authorize
 56. Identity Configuration With SaNet
     New policy model, global (once):
         policy-map type control subscriber POLICY
          event session-started match-all
           10 class always do-until-failure
            10 authenticate using dot1x retries 2 retry-time 0 priority 10
          event authentication-failure match-first
           10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
            10 activate service-template VLAN201
            20 authorize
            30 pause reauthentication
           20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
            10 pause reauthentication
            20 authorize
           30 class DOT1X_NO_RESP do-until-failure
            10 terminate dot1x
            20 authenticate using mab priority 20
           40 class MAB_FAILED do-until-failure
            10 terminate mab
            20 activate service-template VLAN201
            30 authorize
          [...]
     Remaining identity config, for every interface (common config):
         interface FastEthernet2/0/1
          switchport access vlan 201
          switchport mode access
          ip access-group PREAUTH in
          authentication periodic
          authentication timer reauthenticate server
          access-session host-mode single-host
          access-session port-control auto
          access-session control-direction in
          mab
          dot1x pae authenticator
          dot1x timeout tx-period 5
          spanning-tree portfast
          service-policy type control subscriber POLICY
         end
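The policy-map above reads naturally as data: an event selects a list of classes, evaluated match-all or match-first, and each matching class runs its actions do-until-failure. The following is an added Python model of exactly those semantics, not Cisco code and not part of the deck. The class-map definitions the slide elides with [...] are replaced by assumed predicates, the VLAN201 service template is assumed to assign VLAN 201, and the (also elided) authentication-success handling is assumed to simply authorize. The model also folds in the 802.1X timing from this configuration (tx-period 5, "authenticate using dot1x retries 2") so that you can see how long a device without a supplicant waits before MAB takes over, and why the class order inside a match-first event matters.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Timers from the slide: "dot1x timeout tx-period 5" and "authenticate using dot1x retries 2"
TX_PERIOD = 5
DOT1X_RETRIES = 2   # 3 EAP Request-Identity frames in total before the no-response failure


@dataclass
class Session:
    mac: str
    has_supplicant: bool          # endpoint answers EAPoL Request-Identity
    dot1x_creds_ok: bool = False
    mab_known: bool = False       # MAC present in the A AA server's MAB database
    aaa_up: bool = True
    authd_before: bool = False    # host was authorized before the AAA server went down
    state: str = "unauthorized"
    vlan: Optional[str] = None    # None -> the port's static VLAN
    reauth_paused: bool = False
    elapsed: int = 0              # model time in seconds since link-up
    method: Optional[str] = None
    result: Optional[str] = None
    pending: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


Action = Callable[[Session], bool]   # True = the action succeeded, so do-until-failure continues


def authenticate_using(method: str) -> Action:
    def act(s: Session) -> bool:
        s.method = method
        if method == "dot1x" and not s.has_supplicant:
            s.elapsed += TX_PERIOD * (DOT1X_RETRIES + 1)   # wait out the identity requests
            s.result = "no-response"
        elif not s.aaa_up:
            s.result = "aaa-down"
        elif (method == "dot1x" and s.dot1x_creds_ok) or (method == "mab" and s.mab_known):
            s.result = "success"
        else:
            s.result = "failed"
        s.log.append(f"{method}: {s.result}")
        s.pending.append("authentication-success" if s.result == "success" else "authentication-failure")
        return True
    return act


def terminate(method: str) -> Action:
    def act(s: Session) -> bool:
        if s.method == method:
            s.method = None
        return True
    return act


def activate_service_template(name: str) -> Action:
    def act(s: Session) -> bool:
        s.vlan = name   # assumption: the template VLAN201 assigns VLAN 201
        return True
    return act


def authorize(s: Session) -> bool:
    s.state = "authorized"
    return True


def pause_reauthentication(s: Session) -> bool:
    s.reauth_paused = True
    return True


# The slide elides its class-map definitions with [...]; these predicates are assumed equivalents.
def aaa_down_unauthd(s): return s.result == "aaa-down" and not s.authd_before
def aaa_down_authd(s):   return s.result == "aaa-down" and s.authd_before
def dot1x_no_resp(s):    return s.method == "dot1x" and s.result == "no-response"
def mab_failed(s):       return s.method == "mab" and s.result == "failed"
def always(s):           return True


# event -> (match mode, [(class name, predicate, do mode, actions)]), transcribed from policy-map POLICY
POLICY = {
    "session-started": ("match-all", [
        ("always", always, "do-until-failure", [authenticate_using("dot1x")])]),
    "authentication-failure": ("match-first", [
        ("AAA_SVR_DOWN_UNAUTHD_HOST", aaa_down_unauthd, "do-until-failure",
            [activate_service_template("VLAN201"), authorize, pause_reauthentication]),
        ("AAA_SVR_DOWN_AUTHD_HOST", aaa_down_authd, "do-until-failure",
            [pause_reauthentication, authorize]),
        ("DOT1X_NO_RESP", dot1x_no_resp, "do-until-failure",
            [terminate("dot1x"), authenticate_using("mab")]),
        ("MAB_FAILED", mab_failed, "do-until-failure",
            [terminate("mab"), activate_service_template("VLAN201"), authorize])]),
    # Elided on the slide; assumed: a successful authentication just authorizes the session.
    "authentication-success": ("match-all", [("always", always, "do-until-failure", [authorize])]),
}


def run(policy, s: Session) -> Session:
    """Drive a fresh session through the policy until no event is pending."""
    s.pending.append("session-started")
    while s.pending:
        event = s.pending.pop(0)
        mode, classes = policy.get(event, ("match-all", []))
        for name, predicate, do_mode, actions in classes:
            if not predicate(s):
                continue
            s.log.append(f"{event} -> class {name}")
            for action in actions:
                if not action(s) and do_mode == "do-until-failure":
                    break
            if mode == "match-first":
                break
    return s
```

Two things the model makes visible: a printer with a known MAC still waits 15 seconds (3 x tx-period) before MAB runs, which is why the slide lowers tx-period from its 30 second default; and a supplicant with bad credentials matches none of the four classes shown, so unless one of the elided classes handles it the port simply stays unauthorized.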
 57. Configuration Mode Display: bridging the gap between "old style" and "new style"
     • Existing configurations simply work
     • They are converted in the background to the new policy mode
     • Use the CLI to change how the configuration is shown:
         switch# authentication display ?
           legacy     Legacy configuration
           new-style  New style (c3pl) configuration
     Tip: start with a known good configuration and see how changes in "legacy mode" change the new configuration!
 58. Templates: dynamic configuration done the right way (configuration by reference)
     • Service templates: dynamically assigned to a session; can be locally defined or downloaded via RADIUS
     • Interface templates: the cure for configuration bloat; a generic tool, not restricted to session / identity; like port profiles (e.g. Gi1/0/1-3 user ports, Gi1/0/4 access point)
 59. Applying a Template: similar to applying a port ACL via filter-id
     Supplicant --EAPoL--> Switch --Access-Request username=jdoe--> RADIUS; RADIUS --Access-Accept AV-Pair "subscriber:service-name=TEMPLATE"--> Switch enforces the template
     Defined on the switch:
         service-template TEMPLATE
          access-group PERMIT-ANY
          vlan 100
          inactivity-timer 360
     • Can also be triggered via RADIUS CoA
     • Service-template activation can be a local control-policy action
     • If the template doesn't exist on the switch, it can be downloaded like a dACL
 60. MACsec and NDAC: Media Access Control Security and Network Device Admission Control
     • MACsec: Layer-2 encryption (802.1AE), an industry-standard extension to 802.1X
       - Encrypts the links between host and switch and the links between switches (hop by hop)
       - Traffic in the backplane is unencrypted, for inspection etc.
       - The client requires a supplicant that supports MACsec and the encryption key exchange
     • NDAC: authenticate and authorize switches entering the network
       - Only honors SGTs from trusted peers
       - Can retrieve policies from the ACS/ISE server and "proxy" the trust to other devices
 61. Access Policy Based on User and Device Type
     Kathy (Marketing) on a corporate PC: full access to the Marketing VLAN (WiFi or LAN, via ISE)
     • How can I restrict access to my network?
     • Can I manage the risk of using personal PCs, tablets and smart devices?
 62. Access Policy Based on User and Device Type (continued)
     Kathy (Marketing) on a tablet / smartphone: limited access, Internet only (named ACL = Internet_Only)
 63. Use Case: Manage Non-User Devices
     Printers = Print VLAN; cameras = Video VLAN; specific device = enforce ACL
     • How do I discover non-user devices?
     • Can I determine what they are?
     • Can I control their access?
     • Are they being spoofed?
 64. ISE Profiler: 3 Steps
     Endpoint profile / identity group in ISE -> dynamic VLANs and ACLs: Printing VLAN, Voice VLAN, Video VLAN, Internet Only, SNMP only
 65. Device Sensor: best practice when available
     • Profiling based on CDP, LLDP & DHCP for switches and DHCP & HTTP for the WLC
     • Centralized visibility without a big ISE sensor investment
     • Automatic discovery of the most common devices (printers, Cisco devices, phones)
     • Topology independent (Catalyst 3k, 4k, WLC -> ISE)
     Device Sensor support:
     • 3560/3750 running 15.0(1)SE1 (excludes LAN Base)
     • 3560C/CG running 15.0(2)SE (excludes LAN Base)
     • 4500 running 15.1(1)SG (excludes LAN Base)
     • 4500 running IOS-XE 3.3.0SG (excludes LAN Base)
     • Wireless Controllers running 7.2.110.0 (DHCP only)
     • Wireless Controllers running 7.3.101.0 (DHCP/HTTP)
     Device Sensor not yet supported: 2960, 2960SF, 2960XR, 3650, 3850, 6500, WLC 5760. Check the release notes!
 66. Device Sensor Switch Implementation
     Device detection is based on CDP, LLDP or DHCP; the switch sends the collected attributes to ISE with the MAB or EAPoL session's RADIUS Accounting.
     Filter the DHCP, CDP and LLDP options / TLVs to send:
         device-sensor filter-list dhcp list my_dhcp_list
          option name host-name
          option name class-identifier
          option name client-identifier
         device-sensor filter-spec dhcp include list my_dhcp_list
         device-sensor filter-list cdp list my_cdp_list
          tlv name device-name
          tlv name platform-type
         device-sensor filter-spec cdp include list my_cdp_list
         device-sensor filter-list lldp list my_lldp_list
          tlv name system-name
          tlv name system-description
         device-sensor filter-spec lldp include list my_lldp_list
     Enable the RADIUS probe:
         device-sensor accounting
         device-sensor notify all-changes
     Prerequisites for the DHCP and LLDP sources:
         ip dhcp snooping
         ip dhcp snooping vlan <x,y-z,...>
         lldp run
         interface <Interface>
          lldp receive
 67. Device Sensor in Action
     Switch Device Sensor cache (# show device-sensor cache all) for the endpoint 10.100.15.100:
       CDP device-name / LLDP system-name: SEP002155D60133
       CDP platform-type: Cisco IP Phone 7945
       LLDP system-description: Cisco Systems, Inc. IP Phone CP-7945G
     ISE profiling result: the endpoint is profiled as a Cisco IP Phone 7945 (screenshot)
  68. 68. Cisco Confidential 68© 2013-2014 Cisco and/or its affiliates. All rights reserved. Device Sensors for Wireless WLC Device Detection Based on DHCP / HTTP RADIUS Accounting ISE !  Local profiling can be Enabled/ Disabled per WLAN !  DHCP (7.2.110.0) •  Hostname, Class Identifier !  HTTP (7.3) •  User Agent !  FlexConnect supported DHCP WLC Best Practice for HTTP probe
  69. Segmentation: The Challenge of Traditional Security Enforcement
      Diagram: access (WLC, VPN), distribution, core and data center, with ISE and the directory service. Users sit in VLAN 10 IT (3.1.1.1), VLAN 20 Finance (2.1.1.1), VLAN 30 Doctor (1.1.1.1) and VLAN 99 "Doctor or IT or Finance?" (99.1.1.1, 98.1.1.1 over VPN).
      Access control with IP access control lists (the slide repeats each list at several enforcement points):
        permit tcp 3.1.1.1 100.1.1.1 eq https
        permit tcp 3.1.1.1 100.1.1.1 eq 8081
        deny ip 3.1.1.1 200.1.1.2
        permit tcp 2.1.1.1 150.1.1.1 eq https
        permit tcp 2.1.1.1 150.1.1.1 eq 8081
        permit tcp 2.1.1.1 150.1.1.1 eq 445
        deny ip 2.1.1.1 200.1.1.2
        permit tcp 1.1.1.1 100.1.1.1 eq https
        deny ip 1.1.1.1 100.1.1.2
        permit tcp 1.1.1.1 100.1.1.2 eq https
        deny ip 1.1.1.1 100.1.1.2
        permit tcp 1.1.1.1 200.1.1.1 eq https
        deny ip 1.1.1.1 200.1.1.1
        permit tcp any 200.1.1.1 eq https
        permit tcp any 200.1.1.1 eq 8081
        deny ip all
        permit tcp any 150.1.1.1 eq https
        permit tcp any 150.1.1.1 eq 8081
        permit tcp any 150.1.1.1 eq 445
        deny ip all
        permit tcp any 100.1.1.1 eq https
        deny ip all
      •  Topology-based
      •  Manual configurations
      •  Error prone
      •  Unscalable
      •  Difficult to maintain
  70. Security Group Access (SGA): SGT Enforcement
      Diagram: 802.1X, MAB and WebAuth users, endpoints and agent-less devices on VLAN 100 attach to a 3850 / 4500 / 5760; ISE (backed by Active Directory) assigns SGT=5 to the user at login; the IT Portal (SGT 4) is at 10.1.100.10.
      SGT-IP table:
        IP Address    SGT
        10.1.10.102   5
        10.1.100.10   4
        10.1.99.100   12
      SGACL: deny from SGT 5 (src) to SGT 4 (dst)
      SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
      See BRKEWN-2022, BRKSEC-2203
  71. Security Group Access (SGA): SGT Enforcement with non-tagging access devices
      Diagram: 802.1X, MAB and WebAuth users, endpoints and agent-less devices on VLAN 100 attach to a 2960S/X or a WLC, which sends untagged frames; the Catalyst 3750-X / Cat 6500 distribution tags the frames with SGT=5 across the campus network; the IT Portal (SGT 4) is at 10.1.100.10.
      The WLC (SXP speaker) sends the IP-to-SGT binding table via SXP to SGT tagging or SGACL capable devices (SXP listener, e.g. Catalyst 3850).
      IP-to-SGT bindings:
        IP Address    SGT
        10.1.10.102   5
        10.1.10.110   14
        10.1.99.100   12
      SGACL: deny from SGT 5 (src) to SGT 4 (dst)
      SGT = Security Group Tag; SXP = SGT eXchange Protocol; SGACL = SGT ACL
      See BRKSEC-2203, BRKSEC-3690
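The SGT policy of the two slides above, as an added example that is not from the Cisco deck: a Python model of the SGT-IP table a switch holds (learned from ISE or from an SXP speaker such as the WLC) and of the SGACL lookup that replaces the per-IP ACLs of slide 69. The (12, 4) SGACL entries, the default action, the unknown-tag value and the sample flows are constructed.

```python
from ipaddress import ip_address
from typing import Optional

# IP-to-SGT bindings as a switch holds them (learned from ISE at login or
# received over SXP). The four entries are the ones printed on the slides.
IP_SGT = {
    "10.1.10.102": 5,     # 802.1X user that ISE classified into SGT 5
    "10.1.10.110": 14,
    "10.1.99.100": 12,
    "10.1.100.10": 4,     # IT Portal, SGT 4
}
UNKNOWN_SGT = 0           # assumption: an address with no binding gets tag 0

# SGACL matrix: (source SGT, destination SGT) -> ordered ACEs of
# (action, protocol, destination port). The (5, 4) entry is the slide's
# "deny sgt-src 5 sgt-dst 4"; the (12, 4) entry is constructed.
SGACL = {
    (5, 4): [("deny", "ip", None)],
    (12, 4): [("permit", "tcp", 443), ("permit", "tcp", 8081), ("deny", "ip", None)],
}
DEFAULT_ACTION = "permit"  # assumption: pairs without an SGACL are permitted


def classify(ip: str) -> int:
    """Return the SGT bound to an IP address, as the enforcing switch does."""
    return IP_SGT.get(str(ip_address(ip)), UNKNOWN_SGT)


def sxp_learn(bindings: dict) -> int:
    """Merge bindings announced by an SXP speaker (e.g. the WLC on slide 71).
    Returns the number of bindings that were new or changed."""
    changed = 0
    for ip, sgt in bindings.items():
        key = str(ip_address(ip))
        if IP_SGT.get(key) != sgt:
            IP_SGT[key] = sgt
            changed += 1
    return changed


def enforce(src_ip: str, dst_ip: str, proto: str, port: Optional[int] = None) -> str:
    """Look up the (src SGT, dst SGT) cell and return the first matching ACE's
    action. Nothing here depends on VLANs or addresses: a new user only
    needs a binding, not a new ACL line."""
    cell = SGACL.get((classify(src_ip), classify(dst_ip)), [])
    for action, ace_proto, ace_port in cell:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    # Constructed: a new SGT 5 user joins through the WLC; one SXP update,
    # no ACL change, and the deny toward the IT Portal applies immediately.
    sxp_learn({"10.1.10.120": 5})
    for flow in [("10.1.10.102", "10.1.100.10", "tcp", 443),
                 ("10.1.10.120", "10.1.100.10", "tcp", 443),
                 ("10.1.99.100", "10.1.100.10", "tcp", 445),
                 ("10.1.10.110", "10.1.100.10", "tcp", 443)]:
        print(flow, "->", enforce(*flow))
```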
  72. First hop security
  73. Networks are sandcastles… (photo courtesy of Curt Smith)
      Diagram: the firewall guards the data and services at Layer 7, while the attacker sits at Layer 2, below it.
  74. Why implement security at the access layer?
      Risk and exposure: exposed to end users, the access layer is inherently vulnerable.
      Infrastructure protection: security at the network edge protects the network infrastructure.
      Network intelligence: key data can only be gathered at the access layer.
  75. Remember CISF?
      Catalyst Integrated Security Features (CISF): IPv4 vulnerabilities & countermeasures.
  76. The game is changing… Heard of IPv6?
      Example, Cisco Live Milan 2014: ~9500 MAC addresses seen, ~80-90% of hosts are dual-stack.
  77. What is different with IPv6?
      Threats are very much topology dependent: what is specific to IPv6 from a topology standpoint?
      •  More addresses!
      •  More end-nodes allowed on the link (up to 2^64!)
      •  Bigger neighbor cache on end-nodes and on the default router
      •  May lead to some dramatic topology evolution
      •  Creates new opportunities for DoS attacks
      Threats are also dependent on the protocols in use: what is different?
      •  More distributed and more autonomous operations
      •  Nodes discover automatically their default router
      •  Nodes auto-configure their addresses
      •  Nodes defend themselves (SeND)
      •  Distributed address assignment creates more challenges for address security
  78. NDP & SLAAC change the game for IPv6
      Primary ICMPv6 NDP messages, defined in RFC 4861, "Neighbor Discovery for IP Version 6 (IPv6)", and RFC 4862, "IPv6 Stateless Address Autoconfiguration":
      •  Neighbor Solicitation (NS)
      •  Neighbor Advertisement (NA)
      •  Router Solicitation (RS)
      •  Router Advertisement (RA)
      •  Neighbor Unreachability Detection (NUD)
      •  Duplicate Address Detection (DAD)
      •  Redirects
      •  IPv6 Stateless Address Auto Configuration (SLAAC)
      All can be used as attack vectors.
  79. And ever more IP addresses… Ever heard of scanning?
      Up to 2^64 addresses per link.
  81. Rogue Router Advertisement
      Normal exchange:
      1.  RS: Data = Query: please send RA
      2.  RA: Data = options, prefix, lifetime, A+M+O flags
      Router Advertisements contain:
      •  Prefix to be used by hosts
      •  Data-link layer address of the router
      •  Miscellaneous options: MTU, DHCPv6 use, …
      RA without any authentication gives exactly the same level of security as DHCPv4 (none). Diagram: a second RA, sent by a rogue node instead of the router, leads to DoS or MITM.
  82. Not only attacks… Wireless to wired Internet sharing
      Diagram: a host on a wireless network (coffee shop, home etc) has Internet sharing enabled and becomes a 6to4 gateway; the host then moves to the wired network and keeps sending RAs toward the first hop switch.
  83. Consequences of Rogue Router Advertisements
      !  Devastating!!!
      !  Denial of service: all traffic sent to a black hole
      !  Man in the Middle attack: attacker can intercept, listen, modify unprotected data
      !  Also affects legacy IPv4-only networks with IPv6-enabled hosts
      !  Most of the time from non-malicious users
      !  Requires layer-2 adjacency
      !  Was the major blocking factor for enterprise intranet IPv6 deployment
  84. Mitigating Rogue RA with RA Guard
      RA Guard lite: drops all RAs received on this port:
        interface GigabitEthernet1/0/2
         ipv6 nd raguard
      RA Guard with device-role policies:
        ipv6 nd raguard policy HOST
         device-role host
        ipv6 nd raguard policy ROUTER
         device-role router
        ipv6 nd raguard attach-policy HOST vlan 100
        interface FastEthernet0/0
         ipv6 nd raguard attach-policy ROUTER
      Diagram: RAs are accepted only on the port with the ROUTER role and dropped on host ports.
  85. Mitigating Rogue RA with Host Isolation
      •  Prevent node-to-node Layer-2 communication by using:
         •  Private VLANs (PVLAN), where nodes (isolated port) can only contact the official router (promiscuous port)
         •  WLAN in "AP Isolation Mode"
         •  1 VLAN per host (SP access network with Broadband Network Gateway)
      •  Link-local multicast (RA, DHCP request, etc) is sent only to the local official router: no harm
      Diagram: RAs from isolated ports never reach the other isolated ports, only the promiscuous port.
  86. DHCP Guard
      Same principle as RA Guard, applied to DHCPv6 (stateful autoconfiguration).
      Diagram, before DHCP Guard: a rogue node announcing "I am a DHCP Server" answers the host's DHCP Request through the first hop switch alongside the real DHCP server. After DHCP Guard: the first hop switch forwards the DHCP Request only to the real DHCP server and drops the rogue "I am a DHCP Server" replies.
  88. Address Resolution
      Resolves an IP address into a MAC address and creates a neighbor cache entry. Messages: Neighbor Solicitation, Neighbor Advertisement. Diagram: nodes A, B and C on the same link.
      NS: ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = Solicited-node multicast address of B; Data = B; Option = link-layer address of A; Query = what is B's link-layer address?
      NA: ICMP type = 136 (Neighbor Advertisement); Src = one of B's IF addresses; Dst = A; Data = B; Option = link-layer address of B
      A and B can now exchange packets on this link.
  89. Attack On Address Resolution
      Attacker C can claim victim B's IP address.
      NS from A: Dst = Solicited-node multicast address of B; Query = what is B's link-layer address?
      Spoofed NA from C: Src = B or any of C's IF addresses; Dst = A; Data = B; Option = link-layer address of C
  90. Duplicate Address Detection
      Verifies address uniqueness: probe neighbors to verify nobody claims the address. Messages: Neighbor Solicitation, Neighbor Advertisement. Diagram: nodes A, B and C on the same link.
      NS: ICMP type = 135 (Neighbor Solicitation); Src = UNSPEC = 0::0; Dst = Solicited-node multicast address of A; Data = A; Query = Does anybody use A already?
      If nobody answers, node A can start using address A.
  91. Attack On DAD
      Attacker C hijacks any victim's DAD attempts: the victim can't configure an IP address and can't communicate.
      NS from A: Src = UNSPEC; Dst = Solicited-node multicast address of A; Data = A; Query = Does anybody use A already?
      NA from C: Src = any of C's IF addresses; Dst = A; Data = A; Option = link-layer address of C ("it's mine!")
  92. IPv6 Snooping
      Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.
      •  Deep control packet inspection
      •  Address Glean (ND, DHCP, data)
      •  Address watch
      •  Binding Guard
      Binding table:
        Intf     IPv6    MAC   VLAN  State
        g1/0/10  ::001A  001A  110   Active
        g1/0/11  ::001C  001C  110   Stale
        g1/0/16  ::001E  001E  200   Verifying
      The binding table feeds IPv6 Source Guard, IPv6 Destination Guard and Device Tracking.
  93. Address Glean
      Goal: to monitor address allocation and store bindings.
      Diagram: three hosts on VLAN 100 and the packets the switch learns from:
      •  H1 (port P1): NS [IP source=A1, LLA=MACH1]
      •  H2 (port P2): DHCP REQUEST [XID, SMAC=MACH2] answered by REPLY [XID, IPA21, IPA22]; the switch can also use DHCP LEASEQUERY / LEASEQUERY_REPLY toward the DHCP server
      •  H3 (port P3): data [IP source=A3, SMAC=MACH3], DAD NS [IP source=UNSPEC, target=A3], NA [IP source=A1, LLA=MACH3]
      Resulting binding table:
        IPv6  MAC    VLAN  IF
        A1    MACH1  100   P1
        A21   MACH2  100   P2
        A22   MACH2  100   P2
        A3    MACH3  100   P3
  94. Device Tracking
      Goal: to track active addresses (devices) on the link.
      – Keep track of device state
      – Probe devices when becoming stale
      – Remove inactive devices from the binding table
      – Record binding creation/deletion/changes
      Binding table before probing:
        IPv6  MAC    VLAN  IF  STATE
        A1    MACH1  100   P1  STALE
        A21   MACH2  100   P2  REACH
        A22   MACH2  100   P2  REACH
        A3    MACH3  100   P3  STALE
      The switch probes the stale entries with DAD NS [IP source=UNSPEC, target=A1] and DAD NS [IP source=UNSPEC, target=A3]; H1 answers with NA [target=A1, LLA=MACH1], and A3 is removed because no answer comes back.
      Binding table after probing:
        IPv6  MAC    VLAN  IF  STATE
        A1    MACH1  100   P1  REACH
        A21   MACH2  100   P2  REACH
        A22   MACH2  100   P2  REACH
  95. Binding Identity Guard
      Goal: to enforce address ownership and mitigate against address DoS.
      – Arbitrate collisions, check ownership
      – Check against max allowed per box/vlan/port
      – Record & report changes
      Diagram: each address gleaned from a host is checked against the binding table ("Valid?") before the frame is bridged.
  96. IPv6 FHS – Binding Identity Guard
      The first hop switch makes sure each NA matches its IPv6 NDP snooping table:
        Intf     IPv6    MAC   VLAN  State
        g1/0/10  ::001A  001A  110   Active
        g1/0/11  ::001C  001C  110   Stale
        g1/0/16  ::001E  001E  200   Verifying
        g1/0/21  ::0021  0021  200   Active
      Host A on g1/0/10 sends NA(::001A, mac 001A), "I am Host A": accepted. Another host sends NA(::001A, mac 002A): "No you are not!", dropped.
  97. Attack On Address Resolution (revisited)
      The spoofed NA of slide 89 (Src = B or any of C's IF addresses; Dst = A; Data = B; Option = link-layer address of C) now has to pass the binding table check and is dropped:
        Intf     IPv6    MAC   VLAN  State
        g1/0/10  ::001A  001A  110   Active
        g1/0/11  ::001C  001C  110   Stale
        g1/0/16  ::001E  001E  200   Verifying
        g1/0/21  ::0021  0021  200   Active
  99. IPv6 FHS – IPv6 Source Guard
      The first hop switch makes sure the IPv6 source address of all packets matches the binding of the port (::001A on host A's port). A node on another port sending a packet with source ::001A ("I send packets using host A's IPv6 address") is dropped.
  100. IP-Source Guard
      Goal: to validate the source address of IPv6 traffic sourced from the link.
      –  Allow traffic sourced with known IP/SMAC
      –  Deny traffic sourced with unknown IP/SMAC
      Binding table (from address glean):
        IPv6  MAC     VLAN  IF
        A1    MACA1   100   P1
        A21   MACA21  100   P2
        A22   MACA22  100   P2
        A3    MACA3   100   P3
      P1: data src=A1, SMAC=MACA1 (known, allowed)
      P2: data src=A21, SMAC=MACA21 (known, allowed)
      P3: data src=A1, SMAC=MACA3 (unknown pair, denied)
  102. Remote address resolution cache exhaustion* – target deployment model
      •  Attacker is off link
      •  Attacker can be a plain PC, running simple attack tools
      •  Attacker goal is to launch a flood-based DoS attack targeting the last-hop router, the link behind it, and all nodes on the link
      •  Attacker method is to "scan" the link prefix to force a high resolution attempt rate, exhaust the router resources, slow or deny valid resolutions, load the link with useless multicast packets
      * Similar attacks exist in IPv4 but at smaller scale
  103. Remote address resolution cache exhaustion – vulnerability scope
      •  Attacker is anywhere on the Internet
      •  His primary victim is the last-hop Layer 3 device (router)
      •  He can also harm the link and nodes behind it
  104. Remote address resolution cache exhaustion – protocol
      Diagram: X scans the 2^64 addresses of PFX::/64 (ping PFX::a, PFX::b, … PFX::z) through the gateway, which sends one NS per address onto the link:
      NS: Dst = Solicited-node multicast address of PFX::a; Query = what is PFX::a's link-layer address?
      NS: Dst = Solicited-node multicast address of PFX::b; Query = what is PFX::b's link-layer address?
      …
      NS: Dst = Solicited-node multicast address of PFX::z; Query = what is PFX::z's link-layer address?
      Diagram label: 3 seconds history.
  105. Remote address resolution cache exhaustion – mitigations
      Where: routers
      What:
      −  Address provisioning mechanisms
      −  Allocate addresses by blocks and filter at the edge
      −  ND resolution algorithm implementation
         -  Rate limiting of new resolutions
         -  Separate cache for confirmed reachable entries
         -  Circular buffer for new resolutions
         -  Cache boundaries
      Where: Layer 3 switch
      What: Destination Guard
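An added example (not Cisco code) of the router-side mitigations listed above: a neighbor cache that keeps confirmed entries apart from pending resolutions, bounds the pending ones in a circular buffer and rate-limits new NS transmissions, replayed against a constructed prefix scan of the kind shown on slide 104. Buffer size, rate, addresses and the scan itself are assumptions.

```python
from collections import OrderedDict


class NeighborCache:
    """Last-hop router ND cache with the three mitigations from slide 105:
    a separate table for confirmed (REACHABLE) entries, a bounded circular
    buffer for unanswered (INCOMPLETE) resolutions, and a rate limit on new
    NS transmissions. Sizes and rates are assumptions, not vendor defaults."""

    def __init__(self, incomplete_max=64, ns_per_second=100):
        self.reachable = {}               # ip -> mac, confirmed by an NA
        self.incomplete = OrderedDict()   # ip -> time of NS, oldest first
        self.incomplete_max = incomplete_max
        self.ns_per_second = ns_per_second
        self._window = None               # current one-second window
        self._sent = 0                    # NS sent in that window
        self.rate_limited = 0             # new resolutions refused

    def lookup(self, dst_ip, now):
        """Called for each packet to forward; returns how it was handled."""
        if dst_ip in self.reachable:
            return "forward"              # confirmed entry, no NS needed
        if dst_ip in self.incomplete:
            return "queued"               # resolution already in progress
        window = int(now)
        if window != self._window:
            self._window, self._sent = window, 0
        if self._sent >= self.ns_per_second:
            self.rate_limited += 1
            return "rate-limited"         # refuse to start a new resolution
        self._sent += 1
        if len(self.incomplete) >= self.incomplete_max:
            self.incomplete.popitem(last=False)  # overwrite the oldest pending
        self.incomplete[dst_ip] = now
        return "ns-sent"

    def neighbor_advertisement(self, ip, mac):
        """An NA answered our NS: promote the entry to the confirmed table,
        where the scan cannot evict it."""
        self.incomplete.pop(ip, None)
        self.reachable[ip] = mac


def simulate_scan(cache, prefix="2001:db8::", count=10_000, duration=3.0):
    """Replay slide 104: an off-link host pings `count` unused addresses
    under the /64 over `duration` seconds (constructed traffic)."""
    stats = {"forward": 0, "queued": 0, "rate-limited": 0, "ns-sent": 0}
    for i in range(count):
        stats[cache.lookup(f"{prefix}{i:x}", duration * i / count)] += 1
    return stats


if __name__ == "__main__":
    cache = NeighborCache()
    cache.neighbor_advertisement("2001:db8::1", "00:11:22:33:44:55")  # a real host
    print(simulate_scan(cache))
    print("pending:", len(cache.incomplete), "confirmed:", cache.reachable)
```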
  106. Destination Guard
      Goal: to validate the destination address of IPv6 traffic reaching the link.
      •  Mitigate prefix-scanning attacks and protect the ND cache
      •  Useful at last-hop router and L3 distribution switch
      •  Drops packets for destinations without a binding entry
      Diagram: for a packet from the Internet with DST=D1, the L3 switch looks up D1 in the binding table (fed by address glean); D1 is found, so the packet is forwarded to the host. A scan of {P/64} with DST=Dn finds no binding and the packet is dropped before it ever touches the neighbor cache.
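An added example (not Cisco code) tying slides 93 to 100 and Destination Guard together: a binding table filled with the rows of the Binding Guard slide, with address glean plus Binding Integrity Guard, IPv6 Source Guard and Destination Guard checks. The per-port address limit and the extra addresses in the usage are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    intf: str
    state: str = "Active"


class BindingTable:
    """IPv6 snooping binding table with the checks from slides 93 to 100 and
    slide 106. Rows come from the deck; the per-port limit is an assumed
    policy value, not a platform default."""

    def __init__(self, max_per_port=4):
        self.entries = {}                # normalized IPv6 -> Binding
        self.max_per_port = max_per_port

    @staticmethod
    def _key(ip):
        return str(ip_address(ip))       # "::001A" and "::1a" are one address

    def glean(self, ip, mac, vlan, intf):
        """Address glean plus Binding Integrity Guard. Fed by NS, NA, DHCP or
        data frames; returns 'new', 'refresh', 'collision' or 'port-limit'."""
        key = self._key(ip)
        cur = self.entries.get(key)
        if cur is not None:
            if (cur.mac, cur.intf) == (mac, intf):
                cur.state = "Active"     # same owner seen again
                return "refresh"
            return "collision"           # another host claims a bound address
        on_port = sum(1 for b in self.entries.values() if b.intf == intf)
        if on_port >= self.max_per_port:
            return "port-limit"          # address DoS: too many per port
        self.entries[key] = Binding(key, mac, vlan, intf)
        return "new"

    def source_guard(self, intf, src_ip, src_mac):
        """IPv6 Source Guard: forward only if IP, SMAC and port match a binding."""
        b = self.entries.get(self._key(src_ip))
        return b is not None and (b.mac, b.intf) == (src_mac, intf)

    def destination_guard(self, dst_ip):
        """Destination Guard: forward only to addresses that have a binding."""
        return self._key(dst_ip) in self.entries


def build_from_slide():
    """Populate the table with the four rows of the Binding Guard slide."""
    table = BindingTable()
    for intf, ip, mac, vlan in [("g1/0/10", "::001A", "001A", 110),
                                 ("g1/0/11", "::001C", "001C", 110),
                                 ("g1/0/16", "::001E", "001E", 200),
                                 ("g1/0/21", "::0021", "0021", 200)]:
        table.glean(ip, mac, vlan, intf)
    return table


if __name__ == "__main__":
    t = build_from_slide()
    print("NA(::001A, 001A) on g1/0/10:", t.glean("::001A", "001A", 110, "g1/0/10"))
    print("NA(::001A, 002A) on g1/0/21:", t.glean("::001A", "002A", 200, "g1/0/21"))
    print("source ::001A from g1/0/21:", t.source_guard("g1/0/21", "::001A", "002A"))
    print("destination 2001:db8::ffff:", t.destination_guard("2001:db8::ffff"))
```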
  107. To summarize: IPv6 First Hop Security in the access switch
      The solution: IPv6 Snooping and Guard, data security at the edge for authenticated devices.
      •  Block rogue advertisements from illegitimate routers and DHCP servers with RA Guard and DHCPv6 Guard: pre-configure port roles and dynamically learn a trusted domain of routers/DHCP servers (RA, DHCP)
      •  Monitor device address assignment with Binding Integrity Guard: track IPv6 devices by snooping neighbor and router solicitations and DHCP requests (NS, RS, DAD NS, DHCP) and query their status when they become inactive
      •  Maintain a trustworthy database of IPv6 devices and block illegitimate IPv6 data traffic with Source Guard
      Binding table:
        Intf     IPv6    MAC   VLAN  State
        g1/0/10  ::001A  001A  110   Active
        g1/0/11  ::001B  001B  110   Active
        g1/0/11  ::001C  001C  110   Stale
        g1/0/15  ::001D  001D  110   Active
        g1/0/16  ::001E  001E  200   Verifying
        g1/0/17  ::0020  0020  200   Active
        g1/0/21  ::0021  0021  200   Active
        …        …       …     …     …
  108. The IPv6 First Hop Security toolbox
      IPv6 Snooping: instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table.
      Core features:
      •  RA Guard. Protection: rogue or malicious RA; MITM attacks
      •  DHCPv6 Guard. Protection: invalid DHCP offers; DoS attacks; MITM attacks
      •  Source/Prefix Guard. Protection: invalid source address; invalid prefix; source address spoofing
      •  Destination Guard. Protection: DoS attacks; scanning; invalid destination address
      Advanced features (scalability & performance):
      •  RA Throttler. Facilitates: scale, converting multicast traffic to unicast
      •  ND Multicast Suppress. Reduces: the control traffic necessary for proper link operations, to improve performance
  109. References:
      !  reseauxblog article: http://gblogs.cisco.com/fr-reseaux/2012/11/19/jai-teste-pour-vous-ipv6-first-hop-security/
      !  First Hop Security white paper: http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html
      !  First Hop Security documentation: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
  110. Thank you.