Cisco Study: State of Web Security

This session explains how the combination of IEEE 802.1AE (data link encryption) with the power of Security Group Tags achieves trusted security in a network. It covers the protocol details as well as use cases and, more importantly, how CTS can be deployed in a network. This session is targeted mainly at enterprise customers.


  1. #CNSF2011 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  2. Housekeeping: mobile phones, please put on silent or vibrate mode. Q&A during the session, time permitting, and at the end of the session. Please go online and fill in the evaluation form.
  3. Agenda: Introduction (defining network access management, foundation technology); Security Group Access overview (Source Group Tag (SGT) / Source Group ACL (SGACL) concepts, Network Device Access Control (NDAC) concept, 802.1AE/SAP concept); SGT use cases (SGT with identity deployment modes, SGT in the Data Center/VDI); Monitoring and Troubleshooting.
  5. Three pillars (figure). Policy-based access control for users, endpoint devices and networking infrastructure. Identity-aware networking: identity information for granular controls; role-based business service delivery. Data integrity and confidentiality: securing the data path in the switching environment; IEEE 802.1AE standard encryption.
  6. Authorization model (figure). Identity information (Employee, Contractor, Guest) combined with other conditions (Time and Date, Posture, Location, Device Types, Access Type) yields an authorization profile: Broad Access, Limited Access, Guest/Internet, Quarantine, Deny Access, Track for Accounting.
  7. Foundation technology (figure: Printer via MAB, Employee via 802.1X, Guest via Web Auth, Catalyst Switch, RADIUS, Directory Server, ACS 5.x / ISE, NAC Guest Server, NAC Profiler). Flexible authentication methods (802.1X, MAB, Web Auth in any order). Various authorization methods (VLAN, downloadable ACL, URL redirect, etc.). Cisco IOS intelligence to provide phased deployment modes for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode). Scalable/flexible policy and authentication server supporting RBAC. Guest Service to provide full guest access management with web authentication. Profiling system to perform automatic device profiling for unattended devices or any type of network-attached device.
  8. Traditional access authorization methods (802.1X/MAB/Web Auth) leave some deployment concerns. VLAN assignment: Can I create / manage the new VLANs or IP address scope? How do I handle DHCP refresh in the new subnet? How do I manage the ACL on the VLAN interface? Any impact on route summarization? ACL download: Who is going to maintain the ACLs? What if my destination IP addresses change? Does my switch have enough TCAM to handle all requests? Consequences: a detailed design before deployment is required, otherwise the result is not so flexible for changes required by today's business, and the access control project ends up redesigning the whole network.
  10. SGA is a broad umbrella for security improvements based on the capability to strongly identify users, hosts and network devices within a network. SGA provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. SGA ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers.
  11. Security Group Based Access Control: topology-independent access control based on roles; scalable ingress tagging via Source Group Tag (SGT) / egress filtering via Source Group ACL (SGACL); centralized policy management / distributed policy enforcement; endpoint admission enforced via 802.1X authentication, authenticated MAB, Web Auth (full IBNS compatibility). Networking environment: network device admission control based on 802.1X creates a trusted networking environment; only a trusted network imposes the Security Group Tag. Confidentiality and integrity: encryption based on IEEE 802.1AE (AES-GCM 128-bit); wire-rate hop-to-hop layer 2 encryption; key management based on 802.11n (SAP), will migrate to standards-based key management 802.1X-2010/MKA.
  12. Example (figure): a user authenticates via 802.1X/MAB/Web Auth ("I'm a contractor, my group is HR") and is assigned SGT=100 (Contractor & HR); SGACLs are applied toward Finance (SGT=4) and HR (SGT=10). Security Group Based Access Control allows customers to keep the existing logical design at the access layer, to change/apply policy to meet today's business requirements, and to distribute policy from a central management server.
  13. Security Group Tag: a unique 16-bit (65K) tag assigned to a unique role; represents the privilege of the source user, device, or entity; tagged at ingress of the TrustSec domain; filtered (SGACL) at egress of the TrustSec domain. SGACL: no IP address required in the ACE (the IP address is bound to the SGT); policy (ACL) is distributed from the central policy server (ISE) or configured locally on the TrustSec device. Customer benefits: topology-independent policy; flexible and scalable policy based on user role; centralized policy management for dynamic policy provisioning; egress filtering reduces TCAM impact.
  14. Layer 2 SGT frame and Cisco Meta Data (CMD) format. Frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC. The 802.1Q tag, CMD, EtherType and payload are encrypted; the frame from the DMAC through the payload is covered by the ICV (authenticated). CMD layout: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options. The 802.1AE header, CMD and ICV are the L2 802.1AE + TrustSec overhead. The frame is always tagged at the ingress port of a TrustSec-capable device. Tagging happens prior to other L2 services such as QoS. The SGT namespace is managed on the central policy server (ISE). No impact on IP MTU/fragmentation.
  15. Traditional IP-based access control (figure): users (source) Managers S1, Sales S2, HR Rep S3, Finance S4, IT Admins; servers (destination) D1 to D6. Access control from S1 to D1: permit tcp S1 D1 eq https; permit tcp S1 D1 eq 8081; permit tcp S1 D1 eq 445; deny ip S1 D1. The number of Access Control Entries (ACEs) grows as the number of permission statements increases: Source (S1~S4) x Destination (D1~D6) x Permission (4) = 96 ACEs for S1~S4. The growing number of ACEs leads to resource consumption on the enforcement point, and the network admin manages every IP source to IP destination relationship explicitly.
  16. Security group based access control (figure): source security groups MGMT A (SGT 10), MGMT B (SGT 20), HR Rep (SGT 30), IT Admins (SGT 40); destination security groups Sales SRV (SGT 500), HR SRV (SGT 600), Finance SRV (SGT 700); SGACLs between the groups. The network admin manages every source "group" to destination "group" relationship. This abstracts the network topology from the policy and reduces the number of policy rules the admin needs to maintain. The network automates the alignment of users/servers to groups.
  17. Egress policy matrix:
      Source Security Group (Dec/Hex)   Destination Security Group (Dec/Hex)   SGACLs
      Contractor (10/A)                 Server A (111/6F)                      Permit All
      Contractor (10/A)                 Server B (222/DE)                      Deny All
      Contractor (10/A)                 Server C (333/14D)                     Deny All
      HR (30/1E)                        Server A (111/6F)                      Deny All
      HR (30/1E)                        Server B (222/DE)                      SGACL-D
      HR (30/1E)                        Server C (333/14D)                     Permit All
  18. SGACL-D (no IP defined in the ACEs; downloaded from ISE; enforced at egress):
      remark destination SQL permit
      permit tcp dst eq 1433
      remark source SQL permit
      permit tcp src eq 1433
      remark http permit
      permit tcp dst eq 80
      remark https permit
      permit tcp dst eq 443
      deny all
  19. Step 1: SGT policy definition on ISE. ISE is configured with its policy and all endpoints need to be mapped to an SGT in the policy. User roles (from AD): User A, Contractor, SGT 10; User B, Finance, SGT 20; User C, HR, SGT 30. Server roles (on ISE): Server Group A (HTTP server, Server A) 10.1.100.111, SGT 111; Server Group B (file server, Server B) 10.1.100.222, SGT 222; Server Group C (SQL server, Server C) 10.1.200.3, SGT 333.
  20. Step 2: SGTs are assigned to roles and bound to IP addresses. With 802.1X/MAB/Web Authentication, SGTs are assigned in an authorization policy via RADIUS. The access device snoops ARP and/or DHCP for the authenticated MAC address, then binds the assigned SGT to the snooped IP address. Server IP addresses are bound to SGTs statically on the access switch or looked up dynamically on ISE using the IPM feature. (Figure: User A tagged 10 and User C tagged 30 at campus access; Server A, B and C bound to 111, 222 and 333 in the Data Center; same user and server tables as Step 1.)
  21. Step 3: ISE provisions the egress policy to TrustSec-capable devices. Each TrustSec-capable device downloads the policy matrix from slide 17 from ISE, including SGACL-D:
      permit tcp src dst eq 1433     # remark destination SQL permit
      permit tcp src eq 1433 dst     # remark source SQL permit
      permit tcp src dst eq 80       # web permit
      permit tcp src dst eq 443      # secure web permit
      deny all
  22. Step 4: policy enforcement begins. The user's traffic is tagged with the SGT at the ingress interface of the TrustSec domain; the SGT is carried when the packet traverses the domain; at the egress port the TrustSec device looks up the local policy and drops the packet if needed. (Figure: untagged traffic from User A becomes CMD-tagged traffic; SGACL applied for SGT 10 to SGT 111 is Permit All, per the matrix on slide 17.)
  23. Step 5: SGACL allows topology-independent access control. Even when another user accesses the network on the same VLAN as in the previous example, his traffic is tagged differently (User C, SGT 30). If traffic is destined to restricted resources, the packet is dropped at the egress port of the TrustSec domain. (Figure: SGACL-D is applied for HR (30) to Server B (222): SQL traffic is OK, SMB traffic is not, using the same SGACL-D listing as Step 3.)
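The five steps above, walked through in code as an added example (not Cisco's code and not part of the slides): the binding table from Step 2, the policy matrix from Steps 3 to 5 and the SGACL-D entries are the slides' own values; the Unknown SGT (0) for unbound hosts and a deny default for pairs missing from the matrix are assumptions made here.

```python
"""SGACL egress enforcement, end to end (added example; not Cisco's code).

Walks the five steps shown on the slides with the slides' own values: the
IP-to-SGT bindings from Step 2, the policy matrix from Steps 3-5 and the
SGACL-D access list.  Assumptions: a host with no binding is classified as
the Unknown SGT (0), and source/destination pairs absent from the matrix
fall back to a default SGACL, set to deny here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # special SGT for untrusted / unclassified sources

# Step 2: IP-to-SGT bindings.  User bindings come from the authorization
# result plus ARP/DHCP snooping; server bindings are static or from IPM.
IP_TO_SGT: Dict[str, int] = {
    "10.1.10.1": 10,       # User A, Contractor
    "10.1.30.4": 30,       # User C, HR
    "10.1.100.111": 111,   # Server A (HTTP server)
    "10.1.100.222": 222,   # Server B (file server)
    "10.1.200.3": 333,     # Server C (SQL server)
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: no IP addresses, only protocol and ports.
    The (source SGT, destination SGT) pair selects which SGACL applies."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip = any)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


# SGACL-D exactly as listed on the slide; first match wins.
SGACL_D: List[Ace] = [
    Ace("permit", "tcp", dst_port=1433),  # destination SQL permit
    Ace("permit", "tcp", src_port=1433),  # source SQL permit
    Ace("permit", "tcp", dst_port=80),    # http permit
    Ace("permit", "tcp", dst_port=443),   # https permit
    Ace("deny", "ip"),                    # deny all
]
PERMIT_ALL = [Ace("permit", "ip")]
DENY_ALL = [Ace("deny", "ip")]

# Step 3: egress policy matrix keyed by (source SGT, destination SGT).
POLICY: Dict[Tuple[int, int], List[Ace]] = {
    (10, 111): PERMIT_ALL, (10, 222): DENY_ALL, (10, 333): DENY_ALL,
    (30, 111): DENY_ALL,   (30, 222): SGACL_D,  (30, 333): PERMIT_ALL,
}
DEFAULT_SGACL = DENY_ALL  # assumption: unlisted cells (incl. Unknown) deny


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def classify(ip: str) -> int:
    """Step 4 ingress: tag from the binding table; unbound -> Unknown."""
    return IP_TO_SGT.get(ip, UNKNOWN_SGT)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def egress_decision(pkt: Packet) -> str:
    """Steps 4-5 egress: select the SGACL by (src SGT, dst SGT), then apply
    it top-down.  The VLAN or subnet the packet came from never matters."""
    cell = (classify(pkt.src_ip), classify(pkt.dst_ip))
    for ace in POLICY.get(cell, DEFAULT_SGACL):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # implicit deny when no ACE matched


def ace_count_ip_based(sources: int, destinations: int, permissions: int) -> int:
    """Slide 15 arithmetic: per-host ACLs grow as hosts x hosts x permissions."""
    return sources * destinations * permissions


def rule_count_group_based(src_groups: int, dst_groups: int) -> int:
    """Slide 16: group-based policy grows with group pairs instead."""
    return src_groups * dst_groups


if __name__ == "__main__":
    hr_sql = Packet("10.1.30.4", "10.1.100.222", "tcp", 50000, 1433)
    hr_smb = Packet("10.1.30.4", "10.1.100.222", "tcp", 50001, 445)
    print("HR -> Server B SQL:", egress_decision(hr_sql))   # permit
    print("HR -> Server B SMB:", egress_decision(hr_smb))   # deny
    print("ACEs for 4 sources x 6 servers x 4 permissions:",
          ace_count_ip_based(4, 6, 4))                     # 96
```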
  24. Any member of the TrustSec domain needs to establish a trust relationship with its peer, otherwise it is not trusted. Only an SGT from a trusted member can be "trusted" and processed by its peer. An SGT from a distrusted device is tagged as "Unknown", a special SGT (value zero). The process of authenticating a network device is called "Network Device Admission Control", or NDAC for short.
  25. NDAC: Network Device Admission Control provides strong mutual authentication (EAP-FAST) to form the trusted domain. Only an SGT from a trusted peer is honored. Authentication leads to the Security Association Protocol (SAP) to negotiate keys and cipher suite for encryption automatically (mechanism defined in 802.11i). 802.1X-2010/MKA will replace SAP for switch-to-switch encryption in the future. A trusted device acquires trust and policies from the ISE server. Customer benefits: mitigates rogue network devices, establishing a trusted network fabric to ensure SGT integrity and its privilege; automatic key and cipher suite negotiation for strong 802.1AE-based encryption.
  26. NDAC validates peer identity before the peer joins the circle of trust. The first device to authenticate is called the Seed Device. The Seed Device becomes the authenticator to its peer supplicant. The role determination process selects both Authenticator and Supplicant roles. NDAC utilizes EAP-FAST/MSCHAPv2 over RADIUS to ISE; authorization returns PAC, environment data and ISE policy to the Seed Device. Credentials (including the PAC) are stored in the hardware key store.
  27. As a device connects to its peer, the TrustSec domain expands its border of trust. If a device is not connected to ISE directly, it is called a Non-Seed Device. The first peer to gain ISE connectivity wins the authenticator role; the lower MAC address is the tie breaker. (Figure: Seed Device authenticated to ISE acts as 802.1X NDAC authenticator toward a Non-Seed Device supplicant, which in turn authenticates the next Non-Seed Device.)
  28. Verifying the NDAC/SAP link between CTS7K-CORE (10.1.50.1) and CTS7K-DC (10.1.50.2):
      CTS7K-CORE# show cts interface ethernet 1/15
      CTS Information for Interface Ethernet1/15:
      CTS is enabled, mode: CTS_MODE_DOT1X
      IFC state: CTS_IFC_ST_CTS_OPEN_STATE
      Authentication Status: CTS_AUTHC_SUCCESS
      Peer Identity: CTS7K-DC
      Peer is: CTS Capable
      802.1X role: CTS_ROLE_SUP
      Last Re-Authentication:
      Authorization Status: CTS_AUTHZ_SUCCESS
      PEER SGT: 2
      Peer SGT assignment: Trusted
      SAP Status: CTS_SAP_SUCCESS
      Configured pairwise ciphers: GCM_ENCRYPT
      Replay protection: Enabled
      Replay protection mode: Strict
      Selected cipher: GCM_ENCRYPT
      Current receive SPI: sci:18bad853520000 an:2
      Current transmit SPI: sci:18bad853460000 an:2

      CTS7K-DC# show cts interface ethernet 1/3
      CTS Information for Interface Ethernet1/3:
      CTS is enabled, mode: CTS_MODE_DOT1X
      IFC state: CTS_IFC_ST_CTS_OPEN_STATE
      Authentication Status: CTS_AUTHC_SUCCESS
      Peer Identity: CTS7K-CORE
      Peer is: CTS Capable
      802.1X role: CTS_ROLE_AUTH
      Last Re-Authentication:
      Authorization Status: CTS_AUTHZ_SUCCESS
      PEER SGT: 2
      Peer SGT assignment: Trusted
      SAP Status: CTS_SAP_SUCCESS
      Configured pairwise ciphers: GCM_ENCRYPT
      Replay protection: Enabled
      Replay protection mode: Strict
      Selected cipher: GCM_ENCRYPT
      Current receive SPI: sci:18bad853460000 an:2
      Current transmit SPI: sci:18bad853520000 an:2
  29. TrustSec provides layer 2 hop-by-hop encryption and integrity based on the IEEE 802.1AE standard. 802.1AE: 128-bit AES-GCM, NIST approved*; line-rate encryption/decryption for both 10 GbE and 1 GbE interfaces; replay protection of each and every frame; 802.1AE encryption protects the CMD field (SGT value). Customer benefits: protects against man-in-the-middle attacks (snooping, tampering, replay); standards-based frame format and algorithm (AES-GCM); the 802.1X-2010/MKA addition supports per-device security associations in shared media environments (e.g. PC vs. IP Phone) to provide secured communication; a hop-by-hop approach is amenable to network services, compared to an end-to-end approach (e.g. Microsoft Domain Isolation/IPsec). * NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
  30. TrustSec frame format: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC (the 802.1Q tag, CMD, EtherType and payload are encrypted; the frame is authenticated by the ICV). MACsec tag format (802.1AE header): MACsec EtherType 0x88e5 | TCI/AN | SL | Packet Number | SCI (optional).
  31. "Bump-in-the-wire" model: packets are encrypted on egress, decrypted on ingress, and are in the clear inside the device. This allows the network to continue to perform all the packet inspection features currently used. (Figure: decrypt at ingress, everything in the clear inside the ASIC, encrypt at egress; 128-bit AES-GCM encryption on each link.)
  32. Deployment questions: What about all my other network devices that don't support SGA hardware? How should I assign SGTs at different points in the network? What use cases are covered by SGA? How should I phase a rollout with Identity services? How do I monitor and report on SGA?
  33. SGT native tagging requires hardware (ASIC) support. Devices without TrustSec-capable hardware can still receive SGT attributes from ISE for authenticated users or devices, and then forward the IP-to-SGT binding to a TrustSec SGACL-capable device for tagging and enforcement. The SGT eXchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and incapable devices. Currently the Catalyst 6500, 4500/4900, 3750, 3560 and Nexus 7000 switch platforms support SXP. SXP accelerates deployment of SGACL without extensive hardware upgrades for TrustSec.
  34. SXP enables communication between non-TrustSec and TrustSec-capable devices (figure: User A SGT 10, User C SGT 30). The SGT is assigned to the user; the non-TrustSec-capable switch binds the endpoint IP to the SGT and builds a binding table; the switch uses SXP to send the binding table to the TrustSec-capable device; the TrustSec-capable device tags packets with the SGT based on source IP when the packet appears on the forwarding table. IP-SGT binding table: 10.1.10.1, SGT 10, Gig 2/10; 10.1.30.4, SGT 30, Gig 2/11. Once the SGT is tagged, the SGACL can be applied. Untagged traffic from the access layer becomes CMD-tagged traffic toward the Data Center (Server A 111, Server B 222, Server C 333).
  35. Single-hop SXP: a TrustSec-enabled switch in the non-TrustSec domain (SXP speaker) sends bindings directly to TrustSec-capable hardware (SXP listener), both served by ISE. Multi-hop SXP: a TrustSec-enabled switch (speaker) sends to another TrustSec-enabled switch, which acts as listener and then as speaker toward the TrustSec-capable hardware (listener); several speakers can feed one listener.
  36. SXP configuration (figure: Catalyst 6500 at 10.1.3.2 in the non-TrustSec domain as SXP speaker, Nexus 7000 at 10.1.3.1 as SXP listener, ISE):
      CTS6K-AS(config)#cts sxp enable
      CTS6K-AS(config)#cts sxp default password <password>
      CTS6K-AS(config)#cts sxp connection peer 10.1.3.1 source 10.1.3.2 password default mode peer listener

      CTS7K-DC(config)#cts sxp enable
      CTS7K-DC(config)#cts sxp connection peer 10.1.2.3 source 10.1.2.1 password required <password> mode speaker
  37. Verifying the SXP connection (Catalyst 6500 at 10.1.3.2, Nexus 7000 at 10.1.3.1):
      CTS6K-AS#show cts sxp connections
       SXP              : Enabled
       Default Password : Set
       Default Source IP: Not Set
      Connection retry open period: 120 secs
      Reconcile period: 120 secs
      Retry open timer is not running
      ----------------------------------------------
      Peer IP          : 10.1.3.1
      Source IP        : 10.1.3.2
      Conn status      : On
      Local mode       : SXP Speaker
      Connection inst# : 1
      TCP conn fd      : 1
      TCP conn password: default SXP password
      Duration since last state change: 5:21:56:26 (dd:hr:mm:sec)

      CTS7K-DC# show cts sxp
      CTS SXP Configuration:
      SXP enabled
      SXP retry timeout:60
      SXP reconcile timeout:120
  39. Monitor Mode with SGT: Open Mode and Multi-Auth at the access layer with monitoring and reporting; assign SGTs to a session with permit any any for all flows; the default for "unknown" SGTs is permit any any; no impact on access layer functions (PXE, WoL, etc.).
  40. Monitor Mode with egress enforcement (figure: campus users and endpoints on Catalyst switches (3K/4K/6K) in Monitor Mode, AUTH=OK, SGT=10; Nexus 7000 in the Data Center enforcing the Security Group ACL in front of the HR Server and ACME Servers; ISE). Access switch configuration: authentication port-control auto; authentication open; dot1x pae authenticator. Policy matrix: HR (10/A) to HR Server (111/6F) Permit All; HR (10/A) to ACME Servers (222/DE) Permit All; Employee (8/8) to HR Server (111/6F) Deny All. Steps: 1. The user connects to the network. 2. Monitor Mode allows traffic from the endpoint before authentication. 3. Authentication is performed and results are logged by ISE. 4. Traffic traverses to the Data Centre and hits the SGACL at the egress enforcement point. 5. Only the permitted traffic path (source SGT to destination SGT) is allowed.
  41. Low Impact Mode with SGT eases dACL challenges by reducing the number of ACEs downloaded to the ingress port, and egress access control with SGT differentiates service within the Employee group based on role. The difference between Monitor and Low Impact Mode is that Low Impact Mode enables very basic enforcement at the ingress interface while keeping openness for easy deployment.
  42. Low Impact Mode with egress enforcement (figure: campus users and endpoints on Catalyst switches (3K/4K/6K) in Low Impact Mode, AUTH=OK, SGT=30; Nexus 7000 enforcing the Security Group ACL in front of the HR Server and ACME Server; Internet; ISE). Pre-authentication ACL: permit tcp any any eq 80; permit udp any any eq bootps; permit esp any any; permit udp any eq 500 eq 500. Access switch configuration: authentication port-control auto; authentication open; ip access-group PRE-AUTH-ACL in; dot1x pae authenticator. Policy matrix: Guest (30/1E) to Server A (111/6F) Deny All; Guest (30/1E) to Server B (222/DE) Deny All; Guest (30/1E) to a third destination (label missing from the extracted slide) Permit All. Steps: 1. The user connects to the network. 2. The Pre-Auth ACL only allows selective services before authentication. 3. Authentication is performed and results are logged by ISE; the dACL is downloaded along with the SGT. 4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point. 5. Only the permitted traffic path (source SGT to destination SGT) is allowed.
  43. Business continuity for Data Centers (figure: Widget, Inc. and ACME virtual networks on one physical network). Virtual Network definition: 1 to many; one network supports many virtual networks. High-level technical requirements: separate the Widget and ACME networks until regulatory agencies approve the acquisition in multiple countries; dynamic VLAN assignment allows Widget/ACME employees to be placed in the correct network.
  44. Fine-tuning of network policy yields greater scalability: the Virtual Network is used for coarse-grained virtualization of the ACME vs. Widget networks; SGA enhances policy control by providing fine-grained virtualization of users/groups within the existing virtual domains; servers are separated by color; traffic will gravitate towards the correct server across the integrated core. One SGA namespace per network: SGTs must be unique per virtual network ("ACME employee" = SGT 10 while "Widget employee" = SGT 20).
  46. TrustSec covering the campus network as well as the Data Center network (figure: campus access on Cat6500/Cat4500/Cat3750-E with SGTs 10 and 20 assigned via 802.1X, MAB, Web Auth; branch access via ISR w/ EtherSwitch; SXP to the Data Center Nexus 7010, Cat6500, Cat4500; file server, web server, SQL server with SGTs 111 and 222; Directory Service; ISE). Support for campus/branch access. Source SGT assigned via 802.1X, MAB, or Web Authentication. Server SGT assigned via IPM or statically. The IP-to-SGT binding table is exchanged between the campus access switch and the Data Center TrustSec-capable device, where SGACL enforcement takes place. Policy matrix: Contractor (10/A) to Server A (111/6F) Permit All; HR (30/1E) to Server A (111/6F) Deny All.
  47. TrustSec covering the branch office LAN as well as the Data Center network (figure: branch access via ISR w/ EtherSwitch or a standalone switch, SGT 20 assigned via 802.1X, MAB, Web Auth; SXP to the Data Center Nexus 7010, Cat6500, Cat4500; file server, web server, SQL server with SGTs 111 and 222; Directory Service; ISE). Support for branch access. Source SGT assigned via 802.1X, MAB, or Web Authentication. Server SGT assigned via IPM or statically. The IP-to-SGT binding table is exchanged between the branch LAN access switch and the Data Center TrustSec-capable device, where SGACL enforcement takes place. Policy matrix: User B (20/14) to Server B (222/DE) SGACL-C.
  48. WAN scenario (figure, for illustration purposes only): in the Data Center, N7K and 6K w/ SUP 2T with NDAC/SAP 802.1AE encryption between them; the 6K w/ SUP 2T acts as SXP Listener-1 and Listener-2 toward ASR1K routers across the WAN, which collect bindings from SXP Speaker-1 through Speaker-300. ASR1K available July; 6K w/ SUP 2T available July.
  50. Everyone has a different role (figure). Identity information (Employee, Full-Time Employee, Guest) plus other conditions (Time and Date, Location, Access Type) map to an access privilege: Network Administrator, Human Resources, Finance, Home Access, Guest, Deny Access. Example users: Rossi Barks (Employee, Engineering), Kowalski Susan (Employee, Sales Director), Francois Didier (Consultant), Vicky Sanchez (Employee, Marketing).
  51. Same model (figure): Identity: Consultant, with Time and Date; Identity: Full-Time Employee, with Location; Identity: Guest, with Access Type; access privileges Network Administrator, Human Resources, Finance, Marketing, Guest, Deny Access.
  52. Same model (figure): Identity: Engineering, with Time and Date; Identity: Full-Time Employee, with Location: Off Site, yielding Home Access; Identity: Guest, with Access Type: Wired; access privileges Network Administrator, Human Resources, Finance, Home Access, Guest, Deny Access.
  53. Same model (figure): Identity: Engineering, with Time and Date; Identity: Full-Time Employee, with Location: Airport, yielding Home Access; Identity: Guest, with Access Type: VPN; access privileges Network Administrator, Human Resources, Finance, Home Access, Guest, Deny Access.
  54. Location-aware egress enforcement (figure: an HR user not in the proper locale on Catalyst switches (3K/4K/6K), AUTH=OK, SGT=8; Nexus 7000 enforcing the Security Group ACL in front of the HR Server and ACME Server; ISE). Policy matrix: HR User (10/A) to HR Server (111/6F) Permit All; HR User (10/A) to ACME Server (222/DE) Permit All; HR Off Site (8/8) to HR Server (111/6F) Deny All; HR Off Site (8/8) to ACME Server (222/DE) Permit. Steps: 1. The user connects to the network. 2. The Pre-Auth ACL only allows selective services before authentication. 3. Authentication is performed and results are logged by ISE; the dACL is downloaded along with the SGT. 4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point. 5. Traffic to the HR Server is denied due to the improper location of the HR user.
  56. TrustSec covering the intra-Data Center for server traffic segmentation (figure: Nexus 7010 distribution switch with SGACL enforcement, SGT assignment via IPM or statically; Cat6500/Cat4500 access; Server A 111, Server B 222, Server C 333; Directory Service; ACS 5.1). Manual server IP address to SGT binding on the Nexus 7000, or IPM (Identity Port Mapping) to ISE for centralized SGT management. Servers connected to the same access switch can be segmented using the Private VLAN feature toward the distribution switch. Server-to-server policy matrix (source by destination):
      SRC \ DST        Server A (111)   Server B (222)   Server C (333)
      Server A (111)   ---              SGACL-A          Permit all
      Server B (222)   Permit all       ---              SGACL-B
      Server C (333)   Deny all         Deny all         ---
  57. Nexus 7000 SGT/DGT matrix: App-SVR (222) to App-SVR (222) Permit; App-SVR (222) to Public-SVR (333) Deny; Public-SVR (333) to App-SVR (222) Deny; Public-SVR (333) to Public-SVR (333) Permit. Enforcement on the SVI SGACL (VLAN 10). Figure: Nexus 7000 promiscuous port, 802.1Q trunk to a Catalyst switch, Private VLAN with primary VLAN 10 and secondary (isolated) VLAN 200, Public-SVR and App-SVR tagged 333 and 222. Enforcement options: dynamic policy enforcement between servers within the same isolated VLAN; dynamic policy enforcement between servers in different community VLANs.
  59. VDI flow (figure: campus access on Cat4500, Connection Broker, pools of VMs in the Data Center, Directory Service, file/web/SQL servers, ISE). The user logs into the thin client (no user authentication is performed for this example). The user initiates a connection to the Connection Broker via RDP or PCoIP protocols. The Broker queries Active Directory for the VM pool assignment. The Broker redirects the user to an available VM in the Data Center VM pool. The user is now able to remotely view and control the VM.
  60. VDI with SGT (figure: User A on campus access via RDP to the Connection Broker; 802.1X in the VM pool, Auth=OK, SGT=10; SXP to the Data Center; Cat4500, Directory Service, ISE). The user logs into the VM, which triggers 802.1X authentication. Authentication succeeds and authorization assigns the SGT for the user. Traffic hits the egress enforcement point. Only the permitted traffic path (source SGT to destination SGT) is allowed. Policy matrix: User A (10) to File Server (111) Permit all, to Web Server (222) Deny All; User B (20) to File Server (111) Deny all, to Web Server (222) SGACL-C.
  62. Data Center interconnect (figure): DC-1 and DC-2, each with Nexus 7010 switches.
  63. Data Center interconnect (figure): DC-1 and DC-2 Nexus 7010 pairs connected via vPC (interface e1/25).
  64. Data Center interconnect (figure): DC-1 and DC-2 Nexus 7010 pairs with vPC, connected through PE devices over MPLS.
  71. Summary: SGA builds upon Identity services. SGA provides a scalable identity access control model. SGA migration strategies allow customers to deploy with existing hardware. SGA is deployable today.
  72. Platform support:
      Platform                                   Available Feature                         OS Version                                                              Notes
      Nexus 7000 series Switch                   SGACL, 802.1AE + SAP, NDAC, SXP, IPM, EAC  Cisco NX-OS 5.0.2a. Advanced Service Package license is required        Enforcement Device, DC Distribution
      Catalyst 6500E Switch                      NDAC (No SAP), SXP, EAC                   Cisco IOS 12.2(33)SXI3 or later release. IP Base K9 image required      Campus / DC Access switch
        (Supervisor 32, 720, 720-VSS)
      Catalyst 49xx switches                     SXP, EAC                                  Cisco IOS 12.2(50)SG7 or later release                                  DC Access switch
      Catalyst 4500 Switch                       SXP, EAC                                  Cisco IOS 12.2(53)SG7 or later release                                  Campus Access Switch
        (Supervisor 6L-E or 6-E)
      Catalyst 3560-X / 3750-X Switches          SXP, EAC                                  Cisco IOS 12.2(53)SE2 or later release                                  Campus Access Switch
      Catalyst 3560(E) / 3750(E) Switches        SXP, EAC                                  Cisco IOS 12.2(53)SE1 or later release                                  Campus Access Switch
      Catalyst Blade Module 3x00 Switches        SXP, EAC                                  Cisco IOS 12.2(53)SE1 or later release                                  DC Access Switch
      Cisco EtherSwitch service module           SXP, EAC                                  Cisco IOS 12.2(53)SE1 or later release. IP Base K9 image required       Branch Access Switch
        for ISR Routers
      Cisco Secure ACS                           Centralized Policy                        ACS Version 5.1 with TrustSec
