1. CISCO TRUSTSEC MODEL
Why?
Will Hatcher, CISO
Roy Sookhoo, CTO
Lynn Witherspoon, CMIO
Jodi Harris, Cisco Account Manager
2. Payment Card Industry (PCI) Standards - Problem
Required separate network for debit/credit card processing
o Regional WAN with many PCI systems running over a flat network.
o Hotels, Restaurants, Spa, Gyms, Post Office, Health Care Registration, etc.
3. PCI Segmentation
Reduction of Scope
Unless you want to hold your entire network to PCI security standards (limited practical use and expensive monitoring), you must place the PCI network on its own VLAN to reduce compliance scope, cost and monitoring expenses.
VLAN:
• A traditional VLAN requires programming every router/switch in the environment based on ACLs, IP ranges, firewalls and/or VLAN.
• Cisco TrustSec does this virtually through ISE device profiling and SGT tagging, using advanced packet-tagging and routing software.
Cisco Solution - TrustSec (Virtual VLAN)
4. What is a Virtual LAN or VLAN
A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). (Wikipedia)
To subdivide a network into virtual LANs, one configures a network switch or router. Simpler network devices can only partition per physical port (if at all), in which case each VLAN is connected with a dedicated network cable (and VLAN connectivity is limited by the number of hardware ports available).
VLAN membership can be based on IP address or MAC address as well.
6. Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE) is an identity-based access control policy platform that enables enterprises to:
• enhance infrastructure security (through posturing),
• enforce compliance (through monitoring),
• streamline their service operations in wired, wireless, or virtual private network (VPN) environments (posture, monitor, tag, then control access no matter what the network connection is).
• ISE maintains and enforces Cisco switch/router/firewall PCI policies.
Cisco’s unique ISE architecture allows enterprises to gather real-time contextual information from the network, users, and devices to make proactive governance decisions by tying identity back into various network elements via pxGrid (Cisco Partner Exchange Grid), including DHCP, DNS and enriched IP data through partner applications (like Infoblox & Lancope), access switches, wireless controllers, VPN, firewall and gateway applications.
7. Security Group Tagging (SGT)
Virtual VLAN
Security Group Tagging transforms segmentation by simplifying administration:
• Security group tags allow organizations to segment their networks without having to redesign to accommodate more VLANs and subnets.
• Firewall rules are dramatically streamlined by using an intuitive business-level profile method.
• Policy enforcement is automated, assisting compliance and increasing security efficacy.
• Security auditing becomes much easier, as Qualified Security Assessors can more easily validate that rules are being enforced to meet compliance.
10. Cisco TrustSec Challenges
Challenges:
Make sure your routers and switches are SGT compatible, or upgrade them.
(http://www.cisco.com/c/dam/en/us/solutions/collateral/borderless-networks/trustsec/trustsec_platform_support.pdf)
SGT does not route; it is only used for ACL decisions (pass/not pass) at the switch/router/ASA firewall.
ISE does not intelligently alert.
GOOD NEWS:
Most modern Cisco switches/routers pass SGT packets.
The Cisco ASA firewall recognizes SGT and can apply strict PCI rules to PCI-only traffic.
Most SIEM (Security Information and Event Management) systems can ingest ISE logs and alert on them.
Editor's Notes
Network segmentation isolates particular groups of users and computers into logical segments on a network to allow security enforcement points to permit or deny traffic between those groups. Traditionally, this discrete separation uses access controls based on network addressing, VLANs, and firewalls. Companies are then able to apply controls on how traffic flows are permitted between these groups to meet compliance targets. The benefit is that the network area separated from the PCI environment is no longer within the scope of PCI compliance, reducing the cost of managing and sustaining compliance across an environment.
Note: It is important to note that all three use cases described subsequently use the same policy, demonstrating how easily segmentation can be consistently managed.
Policy Decision Point (PDP)—A policy decision point is responsible for making access control decisions. The PDP provides features such as 802.1x, MAB, and web authentication. The PDP supports authorization and enforcement through VLAN, DACL, and security group access (SGACL/SXP/SGT).
In the Cisco TrustSec feature, the Cisco Identity Services Engine (ISE) acts as the PDP. The Cisco ISE provides identity and access control policy functionality.
An SGT is assigned to a device through IEEE 802.1X authentication, web authentication, or MAC authentication bypass (MAB), which occurs with a RADIUS vendor-specific attribute. An SGT can be assigned statically to a particular IP address or to a switch interface. An SGT is passed along dynamically to a switch or access point after successful authentication.
The Security-group eXchange Protocol (SXP) is a protocol developed for Cisco TrustSec to propagate the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support to hardware that supports SGTs and security group ACLs. SXP, a control plane protocol, passes IP-SGT mapping from authentication points (such as legacy access layer switches) to upstream devices in the network.
The SXP connections are point-to-point and use TCP as the underlying transport protocol. SXP uses the well-known TCP port number 64999 to initiate a connection. Additionally, an SXP connection is uniquely identified by the source and destination IP addresses.
Information About Internet Key Exchange Version 2
IPsec virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network. IPsec VTIs simplify the configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.
Zone-Based Firewall (ZBF)
To configure the ASA to function with Cisco TrustSec, you must import a Protected Access Credential (PAC) file from the ISE. For more information, see the “Importing a Protected Access Credential (PAC) File” section.
Importing the PAC file to the ASA establishes a secure communication channel with the ISE. After the channel is established, the ASA initiates a PAC secure RADIUS transaction with the ISE and downloads Cisco TrustSec environment data (that is, the security group table). The security group table maps SGTs to security group names. Security group names are created on the ISE and provide user-friendly names for security groups.
The first time that the ASA downloads the security group table, it walks through all entries in the table and resolves all the security group names included in security policies that have been configured on it; then the ASA activates those security policies locally. If the ASA cannot resolve a security group name, it generates a syslog message for the unknown security group name.
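As an added illustration of the enforcement model in the notes above (not code from the slides or from any Cisco product), a small Python model of how an enforcement point resolves a name-based policy against the downloaded security group table, reports names it cannot resolve, and then decides a flow from IP-to-SGT mappings. All SGT numbers, group names, addresses and the policy itself are constructed for the example.

```python
import logging

logging.basicConfig(format="%(message)s")
log = logging.getLogger("trustsec-model")

# Security group table as the ASA would download it from ISE: SGT number -> name.
# Constructed values, not a real deployment.
SECURITY_GROUP_TABLE = {2: "PCI_POS", 3: "PCI_Payment_Gateway", 10: "Guest_WiFi", 20: "Corp_Users"}

# IP-to-SGT mappings as an enforcement point learns them, statically or via SXP
# from an access-layer switch. Constructed addresses.
IP_TO_SGT = {"10.10.1.25": 2, "10.10.9.5": 3, "10.20.1.7": 10, "10.30.4.12": 20}

# Name-based policy as an administrator would write it: (source, destination) -> action.
# Anything not listed is denied, which keeps the PCI segment closed by default.
NAME_POLICY = {
    ("PCI_POS", "PCI_Payment_Gateway"): "permit",
    ("Corp_Users", "Guest_WiFi"): "permit",
    ("Helpdesk", "PCI_POS"): "permit",  # name that does not exist on ISE
}


def activate_policy(name_policy, sg_table):
    """Resolve names to SGT numbers, as the ASA does after downloading the table.
    Returns (sgt_policy, unresolved_names). A rule with an unknown name is skipped
    and reported (the ASA raises a syslog here), never silently turned into a permit."""
    name_to_sgt = {name: sgt for sgt, name in sg_table.items()}
    sgt_policy, unresolved = {}, []
    for (src, dst), action in name_policy.items():
        missing = [n for n in (src, dst) if n not in name_to_sgt]
        if missing:
            unresolved.extend(missing)
            log.warning("unknown security group name %s; rule %s -> %s not activated", missing, src, dst)
            continue
        sgt_policy[(name_to_sgt[src], name_to_sgt[dst])] = action
    return sgt_policy, unresolved


def evaluate_flow(src_ip, dst_ip, sgt_policy, ip_to_sgt):
    """Map both endpoints to SGTs and look up the pair. An endpoint with no
    mapping (untagged or unknown) is denied rather than treated as trusted."""
    src_sgt, dst_sgt = ip_to_sgt.get(src_ip), ip_to_sgt.get(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "deny"
    return sgt_policy.get((src_sgt, dst_sgt), "deny")


if __name__ == "__main__":
    policy, bad = activate_policy(NAME_POLICY, SECURITY_GROUP_TABLE)
    for flow in [("10.10.1.25", "10.10.9.5"), ("10.20.1.7", "10.10.1.25"), ("192.0.2.9", "10.10.9.5")]:
        print(flow, evaluate_flow(*flow, policy, IP_TO_SGT))
```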
Logging targets are locations where the system logs are collected. In Cisco ISE, targets refer to the IP addresses of the servers that collect and store logs. You can generate and store logs locally, or you can FTP them to an external server. Cisco ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:
• LogCollector—Default syslog target for the Log Collector.
• ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.