TrustSec (NaaS / NaaE)
per@cisco.com
Security is top of mind for our customers
• 60% of data is stolen in hours
• 85% of point-of-sale intrusions aren’t discovered for weeks
• 54% of breaches remain undiscovered for months
• 51% increase in companies reporting a $10M loss or more in the last 3 years
“A community that hides in plain sight avoids detection and attacks swiftly” - “Cisco Security Annual Security Report”
US-CERT: “Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network.”
How TrustSec Simplifies Network Segmentation
Traditional Segmentation
• Security policy based on topology: static ACLs on the DC firewall/switch, VACLs at the aggregation layer, and one VLAN per role at the access layer (Data, Voice, Guest, BYOD, Quarantine for non-compliant hosts)
• Policy is tied to addressing, VLANs, DHCP scopes, routing and redundancy across the enterprise backbone
• High cost and complex maintenance
TrustSec
• Micro/macro segmentation with central policy provisioning from ISE
• Endpoints carry a tag (Employee, Supplier, Non-Compliant) instead of a role VLAN: no topology change, no VLAN change
• Use existing topology and automate security policy to reduce OpEx
Driven by Customer Top-of-Mind Priorities
Segmentation for Threat Defense: segmentation at the access layer to block “lateral movement of threats”; access control to improve security
Privileged Access to DC: restricting application access based on user/device privilege in a scalable fashion
Regulatory Compliance: segmentation for scope reduction, protecting sensitive information from other connected devices (PCI, HIPAA, financial regulation, etc.)
Customers driving these use cases:
• Banks
• Universities
• Major retailers segmenting critical assets in stores and DC, driven by recent hacks
• Bank: 3 use cases in production
• Governments, tech companies, healthcare, manufacturing increasing network security controls to mitigate risk
• Multiple retailers for PCI compliance
• Utilities
• Defense customer: export controls
• Defense
• Healthcare: segmenting clinical/non-clinical devices and protecting patient data
• Manufacturers
• Bank: deploying across 350,000 endpoints
• Broadcaster
• Federal/central governments
• Insurance
• Consumer electronics
• Research
Agenda
Overview of Cisco TrustSec
Prescriptive Approach for Effective Segmentation
Case Studies and Design Considerations
Summary and Key Takeaways
TrustSec
About Security Group Tags
Classification: the process of assigning SGTs to users, servers and endpoints (including priority users/devices and infected hosts).
Propagation: the process of carrying tags in the network, including to sites and branch offices.
Enforcement: the process of controlling access based on tags: full access, partial access or access deny.
TrustSec in Action
[Diagram: ISE, backed by the user directory, classifies users reaching the network via remote access, wireless and access switches (SGT 5) and application servers behind the DC switch (SGT 7, SGT 8); tags are propagated across network routers and enforced at the DC switch and DC firewall.]
Classification Types
Dynamic classification (common classification for mobile devices):
• 802.1X authentication
• MAC Auth Bypass
• Web authentication
Static classification (common classification for servers, topology-based policy, etc.):
• IP address
• VLANs
• Subnets
• L2 interface
• L3 interface
• Virtual Port Profile
• Layer 2 port lookup
Propagation: Inline Tagging
Ethernet frame with Cisco Meta Data: Destination MAC | Source MAC | 802.1Q | CMD EtherType (0x8909) | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option | ETHTYPE | PAYLOAD | CRC
MACsec frame: the same fields plus an 802.1AE header, with the frame protected by AES-GCM 128-bit encryption.
• Fastest and most scalable way to propagate SGTs within a LAN or data center
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE); optional for capable hardware
• No impact on QoS or IP MTU/fragmentation
• L2 frame impact: ~20 bytes
• 16-bit field gives a ~64,000 tag space
• A non-capable device drops the frame because of the unknown EtherType
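As an added illustration (example code written for this page, not Cisco code from the deck), the following Python builds a frame in the layout just described and parses the SGT back out of it. The EtherType 0x8909 and the 16-bit SGT field come from the slide; the one-byte version and length fields, the two-byte option type and the option code point 0x0001 are assumptions. The legacy_dispatch function models the last bullet: a device that does not know the CMD EtherType cannot see past it and drops the frame instead of forwarding it.

```python
import struct

CMD_ETHERTYPE = 0x8909     # Cisco Meta Data EtherType (from the slide)
DOT1Q_ETHERTYPE = 0x8100   # IEEE 802.1Q VLAN tag
SGT_OPTION_TYPE = 0x0001   # ASSUMED code point for the SGT option inside CMD
CMD_VERSION = 1            # ASSUMED

# EtherTypes a legacy (TrustSec-unaware) forwarding engine is assumed to recognise.
LEGACY_KNOWN = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}


def build_plain_frame(dst, src, ethertype, payload, vlan=None):
    """Ordinary Ethernet frame, optionally 802.1Q tagged (constructed test data)."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def build_cmd_frame(dst, src, sgt, inner_ethertype, payload, vlan=None):
    """Frame carrying an SGT in a CMD header: [802.1Q] 0x8909 ver len opt-type sgt ETHTYPE payload.
    Field widths (ver 1 byte, len 1 byte, option type 2 bytes) are assumptions."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field")
    options = struct.pack("!HH", SGT_OPTION_TYPE, sgt)
    cmd = struct.pack("!HBB", CMD_ETHERTYPE, CMD_VERSION, len(options)) + options
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF)
    return frame + cmd + struct.pack("!H", inner_ethertype) + payload


def parse_frame(frame):
    """TrustSec-capable parse: strips 802.1Q and CMD, returning the SGT (None if untagged),
    the inner EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if ethertype == DOT1Q_ETHERTYPE:
        (tci,) = struct.unpack_from("!H", frame, off)
        vlan = tci & 0x0FFF
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    sgt = None
    if ethertype == CMD_ETHERTYPE:
        version, opt_len = struct.unpack_from("!BB", frame, off)
        off += 2
        if version != CMD_VERSION:
            raise ValueError(f"unsupported CMD version {version}")
        options = frame[off:off + opt_len]
        off += opt_len
        # Walk the option list (each assumed to be type:2 value:2); other options are skipped.
        for i in range(0, len(options) - 3, 4):
            opt_type, opt_val = struct.unpack_from("!HH", options, i)
            if opt_type == SGT_OPTION_TYPE:
                sgt = opt_val
        if sgt is None:
            raise ValueError("CMD header without an SGT option")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        off += 2
    return {"dst": frame[0:6], "src": frame[6:12], "vlan": vlan, "sgt": sgt,
            "ethertype": ethertype, "payload": frame[off:]}


def legacy_dispatch(frame):
    """A switch without TrustSec support only looks at the (post-802.1Q) EtherType;
    0x8909 is unknown to it, so the frame is dropped rather than forwarded."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == DOT1Q_ETHERTYPE:
        (ethertype,) = struct.unpack_from("!H", frame, 16)
    return LEGACY_KNOWN.get(ethertype, "drop")


if __name__ == "__main__":
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
    tagged = build_cmd_frame(dst, src, sgt=5, inner_ethertype=0x0800, payload=b"ip-packet", vlan=100)
    print(parse_frame(tagged))          # sgt 5, vlan 100, ethertype 0x0800
    print(legacy_dispatch(tagged))      # drop
    print(legacy_dispatch(build_plain_frame(dst, src, 0x0800, b"ip-packet")))  # ipv4
```

The practical point for a design review is the last function: every hop between classification and enforcement must either understand CMD or be bypassed with SXP, otherwise tagged traffic is silently black-holed.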
Propagation: SGT Exchange Protocol (SXP)
• Propagation method for IP-SGT bindings
– Propagates IP-SGT bindings from the classification point to the enforcement point
• Open protocol (IETF draft) and ODL supported
– TCP, port 64999
• Roles: Speaker (initiator) and Listener (receiver)
• Uses MD5 for authentication and integrity check
• Supports single-hop SXP and multi-hop SXP (aggregation)
[Diagram: access switches act as speakers, sending bindings such as SGT 6 for 10.4.9.5 and SGT 5 for 10.0.1.2 to routers (SXP aggregation) and on to a firewall acting as listener.]
Propagation: SGT Transport over L3 Networks
[Diagram: enterprise LAN switches (Catalyst 6500, Nexus 7000, Nexus 1000v) and wireless carry Finance, HR and BYOD tags via SXP and SGACL with ISE; the data center is reached over the Internet (DMVPN), enterprise MPLS (GETVPN) and private enterprise networks (OTP); a CTS link is on the roadmap.]
Multiple options for SGT transport over non-CTS Layer 3 networks:
• DMVPN for Internet-based VPNs
• GETVPN for securing private MPLS clouds
• Over The Top (OTP) for private enterprise networks (1HCY15)
Enforcement: SGACL Enforcement Policy
The source SGT and destination SGT select the policy cell, for example:
Source = Employee_SGT
Destination = CreditCard_Server
Policy = Deny IP
Enforcement: Policy Enforcement on Firewalls (ASA SG-FW)
• SGT defined in ISE or locally defined on the ASA
• Trigger IPS/CX based on SGT
• Use the destination SGT received from switches connected to the destination
• Use network objects (host, range, network (subnet), or FQDN)
TrustSec Functions
[Diagram: Classification (static, dynamic) assigns tags such as 5 Employee, 6 Supplier, 8 Suspicious; Propagation (inline tagging, SXP, WAN) carries them between sites A and B; Enforcement applies SGACL, SG-FW and SG-ZBFW.]
TrustSec Supported Platforms
Classification:
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C/-X/-CX
• Catalyst 3750-E/-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E/7E)
• Catalyst 4500E (Sup8)
• Catalyst 6500E (Sup720/2T)
• Catalyst 6800
• WLC 2500/5500/5400/WiSM2/8510/8540
• WLC 5760
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISRG2, CGR2000, ISR4000
• IE2000/3000/CGR2000
• ASA5500 (RAS VPN)
Propagation (user and server edge, routers, WAN with GETVPN/DMVPN/IPsec, DC switches, vSwitch):
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C, 3750-E
• Catalyst 3560-X/3750-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E)
• Catalyst 4500E (Sup 7E, 7LE, 8E)
• Catalyst 4500X
• Catalyst 6500E (Sup720)
• Catalyst 6500/Sup2T, 6800
• WLC 2500/5500/5400/WiSM2/8510/8540
• WLC 5760
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISRG2, ISR4000
• IE2000/3000/CGR2000
• ASR1000
• ASA5500
Enforcement:
• Catalyst 3560-X
• Catalyst 3750-X
• Catalyst 3850/3650
• WLC 5760
• Catalyst 4500E (7E)
• Catalyst 4500E (8E)
• Catalyst 6500E (2T)
• Catalyst 6800
• Nexus 7000
• Nexus 6000
• Nexus 5500/5600
• Nexus 1000v
• ISR G2, ISR4000, CGR2000
• ASR 1000 Router
• CSR-1000v Router
• ASA 5500 Firewall
• ASAv Firewall
• Web Security Appliance
Prescriptive Approach for Effective Segmentation
Approaching a TrustSec Design
Start with policy goals; use cases can be localized (for example, controlled access to production systems or PCI servers):
• User to DC access control
• Secure BYOD
• Contractor access control
• Extranet security
• Simplified firewall rules, VPN access, ACLs or WSA rules
Focus on the business problem:
• Maintain compliance
• Protect against breach
• Complex ACLs, firewall rule complexity
Implementing Business Policy through Segmentation
The network segmentation cycle: Discover and Classify Assets → Understand Behavior → Design and Model Policy → Enforce Policy → Active Monitoring
Discover and Classify Assets
Profile assets with ISE
• User and device authentication (user ID, SmartCard, digital certificate, etc.)
• MAC address based authentication
• Web portal based authentication
Profile assets with NetFlow and StealthWatch
• Services, applications, hosts
• Behaviour profiling
ISE Provides Device Visibility via Profiling
• Network infrastructure provides the local sensing function (Cisco Device Sensor, network based): CDP/LLDP, DHCP, RADIUS, DNS, SNMP, NetFlow, HTTP
• Active scanning for enhanced accuracy: Cisco ISE augments passive network insight with active endpoint data (NMAP)
• Integrated profiling for visibility at scale: the Device Feed provides identity at scale, with manufacturers and the ecosystem providing constant updates for new devices
Profiler Design Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf
Locate Assets with Lancope StealthWatch
Find hosts communicating on the network
• Pivot based on transactional data
Implementing Effective Segmentation: Understand Behavior
Understand critical business processes
• Applications, services, protocol, time of day, etc.
• Profile systems
Complete list of all hosts communicating with HTTP servers: who, what, when, where and how
Profile business-critical processes: PCI zone map, overall system profile, inter-system relationships
Implementing Effective Segmentation: Design and Model Policy
Design policy
• Leverage group definitions from profiling activities
• Monitor mode deployment
Classify objects into security groups
• Directory server search / group mapping
• Device profiling (device type certainty)
• Other attributes: access time, location, method, etc.
Model policy with StealthWatch
• Passively model policy
Starting a TrustSec Design
Discuss assets to protect. Example: cardholder data, medical records, intellectual data
Policy enforcement points:
• DC segmentation (DC virtual/physical switches or virtual/physical firewalls)
• User to DC access control (identify capable switches or firewalls in the path)
Classification mechanisms. Example: dynamic, static, etc.
Propagation methods:
• Inline tagging
• SXP
• DM-VPN
• GET-VPN
• IPsec
• OTP etc.
How to Tag Users / Devices?
• TrustSec decouples network topology and security policy to simplify access control and segmentation
• The classification process groups network resources into Security Groups
[Diagram of classification sources: Cisco access layer (802.1X, MAB, web authentication, and ISE profiling of user/device/location) producing IP-SGT, VLAN-SGT and Port-SGT bindings; data center/virtualization (NX-OS, CIAC, hypervisors) using port profiles; IOS/routing using address pool-SGT, IPv4 subnet-SGT with IPv4 prefix learning and IPv6 prefix-SGT with IPv6 prefix learning; also campus and VPN access, non-Cisco and legacy environments, and business partner and supplier access controls.]
Deployment Approach: Monitor Mode
• Users connect to the network; monitor mode allows traffic regardless of authentication
• Authentication can be performed passively, resulting in SGT assignments
• Tagged traffic traverses the network (users/endpoints on Catalyst® switches/WLC (3K/4K/6K) in the campus network, servers behind the N7K), allowing monitoring and validation that:
– Assets are correctly classified
– Traffic flows to assets are as predicted/expected
Monitor-mode policy matrix:
SRC \ DST        | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100)  | Permit all        | Permit all         | Permit all
PCI User (105)   | Permit all        | Permit all         | Permit all
Unknown (0)      | Permit all        | Permit all         | Permit all
Understand Behavior
[StealthWatch custom event screenshot: a custom event triggers on a traffic condition, with fields for rule name and description, SGT and DGT; it triggers on traffic in both directions, successful or unsuccessful.]
Modeling Policy in StealthWatch
• Create flow-based rules for all proposed policy elements
• A Policy Violation alarm will trigger if the condition is met, simulating the proposed drop
Modeled policy, flow details: where, what, when and who, with the security group as additional context. Is this communication permissible? If yes, tune the policy; if no, respond.
Realistic enterprise policy
Implementing Effective Segmentation: Enforce Policy
Move to active policy enforcement
• Strategic rollout
• Security Group Access Control Lists
• Firewall policy
Security Group Access Control Lists
The source SGT and destination SGT select the policy cell, for example:
Source = Employee_SGT
Destination = CreditCard_Server
Policy = Deny IP
Enabling Enforcement
• Enforcement may be enabled gradually, on a per destination security group basis
• Initially use SGACLs with deny logging enabled (remove the log option later if not required)
• Keep the default policy as permit and allow traffic with ‘unknown SGT’ during deployment
Moving from monitor mode to egress enforcement (Security Group ACL) on the N7K, with users/endpoints on Catalyst® switches/WLC (3K/4K/6K) in the campus network:
SRC \ DST        | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100)  | Deny all          | Deny all           | Permit all
PCI User (105)   | Permit all        | Permit all         | Permit all
Unknown (0)      | Deny all          | Deny all           | Permit all
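To make the two matrices and the phased rollout concrete, here is an added Python model (example code written for this page, not Cisco code and not from the deck). It also serves the SXP passage earlier: a binding table holds IP-SGT bindings as a listener at the enforcement point would, with longest-prefix lookup so a host binding overrides its subnet, and unbound addresses fall into the Unknown (0) row. A policy object then evaluates the SGACL cell with enforcement switched on per destination group, deny logging, and default permit; destinations not yet enforced only report a “would-deny”, which is the same modeled-drop idea as the StealthWatch Policy Violation alarm. The tag numbers are those in the slides; the prefixes, bindings and flows are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Tag numbers and names as used in the deployment matrices above.
UNKNOWN_SGT = 0
SGT_NAMES = {0: "Unknown", 100: "Employees", 105: "PCI User",
             1000: "Prod Server", 1010: "Dev Server", 2000: "PCI Server"}


class BindingTable:
    """IP-SGT bindings as an SXP listener would hold them (constructed data).
    Longest-prefix match so a host binding overrides its subnet binding."""

    def __init__(self) -> None:
        self._entries: List[Tuple[ipaddress.IPv4Network, int]] = []

    def add(self, prefix: str, sgt: int) -> None:
        self._entries.append((ipaddress.ip_network(prefix, strict=False), sgt))
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> int:
        addr = ipaddress.ip_address(ip)
        for net, sgt in self._entries:
            if addr in net:
                return sgt
        return UNKNOWN_SGT   # no binding: the flow falls into the "Unknown (0)" row


@dataclass
class SGACLPolicy:
    matrix: Dict[Tuple[int, int], str]                   # (src_sgt, dst_sgt) -> "permit" | "deny"
    enforced_dsts: Set[int] = field(default_factory=set)  # destination SGTs with enforcement on
    default: str = "permit"                               # keep default permit during deployment
    log_denies: bool = True

    def decide(self, src_sgt: int, dst_sgt: int) -> Tuple[str, str]:
        verdict = self.matrix.get((src_sgt, dst_sgt), self.default)
        if verdict == "deny" and dst_sgt not in self.enforced_dsts:
            return "permit", "would-deny (monitor)"   # modeled drop, nothing is blocked yet
        if verdict == "deny":
            return "deny", "logged" if self.log_denies else ""
        return "permit", ""


@dataclass
class Result:
    src_ip: str
    dst_ip: str
    src_group: str
    dst_group: str
    action: str
    note: str


def evaluate(flows, bindings: BindingTable, policy: SGACLPolicy) -> List[Result]:
    """Map each flow's endpoints to SGTs via the binding table and apply the policy."""
    out = []
    for src_ip, dst_ip in flows:
        s, d = bindings.lookup(src_ip), bindings.lookup(dst_ip)
        action, note = policy.decide(s, d)
        out.append(Result(src_ip, dst_ip, SGT_NAMES.get(s, str(s)),
                          SGT_NAMES.get(d, str(d)), action, note))
    return out


# Target matrix from the egress-enforcement table above.
ENFORCEMENT_MATRIX = {
    (100, 2000): "deny", (100, 1000): "deny", (100, 1010): "permit",
    (105, 2000): "permit", (105, 1000): "permit", (105, 1010): "permit",
    (0, 2000): "deny", (0, 1000): "deny", (0, 1010): "permit",
}


def monitor_policy() -> SGACLPolicy:   # monitor-mode table: permit all
    return SGACLPolicy(matrix={})


def phased_policy() -> SGACLPolicy:    # phase 1: enforce only for the PCI Server destination group
    return SGACLPolicy(matrix=ENFORCEMENT_MATRIX, enforced_dsts={2000})


def full_policy() -> SGACLPolicy:      # all destination groups enforced
    return SGACLPolicy(matrix=ENFORCEMENT_MATRIX, enforced_dsts={2000, 1000, 1010})


def build_bindings() -> BindingTable:
    """Constructed bindings: an employee /16 with one PCI-user host inside it, and server subnets."""
    b = BindingTable()
    for prefix, sgt in [("10.1.0.0/16", 100), ("10.1.5.7/32", 105), ("10.200.1.0/24", 2000),
                        ("10.200.2.0/24", 1000), ("10.200.3.0/24", 1010)]:
        b.add(prefix, sgt)
    return b


FLOWS = [                            # constructed sample flows (src_ip, dst_ip)
    ("10.1.20.4", "10.200.1.10"),    # employee -> PCI server
    ("10.1.5.7", "10.200.1.10"),     # PCI user -> PCI server
    ("10.1.20.4", "10.200.2.5"),     # employee -> production server
    ("192.168.9.9", "10.200.1.10"),  # unbound source (Unknown) -> PCI server
    ("10.1.20.4", "10.200.3.3"),     # employee -> development server
]

if __name__ == "__main__":
    bindings = build_bindings()
    for name, pol in [("monitor", monitor_policy()), ("phase 1 (PCI only)", phased_policy()),
                      ("full", full_policy())]:
        print(f"--- {name}")
        for r in evaluate(FLOWS, bindings, pol):
            print(f"{r.src_group:>11} -> {r.dst_group:<11} {r.action:6} {r.note}")
```

Reading the phase-1 output next to the full one shows why the slide recommends per-destination rollout: the employee-to-production flow is still permitted but flagged, so a mis-classified business process surfaces as a logged would-deny rather than an outage.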
Implementing Effective Segmentation: Active Monitoring
Monitor network activity
• Detect suspicious and malicious activity
• Network behaviour and anomaly detection
• Policy violations
• Monitor policy configuration and misconfiguration
• Monitor for business continuity
Adaptive Network Control
• Identify and remediate threats
• Dynamically segment network threats
NetFlow Monitoring
Flow records answer where, what, when and who, with the security group as additional context.
• Highly scalable (enterprise class) collection
• High compression => long-term storage
• Months of data retention
Integrated Threat Defense (Detection & Containment)
[Diagram: Lancope StealthWatch detects a policy violation (Event: Policy Violation, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine) and requests a change of authorization from ISE; the supplier endpoint is moved from the network fabric into the quarantine / high-risk segment, isolated from employees, the shared server and the Internet.]
Quarantine from StealthWatch
One Stop Cisco Partner portal for all “Network as a Sensor and Enforcer” resources: http://bit.ly/naas-e-partner
https://www.cisco.com/go/enterprise
https://www.cisco.com/go/trustsec
Summary
• Segmentation is foundational
• TrustSec automates network segmentation
• Create a win-win scenario with TrustSec
• Start small with localized use cases