TrustSec (NaaS / NaaE)
per@cisco.com

Security on top of the mind for our customers
• 60% of data is stolen in HOURS
• 85% of point-of-sale intrusions aren't discovered for WEEKS
• 54% of breaches remain undiscovered for MONTHS
• 51% increase of companies reporting a $10M loss or more in the last 3 YEARS
• "A community that hides in plain sight avoids detection and attacks swiftly" – Cisco Annual Security Report
• US-CERT: "Effective network segmentation restricts communication between networks and reduces the extent to which an adversary can move across the network."

How TrustSec Simplifies Network Segmentation
Traditional segmentation
• Access layer: Employee, Supplier, BYOD and Non-Compliant endpoints placed in separate VLANs (Data VLAN, Guest VLAN, BYOD VLAN, Voice VLAN, Quarantine VLAN)
• Aggregation layer: VACLs; DC firewall / switch: static ACLs to the DC servers
• Every VLAN brings its own address, routing, redundancy and DHCP scope work across the enterprise backbone
• Security policy is based on topology: high cost and complex maintenance
TrustSec
• Employee Tag, Supplier Tag and Non-Compliant Tag share the same Data VLAN; Voice VLAN unchanged
• ISE policy, central policy provisioning, micro/macro segmentation
• No topology change, no VLAN change
• Use the existing topology and automate security policy to reduce OpEx

Driven by Customer Top-of-Mind
• Segmentation for Threat Defense: segmentation at the access layer to block "lateral movement of threats"; access control to improve security
• Privileged Access to DC: restricting application access based on user / device privilege in a scalable fashion
• Regulatory Compliance: segmentation for scope reduction, protecting sensitive information from other connected devices (PCI, HIPAA, Financial Regulation, etc.)
Customers: Banks, Universities, Governments, Utilities, Defense, Healthcare, Manufacturers, Broadcaster, Federal/Central Govts, Insurance, Consumer electronics, Research
• Major Retailers segmenting critical assets in stores and DC, driven by recent hacks
• Bank – 3 use-cases in production
• Governments, tech companies, healthcare, manufacturing increasing network security controls to mitigate risk
• Multiple retailers for PCI compliance
• Defense customer – export controls
• Healthcare – segmenting clinical/non-clinical devices and protecting patient data
• Bank – deploying across 350,000 endpoints

Agenda
• Overview of Cisco TrustSec
• Prescriptive Approach for Effective Segmentation
• Case Studies and Design Considerations
• Summary and Key Takeaways

Overview of Cisco TrustSec

About Security Group Tags
• Classification: the process of assigning SGTs (users / devices, priority users, servers, endpoints, infected hosts, sites / branch offices)
• Propagation: the process of carrying tags in the network
• Enforcement: the process of controlling access based on tags (Full Access, Partial Access, Access Deny)

TrustSec in Action
• ISE with the users directory classifies: remote access (SGT 5), wireless, switch
• Propagation across the network routers
• Enforcement at the DC switch and DC firewall in front of the application servers (SGT 7, SGT 8)

Classification Types
• Dynamic classification: 802.1X Authentication, MAC Auth Bypass, Web Authentication – common classification for mobile devices
• Static classification: IP Address, VLANs, Subnets, L2 Interface, L3 Interface, Virtual Port Profile, Layer 2 Port Lookup – common classification for servers, topology-based policy, etc.

Propagation – Inline Tagging
Ethernet frame with Cisco Meta Data: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
CMD fields: CMD EtherType (0x8909) | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option
MACsec frame: Destination MAC | Source MAC | 802.1AE Header | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC; AES-GCM 128-bit encryption
• Fastest and most scalable way to propagate SGT within the LAN or Data Center
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE) – optional for capable hardware
• No impact to QoS, IP MTU / fragmentation
• L2 frame impact: ~20 bytes
• 16-bit field gives ~64,000 tag space
• Non-capable device drops the frame with unknown EtherType

Propagation – SGT Exchange Protocol (SXP)
• Propagation method of IP-SGT binding – propagates IP-SGT from the classification point to the enforcement point
• Open protocol (IETF Draft) & ODL supported
• TCP – port 64999
• Roles: Speaker (initiator) and Listener (receiver)
• Uses MD5 for authentication and integrity check
• Supports single-hop SXP & multi-hop SXP (aggregation)
Example: switches (speakers) send bindings such as SGT 6 – 10.4.9.5 and SGT 5 – 10.0.1.2 to routers (SXP aggregation), which forward them to the firewall (listener)

Propagation – SGT Transport over L3 Networks
• Multiple options for SGT transport over non-CTS Layer 3 networks
• DMVPN for Internet-based VPNs
• GETVPN for secure private MPLS clouds
• Over The Top (OTP) for private enterprise networks (1HCY15)
• CTS link on roadmap
Topology: Enterprise LAN (switch, Catalyst 6500, ISE, Finance / HR / BYOD, SXP, wireless) – Internet (DMVPN) and Enterprise MPLS (GETVPN) – Data Center (Nexus 7000, Nexus 1000v, SGACL)

Enforcement – SGACL
• Policy is expressed as Source SGT / Destination SGT / Policy
• Representing: Source = Employee_SGT, Destination = CreditCard_Server, Policy = Deny IP

Enforcement on Firewalls: ASA SG-FW
• SGT defined in ISE or locally defined on the ASA
• Trigger IPS/CX based on SGT
• Use destination SGT received from switches connected to the destination
• Use Network Object (Host, Range, Network (subnet), or FQDN)

TrustSec Functions
• Classification: static, dynamic (e.g. 5 Employee, 6 Supplier, 8 Suspicious)
• Propagation: inline tagging, SXP, WAN (GETVPN, DMVPN, IPsec)
• Enforcement: SGACL, SG-FW, SG-ZBFW

TrustSec Supported Platforms
Classification: Catalyst 2960-S/-C/-Plus/-X/-XR, Catalyst 3560-E/-C/-X/-CX, Catalyst 3750-E/-X, Catalyst 3850/3650, Catalyst 4500E (Sup6E/7E), Catalyst 4500E (Sup8), Catalyst 6500E (Sup720/2T), Catalyst 6800, WLC 2500/5500/5400/WiSM2/8510/8540, WLC 5760, Nexus 7000, Nexus 6000, Nexus 5500/2200, Nexus 1000v, ISRG2, CGR2000, ISR4000, IE2000/3000/CGR2000, ASA5500 (RAS VPN)
Propagation: Catalyst 2960-S/-C/-Plus/-X/-XR, Catalyst 3560-E/-C, 3750-E, Catalyst 3560-X/3750-X, Catalyst 3850/3650, Catalyst 4500E (Sup6E), Catalyst 4500E (Sup 7E, 7LE, 8E), Catalyst 4500X, Catalyst 6500E (Sup720), Catalyst 6500/Sup2T, 6800, WLC 2500/5500/5400/WiSM2/8510/8540, WLC 5760, Nexus 7000, Nexus 6000, Nexus 5500/2200, Nexus 1000v, ISRG2, ISR4000, IE2000/3000/CGR2000, ASR1000, ASA5500
Enforcement: Catalyst 3560-X, Catalyst 3750-X, Catalyst 3850/3650, WLC 5760, Catalyst 4500E (7E), Catalyst 4500E (8E), Catalyst 6500E (2T), Catalyst 6800, Nexus 7000, Nexus 6000, Nexus 5500/5600, Nexus 1000v, ISR G2, ISR4000, CGR2000, ASR 1000 Router, CSR-1000v Router, ASA 5500 Firewall, ASAv Firewall, Web Security Appliance

Prescriptive Approach for Effective Segmentation

Approaching a TrustSec Design
• Start with policy goals – focus on the business problem: maintain compliance, protect against breach, reduce complex ACLs and firewall rule complexity
• Use cases can be localized: controlled access to production systems or PCI servers, user to DC access control, secure BYOD, contractor access control, extranet security, simplified firewall rules, VPN access, ACLs or WSA rules

Implementing Business Policy through Segmentation
Discover and Classify Assets → Understand Behavior → Design and Model Policy → Enforce Policy → Active Monitoring (network segmentation lifecycle)

Discover and Classify Assets
Profile assets with ISE
• User & device authentication (User ID, SmartCard, Digital Certificate, etc.)
• MAC address based authentication
• Web portal based authentication
Profile assets with NetFlow and StealthWatch
• Services, applications, hosts
• Behaviour profiling

ISE Provides Device Visibility via Profiling
• Network infrastructure provides the local sensing function (Cisco Device Sensor, network based)
• Active scanning – enhanced accuracy: Cisco ISE augments passive network insight with active endpoint data (CDP/LLDP, DHCP, RADIUS, DNS, SNMP, NetFlow, HTTP, NMAP)
• Integrated profiling – visibility in scale: Cisco ISE Device Feed; manufacturers and the ecosystem provide constant updates for new devices
• Profiler Design Guide: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-30-ISE_Profiling_Design_Guide.pdf

Locate Assets with Lancope StealthWatch
• Find hosts communicating on the network
• Pivot based on transactional data

Understand Behavior
• Understand critical business processes: applications, services, protocol, time of day, etc.
• Profile systems
• Complete list of all hosts communicating with HTTP servers: Who, What, When, Where and How
• Profile business-critical processes: PCI zone map, overall system profile, inter-system relationships

Design and Model Policy
• Design policy: leverage group definitions from the profiling activities; monitor mode deployment
• Classify objects into Security Groups: directory server search / group mapping; device profiling (device type certainty); other attributes such as access time, location, method, etc.
• Model policy with StealthWatch: passively model policy

Starting a TrustSec Design
• Discuss assets to protect (example: cardholder data, medical records, intellectual data)
• Policy enforcement points: DC segmentation (DC virtual / physical switches or virtual / physical firewalls); user to DC access control (identify capable switches or firewalls in the path)
• Classification mechanisms (example: dynamic, static, etc.)
• Propagation methods: inline tagging, SXP, DM-VPN, GET-VPN, IPsec, OTP, etc.

How to Tag Users / Devices?
• TrustSec decouples network topology and security policy to simplify access control and segmentation
• The classification process groups network resources into Security Groups
• Campus & VPN access (Cisco access layer, ISE): 802.1X, MAB, Web Authentication, Profiling – User / Device / Location → IP-SGT
• Data Center / Virtualization (NX-OS, CIAC, Hypervisors): Port-SGT, Port Profile, VLAN-SGT
• IOS / Routing: Address Pool-SGT, IPv4 Subnet-SGT, IPv4 Prefix Learning, IPv6 Prefix-SGT, IPv6 Prefix Learning
• Non-Cisco & legacy environments, business partner and supplier access controls: VLAN-SGT, subnet-based classification

Deployment Approach – Monitor Mode
• Users connect to the network; monitor mode allows traffic regardless of authentication
• Authentication can be performed passively, resulting in SGT assignments
• Tagged traffic traverses the network, allowing monitoring and validation that assets are correctly classified and that traffic flows to assets are as predicted / expected
Topology: Users / Endpoints → Catalyst Switches / WLC (3K/4K/6K) → Campus Network → N7K → PCI Server, Production Server, Development Server
Monitor-mode matrix:
SRC \ DST        | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100)  | Permit all        | Permit all         | Permit all
PCI User (105)   | Permit all        | Permit all         | Permit all
Unknown (0)      | Permit all        | Permit all         | Permit all

Understand Behavior – Modeling Policy in StealthWatch
• Custom event triggers on a traffic condition: rule name and description, SGT, DGT; trigger on traffic in both directions, successful or unsuccessful
• Create flow-based rules for all proposed policy elements; a Policy Violation alarm triggers if the condition is met, simulating the proposed drop
• Modeled policy flow details (Where, What, When, Who; more context: Security Group): Is this communication permissible? Yes → tune the rule; No → respond
• Realistic enterprise policy

Enforce Policy
• Move to active policy enforcement: strategic rollout, Security Group Access Control Lists, firewall policy
• SGACL representation: Source = Employee_SGT, Destination = CreditCard_Server, Policy = Deny IP
Enabling enforcement
• Enforcement may be enabled gradually, on a per-destination-security-group basis
• Initially use SGACLs with deny logging enabled (remove the log keyword later if not required)
• Keep the default policy as permit and allow traffic with 'unknown SGT' during deployment
Egress enforcement (Security Group ACL) matrix, same topology as monitor mode:
SRC \ DST        | PCI Server (2000) | Prod Server (1000) | Dev Server (1010)
Employees (100)  | Deny all          | Deny all           | Permit all
PCI User (105)   | Permit all        | Permit all         | Permit all
Unknown (0)      | Deny all          | Deny all           | Permit all

Active Monitoring
Monitor network activity
• Detect suspicious and malicious activity
• Network behaviour and anomaly detection
• Policy violations
• Monitor policy configuration and misconfiguration
• Monitor for business continuity
Adaptive Network Control
• Identify and remediate threats
• Dynamically segment network threats
NetFlow monitoring (Where, What, When, Who; more context: Security Group)
• Highly scalable (enterprise class) collection
• High compression => long-term storage
• Months of data retention

Integrated Threat Defense (Detection & Containment) – Quarantine from StealthWatch
• Lancope StealthWatch event: Policy Violation; Source IP: 10.4.51.5; Role: Supplier; Response: Quarantine
• ISE issues a Change of Authorization; the supplier endpoint is moved from the Supplier group to Quarantine
• Network fabric segments: Employee, Supplier, Quarantine, High Risk Segment, Shared Server, Internet
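The gradual rollout described in the enforcement slides (per-destination enablement, deny logging on, default permit for unknown SGT) as an added worked example; this is illustrative Python, not Cisco code or a real SGACL configuration. The SGT numbers and the two matrices are the ones on the slides; the rollout stages and flow samples are constructed.

```python
from dataclasses import dataclass, field

# SGT numbers from the deck's monitor-mode / enforcement matrices (constructed sample data)
UNKNOWN, EMPLOYEES, PCI_USER = 0, 100, 105
PROD_SERVER, DEV_SERVER, PCI_SERVER = 1000, 1010, 2000


@dataclass
class SgaclMatrix:
    """Egress SGACL matrix: (source SGT, destination SGT) -> 'permit' or 'deny'."""
    cells: dict = field(default_factory=dict)
    default: str = "permit"            # slide guidance: keep default permit during rollout
    enforced_dgts: set = field(default_factory=set)  # DGTs switched from monitor to enforce
    log_denies: bool = True            # deny logging on initially; removed later if not needed

    def set_row(self, sgt, pci, prod, dev):
        self.cells[(sgt, PCI_SERVER)] = pci
        self.cells[(sgt, PROD_SERVER)] = prod
        self.cells[(sgt, DEV_SERVER)] = dev

    def evaluate(self, sgt, dgt):
        """Return (action, logged). A DGT still in monitor mode permits everything."""
        if dgt not in self.enforced_dgts:
            return "permit", False
        action = self.cells.get((sgt, dgt), self.default)  # unknown pair -> default permit
        return action, (action == "deny" and self.log_denies)


def enforcement_matrix():
    """The egress-enforcement matrix from the slides, before any DGT is enabled."""
    m = SgaclMatrix()
    m.set_row(EMPLOYEES, "deny", "deny", "permit")
    m.set_row(PCI_USER, "permit", "permit", "permit")
    m.set_row(UNKNOWN, "deny", "deny", "permit")
    return m


def rollout_trace(flows):
    """Evaluate sample flows at each stage of a gradual per-DGT rollout (constructed stages)."""
    m = enforcement_matrix()
    stages = [("monitor", None), ("enforce PCI", PCI_SERVER), ("enforce Prod", PROD_SERVER)]
    trace = {}
    for name, dgt in stages:
        if dgt is not None:
            m.enforced_dgts.add(dgt)
        trace[name] = {f: m.evaluate(*f) for f in flows}
    return trace


if __name__ == "__main__":
    sample = [(EMPLOYEES, PCI_SERVER), (PCI_USER, PCI_SERVER), (UNKNOWN, PROD_SERVER)]
    for stage, results in rollout_trace(sample).items():
        print(stage, results)
```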
Resources
One-stop Cisco partner portal for all "Network as a Sensor and Enforcer" resources: http://bit.ly/naas-e-partner
https://www.cisco.com/go/enterprise
https://www.cisco.com/go/trustsec

Summary
• Segmentation is foundational
• TrustSec automates network segmentation
• Create a win-win scenario with TrustSec
• Start small with localized use cases