Keeping up with mobility and security (Cisco TrustSec)

Cisco TrustSec
Security Solution Overview
Nicole Johnson
Systems Engineer
Cisco
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
• Movement from a location-based to an identity-based security strategy
• Cisco TrustSec approach
• 802.1X
• MACsec (802.1AE) encryption
• Security Group Tags
• Identity Services Engine (ISE) and its role in the network
• Network Control System
• Introduction on how to manage the lifecycle of both wired and wireless devices in your network
• Q & A
• Next Steps
Borderless Networks: "anyone, on any device, anywhere, anytime" becomes "the RIGHT person, on an approved device, in the right way".
(Diagram: an identity-enabled infrastructure. Wireless users, remote VPN users and devices reach the data center, intranet, Internet and security zones through policy-based access and services. Building blocks: VLANs, guest access, profiling, dACLs, posture, SGTs and scalable enforcement. Outcomes: enables business productivity, delivers security and risk management, improves IT operational efficiency.)
Think of it as “NAC Next Generation”
TrustSec is an umbrella term:
• Covers anything having to do with identity:
• IEEE 802.1X (Dot1x)
• Cisco NAC Appliance
• Profiling technologies
• Guest services
• Secure Group Access (SGA)
• MACsec (802.1AE)
• Access Control Server (ACS)
• Identity Services Engine (ISE)
Four questions an identity-enabled network answers:
1. Who are you? 802.1X (or a supplementary method) authenticates the user. Keep the outsiders out.
2. Where can you go? Based on the authentication, the user is placed in the correct VLAN. Keep the insiders honest.
3. What service level do you receive? The user can be given per-user services (ACLs today, more to come). Personalize the network.
4. What are you doing? The user’s identity and location can be used for tracking and accounting. Increase network visibility.
• Ensure that only allowed types of user and machine connect to key resources
• Provide guest network access in a controlled and specific manner
• Deliver differentiated network services to meet security policy needs, for example:
  Ensure compliance requirements (PCI, etc.) for user authentication are met
  Facilitate voice/data traffic separation in the campus
  Ensure that only employees with legitimate devices access classified systems
  Ensure that contractors/business partners get appropriate access
• Provide user and access device visibility to network security operations
• Industry-standard approach to identity
• Most secure user/machine authentication solution
• Complements other switch security features
• Easier to deploy
• Provides foundation for additional services (e.g., posture)
802.1X components:
• Supplicant: the endpoint requesting service (connectivity) at Layer 2
• Authenticator: switch, router or wireless access point
• Authentication Server: RADIUS server, providing back-end authentication support at Layer 3
• Identity Store/Management: Active Directory or LDAP, reached through identity store integration
User Authentication (e.g. alice)
• Enables user-based access control and visibility
• If enabled, should be in addition to device authentication
Device Authentication (e.g. host\XP2)
• Enables devices to access the network prior to (or in the absence of) user login
• Enables critical device traffic (DHCP, NFS, machine GPO)
• Is required in managed wired environments
• 802.1X provides various authorization mechanisms for policy enforcement.
• Three major enforcement / segmentation mechanisms:
  • Dynamic VLAN assignment – ingress
  • Downloadable per-session ACL (dACL) – ingress
  • Security Group Access Control List (SGACL) – egress
• Three different enforcement modes:
  • Monitor Mode
  • Low Impact Mode (with downloadable ACL)
  • High-Security Mode
• Session-based, on-demand authorization:
  • Change of Authorization (RFC 3576 RADIUS Disconnect Messages)
• A Systems Approach: a fully planned, tested and vetted SYSTEM for identity. The many business units have all worked together to form a full system-based approach to ensure the most capable, fully functional and proven identity system in the industry.
• Consistent across all switch platforms: same features, same code. Features include Multi-Auth, Deployment Modes, Pre-Emptive Dead Server Detection, Critical VLAN and dACL per Host.
Media Access Control (MAC) Security is standards based
• MACsec is a Layer 2 encryption mechanism (Ratified in 2006)
• 802.1AE defines the use of AES-GCM-128 as the encryption cipher.
• Cisco working with IETF to extend to AES-GCM-256
Secures communication for trusted components on the LAN
• Builds on 802.1X for Key Management, Authentication, and Access
Control
• 802.1X-2010 defines the use of MACsec, MACsec Key Agreement (MKA)
(Previously 802.1AF), and 802.1AR (Ratified in 2010)
MACsec is very efficient
• Authenticated Encryption with Associated Data (AEAD)
• HW implementations run very quickly
• 1G and 10G line rate crypto currently deployed
• Intel AES-NI support in CPU (Cisco FIPS 140-2 Validated)
Confidentiality and Integrity
Securing Data Path with MACsec
Media Access Control Security (MACsec)
• Provides “WLAN / VPN equivalent” encryption (128-bit AES-GCM) to the LAN connection
• NIST approved* encryption (IEEE 802.1AE) + key management (IEEE 802.1X-2010/MKA or Security Association Protocol)
• Allows the network to continue to perform auditing (security services)
* National Institute of Standards and Technology Special Publication 800-38D
(Diagram: an authenticated user with a MACsec-capable supplicant encrypts traffic over the MACsec link to a MACsec-capable device, which decrypts it; a guest user without MACsec sends data in the clear while 802.1X still authenticates. The ciphertext on the link is shown as unreadable text.)
Note: Cat3750-X currently supports MACsec on downlink only
Benefits
• Confidentiality: strong encryption at Layer 2 protects data.
• Integrity: integrity checking ensures data cannot be modified in transit.
• Flexibility: selectively enabled with centralized policy.
• Network Intelligence: hop-by-hop encryption enables the network to inspect, monitor, mark and forward traffic according to your existing policies.
Limitations
• Endpoint Support: not all endpoints support MACsec.
• Network Support: line-rate encryption typically requires updated hardware on the access switch.
• Technology Integration: MACsec may impact other technologies that connect at the access edge (e.g. IP phones).
• Security Group Tags
  • Unique 16-bit (65K) tag assigned to a unique role
  • Represents the privilege of the source user, device, or entity
  • Tagged at ingress of the TrustSec domain
  • Provides topology-independent policy
  • Flexible and scalable policy based on user role
  • Centralized policy management for dynamic policy provisioning
• Hop-by-hop encryption (802.1AE)
  Provides confidentiality and integrity while still allowing for inspection of traffic between endpoints
Layer 2 SGT Frame Format
Ethernet frame fields, in order: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
Cisco Meta Data (CMD) fields: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
Authenticated (covered by the ICV): DMAC through PAYLOAD. Encrypted: the fields after the 802.1AE header (802.1Q, CMD, ETYPE, PAYLOAD).
The 802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead.
• Frame is always tagged at the ingress port of an SGT-capable device
• Tagging process runs prior to other L2 services such as QoS
• No impact on IP MTU/fragmentation
• L2 frame MTU impact: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552 bytes MTU)
Define network policy as an extension of business goals
• Policy extends to all access types (wired, wireless, VPN)
• Lifecycle services integration – guest, profiling, posture
• Optional encryption-based policies for security-conscious users
(Diagram: a Finance Manager on a corporate-issued laptop is allowed to reach Product Bookings, Customer Data and SalesForce.com; on a personal iPad the same user is blocked from Customer Data.)
ISE: Policies for people and devices
Questions ISE addresses across authorized access, guest access and non-user devices:
• How can I restrict access to my network?
• Can I allow guests Internet-only access?
• How do I discover non-user devices?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
• How do I manage guest access?
• Can I determine what they are?
• Can this work in wireless and wired?
• Can I control their access?
• How do I monitor guest activities?
• Are they being spoofed?
• Access rights on premises, at home, on the road?
• Devices are healthy?
(Diagram: a campus network of Cisco switches, Cisco access points and a Cisco Wireless LAN Controller, with policy from the Cisco® Identity Services Engine governing access to internal resources and the Internet. Example policies: “Employees should be able to access everything but have limited access on personal devices”; “Everyone’s traffic should be encrypted”; “Printers should only ever communicate internally”.)
Let’s Start With What We Know
Previous Cisco TrustSec Solution Portfolio
• Identity & Access Control: Access Control System, AnyConnect
• Identity & Access Control + Posture: NAC Manager, NAC Server, NAC Agent
• Device Profiling & Provisioning + Identity Monitoring: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
• Guest Lifecycle Management: NAC Guest Server
Introducing Identity Services Engine
Next Generation Solution Portfolio
• The same four service areas, with the Identity Services Engine (ISE) consolidating the NAC Manager, NAC Server, NAC Profiler, NAC Collector and NAC Guest Server functions alongside Access Control System, AnyConnect and NAC Agent.
ISE: Consolidated Services, Software Packages
• Consolidates NAC Manager, ACS, NAC Profiler, NAC Server and NAC Guest into ISE; keep the existing logical design
• Flexible service deployment: all-in-one, HA pair or distributed policy servers; optimize where services run; simplify deployment and administration
• Visibility: track active users and devices (user ID, access rights, location, device and IP/MAC)
• Admin console: manage Security Group Access. Example SGT policy matrix (source SGT vs. destination SGT):
  Staff → Public: Permit; Staff → Private: Permit
  Guest → Public: Permit; Guest → Private: Deny
• Monitoring: system-wide monitoring and troubleshooting; consolidated data, three-click drill-in
• Guest: manage guests and sponsors
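The Layer 2 SGT frame format described earlier and the Staff/Guest versus Public/Private SGACL matrix on this slide, as one added worked example (not Cisco code): a Python script that builds an 802.1AE frame carrying a Cisco Meta Data SGT, parses the tag back out at an egress device, verifies the integrity tag, and applies the matrix. Field sizes follow IEEE 802.1AE; the EtherType values (0x88E5 for MACsec, 0x8909 for CMD), the CMD option layout, the SGT numbers and the key are assumptions or constructed values. A truncated HMAC stands in for the AES-GCM ICV so that the tamper check can run without a GCM library, and nothing is actually encrypted.

```python
"""Build and parse an 802.1AE frame carrying a Cisco Meta Data (CMD) Security
Group Tag, then apply an egress SGACL matrix to the recovered tag.

Added illustration, not Cisco code. EtherTypes and the CMD option layout are
assumed from the standards and Cisco documentation, not from the slides.
"""
import hashlib
import hmac
import struct

ETHERTYPE_MACSEC = 0x88E5   # assumed: IEEE 802.1AE SecTAG EtherType
ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_CMD = 0x8909      # assumed: Cisco Meta Data EtherType
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 1             # assumed
CMD_OPT_SGT = 0x01          # assumed option type of the SGT option
ICV_LEN = 16                # 128-bit ICV (AES-GCM-128 on the slide)
SECTAG_LEN_WITH_SCI = 16    # 2 EtherType + 1 TCI/AN + 1 SL + 4 PN + 8 SCI
CMD_LEN = 8                 # 2 EtherType + 1 Version + 1 Length + 1 Type + 1 Len + 2 SGT

def trustsec_l2_overhead():
    """Bytes added per frame by 802.1AE + CMD: the slide's '~40 bytes'."""
    return SECTAG_LEN_WITH_SCI + CMD_LEN + ICV_LEN

def _icv(key, authenticated):
    # Stand-in for the AES-GCM ICV: HMAC-SHA256 truncated to 16 bytes. Real
    # MACsec uses GCM, which also encrypts everything after the SecTAG.
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]

def build_sgt_frame(key, dmac, smac, vlan, sgt, payload, pn=1, sci=bytes(8)):
    """Frame layout: DMAC SMAC SecTAG 802.1Q CMD ETYPE PAYLOAD ICV (FCS omitted)."""
    tci_an = 0x2C   # SC=1 (SCI present), E=1, C=1 (encrypted/changed), AN=0
    sectag = struct.pack("!HBBI8s", ETHERTYPE_MACSEC, tci_an, 0, pn, sci)
    dot1q = struct.pack("!HH", ETHERTYPE_DOT1Q, vlan & 0x0FFF)
    cmd = struct.pack("!HBBBBH", ETHERTYPE_CMD, CMD_VERSION, 4, CMD_OPT_SGT, 2, sgt)
    etype = struct.pack("!H", ETHERTYPE_IPV4)
    authenticated = dmac + smac + sectag + dot1q + cmd + etype + payload
    return authenticated + _icv(key, authenticated)

def parse_sgt_frame(key, frame):
    """Recover the fields an SGT-aware egress device needs, plus the ICV check."""
    body, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    icv_ok = hmac.compare_digest(icv, _icv(key, body))
    dmac, smac = body[0:6], body[6:12]
    etype, tci_an, _sl, _pn = struct.unpack("!HBBI", body[12:20])
    if etype != ETHERTYPE_MACSEC:
        raise ValueError("not a MACsec frame")
    off = 20
    if tci_an & 0x20:               # SC bit: an explicit 8-byte SCI follows
        off += 8
    vlan = None
    if struct.unpack("!H", body[off:off + 2])[0] == ETHERTYPE_DOT1Q:
        vlan = struct.unpack("!H", body[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    sgt = None
    if struct.unpack("!H", body[off:off + 2])[0] == ETHERTYPE_CMD:
        length = body[off + 3]       # length of the CMD options in bytes
        opt_type, opt_len = body[off + 4], body[off + 5]
        if opt_type == CMD_OPT_SGT and opt_len == 2:
            sgt = struct.unpack("!H", body[off + 6:off + 8])[0]
        off += 4 + length
    etype = struct.unpack("!H", body[off:off + 2])[0]
    return {"dmac": dmac, "smac": smac, "vlan": vlan, "sgt": sgt,
            "ethertype": etype, "payload": body[off + 2:], "icv_ok": icv_ok}

# Constructed SGT numbers for the roles in the slide's matrix.
SGT_STAFF, SGT_GUEST, SGT_PUBLIC, SGT_PRIVATE = 2, 3, 10, 11
# Egress policy, (source SGT, destination SGT) -> action, exactly as on the slide.
SGACL_MATRIX = {
    (SGT_STAFF, SGT_PUBLIC): "permit", (SGT_STAFF, SGT_PRIVATE): "permit",
    (SGT_GUEST, SGT_PUBLIC): "permit", (SGT_GUEST, SGT_PRIVATE): "deny",
}

def egress_decision(key, frame, dst_sgt):
    """What an SGACL-enforcing egress port does with a received frame."""
    fields = parse_sgt_frame(key, frame)
    if not fields["icv_ok"]:
        return "drop-icv"           # integrity failure: the tag cannot be trusted
    sgt = fields["sgt"] if fields["sgt"] is not None else 0   # 0 = unknown
    return SGACL_MATRIX.get((sgt, dst_sgt), "deny")           # default deny

if __name__ == "__main__":
    key = b"constructed-demo-key"
    dmac, smac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    frame = build_sgt_frame(key, dmac, smac, 100, SGT_GUEST, bytes(64))
    print("overhead bytes:", trustsec_l2_overhead())
    print("guest -> private:", egress_decision(key, frame, SGT_PRIVATE))
    tampered = bytearray(frame)
    tampered[39] ^= 0x01            # rewrite the SGT value byte in flight
    print("tampered tag:", egress_decision(key, bytes(tampered), SGT_PRIVATE))
```

The tampered case is the reason the slides pair SGT with 802.1AE: the tag sits inside the authenticated region, so a modified tag fails the ICV check before any SGACL lookup happens.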
Identity Feature Differentiators
Consistent identity features supported on all Cisco® Catalyst® switch models authenticate authorized users (802.1X), devices including IP phones (MAB and network device profiling) and guests (Web Auth).
• Monitor Mode: delivers visibility by authenticating users/devices (without enforcement)
• Flex Authentication Sequence: the most flexible authentication in the market automates ports for rolling authentication with a flexible sequence
• IP Telephony Interoperability: features like multi-domain auth and link state provide authentication for IP telephony environments, or users behind VoIP devices
• VDI Deployment Support: the multi-authentication feature enables authentication of multiple MAC addresses behind a single port
Posture: a wired, wireless or VPN user found non-compliant gets temporary limited network access until remediation is complete.
Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running
Guest lifecycle (Web Auth guests, Internet access):
• Provision: guest accounts via sponsor portal
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Notify: guests of account details by print, email, or SMS
• Report: on all aspects of guest accounts
Guest Policy:
• Wireless or wired access
• Internet-only access
“What is on my Network” (profiling)
• Reduces MAB effort by identifying more than 90 device categories
• Create policy for users and endpoints, e.g. “Limited access by employee on iPad”
• Confidence-match based on multiple attributes
• Future “template feed”
(Diagram: profiling device categories such as smart phones, gaming consoles and workstations. Multiple rules establish a confidence level, and a minimum confidence is required for a match.)
• Once the device is profiled, it is stored within ISE for future associations. Example rules that establish an Apple iPad profile:
  Is the MAC address from Apple?
  Does the hostname contain “iPad”?
  Is the web browser Safari on an iPad?
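The confidence-matching described on the last three slides, as an added worked example that is not ISE code: each rule tests one collected attribute, every match adds certainty, a profile applies only once its minimum confidence is reached, the result is stored per MAC, and the stored profile then feeds an authorization rule such as “limited access by employee on iPad”. It also flags the contradiction the slides ask about (“Are they being spoofed?”). The rule weights, thresholds, sample OUIs, attribute names and endpoint data are all constructed; real ISE uses the IEEE OUI registry and its own feed.

```python
"""Constructed model of certainty-based endpoint profiling. Added illustration,
not ISE code: weights, thresholds, OUIs and sample endpoints are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Rule:
    attribute: str                  # which collected attribute the rule reads
    test: Callable[[str], bool]
    certainty: int                  # added to the score when the test matches

@dataclass
class Profile:
    name: str
    minimum_certainty: int          # score needed before the profile applies
    rules: List[Rule]

APPLE_OUIS = {"00:1e:c2", "3c:07:54"}   # constructed sample OUIs, not the registry

def oui(mac: str) -> str:
    return mac.lower().replace("-", ":")[:8]

def contains(*words):
    return lambda v: all(w in v.lower() for w in words)

PROFILES = [
    Profile("Apple-Device", 10, [Rule("mac", lambda v: oui(v) in APPLE_OUIS, 10)]),
    Profile("Apple-iPad", 30, [
        Rule("mac", lambda v: oui(v) in APPLE_OUIS, 10),       # MAC from Apple?
        Rule("hostname", contains("ipad"), 10),               # hostname has "iPad"?
        Rule("user_agent", contains("ipad", "safari"), 20),   # Safari on an iPad?
    ]),
    Profile("Windows-Workstation", 20, [
        Rule("dhcp_class_id", contains("msft"), 10),
        Rule("user_agent", contains("windows"), 10),
    ]),
]

def score(profile: Profile, attrs: Dict[str, str]) -> int:
    return sum(r.certainty for r in profile.rules
               if r.attribute in attrs and r.test(attrs[r.attribute]))

def profile_endpoint(attrs: Dict[str, str]) -> Tuple[str, int]:
    """Best profile whose minimum confidence is reached, else ('Unknown', 0)."""
    best = ("Unknown", 0)
    for p in PROFILES:
        s = score(p, attrs)
        if s >= p.minimum_certainty and s > best[1]:
            best = (p.name, s)
    return best

def spoof_indicators(attrs: Dict[str, str]) -> List[str]:
    """Attribute combinations that contradict each other and deserve an alert."""
    flags = []
    if "mac" in attrs and "user_agent" in attrs:
        if oui(attrs["mac"]) in APPLE_OUIS and "windows" in attrs["user_agent"].lower():
            flags.append("apple-oui-with-windows-agent")
    return flags

ENDPOINT_DB: Dict[str, Tuple[str, int]] = {}    # MAC -> (profile, certainty)

def classify_and_store(attrs: Dict[str, str]) -> Tuple[str, int]:
    """Profile the endpoint and keep the result for later associations."""
    result = profile_endpoint(attrs)
    ENDPOINT_DB[attrs["mac"].lower()] = result
    return result

def authorize(user_group: str, mac: str) -> str:
    """Policy on user group plus stored endpoint profile (constructed rules)."""
    profile, _ = ENDPOINT_DB.get(mac.lower(), ("Unknown", 0))
    if user_group == "employee" and profile == "Windows-Workstation":
        return "full"
    if user_group == "employee" and profile.startswith("Apple-"):
        return "limited"            # "limited access by employee on iPad"
    if user_group == "guest":
        return "internet-only"
    return "deny"

if __name__ == "__main__":
    ipad = {"mac": "3C:07:54:AA:BB:CC", "hostname": "Alices-iPad",
            "user_agent": "Mozilla/5.0 (iPad; CPU OS 4_3 like Mac OS X) Safari/6533"}
    print(classify_and_store(ipad), authorize("employee", ipad["mac"]))
    print(spoof_indicators({"mac": "00:1E:C2:01:02:03",
                            "user_agent": "Mozilla/5.0 (Windows NT 6.1)"}))
```

A MAC alone only reaches the weaker "Apple-Device" profile; the iPad profile needs the hostname and browser evidence as well, which is what keeps a single easily forged attribute from deciding the policy outcome.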
NCS and ISE
• ISE: central point of policy for wired and wireless users and endpoints
• NCS: centralized monitoring of wired and wireless networking, users and endpoints
• Unified wired and wireless policy (ISE) and management (NCS)
Monitor Mode
• Primary features: open mode, multi-auth, flex auth (optional)
• Benefits: unobstructed access, no impact on productivity, gain visibility through AAA logs
Low Impact Mode
• Primary features: open mode, multi-domain, port and dACLs
• Benefits: maintain basic connectivity, increased access security, differentiated access
High Security Mode
• Primary features: traditional closed mode, dynamic VLANs
• Benefits: strict access control
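The three enforcement modes and the RFC 3576 Change of Authorization from the earlier 802.1X authorization slide, as one added worked example that is not Cisco IOS code: a small port-session model that shows what traffic a port permits before authentication, after an Access-Reject and after an Access-Accept in each mode, and how a CoA moves a posture-quarantined session to full access without a new login. The traffic classes, the pre-authentication port ACL, the VLAN numbers and the RADIUS results are all constructed.

```python
"""Constructed model of 802.1X Monitor, Low Impact and High Security modes plus
a RADIUS Change of Authorization. Added illustration, not IOS behaviour."""
from enum import Enum

class Mode(Enum):
    MONITOR = "monitor"              # open port, authenticate but never enforce
    LOW_IMPACT = "low-impact"        # open port + pre-auth port ACL, dACL on success
    HIGH_SECURITY = "high-security"  # closed port, dynamic VLAN on success

ANY = frozenset({"*"})                       # "permit any"
DEFAULT_VLAN = 10                            # constructed: the port's static VLAN
PRE_AUTH_ACL = frozenset({"dhcp", "dns"})    # constructed low-impact port ACL

def permitted(rule, traffic):
    return "*" in rule or traffic in rule

class PortSession:
    def __init__(self, mode, client_mac):
        self.mode = mode
        self.client_mac = client_mac
        self.radius = None          # last authorization from the RADIUS server
        self.aaa_log = []           # what AAA sees: identical in every mode

    def apply_radius(self, result):
        """Record an Access-Accept / Access-Reject for the session."""
        self.radius = result
        self.aaa_log.append((self.client_mac, result["result"], self.mode.value))

    def change_of_authorization(self, result):
        """RFC 3576 CoA: the server pushes a new authorization mid-session
        (e.g. after posture remediation) and the port re-evaluates policy."""
        self.aaa_log.append((self.client_mac, "coa", self.mode.value))
        self.radius = result

    def policy(self):
        """Return (permitted traffic classes, VLAN) for the port right now."""
        accepted = self.radius is not None and self.radius["result"] == "accept"
        if self.mode is Mode.MONITOR:
            return ANY, DEFAULT_VLAN                 # visibility only
        if self.mode is Mode.LOW_IMPACT:
            if accepted:
                return frozenset(self.radius.get("dacl", ANY)), DEFAULT_VLAN
            return PRE_AUTH_ACL, DEFAULT_VLAN        # basic connectivity only
        if accepted:                                 # HIGH_SECURITY
            return ANY, self.radius.get("vlan", DEFAULT_VLAN)
        return frozenset(), None                     # closed until authenticated

    def allows(self, traffic):
        rule, _ = self.policy()
        return permitted(rule, traffic)

# Constructed authentication-server results.
ACCEPT_EMPLOYEE = {"result": "accept", "vlan": 20, "dacl": {"*"}}
ACCEPT_QUARANTINE = {"result": "accept", "vlan": 99, "dacl": {"dhcp", "dns", "https"}}
REJECT = {"result": "reject"}

def walkthrough(mode, traffic=("dhcp", "smb")):
    """Which of `traffic` is allowed before auth, after a reject, after an accept."""
    s = PortSession(mode, "00:11:22:33:44:55")
    before = {t: s.allows(t) for t in traffic}
    s.apply_radius(REJECT)
    rejected = {t: s.allows(t) for t in traffic}
    s.apply_radius(ACCEPT_EMPLOYEE)
    accepted = {t: s.allows(t) for t in traffic}
    return before, rejected, accepted

def remediation_flow():
    """Posture: quarantine dACL first, then CoA to full access once compliant."""
    s = PortSession(Mode.LOW_IMPACT, "aa:bb:cc:dd:ee:ff")
    s.apply_radius(ACCEPT_QUARANTINE)
    during = s.allows("smb")
    s.change_of_authorization(ACCEPT_EMPLOYEE)
    return during, s.allows("smb"), [entry[1] for entry in s.aaa_log]

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, walkthrough(mode))
    print("remediation:", remediation_flow())
```

Note that the AAA log fills in the same way in Monitor Mode as in the enforcing modes, which is why the slides recommend starting there: you get the visibility and can fix failing endpoints before any access is withheld.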
Typical TrustSec deployment scenario: plan in advance and keep the impact on user experience as small as possible.
1. Planning
2. Proof of Concept
3. Pilot Deployment (size: 1 segment or 1 floor): supplicant provisioning, RADIUS setup, switch setup, no enforcement (Monitor Mode), review & adjust, enforcement (Low Impact Mode), review & adjust
4. Expansion (size: multi-floor, building)
5. Services
• One policy for wired, wireless and VPN
• Integrated lifecycle services (posture, profiling, guest)
• Differentiated identity features (monitor mode, flex auth, multi-auth, ...)
• Phased approach to deployments – i.e. monitor mode
• Flexible and scalable authorization options
• Encryption to protect communications and SGT tags
Trustsec.cisco.com
www.cisco.com/go/trustsec
References: 802.1X
• http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNSTechnical-Review.pdf
• http://en.wikipedia.org/wiki/IEEE_802.1X
• http://www.networkworld.com/news/2010/0506whatisit.html
• http://www.ieee802.org/1/pages/802.1x.html
References: MACsec
• http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html
• https://videosharing.cisco.com/vportal/VideoPlayer.jsp?ccsid=C-9323e79a0395-475c-9c65-27f6e6afff3b:1#
• http://en.wikipedia.org/wiki/IEEE_802.1AE
• http://www.ieee802.org/1/pages/802.1ae.html
• http://www.networkworld.com/details/7593.html