Cisco TrustSec Security Solution Overview
Nicole Johnson, Systems Engineer, Cisco
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

Slide 2: Agenda
• Movement from Location-Based to Identity-Based Security Strategy
• Cisco TrustSec Approach
• 802.1X
• MACsec (802.1AE) encryption
• Security Group Tags
• Identity Services Engine (ISE) and its role in the network
• Network Control System
• Introduction on how to manage the lifecycle of both wired and wireless devices in your network
• Q & A
• Next Steps

Slide 3: Borderless Networks
• Anyone → The RIGHT Person
• Any Device → An Approved Device
• Anywhere, Anytime → In The Right Way

Slide 4: Identity-enabled infrastructure
[Figure: users and devices (Wireless User, Remote VPN User, Devices, VPN User) connect through an identity-enabled infrastructure (VLANs, Guest Access, Profiling Devices, dACLs, Posture, SGTs, Scalable Enforcement, Policy-Based Access & Services) to the Data Center, Intranet, Internet and Security Zones.]
• Enables Business Productivity
• Delivers Security & Risk Management
• Improves IT Operational Efficiency

Slide 5: Think of it as "NAC-Next Generation"
TrustSec is an umbrella term: it covers anything having to do with identity:
• IEEE 802.1X (Dot1x)
• Cisco NAC Appliance
• Profiling Technologies
• Guest Services
• Secure Group Access (SGA)
• MACsec (802.1AE)
• Access Control Server (ACS)
• Identity Services Engine (ISE)

Slide 6
1. Who are you? 802.1X (or a supplementary method) authenticates the user. (Keep the Outsiders Out)
2. Where can you go? Based on authentication, the user is placed in the correct VLAN. (Keep the Insiders Honest)
3. What service level do you receive? The user can be given per-user services (ACLs today, more to come).
4. What are you doing?
   The user's identity and location can be used for tracking and accounting. (Questions 3 and 4: Personalize the Network; Increase Network Visibility)

Slide 7
• Ensure that only allowed types of user and machine connect to key resources
• Provide guest network access in a controlled and specific manner
• Deliver differentiated network services to meet security policy needs, for example:
  • Ensure compliance requirements (PCI, etc.) for user authentication are met
  • Facilitate voice/data traffic separation in the campus
  • Ensure that only employees with legitimate devices access classified systems
  • Ensure that contractors/business partners get appropriate access
• Provide user and access device visibility to network security operations

Slide 8
• Industry-standard approach to identity
• Most secure user/machine authentication solution
• Complements other switch security features
• Easier to deploy
• Provides foundation for additional services (e.g., posture)

Slide 9: 802.1X components
• Supplicant: the endpoint making the request for service (connectivity) at Layer 2
• Authenticator: switch, router or WAP; relays the request to the back-end authentication support at Layer 3
• Authentication Server: RADIUS server
• Identity Store/Management: Active Directory, LDAP (identity store integration with the authentication server)

Slide 10: User Authentication and Device Authentication
User Authentication (e.g. alice):
• Enables User-Based Access Control and Visibility
• If Enabled, Should Be In Addition To Device Authentication
Device Authentication (e.g. host\XP2):
• Enables Devices To Access Network Prior To (or In the Absence of) User Login
• Enables Critical Device Traffic (DHCP, NFS, Machine GPO)
• Is Required In Managed Wired Environments

Slide 11
• 802.1X provides various authorization mechanisms for policy enforcement.
• Three major enforcement / segmentation mechanisms:
  • Dynamic VLAN assignment (Ingress)
  • Downloadable per-session ACL (Ingress)
  • Security Group Access Control List (SGACL) (Egress)
• Three different enforcement modes:
  • Monitor Mode
  • Low Impact Mode (with Downloadable ACL)
  • High-Security Mode
• Session-based on-demand authorization:
  • Change of Authorization (RFC 3576 RADIUS Disconnect Messages)

Slide 12: A Systems Approach
• A fully planned, tested and vetted SYSTEM for identity: the many business units have all worked together to form a full system-based approach, to ensure the most capable, fully functional and proven identity system in the industry.
• Consistent across all switch platforms: same features, same code
  • Multi-Auth
  • Deployment Modes
  • Pre-Emptive Dead Server Detection
  • Critical VLAN
  • dACL per Host

Slide 14
Media Access Control (MAC) Security is standards based
• MACsec is a Layer 2 encryption mechanism (ratified in 2006)
• 802.1AE defines the use of AES-GCM-128 as the encryption cipher
• Cisco is working with the IETF to extend this to AES-GCM-256
Secures communication for trusted components on the LAN
• Builds on 802.1X for Key Management, Authentication, and Access Control
• 802.1X-2010 defines the use of MACsec, MACsec Key Agreement (MKA) (previously 802.1AF), and 802.1AR (ratified in 2010)
MACsec is very efficient
• Authenticated Encryption with Associated Data (AEAD)
• HW implementations run very quickly
• 1G and 10G line-rate crypto currently deployed
• Intel AES-NI support in CPU (Cisco FIPS 140-2 validated)
Slide 15: Confidentiality and Integrity: Securing the Data Path with MACsec
Media Access Control Security (MACsec)
• Provides "WLAN / VPN equivalent" encryption (128-bit AES-GCM) to the LAN connection
• NIST approved* encryption (IEEE 802.1AE) + Key Management (IEEE 802.1X-2010/MKA or Security Association Protocol)
• Allows the network to continue to perform auditing (Security Services)
* National Institute of Standards and Technology Special Publication 800-38D
[Figure: a guest user's data is sent in the clear, while an authenticated user with an 802.1X supplicant with MACsec has traffic encrypted on the MACsec link between MACsec-capable devices and decrypted on the far side.]
Note: Cat3750-X currently supports MACsec on downlink only

Slide 16: Benefits and Limitations
Benefits
• Confidentiality: Strong encryption at Layer 2 protects data.
• Integrity: Integrity checking ensures data cannot be modified in transit.
• Flexibility: Selectively enabled with centralized policy.
• Network Intelligence: Hop-by-hop encryption enables the network to inspect, monitor, mark and forward traffic according to your existing policies.
Limitations
• Endpoint Support: Not all endpoints support MACsec.
• Network Support: Line-rate encryption typically requires updated hardware on the access switch.
• Technology Integration: MACsec may impact other technologies that connect at the access edge (e.g. IP Phones).

Slide 17
• Security Group Tags
  • Unique 16-bit (65K) tag assigned to a unique role
  • Represents the privilege of the source user, device, or entity
  • Tagged at ingress of the TrustSec domain
  • Provides topology-independent policy
  • Flexible and scalable policy based on user role
  • Centralized policy management for dynamic policy provisioning
• Hop-by-hop encryption (802.1AE)
  • Provides confidentiality and integrity while still allowing for inspection of traffic between endpoints
Slide 18: Layer 2 SGT Frame Format
Frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | EtherType | PAYLOAD | ICV | CRC
• CMD (Cisco Meta Data) fields: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
• The 802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead; the frame is authenticated from the MAC addresses through the payload and encrypted from the field after the 802.1AE header through the payload
• Frame is always tagged at the ingress port of an SGT-capable device
• Tagging takes place prior to other L2 services such as QoS
• No impact on IP MTU/fragmentation
• L2 frame MTU impact: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552 bytes MTU)

Slide 20: Define network policy as an extension of business goals
[Figure: example policy for a Finance Manager with a corporate-issued laptop and a personal iPad against the resources Product Bookings, Customer Data and SalesForce.com; one device/resource combination is marked X.]
• Policy extends to all access types (wired, wireless, VPN)
• Lifecycle Services Integration: guest, profiling, posture
• Optional encryption-based policies for security-conscious users

Slide 21: ISE: Policies for people and devices
Three areas: Authorized Access, Guest Access, Non-User Devices. Questions the policy has to answer:
• How can I restrict access to my network?
• Can I allow guests Internet-only access?
• How do I discover non-user devices?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
• How do I manage guest access?
• Can I determine what they are?
• Can this work in wireless and wired?
• Can I control their access?
• How do I monitor guest activities?
• Are they being spoofed?
• Access rights on premises, at home, on the road?
• Are devices healthy?
Slide 22
[Figure: campus network with a Cisco Switch, Cisco Access Point, Cisco Wireless LAN Controller and Cisco® Identity Services Engine, connecting to Internal Resources and the Internet. Example policy statements:]
• "Employees should be able to access everything but have limited access on personal devices"
• "Everyone's traffic should be encrypted"
• "Printers should only ever communicate internally"

Slide 23: Let's Start With What We Know: Previous Cisco TrustSec Solution Portfolio
• Identity & Access Control: Access Control System, AnyConnect
• Identity & Access Control + Posture: NAC Manager, NAC Server, NAC Agent
• Device Profiling & Provisioning + Identity Monitoring: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
• Guest Lifecycle Management: NAC Guest Server

Slide 24: Introducing Identity Services Engine: Next Generation Solution Portfolio
• Identity & Access Control: Access Control System, AnyConnect
• Identity & Access Control + Posture: NAC Manager, NAC Server, NAC Agent
• Device Profiling & Provisioning + Identity Monitoring: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
• Guest Lifecycle Management: NAC Guest Server
• ISE (Identity Services Engine) spans the Identity & Access Control, Posture, Profiling and Guest categories

Slide 25: Consolidated Services, Software Packages
• ISE consolidates NAC Manager, ACS, NAC Profiler, NAC Server and NAC Guest
• Flexible Service Deployment: All-in-One HA Pair; Admin Console; Monitoring; Distributed Policy servers (optimize where services run)
• Visibility: User ID, Access Rights, Location, Device (& IP/MAC); track active users & devices
• Simplify Deployment & Admin
• Manage Security Group Access
• System-wide Monitoring & Troubleshooting
• Guest: Manage Guests & Sponsors
• Example SGT egress policy matrix (source role vs. destination group):
  SGT    Public   Private
  Staff  Permit   Permit
  Guest  Permit   Deny
• Keep Existing Logical Design
• Consolidate Data, Three-Click Drill-In

Slide 26: Identity Feature Differentiators
[Figure: Authorized Users (802.1X), IP Phones (MAB & Network Device Profiling) and Guests (Web Auth) connecting to a Cisco® Catalyst® Switch.]
Consistent identity features supported on all Catalyst switch models authenticate authorized users (802.1X), devices (MAB/profiling) and guests (Web Auth).
• Monitor Mode: Delivers visibility by authenticating users/devices (without enforcement)
• Flex Authentication Sequence: Most flexible authentication in the market; automates ports for rolling authentication with a flexible sequence
• IP Telephony Interoperability: Features like multi-domain auth and link state provide authentication for IP telephony environments, or users behind VoIP devices
• VDI Deployment Support: Multi-authentication feature enables authentication of multiple MAC addresses behind a single port

Slide 27
Wired, wireless, VPN user: non-compliant
Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running
Temporary Limited Network Access until remediation is complete

Slide 28
[Figure: Web Auth guests reaching the Internet.]
• Provision: Guest accounts via sponsor portal
• Manage: Sponsor privileges, guest accounts and policies, guest portal
• Notify: Guests of account details by print, email, or SMS
• Guest Policy: Wireless or wired access; Internet-only access
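As an added illustration (not code from the deck or from Cisco), the following Python builds and parses an SGT-tagged Ethernet frame using the CMD fields named on the frame-format slide, and applies the Staff/Guest vs Public/Private egress matrix above. The CMD EtherType and the byte widths of its fields, the SGT numbers standing for the four roles, and the default deny for pairs not in the matrix are assumptions made for this example.

```python
import struct
# Assumed for this example (not from the deck): the Cisco MetaData (CMD) EtherType
# and the byte widths of the CMD fields named on the frame-format slide.
CMD_ETHERTYPE = 0x8909      # CMD EtherType
CMD_VERSION = 1             # Version
CMD_LENGTH = 1              # Length
SGT_OPTION_TYPE = 0x0001    # SGT Opt Type
CMD_FMT = "!HBBHH"          # EtherType, Version, Length, SGT Opt Type, SGT Value (16 bits)

# Egress policy matrix from the deck (Staff/Guest vs Public/Private); the SGT
# numbers standing for the four roles are constructed for the example.
ROLE_OF_SGT = {10: "Staff", 20: "Guest", 30: "Public", 40: "Private"}
SGACL = {
    ("Staff", "Public"): "permit", ("Staff", "Private"): "permit",
    ("Guest", "Public"): "permit", ("Guest", "Private"): "deny",
}

def build_sgt_frame(dst_mac: bytes, src_mac: bytes, sgt: int,
                    inner_ethertype: int, payload: bytes) -> bytes:
    """Tag at ingress: insert the CMD header between the MACs and the original EtherType."""
    if not 0 <= sgt < 2 ** 16:
        raise ValueError("SGT is a 16-bit value")
    cmd = struct.pack(CMD_FMT, CMD_ETHERTYPE, CMD_VERSION, CMD_LENGTH, SGT_OPTION_TYPE, sgt)
    return dst_mac + src_mac + cmd + struct.pack("!H", inner_ethertype) + payload

def parse_sgt_frame(frame: bytes):
    """Return (sgt, inner_ethertype, payload) for a CMD-tagged frame, None for a plain one.
    802.1Q and 802.1AE headers are not handled here."""
    if frame[12:14] != struct.pack("!H", CMD_ETHERTYPE):
        return None                       # plain Ethernet: no SGT carried
    if len(frame) < 22:
        raise ValueError("truncated CMD header")
    _, version, _, opt_type, sgt = struct.unpack(CMD_FMT, frame[12:20])
    if version != CMD_VERSION or opt_type != SGT_OPTION_TYPE:
        raise ValueError("unsupported CMD header")
    return sgt, struct.unpack("!H", frame[20:22])[0], frame[22:]

def egress_decision(src_sgt: int, dst_sgt: int) -> str:
    """Enforce the matrix at egress; pairs not in the matrix are denied (an assumption)."""
    return SGACL.get((ROLE_OF_SGT.get(src_sgt), ROLE_OF_SGT.get(dst_sgt)), "deny")

def cmd_overhead_bytes() -> int:
    """L2 bytes added by the CMD header alone (part of the ~40-byte 802.1AE + TrustSec overhead)."""
    return struct.calcsize(CMD_FMT)

# Constructed sample: a Guest-tagged (SGT 20) IPv4 frame bound for a Private (SGT 40) server.
SAMPLE = build_sgt_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                         20, 0x0800, bytes(20))
SAMPLE_DECISION = egress_decision(parse_sgt_frame(SAMPLE)[0], 40)   # "deny"
```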
• Report: On all aspects of guest accounts

Slide 29: "What is on my Network"
• Reduces MAB effort by identifying more than 90 device categories
• Create policy for users and endpoints, e.g. "Limited access by employee on iPad"
• Confidence-match based on multiple attributes
• Future "template feed"

Slide 30
[Figure: device categories such as Smart Phones, Gaming Consoles and Workstations.]
• Minimum Confidence for a Match
• Multiple Rules to Establish Confidence Level

Slide 31
• Once the device is profiled, it is stored within the ISE for future associations. Example rules leading to the "Apple iPad" profile:
  • Is the MAC Address from Apple?
  • Does the Hostname Contain "iPad"?
  • Is the Web Browser Safari on an iPad?

Slide 32
• NCS: Centralized Monitoring of Wired and Wireless Networking, Users and Endpoints
• ISE: Central Point of Policy for Wired and Wireless Users and Endpoints
• Unified wired and wireless policy (ISE) and management (NCS)

Slide 33
Monitor Mode
• Primary Features: Open mode; Multi-Auth
• Benefits: Unobstructed Access; No Impact on Productivity; Gain Visibility (AAA Logs)
Low Impact Mode
• Primary Features: Open mode; Multi-Domain; Flex Auth (Optional); Port & dACLs
• Benefits: Maintain Basic Connectivity; Increased Access Security; Differentiated Access
High Security Mode
• Primary Features: Traditional Closed Mode; Dynamic VLANs
• Benefits: Strict Access Control
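As an added example (not ISE code and not part of the deck), the following Python implements the confidence-match idea from the profiling slides: each rule adds certainty to a profile, a device is assigned a profile only when the summed certainty reaches that profile's minimum, and the result is stored per MAC for future associations. The profile names, certainty values, the Apple OUI set and the endpoint records are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Attrs = Dict[str, str]  # attributes collected for one endpoint: MAC, DHCP hostname, HTTP User-Agent
Rule = Tuple[int, Callable[[Attrs], bool]]  # (certainty added when the test matches, the test)

@dataclass(frozen=True)
class Profile:
    name: str
    minimum_certainty: int   # "minimum confidence for a match"
    rules: Tuple[Rule, ...]  # "multiple rules to establish confidence level"

APPLE_OUIS = {"3c:07:54", "00:03:93"}  # constructed stand-in for "MAC address is from Apple"
is_apple = lambda a: a.get("mac", "").lower()[:8] in APPLE_OUIS
hostname_ipad = lambda a: "ipad" in a.get("hostname", "").lower()
safari_ipad = lambda a: re.search(r"\(iPad;.*Safari/", a.get("user_agent", "")) is not None
windows_ua = lambda a: "Windows NT" in a.get("user_agent", "")

# Profiles modelled on the deck's iPad rules; profile names and certainty values are assumptions.
PROFILES = (
    Profile("Apple-Device", 10, ((10, is_apple),)),
    Profile("Apple-iPad", 30, ((10, is_apple), (10, hostname_ipad), (20, safari_ipad))),
    Profile("Workstation", 20, ((20, windows_ua),)),
)

def certainty(profile: Profile, attrs: Attrs) -> int:
    """Sum the certainty of every matching rule: several weak rules can add up to a match."""
    return sum(points for points, test in profile.rules if test(attrs))

def profile_endpoint(attrs: Attrs, store: Dict[str, str]) -> Tuple[str, int]:
    """Assign the highest-certainty profile whose own minimum is reached (else "Unknown")
    and remember it per MAC so later sessions reuse the association."""
    best = ("Unknown", 0)
    for p in PROFILES:
        total = certainty(p, attrs)
        if total >= p.minimum_certainty and total > best[1]:
            best = (p.name, total)
    store[attrs.get("mac", "").lower()] = best[0]
    return best

# Constructed attribute records for three endpoints (MACs, hostnames and User-Agents are made up).
ENDPOINTS = {
    "ipad": {"mac": "3C:07:54:AA:BB:CC", "hostname": "alices-iPad",
             "user_agent": "Mozilla/5.0 (iPad; CPU OS 4_3 like Mac OS X) Version/5.0.2 Safari/6533"},
    "mac_only": {"mac": "00:03:93:11:22:33"},
    "pc": {"mac": "00:1a:2b:01:02:03", "hostname": "WS-4421",
           "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) Trident/5.0"},
}
```

A MAC-only record only reaches the generic Apple-Device profile, which shows why the iPad profile needs the hostname and browser rules on top of the OUI.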
Slide 34: Typical TrustSec deployment scenario
Plan in advance and keep the user experience impact to a minimum.
Phases:
1. Planning
2. Proof of Concept
3. Pilot Deployment (size: 1 segment or 1 floor)
4. Expansion (size: multi-floor, building)
5. Services
Steps along the way: Supplicant Provisioning; RADIUS Setup; Switch Setup; No Enforcement (Monitor Mode); Review & Adjust; Enforcement (Low Impact Mode); Review & Adjust

Slide 35
• One policy for wired, wireless and VPN
• Integrated lifecycle services (posture, profiling, guest)
• Differentiated identity features (monitor mode, flex auth, multi-auth, ...)
• Phased approach to deployments, i.e. monitor mode
• Flexible and scalable authorization options
• Encryption to protect communications and SGT tags

Slide 36
• Trustsec.cisco.com
• www.cisco.com/go/trustsec

Slide 37
• http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNSTechnical-Review.pdf
• http://en.wikipedia.org/wiki/IEEE_802.1X
• http://www.networkworld.com/news/2010/0506whatisit.html
• http://www.ieee802.org/1/pages/802.1x.html

Slide 38
• http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html
• https://videosharing.cisco.com/vportal/VideoPlayer.jsp?ccsid=C-9323e79a0395-475c-9c65-27f6e6afff3b:1#
• http://en.wikipedia.org/wiki/IEEE_802.1AE
• http://www.ieee802.org/1/pages/802.1ae.html
• http://www.networkworld.com/details/7593.html