BRKSEC-2044 Building An Enterprise Access Control Architecture Using ISE and TrustSec
Imran Bashir
Technical Marketing Engineer
#clmel
Introduction
Session Abstract
Tomorrow's requirement to network the Internet of Things requires an access control architecture that contextually regulates who and what is allowed onto the network. Identity Service Engines (ISE) plays a central role in providing network access control for Wired, Wireless and VPN networks. In addition, ISE is the policy control point for TrustSec, which controls access from the network edge to resources.

This session will focus on: 1. Emerging business requirements and ISE services such as: Guest, profiling, posture, BYOD and MDM. 2. Secure policy based access control including 802.1X, MAB, Web Authentication, and certificates/PKI. The session will show you how to expand policy decisions to include contextual information gathered from profiling, posture assessment, location, and external data stores such as AD and LDAP. 3. Enforcing network access policy through conventional means such as VLANs and ACLs and emerging technologies such as TrustSec.

Cisco TrustSec technology is used to segment the campus and data centre to increase security and drive down the operational expenses associated with managing complex ACL firewall rule tables and ACL lists. This session is an introduction to the following advanced sessions: BRKSEC-3699; BRKSEC-3698; BRKSEC-3690; TECSEC-3691.

Agenda: Introduction; Profiling; AAA (802.1x & MAB); ISE Guest & Employee WebAuth; Compliance (Desktop Posture, BYOD & MDM); PxGrid; TrustSec; ISE Deployment
BRKSEC-2044 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
IT Trends of Securing Access
• Antivirus software installed
• Operating system patches up-to-date
• BYOD for productivity and personalisation
• Average worker with 3 devices
• ~7 Billion connected devices
• Over 15 Billion devices by 2015
• 71% mobile video traffic in 2016
• 2/3 of workers in cloud by 2016
• 50% of workloads are virtualised
• Mobile Malware doubled
ISE Provides ONE Policy for Unified Access
ONE MANAGEMENT: Single Plane of Glass Management with Cisco Prime
ONE NETWORK: Integrated Wired and Wireless in ONE Physical Infrastructure, with ONE Operating System & Open APIs (Cisco Unified Access)
ONE POLICY: Cisco ISE delivers a Consistent Secure Access Policy built on network and partner context data: Who, What, Where, When, How
The Importance of Contextual Identity
Profiling
• What ISE Profiling is:
– Dynamic classification of every device that connects to network using the infrastructure.
– Provides the context of “What” is connected independent of user identity for use in access policy decisions
(Figure: device classes PCs and Non-PCs such as UPS, Phone, Printer, AP. How?)
Profiling Non-User Devices
Dynamic Population of MAB Database Based on Device Type
(Figure: Access Switch with ISE. Cameras = Video VLAN; UPS = Management_Only dACL; Management)
Profiling User Devices
Differentiated Access Based on Device Type
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
(Figure: WLAN Controller with Corp, Guest and Marketing networks and ISE)
Kathy + Corp Laptop = Full Access to Marketing VLAN (VLAN = Marketing)
Kathy + Personal Tablet / Smartphone = Limited Access (Internet Only) (Named ACL = Internet_Only)
Profiling Technology
How Do We Classify a Device?
Profiling Policy Overview
Profile Policies Use a Combination of Conditions to Identify Devices
Example conditions: DHCP:host-name CONTAINS iPad; IP:User-Agent CONTAINS iPad
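The slide gives two conditions (DHCP:host-name CONTAINS iPad, IP:User-Agent CONTAINS iPad) and says profiles combine them. The example below is added here and is not code from the session or from ISE: it models a small hierarchical profiling policy with per-condition certainty factors, a minimum certainty per profile, and the rule that a child profile only matches when its parent did. The profile names, certainty values and endpoint records are constructed for illustration; the attribute names follow the dictionary:attribute form shown on the slide.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed endpoint attribute records, keyed by MAC, in the "dictionary:attribute"
# form that ISE profiling conditions use (DHCP:host-name, IP:User-Agent, ...).
SAMPLE_ENDPOINTS = {
    "44:6D:77:B4:FD:01": {
        "MAC:OUI": "Apple, Inc.",
        "DHCP:host-name": "Kathys-iPad",
        "IP:User-Agent": "Mozilla/5.0 (iPad; CPU OS 8_1 like Mac OS X)",
    },
    "00:21:55:D6:01:33": {
        "MAC:OUI": "Cisco Systems, Inc",
        "DHCP:host-name": "SEP002155D60133",
        "CDP:cdpCachePlatform": "Cisco IP Phone CP-7945G",
    },
    "00:0C:29:AA:BB:CC": {
        "MAC:OUI": "VMware, Inc.",
        "DHCP:host-name": "lab-vm-07",
    },
}


@dataclass(frozen=True)
class Condition:
    attribute: str   # e.g. "DHCP:host-name"
    operator: str    # CONTAINS, EQUALS or STARTSWITH
    value: str
    certainty: int   # certainty factor added when the condition matches

    def matches(self, attrs):
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        a, v = actual.lower(), self.value.lower()
        if self.operator == "CONTAINS":
            return v in a
        if self.operator == "EQUALS":
            return a == v
        if self.operator == "STARTSWITH":
            return a.startswith(v)
        raise ValueError(f"unknown operator {self.operator}")


@dataclass(frozen=True)
class Profile:
    name: str
    parent: Optional[str]
    min_certainty: int
    conditions: tuple


# Constructed profile hierarchy (names and certainty values are illustrative,
# not the ISE profiler feed). Parents are listed before their children.
PROFILES = (
    Profile("Apple-Device", None, 10, (Condition("MAC:OUI", "CONTAINS", "Apple", 10),)),
    Profile("Apple-iPad", "Apple-Device", 20, (
        Condition("DHCP:host-name", "CONTAINS", "iPad", 10),
        Condition("IP:User-Agent", "CONTAINS", "iPad", 20),
    )),
    Profile("Cisco-Device", None, 10, (Condition("MAC:OUI", "CONTAINS", "Cisco", 10),)),
    Profile("Cisco-IP-Phone", "Cisco-Device", 20, (
        Condition("CDP:cdpCachePlatform", "CONTAINS", "IP Phone", 20),
        Condition("DHCP:host-name", "STARTSWITH", "SEP", 10),
    )),
    Profile("VMWare-Device", None, 10, (Condition("MAC:OUI", "CONTAINS", "VMware", 10),)),
)


def score(profile, attrs):
    """Sum the certainty factors of every matching condition of one profile."""
    return sum(c.certainty for c in profile.conditions if c.matches(attrs))


def classify(attrs, profiles=PROFILES):
    """Return (profile name, certainty) of the deepest matching profile, or ("Unknown", 0).

    A child profile is only considered when its parent matched, so an endpoint
    that spoofs a host-name alone cannot land in a vendor-specific profile.
    """
    by_name = {p.name: p for p in profiles}
    matched = {}
    for p in profiles:
        if p.parent is not None and p.parent not in matched:
            continue
        total = score(p, attrs)
        if total >= p.min_certainty:
            matched[p.name] = total

    def depth(name):
        return 0 if by_name[name].parent is None else 1 + depth(by_name[name].parent)

    if not matched:
        return ("Unknown", 0)
    best = max(matched, key=lambda n: (depth(n), matched[n]))
    return (best, matched[best])


def classify_all(endpoints=SAMPLE_ENDPOINTS):
    return {mac: classify(attrs) for mac, attrs in endpoints.items()}
```

Host-name and User-Agent are supplied by the endpoint itself, so in a real policy the higher-weight conditions belong on infrastructure-observed data (OUI, CDP/LLDP, DHCP fingerprint) and endpoint-supplied strings only add certainty on top.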
Device Sensor in Action
# show device-sensor cache all
Switch Device Sensor Cache
(Output partly reproduced on the slide: an entry for host SEP002155D60133 at 10.100.15.100 with the learned platform string "Cisco Systems, Inc. IP Phone CP-7945G")
ISE Profiling result for SEP002155D60133 (screenshot)
Device Profile Feed Service
Another Cisco Innovation and Industry First!
ISE is a Standards-Based AAA Server
Access Control System Must Support All Connection Methods
(Figure: wired, wireless and VPN (SSL / IPsec) access methods, all managed with Cisco Prime)
Authentication and Authorisation
What’s the Difference?
Authentication: Who/what the endpoint is.
Authorisation: What the endpoint has access to.
Separation of Authentication and Authorisation
(Figure: a Condition selects a Policy Set; each Policy Set holds an Authentication Policy and an Authorisation Policy, grouped per set)
Tree View
(Figure: each authentication rule specifies the allowed AuthC Protocols and the Identity Store)
Authentication Rules
Choosing the Right ID Store
(Figure: Authentication Options)
Integrating My Identity Stores
Local / LDAP / AD / RADIUS / Token Servers
• Microsoft AD Servers 2003-2012.
• LDAPv3-Compliant Servers
• External RADIUS Servers
• RSA and RFC-2865-Compliant One-Time Password/Token Servers
• Certificate Servers
• Identity Sequences
(Figure: ISE Policy Server fronting wired, wireless and VPN access, managed with Cisco Prime)
Multi–Forest Active Directory Support
ISE 1.3 is designed for growing businesses. With support for multiple Active Directory domains, ISE 1.3 enables authentication and attribute collection across the largest enterprises.
(Figure: example-1.com … example-n.com)
AD Authentication Flow
AuthC Policy → Identity Rewrite (Optional) → Scope (Optional) → AD Join Point → AD Domain List (Optional) → Target AD
Test Authentication
(Screenshots: the test can run from scope level)
Authorisation Rules (screenshot)
What About That 3rd “A” in “AAA”?
Accounting
Detailed Visibility into Passed/Failed Attempts (screenshot)
Detailed Visibility into All Active Sessions and Access Policy Applied (screenshot)
Let’s Begin by Securing User Access with 802.1X
IT Mgr.: “I’ve done my homework in Proof of Concept Lab and it looks good. I’m turning on 802.1X tomorrow…”
Enabled 802.1X
User: “I can’t connect to my network. It says Authentication failed but I don’t know how to fix. My presentation is in 2 hours…”
Monitor Mode
A Process, Not Just a Command
Interface Config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
• Enables 802.1X authentication on the switch, but even failed authentication will gain access
• Allows network admins to see who would have failed, and fix it, before causing a Denial of Service
(Figure: Pre-AuthC and Post-AuthC the switchport is Permit All: DHCP, TFTP, KRB5, HTTP and EAPoL traffic always allowed)
AuthC = Authentication; AuthZ = Authorisation
Low-Impact Mode
If Authentication is Valid, Then Specific Access!
(Figure: Pre-AuthC the switchport permits only DHCP, TFTP, KRB5, HTTP and EAPoL; Post-AuthC it permits the session's traffic, e.g. RDP, KRB5, HTTP, under Some Role-Based ACL with an SGT applied)
Closed Mode
No Access Prior to Login, Then Specific Access!
(Figure: Pre-AuthC only EAPoL reaches the switchport; Post-AuthC DHCP, TFTP, KRB5 and HTTP are permitted and an SGT is applied)
MAC Authentication Bypass (MAB)
What is it?
• A list of MAC Addresses that are allowed to “skip” authentication
• Is this a replacement for 802.1X?
– No Way!
• This is a “Band-aid”
– In a Utopia, ALL devices authenticate.
• List may be Local or Centralised
– Can you think of any benefits to a centralised model?
One MAB For All
ISE and 3rd-Party MAB Support
• MAC Authentication is NOT a defined standard.
• Cisco uses the Service-Type = Call-Check to detect MAB and uses Calling-Station-ID for host lookup in identity store.
• Most 3rd parties use Service-Type = Login for 802.1X, MAB and WebAuth
– Some 3rd Parties do not populate Calling-Station-ID with MAC address.
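The slide says MAB detection hinges on RADIUS attributes (Service-Type = Call-Check on Cisco gear, Service-Type = Login on many third-party switches, and a Calling-Station-ID that may or may not hold the MAC). The example below is added here and is not code from the session or from ISE: it parses a minimal RFC 2865 Access-Request, normalises the MAC formats seen on the wire, and classifies the request the way the slide describes. The fallback of treating a MAC-shaped User-Name under Service-Type = Login as MAB is this example's heuristic, not an ISE setting; the packets are constructed samples.

```python
import re
import struct

# RADIUS constants (RFC 2865): packet code and attribute types used below.
ACCESS_REQUEST = 1
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, EAP_MESSAGE = 1, 6, 31, 79
SERVICE_LOGIN, SERVICE_CALL_CHECK = 1, 10   # Service-Type values Login-User / Call-Check

_MAC_FORMS = (
    re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.I),    # 00:21:55:d6:01:33 / 00-21-...
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I),  # 0021.55d6.0133 (Cisco dotted)
    re.compile(r"^[0-9a-f]{12}$", re.I),                           # 002155d60133
)


def normalise_mac(text):
    """Return the MAC as lower-case colon form, or None if text is not a MAC at all."""
    text = text.strip()
    if not any(p.match(text) for p in _MAC_FORMS):
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_access_request(attrs, identifier=1):
    """Encode a minimal Access-Request; integer values become 4-byte attributes.
    The 16-byte Request Authenticator is zeroed (constructed sample only)."""
    body = b""
    for typ, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        body += struct.pack("!BB", typ, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Walk the attribute TLVs; reject truncated or malformed lengths instead of guessing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(typ, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def classify_request(packet):
    """Return (method, mac) describing how an Access-Request should be handled."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        return ("not-access-request", None)
    service = struct.unpack("!I", attrs[SERVICE_TYPE][0])[0] if SERVICE_TYPE in attrs else None
    user = attrs.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    csid = attrs.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace")
    if EAP_MESSAGE in attrs:                        # any EAP payload means 802.1X
        return ("802.1X", normalise_mac(csid))
    if service == SERVICE_CALL_CHECK:               # Cisco: Call-Check marks MAB and the
        mac = normalise_mac(csid)                   # host is looked up by Calling-Station-ID
        return ("MAB", mac) if mac else ("MAB-rejected: no MAC in Calling-Station-ID", None)
    if service == SERVICE_LOGIN:                    # 3rd party: Login for everything, so a
        mac = normalise_mac(user)                   # MAC-shaped User-Name is taken as MAB
        if mac:
            return ("MAB (3rd-party)", mac)
        return ("WebAuth/Login", normalise_mac(csid))
    return ("other", normalise_mac(csid))


def sample_requests():
    """Constructed packets for the cases discussed on the slide."""
    return {
        "cisco_mab": build_access_request([(USER_NAME, b"002155d60133"), (SERVICE_TYPE, SERVICE_CALL_CHECK),
                                           (CALLING_STATION_ID, b"00-21-55-D6-01-33")]),
        "dot1x": build_access_request([(USER_NAME, b"kathy@example.com"), (SERVICE_TYPE, 2),
                                       (CALLING_STATION_ID, b"44-6D-77-B4-FD-01"),
                                       (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01kathy")]),
        "thirdparty_mab": build_access_request([(USER_NAME, b"0021.55d6.0133"), (SERVICE_TYPE, SERVICE_LOGIN),
                                                (CALLING_STATION_ID, b"10.1.20.5")]),
        "webauth": build_access_request([(USER_NAME, b"guest42"), (SERVICE_TYPE, SERVICE_LOGIN),
                                         (CALLING_STATION_ID, b"44:6D:77:B4:FD:01")]),
    }
```

The third-party branch is where a policy server has to be careful: once a Login request with a MAC-looking User-Name is accepted as MAB, the authorisation rules for MAB should grant only what a MAC lookup deserves, since a MAC is an identifier, not a credential.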
Handling Guests and Employees Without 802.1X
Guest Users
(Figure: Employee and Guest login forms)
Network Access for Guests and Employees
• Unifying network access for guest users and employees
(Figure: on wireless, Guest and Contractor use the Guest SSID while Employee uses the Corp SSID; on wired, IP Phone, Printer, Employee Desktop and Guest share the same ports)
On wireless: Using multiple SSIDs; Open SSID for Guest
On wired: No notion of SSID; Unified port: Need to use different auth methods on single port ► Enter Flex Auth
Flex Auth
Converging Multiple Authentication Methods on a Single Wired Port
Interface Config:
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
 !
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
(Figure: 802.1X → on Timeout/failure → MAB → on Timeout/Failure → WebAuth)
CWA Flow
Tracking session ID provides support for session lifecycle management including CoA.
Redirect URL: https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cwa
(Figure: endpoint connects to WLAN=Corp; the controller tries MAB and ISE answers with a URL redirect to the guest portal carrying the session ID)
CoA allows re-authentication to be processed based on new endpoint identity context.
(Figure: after the portal login the ISE Policy Server sends CoA; the Existing Session now matches the Employee Policy = Remove Redirect + ACL permit ip any any)
A Systems Approach
Switch/Controller is the Enforcement Point
URL Redirection
ISE uses URL Redirection for:
• Central Web Auth
• Client Software Provisioning
• Posture Discovery / Assessment
• Device Registration WebAuth
• BYOD On-Boarding
• Certificate Provisioning
• Supplicant Configuration
• Mobile Device Management
• External Web Pages
Session ID
Glue That Binds Client Session to Access Device and ISE
(Figure: the RADIUS session ID is shared by the client session, the access device and ISE)
CoA from Live Sessions Log (screenshot)
ISE for Guest Access Management
Automate and Control the Entire Guest Lifecycle
Cisco ISE Guest
All New Guest Admin Experience
• Setup a Guest experience in 5 minutes!
• Flow Visualiser: see what guests will experience
• Customisation Preview: See your customisation real time
Branded Guest Receipts & Notifications
Guest Receipts with Your Brand
Whether you’re delivering guest credentials on the printed page, over email or SMS, ISE makes it easy to deliver your complete branded experience.
Email Notifications
Do you have Guests visiting? Send them login credentials before they even arrive!
(Example notification: “Your credentials: username: trex42, password: littlearms”)
SMS Notifications
Send credentials directly to a guest’s mobile phone.
Sponsor Portal
Branding with Themes!
Themes give you complete control over the look and feel of your sponsor Portal. Use our out-of-the-box themes or create your own using ThemeRoller for jQuery Mobile or standard CSS.
Mobile Sponsors
You are free to move about the cabin! Create and manage guest accounts from your mobile phone or tablet.
Basic Supported Guest Flows
1. Hotspot
2. Self Service
3. Self Service Sponsor Approved
4. Sponsored
Hotspot
Guest Flow #1
(Figure: the guest accepts the Acceptable Use Policy (“I promise to be good.” / I Agree); the device MAC 44:6D:77:B4:FD:01 is remembered until the Day Ends)
Goal: Get them on the Internet with AUP acceptance no matter who they are and remember who they are next time so you don’t get in their way.
Secret Code Controls Access to Guest Wi-Fi (screenshot)
Self Service with Email Verification
Guest Flow #2
(Figure: self-registration form; example account hansolo / nerfherder)
Self Service with SMS
Guest Flow #2
(Figure: registration form with optional fields, e.g. “Visiting email?”)
Approving Self Registration Requests
(Figure: sponsor approval on Desktop and Mobile)
Sponsored Flow
Guest Flow #4
Guest: “Hi! Can I get on your Wi-Fi?”
Sponsor: “Sure. I just need a little information.” (Print, email & SMS credentials.)
Guest: “Cool!”
Pre-Expiration Notification
(Figure: notification on Desktop and Mobile)
Posture Assessment
Does the Device Meet Security Requirements?
ISE Posture Assessment
(Figure: the posture flow)
1. Authenticate: AuthC User, AuthC Endpoint
2. Posture = Unknown/Non-compliant → Quarantine: dVLAN, dACLs, SGT
3. Posture Assess: OS Hotfix, AV / AS, Personal FW, Etc…
4. Remediate: WSUS, Launch App, Scripts, More…
5. Posture = Compliant → Authorise: Permit Access (dACL, dVLAN, SGT, Etc…)
ISE – Posture Policies
Employee Policy (Employees):
• Microsoft patches updated
• Trend Micro AV installed, running, and current
• Corp asset checks
• Enterprise application running
Contractor Policy (Contractors):
• Any AV installed, running, and current
Guest Policy (Guests): Accept AUP (No posture - Internet Only)
Posture Flow
If Posture Status = Unknown/Non-Compliant, then Redirect to ISE for Posture Assessment
If Posture Agent not deployed, then provision Web Agent or Persistent NAC Agent
Redirect URL: https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=cpp
(Figure: VPN posture flow. The remote user connects through the ASA with Limited Access; the Posture Agent reports to the ISE Policy Server. A Non-Compliant endpoint can reach only the Remediation Servers (Microsoft.com Windows Updates, Cisco.com, AV Server). Once Posture Compliant, ISE sends CoA to the ASA and the session gets Full Access to the Intranet Server and Database.)
Versions shown: ASA 9.2.1, ISE 1.2 Patch 5, AnyConnect 3.1 mr6
Limited Access → Posture Assessment → Posture Compliant → Full Access
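The two slides above give three posture policies (Employee, Contractor, Guest) and the rule that Unknown or Non-Compliant status is redirected for assessment while Compliant gets full access. The example below is added here and is not code from the session or from the ISE posture agent: it evaluates a constructed agent report against those policies, lists the failed requirements with remediation hints, and maps the resulting status onto the access outcome. The report keys, remediation texts and sample reports are constructed.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Requirement:
    name: str                      # wording taken from the slide
    check: Callable[[dict], bool]  # predicate over the agent's posture report
    remediation: str               # constructed remediation hint


def av_ok(report, vendor=None):
    """AV installed, running and current (optionally a specific vendor)."""
    av = report.get("av") or {}
    return (bool(av) and av.get("running") is True and av.get("definitions_current") is True
            and (vendor is None or av.get("vendor") == vendor))


# Posture policies transcribed from the slide; report keys are constructed.
POLICIES = {
    "Employee": (
        Requirement("Microsoft patches updated",
                    lambda r: r.get("os_patches_current") is True, "Run Windows Update / WSUS"),
        Requirement("Trend Micro AV installed, running, and current",
                    lambda r: av_ok(r, "Trend Micro"), "Launch or update the Trend Micro agent"),
        Requirement("Corp asset checks",
                    lambda r: r.get("corp_asset_tag") is not None, "Device is not a registered corporate asset"),
        Requirement("Enterprise application running",
                    lambda r: "corp-app" in r.get("running_apps", ()), "Launch the enterprise application"),
    ),
    "Contractor": (
        Requirement("Any AV installed, running, and current", av_ok, "Install or update an antivirus product"),
    ),
    "Guest": (),   # No posture: Accept AUP, Internet Only
}


def assess(role, report):
    """Return (posture status, failed requirement names, remediation hints)."""
    if role not in POLICIES:
        raise ValueError(f"no posture policy for role {role!r}")
    if report is None:               # no agent has reported yet
        return ("Unknown", [], ["Provision Web Agent or Persistent NAC Agent"])
    failed = [q for q in POLICIES[role] if not q.check(report)]
    status = "Compliant" if not failed else "NonCompliant"
    return (status, [q.name for q in failed], [q.remediation for q in failed])


def authorise(role, status):
    """Access result per the flow: Unknown/NonCompliant are redirected to ISE for assessment."""
    if role == "Guest":
        return "Internet Only (AUP)"
    if status == "Compliant":
        return "Full Access"
    return "Limited Access + redirect (action=cpp)"


SAMPLE_REPORTS = {  # constructed agent reports
    "employee_good": {"os_patches_current": True, "corp_asset_tag": "CORP-0042",
                      "running_apps": ["corp-app", "outlook"],
                      "av": {"vendor": "Trend Micro", "running": True, "definitions_current": True}},
    "employee_wrong_av": {"os_patches_current": True, "corp_asset_tag": "CORP-0043",
                          "running_apps": ["corp-app"],
                          "av": {"vendor": "Other AV", "running": True, "definitions_current": True}},
    "contractor_good": {"av": {"vendor": "Other AV", "running": True, "definitions_current": True}},
    "contractor_stale": {"av": {"vendor": "Other AV", "running": True, "definitions_current": False}},
}
```

Note that a missing report is treated as Unknown rather than Compliant, which is what keeps an endpoint without an agent on the limited-access path until provisioning has happened.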
BYOD
Onboarding Personal Devices
Registration, Certificate and Supplicant Provisioning
(Figure: MyDevices Portal → Device Onboarding → Certificate Provisioning → Supplicant Provisioning)
Provisions device Certificates.
‒ Based on Employee-ID & Device-ID.
Provisions Native Supplicants:
‒ Windows: XP, Vista, 7 & 8
‒ Mac: OS X 10.6, 10.7, 10.8, 10.9 & 10.10
‒ iOS: 4, 5, 6, 7 & 8
‒ Android – 2.2 and above
‒ 802.1X + EAP-TLS, PEAP & EAP-FAST
Walk Through BYOD Onboarding (screenshots)
Java-Less Provisioning
(Figure: the provisioning app Downloads as DMG; Double-Click to Run App)
Certificate Renewals (1.2.1)
(Table: Works / Comments per platform)
Before Expiry: iOS, Android, Windows, MAC-OSX
After Expiry:
‒ iOS
‒ Android
‒ Windows: Supplicant will not use an expired cert
‒ MAC-OSX: Not tested yet
Allowing Expired Certificates (1.2.1) (screenshot)
Redirect Expired Certs (1.2.1)
(Figure: separate redirect rules for Windows and Everything Else)
Certificate Renewal: Optional Message (1.2.1) (screenshot)
Single Versus Dual SSID Provisioning
• Single SSID
– Start with 802.1X on one SSID using PEAP
– End on same SSID with 802.1X using EAP-TLS
WLAN Profile: SSID = BYOD-Closed, EAP-TLS, Certificate=MyCert
• Dual SSID
– Start with CWA on one SSID: SSID = BYOD-Open (MAB / CWA)
– End on different SSID with 802.1X using PEAP or EAP-TLS
WLAN Profile: SSID = BYOD-Closed, PEAP or EAP-TLS, (Certificate=MyCert)
Client Provisioning Policy (screenshot)
BYOD Policy in ISE (screenshot)
ISE BYOD Certificate Configuration
SCEP Enrollment Profile and CA Certificate Import (screenshot)
ISE 1.3: Internal Certificate Authority
Simplifying certificate management for BYOD devices
• Managing certificates for BYOD adds significant complexity and expense when using Microsoft Public Key Infrastructure. The ISE Certificate Authority is designed to work in concert with your existing PKI to simplify BYOD deployments.
(Figure: optional Enterprise CA with the ISE CA as Subordinate)
*Designed for BYOD and MDM use-cases only, not a general purpose CA
PKI Hierarchy and Roles
• Primary PAN is Root CA for ISE deployment
• All PSNs are Subordinate CAs to PAN; PSNs are SCEP Registration Authorities (RAs)
• ISE PAN may be Subordinate to an existing Root CA or may be Standalone Root.
• Promotion of Standby PAN:
– Will not have any effect on operation of the subordinate CAs.
– For Standby to become Root CA must manually install the Private/Public keys from Primary PAN.
(Figure: Enterprise Root (optional) → Primary PAN (ISE CA) with Standby PAN → PSNs, each a Subordinate CA and SCEP RA)
Native Supplicant Profile (screenshot)
Certificate Template(s)
• Define Internal or External CA
• Set the Key Sizes
• SAN Field Options: UUID, DNS Name, MAC Address, Serial # (No Free-Form Input)
• Set length of validity
Revoke Certificates from ISE
ISE is OCSP Responder for cert validation – no CRL Lists!
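The certificate template slide lists what the template fixes (CA, key sizes, a closed set of SAN field options with no free-form input, validity length), and the renewal slides note that a Windows supplicant will not use an expired certificate. The example below is added here and is not code from the session or from the ISE CA: it validates a BYOD enrolment request against such a template, so that only the template's SAN field types are accepted, each value is checked against the format its type implies, and the lifetime comes from the template rather than the requester. The template values, request fields and the 30-day renewal window are assumptions for illustration.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Template modelled on the slide's options: CA (Internal or External), key sizes,
# SAN field options (UUID, DNS Name, MAC Address, Serial #; no free-form input)
# and validity length. The concrete values are constructed.
BYOD_TEMPLATE = {
    "ca": "Internal",
    "key_sizes": (2048, 4096),
    "san_fields": ("UUID", "DNS Name", "MAC Address", "Serial #"),
    "validity_days": 730,
}


def _is_uuid(value):
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


# One format check per SAN option, so a value can only be what its field claims.
SAN_FORMATS = {
    "UUID": _is_uuid,
    "DNS Name": lambda v: len(v) <= 253 and re.fullmatch(
        r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", v, re.I) is not None,
    "MAC Address": lambda v: re.fullmatch(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}", v, re.I) is not None,
    "Serial #": lambda v: re.fullmatch(r"[A-Za-z0-9-]{4,32}", v) is not None,
}


def validate_request(request, template=BYOD_TEMPLATE, now=None):
    """Check an enrolment request against the template.

    request = {"subject_cn": str, "key_size": int, "san": [(field, value), ...]}
    Returns (ok, errors, not_after); not_after is fixed by the template, never by the requester.
    """
    errors = []
    if request.get("key_size") not in template["key_sizes"]:
        errors.append(f"key size {request.get('key_size')} not allowed by template")
    if not re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", request.get("subject_cn", "")):
        errors.append("subject CN missing or contains disallowed characters")
    sans = request.get("san", [])
    if not sans:
        errors.append("at least one SAN entry is required")
    for field, value in sans:
        if field not in template["san_fields"]:
            errors.append(f"SAN field {field!r} is not offered by the template (no free-form input)")
        elif not SAN_FORMATS[field](value):
            errors.append(f"SAN {field} value {value!r} is malformed")
    if "validity_days" in request:   # a requester-supplied lifetime is flagged, not honoured
        errors.append("validity is set by the template, not the request")
    now = now or datetime.now(timezone.utc)
    not_after = now + timedelta(days=template["validity_days"])
    return (not errors, errors, not_after)


def renewal_state(not_after, now, window_days=30):
    """'valid', 'renew' inside the pre-expiry window (assumed 30 days), or 'expired'."""
    if now >= not_after:
        return "expired"
    if now >= not_after - timedelta(days=window_days):
        return "renew"
    return "valid"


def demo():
    """Run two constructed requests at a fixed clock; returns plain values."""
    now = datetime(2015, 3, 1, tzinfo=timezone.utc)
    good = {"subject_cn": "kathy@example.com", "key_size": 2048,
            "san": [("UUID", "123e4567-e89b-12d3-a456-426614174000"), ("MAC Address", "44:6D:77:B4:FD:01")]}
    bad = {"subject_cn": "kathy", "key_size": 1024, "san": [("Email", "kathy@example.com")],
           "validity_days": 3650}
    ok1, errs1, na1 = validate_request(good, now=now)
    ok2, errs2, _ = validate_request(bad, now=now)
    return {
        "good_ok": ok1, "good_errors": len(errs1), "good_not_after": na1.date().isoformat(),
        "bad_ok": ok2, "bad_errors": len(errs2),
        "states": (renewal_state(na1, now), renewal_state(na1, now + timedelta(days=710)),
                   renewal_state(na1, now + timedelta(days=731))),
    }
```

The point of the per-field format checks is the slide's "No Free-Form Input": an RA that accepted arbitrary SAN strings would let an enrolling device claim a name it does not own, so every SAN value is constrained to the shape of the field the template offers.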
ISE Integration with 3rd-Party MDM Vendors
• MDM device registration via ISE
– Non registered clients redirected to MDM registration page
• Restricted access
– Non compliant clients will be given restricted access based on policy
Sample Authorisation Policy
Combining BYOD + MDM
Example conditions: MDM:DeviceRegistrationStatus EQUALS UnRegistered; MDM:DeviceCompliantStatus EQUALS NonCompliant
MDM Flow
If MDM Registration Status EQUALS UnRegistered, then Redirect to MDM for Enrollment
If MDM Compliance Status EQUALS NonCompliant, then Redirect to MDM for Compliance
Redirect URL: https://ise.company.com:8443/guestportal/gateway?sessionId=0A010A...73691A&action=mdm
(Figure: the device connects to WLAN=Corp; the ISE Policy Server authenticates it, queries the Cloud MDM over the MDM API and redirects to Google Play/AppStore for the MDM agent)
MDM options available from ISE:
• Edit
• Reinstate
• Lost?
• Delete
• Full Wipe
• Corporate Wipe
• PIN Lock
Reporting
Mobile Device Management Report (screenshot)
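The CWA, posture and MDM flows earlier in the deck all share one mechanism: ISE returns a redirect to the portal gateway with the session ID and an action (cwa, cpp, mdm), the portal result is bound back to the original RADIUS session by that ID, and a CoA re-authentication re-runs the authorisation rules with the new context. The example below is added here and is not code from the session or from ISE: it builds and parses those redirect URLs, evaluates an ordered rule table that uses the MDM attribute names from the sample authorisation policy, and simulates the portal callback plus CoA. The rule names, their order, the session IDs and the portal-callback check are constructed; only the portal path and the attribute names come from the slides.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_BASE = "https://ise.company.com:8443/guestportal/gateway"   # portal path from the slides
REDIRECT_ACTIONS = ("cwa", "cpp", "mdm")   # Central Web Auth, client provisioning/posture, MDM


def redirect_url(session_id, action):
    if action not in REDIRECT_ACTIONS:
        raise ValueError(f"unknown redirect action {action!r}")
    if not re.fullmatch(r"[0-9A-Fa-f]{8,64}", session_id):
        raise ValueError("session id must be a hex string")
    return f"{PORTAL_BASE}?{urlencode({'sessionId': session_id, 'action': action})}"


def parse_redirect(url):
    """Recover (sessionId, action) from a redirect URL; rejects foreign hosts or paths."""
    parts, base = urlsplit(url), urlsplit(PORTAL_BASE)
    if (parts.scheme, parts.netloc, parts.path) != (base.scheme, base.netloc, base.path):
        raise ValueError("not an ISE portal URL")
    q = parse_qs(parts.query)
    sid, action = q.get("sessionId", [None])[0], q.get("action", [None])[0]
    if sid is None or action not in REDIRECT_ACTIONS:
        raise ValueError("missing sessionId or action")
    return sid, action


# Ordered authorisation rules, first match wins. Names and order are constructed;
# the MDM conditions use the attribute names shown on the sample policy slide.
RULES = (
    ("MDM_Unregistered", lambda s: s["auth"] == "802.1X"
     and s.get("MDM:DeviceRegistrationStatus") == "UnRegistered", {"access": "limited", "redirect": "mdm"}),
    ("MDM_NonCompliant", lambda s: s["auth"] == "802.1X"
     and s.get("MDM:DeviceCompliantStatus") == "NonCompliant", {"access": "limited", "redirect": "mdm"}),
    ("Posture_Pending", lambda s: s["auth"] == "802.1X"
     and s.get("PostureStatus") in ("Unknown", "NonCompliant"), {"access": "limited", "redirect": "cpp"}),
    ("Employee", lambda s: s.get("group") == "Employees" and (s["auth"] == "802.1X" or s.get("portal_user")),
     {"access": "full", "redirect": None, "dacl": "permit ip any any"}),
    ("Guest_After_CWA", lambda s: s["auth"] == "MAB" and s.get("portal_user") and s.get("group") == "Guests",
     {"access": "internet-only", "redirect": None}),
    ("CWA_Redirect", lambda s: s["auth"] == "MAB" and not s.get("portal_user"),
     {"access": "limited", "redirect": "cwa"}),
    ("Default_Deny", lambda s: True, {"access": "deny", "redirect": None}),
)


def authorise(session):
    """Evaluate the rule table for one session; adds the redirect URL when a rule redirects."""
    for name, cond, result in RULES:
        if cond(session):
            out = dict(result, rule=name)
            session["expected_action"] = result["redirect"]   # remembered for the portal callback
            if result["redirect"]:
                out["url"] = redirect_url(session["id"], result["redirect"])
            return out
    raise AssertionError("rule table has no default")


def portal_login(sessions, url, user, group):
    """Portal callback: the sessionId in the URL binds the login to the original RADIUS session,
    then a simulated CoA re-runs the policy with the new identity context."""
    sid, action = parse_redirect(url)
    if sid not in sessions or sessions[sid].get("expected_action") != action:
        raise ValueError("unknown or stale session id")   # never create a session from a portal hit
    sessions[sid].update(portal_user=user, group=group)
    return authorise(sessions[sid])


def demo():
    """Walk the MAB→CWA→CoA path and two 802.1X cases; all session ids are constructed."""
    sid = "0A010A0B0000002573691A"
    sessions = {sid: {"id": sid, "auth": "MAB"}}
    first = authorise(sessions[sid])                                   # MAB, no portal login yet
    after = portal_login(sessions, first["url"], "kathy", "Employees")  # employee logged in via CWA
    byod = authorise({"id": "0A010A0B00000026FFFF01", "auth": "802.1X", "group": "Employees",
                      "MDM:DeviceRegistrationStatus": "UnRegistered"})
    posture = authorise({"id": "0A010A0B00000027FFFF02", "auth": "802.1X", "group": "Employees",
                         "MDM:DeviceRegistrationStatus": "Registered", "PostureStatus": "Unknown"})
    return first, after, byod, posture
```

The callback check is the part worth keeping in mind: a portal login is only accepted for a session ISE already holds and already redirected with that action, so the session ID really is the glue between client, access device and ISE and not just a query parameter.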
Single-Purpose APIs are Great for One Purpose
…Integrating One System to One Other System
Cisco Platform Exchange Grid – pxGrid
Enabling the Potential of Network-Wide Context Sharing
The Next Wave of Cisco pxGrid Partnerships
Sharing Context with an Even Broader Ecosystem
pxGrid Components
(Figure: pxGrid Publisher, pxGrid Controller and pxGrid Subscribers such as IPS, Threat Defense, ASA-CX and WWW)
pxGrid Architecture
(Figure: Certificate Based Auth on both sides; ISE publishes to the Grid; SF-IPS, WSA, StealthWatch, IDS, Firewalls, Threat Defence, etc. subscribe)
In 1.0 of pxGrid:
• ISE is the only Publisher
• Session Directory is only Topic
• Future versions will allow Pub & Sub
SIEM/Threat Defence Integration
Use Case: Identity and device aware threat management
Increase confidence around event severity levels in SIEMs and TD consoles; make events actionable in the network. SIEM/TD share “worst offenders” with ISE for user/device policy decisions.
(Figure: SIEM/TD Platform policy: Detect sensitive data access on mobile devices; quarantine such users. Data: “Sensitive Data”, Type: “Mobile Device” → Cisco ISE → ISE Quarantines/Remediates User/Traffic)
TrustSec Introduction
Policy and Segmentation
Design needs to be replicated to multiple locations, buildings, floors
(Figure: Aggregation Layer with ACL; Access Layer with VLAN, Addressing and DHCP Scope. Simple Segmentation with 2 VLANs versus More Policies using more VLANs)
Software-Defined Segmentation with Cisco TrustSec/SGT
How TrustSec/SGT is Used Today
User to DC Access Control: Network & Role Segmentation; BYOD Security; Application Protection; Secure Contractor Access; PCI & PHI Compliance
Campus & DC Segmentation: Server Segmentation; Firewall Rule Reduction; Fast Server Provisioning; Threat Defence; Machine-Machine Control
Segmentation with Security Group
(Figure: servers DC-MTV (SRV1), DC-MTV (SAP1) and DC-RTP (SCM2) grouped as Production Servers)
Reference: http://www.asd.gov.au/infosec/top-mitigations/top35mitigations-2014-table.htm
TrustSec Authorisation and Enforcement
(Figure: Employee / IP Any / Remediation under each option)
VLANs:
• Does not require switch port ACL management
• Preferred choice for path isolation
• Requires VLAN proliferation and IP refresh
dACL or Named ACL:
• Less disruptive to endpoint (no IP address change required)
• Improved user experience
• Increased ACL management
Security Group Access:
• Simplifies ACL management
• Uniformly enforces policy independent of topology
• Fine-grained access control
Enforcing Policy Downstream
Classify & Mark → Propagation → Enforce
(Figure: Cisco ISE supplies Context Telemetry (Manager, Windows PC, Compliant); the Firewall enforces access to the Timecard application server and the Credit Card transaction server)
Classify Mark, Propagate, Enforce
• IP Precedence and DiffServ code points
• 802.1Q User Priority
• MPLS VPN
• TrustSec
Classification
(Figure: Enterprise Backbone with WLC, FW and Hypervisor SW. A BYOD device is classified with an SGT (SRC: 10.1.100.98); a VLAN is mapped to an SGT; a Virtual Machine is mapped to an SGT.)
Classification
Classification Summary
Dynamic Classification (Common Classification for Mobile Devices):
• 802.1X / RAS VPN Authentication
• Web Authentication
• MAC Auth Bypass
Static Classification (Common Classification for Servers, Topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
• Pre-fix learning
Classification
Static Classification (configuration screenshots)
Propagation
(Figure: endpoint 10.1.100.98 classified as SGT 50 behind the WLC; FW and Enterprise Backbone. IP-SGT Binding Table: IP Address 10.1.100.98, SGT 50, SRC Local. Inline Tagging (data plane) is used if the device supports SGT in its ASIC; otherwise the binding travels over SXP and the optionally encrypted L2 Ethernet frame carries SRC: 10.1.100.98 with No CMD.)
Inline Tagging
• SGT embedded within Cisco Meta Data (CMD) in Layer 2 frame
• Capable switches understand and process SGT at line-rate
• Optional MACsec protection
MTU/Fragmentation:
• L2 Frame Impact: ~40 bytes
• Recommend L2 MTU ~1600 bytes
Frame formats:
Ethernet Frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC
Cisco Meta Data (CMD): CMD EtherType 0x8909 | Version | Length | SGT Option Type | SGT Value (16 bit, 64K name space)
MACsec Frame: Destination MAC | Source MAC | 802.1AE Header (ETHTYPE 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD (AES-GCM 128bit Encryption) | 802.1AE ICV | CRC
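The inline-tagging slide lists the CMD fields (EtherType 0x8909, Version, Length, SGT Option Type, 16-bit SGT Value) and notes that a device without SGT support in its ASIC forwards the frame with no CMD. The example below is added here and is not code from the session or from Cisco: it builds and parses an Ethernet frame with an optional 802.1Q tag and an optional CMD header, and strips the CMD for the "No CMD" path. The field order follows the slide; the byte widths of Version, Length and SGT Option Type are assumptions for this example, as are the sample MACs and payload.

```python
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_CMD = 0x8909      # Cisco Meta Data EtherType, from the slide
ETHERTYPE_IPV4 = 0x0800
CMD_VERSION = 0x01
CMD_SGT_OPTION_TYPE = 0x0001
# Assumed CMD layout after the 0x8909 EtherType (field names from the slide, widths assumed):
#   Version (1 byte) | Length of options (1 byte) | SGT Option Type (2 bytes) | SGT Value (2 bytes)


def _mac(text):
    return bytes.fromhex(text.replace(":", "").replace("-", "").replace(".", ""))


def build_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4, vlan=None, sgt=None):
    """Ethernet frame: optional 802.1Q tag, optional CMD carrying the SGT, then EtherType + payload."""
    frame = _mac(dst) + _mac(src)
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan & 0x0FFF)
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is a 16-bit value")          # 64K name space
        options = struct.pack("!HH", CMD_SGT_OPTION_TYPE, sgt)
        frame += struct.pack("!HBB", ETHERTYPE_CMD, CMD_VERSION, len(options)) + options
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dict(dst, src, vlan, sgt, ethertype, payload); sgt is None when no CMD is present."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    out = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None, "sgt": None}
    pos = 12
    etype = struct.unpack("!H", frame[pos:pos + 2])[0]
    if etype == ETHERTYPE_DOT1Q:
        out["vlan"] = struct.unpack("!H", frame[pos + 2:pos + 4])[0] & 0x0FFF
        pos += 4
        etype = struct.unpack("!H", frame[pos:pos + 2])[0]
    if etype == ETHERTYPE_CMD:
        version, length = frame[pos + 2], frame[pos + 3]
        if version != CMD_VERSION or length < 4 or pos + 4 + length + 2 > len(frame):
            raise ValueError("malformed CMD header")
        opt_type, sgt = struct.unpack("!HH", frame[pos + 4:pos + 8])
        if opt_type != CMD_SGT_OPTION_TYPE:
            raise ValueError("unexpected CMD option type")
        out["sgt"] = sgt
        pos += 4 + length
        etype = struct.unpack("!H", frame[pos:pos + 2])[0]
    out["ethertype"] = etype
    out["payload"] = frame[pos + 2:]
    return out


def strip_cmd(frame):
    """Re-encode without CMD, as a switch must when the next hop cannot process SGT in its
    ASIC (the slide's 'No CMD' path); the IP-SGT binding then has to travel by SXP instead."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["payload"], f["ethertype"], f["vlan"], sgt=None)


def demo():
    """Tag a constructed frame with SGT 50 (the slide's example value), then strip it again."""
    payload = b"constructed payload, not a real IP packet"
    tagged = build_frame("00:11:22:33:44:55", "00:21:55:d6:01:33", payload, vlan=100, sgt=50)
    plain = strip_cmd(tagged)
    return parse_frame(tagged), parse_frame(plain), len(tagged) - len(plain)
```

With these widths the CMD costs 8 bytes per frame; the slide's ~40 bytes is the combined figure once MACsec adds its SecTAG and 16-byte ICV on top, which is why the recommended L2 MTU is raised to ~1600.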
Propagation
SXP Flow
(Figure: Speaker CTS6K at 10.1.3.2 with binding 10.1.10.100 (SGT6), Listener CTS7K at 10.1.3.1, Cisco ISE)
1. TCP SYN: IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x02 (SYN)
2. TCP SYN-ACK: IP Src: 10.1.3.1 Dst: 10.1.3.2; TCP Src Port: 64999 Dst Port: 16277; Flags: 0x12 (SYN, ACK)
3. TCP ACK: IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x10 (ACK)
4. SXP OPEN: IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x10 (ACK); SXP Type: Open; Version: 1; Device ID: CTS6K
5. SXP OPEN_RESP: IP Src: 10.1.3.1 Dst: 10.1.3.2; TCP Src Port: 64999 Dst Port: 16277; Flags: 0x18 (PSH, ACK); SXP Type: Open_Resp; Version: 1; Device ID: CTS7K
6. SXP UPDATE: IP Src: 10.1.3.2 Dst: 10.1.3.1; TCP Src Port: 16277 Dst Port: 64999; Flags: 0x10 (ACK); SXP Type: Update; Update Type: Install; IP Address: 10.1.10.100; SGT: 6
Enforcement
(Figure: the end user is authenticated and Classified as Employee (5) by ISE; Destination Classification Web_Dir: SGT 20, CRM: SGT 30. A FIB Lookup resolves Destination MAC/Port to SGT 20 and the SGACL cell SRC\DST Employee (5) → Web_Dir (20) / CRM (30) is applied.)
SGACL Policy on ISE for Switches (screenshot)
Enforcement (screenshot)
Review: SGFW Flow
What was missing in SGFW? Classification, Propagation, Enforcement
(Figure: Corp Asset Endpoints → Firewall → Business Data App / Storage)
Firewall Rules:
Source IP | Source SGT | Destination IP | Destination SGT | Service | Action
Any | Employee | Any | Biz Server | HTTPS | Allow
Any | Suspicious | Any | Biz Server | Any | Deny
Visibility and Control for Remote Access
(Figure: Data Centre with Production Apps and Development; the Data Centre Firewall enforces with ISE)
Use Case: Peer-to-Peer Malware Control
(Figure: Employee Assets (Sales, Developer, Guests), Production Servers, HR Database, Internet Access; Cisco ISE)
Source \ Destination | Sales | Developer | Guests | Internet Access
Sales | Malware Blocking | DENY | DENY | PERMIT
Developer | DENY | Malware Blocking | DENY | PERMIT
Guest | DENY | DENY | DENY | PERMIT
Malware Blocking ACL:
Deny tcp dst eq 445 log; block SMB file sharing
Deny tcp dst range 137 139 log; block NetBios Session Service
Permit all
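The SXP and enforcement slides show the two halves of TrustSec enforcement: a switch holds IP-to-SGT bindings (learned locally or installed by an SXP UPDATE) and resolves source and destination SGTs, then applies the SGACL from the matrix cell. The example below is added here and is not code from the session or from Cisco: it does a longest-prefix lookup over constructed bindings, parses the ACE syntax printed on the Peer-to-Peer Malware Control slide, and evaluates the matrix from that slide. The SGT numbers for Sales, Developer and Guests, the bindings, the default for cells missing from the matrix and the use of SGT 0 for an unbound Internet destination are assumptions for this example.

```python
import ipaddress

# Constructed IP-SGT bindings as a switch would hold them (Local or learned via SXP).
# The /32 for 10.1.10.100 overrides the /24 it sits in, so longest prefix must win.
BINDINGS = (
    ("10.1.10.0/24", 10, "SXP"),      # Sales
    ("10.1.11.0/24", 11, "SXP"),      # Developer
    ("10.1.12.0/24", 12, "SXP"),      # Guests
    ("10.1.10.100/32", 11, "Local"),  # a developer host parked in the Sales subnet
)
SGT_NAMES = {0: "Unknown", 10: "Sales", 11: "Developer", 12: "Guests"}   # constructed values

# SGACLs transcribed from the slide's Malware Blocking ACL, plus plain deny/permit.
SGACLS = {
    "Malware_Blocking": ("deny tcp dst eq 445 log", "deny tcp dst range 137 139 log", "permit ip"),
    "Deny_IP": ("deny ip",),
    "Permit_IP": ("permit ip",),
}
# (source SGT, destination SGT) -> SGACL, following the slide's matrix; Internet = Unknown (0).
MATRIX = {
    (10, 10): "Malware_Blocking", (10, 11): "Deny_IP", (10, 12): "Deny_IP", (10, 0): "Permit_IP",
    (11, 10): "Deny_IP", (11, 11): "Malware_Blocking", (11, 12): "Deny_IP", (11, 0): "Permit_IP",
    (12, 10): "Deny_IP", (12, 11): "Deny_IP", (12, 12): "Deny_IP", (12, 0): "Permit_IP",
}
DEFAULT_SGACL = "Deny_IP"   # assumed for cells the matrix does not define


def parse_ace(text):
    """Parse the ACE syntax used on the slide: <permit|deny> <proto> [dst eq N | dst range A B] [log]."""
    tok = text.split()
    if len(tok) < 2 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {text}")
    ace = {"action": tok[0], "proto": tok[1], "dports": None, "log": False}
    i = 2
    if i < len(tok) and tok[i] == "dst":
        if tok[i + 1] == "eq":
            ace["dports"] = (int(tok[i + 2]), int(tok[i + 2]))
            i += 3
        elif tok[i + 1] == "range":
            ace["dports"] = (int(tok[i + 2]), int(tok[i + 3]))
            i += 4
        else:
            raise ValueError(f"bad port match in ACE: {text}")
    if i < len(tok) and tok[i] == "log":
        ace["log"] = True
        i += 1
    if i != len(tok):
        raise ValueError(f"trailing tokens in ACE: {text}")
    return ace


def lookup_sgt(ip, bindings=BINDINGS):
    """Longest-prefix match over the binding table; no binding means SGT 0 (Unknown)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt, _source in bindings:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else 0


def enforce(src_ip, dst_ip, proto, dport, bindings=BINDINGS):
    """Resolve both SGTs, pick the SGACL from the matrix and return the first matching ACE."""
    src_sgt, dst_sgt = lookup_sgt(src_ip, bindings), lookup_sgt(dst_ip, bindings)
    name = MATRIX.get((src_sgt, dst_sgt), DEFAULT_SGACL)
    base = {"src_sgt": src_sgt, "dst_sgt": dst_sgt, "sgacl": name}
    for line in SGACLS[name]:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dports"] and not (ace["dports"][0] <= dport <= ace["dports"][1]):
            continue
        return dict(base, action=ace["action"], log=ace["log"], ace=line)
    return dict(base, action="deny", log=False, ace="implicit deny")
```

Because the decision is keyed on SGTs rather than addresses, moving the developer host 10.1.10.100 into the Sales subnet changes nothing in the policy; only its binding does, which is the topology independence the enforcement slides are about.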
Use Case: Data Centre Segmentation
Protected Assets (destination) by Source:
Source \ Destination | Production Servers | Development Servers | HR Database | Storage
Production Servers | PERMIT | DENY | DENY | PERMIT
Development Servers | DENY | PERMIT | DENY | PERMIT
HR Database | DENY | DENY | PERMIT | PERMIT
Storage | PERMIT | PERMIT | PERMIT | PERMIT
(Figure: Classification at the DC Switch, SGT Propagation, Enforcement at the DC FW; Segmentation with No VLANs; Cisco ISE; HR Database and Development server)
ISE + Fire + TrustSec
Before / During / After
• Threat Detection
• Prevention and Mitigation
• Evaluate Policy
• Containment (Quarantine or Block all together)
• Apply QoS
• Apply policy routing
• Deep inspection
• Collecting additional telemetry
• Added visibility
TrustSec Platform Support
(Figure: platform table by Classification, Propagation and Enforcement)
A Systems Approach to Building an Identity Access Control Architecture
Choosing the Correct Building Blocks
The “TrustSec” Portfolio: www.cisco.com/go/trustsec
Policy Administration / Policy Decision: Identity Services Engine (ISE), Identity Access Policy System
Policy Enforcement: TrustSec Powered switches, Wireless and Routing Infrastructure: Cisco 2960/3560/3700/4500/6500, Nexus 7000; Cisco ASA, ISR, ASR 1000
Policy Information: NAC Agent / Web Agent (No-Cost Persistent and Temporal Clients, TrustSec Powered for Posture and Remediation); 802.1X Supplicant (AnyConnect or OS-Embedded Supplicant)
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Summary
Cisco Secure Access and TrustSec
Technology Review: “I want to allow guests into the network” → Guest Access
Links
• Secure Access, TrustSec, and ISE on Cisco.com
– http://www.cisco.com/go/trustsec
– http://www.cisco.com/go/ise
– http://www.cisco.com/go/isepartner
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.