
Cisco TrustSec

Security Solution Overview


Nicole Johnson
Systems Engineer
Cisco

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Agenda

• Movement from Location-Based to Identity-Based Security Strategy
• Cisco TrustSec Approach
  • 802.1X
  • MACsec (802.1AE) encryption
  • Security Group Tags
• Identity Services Engine (ISE) and its role in the network
• Network Control System
  • Introduction on how to manage the lifecycle of both wired and wireless devices in your network
• Q & A
• Next Steps
Policy Evolving with Borderless Network

Figure: the Borderless Networks promise on the left, and the policy goal that answers each item on the right.

• Anyone → The RIGHT Person
• Any Device → An approved Device
• Anywhere, Anytime → In The Right Way
Introducing Cisco TrustSec

Figure: users and devices (Remote VPN User, Wireless User, VPN User, Devices) enter through Policy-Based Access & Services (Guest Access, Profiling, Posture) onto an Identity-enabled infrastructure with Scalable Enforcement (VLANs, dACLs, SGTs), reaching the Data Center, Intranet and Internet Security Zones.

• Enables Business Productivity
• Delivers Security & Risk Management
• Improves IT Operational Efficiency
What is TrustSec?

Why Identity Is Important

1. Authentication: Who are you? 802.1X (or a supplementary method) authenticates the user. → Keep the Outsiders Out
2. Where can you go? Based on authentication, the user is placed in the correct VLAN. → Keep the Insiders Honest
3. Authorization: What service level do you receive? The user can be given per-user services (ACLs today, more to come). → Personalize the Network
4. Accounting: What are you doing? The user's identity and location can be used for tracking and accounting. → Increase Network Visibility
What does Identity allow you to do?

• Ensure that only allowed types of user and machine connect to key resources
• Provide guest network access in a controlled and specific manner
• Deliver differentiated network services to meet security policy needs, for example:
  • Ensure compliance requirements (PCI, etc.) for user authentication are met
  • Facilitate voice/data traffic separation in the campus
  • Ensure that only employees with legitimate devices access classified systems
  • Ensure that contractors/business partners get appropriate access
• Provide user and access device visibility to network security operations
Why 802.1X?

• Industry-standard approach to user/machine identity
• Most secure authentication solution
• Complements other switch security features
• Easier to deploy
• Provides foundation for additional services (e.g., posture)
How Does 802.1X Work?

Figure: the 802.1X roles and the links between them.

• Supplicant → Authenticator (switch, router, WAP): Layer 2, Request for Service (Connectivity)
• Authenticator → Authentication Server (RADIUS server): Layer 3, Back-End Authentication Support
• Authentication Server → Identity Store/Management (Active Directory, LDAP): Identity Store Integration
Who (or What) Can Be Authenticated?

User Authentication (e.g. alice)
• Enables User-Based Access Control and Visibility
• If Enabled, Should Be In Addition To Device Authentication

Device Authentication (e.g. host\XP2)
• Enables Devices To Access Network Prior To (or In the Absence of) User Login
• Enables Critical Device Traffic (DHCP, NFS, Machine GPO)
• Is Required In Managed Wired Environments
Various Authorization Mechanisms

• 802.1X provides various authorization mechanisms for policy enforcement.
• Three major enforcement / segmentation mechanisms:
  • Dynamic VLAN assignment – Ingress
  • Downloadable per-session ACL – Ingress
  • Security Group Access Control List (SGACL) – Egress
• Three different enforcement modes:
  • Monitor Mode
  • Low Impact Mode (with Downloadable ACL)
  • High-Security Mode
• Session-based on-demand authorization:
  • Change of Authorization (RFC 3576 RADIUS Disconnect Messages)
Cisco Switches with 802.1X

• A Systems Approach: a fully planned, tested, and vetted SYSTEM for identity. The many business units have all worked together to form a full system-based approach to ensure the most capable / fully functional & proven identity system in the industry.
• Consistent across all switch platforms! Same Features, Same Code.

Figure: switch identity features: Multi-Auth, Deployment Modes, Pre-Emptive Dead Server Detection, Critical VLAN, dACL per Host.
MACsec (802.1AE) Overview

Quick Review of MACsec (802.1AE)

Confidentiality and Integrity
Securing Data Path with MACsec
Media Access Control Security (MACsec)

• Provides "WLAN / VPN equivalent" encryption (128-bit AES-GCM) to the LAN connection
• NIST-approved* encryption (IEEE 802.1AE) + Key Management (IEEE 802.1X-2010/MKA or Security Association Protocol)
• Allows the network to continue to perform auditing (Security Services)

* National Institute of Standards and Technology Special Publication 800-38D

Figure: a guest user's data is sent in the clear; an 802.1X-authenticated user with a MACsec-capable supplicant encrypts on the MACsec link and the switch decrypts. TrustSec provides an encrypted data path regardless of your access method (WLAN, Remote Access, and LAN!).

Note: Cat3750-X currently supports MACsec on downlink only
MACsec Benefits and Limitations

Benefits
• Confidentiality: strong encryption at Layer 2 protects data.
• Integrity: integrity checking ensures data cannot be modified in transit.
• Flexibility: selectively enabled with centralized policy.
• Network Intelligence: hop-by-hop encryption enables the network to inspect, monitor, mark and forward traffic according to your existing policies.

Limitations
• Endpoint Support: not all endpoints support MACsec.
• Network Support: line-rate encryption typically requires updated hardware on the access switch.
• Technology Integration: MACsec may impact other technologies that connect at the access edge (e.g. IP Phones).
Cisco TrustSec

• Security Group Tags
  • Unique 16-bit (65K values) tag assigned to a unique role
  • Represents privilege of the source user, device, or entity
  • Tagged at ingress of TrustSec domain
  • Provides topology-independent policy
  • Flexible and scalable policy based on user role
  • Centralized policy management for dynamic policy provisioning
• Hop-by-hop encryption (802.1AE)
  • Provides confidentiality and integrity while still allowing for inspection of traffic between endpoints
Layer 2 SGT Frame Format

Ethernet frame fields, in order:

  DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC

Encrypted region: 802.1Q, CMD, ETYPE and PAYLOAD. Authenticated region (covered by the ICV): everything from DMAC through PAYLOAD, including the 802.1AE header.

Cisco Meta Data (CMD) fields, in order:

  CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options

• 802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead
• Frame is always tagged at the ingress port of an SGT-capable device
• Tagging happens prior to other L2 services such as QoS
• No impact on IP MTU / fragmentation
• L2 frame MTU impact: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552-byte MTU)
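
As an added example (not from the deck or from Cisco), the following Python walks the header chain from the frame-format slide above, pulls the SGT out of the Cisco Meta Data header, and applies the deck's Staff/Guest versus Public/Private SGACL matrix (shown on the ISE benefits slide later in this deck) at egress. The EtherType values are the real ones; the CMD field widths, the numeric SGT values and the sample frames are assumptions constructed for this example, and the parser works on the frame after MACsec decryption, so the 802.1AE header and ICV appear only in the overhead figure.

```python
import struct

# EtherTypes are the real IEEE / Cisco values. The CMD field widths used here
# (version 1B, length 1B, SGT option type 2B, SGT value 2B) are assumptions.
ETYPE_8021Q, ETYPE_CMD, CMD_SGT_OPTION = 0x8100, 0x8909, 0x0001
SECTAG_LEN, CMD_LEN, ICV_LEN = 16, 8, 16   # 802.1AE SecTAG (with SCI), CMD, AES-GCM ICV

# Role names and the Permit/Deny cells come from the deck's SGACL matrix
# (Staff/Guest vs Public/Private); the numeric tag values are constructed.
SGT_ROLE = {10: "Staff", 20: "Guest", 30: "Public", 40: "Private"}
SGACL = {("Staff", "Public"): "Permit", ("Staff", "Private"): "Permit",
         ("Guest", "Public"): "Permit", ("Guest", "Private"): "Deny"}

def l2_overhead() -> int:
    """Bytes that MACsec + SGT add to each frame: the deck's '~40 bytes'."""
    return SECTAG_LEN + CMD_LEN + ICV_LEN

def build_sgt_frame(dmac, smac, vlan, sgt, etype, payload) -> bytes:
    """Constructed test frame: DMAC SMAC 802.1Q CMD ETYPE PAYLOAD (no MACsec, no CRC)."""
    dot1q = struct.pack("!HH", ETYPE_8021Q, vlan & 0x0FFF)
    cmd = struct.pack("!HBBHH", ETYPE_CMD, 1, 1, CMD_SGT_OPTION, sgt)
    return dmac + smac + dot1q + cmd + struct.pack("!H", etype) + payload

def parse_sgt_frame(frame: bytes) -> dict:
    """Walk the header chain of a decrypted frame; no CMD header yields sgt=None."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off, vlan, sgt = 12, None, None
    etype, = struct.unpack_from("!H", frame, off)
    if etype == ETYPE_8021Q:                    # 802.1Q tag precedes the CMD
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        etype, = struct.unpack_from("!H", frame, off)
    if etype == ETYPE_CMD:                      # Cisco Meta Data carrying the SGT
        version, _length, opt, sgt = struct.unpack_from("!BBHH", frame, off + 2)
        if version != 1 or opt != CMD_SGT_OPTION:
            raise ValueError("unsupported CMD version/option")
        off += CMD_LEN
        etype, = struct.unpack_from("!H", frame, off)
    return {"dmac": frame[:6].hex(":"), "smac": frame[6:12].hex(":"),
            "vlan": vlan, "sgt": sgt, "ethertype": etype, "payload": frame[off + 2:]}

def egress_decision(frame: bytes, dst_sgt: int) -> str:
    """SGACL enforcement at egress: (source role, destination role) -> verdict.
    Untagged frames and pairs absent from the matrix fall through to Deny."""
    src_sgt = parse_sgt_frame(frame)["sgt"]
    if src_sgt is None:
        return "Deny"
    return SGACL.get((SGT_ROLE.get(src_sgt), SGT_ROLE.get(dst_sgt)), "Deny")

if __name__ == "__main__":
    f = build_sgt_frame(b"\x00" * 6, b"\x01" * 6, 100, 20, 0x0800, b"\x45" * 20)  # guest host
    print(parse_sgt_frame(f)["sgt"], egress_decision(f, 40), l2_overhead())
```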
Identity Services Engine (ISE)

Policy-Based Access
Identity Services Engine Delivers "Business Policy"

• Define network policy as an extension of business goals
• Policy extends to all access types (wired, wireless, VPN)
• Lifecycle Services Integration – guest, profiling, posture
• Optional encryption-based policies for security-conscious users

Figure: a Finance Manager reaching Product Bookings, Customer Data and SalesForce.com from a corporate-issued laptop and from a personal iPad; some paths are marked X (blocked).
Identity Services Engine
ISE: Policies for people and devices

Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart devices?
• Access rights on premises, at home, on the road?
• Devices are healthy?

Guest Access
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Non-User Devices
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?
A Practical Example of Policies

• "Employees should be able to access everything but have limited access on personal devices"
• "Everyone's traffic should be encrypted"
• "Printers should only ever communicate internally"

Figure: Cisco® Identity Services Engine applying these policies across the Campus Network (Cisco Switch, Cisco Access Point, Cisco Wireless LAN Controller) on the way to Internal Resources and the Internet.
Let's Start With What We Know
Previous Cisco TrustSec Solution Portfolio

• Identity & Access Control: Access Control System, AnyConnect
• Identity & Access Control + Posture: NAC Manager, NAC Server, NAC Agent
• Device Profiling & Provisioning + Identity Monitoring: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
• Guest Lifecycle Management: NAC Guest Server
Introducing Identity Services Engine
Next Generation Solution Portfolio

• Identity & Access Control: Access Control System, AnyConnect
• Identity & Access Control + Posture: NAC Manager, NAC Server
• Device Profiling & Provisioning + Identity Monitoring: NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
• Guest Lifecycle Management: NAC Guest Server

Figure: the Identity Services Engine (ISE) is shown spanning the NAC Manager/Server, Profiler/Collector and Guest Server rows of the previous portfolio, with the NAC Agent alongside it.
Benefits of Identity Services Engine

Consolidated Services, Software Packages
• ACS, NAC Manager, NAC Profiler, NAC Server, NAC Guest → ISE All-in-One
• Simplify Deployment & Admin

Visibility
• User ID, Access Rights, Location, Device (& IP/MAC)
• Track Active Users & Devices

Flexible Service Deployment
• Admin / Monitoring Console (HA Pair), Distributed Policy Servers
• Optimize Where Services Run

Guest
• Manage Guests & Sponsors

Manage Security Group Access
• SGACL matrix by source SGT and destination (Public / Private):
    Staff: Public Permit, Private Permit
    Guest: Public Permit, Private Deny
• Keep Existing Logical Design

System-wide Monitoring & Troubleshooting
• Consolidate Data, Three-Click Drill-In
Identity & Context-Awareness
Leveraging your Infrastructure

Figure: Authorized Users (802.1X), IP Phones (MAB & Profiling) and Guests (Web Auth) connect through a Cisco® Catalyst® Switch to the Network. Consistent identity features are supported on all Catalyst switch models: Cisco authenticates authorized users (802.1X), devices (MAB/profiling) and guests (Web Auth).

Identity Feature Differentiators

• Monitor Mode: delivers visibility by authenticating users/devices (without enforcement)
• Flex Authentication Sequence: the most flexible authentication in the market; automates ports for rolling authentication with a flexible sequence
• IP Telephony Interoperability: features like multi-domain auth and link state provide authentication for IP telephony environments, or users behind VoIP devices
• VDI Deployment Support: the multi-authentication feature enables authentication of multiple MAC addresses behind a single port
ISE Lifecycle Services
ISE Posture Ensures Endpoint Health before Network Access

Figure: a wired, wireless or VPN user found Non-Compliant gets Temporary Limited Network Access until remediation is complete.

Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running
ISE Lifecycle Services
ISE Guest Service for managing guests

• Provision: guest accounts via sponsor portal
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Notify: guests of account details by print, email, or SMS
• Report: on all aspects of guest accounts

Guest Policy:
• Wireless or wired access
• Internet-only access

Figure: Web Auth guests reaching the Internet.
Identity and Context-Awareness
ISE Profiling for Non-Authenticating Devices

"What is on my Network"

• Reduces MAB effort by identifying more than 90 device categories
• Create policy for users and endpoints, e.g. "Limited access by employee on iPad"
• Confidence-match based on multiple attributes
• Future "template feed"
ISE Device Profiling Capabilities

Figure: profiling policy screen showing device categories (Smart Phones, Gaming Consoles, Workstations), the Minimum Confidence for a Match, and Multiple Rules to Establish Confidence Level.
ISE Device Profiling Example - iPad

• Once the device is profiled, it is stored within the ISE for future associations.
• Rules that together identify an Apple iPad:
  • Is the MAC address from Apple?
  • Does the hostname contain "iPad"?
  • Is the web browser Safari on an iPad?
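
The three questions above are a confidence match: each rule contributes certainty points and the profile matches only when the total clears a minimum, which is what keeps a single spoofed attribute from passing. As an added example, not ISE's code, the following Python implements that scoring over constructed endpoint attributes; the OUI prefix, rule weights, threshold and endpoints are placeholders for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, List

# Endpoint attributes, rule weights and the OUI prefix are constructed for this
# example; a real profiler uses the IEEE OUI registry and ISE's own rule library.
APPLE_OUI_PREFIXES = {"00:11:22"}        # stand-in for Apple's registered OUIs

@dataclass
class Endpoint:
    mac: str                              # learned via MAB / RADIUS accounting
    hostname: str = ""                    # DHCP option 12, if the probe saw it
    user_agent: str = ""                  # HTTP probe during web-auth redirect

@dataclass
class Rule:
    name: str
    weight: int                           # certainty points added when it fires
    check: Callable[[Endpoint], bool]

@dataclass
class Profile:
    name: str
    min_certainty: int                    # "minimum confidence for a match"
    rules: List[Rule]                     # "multiple rules to establish confidence"

def certainty(profile, ep):
    """Sum the weights of every rule that fires for this endpoint."""
    return sum(r.weight for r in profile.rules if r.check(ep))

def classify(ep, profiles):
    """Best profile that clears its own threshold, as (name, score); else Unknown."""
    best = ("Unknown", 0)
    for p in profiles:
        score = certainty(p, ep)
        if score >= p.min_certainty and score > best[1]:
            best = (p.name, score)
    return best

# The deck's three iPad questions, each worth some certainty. A spoofed Apple
# OUI on its own (10 points) never reaches the 30-point threshold.
IPAD = Profile("Apple-iPad", min_certainty=30, rules=[
    Rule("MAC OUI is Apple", 10, lambda e: e.mac.upper()[:8] in APPLE_OUI_PREFIXES),
    Rule("hostname contains iPad", 20, lambda e: "ipad" in e.hostname.lower()),
    Rule("browser is Safari on iPad", 20,
         lambda e: "ipad" in e.user_agent.lower() and "safari" in e.user_agent.lower()),
])
PROFILES = [IPAD]
PROFILE_STORE = {}   # once profiled, the MAC keeps its profile for future sessions

def profile_endpoint(ep):
    """Classify, remember a successful match, and answer from memory otherwise."""
    name, _score = classify(ep, PROFILES)
    if name != "Unknown":
        PROFILE_STORE[ep.mac.upper()] = name
    return PROFILE_STORE.get(ep.mac.upper(), "Unknown")
```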
Cisco ISE Provides Policy for Wired and Wireless LANs

• NCS: Centralized Monitoring of Wired and Wireless Networking, Users and Endpoints
• ISE: Central Point of Policy for Wired and Wireless Users and Endpoints
• Unified wired and wireless policy (ISE) and management (NCS).
TrustSec Deployment Options

Monitor Mode
• Primary Features: Open mode, Multi-Auth, Flex Auth (Optional)
• Benefits: Unobstructed Access, No Impact on Productivity, Gain Visibility (AAA Logs)

Low Impact Mode
• Primary Features: Open mode, Multi-Domain, Port & dACLs
• Benefits: Maintain Basic Connectivity, Increased Access Security, Differentiated Access

High Security Mode
• Primary Features: Traditional Closed Mode, Dynamic VLANs
• Benefits: Strict Access Control
Deployment Overview
Typical TrustSec Deployment Scenario

• Planning: plan in advance and keep user experience impact as minimal as possible
• Proof of Concept
• Pilot Deployment (size: 1 segment or 1 floor)
  • Supplicant Provisioning, RADIUS Setup, Switch Setup
  • No Enforcement (Monitor Mode) → Review & Adjust
• Expansion (size: Multi-Floor, Bldg.)
  • Enforcement (Low Impact Mode) → Review & Adjust
• Services
Why Cisco TrustSec Architecture

• One Policy for wired, wireless and VPN
• Integrated lifecycle services (posture, profiling, guest)
• Differentiated identity features (monitor mode, flex auth, multi-auth, ...)
• Phased approach to deployments – i.e. monitor mode
• Flexible and scalable authorization options
• Encryption to protect communications and SGT tags
Trustsec.cisco.com
www.cisco.com/go/trustsec

802.1X Resources

• http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNS-Technical-Review.pdf
• http://en.wikipedia.org/wiki/IEEE_802.1X
• http://www.networkworld.com/news/2010/0506whatisit.html
• http://www.ieee802.org/1/pages/802.1x.html
MACsec Resources

• http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html
• https://videosharing.cisco.com/vportal/VideoPlayer.jsp?ccsid=C-9323e79a-0395-475c-9c65-27f6e6afff3b:1#
• http://en.wikipedia.org/wiki/IEEE_802.1AE
• http://www.ieee802.org/1/pages/802.1ae.html
• http://www.networkworld.com/details/7593.html
