Cisco ACI Security in Action (BRKACI-2320 session slides)


  • Cisco ACI Security in Action

    Jason Gmitter, CCIE 12030

    Technical Solutions Architect

    BRKACI-2320

  • Agenda

    Introduction
    Secure Fabric
    A Little About Policy
    Micro-Segmentation
    Service-Graphs
    ACI-TrustSec Integration
    Micro-Services

  • 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

    Trends Impacting Datacenter Security

    (Diagram: evolving threats; new applications, physical, virtual and cloud; new traffic trends. Source: Cisco Global Cloud Index, 2012)

    BRKACI-2320 4

  • Secure Network Segmentation and Auditing

    Policy defined in simple language
    Group-policy-based secure multi-tenant network segmentation
    L4-7 service insertion to stateful NGFW, IPS
    Centralized RBAC and two-factor authentication
    Centralized auditing and security monitoring

    (Diagram: secure network access control, centralized security policy, audit and monitoring)

  • Introducing: Application Centric Infrastructure (ACI)

    (Diagram: an Outside (tenant VRF) group and Web, App and DB endpoint groups connected across the ACI Fabric, with QoS, filter and service policies applied between each pair. The fabric is an integrated group-based-policy (GBP) VXLAN overlay managed by the Application Policy Infrastructure Controller, APIC.)

  • Agenda: Secure Fabric

  • ACI Security: Automated Security With Built-In Multi-Tenancy

    Embedded Security and Security Automation
    White-list firewall policy model
    RBAC rules
    Hardened CentOS 7.2
    Authenticated northbound API (X.509)
    Encrypted intra-VLAN (TLS 1.2)
    Secure key-store for image verification
    Dynamic service insertion and chaining
    Closed-loop feedback for remediation
    Centralized security provisioning and visibility
    Security policy follows workloads
    Distributed stateless firewall
    Line-rate security enforcement
    Open: integrate any security device
    PCI, FIPS, CC, UC-APL, USG-v6

    ACI Services Graph and Micro-Segmentation
    Hypervisor agnostic (ESX, Hyper-V, KVM*)
    Physical, virtual machine, container
    Attribute-based isolation/quarantine
    Point-and-click micro-segmentation
    TrustSec-ACI integration

    Encryption
    Link MACsec: key agreement via MKA or SAP; GCM-AES-256/128-XPN cipher suites
    INS-SEC overlay encryption: GCM-AES-256/128

  • APIC and ACI: A Crypto-Based Platform

    The same SSL certificate is presented by all APICs to external HTTPS connections
    User and orchestration access to the APIC: web-token or X.509-certificate based
    APIC to switch: SSL connection using public-key certificates
    The APIC ISO is encrypted, and the keys are stored in the APIC TPM
    Anti-Counterfeit Technology-2 hardware security module (ACT2 HSM): validates the FPGA software, the ROMMON software, the switch preboot image and the switch full image
    Cisco-signed certificates (shipped with each switch and APIC) are used for the SSL connections

  • Secure Fabric Overview

    Permissive Mode (default mode of operation)
    Allows any existing fabric with invalid SSL certificates to operate normally
    APIC-to-switch communication is encrypted
    No serial-number-based authorization

    Strict Mode
    Enforces serial-number-based authorization
    Controllers and switches are manually authorized (approved or rejected) to join the fabric
    Only nodes whose SSL certificate carries an authorized serial number are allowed
    Strict mode can be enabled only when all nodes in the existing fabric have valid SSL certificates: every switch and every controller needs a valid SSL certificate

    All communication between switches and APICs is encrypted, except LLDP, DHCP and IS-IS
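Before flipping a fabric to strict mode it is worth checking that every node currently in the fabric is on the operator's approved-serial list, otherwise a forgotten leaf drops out at the switch. The script below is an added example, not code from the session or from Cisco: it parses the JSON shape an APIC returns for `GET /api/class/fabricNode.json` (the `id`, `name`, `role`, `serial` and `fabricSt` attributes are the APIC's), compares the serials with an allow-list, and also reports approved serials that no longer correspond to a node. The payload and the allow-list are constructed for the example; strict mode itself authorizes against the serial in the node's certificate, this is only the inventory check to run beforehand.

```python
"""Strict-mode readiness check for an ACI fabric (added example).

Parses the JSON shape an APIC returns for GET /api/class/fabricNode.json and
compares each node's serial number with an operator-maintained allow-list,
which is the property strict mode enforces when a node asks to join.
The sample payload and allow-list are constructed, not captured.
"""
import json

# Constructed sample response: one controller, two leaves, one spine.
SAMPLE_FABRIC_NODES = json.dumps({
    "totalCount": "4",
    "imdata": [
        {"fabricNode": {"attributes": {
            "dn": "topology/pod-1/node-1", "id": "1", "name": "apic1",
            "role": "controller", "serial": "FCH2001V0AA", "fabricSt": "active"}}},
        {"fabricNode": {"attributes": {
            "dn": "topology/pod-1/node-101", "id": "101", "name": "leaf101",
            "role": "leaf", "serial": "SAL1901ABCD", "fabricSt": "active"}}},
        {"fabricNode": {"attributes": {
            "dn": "topology/pod-1/node-102", "id": "102", "name": "leaf102",
            "role": "leaf", "serial": "SAL1901ABCE", "fabricSt": "active"}}},
        {"fabricNode": {"attributes": {
            "dn": "topology/pod-1/node-201", "id": "201", "name": "spine201",
            "role": "spine", "serial": "FOX2002XYZ1", "fabricSt": "active"}}},
    ],
})

# Serials the operator has approved (constructed).  SAL1999ZZZZ belongs to a
# decommissioned leaf that was never removed; leaf102's serial was never added.
AUTHORIZED_SERIALS = ["FCH2001V0AA", "SAL1901ABCD", "FOX2002XYZ1", "SAL1999ZZZZ"]


def parse_fabric_nodes(payload):
    """Return [{id, name, role, serial, fabricSt}] from a fabricNode class query."""
    nodes = []
    for item in json.loads(payload).get("imdata", []):
        attrs = item.get("fabricNode", {}).get("attributes")
        if attrs is None:          # e.g. an error object instead of a fabricNode
            continue
        nodes.append({k: attrs.get(k, "") for k in ("id", "name", "role", "serial", "fabricSt")})
    return nodes


def check_serials(nodes, authorized):
    """Classify fabric nodes against the allow-list.

    unauthorized:   nodes in the fabric whose serial is not approved
    missing_serial: nodes reporting no serial at all (cannot be authorized)
    stale_entries:  approved serials with no corresponding node (clean up)
    """
    allowed = set(authorized)
    report = {"authorized": [], "unauthorized": [], "missing_serial": [], "stale_entries": []}
    seen = set()
    for node in nodes:
        serial = node["serial"]
        if not serial:
            report["missing_serial"].append(node["name"])
        elif serial in allowed:
            report["authorized"].append(node["name"])
            seen.add(serial)
        else:
            report["unauthorized"].append((node["name"], node["role"], serial))
    report["stale_entries"] = sorted(allowed - seen)
    return report


def ready_for_strict_mode(report):
    """Only enable strict mode once every node present in the fabric is approved."""
    return not report["unauthorized"] and not report["missing_serial"]


if __name__ == "__main__":
    rep = check_serials(parse_fabric_nodes(SAMPLE_FABRIC_NODES), AUTHORIZED_SERIALS)
    for key, value in rep.items():
        print(f"{key:15} {value}")
    print("ready for strict mode:", ready_for_strict_mode(rep))
```

With the constructed data the check refuses: leaf102 is present but unapproved, and the allow-list still carries a serial for hardware that is gone. Approving leaf102's serial and pruning the stale entry is the work to do before enabling strict mode.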

  • APIC Hardening

    Base OS moved from CentOS 6.3 to a hardened CentOS 7.2

    Surface analysis: Nessus, Nmap, Nexpose, Qualys, etc.
    Web analysis: WebInspect, AppScan, Burp Suite, etc.
    OS network configuration testing: IPv6, IPv4, firewalls, listening services, vulnerability scans, NFS permissions and TPS review
    API: injection testing of the REST, SOAP, XML and JSON APIs
    CLI: CLI injection testing
    DB: Imperva Scuba scanner; passwords stored as hashes; encrypted data store
    Manual: security penetration testing

    Not EC'ed. Target Q3-CY16

  • System Access: Authentication, Authorization, RBAC

    Object tree that RBAC is scoped against:
    Universe
      Tenant: Pepsi
        App Profile
        EPGs
        L3 Networks
      Tenant: Coke
        App Profile
        EPGs
        L3 Networks
      Fabric
        Switch
          Line Cards
            Ports

    Local and external AAA (TACACS+, RADIUS, LDAP) for authentication and authorization
    RBAC controls READ and WRITE for ALL managed objects
    RBAC enforces separation between the fabric admin and per-tenant admins
    Authentication for all management interfaces of the APIC
    Roles: what a user can do
    Domain: which subtree the role applies to

  • Security Domain

    Will provide the ability to prevent an admin from adding a server to the wrong zone.

  • Role-Based Access Control

    Example: prevent the network admin from creating contracts and VRFs, so that only the security admin is responsible for contract and VRF creation.
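The two previous slides describe the same mechanism from two angles: a security domain limits a user to a subtree (so the Pepsi admin cannot touch a Coke server), and a role limits what the user may do inside it (so the network admin cannot create contracts or VRFs). The model below is an added example, not Cisco code and not how the APIC implements RBAC; it reproduces the decision an APIC makes from these two inputs on APIC-style DNs (`uni/tn-Coke/...` is the Coke tenant subtree). The privilege names are borrowed from the APIC, but the class-to-privilege map, the role contents and the users are assumptions made for this example.

```python
"""Toy model of APIC RBAC: roles say what, security domains say where.

Added example; a simplification, not the APIC's implementation.  Privilege
names are APIC-style, but CLASS_PRIVILEGE, ROLES, DOMAINS and USERS are
assumptions constructed for the example.
"""
from dataclasses import dataclass

READ, WRITE = "readPriv", "writePriv"

# Assumed: which privilege an object class requires (the APIC has a fixed table).
CLASS_PRIVILEGE = {
    "fvAp": "tenant-network-profile",      # application profile
    "fvAEPg": "tenant-network-profile",    # endpoint group
    "vzBrCP": "tenant-security",           # contract
    "vzFilter": "tenant-security",         # filter
    "fvCtx": "tenant-connectivity-l3",     # VRF
    "fabricNode": "fabric-equipment",      # switch
}

# Assumed role definitions: the network admin deliberately lacks the
# privileges that contracts and VRFs require.
ROLES = {
    "fabric-admin": frozenset({"fabric-equipment"}),
    "tenant-network": frozenset({"tenant-network-profile"}),
    "tenant-security": frozenset({"tenant-security", "tenant-connectivity-l3"}),
}

# Security domain -> DN prefixes it covers; an empty tuple means the whole tree.
DOMAINS = {
    "all": (),
    "Coke": ("uni/tn-Coke",),
    "Pepsi": ("uni/tn-Pepsi",),
}


@dataclass(frozen=True)
class Assignment:
    domain: str
    role: str
    priv_type: str      # READ or WRITE; write implies read


USERS = {
    "fabadmin": [Assignment("all", "fabric-admin", WRITE)],
    "coke-net": [Assignment("Coke", "tenant-network", WRITE)],
    "coke-sec": [Assignment("Coke", "tenant-security", WRITE),
                 Assignment("Coke", "tenant-network", READ)],
    "pepsi-net": [Assignment("Pepsi", "tenant-network", WRITE)],
}


def in_domain(domain, dn):
    """Prefix match on DN components, so uni/tn-Coke does not cover uni/tn-Cokeprod."""
    prefixes = DOMAINS[domain]
    return not prefixes or any(dn == p or dn.startswith(p + "/") for p in prefixes)


def authorize(user, op, dn, mo_class, users=USERS, roles=ROLES):
    """True if one of the user's (domain, role) pairs covers dn with the needed privilege."""
    if op not in ("read", "write"):
        raise ValueError(op)
    needed = CLASS_PRIVILEGE[mo_class]
    for a in users.get(user, []):
        if not in_domain(a.domain, dn):
            continue                     # right role, wrong tenant: denied
        if needed not in roles[a.role]:
            continue                     # right tenant, role lacks the privilege
        if op == "read" or a.priv_type == WRITE:
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("coke-net", "write", "uni/tn-Coke/ap-web", "fvAp"),
        ("coke-net", "write", "uni/tn-Coke/brc-web-to-db", "vzBrCP"),
        ("coke-sec", "write", "uni/tn-Coke/brc-web-to-db", "vzBrCP"),
        ("coke-sec", "write", "uni/tn-Coke/ctx-prod", "fvCtx"),
        ("coke-sec", "write", "uni/tn-Coke/ap-web", "fvAp"),
        ("pepsi-net", "write", "uni/tn-Coke/ap-web", "fvAp"),
        ("fabadmin", "write", "topology/pod-1/node-101", "fabricNode"),
    ]
    for c in checks:
        print(f"{c[0]:10} {c[1]:5} {c[2]:30} {'ALLOW' if authorize(*c) else 'DENY'}")
```

Two details matter in practice and are easy to get wrong when scripting against RBAC: a write privilege implies read (so the security admin's read-only network assignment is redundant for reads but still blocks writes), and domain matching must respect DN component boundaries, or a tenant named `Cokeprod` would fall under the `Coke` domain.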

  • Automation and Operations: APIC provides full FCAPS

    Capacity dashboard
    Troubleshooting wizards
    Drag-and-drop configuration

  • Audit for all Changes

    Audit logs are native to the object model: the aaaModLR objects are elements of the subtree of each managed object (MO). Each record contains the object affected by the change, what changed, the time stamp, the user who made the change, the trigger, etc.
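Because the audit trail is a class in the object model, it can be pulled with an ordinary class query and triaged offline. The script below is an added example, not code from the session; it parses records in the shape of `GET /api/class/aaaModLR.json` output (the `affected`, `changeSet`, `created`, `ind`, `trig` and `user` attributes are the APIC's), then answers the questions a reviewer actually asks: who changed what, which changes landed outside the change window, and what was deleted inside a given tenant. The records and the window hours are constructed for the example.

```python
"""Summarize APIC audit-log records (aaaModLR objects).

Added example, not code from the session.  The records are constructed in
the shape of GET /api/class/aaaModLR.json output; attribute names are the
APIC's.  The change-window hours are an assumption for the example.
"""
import json
from collections import Counter
from datetime import datetime

SAMPLE_AUDIT = json.dumps({"totalCount": "4", "imdata": [
    {"aaaModLR": {"attributes": {"affected": "uni/tn-Coke/brc-web-to-db",
        "changeSet": "name:web-to-db, scope:context", "created": "2016-07-12T14:03:21.512+00:00",
        "ind": "creation", "trig": "config", "user": "coke-sec", "txId": "1001"}}},
    {"aaaModLR": {"attributes": {"affected": "uni/tn-Coke/brc-web-to-db/subj-http",
        "changeSet": "name:http", "created": "2016-07-12T14:05:00.000+00:00",
        "ind": "creation", "trig": "config", "user": "coke-sec", "txId": "1002"}}},
    {"aaaModLR": {"attributes": {"affected": "uni/tn-Coke/ap-web/epg-web",
        "changeSet": "prio:level1", "created": "2016-07-12T15:10:02.004+00:00",
        "ind": "modification", "trig": "config", "user": "coke-net", "txId": "1003"}}},
    {"aaaModLR": {"attributes": {"affected": "uni/tn-Coke/ctx-prod",
        "changeSet": "", "created": "2016-07-13T02:41:55.120+00:00",
        "ind": "deletion", "trig": "config", "user": "admin", "txId": "1004"}}},
]})

FIELDS = ("affected", "changeSet", "created", "ind", "trig", "user", "txId")


def parse_audit_log(payload):
    """Return one dict per aaaModLR record, with 'when' parsed as an aware datetime."""
    records = []
    for item in json.loads(payload).get("imdata", []):
        attrs = item.get("aaaModLR", {}).get("attributes")
        if attrs is None:
            continue
        rec = {k: attrs.get(k, "") for k in FIELDS}
        rec["when"] = datetime.fromisoformat(attrs["created"])   # keeps the +00:00 offset
        records.append(rec)
    return records


def changes_by_user(records):
    return dict(Counter(r["user"] for r in records))


def changes_outside_window(records, start_hour=8, end_hour=18):
    """Records whose UTC hour falls outside [start_hour, end_hour): review candidates."""
    return [r for r in records if not start_hour <= r["when"].hour < end_hour]


def deletions_under(records, dn_prefix):
    """DNs deleted inside a subtree such as a tenant (component-boundary prefix match)."""
    return [r["affected"] for r in records
            if r["ind"] == "deletion"
            and (r["affected"] == dn_prefix or r["affected"].startswith(dn_prefix + "/"))]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    print("changes by user:", changes_by_user(recs))
    for r in changes_outside_window(recs):
        print("outside window:", r["when"].isoformat(), r["user"], r["ind"], r["affected"])
    print("deleted under uni/tn-Coke:", deletions_under(recs, "uni/tn-Coke"))
```

In the constructed data the one record that stands out is the VRF deletion at 02:41 UTC by `admin`, exactly the kind of event that the per-tenant security admin role on the previous slides exists to prevent and that the audit trail exists to surface.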

  • ACI Endpoint Tracker Application: Enables Compliance and Auditing

    Tracks all attachment, detachment and movement of endpoints
    Time-stamps all endpoint attach/detach events for auditing
    Stores full historical data in a MySQL database for forensics
    Supports open visualization and query tools
    Built on top of the open-source ACI Toolkit

  • Configuring ACL Logging

    Configured at the contract-subject-filter level, between two endpoint groups, and enabled on both endpoint groups
    Logging default value: enabled for deny, disabled for permit
    Nexus 9300-EX is required for permit logging

    (Diagram: log flow from the fabric via APIC-configured syslog to Splunk and other SIEM tools)
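Since permit logging is off by default and lives on each subject-filter attachment, the practical question is which permitted flows are silent. The script below is an added example, not code from the session: it walks a tenant export in APIC JSON form (`fvTenant` containing `vzBrCP` contracts, `vzSubj` subjects and `vzRsSubjFiltAtt` filter attachments, whose `directives` attribute carries `log`) and lists the filters that will not produce ACL log entries. The tenant is constructed for the example; directional filters attached under `vzInTerm`/`vzOutTerm` are not handled here.

```python
"""Find contract subject filters that will not be logged (added example).

Walks a tenant export in APIC JSON form (fvTenant > vzBrCP > vzSubj >
vzRsSubjFiltAtt) and reports filter attachments whose 'directives' lacks
'log'.  The tenant below is constructed, not exported from a real APIC.
"""
import json

SAMPLE_TENANT = json.dumps({"fvTenant": {"attributes": {"name": "Coke"}, "children": [
    {"vzBrCP": {"attributes": {"name": "web-to-db"}, "children": [
        {"vzSubj": {"attributes": {"name": "http"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "http", "directives": "log"}}}]}},
        {"vzSubj": {"attributes": {"name": "db"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "tcp-3306", "directives": ""}}}]}},
    ]}},
    {"vzBrCP": {"attributes": {"name": "mgmt"}, "children": [
        {"vzSubj": {"attributes": {"name": "ssh"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "ssh", "directives": "no_stats"}}},
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "icmp", "directives": "log,no_stats"}}}]}},
    ]}},
    {"fvAp": {"attributes": {"name": "web"}, "children": []}},   # unrelated class, skipped
]}})


def _children(mo):
    """Yield (class, attributes, body) for each child of a JSON managed object."""
    for child in mo.get("children", []):
        for cls, body in child.items():
            yield cls, body.get("attributes", {}), body


def iter_subject_filters(tenant_json):
    """Yield (contract, subject, filter, set-of-directives) for every filter attachment."""
    tenant = json.loads(tenant_json)["fvTenant"]
    for cls, c_attrs, contract in _children(tenant):
        if cls != "vzBrCP":
            continue
        for scls, s_attrs, subject in _children(contract):
            if scls != "vzSubj":
                continue
            for fcls, f_attrs, _ in _children(subject):
                if fcls != "vzRsSubjFiltAtt":
                    continue
                # directives is a comma-separated string, e.g. "log,no_stats"
                directives = {d.strip() for d in f_attrs.get("directives", "").split(",") if d.strip()}
                yield c_attrs["name"], s_attrs["name"], f_attrs["tnVzFilterName"], directives


def filters_without_log(tenant_json):
    """Permitted flows through these filters leave no ACL log entry."""
    return sorted((c, s, f) for c, s, f, d in iter_subject_filters(tenant_json) if "log" not in d)


def filters_with_log(tenant_json):
    return sorted((c, s, f) for c, s, f, d in iter_subject_filters(tenant_json) if "log" in d)


if __name__ == "__main__":
    for contract, subject, filt in filters_without_log(SAMPLE_TENANT):
        print(f"no permit logging: contract={contract} subject={subject} filter={filt}")
```

Note that the check is purely about configuration: on leaf hardware that cannot log permits (the slide names the 9300-EX as the requirement), a `log` directive on a permit filter will still yield nothing, so the hardware check has to be done separately.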

  • ACI Diagrams

    A whiteboard-style diagram of how the network is configured to secure applications:
    http://blog.esquilax.org/2015/01/14/generating-aci-diagrams-with-acitoolkit/
    https://github.com/cgascoig/aci-diagram

  • JSON2DOC

    A Python script that imports the .json configuration of a tenant and converts it into a Word document explaining how the tenant is configured:
    https://github.com/erjosito/stuff/blob/master/json2doc.py

  • Port Security for the MAC Table: Protect Mode Behavior Details

    When the number of learned MACs exceeds the configured MAC limit, the following happens on the port:
    Learning is disabled
    The exceeding MAC addresses are not added to the CAM table
    Traffic from the exceeding MAC addresses is dropped
    One syslog entry is generated for the violation action

    MAC limit will be supported only per port
    FEX will not be supported
    MAC limit will be enforced only on MAC, not on MAC and IP (IP learning continues on already learned MACs)

    Leaf Switch          SW Release   Timeline
    9300 and 9300(-E)    2.0          Q3-CY16
    9300(-EX)            2.X          Q4-CY16

  • ACI Security Certifications

    (Table: certification status for ACI; the status column reads Done, Target Q4 CY16, Target Q3 CY16, Target Q4 CY16, Planning. The certification names are not recoverable from the slide text.)

  • Agenda

    Introduction
    Secure Fabric
    A Little About Policy
    Micro-Segmentation
    Service-Graphs
    ACI-TrustSec Integration