© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Local Edition
TrustSec for a Secure Network
Clark Gambrel ([email protected]) - Kentucky
Sam Camarda ([email protected]) - Louisiana
Consulting Systems Engineer – Security
Table of Contents
• Advanced Threats
• Authentication
• Profiling
• Posture Assessment
• Network Segmentation
• Security Group Tags
Why?
Advanced Threats
“There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage.”
Source: Security’s New Reality: Assume the Worst; Dark Reading
Advanced Threats – Advanced Persistent Threats (APTs)
• APT is the Hot Topic in Information Security
‒ Aurora (2009) brought the term into the mainstream
‒ They actually incorporate a number of threats
• APT have Common Features
‒ Defined goal, not opportunistic
‒ Stealthy infiltration, horizontal propagation
‒ Obfuscate trail, to ensure continued compromise
‒ Multiple tools / tactics used throughout campaign
‒ Significant resources required over an extended period
• APT Component Parts Are Not Really Advanced
‒ Off-the-shelf malware dev kits
‒ Spear phishing & social engineering
‒ Drop an infected key in the car park / smoking area, etc.
APT Attack Targets & Methodology
• Who Are The Targets?
‒ Governments
   Economic offices, military, diplomatic corps, etc. – anyone working overseas
   Outside government contractors, advisors (e.g. academic scholars)
   Dissident and activist support organizations (and related NGOs)
‒ Private sector & commercial
   Multinational businesses – aerospace, energy, pharmaceutical, finance, technology
• How Do They Work?
[Figure: attack flow – Recon, Identify Target, Phishing, 0-day Malware, Initial Access, Infiltrate, Spread, Persist, Extract IP]
To defend we must recognize actors’ motives
• Stock Price Manipulation
‒ Company Financials
‒ Sales Forecasts
• Gain Competitive Advantage
‒ Go-to-market strategies
‒ Product roadmaps and schedules
‒ Acquisition plans
‒ Customer lists
• Impact Operations
• Damage the Company Brand
‒ Web Site Defacing
‒ Denial of Service
• Obtain Intellectual Property
‒ ASIC designs
‒ Source Code
• Exploit the Network Potential
‒ Huge amount of Internet Bandwidth
‒ Hundreds of thousands of PCs
• Fraud
‒ RMA Fraud
‒ Bank Account Transfers
‒ Toll Dial Fraud
‒ Credit Card Data
‒ Identity Theft
‒ Counterfeiting
• Attack Specific Customers
‒ Vulnerabilities in Source Code
‒ Bug Tracking Data
… And More!
Threats? Is that all I need to worry about?
Sadly… No
The Device Landscape
• Corporate Laptops
• Corporate VXI Endpoints
• Mobile Devices (BYOD)
• Other
Top of Mind Security Concerns
• How can we minimize the threats these devices bring with them?
• How to deploy a consistent policy for all these devices?
• How to ensure end-to-end security in a scalable way?
The Challenge: Device Proliferation – What threat? Where?
Device proliferation will lead to billions of devices (Internet of Everything).
How it’s made
Concept: Kill Chain
• Reconnaissance: Harvesting email addresses, identifying information, etc.
• Weaponization: Coupling exploit with backdoor into deliverable payload
• Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: Exploiting a vulnerability to execute code in victim system
• Command and Control: Command channel for remote manipulation of victim
• Actions on Objectives: Intruders accomplish their original goal
• Source: http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/
Kill Chain: Post Breach
[Figure, built up over several slides: the stages an intruder moves through after the initial breach]
Initial breach:
1. Social Engineering / Exploit
2. Command and Control
Post breach:
1. Command and Control
2. Reconnaissance
3. Propagation
4. C&C Alternate Path / Data Theft
Stealth/Sleep between stages
Sit back and watch it happen? Nope…
So, What to do first? How do I limit my exposure?
• Educate Users
• Standardize
• Anti-Virus
• User Privileges
• Patch, Patch, Patch
• Isolate – Java?
• Upgrade
• AAA - Segment and Contain (Authenticate & Authorize)
Network Access Policies: Authentication and Authorization
• Identity Information – Group: Contractor, Group: Full-Time Employee, Group: Guest
• + Other Conditions – Time and Date, Access Type, Location, Posture, Device Type
• Authorization (Controlling Access) – Broad Access, Limited Access, Guest/Internet, Deny Access, Quarantine, Track Activity for Compliance
Access Scenarios:
• Vicky Sanchez – Employee, Marketing – Wireline – 3 p.m.
• Frank Lee – Guest – Wireless – 9 a.m.
• Security Camera G/W – Agentless Asset – MAC: F5 AB 8B 65 00 D4
• Francois Didier – Consultant HQ—Strategy – Remote Access – 6 p.m.
TrustSec Authentication Overview
• IEEE 802.1X: Standard for link-layer authentication and access control. Components: supplicant (client), authenticator (switch), and AAA server. Uses Extensible Authentication Protocol (EAP) to transport authentication info.
• MAC Auth Bypass (MAB): Authenticate using the client’s MAC address. For devices that don’t support 802.1X (no supplicant), such as printers.
• Web Authentication: For clients that don’t support 802.1X (no supplicant) but are capable of interactive HTTP authentication.
Wired Flexible Authentication – One Configuration Fits All
• One configuration addresses all use cases, all host modes
• Controllable sequence of access control mechanisms, with flexible failure and fallback authorization
• Support for IP Telephony
• Support single-host and multi-auth scenarios
[Figure: authentication sequence EAP/802.1X → MAB → URL (web) on one port. 802.1X client: EAP credentials sent and validated, port authorized. 802.1X times out or fails → MAB: known MAC → Access-Accept, port authorized; unknown MAC → Access-Accept, port authorized with URL redirect to web authentication. A host change restarts the sequence. Endpoints shown: 802.1X client, IP phone, employee, partner, faculty, sub-contractor, network printer, guest user; ISE is the policy server.]
Profiling Technology – The Ability to Classify Devices
• Why Classify?
‒ Originally: identify the devices that cannot authenticate and automagically build the MAB list.
   e.g. Printer = Bypass Authentication
‒ Today: we also use the profiling data as part of an authorization policy.
   e.g. Authorized User + i-Device = Internet Only
All those devices
[Figure: PCs and non-PCs – UPS, Phone, Printer, AP]
How? ISE Profiling
• What ISE Profiling is:
‒ Dynamic classification of every device that connects to the network, using the infrastructure.
‒ Provides the context of “What” is connected, independent of user identity, for use in access policy decisions
• What Profiling is NOT:
‒ An authentication mechanism.
‒ An exact science for device classification.
Profiling Technology – Visibility Into What Is On the Network
Profiling Non-User Devices – Dynamic Population of MAB Database Based on Device Type
[Figure: access switch, ISE and management network; profiled device types mapped to authorization results]
• UPS = Management_Only dACL
• Cameras = Video VLAN
• Printers = Printer VLAN
Profiling User Devices – Differentiated Access Based on Device Type
[Figure: WLAN controller, ISE, Corp and Guest SSIDs, Internet]
• Kathy (Marketing) + Personal Tablet / Smartphone = Limited Access (Internet Only): Named ACL = Internet_Only
• Kathy (Marketing) + Corp Laptop = Full Access to Marketing VLAN: VLAN = Marketing
Understanding ISE Profiling – IP to MAC Address is Critical
• All endpoints are uniquely identified by their MAC address
‒ One workstation connected to both wired & wireless = 2 devices in ISE
• Some probes collect data based on IP address only. If ISE is not L2 adjacent, then an IP-to-MAC address binding is required.
‒ This means other probes must be in place and working to collect IP-to-MAC data.
• Collection methods that bypass the MAC-IP requirement:
‒ HTTP (URL-redirected traffic)
‒ IOS Sensor
[Figure: probe sources feeding ISE – DNS, IOS Sensor, DHCP, NMAP]
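The IP-to-MAC dependency above, as an added example that is not ISE code: a toy profiler keyed by MAC, where IP-only probe data (HTTP user agent, NMAP) is parked until a DHCP probe supplies the binding, and profiles match on a constructed certainty score. The profile library, OUI table, threshold and sample values are all constructed for illustration.

```python
from collections import defaultdict

# Constructed profile library (not ISE's): (attribute, substring, certainty points).
PROFILES = {
    "Printer":    [("dhcp_class_identifier", "Printer", 30), ("oui", "HP", 10)],
    "Apple-iPad": [("http_user_agent", "iPad", 20), ("oui", "Apple", 10),
                   ("dhcp_class_identifier", "iPad", 20)],
}
MIN_CERTAINTY = 30                                     # constructed threshold
OUI_TABLE = {"00:1B:63": "Apple", "00:17:A4": "HP"}    # constructed OUI feed


class Profiler:
    """Endpoints are keyed by MAC, as in ISE; IP-only probe data can only be
    attached to an endpoint once a DHCP probe has supplied the IP-to-MAC binding."""

    def __init__(self):
        self.endpoints = defaultdict(dict)   # MAC -> collected attributes
        self.ip_to_mac = {}                  # learned from the DHCP probe
        self.orphaned = []                   # IP-only data with no binding yet

    def dhcp(self, mac, ip, class_id):
        """DHCP probe: sees MAC and IP together, so it also creates the binding."""
        mac = mac.upper()
        self.ip_to_mac[ip] = mac
        self.endpoints[mac]["dhcp_class_identifier"] = class_id
        self.endpoints[mac]["oui"] = OUI_TABLE.get(mac[:8], "Unknown")

    def ip_probe(self, ip, attribute, value):
        """NMAP / HTTP style probe: knows only the IP. Without a binding the
        data cannot be tied to a MAC and is parked, not profiled."""
        mac = self.ip_to_mac.get(ip)
        if mac is None:
            self.orphaned.append((ip, attribute, value))
            return False
        self.endpoints[mac][attribute] = value
        return True

    def classify(self, mac):
        """Best profile whose summed certainty meets the minimum, else Unknown."""
        attrs = self.endpoints.get(mac.upper(), {})
        best, best_score = "Unknown", 0
        for name, conditions in PROFILES.items():
            score = sum(points for attribute, needle, points in conditions
                        if needle in attrs.get(attribute, ""))
            if score >= MIN_CERTAINTY and score > best_score:
                best, best_score = name, score
        return best
```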
Feed Service
• Automatic Updates
• Feeds OUIs, Profiles, Posture, Bootstraps, and Agents
• Has approval / publish process
What has this device been doing?
Posture Assessment – Does the Device Meet Security Requirements?
• Posture = the state-of-compliance with the company’s security policy.
‒ Is the system running the current Windows Patches?
‒ Anti-Virus Installed? Is it Up-to-Date?
‒ Anti-Spyware Installed? Is it Up-to-Date?
‒ Screensaver enabled? Password Protected?
‒ Personal Firewall Enabled?
• User / System Identity is extended to include their Posture Status.
• Can be extended to Mobile Devices
‒ MobileIron, AirWatch, Citrix, Afaria, SAP
‒ Device Registration, Wipe, Lock
ISE – Posture Policies
[Figure: posture policy applied across Wired, Wireless and VPN access for Employees and Contractors/Guests]
• Employee Policy: Microsoft patches updated; Trend Micro AV installed, running, and current; Corp asset checks; Enterprise application running
• Contractor Policy: Any AV installed, running, and current
• Guest Policy: Accept AUP (No posture - Internet Only)
Authorization and Segmentation
Network Segmentation
• Primary Network Segmentation Methods
‒ Ingress port dynamic VLAN assignment
‒ Ingress port ACLs
   Downloadable ACLs (dACLs)
   Named ACLs (filter-id)
‒ Egress port ACLs (Security Group ACLs, or SGACLs)
• Complementary Technologies and Segmentation Methods
‒ Virtual Routing and Forwarding (VRF)
‒ Generic Routing Encapsulation (GRE)
‒ Virtual Private Networking (VPN)
‒ Policy-Based Routing (PBR)
‒ Other tunneling / path isolation technologies (L2TPv3, MPoE, QinQ, WDM, etc.)
VLANs and dACLs
VLANs
• Authorization policy dynamically sets port VLAN
• VLAN assignment based on user compliance or role; for example: Quarantine/Remediation VLAN, Guest VLAN, Employee VLAN
• Infrastructure is responsible for isolating or securing traffic on the VLAN, using ACLs, firewalls, and/or path isolation (VRFs, tunnels, etc.).
• Typically requires an IP change, thus often disruptive to user access, with potential delays and/or conflicts with other endpoint processes.
dACLs
• Authorization policy dynamically sets port ACL to limit device access
• ACL source (any) automatically converted to specific host address
• Resource limits per switch on ACE count per ACL, thus intended for coarse-grained access restrictions
• No IP address change required, thus typically less disruptive to the endpoint and improved user experience.
[Figure: 802.1X/MAB/Web Auth session resulting in VLAN assignment or ACL download]
Authorization – Switch/Controller is the Enforcement Point
What Makes this Work – Change of Authorization (CoA)
• CoA allows an enforcement device (switchport, wireless controller, VPN device) to change the VLAN/ACL/redirection for a device/user without having to start the entire process all over again.
• Without it: manually remove the user from the network & then have the entire AAA process begin again.
‒ Example: disassociate wireless device & have to join wireless again.
• Specified in RFC 3576 and RFC 5176
RADIUS Change of Authorization (CoA)
[Figure: endpoint moved from Quarantine VLAN to CORP VLAN]
1. Endpoint fails Posture Assessment and gets assigned to Quarantine VLAN
2. Endpoint remediates itself and is reported: Posture=Compliant
3. ISE issues RADIUS CoA to re-authenticate
4. Client is re-authenticated and assigned to CORP VLAN
Dynamic session control from a Policy server:
• Re-authenticate session
• Terminate session
• Terminate session with port bounce
• Disable host port
• Session Query
‒ For Active Services
‒ For Complete Identity
• Service Specific
‒ Service Activate
‒ Service De-activate
‒ Service Query
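The CoA exchange described in the two slides above (RFC 3576 / RFC 5176), as an added example that is not Cisco or ISE code: the policy server builds a CoA-Request carrying the re-authenticate command and checks the NAS's CoA-ACK/NAK. The Request and Response Authenticator rules follow RFC 5176 section 3; the shared secret, NAS address and session id are constructed, and `make_response` only stands in for the NAS so the check can be exercised offline.

```python
import hashlib
import hmac
import struct

# RADIUS codes from RFC 5176 and the attribute types used below.
DISCONNECT_REQUEST, COA_REQUEST, COA_ACK, COA_NAK = 40, 43, 44, 45
ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_SESSION_ID = 4, 26, 44
CISCO_VENDOR_ID = 9            # cisco-avpair is vendor type 1 under vendor 9


def attribute(atype, value):
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    sub = struct.pack("!BB", 1, 2 + len(text)) + text.encode()
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret), per RFC 5176 section 3."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def reauth_request(ident, session_id, nas_ip, secret):
    """CoA-Request asking the switch to re-authenticate one session (the
    'Re-authenticate session' action above), identified by Acct-Session-Id
    and NAS-IP-Address; the command rides in a Cisco AV-pair."""
    attrs = [attribute(ATTR_ACCT_SESSION_ID, session_id.encode()),
             attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             cisco_avpair("subscriber:command=reauthenticate")]
    return build_request(COA_REQUEST, ident, attrs, secret)


def make_response(code, request, attrs, secret):
    """Stand-in for the NAS (CoA-ACK or CoA-NAK): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """Policy-server side check. Returns the response code only if the length,
    identifier and Response Authenticator all match; otherwise None."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None
```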
CoA Benefit – Native Supplicant or EAP-Chaining with AnyConnect
[Figure: Windows boot and logon timeline, showing the components that depend on network connectivity and where machine and user authentication occur]
• Power On, Kernel Loading, Windows HAL Loading, Device Driver Loading
• Machine Authentication
• Obtain Network Address (Static, DHCP)
• Determine Site and DC (DNS, LDAP)
• Establish Secure Channel to AD (LDAP, SMB)
• Kerberos Authentication (Machine Account)
• Computer GPOs Loading (Async)
• GPO based Startup Script Execution
• Certificate Auto Enrollment, Time Synchronization, Dynamic DNS Update
• GINA
• User Authentication
• Kerberos Auth (User Account)
• User GPOs Loading (Async)
• GPO based Logon Script Execution (SMB)
Authorization Challenges – Ingress Access Control
• Can I create / manage the new VLANs or IP address scope?
• How do I deal with DHCP refresh in the new subnet?
• How do I manage the ACL on the VLAN interface?
• Do protocols such as PXE or WOL work with VLAN assignment?
• Any impact to route summarization?
• Who’s going to maintain ACLs?
• What if my destination IP addresses change?
• Does my switch have enough TCAM to handle all requests?
• Traditional access authorization methods leave some deployment concerns:
‒ Detailed design before deployment is required, otherwise…
   • Not so flexible for changes required by today’s business
   • Access control project ends up with redesign for entire network
   • Access devices now being used as security devices
[Figure: 802.1X/MAB/Web Auth session resulting in ACL download or VLAN assignment]
Enter Secure Group Access – Topology Independent Access Control
• Term describing use of:
‒ Secure Group TAGs (SGTs)
‒ Secure Group ACLs (SGACLs)
‒ When a user logs in they are assigned a TAG (SGT) that identifies their role
‒ The TAG is carried throughout the network
• Removes concern about TCAM space for detailed ingress ACLs
• Removes concern of ACE explosion on DC firewalls
• Enforce that tag in the data center or at the ASA edge
• SGACLs are applied based on a matrix:
  SGT     Public   Private
  Staff   Permit   Permit
  Guest   Permit   Deny
Security Group-Based Access Control In Action
• Authorization policy dynamically sets egress port ACL (SGACL) to limit device access
• ACL source (any) automatically converted to specific host address
• Since the ACL is applied close to the destination (protected resource), SGACLs are intended for fine-grained access restrictions
• SGA abstracts the network topology from the policy, thus reducing the number of policy rules the admin must maintain
[Figure: 802.1X/MAB/Web Auth – “I’m a contractor, my group is HR” → Contractor & HR SGT = 100; SGACL enforced at egress toward Finance (SGT=4) and HR (SGT=10)]
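The matrix from the Secure Group Access slide and the egress enforcement described just above, as an added example that is not Cisco code: a source-SGT x destination-SGT matrix of ordered ACEs evaluated at the egress point, plus a count of how many host-to-host ACEs an address-based ACL would need for the same policy. SGT numbers, ACE lists, the default cell, the no-match convention and the group memberships are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed SGT numbers and ACE lists (the deck's own examples use
# Finance=4 and HR=10/100; these values are illustrative only).
STAFF, GUEST, CONTRACTOR, PUBLIC, PRIVATE = 10, 100, 110, 20, 30
PERMIT_IP = [("permit", "ip", None)]
DENY_IP = [("deny", "ip", None)]

# Source SGT x destination SGT -> ordered ACE list (action, protocol, dst port).
# The first four cells are the Staff/Guest x Public/Private table above; the
# fifth shows a fine-grained SGACL (HTTPS only) that an egress point can apply.
MATRIX = {
    (STAFF, PUBLIC): PERMIT_IP, (STAFF, PRIVATE): PERMIT_IP,
    (GUEST, PUBLIC): PERMIT_IP, (GUEST, PRIVATE): DENY_IP,
    (CONTRACTOR, PRIVATE): [("permit", "tcp", 443), ("deny", "ip", None)],
}
DEFAULT_CELL = DENY_IP    # pairs with no explicit cell, incl. untagged SGT 0


@dataclass(frozen=True)
class Packet:
    src_sgt: int               # tag carried with the frame (0 = untagged/unknown)
    dst_sgt: int               # destination group resolved at the egress device
    proto: str
    dst_port: Optional[int] = None


def ace_matches(ace, pkt):
    _, proto, port = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    return port is None or port == pkt.dst_port


def sgacl_decision(pkt):
    """Egress enforcement keyed on tags only, so the result does not depend on
    where the endpoints sit in the topology. Returns (action, reason)."""
    cell = MATRIX.get((pkt.src_sgt, pkt.dst_sgt))
    origin = "default" if cell is None else f"cell {pkt.src_sgt}->{pkt.dst_sgt}"
    for ace in cell if cell is not None else DEFAULT_CELL:
        if ace_matches(ace, pkt):
            return ace[0], f"{origin}: {ace}"
    return "deny", f"{origin}: no ACE matched"   # this example's convention


def ip_acl_equivalent(matrix, members):
    """Host-to-host ACEs an address-based ACL would need to express the same
    matrix; members maps each SGT to the IP addresses in that group."""
    return sum(len(aces) * len(members.get(s, ())) * len(members.get(d, ()))
               for (s, d), aces in matrix.items())
```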
How is the Tag Assigned?
SGT Assignment Process:
1. A user (or device) logs into the network via 802.1X
2. ISE is configured to send a TAG in the Authorization Result, based on the “ROLE” of the user/device
3. The Switch/Controller applies this TAG to the user’s traffic.
Security Group Based Access Control
SGA Allows Customers:
‒ To keep existing logical design at access layer
‒ To change / apply policy to meet today’s business requirement
‒ To distribute policy from central management server
[Figure: ingress enforcement at 802.1X/MAB/Web Auth – “I am an employee, my group is HR” → HR SGT = 100; egress enforcement with SGACL toward HR (SGT=100) and Finance (SGT=4)]
Security Group Based Access Control for Firewalls – Security Group Firewall (SGFW)
[Figure: firewall rules keyed on source tags and destination tags]
More Good Stuff
MACSec and NDAC – Media Access Control Security and Network Device Admission Control
• MACSec: Layer-2 Encryption (802.1AE)
‒ Industry standard extension to 802.1X
‒ Encrypts the links between host and switch and links between switches.
‒ Traffic in the backplane is unencrypted for inspection, etc.
‒ Client requires a supplicant that supports MACSec and the encryption key exchange
• NDAC: Authenticate and authorize switches entering the network
‒ Only honors SGTs from trusted peers
‒ Can retrieve policies from the ACS/ISE server and “proxy” the trust to other devices.
[Figure: hop-by-hop encrypted links between host and switchport and between switchports]
Client MACSec in Action
[Figure: wiring closet switch and campus network; bob’s endpoint is MACSec enabled, steve’s is not]
1. User bob connects. (User: bob, Policy: encryption)
2. Bob’s policy indicates endpoint must encrypt.
3. Key exchange using MKA, 802.1AE encryption complete. User is placed in corporate VLAN. Session is secured.
4. User steve connects. (User: steve, Policy: encryption)
5. Steve’s policy indicates endpoint must encrypt.
6. Endpoint is not MACSec enabled. Assigned to guest VLAN.
802.1X-Rev Components
• MACSec enabled switches
• AAA server 802.1X-Rev aware
• Supplicant supporting MKA and 802.1AE encryption
Register for Cisco Live - Orlando
June 23 – 27, 2013
www.ciscolive.com/us