Transforming Secure Access for Unified Enterprise Networks
Håkan Nohre
Consulting Systems Engineer
Cisco and/or its affiliates. All rights reserved. Cisco Public
How to Succeed with Secure Access
Understand that it is not just an “ISE project....”
[Diagram: ISE at the centre, surrounded by the systems a Secure Access project touches: Network Devices, Active Directory, Desktop Management, PKI, Other Assets (Printers, Security Cameras, IoE), Unified Communications, Firewalls, Legal, Mobile Device Management, Security]
Agenda
Why Secure Access?
Use Cases
– Corporate Devices
– BYOD
– Guests
– Other Devices
Segmenting the Network
Secure Access is Good from a Risk Management Perspective
- Increased Security
- Reduced Workload, More Automation
- Increased Flexibility and Agility - mobile devices, contractors, guests, mobility
[Diagram: cost versus benefit curve - determine your optimal requirements]
Integrated Defense Across the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Visibility and Automation across the Attack Continuum: Identity Services + NAC, pxGrid + TrustSec
ISE Provides Visibility, Context, and Control Across the Entire Continuum
Adding Identity Awareness to the Network
[Diagram: ISE between the access layer (wired, wireless, VPN), the core and the data center (Nexus, ASA, ... more), with MGR on each side; ISE answers Where? Who? What?]
ISE works within a System
[Diagram: the same network (access wired, wireless, VPN; core; data center with Nexus and ASA; MGR on each side) with ISE integrated with Active Directory, MDM and 3rd party security systems (SIEM, IPS etc.) over pxGrid; ISE answers Where? Who? What?]
pxGrid Context Orchestration
[Diagram: security systems, Talos among them, exchanging context over pxGrid:]
- I have NBAR info! I need identity…
- I have location! I need identity…
- I have MDM info! I need location…
- I have app inventory info! I need posture…
- I have identity & device-type! I need app inventory & vulnerability…
- I have firewall logs! I need identity…
- I have threat data! I need reputation…
- I have sec events! I need reputation…
- I have NetFlow! I need entitlement…
- I have reputation info! I
- I have application info! I need location & auth-group…
Single Protocol for Securing Info Access
ISE 1.3: pxGrid = Information Sharing
Visibility: FireSIGHT Discovers
[Diagram: FireSIGHT, integrated with Active Directory, discovers host 10.1.19.4 - OS, user (john), apps, vulnerabilities]
...automatically: Hosts, OS, Logged in Users, Applications, Vulnerabilities
pxGrid: Discovering Identities for Other Devices (New)
[Diagram: host 10.1.19.4 (OS, user john, apps, vulnerabilities) learned through ISE and pxGrid]
- Device authenticates to network (802.1X)
- Cisco ISE shares info with pxGrid
- Works even if device is not in Active Directory
pxGrid: Automated Responses (New)
- Use pre-defined or custom script to initiate automatic actions
- E.g. quarantine device by changing VLAN, ACL or SGT
Indications Of Compromise:
- IPS event impact 1
- Malware
- Communication with BOTNET
[Diagram: an indication of compromise triggers QUARANTINE through ISE, which changes the VLAN or SGT]
Employees with Corporate Computers
[Diagram: joe (HR) authenticates with 802.1X/RADIUS through the access layer (wired, wireless, VPN) to ISE; the data center holds HR and Finance resources; MGR on each side]
Joe is member of HR and is using corporate computer with cert
Authorization/Segmentation
- VLAN, ACL or SGT..
ISE 1.3: support for multiple ADs
Posture Checking (Updated)
[Diagram: joe (HR) authenticates with 802.1X/RADIUS through the access layer (wired, wireless, VPN) to ISE, backed by Active Directory; the data center holds the AV Update server and Finance resources; MGR on each side]
Joe is member of HR and is using corporate computer with cert but does not have updated AntiVirus
Authorization/Segmentation
- VLAN, ACL or SGT..
NAC Agent/ISE Posture Agent now in AnyConnect (New)
ISE Posture Agent (the previous NAC Agent, now part of AnyConnect)
– AnyConnect 4.0
– ISE 1.3
– ASA 9.2.1 for ASA enforcement
Better user experience!
ISE is Single Point of Management for Posture for Wired, Wireless, VPN
No need for Inline Posture Node (IPN)
Employee with BYOD (802.1X)
[Diagram: Joe's iPad authenticates with 802.1X/RADIUS through the access layer (wired, wireless, VPN) to ISE, backed by Active Directory; the data center holds HR, Finance and web resources; MGR on each side]
Joe is member of HR but is using his iPAD authenticating with password
Authorization/Segmentation
- VLAN, ACL or SGT..
Quiz Time!
When being presented with the security warning about an untrusted server certificate, the average user will
a) Reject the certificate, since he cares deeply about security
b) Accept the certificate, since he wants to get access to the network
One (of many) possible attacks…
SSID = Corporate (802.1X)
Phishing Toolbox:
• AP broadcasting SSID
• RADIUS server (configured to negotiate PEAP-GTC…, saves cracking MSCHAPv2)
[Diagram: credentials the phishing toolbox receives - User: hacke, Password: 34Ng”!#flsfkl45]
Problem with Passwords (PEAP)
Username/Password based authentication inherits the severe issues with passwords:
- How to control that they are not shared… Phishing attacks etc
- How to control that they are changed frequently
What if we could provision client certificates to the device?
[Cartoon: “#$$$@@@!! I know the password, but I still cannot get access to the network”]
Provisioning Certificates to BYOD (New! CA in ISE)
[Diagram: Joe's iPad authenticates through the access layer (wired, wireless, VPN) to ISE, backed by Active Directory; the data center holds HR, Finance and web resources; MGR on each side]
Joe is member of HR but is using his iPAD authenticating with password – provision certificate
Employee with BYOD (MDM-Integration)
[Diagram: joe (HR) connects through the access layer (wired, wireless) to ISE, which queries the MDM; the data center holds HR, Finance and web resources; MGR on each side]
Is Device Known by MDM?
Is Device Compliant?
Automated Device Security Posture Assessment and Compliance Check
MDM Integration: Corporate and Personal Device Posture Check and MDM Remediation
MDM Policy Check:
- Device registration status
- Device compliance status
- Disk encryption status
- Pin lock status
- Jailbreak status
- Manufacturer
- Model
- IMEI
- Serial number
- OS version
- Phone number
ISE Integration with Meraki MDM (Systems Manager Enterprise) New!
Profiling Non-802.1X Capable Devices
[Diagram: an unknown device (?) connects through the access layer (wired, wireless) and is placed in the initial ACL/VLAN; ISE consults the MAC Database; the data center holds HR, Finance and Surveillance resources; MGR on each side]
Network Behaviour used for profiling:
- MAC address
- DHCP parameters
- Info from SNMP
- Info from Netflow
- HTTP User-Agent
- DNS
- Nmap
- ….
ISE: “Behaves like a Surveillance Camera, update our MAC Database”
ISE Profiling
[Diagram: the profiled device now has an entry in the MAC Database; ISE authorizes it and the VLAN or SGT controls its access to HR, Finance or Surveillance resources in the data center; MGR on each side]
Authorization/Segmentation: VLAN or SGT controls access
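As an added illustration of the profiling flow on the two slides above (not Cisco's code and not ISE's shipped profiling policies), the following Python scores endpoint attributes against certainty-weighted conditions and maps the winning profile to a VLAN/SGT, leaving unmatched endpoints in the restricted initial ACL/VLAN. Profile names, the OUI, the weights and the endpoint attributes are constructed for the example.

```python
# Added example, not Cisco's code: a minimal certainty-factor profiler in the
# spirit of ISE profiling. Profiles, weights and OUIs are constructed.
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    min_certainty: int  # total weight an endpoint must reach to match
    conditions: list = field(default_factory=list)  # (attribute, substring, weight)


# Constructed policies; the OUI 00:11:22 is a placeholder, not a real vendor prefix.
PROFILES = [
    Profile("Surveillance-Camera", 30, [
        ("mac", "00:11:22", 20),
        ("dhcp-class-identifier", "udhcp", 10),
        ("http-user-agent", "Camera", 20),
    ]),
    Profile("Printer", 30, [
        ("dhcp-class-identifier", "Printer", 30),
        ("snmp-sysdescr", "JetDirect", 20),
    ]),
]

# Authorization per profile (slide: VLAN or SGT controls access). Endpoints that
# match no profile keep the restricted initial ACL/VLAN until more data arrives.
AUTHZ = {"Surveillance-Camera": {"vlan": 200, "sgt": "Cameras"},
         "Printer": {"vlan": 300, "sgt": "Printers"}}
INITIAL = {"vlan": 999, "sgt": "Unknown", "acl": "initial-restricted"}


def certainty(profile, attrs):
    """Sum the weight of every condition whose substring occurs in that attribute."""
    return sum(w for attr, needle, w in profile.conditions if needle in attrs.get(attr, ""))


def profile_endpoint(attrs):
    """Return the best-scoring profile, or 'Unknown' if it misses its threshold."""
    best = max(PROFILES, key=lambda p: certainty(p, attrs))
    return best.name if certainty(best, attrs) >= best.min_certainty else "Unknown"


def authorize(attrs):
    return AUTHZ.get(profile_endpoint(attrs), INITIAL)


# Constructed endpoint attributes, as the DHCP/HTTP/SNMP probes would collect them.
CAMERA = {"mac": "00:11:22:aa:bb:cc", "dhcp-class-identifier": "udhcp 1.24",
          "http-user-agent": "Camera Web Server"}
LAPTOP = {"mac": "f0:f0:f0:01:02:03", "dhcp-class-identifier": "MSFT 5.0"}
```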
Case Study: Problem solved by ISE
Security Conscious Enterprise
Each branch had computers, printers, surveillance cameras, room booking systems
Static port configuration, e.g.:
- port 1-16 computers
- port 17-20 printers
- port 21-24 cameras
Error prone when adding new devices (connect to wrong port..)
Bad port usage... empty ports but still no "free" ports when you need to connect another type of device.
ISE Guest Handling (Big Improvements in ISE 1.3)
Wireless or Wired or VPN
Internet Access and/or restricted access to internal resources
- consultants may need to access internal resources
Unique username/passwords, logs and reports
- Sponsored Guests
- Hotspot
- Self Service
- Self Service with SMS
Segmenting the Network #1: Using VLANs
[Diagram: ISE assigns endpoints to VLAN 100 or VLAN 200 based on Who? What? Where?; the upstream FW sees only VLANs (?); MGR on each side]
+ Well Proven and Widely Used
- Maintenance subnets, DHCP scopes..
- How to convey VLAN to upstream Firewalls
- Peer-to-Peer Enforcement within VLAN
- IP refresh issue with non-802.1X supplicants
Segmenting the Network #2: Downloadable ACLs
[Diagram: endpoints stay in the same VLAN 100; ISE downloads an ACL that is applied to the switch port based on Where?; upstream FW; MGR on each side]
Remark: ACL for Cameras
permit tcp any host 10.1.1.3 eq https
Remark: ACL for Corporate PCs
permit tcp any host 10.1.1.3 eq https
+ Well Proven and Widely Used
+ No changes to ip subnets
- How to convey Security info to upstream Firewalls
- Consumes TCAM resources
Segmenting the Network #3: Security Group TAGs
[Diagram: ISE downloads the SGT (Cameras, Corporate PCs) and the SGT ACL to the switch based on Where?; upstream security devices (FW) can enforce policy on SGT; MGR on each side]
+ No changes to ip subnets, Security Policy decoupled from ip addressing
+ Conveys Security Group to Upstream Firewalls
+ Does not consume TCAM resources
- Does not work with legacy switches
Firewall Old Style
Firewall Rules based on IP addresses
- no knowledge of identity
- firewall ruleset changes when network grows/changes
Source              Destination         Service  Action
InsideNets100       FinanceServers      HTTPS    PERMIT
  10.1.1.0/24         172.16.2.0/24
  10.1.9.0/24         172.16.9.0/24
  192.168.3.0/24      172.16.15.0/24
Firewalls Today: Legacy Next Generation Firewall
Firewall Rule set Leverages Active Directory
- independent of IP addressing
- works for users logged into Active Directory Domain
- does not convey identity for iPADs, IP phones etc.
- does not convey other context such as posture, location...
Source   Destination                                      Application  Action
Finance  Finance Servers (172.16.2.0/24, 172.16.15.0/24)  HTTPS        PERMIT
IT       Switches (10.0.99.0/24)                          SSH          PERMIT
ANY      ANY                                              ANY          DENY
Security Group Tag Aware Firewall
Ruleset can utilize Security TAGs
- info on who, what device, posture, where
- also works for devices outside of AD domain
- also works for destinations/servers
Source TAG             Destination     Application  Action
Finance, CleanMachine  FinanceServers  HTTPS        PERMIT
IP Phones, Any         Phone Servers   SIP          PERMIT
financeIPAD            FinanceVDI      ICA          PERMIT
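As an added example (not Cisco's code), this Python evaluates the same constructed flows against an old-style IP ruleset and an SGT ruleset modelled on the table above, showing that a new branch subnet and a failed posture check are handled by the tags without a ruleset change. The subnets, tag names and flows are constructed; the tag rules follow the slide's table, with multiple source tags meaning all must be present.

```python
# Added example, not Cisco's code: IP-based versus SGT-based firewall policy
# evaluated over constructed flows.
import ipaddress

# Old style: rules keyed on address objects. The list must change when a subnet is added.
IP_RULES = [
    {"src": ["10.1.1.0/24", "10.1.9.0/24", "192.168.3.0/24"],
     "dst": ["172.16.2.0/24", "172.16.9.0/24", "172.16.15.0/24"],
     "app": "HTTPS", "action": "PERMIT"},
]

# SGT aware: rules keyed on tags that ISE assigned at access time (who, what device,
# posture, where). A rule's src is the set of tags the flow must carry, all of them.
SGT_RULES = [
    {"src": {"Finance", "CleanMachine"}, "dst": "FinanceServers", "app": "HTTPS", "action": "PERMIT"},
    {"src": {"IP Phones"}, "dst": "Phone Servers", "app": "SIP", "action": "PERMIT"},
    {"src": {"financeIPAD"}, "dst": "FinanceVDI", "app": "ICA", "action": "PERMIT"},
]


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def ip_policy(flow):
    """First match on source/destination address and application; implicit deny."""
    for r in IP_RULES:
        if in_any(flow["src_ip"], r["src"]) and in_any(flow["dst_ip"], r["dst"]) and flow["app"] == r["app"]:
            return r["action"]
    return "DENY"


def sgt_policy(flow):
    """First match on the tags carried by the flow instead of on addresses; implicit deny."""
    for r in SGT_RULES:
        if r["src"] <= flow["src_tags"] and flow["dst_tag"] == r["dst"] and flow["app"] == r["app"]:
            return r["action"]
    return "DENY"


# Constructed flows: KNOWN_NET comes from a subnet the IP ruleset lists; NEW_BRANCH
# from a new finance subnet the IP ruleset was never updated for; BAD_POSTURE is a
# Finance user whose posture check failed, so ISE did not assign CleanMachine.
KNOWN_NET = {"src_ip": "10.1.1.7", "dst_ip": "172.16.2.10", "app": "HTTPS",
             "src_tags": {"Finance", "CleanMachine"}, "dst_tag": "FinanceServers"}
NEW_BRANCH = {"src_ip": "10.1.50.7", "dst_ip": "172.16.2.10", "app": "HTTPS",
              "src_tags": {"Finance", "CleanMachine"}, "dst_tag": "FinanceServers"}
BAD_POSTURE = {"src_ip": "10.1.1.8", "dst_ip": "172.16.2.10", "app": "HTTPS",
               "src_tags": {"Finance"}, "dst_tag": "FinanceServers"}
```

The IP ruleset permits BAD_POSTURE because addresses carry no posture context, and denies NEW_BRANCH until someone edits the address object; the SGT ruleset gets both right without a change.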
Industry Recognizes Cisco Leadership
Image: Gartner Magic Quadrant for Network Access Control 2013, Lawrence Orans, John Pescatore – 12 December 2013
THE NAC Innovation Leader
- Pioneered NAC Technology
- Developed NAC Standards
- First to Launch in 2004
Positioned as a LEADER in Gartner Magic Quadrant for Network Access Control
- Gartner December 2013, 2012, 2011
“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.”
- Forrester 2011
Conclusion
- Increased Security
- Reduced Workload, More Automation
- Increased Flexibility and Agility - mobile devices, contractors, guests, mobility
[Diagram: cost versus benefit curve - determine your optimal requirements]