
TechWiseTV Workshop: Cisco Stealthwatch and ISE


Page 1: TechWiseTV Workshop: Cisco Stealthwatch and ISE
Page 2

Top trends in the networks today

Trends: Bring Your Own Device, Cloud Services, Internet of Things

Challenges: Growing Attack Surface, Dynamic Threat Landscape, Complexity & Fragmentation

Page 3

Anatomy of a Breach

Reconnaissance

Victim clicks phishing email link

Malware dropped via backdoor

Lateral Movement to find Admin

Escalate Privilege to become Admin

Data Exfiltration using Admin privilege

Information monetized after breach

Page 4

Lateral Movement

East to West: Users to Users, DC Servers to DC Servers

North to South: Users to DC, Application Servers

Page 5

Need dynamic, effective segmentation today

Traditional Methods: Set and forget, OPEX heavy, Inefficient

Next-Gen Segmentation: Logical Isolations, Dynamic Segmentation, Monitor Violations

Page 6

Network as a Sensor, Network as an Enforcer

Two major solutions with the integration of Cisco ISE and Cisco SW (Stealthwatch), which exchange information over SYSLOG and pxGrid:

Effective Segmentation: use of ISE and Stealthwatch to profile assets, classify, model, segment and monitor policies

Threat Containment: controlled access on posture compliance, analyze behavior, quarantine on anomaly

Page 7

Effective Segmentation

Page 8

“Effective network segmentation… restricts communication between networks and reduces the extent to which an adversary can move across the network.” (US-CERT)

Page 9

TrustSec Simplifies Network Segmentation

Traditional Segmentation: Security Policy based on Topology (high cost and complex maintenance)

• Access Layer, Aggregation Layer, Enterprise Backbone
• One VLAN per role: Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN (BYOD), Quarantine VLAN (Non-Compliant)
• Each VLAN brings its own Address, DHCP Scope, Redundancy, Routing, Static ACL and VACL

TrustSec: Use existing topology and automate security policy to reduce OpEx

• No VLAN Change, No Topology Change, Central Policy Provisioning, Micro/Macro Segmentation
• The Access Layer keeps only the Voice VLAN and Data VLAN; Employee, Supplier, BYOD and Non-Compliant endpoints are distinguished by tags (Employee Tag, Supplier Tag, Non-Compliant Tag) assigned by ISE
• Policy is applied at the DC Firewall / Switch in front of the DC Servers

Page 10

TrustSec in Action: Classification, Propagation, Enforcement

• Classification: ISE, using the Directory and user identity, assigns SGTs to Users at the access layer (Switch, Wireless, Remote Access)
• Propagation: the SGT travels with the traffic across the Network and Routers (example tags in the diagram: 5 SGT, 7 SGT, 8 SGT)
• Enforcement: the DC Firewall and DC Switch apply policy in front of the Application Servers

Page 11

Propagation Options

Path in the diagram: User, Switch, Router, WAN (GETVPN, DMVPN, IPSEC), Router, Firewall, DC Switch, vSwitch, Server

Fully Supported TrustSec Network: Classification at the access Switch; SGT over Ethernet from Switch to Router; SGT over VPN across the WAN; SGT over Ethernet into the DC; SGACL enforcement at the DC Switch / vSwitch; Classification of the Server

Heterogeneous Network Support: Classification at the access Switch; SXP between Switch and Router and between Router and Firewall where devices cannot carry the tag inline; SGFW enforcement at the Firewall; Classification of the Server

SXP and SGT over Ethernet are on Internet Draft:

https://datatracker.ietf.org/doc/draft-smith-kandula-sxp/

https://wiki.opendaylight.org/images/6/6c/SXP_Specification_and_Architecture_v00.pdf

Page 12

Implementing effective segmentation (Network Segmentation lifecycle)

1- Discover and Classify Assets

2- Understand Behavior

3- Design and Model Policy

4- Enforce Policy

5- Active Monitoring

Page 13

1- Discover and Classify Assets

Profile Assets with Cisco ISE (Identity Services Engine): Identity Groups; User & Device Authentications

Profile Assets with NetFlow and StealthWatch: Host Groups; Services, applications and host discovery

Page 14

ISE Provides Device Visibility via Profiling

Integrated Profiling: Visibility in Scale. Network infrastructure provides the local sensing function (Cisco Device Sensor, network based).

Device Feed: Identity in Scale. Manufacturers and ecosystem provide constant updates to new devices.

Active Scanning: Enhanced Accuracy. Cisco® ISE augments passive network insight with active endpoint data (Active Endpoint Scanning).

Data sources feeding Cisco ISE profiling: CDP/LLDP, DHCP, RADIUS, DNS, SNMP, NetFlow, HTTP, NMAP, Device Feed*

Page 15

Context build, summarize, exchange

Sources feeding Cisco ISE: Directory Services, Vulnerability Scanners, System managers, Threat Intelligence, Mobility Services Engine, Mobile Device Managers, Endpoints

Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices. Context built: Security Group, Who, What, When, Where, How, Posture, Threat, Vulnerability.

Context Reuse by eco-system partners for analysis & control: Stealthwatch, Firepower Services, Web Security, + 3rd party partners, over:

• pxGrid

• REST API

• Syslog

Page 16

Visibility through NetFlow

Flow between 10.1.8.3 and 172.168.134.2 across the Internet; Routers and Switches export the Flow Information about the Packets:

SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
: :
APPLICATION NAME NBAR SECURE-HTTP

NetFlow provides:

• Trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurement
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to SPAN based traffic analysis
• Indications of Compromise (IOC)
• Security Group Information

Page 17

2- Understand Behavior

Understand applications, services and protocol behavior: during time of day, per site, from-to critical assets, etc.

Derive normal and abnormal traffic patterns.

Page 18

Understanding behavior with StealthWatch

Full list of all hosts talking with Web Servers: Who, What, When, Where and How

Page 19

Cisco ISE provides context to Stealthwatch

Context Information flows from Cisco ISE to Cisco SW; Mitigation Action flows from Cisco SW back to Cisco ISE.

Page 20

Network as a Sensor: Demo

Page 21

3- Design and Model Policy

Classify Objects into Security Groups

• Directory server search / group mapping

• Device Profiling (Device type certainty)

• Other attributes: Access Time, Location, Method, etc.

Design Policy

• Leverage group definitions from profiling activities

• Monitor mode deployment

Model Policy with StealthWatch

• Passively model policy

Page 22

The SGACL enforcement policy

BRKCRS-2891

Page 23

Design and Model Policy: Monitor Mode

Campus Network: Users, Endpoints on Catalyst® Switches (3K/4K/6K); PCI Server, Production Server and Development Server behind an N7K.

SGACL matrix in Monitor Mode:

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Permit all          Permit all           Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Permit all          Permit all           Permit all

Monitor Mode: Irrespective of authentication status (pass/fail), endpoints get an IP address. Successful authentication gets specific SGTs and failures will be classified as ‘Unknown’ SGT.

Tagged traffic traverses the network allowing monitoring and validation that:

• Assets are correctly classified
• Traffic flows to assets are as predicted/expected

Page 24

Policy Enforcement

• SGACL Policy CoA (Change of Authorization) to push policy change from ISE to appropriate devices in the Campus Network and across the WAN

Supported platforms

• Catalyst Switches (See Link Below)

• WLC 8.4

• Nexus 7K (7.2+)

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-platform-matrix.pdf

Page 25

4- Enforce Policy

Move to active policy enforcement

• Strategic rollout

• Security Group Access Control Lists

• Firewall policy

Push and enforce Security policies from ISE. For SGT policy enforcement, if the switch has to apply access control:

cts role-based enforcement

cts role-based enforcement vlan-list <VLANs>

Page 26

Enforce Policy

Campus Network: Users, Endpoints on Catalyst® Switches (3K/4K/6K); PCI Server, Production Server and Development Server behind an N7K.

Monitor Mode matrix (tagged traffic traverses the network allowing monitoring and validation that assets are correctly classified and traffic flows to assets are as predicted/expected):

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Permit all          Permit all           Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Permit all          Permit all           Permit all

When you know you won't disrupt any legitimate access, enable enforcement for real:

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Deny all            Deny all             Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Deny all            Deny all             Permit all
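As an added example (not code from the workshop deck or from Cisco), the Monitor Mode and enforcement matrices above as a lookup, applied to constructed flow records that carry the source and destination SGT the NetFlow slide shows: it lists which observed conversations would change from Permit to Deny, which is the validation Monitor Mode exists for. The SGT numbers and actions are the slides'; the flow records, field names and the "Permit all" default for pairs outside the matrix are assumptions.

```python
# Added example: score SGT-tagged flow records against the SGACL matrices from
# the Monitor Mode and Enforce Policy slides to preview the effect of enforcement.
SGT_NAME = {0: "Unknown", 100: "Employees", 105: "PCI User",
            1000: "Prod Server", 1010: "Dev Server", 2000: "PCI Server"}

# Planned enforcement matrix from the slide: (src SGT, dst SGT) -> action.
ENFORCE = {
    (100, 2000): "Deny all", (100, 1000): "Deny all", (100, 1010): "Permit all",
    (105, 2000): "Permit all", (105, 1000): "Permit all", (105, 1010): "Permit all",
    (0, 2000): "Deny all", (0, 1000): "Deny all", (0, 1010): "Permit all",
}
MONITOR = {cell: "Permit all" for cell in ENFORCE}  # Monitor Mode: every cell permits

def sgacl_action(matrix, src_sgt, dst_sgt):
    """Cell lookup; pairs outside the matrix take the default action,
    assumed here to be 'Permit all' (the real default is a design choice)."""
    return matrix.get((src_sgt, dst_sgt), "Permit all")

def policy_delta(flows, current, planned):
    """Return (flow, action_now, action_planned) for every flow whose SGACL
    result changes between the matrix in force and the planned one. Each hit
    is traffic to confirm as expected or unexpected before enforcement."""
    changed = []
    for f in flows:
        now = sgacl_action(current, f["src_sgt"], f["dst_sgt"])
        later = sgacl_action(planned, f["src_sgt"], f["dst_sgt"])
        if now != later:
            changed.append((f, now, later))
    return changed

def summarize(delta):
    """Count affected flows per (source group, destination group) pair."""
    counts = {}
    for f, _, _ in delta:
        key = (SGT_NAME[f["src_sgt"]], SGT_NAME[f["dst_sgt"]])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed flow records using the field names of the NetFlow slide.
FLOWS = [
    {"src": "10.1.8.3", "dst": "10.20.0.5", "dport": 443, "proto": 6, "src_sgt": 100, "dst_sgt": 1010},
    {"src": "10.1.8.3", "dst": "10.20.0.9", "dport": 443, "proto": 6, "src_sgt": 100, "dst_sgt": 1000},
    {"src": "10.1.8.4", "dst": "10.20.0.9", "dport": 22, "proto": 6, "src_sgt": 100, "dst_sgt": 1000},
    {"src": "10.1.9.7", "dst": "10.30.0.2", "dport": 1433, "proto": 6, "src_sgt": 105, "dst_sgt": 2000},
    {"src": "10.1.9.8", "dst": "10.30.0.2", "dport": 1433, "proto": 6, "src_sgt": 0, "dst_sgt": 2000},
]

if __name__ == "__main__":
    for (src, dst), n in summarize(policy_delta(FLOWS, MONITOR, ENFORCE)).items():
        print(f"{n} flow(s) {src} -> {dst} would change from Permit all to Deny all")
```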

Page 27

Policy Enforcement (on the ASA)

• Use Destination SGT received from Switches connected to the destination

• Use Network Object (Host, Range, Network (subnet), or FQDN)

• SGT defined in the ISE or locally defined on the ASA

• Trigger IPS/CX based on SGT

BRKCRS-2891

Page 28

5- Active Monitoring

Monitor Network Activity

• Detect suspicious and malicious activity

• Network Behaviour and Anomaly Detection

• Policy Violations

• Monitor Policy configuration and misconfiguration

• Monitor for business continuity

Adaptive Network Control

• Identify and remediate threats

• Dynamically segment network threats

Page 29

Segmentation monitoring with Stealthwatch

A Custom event triggers on a traffic condition defined between a source group (SGT) and a destination group (DGT), for example across the WAN: give the rule a name and description; trigger on traffic in both directions; successful or unsuccessful.

Page 30

Threat Containment

Page 31

Using ‘NetFlow’ to detect anomalies

Page 32

Stealthwatch can detect

• Host Reputation Change: Inside Host Potentially Compromised

• Denial of Service: SYN Half Open; ICMP/UDP/Port Flood

• Botnet Detection: When Inside Host Talks to Outside C&C Server

• Fragmentation Attack: Host Sending Abnormal # Malformed Fragments

• Worm Propagation: Worm Infected Host Scans, etc.

• Data Exfiltration: Large Outbound File Transfer vs. Baseline

• Network Scanning: TCP, UDP, Port Scanning Across Multiple Hosts

Page 33

Stealthwatch Endpoint Concentrator (NEW)

AnyConnect with Network Visibility Module sends nvzFlow records to the Stealthwatch Endpoint Concentrator in the Stealthwatch Deployment, extending flow analysis to the endpoint process.

Attributing a flow to:

• Process name
• Process hash
• Process account
• Parent process name
• Parent process hash
• Parent process account

Page 34

Stealthwatch Packet Analyzer (NEW)

Intelligent packet capture to complement flow analysis for added security context.

The Enterprise Network exports NetFlow to the Flow Collector (Flow Analysis) and SPAN traffic to the Stealthwatch Packet Analyzer (Packet Analysis); both report to the Management Console.

Page 35

Stealthwatch Incident Response

COLLECT AND ANALYZE FLOWS -> SECURITY EVENTS (94+) -> ALARM CATEGORY -> RESPONSE

Security events (94+), for example: Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood, ...

Alarm categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target

Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation

Page 36

Quarantine from StealthWatch

Page 37

Integrated Threat Defense (Detection & Containment)

Network Fabric with segments: Employee, Supplier, Quarantine, Shared Server, High Risk Segment, Internet

Lancope StealthWatch detection:

Event: TCP SYN Scan
Source IP: 10.4.51.5
Role: Supplier
Response: Quarantine

ISE: Change Authorization, moving the host into Quarantine on the Network Fabric
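As an added example (not from the deck, Stealthwatch or ISE), the detection-to-containment hand-off shown above in simplified form: an address-scan check over constructed flow records, mapped to the Addr_Scan/tcp event and Recon category of the incident response slide, producing the Event / Source IP / Role / Response record that is passed to ISE. The SYN-only heuristic, the threshold, the role-to-IP mapping and the role policy are assumptions of the example.

```python
# Added example: simplified address-scan detection over flow records and the
# containment decision handed to ISE. Thresholds and role policy are assumed.
from collections import defaultdict

SYN, ACK = 0x02, 0x10
SCAN_THRESHOLD = 20  # distinct destination hosts probed by one source (assumed)

# Alarm category per security event, following the incident response slide.
ALARM_CATEGORY = {"Addr_Scan/tcp": "Recon", "Addr_Scan/udp": "Recon"}

# Roles that may be quarantined automatically through ISE (assumed policy).
AUTO_QUARANTINE_ROLES = {"Supplier", "Unknown"}

# Role per source IP, as ISE would share it over pxGrid (constructed here).
ROLE_BY_IP = {"10.4.51.5": "Supplier", "10.1.8.3": "Employee"}

def detect_addr_scan(flows, threshold=SCAN_THRESHOLD):
    """Flag sources whose SYN-only TCP flows (SYN set, ACK clear, i.e. no
    completed handshake) reach at least `threshold` distinct destinations."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["flags"] & SYN and not f["flags"] & ACK:
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

def containment_decision(event, src_ip, role):
    """Build the record the slide shows Stealthwatch handing to ISE."""
    response = "Quarantine" if role in AUTO_QUARANTINE_ROLES else "Alarm only"
    return {"Event": event, "Source IP": src_ip, "Role": role,
            "Alarm Category": ALARM_CATEGORY.get(event, "Concern"), "Response": response}

def respond_to_scans(flows):
    """Run detection and return one containment record per scanning source."""
    return [containment_decision("Addr_Scan/tcp", src, ROLE_BY_IP.get(src, "Unknown"))
            for src in detect_addr_scan(flows)]

def build_sample_flows():
    """Constructed flows: a supplier host sending bare SYNs to 25 hosts, and an
    employee host with established sessions (flags 0x1A as on the NetFlow slide)."""
    flows = [{"src": "10.4.51.5", "dst": f"10.4.60.{i}", "proto": 6, "dport": 445, "flags": SYN}
             for i in range(1, 26)]
    flows += [{"src": "10.1.8.3", "dst": "172.168.134.2", "proto": 6, "dport": 443, "flags": 0x1A}
              for _ in range(30)]
    return flows

if __name__ == "__main__":
    for record in respond_to_scans(build_sample_flows()):
        print(record)
```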

Page 38

Network as an Enforcer: Demo

Page 39

Path selection based on SGT

Diagram elements: Router / Firewall, Inspection Router, Enterprise WAN, VRF-GUEST, Network A, User A (Employee), User B (Suspicious), User C (Guest)

Security Example: Policy-based Routing based on SGT to redirect traffic from malware-infected hosts (User B, Suspicious) to the Inspection Router
• Contain threats
• Pass traffic through centralized analysis and inspection functions

Other Example: SGT-based VRF Selection to map different user groups to different WAN services, segmenting traffic to different VRFs based on context (Employee and Guest users to different VRFs)

Available Today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)

Page 40

FirePOWER Services Redirect: Create a service policy to forward suspicious traffic to FirePOWER services

Page 41

Rapid Threat Containment

Triggers: Malware activity, Suspicious Behavior, DoS attacks, Rogue access (reported by Stealthwatch and other partners over pxGrid: QUARANTINE)

Containment: the endpoint moves from Trustsec_Host_SGT to Quarantined_Host_SGT; Policy based Routing / QoS; Restricted Access for Remediation

Page 42

Network as a Sensor and Enforcer Overview

Network Sensors: Network Sensor (Stealthwatch), NGIPS, Cisco Collective Security Intelligence

Network Enforcers: Campus/DC Switches/WLC, Cisco Routers / 3rd Vendor Devices, NGFW, protecting Confidential Data

Policy & Context Sharing: ISE over pxGrid; TrustSec Software-Defined Segmentation; Threat information exchanged over pxGrid

Page 43

Resources

Network as a Sensor-Enforcer on CCO: http://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/net-sensor.html

Cisco ISE Community: http://cs.co/ise-community

Page 44