
Cisco TrustSec Security Solution Overview

Cisco TrustSec Security Solution Overview. Nicole Johnson Systems Engineer Cisco. Agenda. Movement from Location-Based to Identity-Based Security Strategy Cisco TrustSec Approach 802.1x MacSec (802.1ae) encryption Security Group Tags


Presentation Transcript


  1. Cisco TrustSec Security Solution Overview

    Nicole Johnson Systems Engineer Cisco
  2. Agenda
     - Movement from a location-based to an identity-based security strategy
     - Cisco TrustSec approach
     - 802.1X
     - MACsec (802.1AE) encryption
     - Security Group Tags
     - Identity Services Engine (ISE) and its role in the network
     - Network Control System: an introduction to managing the lifecycle of both wired and wireless devices in your network
     - Q & A
     - Next steps
  3. Policy Evolving with Borderless Network (diagram: what Borderless Networks promise, and what policy must narrow it to)
     - Anyone -> the RIGHT person
     - Any device -> an approved device
     - Anywhere -> in the right way
     - Anytime
  4. Introducing Cisco TrustSec (diagram)
     - Enables business productivity
     - Delivers security & risk management
     - Improves IT operational efficiency
     Elements shown: an identity-enabled infrastructure providing policy-based access & services and scalable enforcement (VLANs, dACLs, SGTs; guest access, profiling, posture) between users and devices (wireless users, VPN users, remote VPN users) and the data center, intranet security zones, and Internet.
  5. What is TrustSec?
  6. Why Identity Is Important
     1. Authentication: Who are you? 802.1X (or a supplementary method) authenticates the user. Keep the outsiders out.
     2. Authorization: Where can you go? Based on authentication, the user is placed in the correct VLAN. Keep the insiders honest.
     3. Personalize the network: What service level do you receive? The user can be given per-user services (ACLs today, more to come).
     4. Accounting: What are you doing? The user's identity and location can be used for tracking and accounting. Increase network visibility.
  7. What does Identity allow you to do?
     - Ensure that only allowed types of user and machine connect to key resources
     - Provide guest network access in a controlled and specific manner
     - Deliver differentiated network services to meet security policy needs, for example:
       - Ensure compliance requirements (PCI, etc.) for user authentication are met
       - Facilitate voice/data traffic separation in the campus
       - Ensure that only employees with legitimate devices access classified systems
       - Ensure that contractors/business partners get appropriate access
     - Provide user and access device visibility to network security operations
  8. Why 802.1X?
     - Industry-standard approach to identity
     - Most secure user/machine authentication solution
     - Complements other switch security features
     - Provides a foundation for additional services (e.g., posture)
     - Easier to deploy
  9. How Does 802.1X Work? (diagram of the roles)
     - Supplicant: the endpoint requesting service (connectivity) at Layer 2
     - Authenticator: switch, router, WAP
     - Authentication Server: RADIUS server, providing back-end authentication support at Layer 3
     - Identity Store/Management: Active Directory, LDAP (identity store integration)
  10. Who (or What) Can Be Authenticated?
     - Device Authentication (e.g., host\XP2)
       - Enables devices to access the network prior to (or in the absence of) user login
       - Enables critical device traffic (DHCP, NFS, machine GPO)
       - Is required in managed wired environments
     - User Authentication (e.g., alice)
       - Enables user-based access control and visibility
       - If enabled, should be in addition to device authentication
  11. Various Authorization Mechanisms
     802.1X provides various authorization mechanisms for policy enforcement.
     - Three major enforcement / segmentation mechanisms:
       - Dynamic VLAN assignment (ingress)
       - Downloadable per-session ACL (ingress)
       - Security Group Access Control List (SGACL) (egress)
     - Three different enforcement modes:
       - Monitor Mode
       - Low Impact Mode (with downloadable ACL)
       - High-Security Mode
     - Session-based on-demand authorization: Change of Authorization (RFC 3576 RADIUS Disconnect Messages)
  12. Cisco Switches with 802.1X: A Systems Approach
     Fully planned, tested, and vetted SYSTEM for identity. The many business units have all worked together to form a full system-based approach to ensure the most capable, fully functional and proven identity system in the industry.
     Consistent across all switch platforms! Same features, same code:
     - Multi-Auth
     - Deployment modes
     - Pre-emptive dead server detection
     - Critical VLAN
     - dACL per host
  13. MACsec (802.1AE) Overview
  14. Quick Review of MACsec (802.1AE)
  15. Confidentiality and Integrity: Securing the Data Path with MACsec
     - Media Access Control Security (MACsec) provides "WLAN / VPN equivalent" encryption (128-bit AES-GCM) to the LAN connection
     - NIST-approved* encryption (IEEE 802.1AE) + key management (IEEE 802.1X-2010/MKA or Security Association Protocol)
     - Allows the network to continue to perform auditing (security services)
     - TrustSec provides an encrypted data path regardless of your access method (WLAN, remote access, and LAN!)
     Diagram: a guest user's data is sent in the clear; an authenticated user (802.1X, supplicant with MACsec) has traffic encrypted on the MACsec link to MACsec-capable devices, which decrypt and re-encrypt hop by hop.
     Note: Cat3750-X currently supports MACsec on downlink only.
     * National Institute of Standards and Technology Special Publication 800-38D
  16. MACSec Benefits and Limitations
  17. Cisco TrustSec Security Group Tags
     - Unique 16-bit (65K) tag assigned to a unique role
     - Represents the privilege of the source user, device, or entity
     - Tagged at ingress of the TrustSec domain
     - Provides topology-independent policy
     - Flexible and scalable policy based on user role
     - Centralized policy management for dynamic policy provisioning
     - Hop-by-hop encryption (802.1AE): provides confidentiality and integrity while still allowing for inspection of traffic between endpoints
  18. Layer 2 SGT Frame Format
     Frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC (the diagram marks the authenticated and encrypted regions of the frame)
     CMD (Cisco Meta Data) fields: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
     - The 802.1AE header, CMD and ICV fields are the L2 802.1AE + TrustSec overhead
     - The frame is always tagged at the ingress port of an SGT-capable device
     - Tagging takes place prior to other L2 services such as QoS
     - No impact on IP MTU/fragmentation
     - L2 frame MTU impact: ~40 bytes, i.e. less than a baby giant frame (~1600 bytes with 1552-byte MTU)
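Added example (not from the presentation): a Python parser for the CMD header laid out on this slide, followed by the egress SGACL lookup that the SGT exists to drive, over a constructed Staff/Guest vs Public/Private matrix. It assumes the CMD EtherType 0x8909 and SGT option type 0x0001 (the values the Wireshark Cisco Meta Data dissector uses), 1/1/2/2-byte field widths, the SGT as the only CMD option present, and a plaintext frame (no MACsec, or already decrypted at the hop).

```python
import struct

CMD_ETHERTYPE = 0x8909     # Cisco Meta Data EtherType (assumed, see lead-in)
DOT1Q_ETHERTYPE = 0x8100   # 802.1Q VLAN tag
SGT_OPTION_TYPE = 0x0001   # CMD option carrying the SGT value (assumed)

# Constructed SGT numbers and SGACL matrix: (source role, destination role) -> verdict.
SGT_NAMES = {10: "Staff", 20: "Guest", 100: "Public", 200: "Private"}
SGACL = {
    ("Staff", "Public"): "Permit", ("Staff", "Private"): "Permit",
    ("Guest", "Public"): "Permit", ("Guest", "Private"): "Deny",
}

def parse_cmd(frame: bytes) -> dict:
    """Walk DMAC/SMAC, an optional 802.1Q tag, then the CMD; return VLAN, SGT, inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, vlan = 12, None
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == DOT1Q_ETHERTYPE:             # VLAN tag sits before the CMD, per the slide
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype != CMD_ETHERTYPE:               # no CMD: the frame carries no SGT
        return {"vlan": vlan, "sgt": None, "ethertype": etype, "payload": frame[off + 2:]}
    off += 2
    if len(frame) < off + 8:
        raise ValueError("truncated CMD header")
    version, _length, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
    if version != 1 or opt_type != SGT_OPTION_TYPE:
        raise ValueError("unsupported CMD version or option type")
    off += 6
    inner = struct.unpack_from("!H", frame, off)[0]   # the real EtherType (e.g. 0x0800)
    return {"vlan": vlan, "sgt": sgt, "ethertype": inner, "payload": frame[off + 2:]}

def sgacl_verdict(src_sgt: int, dst_sgt: int) -> str:
    """Egress enforcement keyed on the role pair, not on IP or VLAN; unknown tags are denied."""
    pair = (SGT_NAMES.get(src_sgt), SGT_NAMES.get(dst_sgt))
    return SGACL.get(pair, "Deny")

def build_frame(sgt: int, vlan: int = 10) -> bytes:
    """Constructed sample frame: DMAC, SMAC, 802.1Q, CMD with SGT, IPv4 EtherType, dummy payload."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan)
    frame += struct.pack("!HBBHH", CMD_ETHERTYPE, 1, 1, SGT_OPTION_TYPE, sgt)  # length value assumed
    return frame + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    sgt = parse_cmd(build_frame(20))["sgt"]
    print(SGT_NAMES[sgt], "-> Private:", sgacl_verdict(sgt, 200))
```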
  19. Identity Services Engine (ISE)
  20. Policy-Based Access: Identity Services Engine Delivers "Business Policy"
     - Define network policy as an extension of business goals
     - Policy extends to all access types (wired, wireless, VPN)
     - Lifecycle services integration: guest, profiling, posture
     - Optional encryption-based policies for security-conscious users
     Diagram example: a Finance Manager's access to Product Bookings, Customer Data and SalesForce.com differs between a corporate-issued laptop and a personal iPad (some combinations marked X).
  21. Identity Services Engine: Policies for people and devices
     - Guest Access: Can I allow guests Internet-only access? How do I manage guest access? Can this work in wireless and wired? How do I monitor guest activities?
     - Authorized Access: How can I restrict access to my network? Can I manage the risk of using personal PCs, tablets, smart devices? Access rights on premises, at home, on the road? Are devices healthy?
     - Non-User Devices: How do I discover non-user devices? Can I determine what they are? Can I control their access? Are they being spoofed?
  22. A Practical Example of Policies
     - "Employees should be able to access everything but have limited access on personal devices"
     - "Everyone's traffic should be encrypted"
     - "Printers should only ever communicate internally"
     Diagram: Campus Network (Cisco Switch, Cisco Wireless LAN Controller, Cisco Access Point) with Cisco Identity Services Engine, connected to Internal Resources and the Internet.
  23. Let's Start With What We Know: Previous Cisco TrustSec Solution Portfolio
     - Identity & Access Control: Access Control System, AnyConnect
     - Identity & Access Control + Posture: NAC Server, NAC Manager, NAC Agent
     - Device Profiling & Provisioning + Identity Monitoring: NAC Collector, NAC Profiler (standalone appliance or licensed as a module on NAC Server)
     - Guest Lifecycle Management: NAC Guest Server
  24. Introducing Identity Services Engine: Next Generation Solution Portfolio
     The same four service rows, with ISE overlaid on them:
     - Identity & Access Control: Access Control System, AnyConnect
     - Identity & Access Control + Posture: NAC Server, NAC Manager, NAC Agent
     - Device Profiling & Provisioning + Identity Monitoring: Identity Services Engine, NAC Profiler, NAC Collector (standalone appliance or licensed as a module on NAC Server)
     - Guest Lifecycle Management: NAC Guest Server
  25. Benefits of Identity Services Engine
     - Consolidated services, software packages: ACS, NAC Manager, NAC Profiler, NAC Server, NAC Guest consolidated into ISE. Simplify deployment & admin; keep existing logical design.
     - Visibility: access rights, user ID, location, device (& IP/MAC). Track active users & devices; consolidate data, three-click drill-in.
     - Flexible service deployment: monitoring, admin console, all-in-one HA pair, distributed policy servers. Optimize where services run.
     - Manage Security Group Access (example SGACL matrix: source SGTs Staff and Guest against destinations Public and Private, each cell Permit or Deny)
     - System-wide monitoring & troubleshooting
     - Manage guests & sponsors
  26. Identity & Context-Awareness: Leveraging your Infrastructure
     Consistent identity features supported on all Catalyst switch models authenticate authorized users (802.1X), devices (MAB & profiling, e.g. IP phones, network devices) and guests (Web Auth).
     Identity feature differentiators:
     - VDI deployment support: the multi-authentication feature enables authentication of multiple MAC addresses behind a single port
     - Monitor Mode: delivers visibility by authenticating users/devices (without enforcement)
     - Flex Authentication Sequence: the most flexible authentication in the market; automates ports for rolling authentication with a flexible sequence
     - IP telephony interoperability: features like multi-domain auth and link state provide authentication for IP telephony environments, or users behind VoIP devices
  27. ISE Lifecycle Services: ISE Posture Ensures Endpoint Health before Network Access
     Applies to wired, wireless and VPN users. Example employee policy:
     - Microsoft patches updated
     - McAfee AV installed, running, and current
     - Corp asset checks
     - Enterprise application running
     Non-compliant endpoints get temporary limited network access until remediation is complete.
  28. ISE Lifecycle Services: ISE Guest Service for managing guests
     - Provision: guest accounts via sponsor portal
     - Manage: sponsor privileges, guest accounts and policies, guest portal
     - Notify: guests of account details by print, email, or SMS
     - Report: on all aspects of guest accounts
     Guest policy: wireless or wired access, Internet-only access (guests authenticate via Web Auth).
  29. Identity and Context-Awareness: ISE Profiling for Non-Authenticating Devices ("What is on my network?")
     - Reduces MAB effort by identifying more than 90 device categories
     - Create policy for users and endpoints, e.g. "Limited access by employee on iPad"
     - Confidence match based on multiple attributes
     - Future "template feed"
  30. ISE Device Profiling Capabilities (diagram): device categories such as smart phones, gaming consoles and workstations; multiple rules establish a confidence level, and a minimum confidence is required for a match.
  31. ISE Device Profiling Example: iPad
     - Is the MAC address from Apple?
     - Does the hostname contain "iPad"?
     - Is the web browser Safari on an iPad?
     Matching these rules yields the profile "Apple iPad". Once the device is profiled, it is stored within ISE for future associations.
  32. Cisco ISE Provides Policy for Wired and Wireless LANs
     - Unified wired and wireless policy (ISE) and management (NCS)
     - ISE: central point of policy for wired and wireless users and endpoints
     - NCS: centralized monitoring of wired and wireless networking, users and endpoints
  33. TrustSec Deployment Options
     - Monitor Mode: primary features are open mode, Multi-Auth, Flex Auth (optional); benefits are unobstructed access, no impact on productivity, and visibility gained from AAA logs
     - Low Impact Mode: primary features are open mode, Multi-Domain, port & dACLs; benefits are maintained basic connectivity, increased access security, and differentiated access
     - High Security Mode: primary features are traditional closed mode and dynamic VLANs; benefit is strict access control
  34. Deployment Overview: Typical TrustSec Deployment Scenario
     Plan in advance and keep the impact on user experience to a minimum. Work streams: supplicant provisioning, RADIUS setup, switch setup.
     - Planning
     - Proof of concept
     - Pilot deployment (size: 1 segment or 1 floor) with no enforcement (Monitor Mode)
     - Review & adjust
     - Expansion (size: multi-floor, building) with enforcement (Low Impact Mode)
     - Review & adjust
     - Services
  35. Why Cisco TrustSec Architecture
     - One policy for wired, wireless and VPN
     - Integrated lifecycle services (posture, profiling, guest)
     - Differentiated identity features (monitor mode, flex auth, multi-auth, ...)
     - Phased approach to deployments, i.e. monitor mode
     - Flexible and scalable authorization options
     - Encryption to protect communications and SGT tags
  36. Trustsec.cisco.com www.cisco.com/go/trustsec
  37. 802.1X Resources
     - http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
     - http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNS-Technical-Review.pdf
     - http://en.wikipedia.org/wiki/IEEE_802.1X
     - http://www.networkworld.com/news/2010/0506whatisit.html
     - http://www.ieee802.org/1/pages/802.1x.html
  38. MACsec Resources
     - http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html
     - https://videosharing.cisco.com/vportal/VideoPlayer.jsp?ccsid=C-9323e79a-0395-475c-9c65-27f6e6afff3b:1#
     - http://en.wikipedia.org/wiki/IEEE_802.1AE
     - http://www.ieee802.org/1/pages/802.1ae.html
     - http://www.networkworld.com/details/7593.html