Post on 26-Mar-2020
transcript
Cisco Day 2016
20.4.2016
Hotel Mons
Wednesday
György Ács
IT Security Consulting Systems Engineer
20 April 2016
Why Identity is so important ? - Identity Services Engine update
ISE Champion
• Best Practices, Tips and Tricks on these selected topics:
• Hardware, infrastructure review
• Authentication and Authorization Policies
• Certificates
• Guest, Profiling, Posture
• pxGrid, Fire & ISE
• TACACS+
• REST API
Agenda
Hardware, infrastructure review
• Determining Minimum Appliance Quantity and Platform
Type
5
Scaling by Deployment/Platform/Persona
Persona Deployment
• All Personas running on single or redundant nodes
• Administration and Monitoring co-located on single or redundant nodes
• Dedicated Policy Service nodes
• Dedicated Administration node(s) • Dedicated Monitoring node(s) • Dedicated Policy Service nodes
Max Nodes by Type
• 2 Admin+MnT+PSN nodes
• 2 Admin+MnT nodes • 5 Policy Service nodes
• 2 Admin nodes • 2 MnT nodes • 40 Policy Service nodes (3495s) • 50 Policy Service nodes (3595s)
Max Endpoints for Entire Deployment
• 5k with SNS-3415 • 7.5k with SNS-3515 • 10k with SNS-3495 • 20k with SNS-3595
• 5k with SNS-3415 PAN+MnT • 7.5k with SNS-3515 PAN+MnT • 10k with SNS-3495 PAN+MnT • 20k with SNS-3595 PAN+MnT
• 250k with SNS-3495 for PAN and MnT • 500k with SNS-3595 for PAN and MnT
PAN MnT PSN
PAN MnT
PSN PAN MnT PSN
Note: Max Endpoints = Max Active Sessions; ISE supports 1M Endpoints in DB
Determining Minimum Appliance Quantity and Platform Type
• Max Endpoints Per Appliance for Dedicated PSN
Policy Service Node Sizing
6
• Physical and Virtual Appliance Guidance
Form Factor
Platform Size Appliance Maximum Endpoints
Physical
Small SNS-3415 5,000
Large SNS-3495 20,000
Small (New) SNS-3515 * 7,500
Large (New) SNS-3595 * 40,000
Virtual S/L VM *5,000-40,000
General VM appliance sizing
guidance:
1) Select physical appliance
that meets required
persona and scaling
requirements
2) Configure VM to match or
exceed the ISE physical
appliance specifications * Under ISE 2.0.x, scaling for Small & Large 35x5 appliance same as Small & Large 34x5 appliance.
ISE VM Provisioning &
Disk IO Guidance
• VMotion officially supported in ISE 1.2
• Thin Provisioning officially supported in ISE 1.3 (recommend Thick Provisioning for MnT)
• Hyper-Threading not required, but can TPS
• IO Performance Requirements:
Read 300+ MB/sec
Write 50+ MB/sec
• Recommended disk/controller:
10k RPM+ disk drives
Caching RAID Controller
RAID mirroring
(Slower writes using RAID 5*)
*RAID performance levels: http://www.datarecovery.net/articles/raid-level-comparison.html
http://docs.oracle.com/cd/E19658-01/820-4708-13/appendixa.html
• Starting in ISE 1.3: No more storage media and file system restrictions. For example, VMFS is not required and NFS is allowed provided storage is supported by VMware and meets ISE IO performance requirements.
• Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at own risk.
7
8
ISE Bandwidth Calculator (Multi-Site)
Now available to customers @ https://communities.cisco.com/docs/DOC-64317
Note: Bandwidth required for RADIUS traffic is not included. Calculator is focused on inter-ISE node bandwidth requirements.
• Authorize User Access to the Network Based on Their
Location
Location Based Authorization
ISE 2.0
MSE 8.0
UI to Configure MSE
I have Location Data Campus:Building:Floor:Zone
• Track Movement of the endpoint after authentication using MAC address
• Query MSE every 5 minutes to verify current location.
– If no change, do nothing
– If change, update endpoint info and issue CoA.
• Best Practice: Do NOT track every session!
– Limit tracking to critical access based on location.
– Excessive tracking can lead to lookup failures. (Max 150 TPS)
Tracking Location in Authorization Policy • Limit Location Tracking to Critical Locations and Resource Access
Authentication, Authorization Policies Optimization
Search Speed Test
• Find the object where…
– Total stars = 10
– Total green stars = 4
– Total red stars = 2
– Outer shape = Red Circle
12
• Avoid Unnecessary External Store Lookups
AuthZ Policy Optimization
13
Example of a Poor Rule: Employee_MDM • All lookups to External Policy and ID Stores
performed first, then local profile match!
• Policy Logic: o First Match, Top Down o Skip Rule on first negative
condition match • More specific rules generally at top • Try to place more “popular” rules
before less used rules.
• Rule Sequence and Condition Order is Important!
AuthZ Policy Optimization
(Good Examples)
14
Example #1: Employee 1. Endpoint ID Group 2. Authenticated using AD? 3. Auth method/protocol 4. AD Group Lookup
Example #2: Employee_CWA 1. Location (Network Device Group) 2. Web Authenticated? 3. Authenticated via LDAP Store? 4. LDAP Attribute Comparison
• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)
• Ensure NTP configured for all ISE nodes and AD servers
• Configure AD Sites and Services
(with ISE machine accounts configured for relevant Sites)
• Configure Authentication Domains (Whitelist domains used) (ISE 1.3)
• Use UPN/fully qualified usernames when possible to expedite use
lookups
• Use AD indexed attributes* when possible to expedite attribute lookups
• Run Diagnostics from ISE Admin interface to check for issues.
15
AD Integration Best Practices
(from 1.3)
Microsoft AD Indexed Attributes: http://msdn.microsoft.com/en-us/library/ms675095%28v=vs.85%29.aspx http://technet.microsoft.com/en-gb/library/aa995762%28v=exchg.65%29.aspx
*
Authorization Policies Pro Tip:
Combining AND & OR
Combining AND with OR in AuthZ Policies
Cannot Mix??
• Advanced Editing
Combining AND with OR in AuthZ Policies
Advanced Editor
Simple Conditions
• Advanced Editing
Combining AND with OR in AuthZ Policies
Certificates
• Import All Certificates in Trust Path, One at-a-Time
Pro Tip: Always Add the Root & Sub CA’s
Root CA
Subordinate CA
ISE Cert
If you must use a PKCS chain, it needs to be in PEM format (not DER)
Subordinate CA
• In 1.3+: Sponsor Portal and My Devices
Portal must be accessed via a user-
friendly URL and selectable port.
• Ex: http://mydevices.company.com
Automatic redirect to https://fqdn:port
• FQDN for URL must be added to DNS
and resolve to the Policy Service
node(s) used for Guest Services.
• Recommend populating Subject
Alternative Name (SAN) field of PSN
local cert with this alternative FQDN or
Wildcard to avoid SSL cert warnings due
to name mismatch.
Simple URL for My Devices
& Sponsor Portals
• Certificate Warning - Name Mismatch
ISE Certificate without SAN
ISE-PSN-3
ISE-PSN-2
ISE-PSN-1
SPONSOR
Load Balancer
http://sponsor.company.com
https://sponsor.company.com:8443/sponsorportal
DNS Lookup = sponsor.company.com
DNS Response = 10.1.99.5
http://sponsor.company.com
100.1.99.5
100.1.100.5
100.1.100.6
100.1.100.7
Name Mismatch! Requested URL = sponsor.company.com
Certificate Subject = ise-psn-3.company.com
DNS
Server
ISE-PSN-3
ISE-PSN-2
ISE-PSN-1
100.1.100.5
100.1.100.6
100.1.100.7
• No Certificate Warning
ISE Certificate with SAN
Load Balancer
http://sponsor.company.com
https://sponsor.company.com:8443/sponsorportal
DNS Lookup = sponsor.company.com
DNS Response = 10.1.99.5
http://sponsor.company.com
100.1.99.5
Certificate OK! Requested URL = sponsor.company.com Certificate SAN = sponsor.company.com
DNS
Server
SPONSOR
ISE Certificate with SAN
CN must also exist in SAN
Other FQDNs as “DNS Names”
IP Address is also option
Wildcard Certificates are used to identify any secure web site that is part of the domain:
e.g.: *.woland.com works for:
www.woland.com
mydevices.woland.com
sponsor.woland.com
AnyThingIWant.woland.com
“Traditional” Wildcard Certificates
!= psn.[ise].woland.com
Position in FQDN is fixed
Use of all portals & friendly URL’s without Certificate Match Errors.
Most Importantly: Ability to host the exact same certificate on all ISE PSNs for EAP authentications
•Why, you ask?.......
Wildcard Certificates –
Why use with ISE?
Clients Misbehave!
• Example education customer:
– ONLY 6,000 Endpoints (all BYOD style)
– 10M Auths / 9M Failures in a 24 hours!
– 42 Different Failure Scenarios – all related to
clients dropping TLS (both PEAP & EAP-TLS).
• Supplicant List:
– Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo,
Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N
• 5411 No response received during 120 seconds on last EAP message sent to the client
– This error has been seen at a number of Escalation customers
– Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.
Recreating the Issue
Clients Misbehave:
Apple Example
Apple iOS & MacOS
SSID
NAD
ISE-1 ISE-2
1
WiFi Profile
5
• Multiple PSNs • Each Cert signed by Trusted Root • Apple Requires Accept on all certs!
• Results in 5411 / 30sec retry
1. Authentication goes to ISE-1 2. ISE-1 sends certificate 3. Client trusts ISE-1 4. Client Roams 5. Authentication goes to ISE-2 6. Client Prompts for Accept
Cert Authority ise1.ise.local ise2.ise.local
Solution: Common Cert, Wildcard in SAN
Allows anything ending with The Domain Name. - Same EXACT Priv / Pub Key May be installed on all PSNs
Coining a New Term
Solution: Common Cert, Wildcard in SAN
Apple iOS & MacOS
SSID
NAD
ISE-1 ISE-2
1
WiFi Profile
5
• CN= psn.ise.local • SAN contains all PSN FQDNs
psn.ise.local *.ise.local
• Tested and works with: comodo.com CA SSL.com CA Microsoft 2008 CA • Failed with: GoDaddy CA -- they don’t like * in SAN -- they don’t like non-* in CN
psn.ise.local
1. Authentication goes to ISE-1 2. ISE-1 sends certificate 3. Client trusts ISE-1 4. Client Roams 5. Authentication goes to ISE-2 6. Client Already Trusts Cert
Cert Authority
Already Trusted
psn.ise.local
Scaling Guest
• Device/user logs in to hotspot or credentialed portal
• MAC address automatically registered into GuestEndpoint group
• Authz policy for GuestEndpoint ID Group grants access until device purged
Scaling Web Authentication • “Remember Me” Guest Flows
Prior to ISE 1.3, can “chain” CWA+DRW or NSP to auto-register web auth users, but no auto-purge
35
Endpoint Purging Examples
36 On Demand Purge
Matching Conditions Purge by: # Days After
Creation # Days Inactive Specified Date
Best Practices for Profiling
• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
– Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint
ownership.
– For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling
using…
– DHCP IP Helpers
– SNMP Traps
– DHCP/HTTP with ERSPAN (Requires validation)
• Ensure profile data for a given endpoint is sent to the same PSN
– Same issue as above, but not always possible across different probes
• Use node groups and ensure profile data for a given endpoint is sent to same node group.
– Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node
group.
• Avoid probes that collect the same endpoint attributes
– Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
ISE Profiling Best Practices • Whenever Possible…
38
Do NOT send profile data to multiple PSNs !
DO send profile data to single and same PSN or Node Group !
DO use Device Sensor !
DO enable the Profiler Attribute Filter !
• HTTP Probe:
– Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
– Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use
intelligent SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA
for SPAN.
• DHCP Probe:
– Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
– Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• SNMP Probe:
– Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low
session/re-auth timers) or frequent interim accounting updates.
– For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD
config.
– SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps
w/RADIUS auth.
• NetFlow Probe:
Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.
ISE Profiling Best Practices • General Guidelines for Probes
39
Do NOT enable all probes by default !
Avoid SPAN, SNMP Traps, and NetFlow probes !
Best Practices for Posture
• Once Compliant, user may leave/reconnect multiple
times before re-posture
Posture Lease
41
7
• Scalability ≈ 30 Calls per second per PSN. – Cloud-Based deployment typically built for scale and redundancy
• For cloud-based solutions, Internet bandwidth and latency must be considered.
– Premise-Based deployment may leverage load balancing
• ISE 1.4+ supports multiple MDM servers – could be same or different vendors.
• Authorization permissions can be set based on MDM connectivity status:
– MDM:MDMServerReachable Equals UnReachable MDM:MDMServerReachable Equals Reachable
– All attributes retrieved & reachability determined by single API call on each new session.
MDM Scalability and Survivability
What Happens When the MDM Server is Unreachable?
42
pxGrid
FMC
pxGrid Bulk Downloads (peer-to-peer)
MnT
Controller
Splunk >
WWW
1. I need Bulk Session Data
2. Get it From MnT
3. Direct Data Transfer
ISE Node
ISE Node
FMC
pxGrid Topic Extensibility
MnT
Controller
Splunk >
WWW
Topic Publisher Subscribers
Session_Directory MnT Splunk, FMC, WSA ISE Admin
1. Req: Add New Topic:
“Vulnerable Hosts”
3. Publish Topic
4. Announce: New Topic Available
Vulnerable Hosts Rapid7
FMC
pxGrid Topic Extensibility
MnT
Controller
Splunk >
WWW
Topic Publisher Subscribers
Session_Directory MnT Splunk, FMC, WSA
Vulnerable Hosts Rapid7
ISE Admin
Vulnerable Hosts Rapid7 FMC
1. Subscribe Vulnerable
Hosts
2. Direct Transfer
FMC
How to we “Certificate-ify”
This Scenario?
MnT
Controller
Splunk >
WWW
1. Use a Single Certificate Authority
2. Each pxGrid Participant Trust That Certificate Authority
3. Each pxGrid Client use a ‘pxGrid’ Certificate from that CA
4. *Controller Must still Authorize the Communication
X.509
pxGrid
X.509
pxGrid
X.509
pxGrid
X.509
pxGridX.509
pxGrid
X.509
pxGrid
pxGrid Cert = Client Auth Policy Server Auth Policy
Instant Full Mesh Trust!
ISE and Fire
• Fully Supported on FMC 5.4 and ISE 1.3+
– Uses pxGrid + Endpoint Protection Services (EPS)
• Note: ANC is Next Gen version of the older EPS
• EPS functions are still there for Backward Compatibility
• Loads as a Remediation Module on FMC
– Remediation Module Takes Action via the EPS call through
pxGrid
Rapid Threat Containment
with Firepower Management Center and ISE
MnT
FMC
Rapid Threat Containment with Firepower
Management Center and ISE
Controller
WWW
NGFW
2. Correlation Rules Trigger Remediation
Action
3. pxGrid EPS Action: Quarantine + Re-Auth
1. Security Events / IOCs
Reported
i-Net
MnT
FMC
Rapid Threat Containment with
Firepower Management Center and ISE
Controller
WWW
NGFW
4. Endpoint Assigned Quarantine + CoA-
Reauth Sent
i-Net
Cisco StealthWatch: System Overview
(Earlier : Lancope)
NetFlow / NBAR / NSEL
Network Devices
StealthWatch FlowCollector
• Collect and analyze • Up to 4,000 sources • Up to 240,000 FPS sustained
SPAN
StealthWatch FlowSensor
Generate NetFlow
Non-NetFlow Capable Device
• Management and reporting • Up to 25 FlowCollectors • Up 6 million FPS globally
StealthWatch Management
Console (SMC)
Network as a Sensor:
Cisco StealthWatch
pxGrid
Real-time visibility at all network layers • Data Intelligence throughout network • Assets discovery • Network profile • Security policy monitoring • Anomaly detection • Accelerated incident response
Cisco ISE
Mitigation Action
Context Information NetFlow
ISE pxgrid for Remediation
Device Admin
TACACS+
A long time ago in a development lab far,
far away…
AuthC Once + AuthZ Many
SSH to Network Device
REPLY (authentication) – request username
CONTINUE (authentication) – username
REPLY (authentication) – request password
CONTINUE (authentication) – password
REPLY (authentication) – Pass
START (authentication) – User trying to connect
Authentication
is Complete
TACACS+
REQUEST (authorization) – service = shell
RESPONSE (authorization) – PASS_ADD
REQUEST (accounting) – START / RESPONSE - SUCCESS
REQUEST (authorization) – service = command
RESPONSE (authorization) – Pass_ADD
# show run
EXEC is
Authorized
REQUEST (accounting) – CONTINUE / RESPONSE - SUCCESS
Command is
Authorized
AuthC
Shell AuthZ
Command AuthZ
• Policy Service Node for Protocol Processing
– Session Services (e.g. Network Access/RADIUS) On by default
– Device Admin Service (e.g. TACACS+)
MUST BE ENABLED
FOR DEVICE ADMINISTRATION!!
58
ISE Deployment Node
Configuration
• Different Policy Sets for IOS
than AireSpace OS
• Different for Security Apps
than Routers
• Different for ASA
• Differentiate based on
location of Device
Some Device Admin Best Practices
USE NDG’S!
Device Administration Policy Set
Policy Set Ordered List
Provides both Management AND Execution order
Condition For Policy Set
How Policy Set is engaged
Policy Set
Use Policy Sets Based on
Device Type
Cisco IOS Switches
Airespace WLCs
Best Practices for Policy Sets
Organization
• Optimal Size Mix for Policy Set breakdown in ISE 2.0:
– 6-10 Policy Sets
– 60-100 rules
• Divide Complete Policy into robust Silos representing Use
Cases
– e.g.
• By Device Type
• By Region
62
ISE Authorization Processing
Policy Set Selection Identity Selection Authorization Policy
Evaluation
Evaluation (Command Set or
Profile)
Reply
63
TACACS+ example:
Wireless LAN Controllers
TACACS+ example:
Cisco IOS
• Results are often specific to the NAD-Type.
– Different results for AirOS than IOS than NX-OS.
• Results are not differentiated in GUI by Default
Best Practice: Use Prefixes for Your Results
T+ Command Sets:
Wildcard vs. Regex
• A Permit Below will take priority
over a Deny above.
• Except with a Deny_Always
Command Sets May Be Stacked!
IOS-SecOps-NoConfig Deny_Always Config * Permit Everything Else IOS-PermitAllCommands Permit *
REST API
• Session API (from mnt node)
• REST API : – From ISE 1.0.4
– ISE 1.3 : added Guest
– ISE 2.0 : added TrustSec (SGT, SXP, SGACL), internal users
• Default : ERS is Not enabled
• XML based
ISE REST API :
ERS: External RESTfull Services
<activeSession> <user_name>sfadmin</user_name> <calling_station_id>sfadmin-10.1.1.66</calling_station_id> <framed_ip_address>10.1.1.66</framed_ip_address> </activeSession>
Supported resources :
• End points
• End point identity groups
• Guest users
• Identity groups
• Internal users
• Portals
• Profiler policies
• Network devices
• Network device groups
• Security groups
Currently : no Authentication /authorization policies
Enable ERS and Add
ERS Admin User
Admin or operator based on the READ/WRITE rights
Admin: Full access to all ERS
API requests such as GET, POST, DELETE, PUT
Operator: Read-only access to
ERS API, only GET
10.1.1.1.
GET internal users
• Best Practices, Tips and Tricks on these selected topics:
• Hardware, infrastructure review
• Authentication and Authorization Policies
• Guest, Profiling, Posture
• Certificates
• pxGrid, Fire & ISE
• TACACS+
• REST API
Summary
74
Questions ?