© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicTrustSec 1
Solving (not only) L2 Security Problems
Petr Růžička, CSE
CCIE #20166
Evolution to Network Access Control: Topology Aware to Role Aware

- Network Address-based Access Control: ACL, VACL, PACL, PBACL etc.
- Identity-Based Access Control: flexible authentication options (802.1X, MAB, WebAuth, FlexAuth); comprehensive post-admission control options (dACL, VLAN assignment, URL redirect, QoS, ...)
- Network Admission Control (NAC): posture validation, endpoint policy compliance
- Cisco TrustSec: network-wide role-based access control, network device access control, consistent policies for wired, wireless and remote access
Campus Access Security: Vulnerability & Countermeasure

Vulnerability (802.1X alone). Actors: supplicant on a wall jack in a conference room or cubicle area, authenticator (wiring closet switch) on the campus LAN, authentication server (ACS).
1. Port status: Unauthorized
2. Supplicant -> Switch: EAPOL Start
3. Switch -> Supplicant: EAP Request
4. Supplicant -> Switch: EAP Response (w/ credentials)
5. Switch -> ACS: credentials relayed to AAA via RADIUS
6. ACS -> Switch: RADIUS-Accept
7. Port status: Authorized, port enabled
Result: a miscreant user can spoof the MAC address of the authenticated user and gain network access undetected, because the port only ever checks the source MAC after authentication.

Countermeasure: TrustSec (802.1AE/SAP). Same actors, with an 802.1AE/SAP-capable supplicant and an 802.1AE/SAP-enabled authenticator.
1. Port status: Unauthorized
2. Supplicant -> Switch: EAPOL Start
3. Switch -> Supplicant: EAP Request
4. Supplicant -> Switch: EAP Response (w/ credentials)
5. Switch -> ACS: credentials relayed to AAA via RADIUS
6. ACS -> Switch: RADIUS-Accept (w/ PMK)
7. The PMK is used to initiate the 4-way SAP exchange
8. Port status: Authorized, encrypted port enabled
Result: a miscreant user can't spoof the MAC address of encrypted packets, because they do not hold the link key; if the miscreant's traffic is not encrypted, those packets carry no integrity information (SA or ICV) and are blocked.

Cisco TrustSec (CTS) extends 802.1X to provide continuous data protection: holistic prevention of MiM, spoofing, tampering and replay attacks; prevents shadow host attacks.
Benefits of Hop-by-Hop Link Encryption in Campus

Secure hop-by-hop communications preserves IT tools for network management.

E2E (end-to-end):
- Layer 3+ end-to-end encryption for IP traffic and payload
- No packet visibility, which defeats IT IDS and network analysis tools
- Doesn't prevent layer 2 attacks (e.g. MAC spoofing, stealing)

HxH (hop-by-hop, LinkSec on every link):
- Hop-by-hop security prevents layer 2 attacks
- IT has network control, using familiar network tools (IDS, anti-virus, ...)
- Allows incremental deployment over the most vulnerable domains
Link Layer Encryption

Along a path of TrustSec/802.1AE encrypted links the packet alternates between cipher data on each link and data in the clear inside each device.

- Hop-by-hop packet confidentiality and integrity via IEEE 802.1AE, "bump-in-the-wire" model
- Packets are encrypted on egress (encrypt on the egress interface)
- Packets are decrypted on ingress (decrypt on the ingress interface)
- Packets are in the clear inside the device
- Allows the network to continue to perform all the packet inspection features currently used
- Can be incrementally deployed depending on link vulnerability
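The two port scenarios from the vulnerability/countermeasure slide and the bump-in-the-wire model above, as an added worked example. This is example code, not part of the original deck and not Cisco's implementation: it is not wire-compatible with IEEE 802.1AE, HMAC-SHA256 (and an HMAC-derived keystream) stands in for AES-GCM, derive_link_key() stands in for the 4-way SAP exchange that follows the RADIUS-Accept (w/ PMK), and every MAC address, key, nonce and payload is made up. It shows the 802.1X-only port accepting a spoofed MAC, the 802.1AE/SAP port rejecting frames with no ICV, a forged ICV or a replayed packet number, and a switch decrypting on ingress, inspecting in the clear and re-protecting on the egress link.

```python
"""Constructed model of an 802.1X-only port versus an 802.1AE/SAP port.
Example code only: not Cisco's and not wire-compatible with IEEE 802.1AE.
HMAC-SHA256 and an HMAC keystream stand in for AES-GCM; derive_link_key()
stands in for the 4-way SAP exchange; all MACs, keys and payloads are made up."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


def derive_link_key(pmk: bytes, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Both link peers compute this after exchanging nonces.  An attacker on the
    wire never saw the PMK (it travelled inside RADIUS), so it cannot."""
    return hmac.new(pmk, b"link-key" + nonce_a + nonce_b, hashlib.sha256).digest()


@dataclass
class Frame:
    sender: str        # who protected the frame: host on an access port, neighbour switch on a trunk
    src_mac: str       # inner Ethernet source address, preserved hop by hop
    payload: bytes     # ciphertext on the wire, cleartext inside the box
    pn: int = 0        # per-sender packet number, strictly increasing
    icv: bytes = b""   # integrity check value over sender|src_mac|pn|payload


def _keystream(key: bytes, pn: int, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, pn.to_bytes(8, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(key: bytes, pn: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, pn, len(data))))


def _icv(key: bytes, f: Frame) -> bytes:
    msg = f.sender.encode() + f.src_mac.encode() + f.pn.to_bytes(8, "big") + f.payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect(key: bytes, sender: str, src_mac: str, pn: int, clear: bytes) -> Frame:
    """Encrypt on egress, then tag the ciphertext (encrypt-then-MAC)."""
    f = Frame(sender, src_mac, _xor(key, pn, clear), pn)
    f.icv = _icv(key, f)
    return f


class Port:
    """linksec=False: 802.1X only.  linksec=True: 802.1AE/SAP-enabled port."""

    def __init__(self, linksec: bool, link_key: bytes = b""):
        self.linksec, self.link_key = linksec, link_key
        self.authorized: set[str] = set()   # filled in on RADIUS-Accept
        self.highest_pn = -1                # replay check, window of one

    def ingress(self, f: Frame) -> tuple[bool, bytes, str]:
        """Decrypt on ingress.  Returns (forwarded?, cleartext, reason)."""
        if f.sender not in self.authorized:
            return False, b"", "dropped: unauthorized sender"
        if not self.linksec:
            return True, f.payload, "accepted on MAC alone"       # spoofer wins here
        if not f.icv or not hmac.compare_digest(f.icv, _icv(self.link_key, f)):
            return False, b"", "dropped: missing or invalid ICV"  # no key, no entry
        if f.pn <= self.highest_pn:
            return False, b"", "dropped: replayed packet number"
        self.highest_pn = f.pn
        return True, _xor(self.link_key, f.pn, f.payload), "accepted"


def forward(port: Port, f: Frame, inspect, egress_key: bytes, me: str, pn_out: int):
    """Bump in the wire: decrypt on ingress, inspect in the clear, re-protect on egress."""
    ok, clear, reason = port.ingress(f)
    if not ok:
        return None, reason
    if not inspect(clear):                  # IDS/ACL logic still sees cleartext
        return None, "dropped by inspection"
    return protect(egress_key, me, f.src_mac, pn_out, clear), "forwarded"


def demo() -> dict:
    pmk = b"\x11" * 32                       # constructed: delivered in RADIUS-Accept (w/ PMK)
    key = derive_link_key(pmk, b"nonce-switch", b"nonce-host")
    host = spoofer = "00:11:22:33:44:55"     # the miscreant copies the authenticated MAC
    r = {}
    plain = Port(linksec=False); plain.authorized.add(host)
    r["dot1x_only_spoof"] = plain.ingress(Frame(spoofer, spoofer, b"evil"))[0]
    sec = Port(linksec=True, link_key=key); sec.authorized.add(host)
    good = protect(key, host, host, 1, b"GET /payroll")
    r["linksec_good"] = sec.ingress(good)[0]
    r["linksec_spoof_no_icv"] = sec.ingress(Frame(spoofer, spoofer, b"evil"))[0]
    r["linksec_replay"] = sec.ingress(good)[0]
    r["linksec_forged_icv"] = sec.ingress(protect(b"guess", spoofer, spoofer, 2, b"evil"))[0]
    # next hop: decrypt, inspect in the clear, re-protect with the inter-switch link key
    uplink_key = derive_link_key(b"\x22" * 32, b"n1", b"n2")
    core = Port(linksec=True, link_key=uplink_key); core.authorized.add("switch-A")
    def clean(clear: bytes) -> bool: return b"evil" not in clear
    out, r["forwarded"] = forward(sec, protect(key, host, host, 3, b"GET /payroll"),
                                  clean, uplink_key, "switch-A", 100)
    r["core_sees"] = core.ingress(out)[1]
    _, r["inspected"] = forward(sec, protect(key, host, host, 4, b"evil"),
                                clean, uplink_key, "switch-A", 101)
    return r
```

Run demo() to see the eight outcomes side by side. The replay window of one is a simplification; 802.1AE implementations keep a configurable replay window because frames can be reordered on real links.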
Dynamic SGT & SGACL Assignment

Topology in the figure: Internet, Enterprise Campus, and a data center hosting Finance, CRM, ERP, Portal Y, Portal Z, Intranet Portal and Storage Class A servers. Legend: unauthenticated campus to DC; port identity = Campus Edge; port identity = Internet Edge; server identity = *.

Example authorization rules:
- if (user Role = CRM) then apply SGT = Confidential
- if (user Role = Finance) then apply SGT = Confidential
- if (user Role = ERP) then apply SGT = Confidential
- if (user Role = Portal Y) then apply SGT = Unrestricted
- if (user Role = Portal Z) then apply SGT = Unrestricted
- if (user Role = Intranet Portal) then apply SGT = Sensitive
- if (user Role = Campus Edge) then apply SGT = Ent. Campus
- if (user Role = Internet Edge) then apply SGT = Internet
- if (user Role = Storage Class A) then apply SGT = Data Confidential

Sequence:
1. Ensure identities are pre-provisioned (host and/or port mapping)
2. Link up or port enabled initiates endpoint authentication & authorization
3. Host identity acquired (802.1X, MAB or pre-provisioned Identity to Port Mapping (IPM)) and relayed via RADIUS to ACS
4. Identity credentials are authenticated, then the authorization rules are processed, SGTs assigned and SGACLs applied
Example 1: Bi-Directional Enterprise Campus & Unrestricted Servers

- All packets entering the data center from the campus edge are tagged as Ent. Campus
- Packets from the Portal Y server are tagged as Unrestricted
- Traffic between Ent. Campus and Unrestricted is permitted in both directions
Example 2: Enterprise Campus to Data Confidential

- All packets entering the data center from the campus edge are tagged as Ent. Campus
- Egress filtering for the storage array: the array is tagged Data Confidential and the policy (SGACL) denies access from Ent. Campus
- As illustrated, communication from Ent. Campus to Data Confidential is denied
Example 3: Unrestricted to Data Confidential (Intra-DC use case)

- All packets from Portal Z are classified as Unrestricted
- Egress filtering for the storage array: the array is tagged Data Confidential and the policy (SGACL) denies access from Unrestricted
- As illustrated, communication from Unrestricted to Data Confidential is denied
Example 4: Data Confidential to Internet (Data Center use case)

- All packets from Storage Confidential are classified as Data Confidential
- Egress filtering on the Internet tagged/filtered port denies access from Data Confidential
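The four examples above, plus the ingress tagging sequence on the Dynamic SGT & SGACL Assignment slide, as one added worked example. This is example code, not part of the original deck and not Cisco's implementation. The roles and tag names are the slide's; everything else is an assumption of this example: the numeric SGT values (0 = Unknown follows the CTS convention), the host and port identities, the IP addresses and prefixes, the entries inside each SGACL cell (the slide only says permit or deny per pair), the Confidential-to-Data Confidential cell, and a default-deny posture for pairs with no policy. It goes slightly beyond the slide by adding port-granular entries and an authenticated Finance user reaching storage.

```python
"""Constructed model of ingress SGT classification and egress SGACL enforcement.
Example code only, not Cisco's: roles and tag names come from the slide; numeric
SGT values, identities, addresses, per-cell entries and default-deny are assumed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace

# Security group tags.  Numbers are assumed; 0 = Unknown follows the CTS convention.
SGT = {"Unknown": 0, "Unrestricted": 2, "Sensitive": 3, "Confidential": 4,
       "Data Confidential": 5, "Ent. Campus": 6, "Internet": 7}
TAG_NAME = {v: k for k, v in SGT.items()}

# Authorization rules from the slide: if (user Role = X) then apply SGT = Y
AUTHZ_RULES = {
    "CRM": "Confidential", "Finance": "Confidential", "ERP": "Confidential",
    "Portal Y": "Unrestricted", "Portal Z": "Unrestricted",
    "Intranet Portal": "Sensitive", "Storage Class A": "Data Confidential",
    "Campus Edge": "Ent. Campus", "Internet Edge": "Internet",
}
# Identity sources (assumed): hosts/servers authenticated by 802.1X or MAB,
# and ports with a pre-provisioned Identity to Port Mapping (IPM).
HOST_ROLES = {"alice@corp": "Finance", "portal-y.dc": "Portal Y",
              "portal-z.dc": "Portal Z", "storage-a.dc": "Storage Class A"}
PORT_ROLES = {"Gi1/1": "Campus Edge", "Gi1/2": "Internet Edge"}
# What the egress switch knows about destinations (a prefix-to-SGT map, assumed).
PREFIX_SGT = {"10.10.0.5/32": "Unrestricted", "10.10.0.6/32": "Unrestricted",
              "10.20.0.9/32": "Data Confidential", "10.1.0.0/16": "Ent. Campus",
              "203.0.113.0/24": "Internet"}

# SGACL matrix: (source tag, destination tag) -> ordered entries, first match wins.
# Entry = (action, protocol, destination port or None for any).
PERMIT_IP, DENY_IP = ("permit", "ip", None), ("deny", "ip", None)
SGACL = {
    ("Ent. Campus", "Unrestricted"): [("permit", "tcp", 80), ("permit", "tcp", 443), DENY_IP],
    ("Unrestricted", "Ent. Campus"): [PERMIT_IP],                  # example 1, return path
    ("Ent. Campus", "Data Confidential"): [DENY_IP],               # example 2
    ("Unrestricted", "Data Confidential"): [DENY_IP],              # example 3
    ("Data Confidential", "Internet"): [DENY_IP],                  # example 4
    ("Confidential", "Data Confidential"): [("permit", "tcp", 3260), DENY_IP],  # assumed cell
}
DEFAULT_ENTRY = DENY_IP   # pair with no policy; a default-deny posture is assumed


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    dport: int = 443
    sgt: int = SGT["Unknown"]   # assigned at ingress, carried in the CTS header


def authorize(host: str | None, port: str) -> int:
    """Steps 3-4 of the slide: identity (802.1X/MAB host, or IPM port) -> rule -> SGT."""
    role = HOST_ROLES.get(host) if host else PORT_ROLES.get(port)
    return SGT[AUTHZ_RULES.get(role, "Unknown")]


def ingress(pkt: Packet, port: str, host: str | None = None) -> Packet:
    """Ingress classification: the tag is assigned once, at the edge."""
    return replace(pkt, sgt=authorize(host, port))


def dst_tag(ip: str) -> str:
    """Longest-prefix lookup of the destination's tag at the egress switch."""
    addr = ipaddress.ip_address(ip)
    hits = [ipaddress.ip_network(p) for p in PREFIX_SGT if addr in ipaddress.ip_network(p)]
    return PREFIX_SGT[str(max(hits, key=lambda n: n.prefixlen))] if hits else "Unknown"


def egress(pkt: Packet) -> tuple[str, str]:
    """Egress enforcement: (src SGT, dst SGT) selects the SGACL cell."""
    src, dst = TAG_NAME[pkt.sgt], dst_tag(pkt.dst_ip)
    for action, proto, dport in SGACL.get((src, dst), [DEFAULT_ENTRY]):
        if proto == "ip" or (proto == pkt.proto and dport in (None, pkt.dport)):
            return action, f"{src} -> {dst}: {action} {proto} {dport or 'any'}"
    return "deny", f"{src} -> {dst}: implicit deny"


def demo() -> dict:
    campus = Packet("10.1.1.50", "10.10.0.5")                 # campus host -> Portal Y
    storage, internet = "10.20.0.9", "203.0.113.10"
    r = {}
    r["ex1_campus_https_to_portal_y"] = egress(ingress(campus, "Gi1/1"))[0]
    r["ex1_campus_ssh_to_portal_y"] = egress(ingress(replace(campus, dport=22), "Gi1/1"))[0]
    r["ex1_portal_y_to_campus"] = egress(ingress(Packet("10.10.0.5", "10.1.1.50"), "Gi2/1", "portal-y.dc"))[0]
    r["ex2_campus_to_storage"] = egress(ingress(replace(campus, dst_ip=storage), "Gi1/1"))[0]
    r["ex3_portal_z_to_storage"] = egress(ingress(Packet("10.10.0.6", storage), "Gi2/2", "portal-z.dc"))[0]
    r["ex4_storage_to_internet"] = egress(ingress(Packet(storage, internet), "Gi2/3", "storage-a.dc"))[0]
    # beyond the slide: an authenticated Finance user (Confidential) reaches storage on iSCSI only
    fin = ingress(Packet("10.1.5.7", storage, dport=3260), "Gi3/7", "alice@corp")
    r["finance_iscsi_to_storage"] = egress(fin)[0]
    r["finance_https_to_storage"] = egress(replace(fin, dport=443))[0]
    # no identity at all: SGT 0 (Unknown) lands in the default cell
    r["unknown_to_portal_y"] = egress(ingress(campus, "Gi9/9"))[0]
    return r
```

The point the model makes explicit is the split the slides rely on: classification happens once at ingress and travels as a tag, while enforcement happens at the egress switch, which only needs the destination's tag and the matrix, not the topology the packet crossed.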
Comparison of encryption models (Source: Ken Hook)

Traffic visibility & network manageability

HxH* (LinkSec on each link between Catalyst switches across the core network, i.e. the TrustSec network):
- Single SA per link: no complex key management server required
- Hop-by-hop security prevents layer 2 attacks
- Transparent to hosts, applications and servers
- Packets remain in the clear inside the box, preserving the Intelligent Information Network
- IT has network control, using familiar network tools (IDS, anti-virus, ...)
- Allows incremental deployment over the most vulnerable domains

E2E*:
- Layer 3+ end-to-end encryption for IP traffic and payload
- No packet visibility, which defeats IT IDS and network analysis tools
- Doesn't prevent layer 2 attacks (e.g. MAC spoofing, stealing)
- Complex security association maintenance

Host-to-server IPsec negatively impacts:
- Deep packet inspection
- Extended ACLs (port/protocol)
- Full NetFlow (port/protocol)
- QoS (ports): limited
- Content and SLB capabilities: dramatic reduction
- Network latency: increased
- Host/server CPU/memory utilization for header insertion/removal & SAs: increased
- Weighted Fair Queuing (WFQ): priority & other flow-based traffic prioritization
- NAT: broken (requires NAT-T)

Cisco TrustSec preserves IT tools for network management.

* E2E = End-to-End, HxH = Hop-by-Hop
Data Center Confidentiality & Integrity

CTS - Network Device Admission Control (NDAC): mutual device authentication (EAP-FAST) between CTS switches, then confidential & authenticated data communications.
1. Port status: Unauthorized
2. EAP-FAST EAPOL Start
3. EAP-FAST EAPOL Request
4. EAP Response (w/ device credentials)
5. Credentials relayed to AAA (ACS 5.0) via RADIUS
6. RADIUS-Accept (w/ environment data & PMK)
7. The PMK is used to initiate the 4-way SAP exchange
8. Port status: Authorized, encrypted port enabled

CTS - Endpoint Admission Control (EAC): 802.1X machine authentication of servers with 802.1AE NICs, then confidential & authenticated data communications.
1. Port status: Unauthorized
2. EAPOL Start
3. EAPOL Request
4. EAP Response (w/ host credentials)
5. Credentials relayed to AAA via RADIUS
6. RADIUS-Accept (w/ PMK)
7. The PMK is used to initiate the 4-way SAP exchange
8. Port status: Authorized, encrypted port enabled
Cisco TrustSec Overview

Identification and Authorization:
- Builds a trusted network infrastructure with Network Device Admission Control (NDAC)
- Extends IBNS and NAC by adding topology-independent ingress security group assignment

L2/L3 TrustSec Confidentiality and Integrity:
- Wire-rate encryption and data integrity on L2 Ethernet switch ports
- Preserves all network-based accounting, deep packet inspection and intelligent services
- Uniform encryption, transparent to applications, protocols, etc.

Scalable Topology-Independent Access Control:
- Centralized access control policy administration
- Consistent policy for wired, wireless and remote access VPNs
- Network access control policy is decoupled from network topology, providing unparalleled scale