
Cisco Day 2016

20.4.2016

Hotel Mons

Wednesday

György Ács

IT Security Consulting Systems Engineer

20 April 2016

Why Identity is so important? - Identity Services Engine update

ISE Champion

• Best Practices, Tips and Tricks on these selected topics:

• Hardware, infrastructure review

• Authentication and Authorization Policies

• Certificates

• Guest, Profiling, Posture

• pxGrid, Fire & ISE

• TACACS+

• REST API

Agenda

Hardware, infrastructure review

• Determining Minimum Appliance Quantity and Platform Type

Scaling by Deployment/Platform/Persona

Persona Deployment

Deployment 1 - All Personas running on single or redundant nodes (PAN + MnT + PSN on each node)
• Max Nodes by Type: 2 Admin+MnT+PSN nodes
• Max Endpoints for Entire Deployment: 5k with SNS-3415 • 7.5k with SNS-3515 • 10k with SNS-3495 • 20k with SNS-3595

Deployment 2 - Administration and Monitoring co-located on single or redundant nodes, Dedicated Policy Service nodes (PAN + MnT on one pair of nodes, PSNs separate)
• Max Nodes by Type: 2 Admin+MnT nodes • 5 Policy Service nodes
• Max Endpoints for Entire Deployment: 5k with SNS-3415 PAN+MnT • 7.5k with SNS-3515 PAN+MnT • 10k with SNS-3495 PAN+MnT • 20k with SNS-3595 PAN+MnT

Deployment 3 - Dedicated Administration node(s), Dedicated Monitoring node(s), Dedicated Policy Service nodes (PAN, MnT and PSN each on their own nodes)
• Max Nodes by Type: 2 Admin nodes • 2 MnT nodes • 40 Policy Service nodes (3495s) • 50 Policy Service nodes (3595s)
• Max Endpoints for Entire Deployment: 250k with SNS-3495 for PAN and MnT • 500k with SNS-3595 for PAN and MnT

Note: Max Endpoints = Max Active Sessions; ISE supports 1M Endpoints in DB

Determining Minimum Appliance Quantity and Platform Type

• Max Endpoints Per Appliance for Dedicated PSN

Policy Service Node Sizing


• Physical and Virtual Appliance Guidance

Form Factor   Platform Size   Appliance    Maximum Endpoints
Physical      Small           SNS-3415     5,000
Physical      Large           SNS-3495     20,000
Physical      Small (New)     SNS-3515 *   7,500
Physical      Large (New)     SNS-3595 *   40,000
Virtual       S/L             VM           5,000-40,000 *

General VM appliance sizing guidance:

1) Select the physical appliance that meets the required persona and scaling requirements.

2) Configure the VM to match or exceed the ISE physical appliance specifications.

* Under ISE 2.0.x, scaling for Small & Large 35x5 appliances is the same as for Small & Large 34x5 appliances.

ISE VM Provisioning & Disk IO Guidance

• VMotion officially supported in ISE 1.2

• Thin Provisioning officially supported in ISE 1.3 (recommend Thick Provisioning for MnT)

• Hyper-Threading not required, but can improve TPS

• IO Performance Requirements: Read 300+ MB/sec, Write 50+ MB/sec

• Recommended disk/controller: 10k RPM+ disk drives, Caching RAID Controller, RAID mirroring (Slower writes using RAID 5*)

*RAID performance levels: http://www.datarecovery.net/articles/raid-level-comparison.html http://docs.oracle.com/cd/E19658-01/820-4708-13/appendixa.html

• Starting in ISE 1.3: No more storage media and file system restrictions. For example, VMFS is not required and NFS is allowed provided storage is supported by VMware and meets ISE IO performance requirements.

• Customers with VMware expertise may choose to disable resource reservations and over-subscribe, but do so at own risk.


ISE Bandwidth Calculator (Multi-Site)

Now available to customers @ https://communities.cisco.com/docs/DOC-64317

Note: Bandwidth required for RADIUS traffic is not included. Calculator is focused on inter-ISE node bandwidth requirements.

• Authorize User Access to the Network Based on Their Location

Location Based Authorization

[Diagram: ISE 2.0 integrates with MSE 8.0; ISE provides the UI to configure MSE; MSE supplies the location data in the hierarchy Campus:Building:Floor:Zone]

• Track Movement of the endpoint after authentication using MAC address

• Query MSE every 5 minutes to verify current location.

– If no change, do nothing

– If change, update endpoint info and issue CoA.

• Best Practice: Do NOT track every session!

– Limit tracking to critical access based on location.

– Excessive tracking can lead to lookup failures. (Max 150 TPS)

Tracking Location in Authorization Policy • Limit Location Tracking to Critical Locations and Resource Access

Authentication, Authorization Policies Optimization

Search Speed Test

• Find the object where…

– Total stars = 10

– Total green stars = 4

– Total red stars = 2

– Outer shape = Red Circle


• Avoid Unnecessary External Store Lookups

AuthZ Policy Optimization


Example of a Poor Rule: Employee_MDM
• All lookups to External Policy and ID Stores are performed first, then the local profile match!

• Policy Logic:
o First Match, Top Down
o Skip Rule on first negative condition match

• More specific rules generally at top
• Try to place more “popular” rules before less-used rules.
• Rule Sequence and Condition Order is Important!

AuthZ Policy Optimization

(Good Examples)

Example #1: Employee
1. Endpoint ID Group
2. Authenticated using AD?
3. Auth method/protocol
4. AD Group Lookup

Example #2: Employee_CWA
1. Location (Network Device Group)
2. Web Authenticated?
3. Authenticated via LDAP Store?
4. LDAP Attribute Comparison
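The ordering advice above (first match top down, skip a rule at its first failing condition, put cheap local conditions before external store lookups) can be checked with a small model. The following is an added example, not code from the presentation or from ISE: rule names, attribute names and the sample sessions are constructed, and an `external` flag stands in for the cost of an AD or MDM round trip so that the two orderings of the same rule can be compared.

```python
# Added example, not from the presentation: a small model of the ISE
# authorization policy logic stated on the slides (first match, top down;
# a rule is skipped at its first failing condition). Conditions that need
# an external store are flagged so that two orderings of the same rule can
# be compared by how many AD/MDM round trips they cost. Rule names,
# attribute names and the sample sessions are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Session = Dict[str, object]


@dataclass
class Condition:
    name: str
    check: Callable[[Session], bool]
    external: bool = False  # True when evaluating it costs an AD/MDM lookup


@dataclass
class Rule:
    name: str
    conditions: List[Condition]  # ANDed, evaluated left to right
    result: str


@dataclass
class Trace:
    matched: Optional[str]
    external_lookups: int
    conditions_evaluated: int


def evaluate(policy: List[Rule], session: Session) -> Trace:
    """First match, top down; stop evaluating a rule at its first False."""
    lookups = evaluated = 0
    for rule in policy:
        for cond in rule.conditions:
            evaluated += 1
            if cond.external:
                lookups += 1
            if not cond.check(session):
                break  # skip the rest of this rule, move to the next one
        else:
            return Trace(rule.name, lookups, evaluated)
    return Trace(None, lookups, evaluated)


def total_external_lookups(policy: List[Rule], sessions: List[Session]) -> int:
    return sum(evaluate(policy, s).external_lookups for s in sessions)


# Local conditions (no round trip) and external ones (AD group / MDM query).
def endpoint_group(group: str) -> Condition:
    return Condition(f"EndPointGroup={group}", lambda s: s["group"] == group)


AUTH_VIA_AD = Condition("IdentityStore=AD", lambda s: s["id_store"] == "AD")
EAP_TLS = Condition("Protocol=EAP-TLS", lambda s: s["protocol"] == "EAP-TLS")
AD_EMPLOYEES = Condition("AD:ExternalGroups=Employees",
                         lambda s: "Employees" in s["ad_groups"], external=True)
MDM_COMPLIANT = Condition("MDM:DeviceCompliant=True",
                          lambda s: s.get("mdm_compliant") is True, external=True)
PRINTERS = Rule("Printers", [endpoint_group("Printers")], "Printer_Access")

# Poor ordering: external lookups first, local profile match last.
POOR_POLICY = [
    Rule("Employee_MDM", [AD_EMPLOYEES, MDM_COMPLIANT, endpoint_group("Corp-Laptops")], "Employee_Full"),
    PRINTERS,
]
# Good ordering: cheap local checks first, external lookups last.
GOOD_POLICY = [
    Rule("Employee_MDM", [endpoint_group("Corp-Laptops"), AUTH_VIA_AD, EAP_TLS, AD_EMPLOYEES, MDM_COMPLIANT], "Employee_Full"),
    PRINTERS,
]

# Constructed sample sessions: one employee laptop, three MAB printers.
EMPLOYEE = {"group": "Corp-Laptops", "id_store": "AD", "protocol": "EAP-TLS",
            "ad_groups": ["Employees"], "mdm_compliant": True}
PRINTER = {"group": "Printers", "id_store": "Internal", "protocol": "MAB", "ad_groups": []}
SAMPLE_SESSIONS = [EMPLOYEE, PRINTER, PRINTER, PRINTER]

if __name__ == "__main__":
    for label, policy in (("poor", POOR_POLICY), ("good", GOOD_POLICY)):
        print(label, evaluate(policy, PRINTER), total_external_lookups(policy, SAMPLE_SESSIONS))
```

Both orderings reach the same result for every session; the difference is that with the poor ordering every printer session pays an AD lookup before the cheap profile check fails, so the more non-employee sessions the deployment sees, the larger the gap.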

• DNS servers in ISE nodes must have all relevant AD records (A, PTR, SRV)

• Ensure NTP configured for all ISE nodes and AD servers

• Configure AD Sites and Services

(with ISE machine accounts configured for relevant Sites)

• Configure Authentication Domains (Whitelist domains used) (ISE 1.3)

• Use UPN/fully qualified usernames when possible to expedite user lookups

• Use AD indexed attributes* when possible to expedite attribute lookups

• Run Diagnostics from ISE Admin interface to check for issues.

AD Integration Best Practices (from 1.3)

* Microsoft AD Indexed Attributes: http://msdn.microsoft.com/en-us/library/ms675095%28v=vs.85%29.aspx http://technet.microsoft.com/en-gb/library/aa995762%28v=exchg.65%29.aspx

Authorization Policies Pro Tip:

Combining AND & OR

Combining AND with OR in AuthZ Policies

Cannot Mix??

• Advanced Editing

Combining AND with OR in AuthZ Policies

Advanced Editor

Simple Conditions

• Advanced Editing

Combining AND with OR in AuthZ Policies

Certificates

• Import All Certificates in Trust Path, One at-a-Time

Pro Tip: Always Add the Root & Sub CAs

Root CA

Subordinate CA

ISE Cert

If you must use a PKCS chain, it needs to be in PEM format (not DER)

Subordinate CA

Simple URL for My Devices & Sponsor Portals

• In 1.3+: Sponsor Portal and My Devices Portal must be accessed via a user-friendly URL and selectable port.

• Ex: http://mydevices.company.com - Automatic redirect to https://fqdn:port

• FQDN for URL must be added to DNS and resolve to the Policy Service node(s) used for Guest Services.

• Recommend populating Subject Alternative Name (SAN) field of PSN local cert with this alternative FQDN or Wildcard to avoid SSL cert warnings due to name mismatch.

• Certificate Warning - Name Mismatch

ISE Certificate without SAN

[Diagram: the user browses to http://sponsor.company.com; DNS Lookup = sponsor.company.com, DNS Response = 10.1.99.5 (the Load Balancer, labelled 100.1.99.5 in the drawing); the Load Balancer redirects to https://sponsor.company.com:8443/sponsorportal and forwards the request to one of ISE-PSN-1, ISE-PSN-2, ISE-PSN-3 at 100.1.100.5, 100.1.100.6, 100.1.100.7]

Name Mismatch! Requested URL = sponsor.company.com, Certificate Subject = ise-psn-3.company.com

• No Certificate Warning

ISE Certificate with SAN

[Diagram: same flow - http://sponsor.company.com, DNS Lookup = sponsor.company.com, DNS Response = 10.1.99.5, the Load Balancer (100.1.99.5) redirects to https://sponsor.company.com:8443/sponsorportal and forwards the request to a PSN]

Certificate OK! Requested URL = sponsor.company.com, Certificate SAN = sponsor.company.com

ISE Certificate with SAN

CN must also exist in SAN

Other FQDNs as “DNS Names”

IP Address is also option

Wildcard Certificates – Why use with ISE?

Wildcard Certificates are used to identify any secure web site that is part of the domain:

e.g.: *.woland.com works for:

www.woland.com
mydevices.woland.com
sponsor.woland.com
AnyThingIWant.woland.com

“Traditional” Wildcard Certificates != psn.[ise].woland.com - Position in FQDN is fixed (the * covers only one label)

Use of all portals & friendly URLs without Certificate Match Errors.

Most Importantly: Ability to host the exact same certificate on all ISE PSNs for EAP authentications

• Why, you ask?.......
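The name-mismatch and wildcard behaviour in the slides above follows from how a client matches the requested hostname against the names in a certificate. The following is an added example, not code from the presentation or from any ISE component: a minimal matcher in the spirit of RFC 6125, with certificates constructed from the slides' names (ise-psn-3.company.com, sponsor.company.com, psn.ise.local with *.ise.local in the SAN). The "CN-only" result is a label chosen here for the legacy fallback that clients use only when the certificate carries no SAN at all.

```python
# Added example, not from the presentation: a minimal hostname-matching
# check in the spirit of RFC 6125 that reproduces the slides' points. When a
# certificate carries SAN dNSName entries, clients ignore the CN, so the CN
# must also appear in the SAN; a wildcard covers exactly one label in a fixed
# position; and a shared PSN certificate with psn.ise.local plus *.ise.local
# in its SAN matches every PSN. The certificate contents below are constructed
# from the slides' example names.
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # dNSName entries
    san_ip: List[str] = field(default_factory=list)   # iPAddress entries


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that replaces only the whole leftmost label.

    '*.woland.com' matches 'www.woland.com' but not 'psn.ise.woland.com'
    (two labels) and not 'woland.com' (zero labels): the * position is fixed.
    """
    pattern, hostname = _norm(pattern), _norm(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are not accepted
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # refuse '*.com' style names and label-count mismatches
    return p_labels[1:] == h_labels[1:]


def match_certificate(cert: CertNames, requested: str) -> str:
    """Return 'SAN', 'CN-only' (legacy fallback) or 'MISMATCH' for a hostname."""
    if cert.san_dns or cert.san_ip:
        if any(dns_name_matches(n, requested) for n in cert.san_dns):
            return "SAN"
        if requested in cert.san_ip:
            return "SAN"
        return "MISMATCH"  # SAN present: the CN is not consulted at all
    return "CN-only" if dns_name_matches(cert.subject_cn, requested) else "MISMATCH"


def cn_covered_by_san(cert: CertNames) -> bool:
    """Lint check for the slide's rule 'CN must also exist in SAN'."""
    return any(dns_name_matches(n, cert.subject_cn) for n in cert.san_dns)


# Constructed certificates modelled on the slides' diagrams.
PSN3_NO_SAN = CertNames("ise-psn-3.company.com")
PSN3_WITH_SAN = CertNames("ise-psn-3.company.com",
                          ["ise-psn-3.company.com", "sponsor.company.com", "mydevices.company.com"])
SHARED_PSN = CertNames("psn.ise.local", ["psn.ise.local", "*.ise.local"])
CN_MISSING_FROM_SAN = CertNames("sponsor.company.com", ["ise-psn-3.company.com"])

if __name__ == "__main__":
    for cert in (PSN3_NO_SAN, PSN3_WITH_SAN):
        print(cert.subject_cn, "->", match_certificate(cert, "sponsor.company.com"))
    print("shared PSN cert covers ise2.ise.local:", match_certificate(SHARED_PSN, "ise2.ise.local"))
    print("CN covered by SAN:", cn_covered_by_san(CN_MISSING_FROM_SAN))
```

`CN_MISSING_FROM_SAN` shows the trap behind "CN must also exist in SAN": the CN is sponsor.company.com, but because the certificate has a SAN, a modern client never looks at the CN and the sponsor URL is a mismatch anyway. `cn_covered_by_san` is the check to run before installing a portal or EAP certificate.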

Clients Misbehave!

• Example education customer:
– ONLY 6,000 Endpoints (all BYOD style)
– 10M Auths / 9M Failures in 24 hours!
– 42 Different Failure Scenarios – all related to clients dropping TLS (both PEAP & EAP-TLS).

• Supplicant List:
– Kyocera, Asustek, Murata, Huawei, Motorola, HTC, Samsung, ZTE, RIM, SonyEric, ChiMeiCo, Apple, Intel, Cybertan, Liteon, Nokia, HonHaiPr, Palm, Pantech, LgElectr, TaiyoYud, Barnes&N

• 5411 No response received during 120 seconds on last EAP message sent to the client
– This error has been seen at a number of Escalation customers
– Typically the result of a misconfigured or misbehaving supplicant not completing the EAP process.

Recreating the Issue

Clients Misbehave: Apple Example

[Diagram: an Apple iOS & MacOS client with one WiFi Profile and one SSID, a NAD, and two PSNs ISE-1 (ise1.ise.local) and ISE-2 (ise2.ise.local), each with its own certificate issued by the same Cert Authority]

• Multiple PSNs • Each Cert signed by Trusted Root • Apple Requires Accept on all certs!
• Results in 5411 / 30sec retry

1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client Roams
5. Authentication goes to ISE-2
6. Client Prompts for Accept

Coining a New Term

Solution: Common Cert, Wildcard in SAN

• Allows anything ending with The Domain Name.
• Same EXACT Priv / Pub Key May be installed on all PSNs

[Diagram: same client, NAD and two PSNs, but ISE-1 and ISE-2 now present one common certificate from the Cert Authority]

• CN= psn.ise.local • SAN contains all PSN FQDNs: psn.ise.local, *.ise.local
• Tested and works with: comodo.com CA, SSL.com CA, Microsoft 2008 CA
• Failed with: GoDaddy CA -- they don’t like * in SAN -- they don’t like non-* in CN

1. Authentication goes to ISE-1
2. ISE-1 sends certificate
3. Client trusts ISE-1
4. Client Roams
5. Authentication goes to ISE-2
6. Client Already Trusts Cert (psn.ise.local Already Trusted)

Scaling Guest

• Device/user logs in to hotspot or credentialed portal

• MAC address automatically registered into GuestEndpoint group

• Authz policy for GuestEndpoint ID Group grants access until device purged

Scaling Web Authentication • “Remember Me” Guest Flows

Prior to ISE 1.3, can “chain” CWA+DRW or NSP to auto-register web auth users, but no auto-purge

Endpoint Purging Examples

• On Demand Purge
• Matching Conditions
• Purge by: # Days After Creation, # Days Inactive, Specified Date

Best Practices for Profiling

• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.

• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)

– Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.

– For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…

– DHCP IP Helpers

– SNMP Traps

– DHCP/HTTP with ERSPAN (Requires validation)

• Ensure profile data for a given endpoint is sent to the same PSN

– Same issue as above, but not always possible across different probes

• Use node groups and ensure profile data for a given endpoint is sent to same node group.

– Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.

• Avoid probes that collect the same endpoint attributes

– Example: Device Sensor + SNMP Query/IP Helper

• Enable Profiler Attribute Filter

ISE Profiling Best Practices • Whenever Possible…


Do NOT send profile data to multiple PSNs !

DO send profile data to single and same PSN or Node Group !

DO use Device Sensor !

DO enable the Profiler Attribute Filter !

• HTTP Probe:

– Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.

– Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.

• DHCP Probe:

– Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!

– Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.

• SNMP Probe:

– Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates.

– For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.

– SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.

• NetFlow Probe:

– Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.

ISE Profiling Best Practices • General Guidelines for Probes

Do NOT enable all probes by default !

Avoid SPAN, SNMP Traps, and NetFlow probes !

Best Practices for Posture

Posture Lease

• Once Compliant, user may leave/reconnect multiple times before re-posture

MDM Scalability and Survivability

• Scalability ≈ 30 Calls per second per PSN.
– Cloud-Based deployment typically built for scale and redundancy
– Premise-Based deployment may leverage load balancing

• For cloud-based solutions, Internet bandwidth and latency must be considered.

• ISE 1.4+ supports multiple MDM servers – could be same or different vendors.

What Happens When the MDM Server is Unreachable?

• Authorization permissions can be set based on MDM connectivity status:
– MDM:MDMServerReachable Equals UnReachable
– MDM:MDMServerReachable Equals Reachable

• All attributes retrieved & reachability determined by single API call on each new session.

pxGrid

pxGrid Bulk Downloads (peer-to-peer)

[Diagram: pxGrid Controller, MnT and other ISE Nodes on one side; FMC, Splunk and a web client (WWW) as pxGrid clients]
1. I need Bulk Session Data (client asks the Controller)
2. Get it From MnT (Controller points the client at MnT)
3. Direct Data Transfer (MnT to client, peer-to-peer)

pxGrid Topic Extensibility

Topic               Publisher   Subscribers
Session_Directory   MnT         Splunk, FMC, WSA
Vulnerable Hosts    Rapid7      FMC

Adding a topic (Rapid7 and ISE Admin):
1. Req: Add New Topic: “Vulnerable Hosts”
3. Publish Topic
4. Announce: New Topic Available

Consuming the topic (FMC):
1. Subscribe Vulnerable Hosts
2. Direct Transfer (Rapid7 to FMC)

How do we “Certificate-ify” This Scenario?

1. Use a Single Certificate Authority
2. Each pxGrid Participant Trusts That Certificate Authority
3. Each pxGrid Client uses a ‘pxGrid’ Certificate from that CA
4. *Controller Must still Authorize the Communication

[Diagram: every participant (Controller, MnT, FMC, Splunk, WWW) holds an X.509 pxGrid certificate issued by that CA]

pxGrid Cert = Client Auth Policy + Server Auth Policy

Instant Full Mesh Trust!

ISE and Fire

Rapid Threat Containment with Firepower Management Center and ISE

• Fully Supported on FMC 5.4 and ISE 1.3+
– Uses pxGrid + Endpoint Protection Services (EPS)

• Note: ANC is Next Gen version of the older EPS
• EPS functions are still there for Backward Compatibility

• Loads as a Remediation Module on FMC
– Remediation Module Takes Action via the EPS call through pxGrid

[Diagram: NGFW at the Internet edge (i-Net), FMC, pxGrid Controller, MnT, and an endpoint (WWW)]
1. Security Events / IOCs Reported (NGFW to FMC)
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth (FMC to ISE over pxGrid)
4. Endpoint Assigned Quarantine + CoA-Reauth Sent

Cisco StealthWatch: System Overview (Earlier: Lancope)

[Diagram: Network Devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector; a StealthWatch FlowSensor on a SPAN port generates NetFlow for Non-NetFlow Capable Devices; the StealthWatch Management Console (SMC) manages the FlowCollectors]

StealthWatch FlowCollector
• Collect and analyze • Up to 4,000 sources • Up to 240,000 FPS sustained

StealthWatch Management Console (SMC)
• Management and reporting • Up to 25 FlowCollectors • Up to 6 million FPS globally

Network as a Sensor: Cisco StealthWatch

Real-time visibility at all network layers • Data Intelligence throughout network • Assets discovery • Network profile • Security policy monitoring • Anomaly detection • Accelerated incident response

[Diagram: Cisco StealthWatch receives NetFlow from the network and Context Information from Cisco ISE over pxGrid; Mitigation Actions go back to ISE over pxGrid (ISE pxGrid for Remediation)]

Device Admin

TACACS+

A long time ago in a development lab far, far away…

AuthC Once + AuthZ Many

[Sequence diagram: the administrator opens SSH to the Network Device; the device exchanges TACACS+ packets with ISE]

AuthC:
START (authentication) – User trying to connect
REPLY (authentication) – request username
CONTINUE (authentication) – username
REPLY (authentication) – request password
CONTINUE (authentication) – password
REPLY (authentication) – Pass
→ Authentication is Complete

Shell AuthZ:
REQUEST (authorization) – service = shell
RESPONSE (authorization) – PASS_ADD
→ EXEC is Authorized
REQUEST (accounting) – START / RESPONSE – SUCCESS

Command AuthZ (repeated for every command, e.g. "# show run"):
REQUEST (authorization) – service = command
RESPONSE (authorization) – PASS_ADD
→ Command is Authorized
REQUEST (accounting) – CONTINUE / RESPONSE – SUCCESS

ISE Deployment Node Configuration

• Policy Service Node for Protocol Processing
– Session Services (e.g. Network Access/RADIUS) On by default
– Device Admin Service (e.g. TACACS+) MUST BE ENABLED FOR DEVICE ADMINISTRATION!!

Some Device Admin Best Practices

• Different Policy Sets for IOS than AireSpace OS
• Different for Security Apps than Routers
• Different for ASA
• Differentiate based on location of Device

USE NDGs!

Device Administration Policy Set

Policy Set Ordered List

Provides both Management AND Execution order

Condition For Policy Set

How Policy Set is engaged

Policy Set

Use Policy Sets Based on

Device Type

Cisco IOS Switches

Airespace WLCs

Best Practices for Policy Sets Organization

• Optimal Size Mix for Policy Set breakdown in ISE 2.0:
– 6-10 Policy Sets
– 60-100 rules

• Divide Complete Policy into robust Silos representing Use Cases
– e.g.
• By Device Type
• By Region

ISE Authorization Processing

Policy Set Selection → Identity Selection → Authorization Policy Evaluation (Command Set or Profile) → Reply

TACACS+ example:

Wireless LAN Controllers

TACACS+ example:

Cisco IOS

• Results are often specific to the NAD-Type.

– Different results for AirOS than IOS than NX-OS.

• Results are not differentiated in GUI by Default

Best Practice: Use Prefixes for Your Results

T+ Command Sets: Wildcard vs. Regex

• A Permit below will take priority over a Deny above.
• Except with a Deny_Always

Command Sets May Be Stacked!

IOS-SecOps-NoConfig: Deny_Always Config * ; Permit Everything Else
IOS-PermitAllCommands: Permit *
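The precedence rules on the slide (a Permit anywhere beats a Deny anywhere, Deny_Always beats everything, and command sets may be stacked) are easiest to check against a small evaluator. This is an added example, not ISE code: command and argument patterns are shell-style wildcards, the "re:" prefix used to mark a regex argument pattern and the IOS-Helpdesk set are assumptions of this example, and the two slide command sets are modelled from the slide's description.

```python
# Added example, not from the presentation: a small evaluator for stacked
# TACACS+ command sets that implements the precedence rules stated on the
# slide: a Permit anywhere beats a Deny anywhere, and a Deny_Always beats
# everything. Command and argument patterns are shell-style wildcards; the
# "re:" prefix used to mark a regex pattern is an assumption of this example,
# not ISE syntax. The command sets mirror the slide's IOS-SecOps-NoConfig and
# IOS-PermitAllCommands.
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Tuple

PERMIT, DENY, DENY_ALWAYS = "Permit", "Deny", "Deny_Always"


@dataclass
class CommandRule:
    grant: str
    command: str          # wildcard pattern for the first word, e.g. "show"
    arguments: str = "*"  # wildcard pattern, or "re:<regex>" (example convention)


@dataclass
class CommandSet:
    name: str
    rules: List[CommandRule]
    permit_unlisted: bool = False  # "Permit Everything Else"


def pattern_matches(pattern: str, text: str) -> bool:
    if pattern.startswith("re:"):
        return re.fullmatch(pattern[3:], text, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def authorize(stack: List[CommandSet], command_line: str) -> Tuple[str, str]:
    """Return (decision, reason) for one command against a stack of command sets."""
    command, _, arguments = command_line.strip().partition(" ")
    hits = [(rule.grant, cset.name, rule)
            for cset in stack for rule in cset.rules
            if pattern_matches(rule.command, command)
            and pattern_matches(rule.arguments, arguments)]
    # Deny_Always wins regardless of position or of any Permit elsewhere.
    for grant, name, rule in hits:
        if grant == DENY_ALWAYS:
            return "DENY", f"{DENY_ALWAYS} '{rule.command} {rule.arguments}' in {name}"
    # Otherwise any Permit beats any Deny, even a Deny listed above it.
    for grant, name, rule in hits:
        if grant == PERMIT:
            return "PERMIT", f"{PERMIT} '{rule.command} {rule.arguments}' in {name}"
    for grant, name, rule in hits:
        if grant == DENY:
            return "DENY", f"{DENY} '{rule.command} {rule.arguments}' in {name}"
    unlisted = [c.name for c in stack if c.permit_unlisted]
    if unlisted:
        return "PERMIT", f"not listed; 'Permit Everything Else' in {unlisted[0]}"
    return "DENY", "not listed and no set permits unlisted commands"


# Command sets from the slide, modelled from its description.
IOS_SECOPS_NOCONFIG = CommandSet("IOS-SecOps-NoConfig",
                                 [CommandRule(DENY_ALWAYS, "config*", "*")],  # config t, configure terminal, ...
                                 permit_unlisted=True)
IOS_PERMIT_ALL = CommandSet("IOS-PermitAllCommands", [CommandRule(PERMIT, "*", "*")])
# Extra set (constructed) for the Permit-beats-Deny and regex cases.
IOS_HELPDESK = CommandSet("IOS-Helpdesk", [
    CommandRule(DENY, "show", "re:(running|startup)-config.*"),   # regex argument match
    CommandRule(PERMIT, "show", "*"),                              # permit below beats deny above
])

if __name__ == "__main__":
    for line in ("show run", "configure terminal", "show running-config | include aaa"):
        print(line, "->", authorize([IOS_SECOPS_NOCONFIG, IOS_PERMIT_ALL], line))
```

With the two slide sets stacked, "show run" is permitted by IOS-PermitAllCommands, while "configure terminal" is denied even though "Permit *" matches it, because the Deny_Always in IOS-SecOps-NoConfig is evaluated first. In IOS-Helpdesk the plain Deny on running-config is overridden by the Permit beneath it, which is exactly the behaviour the slide warns about; use Deny_Always when the denial must hold.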

REST API

ISE REST API: ERS: External RESTful Services

• Session API (from MnT node)

• REST API:
– From ISE 1.0.4
– ISE 1.3: added Guest
– ISE 2.0: added TrustSec (SGT, SXP, SGACL), internal users

• Default: ERS is Not enabled

• XML based

Session API response example:

<activeSession>
  <user_name>sfadmin</user_name>
  <calling_station_id>sfadmin-10.1.1.66</calling_station_id>
  <framed_ip_address>10.1.1.66</framed_ip_address>
</activeSession>
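A parser for the Session API XML shown above, as an added example (not code from the presentation or from Cisco). It handles the single <activeSession> form on the slide and, as an assumption of this example, an <activeList> wrapper containing several sessions; the sample list, its second and third user names and the malformed address are constructed.

```python
# Added example, not from the presentation: a parser for the MnT Session API
# XML shown on the slide. It accepts either a single <activeSession> element
# (as on the slide) or an <activeList> wrapping several of them (the list
# form is an assumption of this example), returns plain dictionaries, and
# validates that framed_ip_address parses as an IP address before it is used
# for a lookup. The sample XML below is constructed from the slide's values.
import ipaddress
import xml.etree.ElementTree as ET  # for XML from untrusted sources prefer defusedxml
from typing import Dict, List, Optional

SESSION_FIELDS = ("user_name", "calling_station_id", "framed_ip_address")


def parse_active_sessions(xml_text: str) -> List[Dict[str, Optional[str]]]:
    root = ET.fromstring(xml_text)
    elements = [root] if root.tag == "activeSession" else root.findall("activeSession")
    sessions = []
    for elem in elements:
        record = {f: (elem.findtext(f) or "").strip() or None for f in SESSION_FIELDS}
        ip = record["framed_ip_address"]
        try:
            record["framed_ip_address"] = str(ipaddress.ip_address(ip)) if ip else None
        except ValueError:
            record["framed_ip_address"] = None  # malformed address: do not trust it
        sessions.append(record)
    return sessions


def find_by_ip(sessions: List[Dict[str, Optional[str]]], ip: str) -> Optional[Dict[str, Optional[str]]]:
    """Look up the session behind an address, e.g. when correlating a firewall event."""
    wanted = str(ipaddress.ip_address(ip))
    return next((s for s in sessions if s["framed_ip_address"] == wanted), None)


SLIDE_XML = """<activeSession>
<user_name>sfadmin</user_name>
<calling_station_id>sfadmin-10.1.1.66</calling_station_id>
<framed_ip_address>10.1.1.66</framed_ip_address>
</activeSession>"""

# Constructed list response: the slide's session, a second well-formed one,
# and one with a malformed address.
LIST_XML = """<activeList noOfActiveSession="3">
<activeSession><user_name>sfadmin</user_name><calling_station_id>sfadmin-10.1.1.66</calling_station_id><framed_ip_address>10.1.1.66</framed_ip_address></activeSession>
<activeSession><user_name>jdoe</user_name><calling_station_id>00:11:22:33:44:55</calling_station_id><framed_ip_address>10.1.1.77</framed_ip_address></activeSession>
<activeSession><user_name>printer01</user_name><calling_station_id>aa:bb:cc:dd:ee:ff</calling_station_id><framed_ip_address>not-an-ip</framed_ip_address></activeSession>
</activeList>"""

if __name__ == "__main__":
    print(parse_active_sessions(SLIDE_XML))
    print(find_by_ip(parse_active_sessions(LIST_XML), "10.1.1.77"))
```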

Supported resources :

• End points

• End point identity groups

• Guest users

• Identity groups

• Internal users

• Portals

• Profiler policies

• Network devices

• Network device groups

• Security groups

Currently: no Authentication/Authorization policies

Enable ERS and Add ERS Admin User

Admin or operator based on the READ/WRITE rights

Admin: Full access to all ERS API requests such as GET, POST, DELETE, PUT

Operator: Read-only access to ERS API, only GET

[Screenshot: GET internal users via ERS]

• Best Practices, Tips and Tricks on these selected topics:

• Hardware, infrastructure review

• Authentication and Authorization Policies

• Guest, Profiling, Posture

• Certificates

• pxGrid, Fire & ISE

• TACACS+

• REST API

Summary


Questions ?