Page 1: Cisco Support Community Expert Series Webcast · and ASDM Cisco Web Security Wired Network Devices Cisco Catalyst® Switches ... WebAuth, dACL, VLAN-assignment Role-Based Access Control

Cisco Support Community Expert Series Webcast

Vaibhav Katkade Product Manager, Enterprise Networking Group, Cisco

April 1, 2014

Fortify Your LAN with Cisco Catalyst Switching

Page 2

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Today’s featured expert is Product Manager, Vaibhav Katkade

Ask questions now about switching security

Vaibhav Katkade

Product Manager

Enterprise Networking Group

Page 3

Panel of Experts

Hariprasad Holla, Technical Marketing Engineer, NOSTG

Gokul Nair, Product Manager, NOSTG

Kural Arangasamy, Technical Marketing Engineer, Services

Page 4

Today’s presentation will include audience polling questions.

We encourage you to participate!

Page 6

What is your role?

a. IT end customer – Network centric

b. IT end customer – Security centric

c. End customer IT consumer – Network and Security centric

d. Cisco-employee / Partner

e. Other

Page 7

What is your level of familiarity with Cisco Catalyst switches?

a. Familiar with routing/switching and security on Catalyst

b. Familiar with routing/switching only on Catalyst

c. Not quite familiar with Catalyst switching products

d. Other

Page 8

Use the Q & A panel to submit your questions and the panel of experts will respond.

Submit Your Questions Now!

Page 9

Vaibhav Katkade

Product Manager, Enterprise Networking Group, Cisco

April 1, 2014

Fortify Your LAN with Cisco Catalyst Switching

Page 10

Overview

Identity Based Networking Services

Cisco TrustSec

MACsec

Behavioral Based Threat Detection

First Hop Security


Page 12

Cisco Catalyst Switches – From Access to Backbone: New Products Across the Complete Range

Catalyst 2960-X (Jul 2013): smart, simple, green & secure wired access

Catalyst 3850/3650 (Jan/Jun 2013): advanced fixed switching with Unified Access

Catalyst 4500E with SUP8-E (Aug 2013): flexible, scalable, feature-rich modular access

Catalyst 6500/6800 (Dec 2013): enterprise backbone optimized for 10/40/100G

Common themes across the range: lower TCO, end-to-end security, application visibility, investment protection, performance & scale

Page 13

End-User Behaviors

• Over 15 billion devices by 2015, with the average worker using 3 devices

• New workspace: anywhere, anytime

• 71% of the Gen Y workforce do not obey policies

• 60% will download sensitive data onto a personal device

IT Trends

• Must control the multiple devices and guests

• Security: top concern for BYOD

• Mobile malware has doubled (from 2010 to 2011)

• Consolidation of multiple physical networks onto a single IP infrastructure

Goals: reduce security risk, improve end-user productivity, increase operational efficiency

Page 14

Solution components (diagram): Cisco Prime™ and Cisco® ISE for management and policy; a third-party MDM appliance / MDM manager; the Cisco WLAN Controller; Cisco ASA Firewall and IPS, managed with Cisco CSM and ASDM; Cisco Web Security; wired network devices (Cisco Catalyst® Switches); and Cisco AnyConnect® on the endpoint for office wired access, office wireless access and remote access.

Page 15

Comprehensive Network Security Services: Uncompromised Network Security and Access Control

WHAT · WHERE · HOW · WHEN · WHO

Identity / context-aware network access

• Identify and profile devices with Device Sensor

• Provide authenticated network access with the industry's best 802.1X

• Guest access with WebAuth, dACL, VLAN assignment

• Role-based access control with TrustSec Security Group Tagging

Segmentation

• Role-based, topology-independent segmentation using TrustSec

• Layer 3 network segmentation with MPLS / VRF-Lite / EVN

Secure network

• Hardware-based Control Plane Policing

• IPv4/IPv6 First Hop Security

• Network Device Authentication (NDAC)

• MACsec encryption

Page 16

Where are you with Network Access Control in your network?

a. Already have an implementation or have an undergoing project

b. Planning to have in the next 12-18 months

c. Do not plan to have it anytime soon

d. Other


Page 18

BYOD: users get safely on the Internet fast and easy

Guest Access: it is easy to provide guests limited-time and limited-resource access

Secure Access on Wired and Wireless Network and VPN: control with one policy across wired, wireless, and remote infrastructure

Cisco TrustSec®: network policy rules written in business terms control access

Page 19

Device Sensor: Automated Device Classification Using Cisco Infrastructure

Device profiling for wired and wireless networks: the switch gleans CDP, LLDP, DHCP and MAC information from attached endpoints (access point, printer, IP phone) and reports it to ISE, which classifies the device and returns the matching policy, for example Printer Policy [place on VLAN X] or IP Phone Policy [VoIP QoS policy, VLAN Y].

Deployment scenario with Cisco Device Sensors

COLLECTION: the switch collects device-related data and sends a report to ISE

CLASSIFICATION: ISE classifies the device, collects flow information and provides a device usage report

AUTHORIZATION: ISE executes policy based on user and device

The solution: efficient device classification leveraging the infrastructure (Cisco innovation)

Supported platforms: IOS 15.0(1)SE1 for Cat 3K; IOS 15.1(1)SG for Cat 4K; ISE 1.1.1

Page 20

Secure BYOD with 802.1X

Authentication features on the Cisco Catalyst® switch (802.1X | MAB | WebAuth) cover network devices, IP phones, authorized users, guests and tablets.

Monitor Mode: unobstructed access, no impact on productivity, gain visibility

MAC Based Authentication

Flexible Authentication Sequence: enables a single configuration for most use cases; flexible fallback mechanism and policies

Identity differentiators

• Rich and robust 802.1X

• IP telephony support for virtual desktop environments

• Critical data/voice authentication: business continuity in case of failure

• Host modes: Single Host Mode, Multi-Host Mode, Multi-Auth Mode, Multi-Domain Authentication

Page 21

Network Access Visibility: 802.1X Monitor Mode

Authentication features on the Cisco Catalyst® switch (802.1X, MAB, WebAuth) for network devices, IP phones, authorized users, guests and tablets.

Monitor Mode: unobstructed access, no impact on productivity, gain visibility

MAC Based Authentication

Flexible Authentication Sequence: enables a single configuration for most use cases; flexible fallback mechanism and policies

Easily authenticate every device/user: full network access visibility, zero disruption

Cat3k: 12.2(58)SE; Cat4K: 15.0(2)SG, 3.2.0SG

Page 22

Policy Aware – Identity Based Networking Services (new policy model)

Common config, defined once globally as an interface template:

template identity-template
 switchport access vlan 201
 switchport mode access
 ip access-group PREAUTH in
 authentication periodic
 authentication timer reauthenticate server
 access-session host-mode single-host
 access-session port-control auto
 access-session control-direction in
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 service-policy type control subscriber POLICY
!

For every interface, only the template reference:

interface FastEthernet2/0/1
 source template identity-template
!
interface FastEthernet2/0/2
 source template identity-template
!
interface FastEthernet2/0/3
 source template identity-template
!
interface FastEthernet2/0/4
 source template identity-template
end

Remaining identity config, the control policy the template references (excerpt):

policy-map type control subscriber POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
 ...
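The flexible authentication sequence and monitor mode that the last three slides describe, worked through as an added Python example (illustration written for this page, not Cisco IOS code or anything shown in the webcast). It assumes the three methods are tried in the priority order of the control policy above, dot1x with "retries 2" first, then MAB, then WebAuth; the endpoints, the MAB database and each method's outcome are constructed:

```python
"""Flexible authentication sequence (802.1X, then MAB, then WebAuth) with a
monitor-mode option, modelled in Python.  Added illustration, not Cisco code:
the endpoint records, the MAB database and the per-method outcomes are
constructed to mirror the slides."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool                  # does it answer EAPoL at all?
    dot1x_credentials_ok: bool = False    # what the AAA server would decide
    webauth_credentials_ok: bool = False  # captive-portal login outcome


@dataclass
class Session:
    mac: str
    authorized: bool = False
    method: Optional[str] = None                                # method that succeeded
    trail: List[Tuple[str, str]] = field(default_factory=list)  # (method, result) history


# Constructed: MAC addresses the endpoint store (MAB database) already knows.
MAB_KNOWN_MACS = {"00:11:22:33:44:55"}


def run_dot1x(ep: Endpoint, retries: int = 2) -> str:
    """'authenticate using dot1x retries 2': a device without a supplicant
    never answers EAPoL, so every attempt times out; a supplicant answers on
    the first attempt and the AAA server decides."""
    attempts = 0
    while attempts <= retries:
        attempts += 1
        if ep.has_supplicant:
            return "success" if ep.dot1x_credentials_ok else "fail"
    return f"timeout after {attempts} attempts"


def run_mab(ep: Endpoint) -> str:
    """MAC Authentication Bypass: the MAC address itself is the credential."""
    return "success" if ep.mac in MAB_KNOWN_MACS else "fail"


def run_webauth(ep: Endpoint) -> str:
    """Web authentication: interactive login on the captive portal."""
    return "success" if ep.webauth_credentials_ok else "fail"


# The flexible sequence in priority order (dot1x first, then mab, then webauth).
METHODS: List[Tuple[str, Callable[[Endpoint], str]]] = [
    ("dot1x", run_dot1x),
    ("mab", run_mab),
    ("webauth", run_webauth),
]


def authenticate(ep: Endpoint, monitor_mode: bool = False) -> Session:
    """Walk the sequence and stop at the first success.  In closed mode an
    endpoint that fails every method stays behind the pre-auth ACL; in
    monitor mode it is authorized anyway, and the trail is the visibility."""
    s = Session(mac=ep.mac)
    for name, method in METHODS:
        result = method(ep)
        s.trail.append((name, result))
        if result == "success":
            s.authorized, s.method = True, name
            return s
    s.authorized = monitor_mode
    return s


# Constructed sample endpoints (documentation-range MACs).
LAPTOP = Endpoint("00:00:5e:00:53:01", has_supplicant=True, dot1x_credentials_ok=True)
PRINTER = Endpoint("00:11:22:33:44:55", has_supplicant=False)
GUEST_TABLET = Endpoint("00:00:5e:00:53:03", has_supplicant=False, webauth_credentials_ok=True)
UNKNOWN_DEVICE = Endpoint("00:00:5e:00:53:04", has_supplicant=False)

if __name__ == "__main__":
    for ep in (LAPTOP, PRINTER, GUEST_TABLET, UNKNOWN_DEVICE):
        for mode in (False, True):
            s = authenticate(ep, monitor_mode=mode)
            print(f"{ep.mac} monitor={mode}: authorized={s.authorized} via={s.method} trail={s.trail}")
```

Running it shows the point of monitor mode: the unknown device gets the same three-entry trail in both modes, so the switch learns exactly which method every endpoint would have failed, and only the final authorization decision differs.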

Page 23

Policy Aware – Identity Based Networking Services: Template Assignment, Similar to Applying a Port ACL via filter-id

Exchange between switch and RADIUS server:

1. The endpoint authenticates over EAPoL; the switch sends an Access-Request (username=jdoe).

2. RADIUS returns an Access-Accept carrying the AV pair "subscriber:service-name=TEMPLATE".

3. The switch enforces the service template defined locally on the switch:

service-template TEMPLATE
 access-group PERMIT-ANY
 vlan 100
 inactivity-timer 360

• Can also be triggered via RADIUS CoA

• Service-template activation can be a local control-policy action

• If the template doesn't exist on the switch, it can be downloaded like a dACL

Page 24

Which best describes your network segmentation architecture?

a. Using NAC (802.1X or related) and ACLs/Firewalls/Routing-Switching

b. Mostly with routing/switching – VLAN/PVLAN/VRF/MPLS only

c. Mostly with Firewalls and ACLs only

d. Do not have any segmentation today, but would like to

e. No plans to do network segmentation

f. Other


Page 26

Improved Access Control with Security Group

Diagram: users and devices on the access layer (voice, employee, suppliers, guest, non-compliant) in Building 3 and the Main Building, on WLAN and data VLANs, carry an Employee Tag, Supplier Tag, Guest Tag or Non-Compliant Tag; their traffic crosses the campus core to the data center firewall and data center.

Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers.

TrustSec simplifies ACL management for intra/inter-VLAN traffic.

Page 27

Network Segmentation based on User / Device Role

Diagram: the same access layer (voice, employee, guest and suspicious endpoints tagged Employee, Supplier, Guest or Suspicious) across Building 3, the Main Building, the campus core and the data center firewall.

Enforcement is based on Security Group, even for communication in the same VLAN.

Page 28

Campus Segmentation in Action

Diagram: a campus built from Catalyst 3850 access switches and a Cat6800/Sup2T core; a data center with Nexus 7000, Nexus 5K, Nexus 2K and Nexus 1000v; ASA5500-X firewalls; ISE; and branches B, C and D reached over an ASR1000 / ISR4451 / ISR3900 / ISR2900 / ISR1900 WAN (GETVPN, DMVPN, FLEXVPN). Endpoints shown: HR 10.1.10.101 and 10.1.10.102 (DHCP, wired), Finance 10.2.1.51 and 10.2.1.52 (DHCP), BYOD-Guest 192.168.1.10.20 (DHCP), BYOD-HR 192.168.50.103 (DHCP), HR 20.10.18.103 (DHCP), on VLAN10 and VLAN18 and the SSIDs Vender-net and Corp-net.

Policy matrix (source group × protected assets, for HR, Finance, BYOD-Corp and BYOD-Vendor) with PERMIT/DENY cells; the cell-by-cell layout is not recoverable from the slide text.

Page 29

Securing Your BYOD with TrustSec

• Segmentation using Security Group, independent from topology

• Offload filtering to ASA for rich and scalable policy rule automation

• Simplified network design, lowering operational cost

Diagram: BYOD devices, POS devices and audit devices share a single VLAN (Internet VLAN) behind the WLC (CAPWAP tunnel); ISE assigns the BYOD Tag, POS Tag and Audit Tag, and an SGACL / firewall enforces policy toward DC-PCI-DB, DC-PCI-Web, the local PCI server and the payment system.

Policy (source → destination):

Source IP | Source Sec Group | Destination IP | Destination Sec Group | Service | Action
Campus WLAN | BYOD Device | Any | Internet | HTTP | Allow
Any | Payment System | Any | DC-PCI-Web, Local PCI Server | HTTPS | Allow
Any | Audit | Any | DC-PCI-DB | TCP | Allow
Any | Any | Any | Any | Any | Deny

Page 30

Response based on Actionable Intelligence (Roadmap, ISE 1.3)

Scenario: a compromised endpoint 10.10.10.10 (aa:bb:cc:dd:ee:ff) on the corporate network, attached through an access switch and WLAN controller, reaching business data (app / storage) through a firewall that takes its rules from the policy server.

1. NIDS / SIEM event: Reconnaissance; Source IP: 10.10.10.10/32; Response: Quarantine

2. ISE context: OS type Windows 8; User: Mary; AD group: Employee; asset registration: yes; MAC address: aa:bb:cc:dd:ee:ff; policy mapping SGT: Suspicious

3. pxGrid: EPS Quarantine 10.10.10.10

Firewall rules:

Source IP | Source SGT | Destination IP | Destination SGT | Service | Action
Any | Employee | Any | Biz Server | HTTPS | Allow
Any | Suspicious | Any | Biz Server | Any | Deny

Quarantine is based on MAC address, preventing the compromised device from accessing from other locations / access methods.
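The policy table on the previous slide and the quarantine flow on this one, as an added Python model (illustration written for this page, not Cisco or ISE code). The SGTEnforcer class, its binding tables, the reconnect step and the server address 10.20.0.5 are constructed; the firewall rules, the endpoint 10.10.10.10 / aa:bb:cc:dd:ee:ff and the event fields are the ones on the slide:

```python
"""Security-group (SGT) policy evaluation and MAC-based quarantine, modelled
in Python.  Added illustration, not Cisco or ISE code: the enforcer, its
binding tables, the server address and the reconnect step are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    src_sgt: str
    dst_sgt: str
    service: str   # e.g. "HTTPS", "TCP", or ANY
    action: str    # "Allow" or "Deny"


# Firewall rules from the slide, first match wins, closed with the explicit
# any/any/any Deny that the BYOD policy table on the previous slide ends with.
POLICY: List[Rule] = [
    Rule("Employee", "Biz Server", "HTTPS", "Allow"),
    Rule("Suspicious", "Biz Server", ANY, "Deny"),
    Rule(ANY, ANY, ANY, "Deny"),
]


class SGTEnforcer:
    """Keeps the IP->MAC and MAC->SGT bindings a policy server would push and
    evaluates the rule set on (source SGT, destination SGT, service)."""

    def __init__(self, policy: List[Rule]):
        self.policy = policy
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_sgt: Dict[str, str] = {}
        self.quarantined: Set[str] = set()

    def bind(self, mac: str, ip: str, sgt: str) -> None:
        """Session start: the endpoint gets an address and its role tag.
        A quarantined device keeps the Suspicious tag whatever the session asks."""
        self.mac_to_sgt[mac] = "Suspicious" if mac in self.quarantined else sgt
        self.ip_to_mac[ip] = mac

    def sgt_for_ip(self, ip: str) -> str:
        mac = self.ip_to_mac.get(ip)
        return self.mac_to_sgt.get(mac, "Unknown") if mac else "Unknown"

    def decide(self, src_ip: str, dst_ip: str, service: str) -> str:
        """First matching rule decides; an unmatched flow is denied."""
        src, dst = self.sgt_for_ip(src_ip), self.sgt_for_ip(dst_ip)
        for rule in self.policy:
            if (rule.src_sgt in (ANY, src) and rule.dst_sgt in (ANY, dst)
                    and rule.service in (ANY, service)):
                return rule.action
        return "Deny"

    def handle_siem_event(self, event: Dict[str, str]) -> Optional[str]:
        """SIEM/NIDS verdict -> quarantine by MAC, the pxGrid/EPS step on the
        slide.  Returns the quarantined MAC, or None if nothing changed."""
        if event.get("response") != "Quarantine":
            return None
        mac = self.ip_to_mac.get(event["source_ip"])
        if mac is None:
            return None
        self.quarantined.add(mac)
        self.mac_to_sgt[mac] = "Suspicious"
        return mac

    def reconnect(self, mac: str, new_ip: str, requested_sgt: str) -> None:
        """Same device on another port or SSID with a new DHCP lease."""
        for ip, m in list(self.ip_to_mac.items()):
            if m == mac:
                del self.ip_to_mac[ip]
        self.bind(mac, new_ip, requested_sgt)


# Constructed event carrying the values shown on the slide.
SIEM_EVENT = {
    "event": "Reconnaissance",
    "source_ip": "10.10.10.10",
    "response": "Quarantine",
    "user": "Mary",
    "ad_group": "Employee",
}


def demo() -> List[str]:
    """Walks the scenario; returns the sequence of firewall decisions."""
    fw = SGTEnforcer(POLICY)
    fw.bind("aa:bb:cc:dd:ee:ff", "10.10.10.10", "Employee")   # Mary's laptop
    fw.bind("00:00:5e:00:53:10", "10.20.0.5", "Biz Server")    # constructed server
    out = [fw.decide("10.10.10.10", "10.20.0.5", "HTTPS")]     # Allow
    out.append(fw.decide("10.10.10.10", "10.20.0.5", "SSH"))    # Deny: only HTTPS is allowed
    fw.handle_siem_event(SIEM_EVENT)                            # SGT becomes Suspicious
    out.append(fw.decide("10.10.10.10", "10.20.0.5", "HTTPS"))  # Deny
    fw.reconnect("aa:bb:cc:dd:ee:ff", "10.10.20.77", "Employee")  # new location, new IP
    out.append(fw.decide("10.10.20.77", "10.20.0.5", "HTTPS"))  # still Deny: tag follows the MAC
    return out


if __name__ == "__main__":
    print(demo())
```

The last step is the slide's point about quarantining by MAC rather than IP: after the device moves and gets a new lease, an IP-keyed block would have lapsed, while the MAC-keyed Suspicious tag is re-applied at the new session and the deny still holds.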


Page 32

Data Confidentiality with Visibility: Hop-by-Hop L2 Encryption (MACsec)

The solution, typical deployment scenario: traffic toward corporate resources is 802.1AE encrypted on every link, decrypted on ingress and re-encrypted on egress at each switch, so packets are in the "clear" inside the switch and the flows stay visible for security and QoS policy enforcement.

Cat3k: 15.0(1)SE; Cat4K: 15.1(1)SG, 3.3.0SG

Page 34

How do you monitor your network for security threats?

a. Flexible NetFlow

b. Logging/SNMP

c. SPAN / Network Tapping

d. Do not monitor network for security threats


Page 36

1. Continuous Monitoring and Security Intelligence

• Network troubleshooting

• StealthLabs + threat feeds

• Internal host reputation

• Firewall validation

2. Rapidly Detect & Resolve Advanced Threats

• DDoS detection

• Malware

• APTs

• Insider threats

3. Faster Incident Response & Forensic Investigations

• Situational awareness

• Identity awareness

• Reduce MTTK

• Records *ALL* traffic

4. Reduce Operational & Enterprise Risk

• Improve security risk posture

• Increase user accountability

• Improve compliance

• Enforce policy

Page 37

Watch Hosts on the Network: Security with NetFlow (Lancope StealthWatch)

Of the thousands of hosts on the network, what are the top offending hosts on the network at any given time? This shows a stack-ranked ordering of those hosts.

Identify top offending hosts by:

• Traffic spikes

• Suspicious conversations

• Malware patterns

• Communication with botnet servers

Screenshot callouts: strange ports; lots of different IP addresses and ranges; questionable; "click on this tab".

Page 38

Security Violations with Flexible NetFlow (Plixer's Scrutinizer)

Identify security issues:

• Multicast violations

• ICMP destination unreachable

• ICMP port unreachable

• Illegal IP addresses

• Internet threats

• DDoS violations

• Nefarious activity

• Breach attempt violations
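Stack-ranking top offending hosts from flow records, as an added Python example covering this slide and the previous one (illustration written for this page, not StealthWatch or Scrutinizer code). The flow records, the expected-port baseline, the scoring weights and every address are constructed; the indicators are the ones the two slides name, a host talking to many different addresses, on strange ports, and receiving ICMP destination/port unreachables back:

```python
"""Stack-ranking 'top offending hosts' from NetFlow-style records, in Python.
Added illustration, not StealthWatch or Scrutinizer code: the flow records,
the port baseline, the scoring weights and the addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int           # 6 TCP, 17 UDP, 1 ICMP
    dport: int           # destination port (0 for ICMP)
    packets: int
    icmp_type: int = -1  # only meaningful when proto == 1
    icmp_code: int = -1


# Constructed baseline of ports this network expects to see.
EXPECTED_PORTS = {22, 25, 53, 80, 123, 389, 443, 445, 636, 993, 3389}


def host_indicators(flows: List[Flow]) -> Dict[str, dict]:
    """Per source host: distinct peers, distinct ports, ports outside the
    baseline, and ICMP unreachables received (a sweep hitting closed ports)."""
    ind: Dict[str, dict] = defaultdict(
        lambda: {"peers": set(), "ports": set(), "strange_ports": set(), "unreachables": 0})
    for f in flows:
        if f.proto == 1:
            # ICMP type 3 = destination unreachable (code 3 = port unreachable).
            # It is sent back *to* the host that probed, so charge the receiver.
            if f.icmp_type == 3:
                ind[f.dst]["unreachables"] += f.packets
            continue
        h = ind[f.src]
        h["peers"].add(f.dst)
        h["ports"].add(f.dport)
        if f.dport not in EXPECTED_PORTS:
            h["strange_ports"].add(f.dport)
    return ind


def score(i: dict) -> int:
    """Weights are constructed: each distinct peer counts once; odd ports and
    unreachables count more because benign hosts rarely produce them."""
    return len(i["peers"]) + 3 * len(i["strange_ports"]) + 2 * i["unreachables"]


def top_offenders(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Hosts ordered by score, highest first; ties broken by address."""
    ranked = sorted(((host, score(i)) for host, i in host_indicators(flows).items()),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


# Constructed sample: two ordinary hosts and one sweeping the Finance subnet.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.10.101", "10.2.1.51", 6, 443, 40),
    Flow("10.1.10.101", "10.2.1.52", 6, 443, 12),
    Flow("10.1.10.101", "10.1.1.1", 17, 53, 9),
    Flow("10.2.1.52", "10.2.1.51", 6, 445, 200),
]
SAMPLE_FLOWS += [Flow("10.1.10.102", f"10.2.1.{i}", 6, 22, 1) for i in range(1, 21)]
SAMPLE_FLOWS += [Flow("10.1.10.102", "10.2.1.1", 6, 31337, 1),
                 Flow("10.1.10.102", "10.2.1.2", 6, 4444, 1)]
# Closed ports answer with ICMP port unreachable, addressed back to the prober.
SAMPLE_FLOWS += [Flow(f"10.2.1.{i}", "10.1.10.102", 1, 0, 1, icmp_type=3, icmp_code=3)
                 for i in range(1, 9)]

if __name__ == "__main__":
    for host, s in top_offenders(SAMPLE_FLOWS):
        print(f"{host:<14} score={s}")
```

The ranking is deliberately explainable: each host's score decomposes into the three indicators, so an analyst clicking through on the top entry sees the twenty peers, the two odd ports and the eight unreachables rather than an opaque number.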

Page 39

Simplified Troubleshooting: Embedded Wireshark

• Built-in packet sniffer for remote troubleshooting

• Real-time capture and decode on Sup7-E

• Capture and display data and control packets

• Storage options: SD card or USB

• Various display options

• Lightweight text version ("T-Shark")

Switch# show monitor capture file bootflash:nflow.pcap detailed
Frame 2: 880 bytes on wire (7040 bits), 880 bytes captured (7040 bits)
    Arrival Time: Nov 2, 2011 03:21:13.992382490 Universal
    <..SNIP..>
    Frame Number: 2
    Frame Length: 880 bytes (7040 bits)
    Capture Length: 880 bytes (7040 bits)
    <..SNIP..>
    [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: c8:4c:75:b4:0f:7f (c8:4c:75:b4:0f:7f), Dst: e0:00:0a:61:4e:1a (e0:00:0a:61:4e:1a)
    Destination: e0:00:0a:61:4e:1a (e0:00:0a:61:4e:1a)
        Address: e0:00:0a:61:4e:1a (e0:00:0a:61:4e:1a)

Components (features diagram): Wireshark runs as a hosted app alongside IOSd on the common infrastructure / HA layer, above the management interface, module drivers and kernel.

Page 40

Which levels of First-Hop Security have you implemented?

a. Port Security

b. IPv4 First Hop Security

c. IPv6 First Hop Security

d. Other

e. None


Page 42

IPv6 First Hop Security: FHS Hardens IPv6 Link Operations

Features on the Catalyst switch:

• ND Inspection

• Address Glean (ND, DHCP)

• IP Source Guard

• IP Destination Guard

• Device Tracking

IPv6 Binding Table (example):

Intf | IPv6 | MAC | VLAN | State
g1/0/10 | ::001A | 001A | 110 | Active
g1/0/11 | ::001C | 001C | 110 | Stale
g1/0/16 | ::001E | 001E | 200 | Verifying

Core features: 1. RA Guard; 2. DHCP Guard; 3. IPv6 Snooping; 4. DAD Proxy

Advanced features: 1. Source/Prefix Guard; 2. Destination Guard

Platform support: 3K-X 15.0(2)SE; 3850 IOS XE 3.2.0SE; 4500E IOS XE 3.4.0SG; 4500-X IOS XE 3.4.0SG

Illustration: a host announcing "I am a router", the rogue router advertisement that RA Guard is there to filter.
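The binding table and the guards on this slide, as an added Python model (illustration written for this page, not Cisco IOS code). Port roles, the 2001:db8:: addresses, the 00:00:5e:00:53:xx MACs, the message format and the 300 s lifetime are constructed; the states Active, Stale and Verifying follow the table above:

```python
"""IPv6 First Hop Security on a switch, modelled in Python: a binding table
gleaned from ND, plus RA Guard, DHCP Guard, DAD checking and Source Guard.
Added illustration, not Cisco code; port roles, addresses (documentation
prefix 2001:db8::/32, 00:00:5e:00:53:xx MACs) and messages are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Binding:
    intf: str
    ipv6: str
    mac: str
    vlan: int
    state: str       # "Active", "Stale" or "Verifying", as in the slide's table
    last_seen: float


class FHSSwitch:
    def __init__(self, port_roles: Dict[str, str], vlan_of: Dict[str, int]):
        self.port_roles = port_roles    # "router" (trusted uplink) or "host"
        self.vlan_of = vlan_of
        self.table: Dict[str, Binding] = {}   # IPv6 address -> binding
        self.log: List[str] = []

    def _drop(self, intf: str, reason: str) -> str:
        self.log.append(f"{intf}: drop ({reason})")
        return "drop"

    def process(self, intf: str, msg: Dict[str, str], now: float = 0.0) -> str:
        """Apply the FHS checks to one message; returns 'forward' or 'drop'."""
        kind = msg["kind"]
        trusted = self.port_roles.get(intf) == "router"

        if kind == "RA":
            # RA Guard: only the port facing the real router may advertise.
            return "forward" if trusted else self._drop(intf, "RA Guard: RA from host port")

        if kind in ("DHCPv6-ADVERTISE", "DHCPv6-REPLY"):
            # DHCP Guard: server messages are accepted from trusted ports only.
            return "forward" if trusted else self._drop(intf, "DHCP Guard: server message from host port")

        if kind == "NS-DAD":
            # Address glean from duplicate address detection; a second port
            # claiming an address that is already bound elsewhere is refused.
            target, mac = msg["target"], msg["mac"]
            b = self.table.get(target)
            if b and (b.intf != intf or b.mac != mac):
                return self._drop(intf, f"DAD: {target} already bound on {b.intf}")
            self.table[target] = Binding(intf, target, mac, self.vlan_of[intf], "Active", now)
            return "forward"

        if kind == "DATA":
            # IPv6 Source Guard: the source must be bound to this port and MAC.
            b = self.table.get(msg["src"])
            if b is None or b.intf != intf or b.mac != msg["mac"]:
                return self._drop(intf, f"Source Guard: {msg['src']} not bound on {intf}")
            if b.state == "Stale":
                b.state = "Verifying"   # the switch probes the host before trusting the entry again
            elif b.state == "Active":
                b.last_seen = now
            return "forward"

        return "forward"

    def age(self, now: float, lifetime: float = 300.0) -> None:
        """Entries not refreshed within the lifetime go Stale."""
        for b in self.table.values():
            if b.state == "Active" and now - b.last_seen > lifetime:
                b.state = "Stale"

    def confirm(self, ipv6: str, now: float) -> None:
        """The probed host answered (NA): the binding is live again."""
        b = self.table.get(ipv6)
        if b and b.state == "Verifying":
            b.state, b.last_seen = "Active", now

    def show(self) -> List[str]:
        """Rows in the order of the slide's table: Intf IPv6 MAC VLAN State."""
        return [f"{b.intf} {b.ipv6} {b.mac} {b.vlan} {b.state}" for b in self.table.values()]


def demo() -> List[str]:
    """Runs the checks end to end; returns the switch's drop log."""
    sw = FHSSwitch(port_roles={"g1/0/1": "router", "g1/0/10": "host", "g1/0/11": "host"},
                   vlan_of={"g1/0/1": 110, "g1/0/10": 110, "g1/0/11": 110})
    sw.process("g1/0/1", {"kind": "RA", "mac": "00:00:5e:00:53:01"})    # the real router
    sw.process("g1/0/10", {"kind": "RA", "mac": "00:00:5e:00:53:1a"})   # host says "I am a router": dropped
    sw.process("g1/0/10", {"kind": "NS-DAD", "target": "2001:db8::1a", "mac": "00:00:5e:00:53:1a"})
    sw.process("g1/0/11", {"kind": "NS-DAD", "target": "2001:db8::1a", "mac": "00:00:5e:00:53:1c"})  # duplicate
    sw.process("g1/0/11", {"kind": "DATA", "src": "2001:db8::1a", "mac": "00:00:5e:00:53:1c"})      # not bound here
    sw.process("g1/0/10", {"kind": "DATA", "src": "2001:db8::1a", "mac": "00:00:5e:00:53:1a"}, now=5.0)
    sw.age(now=1000.0)
    return sw.log


if __name__ == "__main__":
    print("\n".join(demo()))
```

The binding table is the single piece of state every guard consults: RA and DHCP Guard look only at the port's role, while DAD checking and Source Guard need the (port, address, MAC) triple that snooping gleaned, which is why the slide lists address glean and device tracking alongside the guards.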

Page 43

Pervasive End-to-End Security: Secure Network at Every Layer

Diagram of the controls at each layer: First Hop Security; 802.1AE; BGP MD5 and OSPFv3 authentication; CoPP, DAI and DHCP snooping; L2 security, private VLAN and storm control; MPLS L2/L3 VPN; DHCP snooping, DAI and SGACL; PACL/VACL; 802.1X; L3 SGT; multicast VPN; TrustSec.

Page 44

Identity Based Networking Services

http://www.cisco.com/c/en/us/products/ios-nx-os-software/identity-based-networking-services/index.html

IPv6 First Hop Security

http://www.cisco.com/c/en/us/products/ios-nx-os-software/ipv6-first-hop-security-fhs/index.html

Page 45

Use the Q & A panel to submit your questions and our expert will respond

Submit Your Questions Now!

Page 46

If you have additional questions, you can ask Vaibhav. He will be answering from April 1 – April 11, 2014.

https://supportforums.cisco.com/event/12159981/ask-expert-fortify-your-lan-cisco-catalyst-switching

You can catch the video or read the Q&A five business days after this event.

Page 47

How does Cisco Catalyst affect your hospital visits?

a. Cisco Catalyst mirrors the same technology as bigger hospital machines such as MRI scanners.

b. The Cisco Catalyst Series has surpassed the competition in terms of deployments in hospitals.

c. The Cisco Catalyst is used in waiting rooms for easier access to web and mobile.

d. Hospitals are using Cisco Catalyst as a safe option for connectivity and productivity without excessive wires and Ethernet cables that can cause physical harm to patients and staff.

Page 48

Wednesday, April 9

11:00 a.m. Brasilia City

3:00 p.m. West Lisbon

7:00 a.m. San Francisco

10:00 a.m. New York

Join Cisco Expert: Marcos Vinicius Ramos

During this live event, Cisco expert Marcos Ramos will explain the main concepts offered by Multiprotocol Label Switching (MPLS) networks.

Registration for this live webcast:

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=P&SEMINAR_CODE=S20297&PRIORITY_CODE=

Page 49

Tuesday, April 15

12:00 p.m. Moscow Time

9:00 a.m. Brussels Time

Join Cisco Expert: Anton Tugai

During this live event, Cisco expert Anton Tugai will discuss trends in software-defined networking (SDN) and current Cisco SDN offerings and solutions.

Registration for this live webcast:

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=R&SEMINAR_CODE=S19966&PRIORITY_CODE=

Page 50

Tuesday, April 29

9:00 a.m. Pacific US, San Francisco

12:00 p.m. Eastern US, New York

5:00 p.m. London

6:00 p.m. Paris

Join Cisco Experts: Eric Vyncke and Andrew Yourtchenko

During this live event, Cisco experts Eric Vyncke and Andrew Yourtchenko will explain the security myths and issues in the IPv6 protocol.

Registration for this live webcast:

http://tools.cisco.com/gems/cust/customerQA.do?METHOD=E&LANGUAGE_ID=E&SEMINAR_CODE=S20215&PRIORITY_CODE=

Page 51

Topic: Cisco Data Center Virtual Machine Fabric Extender

Join Cisco Experts: Vishal Mehta & Ali Haider. Learn and ask questions about Cisco Data Center Virtual Machine Fabric Extender (VM-FEX).

Ends April 11

Topic: SAML Single Sign-On (SSO) for Cisco Unified Communications 10.x

Join Cisco Experts: A.M. Mahesh Babu & Sarthak Saksena. Learn and ask questions about Security Assertion Markup Language (SAML) Single Sign-On (SSO) for Cisco Unified Communications 10.x.

Ends April 11

Join the discussion for these Ask The Expert Events:

https://supportforums.cisco.com/expert-corner/knowledge-sharing

Page 52

Topic: Global Site Selector (GSS)

Join Cisco Expert: Swati Chopra

Learn and ask questions about Global Site Selector.

Starts April 14

Join the discussion for these Ask The Expert Events:

https://supportforums.cisco.com/expert-corner/knowledge-sharing


https://supportforums.cisco.com


http://www.facebook.com/CiscoSupportCommunity

http://twitter.com/#!/cisco_support

http://www.youtube.com/user/ciscosupportchannel

https://plus.google.com/110418616513822966153?prsrc=3#110418616513822966153/posts

http://www.linkedin.com/groups/CSC-Cisco-Support-Community-3210019

Newsletter Subscription

https://tools.cisco.com/gdrp/coiga/showsurvey.do?surveyCode=589&keyCode=146298_2&PHYSICAL%20FULFILLMENT%20Y/N=NO&SUBSCRIPTION%20CENTER=YES

http://itunes.apple.com/us/app/cisco-technical-support/id398104252?mt=8

https://play.google.com/store/apps/details?id=com.cisco.swtg_android


Spanish https://supportforums.cisco.com/community/spanish

Portuguese https://supportforums.cisco.com/community/portuguese

Japanese https://supportforums.cisco.com/community/csc-japan

Russian https://supportforums.cisco.com/community/russian

New Chinese Community!

Chinese http://www.csc-china.com.cn/


Your ratings on documents, videos, and blogs now earn points for their authors.

So when you contribute content and it receives ratings, the points are credited to your profile.

Help us recognize quality content in the community and make your searches easier: rate content in the community.

https://supportforums.cisco.com/blog/154746


How does Cisco Catalyst affect your hospital visits?

a. Cisco Catalyst mirrors the same technology as bigger hospital machines such as MRI scanners.

b. The Cisco Catalyst Series has surpassed the competition in terms of deployments in hospitals.

c. The Cisco Catalyst is used in waiting rooms for easier access to web and mobile.

d. Hospitals are using Cisco Catalyst as a safe option for connectivity and productivity without excessive wires and Ethernet cables that can cause physical harm to patients and staff.

Answer: D

Hospitals, such as University Hospitals (UZ) Leuven in Belgium, are using Cisco Catalyst as a safer option for connectivity and productivity without excessive wires and Ethernet cables that can cause physical harm to patients and staff. This has helped the hospital comply with safety regulations while simultaneously creating a cost effective and manageable business model.


Thank you for Your Time!

Please take a moment to complete the evaluation


Thank you.
