Cisco TrustSec Security Solution Overview

Cisco TrustSec Security Solution Overview. Nicole Johnson, Systems Engineer, Cisco. Agenda: Movement from Location-Based to Identity-Based Security Strategy; Cisco TrustSec Approach; 802.1X; MACsec (802.1AE) encryption; Security Group Tags.

Transcript
Page 1: Cisco TrustSec Security Solution Overview

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.

Cisco TrustSec Security Solution Overview
Nicole Johnson
Systems Engineer
Cisco

Page 2: Cisco TrustSec Security Solution Overview

Agenda

• Movement from Location-Based to Identity-Based Security Strategy
• Cisco TrustSec Approach
  • 802.1X
  • MACsec (802.1AE) encryption
  • Security Group Tags
• Identity Services Engine (ISE) and its role in the network
• Network Control System
  • Introduction on how to manage the lifecycle of both wired and wireless devices in your network
• Q & A
• Next Steps

Page 3: Cisco TrustSec Security Solution Overview

Policy Evolving with Borderless Networks

Diagram labels: The RIGHT Person / An approved Device / In The Right Way; Anyone / Any Device / Anywhere / Anytime; Borderless Networks.

Page 4: Cisco TrustSec Security Solution Overview

Introducing Cisco TrustSec

• Improves IT Operational Efficiency
• Delivers Security & Risk Management
• Enables Business Productivity

Diagram: an identity-enabled infrastructure connecting Remote VPN User, Wireless User and VPN User Devices to the Intranet, Data Center and Internet Security Zones, with Policy-Based Access & Services (VLANs, dACLs, SGTs, Guest Access, Profiling, Posture) and Scalable Enforcement.

Page 5: Cisco TrustSec Security Solution Overview

What is TrustSec?

Page 6: Cisco TrustSec Security Solution Overview

Why Identity Is Important

1. Keep the Outsiders Out: Who are you? 802.1X (or a supplementary method) authenticates the user.
2. Keep the Insiders Honest: Where can you go? Based on authentication, the user is placed in the correct VLAN.
3. Personalize the Network: What service level do you receive? The user can be given per-user services (ACLs today, more to come).
4. Increase Network Visibility: What are you doing? The user's identity and location can be used for tracking and accounting.

Authentication / Authorization / Accounting

Page 7: Cisco TrustSec Security Solution Overview

What does Identity allow you to do?

• Ensure that only allowed types of user and machine connect to key resources
• Provide guest network access in a controlled and specific manner
• Deliver differentiated network services to meet security policy needs, for example:
  • Ensure compliance requirements (PCI, etc.) for user authentication are met
  • Facilitate voice/data traffic separation in the campus
  • Ensure that only employees with legitimate devices access classified systems
  • Ensure that contractors/business partners get appropriate access
• Provide user and access device visibility to network security operations

Page 8: Cisco TrustSec Security Solution Overview

Why 802.1X?

• Industry-standard approach to identity
• Most secure user/machine authentication solution
• Complements other switch security features
• Easier to deploy
• Provides foundation for additional services (e.g., posture)

Page 9: Cisco TrustSec Security Solution Overview

How Does 802.1X Work?

Diagram, left to right:
• Supplicant: Request for Service (Connectivity), carried at Layer 2 to the authenticator
• Authenticator (switch, router, WAP)
• Authentication Server (RADIUS server): Back-End Authentication Support, reached at Layer 3
• Identity Store/Management (Active Directory, LDAP): Identity Store Integration

Page 10: Cisco TrustSec Security Solution Overview

Who (or What) Can Be Authenticated?

Device Authentication (e.g. host\XP2)
• Enables Devices To Access Network Prior To (or In the Absence of) User Login
• Enables Critical Device Traffic (DHCP, NFS, Machine GPO)
• Is Required In Managed Wired Environments

User Authentication (e.g. alice)
• Enables User-Based Access Control and Visibility
• If Enabled, Should Be In Addition To Device Authentication

Page 11: Cisco TrustSec Security Solution Overview

Various Authorization Mechanisms

• 802.1X provides various authorization mechanisms for policy enforcement.
• Three major enforcement / segmentation mechanisms:
  • Dynamic VLAN assignment - Ingress
  • Downloadable per-session ACL - Ingress
  • Security Group Access Control List (SGACL) - Egress
• Three different enforcement modes:
  • Monitor Mode
  • Low Impact Mode (with Downloadable ACL)
  • High-Security Mode
• Session-based on-demand authorization:
  • Change of Authorization (RFC 3576 RADIUS Disconnect Messages)

Page 12: Cisco TrustSec Security Solution Overview

Cisco Switches with 802.1X

• A Systems Approach: a fully planned, tested, and vetted SYSTEM for identity. The many business units have all worked together to form a full System-Based approach to ensure the most capable / fully functional & proven identity system in the industry.
• Consistent across all switch platforms! Same Features, Same Code:
  • Multi-Auth
  • Deployment Modes
  • Pre-Emptive Dead Server Detection
  • Critical VLAN
  • dACL per Host

Page 13: Cisco TrustSec Security Solution Overview

MACsec (802.1AE) Overview

Page 14: Cisco TrustSec Security Solution Overview

Quick Review of MACsec (802.1AE)

Page 15: Cisco TrustSec Security Solution Overview

Confidentiality and Integrity: Securing the Data Path with MACsec

• Provides "WLAN / VPN equivalent" encryption (128-bit AES-GCM) to the LAN connection
• NIST approved* encryption (IEEE 802.1AE) + Key Management (IEEE 802.1X-2010/MKA or Security Association Protocol)
• Allows the network to continue to perform auditing (Security Services)

* National Institute of Standards and Technology Special Publication 800-38D

Diagram (Media Access Control Security, MACsec): an Authenticated User with an 802.1X supplicant with MACsec (MACsec Capable Devices) sends ciphertext over the MACsec Link, encrypted at one end and decrypted at the other; the Guest User's data is sent in clear. TrustSec provides an encrypted data path regardless of your access method (WLAN, Remote Access, and LAN!).

Note: Cat3750-X currently supports MACsec on downlink only

Page 16: Cisco TrustSec Security Solution Overview

MACsec Benefits and Limitations

Benefits
• Confidentiality: Strong encryption at Layer 2 protects data.
• Integrity: Integrity checking ensures data cannot be modified in transit.
• Flexibility: Selectively enabled with centralized policy.
• Network Intelligence: Hop-by-hop encryption enables the network to inspect, monitor, mark and forward traffic according to your existing policies.

Limitations
• Endpoint Support: Not all endpoints support MACsec.
• Network Support: Line-rate encryption typically requires updated hardware on the access switch.
• Technology Integration: MACsec may impact other technologies that connect at the access edge (e.g. IP Phones).

Page 17: Cisco TrustSec Security Solution Overview

Cisco TrustSec

• Security Group Tags
  • Unique 16-bit (65K) tag assigned to a unique role
  • Represents privilege of the source user, device, or entity
  • Tagged at ingress of TrustSec domain
  • Provides topology-independent policy
  • Flexible and scalable policy based on user role
  • Centralized policy management for dynamic policy provisioning
• Hop-by-hop encryption (802.1AE)
  • Provides confidentiality and integrity while still allowing for inspection of traffic between endpoints

Page 18: Cisco TrustSec Security Solution Overview

Layer 2 SGT Frame Format

Ethernet frame fields: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
Cisco Meta Data (CMD): CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
The diagram marks which spans of the frame are Encrypted and which are Authenticated.

• 802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead
• Frame is always tagged at ingress port of SGT-capable device
• Tagging process prior to other L2 service such as QoS
• No impact on IP MTU/Fragmentation
• L2 Frame MTU Impact: ~40 bytes = less than baby giant frame (~1600 bytes with 1552 bytes MTU)
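As an added example (not from the slide deck), a Python encoder/decoder for the Cisco Meta Data header that carries the SGT, plus the overhead arithmetic behind the "~40 bytes" figure above. The byte widths, the CMD EtherType 0x8909, the Length value and the SecTAG/ICV sizes are assumptions taken from IEEE 802.1AE and Cisco TrustSec documentation; the slide names the fields but gives no sizes.

```python
import struct

# Layout of the Cisco Meta Data (CMD) field that carries the SGT, in the field order
# shown on the slide. The byte widths and constant values below are assumptions taken
# from IEEE 802.1AE and Cisco TrustSec documentation; the slide itself gives none.
CMD_ETHERTYPE = 0x8909      # EtherType announcing a CMD header
CMD_VERSION = 0x01
CMD_LENGTH = 0x01           # assumed: length of the option area in 4-byte words
SGT_OPTION_TYPE = 0x0001    # CMD option type for the SGT value
CMD_LEN = 8                 # EtherType(2) Version(1) Length(1) OptType(2) SGT(2)

SECTAG_LEN = 8              # 802.1AE SecTAG without the optional SCI
SCI_LEN = 8                 # Secure Channel Identifier, carried when present
ICV_LEN = 16                # GCM-AES-128 integrity check value
ETH_HDR_AND_CRC = 18        # DMAC(6) SMAC(6) EtherType(2) + CRC(4)
BABY_GIANT_FRAME = 1600     # the "~1600 bytes" ceiling quoted on the slide


def build_cmd(sgt: int) -> bytes:
    """Encode a 16-bit SGT (0-65535) into an 8-byte CMD header."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError(f"SGT {sgt} does not fit in 16 bits")
    return struct.pack("!HBBHH", CMD_ETHERTYPE, CMD_VERSION, CMD_LENGTH,
                       SGT_OPTION_TYPE, sgt)


def parse_cmd(data: bytes) -> tuple[int, bytes]:
    """Return (sgt, bytes_after_cmd) for a buffer that starts with a CMD header.

    Every field is checked before the SGT is returned: a receiving switch should
    only let a tag drive SGACL enforcement when the header is well formed."""
    if len(data) < CMD_LEN:
        raise ValueError("buffer shorter than a CMD header")
    etype, version, length, opt_type, sgt = struct.unpack("!HBBHH", data[:CMD_LEN])
    if etype != CMD_ETHERTYPE:
        raise ValueError(f"not a CMD header: EtherType 0x{etype:04x}")
    if version != CMD_VERSION or length != CMD_LENGTH:
        raise ValueError("unsupported CMD version or length")
    if opt_type != SGT_OPTION_TYPE:
        raise ValueError(f"unexpected CMD option type 0x{opt_type:04x}")
    return sgt, data[CMD_LEN:]


def is_valid_cmd(data: bytes) -> bool:
    """True when parse_cmd accepts the buffer."""
    try:
        parse_cmd(data)
        return True
    except ValueError:
        return False


def l2_overhead_bytes(with_sci: bool = True) -> int:
    """Overhead the slide attributes to 802.1AE + TrustSec: SecTAG + CMD + ICV."""
    return SECTAG_LEN + (SCI_LEN if with_sci else 0) + CMD_LEN + ICV_LEN


def tagged_frame_size(ip_mtu: int = 1500) -> int:
    """Size on the wire of a full-MTU packet once tagged and MACsec-protected."""
    return ip_mtu + ETH_HDR_AND_CRC + l2_overhead_bytes()
```

`parse_cmd(build_cmd(10) + b"\x08\x00")` returns `(10, b"\x08\x00")`, the tag followed by the IPv4 EtherType of the payload; with the SCI present the overhead is 40 bytes and a 1500-byte IP packet becomes a 1558-byte frame, under the baby giant ceiling.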

Page 19: Cisco TrustSec Security Solution Overview

Identity Services Engine (ISE)

Page 20: Cisco TrustSec Security Solution Overview

Policy-Based Access: Identity Services Engine Delivers "Business Policy"

Define network policy as an extension of business goals.

Diagram: a Finance Manager using a Corporate issued laptop or a Personal iPad reaches Product Bookings, SalesForce.com and Customer Data, with one path marked X (blocked).

• Policy extends to all access types (wired, wireless, VPN)
• Optional encryption-based policies for security-conscious users
• Lifecycle Services Integration: guest, profiling, posture

Page 21: Cisco TrustSec Security Solution Overview

Identity Services Engine (ISE): Policies for people and devices

Non-User Devices
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?

Guest Access
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?

Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart-devices?
• Access rights on premises, at home, on the road?
• Are devices healthy?

Page 22: Cisco TrustSec Security Solution Overview

A Practical Example of Policies

• "Printers should only ever communicate internally"
• "Employees should be able to access everything but have limited access on personal devices"
• "Everyone's traffic should be encrypted"

Diagram: a Campus Network with a Cisco Switch, Cisco Access Point and Cisco Wireless LAN Controller, policy from the Cisco® Identity Services Engine, and Internal Resources and the Internet as destinations.

Page 23: Cisco TrustSec Security Solution Overview

Let's Start With What We Know: Previous Cisco TrustSec Solution Portfolio

• NAC Manager and NAC Server: Identity & Access Control + Posture
• NAC Profiler, with NAC Collector (standalone appliance or licensed as a module on NAC Server): Device Profiling & Provisioning + Identity Monitoring
• NAC Guest Server: Guest Lifecycle Management
• Access Control System: Identity & Access Control
• Endpoint software: NAC Agent, AnyConnect

Page 24: Cisco TrustSec Security Solution Overview

Introducing Identity Services Engine: Next Generation Solution Portfolio

The Identity Service Engine (ISE) takes the place of the previous portfolio components (NAC Manager, NAC Server, NAC Profiler, NAC Collector, NAC Guest Server, Access Control System) and their functions (Identity & Access Control + Posture, Device Profiling & Provisioning + Identity Monitoring, Guest Lifecycle Management) as a single product; the endpoint software remains AnyConnect and NAC Agent.

Page 25: Cisco TrustSec Security Solution Overview

Benefits of Identity Services Engine

• Consolidated Services, Software Packages: Simplify Deployment & Admin. ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidate into ISE.
• Visibility: Track Active Users & Devices (Location, User ID, Access Rights, Device (& IP/MAC))
• Flexible Service Deployment: Optimize Where Services Run (Admin Console, Distributed Policy servers, Monitoring, All-in-One HA Pair)
• Guest: Manage Guests & Sponsors
• Manage Security Group Access: Keep Existing Logical Design (SGACL matrix of the Staff and Guest SGTs against Public and Private resources, with Permit/Deny cells)
• System-wide Monitoring & Troubleshooting: Consolidate Data, Three-Click Drill-In

Page 26: Cisco TrustSec Security Solution Overview

Identity & Context-Awareness: Leveraging your Infrastructure Network

Diagram: a Cisco® Catalyst® Switch (Network Device) authenticates Authorized Users (802.1X), IP Phones (MAB & Profiling) and Guests (Web Auth).

Consistent identity features supported on all Catalyst switch models authenticate authorized users (802.1X), devices (MAB/profiling) and guests (Web Auth).

Identity Feature Differentiators
• Monitor Mode: Delivers visibility by authenticating users/devices (without enforcement)
• Flex Authentication Sequence: Most flexible authentication in the market automates ports for rolling authentication with a flexible sequence
• IP Telephony Interoperability: Features like multi-domain auth and link state provide authentication for IP telephony environments, or users behind VoIP devices
• VDI Deployment Support: Multi-authentication feature enables authentication of multiple MAC addresses behind a single port

Page 27: Cisco TrustSec Security Solution Overview

ISE Lifecycle Services: ISE Posture Ensures Endpoint Health before Network Access

Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running

A non-compliant wired, wireless or VPN user gets Temporary Limited Network Access until remediation is complete.

Page 28: Cisco TrustSec Security Solution Overview

ISE Lifecycle Services: ISE Guest Service for managing guests

• Provision: Guest accounts via sponsor portal
• Notify: Guests of account details by print, email, or SMS
• Manage: Sponsor privileges, guest accounts and policies, guest portal
• Report: On all aspects of guest accounts

Guests authenticate with Web Auth. Guest Policy:
• Wireless or wired access
• Internet-only access

Page 29: Cisco TrustSec Security Solution Overview

Identity and Context-Awareness: ISE Profiling for Non-Authenticating Devices ("What is on my Network")

• Reduces MAB effort by identifying more than 90 device categories
• Create policy for users and endpoints, e.g. "Limited access by employee on iPad"
• Confidence-match based on multiple attributes
• Future "template feed"

Page 30: Cisco TrustSec Security Solution Overview

ISE Device Profiling Capabilities

Diagram: device classes (Smart Phones, Gaming Consoles, Workstations) are matched by Multiple Rules to Establish Confidence Level against a Minimum Confidence for a Match.

Page 31: Cisco TrustSec Security Solution Overview

ISE Device Profiling Example - iPad

• Is the MAC Address from Apple?
• Does the Hostname Contain "iPad"?
• Is the Web Browser Safari on an iPad?
• Once the device is profiled (here as Apple iPad), it is stored within the ISE for future associations.
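As an added example (not from the slide deck or from ISE itself), a small Python profiler that applies the three iPad rules above as weighted confidence checks with a minimum confidence for a match, and stores the result for future associations. The weights, the minimum confidence, the OUI prefix and the sample endpoints are constructed; ISE's own profile values differ. Weighting the rules so that a single attribute cannot reach a match is how the "Are they being spoofed?" question on the ISE slide is answered for a lone forged MAC address.

```python
from dataclasses import dataclass

# Attributes an ISE-style profiler collects about an endpoint (constructed for this
# example; a real profiler fills them from RADIUS, DHCP, HTTP and SNMP probes).
@dataclass
class Endpoint:
    mac: str
    dhcp_hostname: str = ""
    http_user_agent: str = ""


# Hypothetical stand-in for an IEEE OUI lookup; the prefix is made up, not Apple's.
APPLE_OUIS = {"00:11:22"}


def mac_is_apple(ep: Endpoint) -> bool:
    return ep.mac.lower()[:8] in APPLE_OUIS


def hostname_contains_ipad(ep: Endpoint) -> bool:
    return "ipad" in ep.dhcp_hostname.lower()


def browser_is_safari_on_ipad(ep: Endpoint) -> bool:
    return "iPad" in ep.http_user_agent and "Safari" in ep.http_user_agent


# (rule, certainty) pairs: each rule that matches adds its weight. The weights and
# the minimum confidence are assumptions, chosen so that one attribute alone (for
# example a spoofed Apple MAC) never reaches a match.
IPAD_RULES = [(mac_is_apple, 10), (hostname_contains_ipad, 10), (browser_is_safari_on_ipad, 20)]
MIN_CONFIDENCE = 30


def confidence(ep: Endpoint) -> int:
    return sum(weight for rule, weight in IPAD_RULES if rule(ep))


def matched_rules(ep: Endpoint) -> list[str]:
    return [rule.__name__ for rule, _ in IPAD_RULES if rule(ep)]


class EndpointStore:
    """Once profiled, the endpoint is kept (keyed by MAC) for future associations."""

    def __init__(self) -> None:
        self._profiles: dict[str, tuple[str, int, list[str]]] = {}

    def profile(self, ep: Endpoint) -> str:
        score = confidence(ep)
        result = "Apple iPad" if score >= MIN_CONFIDENCE else "Unknown"
        self._profiles[ep.mac.lower()] = (result, score, matched_rules(ep))
        return result

    def lookup(self, mac: str):
        return self._profiles.get(mac.lower())


# Constructed sample endpoints: a genuine-looking iPad and a PC carrying only a forged MAC.
REAL_IPAD = Endpoint("00:11:22:aa:bb:cc", "Nicoles-iPad",
                     "Mozilla/5.0 (iPad; CPU OS 4_3 like Mac OS X) Version/5.0 Mobile Safari")
SPOOFED_MAC = Endpoint("00:11:22:01:02:03", "DESKTOP-7", "Mozilla/5.0 (Windows NT 6.1) Firefox")
```

`EndpointStore().profile(REAL_IPAD)` returns "Apple iPad" with confidence 40, while `SPOOFED_MAC` scores only 10 and stays "Unknown"; the stored tuple records which rules matched, which is what an analyst wants when reviewing a profiling decision.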

Page 32: Cisco TrustSec Security Solution Overview

Cisco ISE Provides Policy for Wired and Wireless LANs

• Unified wired and wireless policy (ISE) and management (NCS).
• ISE: Central Point of Policy for Wired and Wireless Users and Endpoints
• NCS: Centralized Monitoring of Wired and Wireless Networking, Users and Endpoints

Page 33: Cisco TrustSec Security Solution Overview

TrustSec Deployment Options

Monitor Mode
• Primary Features: Open mode, Multi-Auth, Flex Auth (Optional)
• Benefits: Unobstructed Access, No Impact on Productivity, Gain Visibility (AAA Logs)

Low Impact Mode
• Primary Features: Open mode, Multi-Domain, Port & dACLs
• Benefits: Maintain Basic Connectivity, Increased Access Security, Differentiated Access

High Security Mode
• Primary Features: Traditional Closed Mode, Dynamic VLANs
• Benefits: Strict Access Control

Page 34: Cisco TrustSec Security Solution Overview

Deployment Overview

Typical TrustSec deployment scenario: plan in advance and keep the impact on user experience to a minimum.

Services: Planning, Proof of Concept, Pilot Deployment (Size: 1 segment or 1 floor), Expansion (Size: Multi-Floor, Bldg.)

Pilot Deployment:
• Supplicant Provisioning, RADIUS Setup, Switch Setup
• No Enforcement (Monitor Mode), then Review & Adjust
• Enforcement (Low Impact Mode), then Review & Adjust

Page 35: Cisco TrustSec Security Solution Overview

Why Cisco TrustSec Architecture

• One Policy for wired, wireless and VPN
• Integrated lifecycle services (posture, profiling, guest)
• Differentiated identity features (monitor mode, flex auth, multiauth...)
• Phased approach to deployments, i.e. monitor mode
• Flexible and scalable authorization options
• Encryption to protect communications and SGT tags

Page 36: Cisco TrustSec Security Solution Overview

Trustsec.cisco.com
www.cisco.com/go/trustsec

Page 37: Cisco TrustSec Security Solution Overview

802.1X Resources

• http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html

• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNS-Technical-Review.pdf

• http://en.wikipedia.org/wiki/IEEE_802.1X

• http://www.networkworld.com/news/2010/0506whatisit.html

• http://www.ieee802.org/1/pages/802.1x.html

Page 38: Cisco TrustSec Security Solution Overview

MACsec Resources

• http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html

• https://videosharing.cisco.com/vportal/VideoPlayer.jsp?ccsid=C-9323e79a-0395-475c-9c65-27f6e6afff3b:1#

• http://en.wikipedia.org/wiki/IEEE_802.1AE

• http://www.ieee802.org/1/pages/802.1ae.html

• http://www.networkworld.com/details/7593.html

