TechWiseTV Workshop: Cisco TrustSec

Date post: 08-Jan-2017
Page 1: TechWiseTV Workshop: Cisco TrustSec

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Simplifying Network Security with TrustSec

Kevin Regan, August 17, 2016

[email protected]

Page 2: TechWiseTV Workshop: Cisco TrustSec

Possible reasons for watching today?

• Reduce IT burden
• Take more control of environment
• Deal with dynamic threat landscape
• Pace of technological change
• Reduce error-prone admin
• Manage complexity
• Reduce OpEx
• More consistent security policy
• Reduced time to implement changes
• Deal with security challenges

To implement policy for things like:

• Acquisitions and partnerships
• Cloud
• Internet of Things
• Digitization
• BYOD
• Global operations
• Mobility

Page 3: TechWiseTV Workshop: Cisco TrustSec

…Or Because Segmentation is Important

“Eataly’s network segmentation prevented a POS compromise at one store from compromising systems at the chain’s 26 other locations across the globe”

“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”

“Effective network segmentation… reduces the extent to which an adversary can move across the network”

Page 4: TechWiseTV Workshop: Cisco TrustSec

Classification Based on Context

Poor context awareness: IP address 192.168.1.51 only (any user, any device using this IP). Rich context awareness: ISE supplies the context below, and the result is a role-based group assignment.

Context       Poor context awareness   Rich context awareness (ISE)
Who           Unknown                  Bob (Employee)
What          Unknown                  Tablet
When          Unknown                  11:00 AM EST on April 10th
Where         Unknown                  Building 200, 2nd floor
How           Unknown                  Wireless
Compliance    Unknown                  Yes
Threat        Unknown                  Monitored by IPS, anomaly detection

Page 5: TechWiseTV Workshop: Cisco TrustSec

Traditional Segmentation - ACL and VLAN Complexity

IP-based security policy tied to network topology results in:

• Manual, time-consuming security and maintenance
• Policy inconsistencies across devices and networks
• Complicated access management
• More policies using more VLANs

[Diagram: Enterprise Network connecting Internet, Financial Servers, Development Servers and Employee Info; each of three locations carries its own Guest VLANs, Employee VLANs, Developer VLANs and Non-Compliant VLANs]

Page 6: TechWiseTV Workshop: Cisco TrustSec

TrustSec simplifies security management

Scalable and agile segmentation technology in over 40 different Cisco product families, enabling dynamic, role-based policy enforcement anywhere on your network

• Simplified Access Management: Manage policies using plain language and maintain compliance by regulating access based on business role
• Rapid Security Administration: Speed up adds, moves, and changes, simplifying firewall administration to speed up server onboarding
• Consistent Policy Anywhere: Control all network segments centrally, regardless of whether devices are wired, wireless or on VPN

[Diagram ("Accelerated Security Options"): Enterprise Network with Guest, Employee, Developer and Non-Compliant endpoints (Employee Tag, Developer Tag, Voice Tag, Non-Compliant Tag) and tagged resources (Employee Info Tag, Developer Server Tag, Financial Server Tag, HTTP Tag). SGACL examples: Deny Employee to Financial Server; Permit Developer to Developer Server; Permit Guest to Web]

Page 7: TechWiseTV Workshop: Cisco TrustSec

TrustSec Concepts

• Classification of systems/users based on context (user role, device, location etc.)
• Context (role) expressed as Security Group Tag (SGT)
• Firewalls, routers and switches use SGT to make filtering decisions
• Classify once – reuse SGT multiple times anywhere on network, or….

[Diagram: Users and Devices are classified by ISE (with directory lookup) over RADIUS and receive SGT 5; the SGT propagates across Switch, Router, DC FW and DC Switch; enforcement is applied in front of Dev Servers (SGT = 10) and Prod Servers (SGT = 4)]

Page 8: TechWiseTV Workshop: Cisco TrustSec

TrustSec – Simple Starting Points

• Distribute SGT information directly from ISE to specific devices
• Minimal config effort

[Diagram: same topology as page 7; ISE classifies users and devices (SGT 5) over RADIUS and distributes the SGT information directly to the enforcement point in front of HR Servers (SGT = 10) and Fin Servers (SGT = 4)]

Page 9: TechWiseTV Workshop: Cisco TrustSec

TrustSec Functions to Enable

Classification: endpoint identification; static classification; dynamic classification; Security Group Tags assigned to endpoints
Propagation: inline tagging or data plane (many options); control plane (SXP or pxGrid)
Enforcement: switch, router, firewall; enforcement and threat defense
Central management: group tag management; group policy management
SGT-enabled network: software-defined segmentation; heterogeneous environment

Page 10: TechWiseTV Workshop: Cisco TrustSec

TrustSec Functions to Enable (agenda slide repeated; see page 9)

Page 11: TechWiseTV Workshop: Cisco TrustSec

Security Group Tag Management

Use security groups to denote common roles & policy requirements

• Business-based groupings to provide consistent policy and access independent of network topology
• Leverage attributes such as location and device type to define group assignments

Example groups on the slide: SGT_Guest (Guest 1–4); SGT_Employee (Employee 1–4); SGT_FinanceServer (Fin 1, Fin 2); SGT_Printers (Printer 1, Printer 2); SGT_BuildingManagement (Temperature Device 1 and 2, Surveillance Device 1 and 2)

Page 12: TechWiseTV Workshop: Cisco TrustSec


Security Group Management in ISE

Page 13: TechWiseTV Workshop: Cisco TrustSec

Getting Group Info to Network Devices

• Network devices need to be defined in ISE to get group information downloads:
  • At periodic intervals
  • On demand from ISE “Push”
• Device ID and password here needs to match the ‘cts credential id’ in the network device

Page 14: TechWiseTV Workshop: Cisco TrustSec

Groups in Network Devices

• Group information appears in network devices as “Environment Data”
• ISE is the single source of truth for Group information

IOS#show cts environment-data
CTS Environment Data
====================
Security Group Name Table:
    0001-22 :
        7-98 : 80 -> Network_Admin_User
        6-98 : 80 -> Full_Access
        5-98 : 80 -> Production
        4-98 : 80 -> Dev
        3-98 : 80 -> BYOD
        2-98 : 80 -> Device_SGT
        unicast-unknown-98 : 80 -> Unknown
        Any : 80 -> ANY

Page 15: TechWiseTV Workshop: Cisco TrustSec

TrustSec Functions to Enable (agenda slide repeated; see page 9)

Page 16: TechWiseTV Workshop: Cisco TrustSec

Flexible Classification Methods

Dynamic mechanisms – ideal for users and mobile devices (user endpoints):
• 802.1X, WebAuth
• MAB, Profiling
• Passive ID (Easy Connect)
• pxGrid & REST APIs

Static mechanisms – internal IT infrastructure and topology-based policy (internal resources), external partners and 3rd party connections (partner & external):
• VPN
• V. Port Profile
• IP Address
• VLANs, Subnets
• L3 Interface, Port
• ACI (App-Centric)
• Virtual Systems

[Diagram: each mechanism resolves to an SGT (SGT #1 – SGT #4)]

Page 17: TechWiseTV Workshop: Cisco TrustSec


Assigning SGTs to Users: ISE Authorization Rules

Page 18: TechWiseTV Workshop: Cisco TrustSec

Assigning SGTs to Extranet Connections

• Complex supply chain – many third party connections
• Many groups need access to specific production areas
• L3 interface maps allow supplier networks to change without impact

[Diagram: Business Partners and Suppliers connect to production areas (Press & Weld, Paint Shop, Assembly Shop); routes learned from the partner side have SGTs applied to them by L3 interface, while SGTs are applied to internal subnets]

Page 19: TechWiseTV Workshop: Cisco TrustSec

Managing Static Classifications in ISE

• Mappings pushed to device configurations using SSH
• Mappings propagated over SXP from ISE to SXP devices (see next section)

Page 20: TechWiseTV Workshop: Cisco TrustSec

TrustSec Functions to Enable (agenda slide repeated; see page 9)

Page 21: TechWiseTV Workshop: Cisco TrustSec

Policy Enforcement – Security Group ACL (SGACL)

[Diagram: an end user is authenticated as Employee (SGT 5) and sends a packet SRC 10.1.10.100, DST 10.1.100.100, SGT 5; destination classification is App_Svr = SGT 20 (10.1.100.100) and DB_Svr = SGT 30 (10.1.101.100); the egress switch does a FIB lookup on destination MAC/port, derives the destination SGT and applies the SGACL for that (source SGT, destination SGT) pair]

Egress policy matrix shown: sources Employees (5), BYOD (10), Unknown (0); destinations App_Servers (20), DB_Servers (30)

Page 22: TechWiseTV Workshop: Cisco TrustSec

Egress Policy Matrix (SGACL)

SGACL contents of the selected matrix cell:

deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www

Page 23: TechWiseTV Workshop: Cisco TrustSec

Dynamic SGACL Downloads

• New User/Device/Server provisioned
• Switch requests policies for assets they protect
• Policies downloaded & applied dynamically

[Diagram: users with SGT=3, SGT=4 and SGT=5 reach Dev_Servers (Dev_Server, SGT=10) and Prod_Servers (Prod_Server, SGT=7) through switches; switches request policies for the assets they protect and pull down only the policies they need]

• Result: Software-Defined Segmentation
  • All controls centrally managed
  • Security policies de-coupled from network topology
  • No switch-specific security configs needed
  • One place to audit network-wide policies

Page 24: TechWiseTV Workshop: Cisco TrustSec

Policy Enforcement in Firewalls: ASA

• Can still use Network Object (Host, Range, Network (subnet), or FQDN) AND / OR the SGT
• Security Group definitions from ISE
• Trigger FirePOWER services by SGT matches

Page 25: TechWiseTV Workshop: Cisco TrustSec

Converting Firewalls to Use SGT-based rules

Real ASA Configuration

• Before conversion: 99,000 lines
• Converts to:
  • IP-SGT mapping file: 3,897 lines
  • ACL_INSIDE file: 10,493 lines
  • ACL_OUTSIDE file: 4,954 lines
  • Total 19,344 lines – 80% reduction in rule table size

[Chart: rule table size (0 to 120,000 lines) using IP rules vs. using SGT-based rules]

Page 26: TechWiseTV Workshop: Cisco TrustSec

TrustSec Functions to Enable (agenda slide repeated; see page 9)

Page 27: TechWiseTV Workshop: Cisco TrustSec

Carrying Security Group Tags in the data plane

Inline Tagging

interface GigabitEthernet1/5
 mtu 9216
 cts manual
  policy static sgt 2 trusted

• Enable hop-by-hop with ‘cts manual’ interface command
• Supported on: Cat. 3560X, 3750X, 3x50; Cat 4500, 6x00 Sup2T; Nexus 7/6/5/1000V; IE 4000/5000; ISR G2, ISR4k, ASR1000; ASA
• ‘trusted’ option means trust tag values from peer

[Diagram: ISE; campus links carry inline tagging, branch links are untagged]

Page 28: TechWiseTV Workshop: Cisco TrustSec

Control Plane SGT Propagation

SXP
• Propagate from ISE or access-layer devices to any enforcement point
• Peers in the diagram: Switch 1, Router 1, Router 2 – any network device ISE supports

pxGrid
• Security appliances (Firepower NGFW, WSA, ecosystem vendor products) subscribe to pxGrid topics
• IP-SGT bindings then published by ISE

ISE
• Generate IP-SGT mappings from ISE
• Send IP-SGT mappings to SXP & pxGrid peers

SXP IP-SGT Bindings
IP Address     SGT   SRC
10.1.100.98    50    Local

Page 29: TechWiseTV Workshop: Cisco TrustSec

ISE SXP Configuration

• Generate IP-SGT from ISE: RADIUS-based classifications will create IP-SGT mappings, which are sent to SXP peers
• IP-SGT can be generated with 3rd party access-layer

[Diagram: ISE receives RADIUS from the access layer and sends IP-SGT mappings over SXP to Routers, Firewall and Switches]

Page 30: TechWiseTV Workshop: Cisco TrustSec

pxGrid Configuration

• ISE “Session” info. available via pxGrid
• pxGrid clients can subscribe to the ‘TrustSec topic’ for SGT bindings
• Bindings received over SXP can also be published via pxGrid

[Diagram: ISE (RADIUS from the access layer) publishes over pxGrid to Firepower Threat Defense, CheckPoint, Web Security Appliance and any pxGrid ecosystem vendor, e.g. Infoblox]

Page 31: TechWiseTV Workshop: Cisco TrustSec

SXP Domains in ISE (2.1)

• IP-SGT mappings to SXP peers shared within SXP Domain 1
• IP-SGT mappings shared within SXP Domain 2
• Inline tagging between the domains: SGT carried in data plane removes need to exchange IP-SGT mappings between SXP domains

SXP IP-SGT Binding Table
IP Address     SGT   SRC
10.1.100.98    50    Local

Page 32: TechWiseTV Workshop: Cisco TrustSec

TrustSec Functions and Platform Support

[Matrix: Classification, Propagation (SXP, inline SGT) and Enforcement (SGACL, SGFW) support across Catalyst 2960-S/-C/-Plus/-X/-XR, 3560-E/-C/-CX/-X, 3750-E/-X, 3650/3850, 4500E (Sup6E/7E/8), 4500-X, 6500E (Sup720/2T), 6800; WLC 2500/5500/5760/WiSM2; Nexus 1000v (Port Profile), 5500/5600/6000/7000/7700 and 22xx FEX; IE2000/3000, CGS2000, CGR2000; ISR G2, ISR 4000, ASR 1000, CSR-1000v; ASA 5500 (incl. VPN RAS), ASAv, Web Security Appliance; SGT carried over GETVPN, DMVPN, IPsec]

• Inline SGT on all ISRG2 except 800 series

www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html

Page 33: TechWiseTV Workshop: Cisco TrustSec

Most Common Deployment Scenarios

• User to Data Center Access Control
• Campus and Branch Segmentation
• Data Center Segmentation

Page 34: TechWiseTV Workshop: Cisco TrustSec

User to Data Center Access Control

TrustSec supports:
• Enterprise-wide, role-based access control
• Automated BYOD access control
• End-to-end regulatory and compliance requirements such as PCI and HIPAA

Policy in action: [matrix of Employee, Developer, Guest and Non-Compliant roles (Employee Tag, Developer Tag, Guest Tag, Non-Compliant Tag) against the TrustSec-enabled DC, Remediation and Internet; cell values not recoverable here]

[Diagram: Main Building Data VLAN and Building 3 WLAN Data VLAN with Employee, Developer, Voice, Guest and Non-Compliant endpoints on switches; ISE and a router connect to the TrustSec-enabled data center; the ACI Data Center (APIC, ACI policy domain) holds Dev and Prod servers in a separate policy domain from the TrustSec Policy Domain]

Page 35: TechWiseTV Workshop: Cisco TrustSec

Enabling TrustSec-ACI Integration

• Sharing Groups between TrustSec and ACI domains with ISE 2.1
• Allow TrustSec security groups to be used in ACI policies
• Allow ACI EndPoint Groups to be used in policies in TrustSec domain

[Diagram: TrustSec Policy Domain (campus / branch / non-ACI DC with Voice VLAN and Data VLAN; groups Voice, Employee, Supplier, BYOD) alongside the ACI Policy Domain (APIC; Web, App and DB on the ACI Fabric in the Data Center)]

Page 36: TechWiseTV Workshop: Cisco TrustSec


Configuring TrustSec-ACI Integration

Page 37: TechWiseTV Workshop: Cisco TrustSec


TrustSec Groups Shared with ACI

Page 38: TechWiseTV Workshop: Cisco TrustSec


ACI Groups Shared with TrustSec Domain

Page 39: TechWiseTV Workshop: Cisco TrustSec

Campus and Branch Segmentation

TrustSec supports:
• Role-based segmentation across multiple locations
• End-to-end regulatory and compliance requirements such as PCI and HIPAA
• Restriction of lateral threat movement

Policy in action: [matrix with source rows Employee, Developer, Building Mgmt, Non-Compliant and destination columns Employee, Developer, Data center, Internet; cell values not recoverable here]

[Diagram: Main Building Data VLAN, Building 3 WLAN Data VLAN and Branch 3 WLAN Data VLAN with Employee, Developer, Voice, Building Mgmt and Non-Compliant endpoints on switches (Employee Tag, Developer Tag, Building Mgmt Tag, Non-Compliant Tag), a router and the HQ Data Center]

Page 40: TechWiseTV Workshop: Cisco TrustSec

Campus and Branch Segmentation – Enforcement

Wired Access, Wireless Access, Distribution, Core

SGACL segmentation available on:

• Catalyst 3560-X, 3750-X
• Catalyst 3650, 3850
• Catalyst 4500E S7E, S8, 4500X
• Catalyst 6500(2T)/6800
• WLC 5760
• Cat 3560CX
• IE 4000, IE 5000
• Nexus 7000
• Extending to latest ISR4k and ASR

Page 41: TechWiseTV Workshop: Cisco TrustSec

Wireless User – User Policy Enforcement

• Apply user-user policies as defined in ISE on traffic from the WLC

6500 configuration:

interface Vlan2
 ip local-proxy-arp
 ip route-cache same-interface
!
cts role-based enforcement
cts role-based enforcement vlan-list 2

[Diagram: WLAN Controller on Vlan 2 behind a 6500; the 6500 receives IP-SGT bindings over SXP from ISE and permits or denies user-to-user traffic]

Page 42: TechWiseTV Workshop: Cisco TrustSec

Breaches & Lateral Movement

[Diagram: attacker outside the enterprise network perimeter (inbound and outbound), a C2 server outside and an Admin Node inside]

1. Research targets (SNS)
2. Spear phishing ([email protected]) with link http://welcome.to.jangle.com/exploit.php
3. Victim clicks link unwittingly
4. Bot installed, back door established and receives commands from C2 server
5. Scan LAN for vulnerable hosts to exploit & find privileged users
6. Privileged account found
7. Data exfiltrated
8. System compromised and data breached

Lateral Movement (Scanning, Pivoting, Privilege Escalation, Brute Force, etc.)

Page 43: TechWiseTV Workshop: Cisco TrustSec

Blocking Lateral Movement

[Diagram: Employee and Non-Compliant endpoints on the same VLAN]

Block Lateral Movement SGACL:

deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123
deny tcp match-all -ack +fin -psh -rst -syn -urg
deny tcp match-all +fin +psh +urg
permit tcp match-any +ack +syn

• SGT dynamically assigned or statically mapped to a VLAN
• SGACL applied statically via CLI or dynamically downloaded from ISE
• Lateral Movement and Privilege Escalation Blocked
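The egress SGACL enforcement described on pages 21–22 (source SGT and destination SGT select a matrix cell) and the Block Lateral Movement SGACL above, modelled as an added Python example that is not part of the original deck: it parses the slides' ACE syntax (port matches and match-all/match-any TCP flag tests), resolves both SGTs from an IP-SGT binding table and evaluates the selected cell first-match. The IP addresses, the binding table, the matrix contents and the explicit default action standing in for the matrix default are constructed assumptions.

```python
"""Model of TrustSec egress SGACL enforcement (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed IP-SGT binding table in the shape of the slides' SXP table.
# Real devices learn bindings via RADIUS, SXP or inline tags; static here.
IP_SGT = {"10.1.10.100": 5, "10.1.10.200": 5, "10.1.10.50": 10,
          "10.1.100.100": 20, "10.1.101.100": 30}
UNKNOWN_SGT = 0  # unicast-unknown, Unknown (0) in the matrix
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}


@dataclass
class Ace:
    """One SGACL entry, e.g. 'deny tcp src dst eq 3389'."""
    action: str
    proto: str
    dst_port: Optional[int] = None
    flag_mode: Optional[str] = None            # 'match-all' or 'match-any'
    flags: dict = field(default_factory=dict)  # flag name -> must be set?


def parse_ace(line: str) -> Ace:
    """Parse the ACE syntax used on the slides (port match or TCP flag match)."""
    toks = line.split()
    ace = Ace(action=toks[0], proto=toks[1])
    rest = toks[2:]
    if rest and rest[0] == "src":      # bare 'src': any source port
        rest = rest[1:]
    if rest and rest[0] == "dst":      # 'dst eq <port-or-name>'
        if len(rest) < 3 or rest[1] != "eq":
            raise ValueError(f"unsupported ACE: {line}")
        ace.dst_port = PORT_NAMES.get(rest[2]) or int(rest[2])
        rest = rest[3:]
    if rest and rest[0] in ("match-all", "match-any"):
        ace.flag_mode = rest[0]
        ace.flags = {f[1:]: f.startswith("+") for f in rest[1:]}
    return ace


def ace_matches(ace: Ace, pkt: dict) -> bool:
    """pkt looks like {'proto': 'tcp', 'dport': 3389, 'flags': {'syn'}}."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.dst_port is not None and pkt.get("dport") != ace.dst_port:
        return False
    if ace.flag_mode:                  # +flag must be set, -flag must be clear
        present = pkt.get("flags", set())
        tests = [(f in present) == want for f, want in ace.flags.items()]
        return all(tests) if ace.flag_mode == "match-all" else any(tests)
    return True


def evaluate(aces: list, pkt: dict, default: str) -> str:
    """First matching ACE wins; 'default' stands in for the matrix default."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return default


# SGACL from the Block Lateral Movement slide, abbreviated to the entries
# exercised below (the slide's full list uses the same syntax).
BLOCK_LATERAL = [parse_ace(line) for line in """
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 445
deny tcp src dst eq 22
deny tcp match-all -ack +fin -psh -rst -syn -urg
deny tcp match-all +fin +psh +urg
permit tcp match-any +ack +syn
""".splitlines() if line.strip()]

# Constructed egress matrix keyed by (source SGT, destination SGT).
MATRIX = {
    (5, 5): BLOCK_LATERAL,              # Employees -> Employees
    (5, 20): [parse_ace("permit ip")],  # Employees -> App_Servers
    (10, 30): [parse_ace("deny ip")],   # BYOD -> DB_Servers
    (0, 30): [parse_ace("deny ip")],    # Unknown -> DB_Servers
}


def enforce(src_ip: str, dst_ip: str, pkt: dict, default: str = "permit") -> str:
    """Egress decision: resolve both SGTs from bindings, then apply the cell."""
    src_sgt = IP_SGT.get(src_ip, UNKNOWN_SGT)
    dst_sgt = IP_SGT.get(dst_ip, UNKNOWN_SGT)
    return evaluate(MATRIX.get((src_sgt, dst_sgt), []), pkt, default)
```

Moving a server to a new address only changes its entry in IP_SGT; the matrix and the SGACLs stay as they are, which is the topology independence the deck claims.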

Page 44: TechWiseTV Workshop: Cisco TrustSec

Acting on Potentially Compromised Hosts

Quarantine is based on MAC Address, preventing the compromised device from accessing from another location / access method

[Diagram: Compromised Endpoint 10.10.10.10 (aa:bb:cc:dd:ee:ff) on the Corp Network via the WLAN Controller; Policy Server, FW and Business Data App / Storage]

Firewall Rules
Source (IP, SGT)     Destination (IP, SGT)   Service   Action
Any, Employee        Any, Biz Server         HTTPS     Allow
Any, Suspicious      Any, Biz Server         Any       Deny

Event flow:
1. NIDS SIM Event: Reconnaissance; Source IP: 10.10.10.10/32; Response: Quarantine
2. pxGrid: EPS Quarantine: 10.10.10.10
3. Policy server session for the endpoint: OS Type: Windows 8; User: Fay; AD Group: Employee; Asset Registration: Yes; MAC Address: aa:bb:cc:dd:ee:ff; Policy Mapping SGT: Suspicious

Page 45: TechWiseTV Workshop: Cisco TrustSec

Data Center Segmentation

TrustSec supports:
• Firewall rule simplification
• Data center regulatory and compliance requirements such as PCI and HIPAA
• Server zoning
• Micro-segmentation
• Physical and virtual workload segmentation

Policy in action: [matrix of Web Servers, Middleware Servers, Database Servers and Storage as both source and destination; cell values not recoverable here]

[Diagram: switch fronting Web Servers, Middleware Servers, Database Servers and Storage]

Page 46: TechWiseTV Workshop: Cisco TrustSec

Summary

• TrustSec is easy to enable and manage
• Can start with specific use-cases with minimal platform dependencies
• Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the policy matrix
• TrustSec can provide right now:
  • More effective segmentation – centrally managed
  • Reduced management effort compared to VLAN/dACL efforts and admin
  • Topology-independent security policies - policy managers/auditors do not need to understand the topology or the underlying technology to use the policy matrix
  • Firewall rule simplification and OpEx reduction
  • Faster and easier deployment of new services – cuts the cost of change

Page 47: TechWiseTV Workshop: Cisco TrustSec


Forrester: The Total Economic Impact of Cisco TrustSec

“Cisco TrustSec enabled the organizations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime.”

Page 48: TechWiseTV Workshop: Cisco TrustSec

For More Information

• For everything TrustSec-related: http://www.cisco.com/go/trustsec
• TrustSec platform support matrix: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
• Case studies: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/customer-case-study-listing.html
• Cisco IT Use of TrustSec: http://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/i-en-02292016-Policies-to-Control-User-Access.pdf
• Gartner webcast on Software-Defined Segmentation and TrustSec: http://event.on24.com/r.htm?e=1124906&s=1&k=14EEFF1DFC42C2BE06E07DA934E47C45
• PCI Scope Reduction with Cisco TrustSec – QSA (Verizon) Validation: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf

Page 49: TechWiseTV Workshop: Cisco TrustSec

For More Information – Part 2

• For our latest system bulletin covering validation testing that we do, please refer to: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-system-bulletin.pdf
• TrustSec DC Config Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf
• Campus and Branch Segmentation Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf
• Securing BYOD and using VPN with TrustSec: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/trustsec/white-paper-c11-732290.html

Page 50: TechWiseTV Workshop: Cisco TrustSec


Thank you for watching.

