Date posted: 08-Jan-2017
Category: Technology
Author: robb-boyd
Views: 250
Downloads: 8
PowerPoint Presentation
Simplifying Network Security with TrustSec
Kevin Regan, August 17, [email protected]
2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Possible reasons for watching today?
- Reduce IT burden
- Take more control of environment
- Deal with dynamic threat landscape
- Pace of technological change
- Reduce error-prone admin, manage complexity, reduce OpEx, more consistent security policy, reduced time to implement changes
- Deal with security challenges
- Implement policy for things like acquisitions and partnerships, cloud, Internet of Things, digitization, BYOD, global operations, mobility
Or Because Segmentation is Important
Eataly's network segmentation prevented a POS compromise at one store from compromising systems at the chain's 26 other locations across the globe.
Network segmentation is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement.
Effective network segmentation reduces the extent to which an adversary can move across the network.
Organizations world-wide are recognizing the value of network segmentation for maintaining security. Effective network segmentation reduces the capacity in which malicious threats can move across the network by preventing the second stage of a network intrusion, the propagation or lateral movement of threats.
For Eataly, the largest Italian marketplace in the world, network segmentation helped to prevent the spread of a Point-of-Sale compromise from one location to the chain's 26 other locations worldwide.
T: But traditional methods of segmentation can be tedious and time-consuming.
Classification Based on Context
Role-based group assignment: an IP address alone gives poor context awareness (any user, any device could be using this IP); the ISE result gives rich context awareness.
Context | IP address 192.168.1.51 | ISE result
Who | Unknown | Bob (Employee)
What | Unknown | Tablet
When | Unknown | 11:00 AM EST on April 10th
Where | Unknown | Building 200, 2nd floor
How | Unknown | Wireless
Compliance | Unknown | Yes
Threat | Unknown | Monitored by IPS, anomaly detection
Traditional Segmentation: ACL and VLAN Complexity
IP-based security policy tied to network topology results in:
- Manual, time-consuming security and maintenance
- Policy inconsistencies across devices and networks
- Complicated access management
- More policies using more VLANs (Guest VLANs, Employee VLANs, Developer VLANs, Non-Compliant VLANs, repeated at each of locations 1, 2 and 3)
Diagram: enterprise network and Internet, with Employee Info, Development Servers and Financial Servers.
The traditional method of network segmentation involves putting everything on your network into VLANs. While this method is effective in the technical sense, it proves to be an extreme management burden.
Each time a new business role is acquired, more VLANs are needed. On each floor of each building in each location where the role needs to be available, administrators need to define new IP subnets, DHCP scopes and upstream routed interfaces as well as configure the VLAN itself. This manual, time-consuming security and maintenance is added complexity that growing organizations simply can't afford.
Controlling access based on an asset's IP address often results in large firewall rule tables, which are difficult to understand and manage. IP-address-based ACLs are simple to deploy, but require ongoing management. This may not be problematic for simple role structures; however, as the number of access roles increases it can become difficult to manage the required ACLs. Not only this, but using an asset's IP address offers no context into the endpoint's characteristics.
T: Cisco's TrustSec offers a simpler and more scalable solution.
TrustSec Simplifies Security Management
Scalable and agile segmentation technology in over 40 different Cisco product families, enabling dynamic, role-based policy enforcement anywhere on your network.
Example SGACL policies: Deny Employee to Financial Server; Permit Developer to Developer Server; Permit Guest to Web.
Key: Employee Tag, Developer Tag, Voice Tag, Non-Compliant Tag; Employee Info Tag, Developer Server Tag, Financial Server Tag, HTTP Tag.
Diagram: Guest, Employee, Developer and Non-Compliant endpoints on the enterprise network reaching Employee Info, Developer Server, Financial Server and HTTP, with SGACLs enforcing the policies.
- Simplified Access Management: manage policies using plain language and maintain compliance by regulating access based on business role
- Accelerated Security Options / Rapid Security Administration: speed up adds, moves and changes, simplifying firewall administration to speed up server onboarding
- Consistent Policy Anywhere: control all network segments centrally, regardless of whether devices are wired, wireless or on VPN
The true value of Cisco TrustSec is to simplify and accelerate network access control efforts through dynamic, software-defined segmentation and role-based policy enforcement. This means:
With simple role creation and provisioning, users can define access policies using plain language and automatic rules instead of complex ACLs and firewall instructions. This lets you distinguish employees from developers, guests from data devices, and what each is allowed to do in your network.
With centralized management, policies are defined once, independent of VLANs and regardless of what mix of devices and users you have, so segmentation management and access control across networks can be done much faster and with fewer resources.
Finally, TrustSec delivers dynamic control and scalability. Controls are defined simply using endpoint roles, not IP addresses, so policy changes can be made without redesigning the network.
And this provides you with some significant competitive advantages, including:
- Faster threat containment than your competitors
- Deeper and more fluid policy segmentation
- Simplified policy management
- Easier BYOD and mobility access control
- Stronger compliance adherence (such as PCI requirements)
T: And it all begins by properly enabling software-defined segmentation with TrustSec.
TrustSec Concepts
- Classification of systems/users based on context (user role, device, location etc.)
- Context (role) expressed as a Security Group Tag (SGT)
- Firewalls, routers and switches use the SGT to make filtering decisions
- Classify once, reuse the SGT multiple times anywhere on the network
Diagram: users and devices authenticate over RADIUS to ISE (backed by a directory) and are classified (SGT 5); the SGT propagates through switch, router, DC firewall and DC switch to enforcement in front of Dev Servers and Prod Servers (SGT = 4 and SGT = 10).
17/08/16 Cisco Live 2014
TrustSec Simple Starting Points
- Distribute SGT information directly from ISE to specific devices
- Minimal config effort
Diagram: users and devices classified by ISE (SGT 5) over RADIUS; SGT propagation through switch, router, DC firewall and DC switch to enforcement in front of HR Servers and Fin Servers (SGT = 4 and SGT = 10).
TrustSec Functions to Enable
- Classification: static classification, endpoint identification and dynamic classification assign Security Group Tags to endpoints
- Propagation: inline tagging in the data plane (many options) or the control plane (SXP or pxGrid), across switch, router and firewall in an SGT-enabled, heterogeneous environment
- Enforcement: enforcement and threat defense
- Central management: group tag management and group policy management
Together these provide software-defined segmentation.
Security Group Tag Management
- Business-based groupings to provide consistent policy and access independent of network topology
- Use security groups to denote common roles and policy requirements
- Leverage attributes such as location and device type to define group assignments
Example groups: SGT_Guest (Guest 1 to 4), SGT_Employee (Employee 1 to 4), SGT_BuildingManagement (Temperature Device 1 and 2, Surveillance Device 1 and 2), SGT_FinanceServer (Fin 1 and 2), SGT_Printers (Printer 1 and 2).
Security Group Management in ISE
Getting Group Info to Network Devices
Network devices need to be defined in ISE to get group information downloads:
- At periodic intervals
- On demand from an ISE push
The device ID and password configured here need to match the cts credential id in the network device.
Groups in Network Devices
Group information appears in network devices as Environment Data. ISE is the single source of truth for group information.
  IOS#show cts environment-data
  CTS Environment Data
  ====================
  Security Group Name Table:
    0001-22 :
      7-98 : 80 -> Network_Admin_User
      6-98 : 80 -> Full_Access
      5-98 : 80 -> Production
      4-98 : 80 -> Dev
      3-98 : 80 -> BYOD
      2-98 : 80 -> Device_SGT
      unicast-unknown-98 : 80 -> Unknown
      Any : 80 -> ANY
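As an added example (not from the deck and not Cisco code), a Python parser for the Security Group Name Table in the output above, plus a check of a device's environment data against the group list ISE is supposed to be pushing. Since ISE is the single source of truth, a device whose table lags behind ISE is what an operator wants to detect after a policy change. The sample output is constructed from the slide's excerpt, and the ISE group list passed to drift_report is an assumed export.

```python
"""Parse the Security Group Name Table from 'show cts environment-data' and
compare it with the groups ISE is expected to have pushed.  Added example, not
Cisco code; the sample output is constructed from the slide's excerpt and the
ISE group list is an assumed export."""
import re

SAMPLE_OUTPUT = """\
CTS Environment Data
====================
Security Group Name Table:
  0001-22 :
    7-98 : 80 -> Network_Admin_User
    6-98 : 80 -> Full_Access
    5-98 : 80 -> Production
    4-98 : 80 -> Dev
    3-98 : 80 -> BYOD
    2-98 : 80 -> Device_SGT
    unicast-unknown-98 : 80 -> Unknown
    Any : 80 -> ANY
"""

# One table row: '<key> : <n> -> <name>'; the key is '<sgt>-<hex>', 'unicast-unknown-<hex>' or 'Any'.
ROW_RE = re.compile(r"^\s*(?P<key>\S+)\s*:\s*\d+\s*->\s*(?P<name>\S+)\s*$")
NUMERIC_KEY_RE = re.compile(r"^(?P<sgt>\d+)-[0-9A-Fa-f]+$")


def parse_sg_name_table(output):
    """Return {sgt: name}.  'unicast-unknown' is SGT 0 (Unknown); the 'Any'
    wildcard is not a group and is skipped."""
    table, in_table = {}, False
    for line in output.splitlines():
        if line.strip().startswith("Security Group Name Table"):
            in_table = True
            continue
        row = ROW_RE.match(line) if in_table else None
        if row is None:
            continue
        key, name = row.group("key"), row.group("name")
        if key.startswith("unicast-unknown"):
            table[0] = name
        elif (m := NUMERIC_KEY_RE.match(key)):
            table[int(m.group("sgt"))] = name
    return table


def drift_report(device_table, ise_groups):
    """Groups ISE has but the device lacks ('missing'), groups only the device
    still holds ('stale'), and tags whose name differs ('renamed')."""
    missing = {s: n for s, n in ise_groups.items() if s not in device_table}
    stale = {s: n for s, n in device_table.items() if s not in ise_groups}
    renamed = {s: (device_table[s], ise_groups[s])
               for s in device_table.keys() & ise_groups.keys()
               if device_table[s] != ise_groups[s]}
    return {"missing": missing, "stale": stale, "renamed": renamed}


if __name__ == "__main__":
    print(parse_sg_name_table(SAMPLE_OUTPUT))
```

Run the parser over the output of the same command on each enforcing device and diff against ISE; a non-empty "stale" set means a tag ISE no longer knows about is still in use on that device, which is worth chasing before an SGACL is assumed to cover it.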
TrustSec Functions to Enable: Classification
Flexible Classification Methods
Dynamic mechanisms (ideal for users and mobile devices, user endpoints): 802.1X, MAB, profiling, WebAuth, Passive ID (Easy Connect), pxGrid and REST APIs.
Static mechanisms: IP address, subnets, VLANs, L3 interface, port, virtual port profile, VPN, ACI (app-centric). These suit internal IT infrastructure and topology-based policy (internal resources), external partners and 3rd party connections (partner and external), and virtual systems.
Each mechanism results in an SGT assignment (SGT #1, SGT #2, SGT #3, SGT #4).
Assigning SGTs to Users: ISE Authorization Rules
Assigning SGTs to Extranet Connections
- Complex supply chain with many third-party connections (business partners, suppliers)
- Many groups need access to specific production areas (Press & Weld, Paint Shop, Assembly Shop)
- L3 interface maps allow supplier networks to change without impact
Diagram: routes learned from supplier networks have SGTs applied to them by L3 interface; SGTs are applied to internal subnets.
Managing Static Classifications in ISE
- Mappings pushed to device configurations using SSH
- Mappings propagated over SXP from ISE to SXP devices (see next section)
TrustSec Functions to Enable: Enforcement
Policy Enforcement: Security Group ACL (SGACL)
End user authenticated as Employee: SGT 5. Destination classification: App_Svr: SGT 20 (10.1.100.100), DB_Svr: SGT 30 (10.1.101.100).
A packet from SRC 10.1.10.100 to DST 10.1.100.100 carries SGT 5; the enforcing switch does a FIB lookup on the destination MAC/port to find the destination SGT and applies the matching matrix cell.
Egress policy matrix: destinations App_Servers (20) and DB_Servers (30); sources Employees (5), BYOD (10) and Unknown (0).
Egress Policy Matrix (SGACL)
Example SGACL contents:
  deny icmp
  deny udp src dst eq domain
  deny tcp src dst eq 3389
  deny tcp src dst eq 1433
  deny tcp src dst eq 1521
  deny tcp src dst eq 445
  deny tcp src dst eq 137
  deny tcp src dst eq 138
  deny tcp src dst eq 139
  deny udp src dst eq snmp
  deny tcp src dst eq telnet
  deny tcp src dst eq www
Dynamic SGACL Downloads
- New user/device/server provisioned
- Switches request policies for the assets they protect (for example Dev_Servers with SGT=10 and Prod_Servers with SGT=7, for sources SGT=3, SGT=4 and SGT=5)
- Policies downloaded and applied dynamically; switches pull down only the policies they need
Result: software-defined segmentation
- All controls centrally managed
- Security policies de-coupled from network topology
- No switch-specific security configs needed
- One place to audit network-wide policies
Policy Enforcement in Firewalls: ASA
- Can still use a Network Object (Host, Range, Network (subnet), or FQDN) and/or the SGT
- Security Group definitions come from ISE
- Trigger FirePOWER services by SGT matches
Converting Firewalls to Use SGT-based Rules
Real ASA configuration before conversion: 99,000 lines. Converts to an IP-SGT mapping file of 3,897 lines, an ACL_INSIDE file of 10,493 lines and an ACL_OUTSIDE file of 4,954 lines; total 19,344 lines, an 80% reduction.
TrustSec Functions to Enable: Propagation
Carrying Security Group Tags in the Data Plane: Inline Tagging
Enable hop-by-hop with the cts manual interface command:
  interface GigabitEthernet1/5
   mtu 9216
   cts manual
    policy static sgt 2 trusted
The trusted option means trust tag values from the peer.
Platforms: Cat. 3560X, 3750X, 3x50; Cat 4500, 6x00 Sup2T; Nexus 7/6/5/1000V; IE 4000/5000; ISR G2, ISR4k, ASR1000; ASA.
Diagram: ISE; branches connected over inline-tagging and untagged links.
Control Plane SGT Propagation
- Propagate from ISE or access-layer devices to any enforcement point
- Any network device ISE supports: generate IP-SGT mappings from ISE and send them to SXP and pxGrid peers
- Security appliances (Firepower NGFW, WSA, ecosystem vendor products) subscribe to pxGrid topics; IP-SGT bindings are then published by ISE pxGrid
Example SXP IP-SGT binding: IP address 10.1.100.98, SGT 50, source Local.
Diagram: Switch 1, Router 1 and Router 2 exchange bindings over SXP; ISE publishes over pxGrid.
ISE SXP Configuration
- Generate IP-SGT mappings from ISE: RADIUS-based classifications create IP-SGT mappings, which are sent to SXP peers
- IP-SGT mappings can also be generated with 3rd party access-layer devices
Diagram: ISE speaks SXP to routers, firewalls and switches, and RADIUS to the access layer.
pxGrid Configuration
- ISE session info is available via pxGrid
- pxGrid clients can subscribe to the TrustSec topic for SGT bindings
- Bindings received over SXP can also be published via pxGrid
Diagram: ISE publishes to Firepower Threat Defense, Check Point, Web Security Appliance and any pxGrid ecosystem vendor (e.g. Infoblox).
SXP Domains in ISE (2.1)
- IP-SGT mappings are shared with SXP peers within SXP Domain 1 and, separately, within SXP Domain 2
- SGT carried in the data plane (inline tagging) removes the need to exchange IP-SGT mappings between SXP domains
Example SXP IP-SGT binding table entry: IP address 10.1.100.98, SGT 50, source Local.
TrustSec Functions and Platform Support
Classification: Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C/-X; Catalyst 3750-E/-X; Catalyst 4500E (Sup6E/7E); Catalyst 4500E (Sup8); Catalyst 6500E (Sup720/2T); Catalyst 3850/3650; WLC 5760; Wireless LAN Controller 2500/5500/WiSM2; Nexus 7000; Nexus 5500; Nexus 1000v (Port Profile); ISR G2 Router, CGR2000; ASA5500 (VPN RAS)
Propagation (SXP and/or inline SGT): Catalyst 2960-S/-C/-Plus/-X/-XR; Catalyst 3560-E/-C, 3750-E; Catalyst 3560-X, 3750-X; Catalyst 3850/3650; Catalyst 4500E (Sup6E); Catalyst 4500E (7E, 8), 4500X; Catalyst 6500E (Sup720); Catalyst 6500E (2T), 6800; WLC 2500, 5500, WiSM2; WLC 5760; Nexus 1000v; Nexus 6000/5600; Nexus 5500/22xx FEX; Nexus 7000/22xx FEX; ISRG2, CGS2000; ASR1000; ASA; IE2000/3000, CGS2000; GETVPN, DMVPN, IPsec (inline SGT on all ISRG2 except the 800 series)
Enforcement (SGACL on switches, SGFW on firewalls and routers): Catalyst 3560-CX (IA only); Catalyst 3560-X; Catalyst 3750-X; Catalyst 4500-X; Catalyst 4500E (7E); Catalyst 4500E (8E); Catalyst 6500E (2T); Catalyst 6800; Catalyst 3850/3650; WLC 5760; Nexus 7000/7700; Nexus 5600; Nexus 1000v; Nexus 6000; Nexus 5500; ISR G2 Router, CGR2000; ISR 4000; ASA 5500 Firewall; ASAv Firewall; Web Security Appliance; ASR 1000 Router; CSR-1000v Router; GETVPN, DMVPN, IPsec
Full matrix: www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
Most Common Deployment Scenarios
- User to Data Center Access Control
- Campus and Branch Segmentation
- Data Center Segmentation
User to Data Center Access Control
Diagram: Employee, Developer, Voice and Non-Compliant endpoints in the Main Building Data VLAN and Building 3 WLAN Data VLAN (plus Guest), classified by ISE with Employee, Developer, Guest and Non-Compliant tags, reach a TrustSec-enabled data center (Prod server, Dev server), a remediation zone and the Internet through switches and a router. The data center may be an ACI policy domain (APIC) alongside the TrustSec policy domain.
Policy in action: the matrix marks with X which role-to-destination combinations (Guest, Employee, Developer and Non-Compliant against the TS-enabled DC, Remediation and Internet) are denied.
TrustSec supports:
- Enterprise-wide, role-based access control
- Automated BYOD access control
- End-to-end regulatory and compliance requirements such as PCI and HIPAA
Enabling TrustSec-ACI Integration
- Sharing groups between TrustSec and ACI domains with ISE 2.1
- Allow TrustSec security groups to be used in ACI policies
- Allow ACI EndPoint Groups to be used in policies in the TrustSec domain
Diagram: TrustSec policy domain (campus / branch / non-ACI DC with Voice, Employee, Supplier and BYOD on Voice and Data VLANs) and APIC policy domain (ACI fabric data center with Web, App and DB endpoint groups).
Configuring TrustSec-ACI Integration
TrustSec Groups Shared with ACI
ACI Groups Shared with TrustSec Domain
Campus and Branch Segmentation
Diagram: Employee, Developer, Voice, Building Mgmt and Non-Compliant endpoints across the Main Building Data VLAN, Building 3 WLAN Data VLAN and Branch 3 WLAN Data VLAN, tagged with Employee, Developer, Building Mgmt and Non-Compliant tags, reach the HQ data center and the Internet through switches and a router.
Policy in action: the matrix marks with X which role-to-role combinations (Employee, Developer, Building Mgmt and Non-Compliant against each other, the data center and the Internet) are denied.
TrustSec supports:
- Role-based segmentation across multiple locations
- End-to-end regulatory and compliance requirements such as PCI and HIPAA
- Restriction of lateral threat movement
Campus and Branch Segmentation: Enforcement
SGACL segmentation is available at wired access, wireless access, distribution and core on:
- Catalyst 3560-X, 3750-X
- Catalyst 3650, 3850
- Catalyst 4500E S7E, S8, 4500X
- Catalyst 6500 (2T) / 6800
- WLC 5760
- Cat 3560CX, IE 4000, IE 5000
- Nexus 7000
- Extending to the latest ISR4k and ASR
Wireless User-to-User Policy Enforcement
Apply user-to-user policies as defined in ISE (permit or deny) on traffic from the WLC. The WLAN controller sends IP-SGT bindings to the enforcing switch over SXP; on the switch's SVI for the wireless VLAN (Vlan 2):
  interface Vlan2
   ip local-proxy-arp
   ip route-cache same-interface
  !
  cts role-based enforcement
  cts role-based enforcement vlan-list 2
Breaches & Lateral Movement
Diagram: the attacker sits outside the inbound and outbound perimeter of the enterprise network and first researches targets (SNS).
1. C2 server
2. Spear phishing ([email protected]); victim clicks link unwittingly (http://welcome.to.jangle.com/exploit.php)
3. Bot installed, back door established and receives commands from the C2 server
4. Scan LAN for vulnerable hosts to exploit and find privileged users
5. Privileged account found
6. Admin node
7. Data exfiltrated
8. System compromised and data breached
Lateral movement (scanning, pivoting, privilege escalation, brute force, etc.) happens inside the enterprise network, past the perimeter.
Blocking Lateral Movement
- SGT dynamically assigned or statically mapped to a VLAN
- SGACL applied statically via CLI or dynamically downloaded from ISE
- Result: lateral movement and privilege escalation between Employee and Non-Compliant endpoints blocked
Block Lateral Movement SGACL:
  deny icmp
  deny udp src dst eq domain
  deny tcp src dst eq 3389
  deny tcp src dst eq 1433
  deny tcp src dst eq 1521
  deny tcp src dst eq 445
  deny tcp src dst eq 137
  deny tcp src dst eq 138
  deny tcp src dst eq 139
  deny udp src dst eq snmp
  deny tcp src dst eq telnet
  deny tcp src dst eq www
  deny tcp src dst eq 443
  deny tcp src dst eq 22
  deny tcp src dst eq pop3
  deny tcp src dst eq 123
  deny tcp match-all -ack +fin -psh -rst -syn -urg
  deny tcp match-all +fin +psh +urg
  permit tcp match-any +ack +syn
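The SGACL evaluation described on the Egress Policy Matrix slide and in the Block Lateral Movement SGACL above, worked through as an added Python example (not Cisco code and not part of the original deck): it resolves source and destination SGTs from a constructed IP-SGT binding table by longest prefix, then walks the matrix cell's entries top-down, first match wins. The SGT numbers, addresses and ACE lines come from the slides; the binding table, the two extra matrix cells, the service-name ports and the "permit" cell default are assumptions (in a deployment the default comes from the matrix's default policy).

```python
"""Model of SGACL egress enforcement: resolve source/destination SGTs from an
IP-SGT binding table, then evaluate the matrix cell for that (source, destination)
pair.  Constructed example, not Cisco code.  SGT numbers, addresses and the ACE
lines come from the slides; the binding table, the extra matrix cells, the
service ports and the 'permit' cell default are assumptions."""
import ipaddress
from dataclasses import dataclass

# Service names used in the slide's SGACLs, resolved to destination ports (assumed mapping).
SERVICE_PORTS = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

# Constructed IP-SGT bindings, as an SXP binding table would hold them.
BINDINGS = {"10.1.10.0/24": 5, "10.1.100.100/32": 20, "10.1.101.100/32": 30}


def resolve_sgt(ip, bindings=BINDINGS):
    """Longest-prefix match; an address with no binding is Unknown (SGT 0)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in bindings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else 0


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"syn", "ack"}


def parse_ace(line):
    """Parse one SGACL entry into (action, proto, dport, match_mode, set_flags, clear_flags)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    dport, mode, set_flags, clear_flags = None, None, set(), set()
    i = 0
    while i < len(rest):
        if rest[i] == "eq":                            # 'src dst eq <port>': destination port
            port = rest[i + 1]
            dport = SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)
            i += 2
        elif rest[i] in ("match-all", "match-any"):    # TCP flag tests follow
            mode = rest[i]
            for flag in rest[i + 1:]:
                (set_flags if flag[0] == "+" else clear_flags).add(flag[1:])
            break
        else:                                          # 'src' / 'dst' carry no operand here
            i += 1
    return action, proto, dport, mode, frozenset(set_flags), frozenset(clear_flags)


def ace_matches(ace, pkt):
    action, proto, dport, mode, set_flags, clear_flags = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if dport is not None and pkt.dport != dport:
        return False
    if mode is None:
        return True
    tests = [f in pkt.flags for f in set_flags] + [f not in pkt.flags for f in clear_flags]
    return all(tests) if mode == "match-all" else any(tests)


def evaluate_sgacl(lines, pkt, default="permit"):
    """First matching entry wins; 'default' stands in for the matrix default policy."""
    for line in lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[0]
    return default


# The 'Block Lateral Movement' SGACL from the slide, verbatim.
LATERAL_MOVEMENT = [
    "deny icmp", "deny udp src dst eq domain", "deny tcp src dst eq 3389",
    "deny tcp src dst eq 1433", "deny tcp src dst eq 1521", "deny tcp src dst eq 445",
    "deny tcp src dst eq 137", "deny tcp src dst eq 138", "deny tcp src dst eq 139",
    "deny udp src dst eq snmp", "deny tcp src dst eq telnet", "deny tcp src dst eq www",
    "deny tcp src dst eq 443", "deny tcp src dst eq 22", "deny tcp src dst eq pop3",
    "deny tcp src dst eq 123", "deny tcp match-all -ack +fin -psh -rst -syn -urg",
    "deny tcp match-all +fin +psh +urg", "permit tcp match-any +ack +syn",
]

# Constructed egress matrix keyed by (source SGT, destination SGT).
MATRIX = {
    (5, 5): LATERAL_MOVEMENT,                                   # Employees -> Employees
    (5, 20): ["permit tcp src dst eq www", "permit tcp src dst eq 443", "deny ip"],
    (5, 30): ["deny ip"],                                       # Employees never reach DB_Servers directly
}


def enforce(src_ip, dst_ip, pkt, matrix=MATRIX, default="permit"):
    """Return (source SGT, destination SGT, action) as the egress switch would decide it."""
    src, dst = resolve_sgt(src_ip), resolve_sgt(dst_ip)
    return src, dst, evaluate_sgacl(matrix.get((src, dst), []), pkt, default)


if __name__ == "__main__":
    print(enforce("10.1.10.100", "10.1.10.200", Packet("tcp", 3389, frozenset({"syn"}))))
```

One caveat the model makes visible: both match-all entries require +fin, so a TCP segment with no flags set matches nothing in the list and falls through to the cell default. With the default at permit such segments pass between Employee endpoints, so the matrix default policy deserves review alongside the SGACL itself.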
Acting on Potentially Compromised Hosts
Quarantine is based on the MAC address, preventing the compromised device from accessing the network from other locations / access methods.
Flow: the NIDS/SIM raises Event: Reconnaissance, Source IP: 10.10.10.10/32, Response: Quarantine, and issues PXGRID: EPS Quarantine: 10.10.10.10. ISE maps the session (OS Type: Windows 8, User: Fay, AD Group: Employee, Asset Registration: Yes, MAC Address: aa:bb:cc:dd:ee:ff) to Policy Mapping SGT: Suspicious, and the WLAN controller re-classifies the compromised endpoint (10.10.10.10, aa:bb:cc:dd:ee:ff) on the corporate network; the firewall in front of the business data app / storage enforces the result.
Firewall rules:
Source IP | Source SGT | Destination IP | Destination SGT | Service | Action
Any | Employee | Any | Biz Server | HTTPS | Allow
Any | Suspicious | Any | Biz Server | Any | Deny
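As an added example (not from the deck and not Cisco code), a Python model of the quarantine flow on this slide: a constructed ISE session directory keyed by IP, an EPS quarantine list keyed by MAC so that the Suspicious tag follows the device across access methods, and the slide's two firewall rules evaluated top-down. The IseModel class, the session fields, the second endpoint and the firewall's default deny are all assumptions.

```python
"""Model of MAC-keyed quarantine: a NIDS/SIM reports an IP over pxGrid, ISE pins
the MAC behind that IP and re-tags the session as Suspicious, and the firewall
rule table turns the tag into a deny.  Constructed example, not Cisco code; the
IseModel class and the firewall's default deny are assumptions."""
from dataclasses import dataclass


@dataclass
class Session:
    ip: str
    mac: str
    user: str
    sgt: str    # policy-mapped SGT name, e.g. the AD group or "Suspicious"


class IseModel:
    """Constructed stand-in for the ISE session directory plus its EPS quarantine list."""

    def __init__(self):
        self.sessions = {}            # ip -> Session
        self.quarantined_macs = set()

    def session_start(self, ip, mac, user, ad_group):
        """Authorization: a quarantined MAC gets SGT Suspicious whatever its group says."""
        mac = mac.lower()
        sgt = "Suspicious" if mac in self.quarantined_macs else ad_group
        session = Session(ip, mac, user, sgt)
        self.sessions[ip] = session
        return session

    def eps_quarantine(self, ip):
        """pxGrid EPS quarantine by source IP: pin the MAC behind it and re-tag the
        live session.  Returns the MAC, or None if no session is known for that IP."""
        session = self.sessions.get(ip)
        if session is None:
            return None
        self.quarantined_macs.add(session.mac)
        session.sgt = "Suspicious"
        return session.mac


# The slide's firewall rules as (source SGT, destination SGT, service, action); "Any" is a wildcard.
FIREWALL_RULES = [
    ("Employee", "Biz Server", "HTTPS", "Allow"),
    ("Suspicious", "Biz Server", "Any", "Deny"),
]


def firewall_action(src_sgt, dst_sgt, service, rules=FIREWALL_RULES, default="Deny"):
    """First matching rule wins; the default deny is an assumption."""
    for rule_src, rule_dst, rule_svc, action in rules:
        if rule_src in ("Any", src_sgt) and rule_dst in ("Any", dst_sgt) and rule_svc in ("Any", service):
            return action
    return default


def quarantine_scenario():
    """Replay the slide: Fay connects, the NIDS reports reconnaissance from her IP,
    ISE quarantines the MAC, and a later connection from another access method
    with a new IP stays Suspicious while an unrelated device is unaffected."""
    ise = IseModel()
    first = ise.session_start("10.10.10.10", "aa:bb:cc:dd:ee:ff", "Fay", "Employee")
    before = firewall_action(first.sgt, "Biz Server", "HTTPS")
    pinned_mac = ise.eps_quarantine("10.10.10.10")      # PXGRID: EPS Quarantine: 10.10.10.10
    after = firewall_action(first.sgt, "Biz Server", "HTTPS")
    rejoin = ise.session_start("10.20.0.5", "AA:BB:CC:DD:EE:FF", "Fay", "Employee")   # wired, new IP
    other = ise.session_start("10.20.0.6", "00:11:22:33:44:55", "Bob", "Employee")    # constructed second host
    return before, pinned_mac, after, rejoin.sgt, other.sgt


if __name__ == "__main__":
    print(quarantine_scenario())
```

Because the quarantine key is the MAC, the rejoin from a new IP comes up Suspicious without any further event; a quarantine keyed on the IP alone would lapse at the next DHCP lease or when the device switched from wireless to wired.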
Data Center Segmentation
Diagram: Web Servers, Middleware Servers, Database Servers and Storage behind a switch.
Policy in action: the matrix marks with X which tier-to-tier combinations (Web Servers, Middleware Servers, Database Servers and Storage against each other) are denied.
TrustSec supports:
- Firewall rule simplification
- Data center regulatory and compliance requirements such as PCI and HIPAA
- Server zoning
- Micro-segmentation
- Physical and virtual workload segmentation
Summary
- TrustSec is easy to enable and manage
- Can start with specific use-cases with minimal platform dependencies
- Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the policy matrix
TrustSec can provide right now:
- More effective segmentation, centrally managed
- Reduced management effort compared to VLAN/dACL efforts and admin
- Topology-independent security policies: policy managers/auditors do not need to understand the topology or the underlying technology to use the policy matrix
- Firewall rule simplification and OpEx reduction
- Faster and easier deployment of new services, cutting the cost of change
Forrester: The Total Economic Impact of Cisco TrustSec
Cisco TrustSec enabled the organizations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation, resulting in lower downtime.
For More Information
- For everything TrustSec-related: http://www.cisco.com/go/trustsec
- TrustSec platform support matrix: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
- Case studies: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/customer-case-study-listing.html
- Cisco IT use of TrustSec: http://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/i-en-02292016-Policies-to-Control-User-Access.pdf
- Gartner webcast on Software-Defined Segmentation and TrustSec: http://event.on24.com/r.htm?e=1124906&s=1&k=14EEFF1DFC42C2BE06E07DA934E47C45
- PCI Scope Reduction with Cisco TrustSec, QSA (Verizon) validation: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf
For More Information, Part 2
- For our latest system bulletin covering the validation testing that we do, please refer to: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-system-bulletin.pdf
- TrustSec DC Config Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/trustsec-data-center-segmentation-guide.pdf
- Campus and Branch Segmentation Guide: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/branch-segmentation.pdf
- Securing BYOD and using VPN with TrustSec: http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/trustsec/white-paper-c11-732290.html
Thank you for watching.