Page 1: The Changing Landscape of Identity

© 2013 Cisco and/or its affiliates. All rights reserved.

The Changing Landscape of Identity: Is 802.1X Enough?

Aaron T. Woland, Cisco Systems

Page 2: The Changing Landscape of Identity


• This session explores the evolution of identity and access control in the network: where 802.1X makes sense, where it needs to be extended, and how IT can create and use contextual identity to apply and enforce granular access control regardless of the origin of access.

Page 3: The Changing Landscape of Identity


How Do I Control Who Gains Access to the Network?

Page 4: The Changing Landscape of Identity


Diagram: Employee → RADIUS 802.1X → Policy → Production Servers / VDI Servers

• 802.1X provides the user or device credential
• User allowed to connect to the network
• Enforcement may be VLAN or ACL
• Who:
  • Employee / Contractor
  • Guest?

Page 5: The Changing Landscape of Identity


Timeline: 802.1X (Identity), late 1990’s

Page 6: The Changing Landscape of Identity


• Extend 802.1X capabilities to check:
  • Identity (Who)
  • Anti-X, Patches (What)
• Quarantine VLAN for remediation

Diagram: Desktop client attempts connection → authentication and policy check of client → Quarantine VLAN → Remediation

Page 7: The Changing Landscape of Identity


Timeline: 802.1X (Identity), 2001; Anti-X, Patches (NAC), 2004

Page 8: The Changing Landscape of Identity


BYOD | Next Generation Workforce | Device Proliferation

DEVICE PROLIFERATION (infographic; the numbers are not in the transcript)
• … that will be connecting to your network
• On average every person has … that connects to the network
• … are bringing their …

Page 9: The Changing Landscape of Identity


BYOD | Next Generation Workforce | Device Proliferation

NEXT GENERATION WORKFORCE
• Work is no longer a place you go to work
• People are willing to take a pay cut as long as they are able to work from home
• 70% of end users admit to breaking IT policy to make their lives easier

Page 10: The Changing Landscape of Identity


BYOD | Next Generation Workforce | Device Proliferation

BYOD
• BYOD is personal: “Allow me to use the device(s) that make me more productive for you!”
• People identify with the devices they use, and pride themselves on being productive with them.

Page 11: The Changing Landscape of Identity


Page 12: The Changing Landscape of Identity


TYPICAL DEPLOYMENT SCENARIO
• Multitude of devices on the network, wired and wireless
• Need to have policy control for each device type

The Challenge: device proliferation and identification for policy enforcement

TYPICAL USE CASES
• Visibility
• Differentiating policy

Page 13: The Changing Landscape of Identity


Timeline: 802.1X (Identity), 2001; Anti-X, Patches (NAC), 2004; Identity and Device Type (Profiling), 2007

Page 14: The Changing Landscape of Identity


My Machine can Authenticate… My User can Authenticate…

Page 15: The Changing Landscape of Identity


Diagram: CorpAsset (Machine + User) → 802.1X RADIUS → Policy → Production Servers / VDI Servers

• Allows user and machine identities to be authenticated and authorized
• How:
  • User succeed / Machine failed
  • User and Machine succeed
  • User failed / Machine succeed
  • User and Machine failed

Page 16: The Changing Landscape of Identity


• The IETF working group is in the process of standardizing Tunneled EAP (TEAP).
• Next-generation EAP method that provides all the benefits of the current EAP types.
• Also provides EAP-Chaining.
• http://datatracker.ietf.org/doc/draft-ietf-emu-eap-tunnel-method/?include_text=1

Page 17: The Changing Landscape of Identity


• 70% of organizations have a formalized BYOD program or plan to
• 15 billion network-connected devices by 2015
• 50% allow executives to bring their own device, with or without restrictions

Page 18: The Changing Landscape of Identity


Diagram: mobile device → Policy server ↔ MDM

• Mobile devices are profiled as they access the network
• Is the device managed by MDM, or is it a guest device?
• Policy server queries MDM: disk encryption? Jailbroken?
• Device is assigned network access based on MDM results

Page 19: The Changing Landscape of Identity


Timeline: 802.1X (Identity), 2001; Anti-X, Patches (NAC), 2004; Identity and Device Type (Profiling), 2007; MDM Integration (JailBroken? Encryption? EAP-Chaining?), 2013

Page 20: The Changing Landscape of Identity


Page 21: The Changing Landscape of Identity


Timeline: 802.1X (Identity), 2001; Anti-X, Patches (NAC), 2004; Identity and Device Type (Profiling), 2007; MDM Integration (JailBroken? Encryption? EAP-Chaining?), 2013; Location (GeoLocation, Badged-In?), ~2013

Page 22: The Changing Landscape of Identity


Example use of Contextual Identity: Global Retailer

Page 23: The Changing Landscape of Identity


Diagram: Security Policy Attributes and Users and Devices feed a Centralized Policy Engine (Business-Relevant Policies, Dynamic Policy & Enforcement); context dimensions WHO, WHAT, WHERE, WHEN, HOW → Identity; outputs: Application Controls, Monitoring and Reporting, Security Policy Enforcement

Page 24: The Changing Landscape of Identity


Systems Integration Nightmare…

Problem 1: Many different transport mechanisms are used to access security information (FTP, Syslog, SDEE, SNMP, SSH, HTTP)

Problem 2: Many different traffic characteristics (Real Time, On Demand, Weekly, Per Hour, Per Year)

Problem 3: Many different types of data contribute to security information (Events, Correlation Results, Reports, Statistics, State Information, Configuration, Packet Capture)

Problem 4: Many different systems consume and produce security information (Access Control, Network Assessment, Policy Configuration, Vulnerability Assessment, Compliance, Network Management, SIEM)

Problem 5: The data and methodology are still not effective in answering very basic questions:
• Is my network secure?
• Are my systems compliant?
• Have I been breached?
• What does my network look like right now?
• Can I adapt to new technologies and threats?
• Is there any way to make this easier?

Problem 6: The complexity and resultant costs are a huge problem

Page 25: The Changing Landscape of Identity


• Need an industry-standard means of securely and efficiently communicating contextual identity for policy enforcement demands:
  Security Exchange (Ok, we need a better name)

Page 26: The Changing Landscape of Identity


Scalable Enforcement

Page 27: The Changing Landscape of Identity


Traditional Ingress Authorizations

VLAN Segmentation
Design: L3 Distribution / L2 Access; Data VLAN, Voice VLAN, Quarantine VLAN; Subnet, DHCP Scope, IP Address; STP, HSRP, VACL, PBR
• Standards based (vendor agnostic)
• Easy implementation
• Hidden implementation costs
• Need new VLANs everywhere
• Policy definition point and ACLs are still static
• Need to keep up with all destination changes

dACL based ingress filtering
Design: Distribution / L2 Access; Data VLAN, Voice VLAN; a downloadable ACL applied at ingress, e.g.
    permit ip any 10.1.100.0/24
    deny udp any 192.1.23.0/24 eq 445
    permit tcp any 192.1.23.0/24 eq 80
    ….
• Access topology independent (source substitution)
• Centrally managed policy (dynamic assignment)
• All protected destinations need to be defined
• Challenge to support many ACEs in TCAM
• Need to keep up with all destination changes

Page 28: The Changing Landscape of Identity


High OPEX Security Policy Maintenance

Traditional ACL/FW rule: ACL for 3 source objects & 3 destination objects
Source: NY, SF, LA, …, SJC (10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24)
Destination: Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2), DC-RTP (VDI) (10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24)

    permit NY to SRV1 for HTTPS
    deny NY to SAP2 for SQL
    deny NY to SCM2 for SSH
    permit SF to SRV1 for HTTPS
    deny SF to SAP1 for SQL
    deny SF to SCM2 for SSH
    permit LA to SRV1 for HTTPS
    deny LA to SAP1 for SQL
    deny LA to SAP for SSH

Adding a source object (SJC):
    Permit SJC to SRV1 for HTTPS
    deny SJC to SAP1 for SQL
    deny SJC to SCM2 for SSH

Adding a destination object (VDI):
    permit NY to VDI for RDP
    deny SF to VDI for RDP
    deny LA to VDI for RDP
    deny SJC to VDI for RDP

A global bank currently dedicates 24 global resources to managing firewall rules. The task remains complex and the high OPEX continues.

Page 29: The Changing Landscape of Identity


Reduced OPEX in Policy Maintenance: Security Group Filtering

Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)

    Permit Employee to Production_Servers eq HTTPS
    Permit Employee to Production_Servers eq SQL
    Permit Employee to Production_Servers eq SSH
    Permit Employee to VDI eq RDP
    Deny BYOD to Production_Servers
    Deny BYOD to VDI eq RDP

• Policy stays with users / servers regardless of location or topology
• Simpler auditing process (low OPEX cost)
• Simpler security operation (resource optimization); e.g. the bank now estimates 6 global resources
• Clear ROI in OPEX

Diagram: NY, SF, LA, SJC (Employee, BYOD) → DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) (Production Servers), DC-RTP (VDI) (VDI Servers)
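To make the OPEX argument of slides 28 and 29 concrete, here is an added Python example (mine, not code from the slides or from Cisco): it generates the slide-28 style per-subnet ACL, shows how its size grows when a fourth site is added, and enforces the slide-29 SGT matrix from a subnet-to-SGT binding table. The VDI, BYOD and SJC subnets are constructed assumptions; the other subnets, SGT numbers and rules are taken from the slides.

```python
"""Added example: the per-subnet ACL of slide 28 versus the SGT policy of slide 29.
Subnets, SGT numbers and rules come from the slides except where marked constructed."""
import ipaddress
from itertools import product

# Traditional model (slide 28): one ACE per (source site, destination server).
SITES = {"NY": "10.2.34.0/24", "SF": "10.2.35.0/24", "LA": "10.2.36.0/24"}
SERVERS = {  # name -> (subnet, service); the VDI subnet is constructed
    "SRV1": ("10.3.102.0/24", "HTTPS"), "SAP1": ("10.3.152.0/24", "SQL"),
    "SCM2": ("10.4.111.0/24", "SSH"), "VDI": ("10.4.200.0/24", "RDP"),
}

def traditional_acl(sites, servers):
    """Every site x server pair needs its own line, so the ACL grows as
    len(sites) * len(servers) and every new site touches every destination."""
    return [f"{src} -> {dst} {svc}" for src, (dst, (_, svc)) in product(sites, servers.items())]

# SGT model (slide 29): a fixed policy keyed by (source SGT, destination SGT).
SGACL = {  # allowed services per SGT pair; a missing pair is an implicit deny
    (10, 50): {"HTTPS", "SQL", "SSH"},  # Permit Employee to Production_Servers
    (10, 201): {"RDP"},                 # Permit Employee to VDI eq RDP
    (200, 50): set(),                   # Deny BYOD to Production_Servers
    (200, 201): set(),                  # Deny BYOD to VDI eq RDP
}
# Binding table: subnet -> SGT. A real deployment learns these from the
# authentication result at ingress; the BYOD subnet here is constructed.
BINDINGS = {**{n: 10 for n in SITES.values()},
            "10.3.102.0/24": 50, "10.3.152.0/24": 50, "10.4.111.0/24": 50,
            "10.4.200.0/24": 201, "10.2.50.0/24": 200}

def classify(ip):
    """Map an address to its SGT; unknown addresses get no tag."""
    addr = ipaddress.ip_address(ip)
    return next((tag for net, tag in BINDINGS.items()
                 if addr in ipaddress.ip_network(net)), None)

def sgacl_permits(src_ip, dst_ip, service):
    """Enforce the SGACL: both ends must carry a tag and the pair must list the service."""
    src_sgt, dst_sgt = classify(src_ip), classify(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return False
    return service in SGACL.get((src_sgt, dst_sgt), set())

def rule_counts():
    """(traditional ACEs, ACEs after adding a fourth site SJC, SGACL cells).
    The SJC subnet is constructed; its users are still Employee (10), so the matrix is unchanged."""
    before = len(traditional_acl(SITES, SERVERS))
    after = len(traditional_acl({**SITES, "SJC": "10.2.37.0/24"}, SERVERS))
    return before, after, len(SGACL)
```

rule_counts() returns (12, 16, 4): the per-subnet ACL gains four lines for the new site while the SGT matrix does not change at all.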

Page 30: The Changing Landscape of Identity


• Mass adoption of TEAP for EAP-Chaining capabilities
• Standard approach to communicating the contextual identity
  • Allowing services to make decisions based on the full context of the endpoint
• Standardize on Security Group Tagging or a similar function

Page 31: The Changing Landscape of Identity


All in Name of Improved Productivity!

Thank you

Page 32: The Changing Landscape of Identity


Questions?

