Date post: 21-Mar-2018

Transcript

Transforming Secure Access for Unified Enterprise Networks

Håkan Nohre

Consulting Systems Engineer

Cisco and/or its affiliates. All rights reserved. Cisco Public

How to Succeed with Secure Access

Understand that it is not just an “ISE project....”

Diagram on the slide: ISE in the centre, surrounded by everything a Secure Access project touches:

- Network Devices
- Active Directory
- Desktop Management
- PKI
- Other Assets: Printers, Security Cameras, IoE
- Unified Communications
- Firewalls
- Legal
- Mobile Device Management
- Security

Agenda

Why Secure Access?

Use Cases

– Corporate Devices

– BYOD

– Guests

– Other Devices

Segmenting the Network


Secure Access is Good from a Risk Management Perspective

Increased Security

Reduced Workload, More Automation

Increased Flexibility and Agility - mobile devices, contractors, guests, mobility

Cost / Benefit: Determine your optimal requirements

Integrated Defense Across the Attack Continuum

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Visibility and Automation across the Attack Continuum: Identity Services + NAC, pxGrid, TrustSec

ISE Provides Visibility, Context, and Control Across the Entire Continuum

Adding Identity Awareness to the Network

Diagram: ISE attaches to the whole network - the access layer (wired, wireless, VPN), the core, and the data center (Nexus, ASA, ……. more) - and answers three questions about every session: Where? Who? What?

ISE works within a System

Diagram: the same network (access layer wired/wireless/VPN, core, data center with Nexus and ASA), with ISE answering Where? Who? What? and exchanging context with Active Directory, MDM, and 3rd party security systems (SIEM, IPS etc.) over pxGrid.

pxGrid: Context Orchestration

Every security system on the slide (Talos, NBAR, MDM, SIEM, NetFlow, firewall, ...) holds some context and lacks some other context:

- I have NBAR info! I need identity…
- I have location! I need identity…
- I have MDM info! I need location…
- I have app inventory info! I need posture…
- I have identity & device-type! I need app inventory & vulnerability…
- I have firewall logs! I need identity…
- I have threat data! I need reputation…
- I have sec events! I need reputation…
- I have NetFlow! I need entitlement…
- I have reputation info! I
- I have application info! I need location & auth-group…

pxGrid: a Single Protocol for Securing Info Access

ISE 1.3: pxGrid = Information Sharing

Visibility: FireSIGHT Discovers

Host 10.1.19.4: OS, User (john, learned via Active Directory), Apps, Vulnerabilities

...automatically: Hosts, OS, Logged in Users, Applications, Vulnerabilities

pxGrid: Discovering Identities for Other Devices (New)

Host 10.1.19.4: OS, User (john), Apps, Vulnerabilities

- Device authenticates to the network (802.1X)
- Cisco ISE shares the session info via pxGrid
- Works even if the device is not in Active Directory

pxGrid: Automated Responses (New)

Use a pre-defined or custom script to initiate automatic actions, e.g. quarantine a device by changing its VLAN, ACL or SGT.

Indications Of Compromise:

- IPS event impact 1
- Malware
- Communication with BOTNET

QUARANTINE: ISE changes the VLAN or SGT of the endpoint
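The responder script the slide describes, as an added example that is not part of the original deck or of Cisco's pxGrid tooling: it maps a feed of security events onto the three Indications Of Compromise above, collapses them into one quarantine action per host, and hands each action to an ISE client. The event records, the VLAN/SGT names and the `DryRunIseClient.quarantine` interface are constructed for this example; a real deployment would replace the client with a pxGrid/ISE call that issues the change of authorization.

```python
"""Added example (not from the original slides): a small pxGrid-style
responder that turns Indications Of Compromise into the quarantine action
on the slide (move the endpoint to a quarantine VLAN/SGT).

Event records, thresholds, VLAN/SGT names and the client interface are
constructed for this example; the real call into ISE is stubbed out and is
an assumption, not ISE's own client."""
from dataclasses import dataclass
from typing import Dict, List, Optional

QUARANTINE_VLAN = 999          # constructed quarantine VLAN
QUARANTINE_SGT = "Quarantine"  # constructed security group tag


@dataclass(frozen=True)
class SecurityEvent:
    source: str                    # producing system, e.g. "IPS" or "AMP" (constructed)
    host_ip: str
    kind: str                      # "ips", "malware" or "botnet"
    impact: Optional[int] = None   # IPS impact level; 1 is the most severe


@dataclass(frozen=True)
class QuarantineAction:
    host_ip: str
    reason: str
    vlan: int = QUARANTINE_VLAN
    sgt: str = QUARANTINE_SGT


def ioc_reason(ev: SecurityEvent) -> Optional[str]:
    """Map an event to one of the slide's Indications Of Compromise, or None."""
    if ev.kind == "ips" and ev.impact == 1:
        return "IPS event impact 1"
    if ev.kind == "malware":
        return "Malware"
    if ev.kind == "botnet":
        return "Communication with BOTNET"
    return None  # e.g. an impact-3 IPS event is informational only


def decide_actions(events: List[SecurityEvent]) -> List[QuarantineAction]:
    """One quarantine action per compromised host; the first matching event
    supplies the reason, so repeated alerts do not repeat the CoA."""
    actions: Dict[str, QuarantineAction] = {}
    for ev in events:
        reason = ioc_reason(ev)
        if reason is not None and ev.host_ip not in actions:
            actions[ev.host_ip] = QuarantineAction(ev.host_ip, reason)
    return list(actions.values())


class DryRunIseClient:
    """Stand-in for the ISE integration (assumed interface): records the
    change-of-authorization it would issue instead of talking to ISE."""

    def __init__(self) -> None:
        self.calls: List[dict] = []

    def quarantine(self, host_ip: str, vlan: int, sgt: str) -> dict:
        self.calls.append({"ip": host_ip, "vlan": vlan, "sgt": sgt})
        return {"status": "ok", "ip": host_ip}


def respond(events: List[SecurityEvent], ise: DryRunIseClient) -> List[dict]:
    """Evaluate the feed and push each resulting quarantine to ISE."""
    return [ise.quarantine(a.host_ip, a.vlan, a.sgt) for a in decide_actions(events)]


# Constructed sample feed, as an IPS/SIEM/NetFlow collector might publish on pxGrid.
SAMPLE_EVENTS = [
    SecurityEvent("IPS", "10.1.19.4", "ips", impact=1),
    SecurityEvent("IPS", "10.1.19.5", "ips", impact=3),   # not an IoC
    SecurityEvent("AMP", "10.1.19.6", "malware"),
    SecurityEvent("NetFlow", "10.1.19.4", "botnet"),      # same host again
]

if __name__ == "__main__":
    client = DryRunIseClient()
    for result in respond(SAMPLE_EVENTS, client):
        print(result)
```

The deduplication matters in practice: a host talking to a botnet generates a stream of events, and each quarantine is a RADIUS change of authorization that bounces the session, so the responder should fire once per host and leave the reason in its log for the incident responder.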

Employees with Corporate Computers

Diagram: Joe connects at the access layer (wired, wireless or VPN); the access device authenticates him with 802.1X and sends RADIUS to ISE, which authorizes him towards the data center (HR and Finance servers).

Joe is a member of HR and is using a corporate computer with a cert.

Authorization/Segmentation: VLAN, ACL or SGT..

ISE 1.3: support for multiple ADs

Posture Checking

Diagram: the same 802.1X/RADIUS flow with Active Directory behind ISE, and an AV Update server in the data center next to the Finance servers.

Joe is a member of HR and is using a corporate computer with a cert, but does not have updated AntiVirus.

Authorization/Segmentation: VLAN, ACL or SGT.. Joe is restricted to the AV Update server until his AntiVirus is updated ("Updated" on the slide).

NAC Agent/ISE Posture Agent now in AnyConnect (New)

ISE Posture Agent (the previous NAC Agent, now part of AnyConnect)

– AnyConnect 4.0
– ISE 1.3
– ASA 9.2.1 for ASA enforcement

Better user experience!

ISE is the Single Point of Management for Posture for Wired, Wireless and VPN

No need for an Inline Posture Node (IPN)

Employee with BYOD (802.1X)

Diagram: same access/data center topology (Active Directory, HR and Finance servers, plus email and web).

Joe is a member of HR but is using his iPad, authenticating with a password over 802.1X/RADIUS.

Authorization/Segmentation: VLAN, ACL or SGT.. (on the slide: email and web only)
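The three authorization outcomes on the preceding slides (corporate computer with certificate, corporate computer that fails posture, BYOD iPad with a password) as one ISE-style policy, added here as an example that is not part of the deck and not ISE's own policy language. Rules are evaluated top-down with first match wins, as ISE authorization policies are; the AD group names, the issuing CA name, VLAN numbers, dACL and SGT names are constructed, and the `Session` fields stand in for what the RADIUS request, the AD lookup and the posture agent would supply.

```python
"""Added example (not from the slides): an ISE-style authorization policy,
evaluated top-down with first match wins, over constructed 802.1X sessions
for the corporate-with-cert, posture-failed and BYOD-with-password cases.

AD group names, the issuing CA name, VLAN numbers, dACL and SGT names are
all constructed for this example."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

CORP_ISSUER = "CN=Corp Issuing CA"   # constructed: the PKI that issues the corporate certs


@dataclass(frozen=True)
class Session:
    user: str
    ad_groups: FrozenSet[str]        # groups from the AD lookup
    eap_method: str                  # "EAP-TLS" or "PEAP-MSCHAPv2"
    cert_issuer: Optional[str]       # issuer of the client certificate, if any
    posture: str                     # "Compliant", "NonCompliant" or "Unknown"
    device_type: str                 # "Workstation", "iPad", ...


@dataclass(frozen=True)
class Authorization:
    profile: str
    vlan: Optional[int] = None
    dacl: Optional[str] = None       # downloadable ACL name
    sgt: Optional[str] = None        # security group tag


def corporate_cert(s: Session) -> bool:
    """'Corporate computer with cert' means EAP-TLS with a cert from our own CA;
    a valid cert from any other issuer must not count."""
    return s.eap_method == "EAP-TLS" and s.cert_issuer == CORP_ISSUER


Rule = Tuple[str, Callable[[Session], bool], Authorization]

# Ordered like an ISE authorization policy; the first matching rule wins.
RULES: List[Rule] = [
    ("HR on corporate computer, compliant",
     lambda s: "HR" in s.ad_groups and corporate_cert(s) and s.posture == "Compliant",
     Authorization("HR_Full", vlan=100, dacl="PERMIT_HR_SERVERS", sgt="HR")),
    ("Corporate computer, posture not compliant",
     lambda s: corporate_cert(s) and s.posture != "Compliant",
     Authorization("Remediation", vlan=100, dacl="AV_UPDATE_ONLY", sgt="Remediation")),
    ("Employee BYOD authenticated with password",
     lambda s: "Employees" in s.ad_groups and not corporate_cert(s),
     Authorization("BYOD_Limited", vlan=200, dacl="EMAIL_WEB_ONLY", sgt="BYOD")),
]
DEFAULT = Authorization("DenyAccess")   # implicit deny at the bottom of the policy


def authorize(s: Session) -> Tuple[str, Authorization]:
    """Return (rule name, authorization) for the first rule that matches."""
    for name, match, result in RULES:
        if match(s):
            return name, result
    return "default", DEFAULT


# Constructed sessions: Joe (HR) on three devices, and an outsider whose
# client certificate chains to a CA we do not trust.
JOE_GROUPS = frozenset({"Employees", "HR"})
SESSIONS = {
    "joe_corp": Session("joe", JOE_GROUPS, "EAP-TLS", CORP_ISSUER, "Compliant", "Workstation"),
    "joe_stale_av": Session("joe", JOE_GROUPS, "EAP-TLS", CORP_ISSUER, "NonCompliant", "Workstation"),
    "joe_ipad": Session("joe", JOE_GROUPS, "PEAP-MSCHAPv2", None, "Unknown", "iPad"),
    "outsider": Session("mallory", frozenset(), "EAP-TLS", "CN=Some Other CA", "Unknown", "Laptop"),
}

if __name__ == "__main__":
    for label, s in SESSIONS.items():
        rule, auth = authorize(s)
        print(f"{label:12} -> {auth.profile:13} vlan={auth.vlan} dacl={auth.dacl} sgt={auth.sgt}  ({rule})")
```

Two details are worth copying into a real policy: the issuer check in `corporate_cert`, since "has a certificate" is not the same as "has one of ours", and the order of the rules, so that a non-compliant corporate machine lands in remediation before any broader employee rule can match. When the posture agent later reports the machine compliant, ISE re-runs this policy through a change of authorization and the same session moves from `Remediation` to `HR_Full`.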

Quiz Time!

When being presented with the security warning about an untrusted server certificate, the average user will

A) Reject the certificate, since he cares deeply about security

B) Accept the certificate, since he wants to get access to the network

One (of many) possible attacks…

Phishing Toolbox:

• AP broadcasting SSID = Corporate (802.1X)
• RADIUS server (configured to negotiate PEAP-GTC…, saves cracking MSCHAPv2)

Captured: User: hacke, Password: 34Ng”!#flsfkl45
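A model of the PEAP exchange behind the attack above, added as an example that is not part of the deck and not a real supplicant or RADIUS implementation. The rogue RADIUS server presents a certificate from its own CA and, once the user clicks through the warning and the TLS tunnel is up, proposes EAP-GTC as the inner method, so the supplicant sends the password as a plain token and nothing has to be cracked. The same exchange against a hardened supplicant profile (pinned CA, server name match, no user prompt, MSCHAPv2 only) never builds the tunnel. Certificate names, profile fields and message encodings are constructed; the MSCHAPv2 branch uses a SHA-256 digest as a stand-in for the real DES-over-NT-hash challenge/response, only to show that the server then holds a challenge-bound value rather than the password itself.

```python
"""Added example, not from the slides: a model of the PEAP negotiation in
the evil-twin attack.  A rogue AP broadcasts the corporate SSID and its
RADIUS server negotiates PEAP-GTC inside the TLS tunnel.

Certificate names, profile fields and message encodings are constructed.
The MSCHAPv2 branch uses a SHA-256 digest as a stand-in for the real
challenge/response purely to show that the server sees a challenge-bound
value rather than the password."""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    subject: str
    issuer: str


@dataclass(frozen=True)
class SupplicantProfile:
    trusted_issuers: FrozenSet[str]
    server_name: Optional[str]          # expected server cert subject; None = not checked
    allowed_phase2: Tuple[str, ...]     # inner methods the client will accept
    user_accepts_untrusted_cert: bool   # the quiz: does the user click "Accept"?


@dataclass(frozen=True)
class Outcome:
    tunnel_established: bool
    phase2: Optional[str] = None
    server_sees: Optional[str] = None   # what the RADIUS server ends up holding


def phase1_trusts_server(profile: SupplicantProfile, cert: ServerCert) -> bool:
    """Phase 1 is the TLS handshake; validating the server cert is the only
    thing that stops the client tunnelling to a rogue RADIUS server."""
    if cert.issuer not in profile.trusted_issuers:
        # Untrusted CA: a strict profile stops here, a lax one asks the user.
        return profile.user_accepts_untrusted_cert
    if profile.server_name is not None and cert.subject != profile.server_name:
        return False   # trusted CA but not the server we expect
    return True


def run_peap(profile: SupplicantProfile, cert: ServerCert,
             server_offers: Tuple[str, ...], username: str, password: str) -> Outcome:
    """Phase 2 runs inside the tunnel: the server proposes the inner method
    and the client takes the first one its profile allows."""
    if not phase1_trusts_server(profile, cert):
        return Outcome(tunnel_established=False)
    chosen = next((m for m in server_offers if m in profile.allowed_phase2), None)
    if chosen is None:
        return Outcome(tunnel_established=True)       # no agreeable inner method
    if chosen == "GTC":
        # EAP-GTC carries the password as a plain token: the server now has it.
        return Outcome(True, "GTC", f"{username}:{password}")
    # MSCHAPv2: the server holds a challenge-bound response (crackable offline,
    # but not the password itself).  The digest is a constructed stand-in.
    challenge = "0123456789abcdef"   # constructed fixed challenge
    response = hashlib.sha256(f"{challenge}:{password}".encode()).hexdigest()[:16]
    return Outcome(True, "MSCHAPv2", f"{username}:{challenge}:{response}")


# Constructed actors: the rogue server even copies the real server's name.
ROGUE_CERT = ServerCert(subject="CN=radius.corp.example", issuer="CN=Phishing Toolbox CA")
REAL_CERT = ServerCert(subject="CN=radius.corp.example", issuer="CN=Corp Root CA")

LAX_PROFILE = SupplicantProfile(
    trusted_issuers=frozenset({"CN=Corp Root CA"}), server_name=None,
    allowed_phase2=("MSCHAPv2", "GTC"), user_accepts_untrusted_cert=True)
HARDENED_PROFILE = SupplicantProfile(
    trusted_issuers=frozenset({"CN=Corp Root CA"}), server_name="CN=radius.corp.example",
    allowed_phase2=("MSCHAPv2",), user_accepts_untrusted_cert=False)

USER, PASSWORD = "hacke", "34Ng”!#flsfkl45"   # the credentials shown on the slide


def attack_outcomes() -> dict:
    return {
        "lax_vs_rogue": run_peap(LAX_PROFILE, ROGUE_CERT, ("GTC",), USER, PASSWORD),
        "hardened_vs_rogue": run_peap(HARDENED_PROFILE, ROGUE_CERT, ("GTC", "MSCHAPv2"), USER, PASSWORD),
        "hardened_vs_real": run_peap(HARDENED_PROFILE, REAL_CERT, ("MSCHAPv2",), USER, PASSWORD),
    }


if __name__ == "__main__":
    for name, out in attack_outcomes().items():
        print(name, out)
```

The three profile knobs in the model are the ones real supplicants expose (trusted root CA, server name match, and whether the user may override the warning), and they are what a desktop management or MDM push should lock down. They only reduce the exposure of a password; the next slides make the stronger point that once the device authenticates with a client certificate there is no password for a rogue server to collect at all.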

Problem with Passwords (PEAP)

Username/Password based authentication inherits the severe issues of passwords:

- How to control that they are not shared… Phishing attacks etc
- How to control that they are changed frequently

What if we could provision client certificates to the device?

(Attacker on the slide: "#$$$@@@!! I know the password, but I still cannot get access to the network")

Provisioning Certificates to BYOD

Diagram: same topology (Active Directory, HR and Finance servers, email, web).

Joe is a member of HR but is using his iPad, authenticating with a password; ISE provisions a certificate to the device.

New! CA in ISE

Employee with BYOD (MDM-Integration)

Diagram: same topology, with an MDM server next to ISE.

Joe (HR) connects; before authorizing, ISE asks the MDM: Is the Device Known by MDM? Is the Device Compliant?

Automated Device Security Posture Assessment and Compliance Check

MDM Integration: Corporate and Personal Device Posture Check and MDM Remediation

MDM Policy Check attributes:

- Device registration status
- Device compliance status
- Disk encryption status
- Pin lock status
- Jailbreak status
- Manufacturer
- Model
- IMEI
- Serial number
- OS version
- Phone number

ISE Integration with Meraki MDM (Systems Manager Enterprise) New!

Profiling Non-802.1X Capable Devices

Diagram: an unknown device ("?" in the MAC Database) connects and gets an Initial ACL/VLAN while ISE observes its Network Behaviour:

- MAC address
- DHCP parameters
- Info from SNMP
- Info from Netflow
- HTTP User-Agent
- DNS
- Nmap
- ….

ISE: "Behaves like a Surveillance Camera, update our MAC Database"

ISE Profiling

Diagram: once the device is recorded as Surveillance in the MAC Database, it is authorized into its own segment, separate from HR and Finance.

Authorization/Segmentation: VLAN or SGT controls access
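The profiling step on the two slides above, as an added example that is not part of the deck and not ISE's profiler: each profile is a set of conditions over the probe data (MAC OUI, DHCP vendor class and option-55 parameter list, HTTP User-Agent), every matching condition adds a certainty factor, a profile is assigned when its total reaches its minimum certainty, and the authorization (VLAN/SGT) follows the profile. The OUI table, DHCP fingerprints, User-Agent strings, certainty values, VLAN numbers and SGT names are all constructed for this example.

```python
"""Added example (not from the slides): a certainty-scored profiler run over
constructed probe data.  Each profile rule adds a certainty factor for every
matching attribute; a profile is assigned when its total reaches its minimum
certainty, and the authorization follows the profile.

The OUI-to-vendor table, DHCP fingerprints, User-Agent strings, certainty
values, VLAN numbers and SGT names are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed OUI table (first three octets -> vendor label).
OUI_VENDORS = {"00:40:8c": "AxisCam", "00:1a:a0": "DellPC"}


@dataclass
class Endpoint:
    mac: str
    dhcp_vendor_class: str = ""       # DHCP option 60
    dhcp_param_list: str = ""         # DHCP option 55, comma separated
    http_user_agent: str = ""
    attributes: Dict[str, str] = field(default_factory=dict)

    def collect(self) -> Dict[str, str]:
        """Normalise what the probes saw into attribute -> value."""
        self.attributes = {
            "oui_vendor": OUI_VENDORS.get(self.mac.lower()[:8], "Unknown"),
            "dhcp_class": self.dhcp_vendor_class,
            "dhcp_params": self.dhcp_param_list,
            "user_agent": self.http_user_agent,
        }
        return self.attributes


@dataclass(frozen=True)
class Condition:
    attribute: str
    contains: str
    certainty: int


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int
    conditions: Tuple[Condition, ...]


PROFILES = [
    Profile("Surveillance-Camera", 30, (
        Condition("oui_vendor", "AxisCam", 20),
        Condition("dhcp_class", "Network Camera", 20),
        Condition("user_agent", "AXIS", 10))),
    Profile("Windows-Workstation", 30, (
        Condition("oui_vendor", "DellPC", 10),
        Condition("dhcp_params", "1,3,6,15,31,33,43,44,46,47", 20),   # constructed option-55 list
        Condition("user_agent", "Windows NT", 20))),
]

# Profile -> authorization.  An unprofiled device keeps the initial restricted ACL.
AUTHZ = {
    "Surveillance-Camera": {"vlan": 300, "sgt": "Surveillance"},
    "Windows-Workstation": {"vlan": 100, "sgt": "Corporate_PCs"},
    None: {"vlan": 900, "sgt": "Unknown", "dacl": "INITIAL_RESTRICTED"},
}


def score(profile: Profile, attrs: Dict[str, str]) -> int:
    """Sum the certainty of every condition whose substring appears in the attribute."""
    return sum(c.certainty for c in profile.conditions if c.contains in attrs.get(c.attribute, ""))


def profile_endpoint(ep: Endpoint) -> Tuple[Optional[str], int]:
    """Highest-scoring profile whose score reaches its minimum certainty, else None."""
    attrs = ep.collect()
    best, best_score = None, 0
    for p in PROFILES:
        s = score(p, attrs)
        if s >= p.min_certainty and s > best_score:
            best, best_score = p.name, s
    return best, best_score


def authorize(ep: Endpoint) -> dict:
    name, certainty = profile_endpoint(ep)
    return {"profile": name, "certainty": certainty, **AUTHZ[name]}


# Constructed endpoints: a camera, a Windows PC, and a device with one weak hint only.
ENDPOINTS = {
    "camera": Endpoint("00:40:8C:12:34:56", dhcp_vendor_class="AXIS,Network Camera",
                       http_user_agent="AXIS Media Control"),
    "pc": Endpoint("00:1A:A0:AA:BB:CC", dhcp_param_list="1,3,6,15,31,33,43,44,46,47,121,249,252",
                   http_user_agent="Mozilla/5.0 (Windows NT 10.0)"),
    "mystery": Endpoint("DE:AD:BE:EF:00:01", http_user_agent="AXIS"),
}

if __name__ == "__main__":
    for label, ep in ENDPOINTS.items():
        print(label, authorize(ep))
```

The minimum-certainty threshold is what keeps the single User-Agent hint from turning `mystery` into a camera. Profiling is fingerprinting, not authentication: a laptop that clones a camera's MAC and DHCP behaviour gets the camera's authorization, so the Surveillance segment should grant only what a camera needs (the downloadable-ACL slide later shows exactly that, HTTPS to one recorder).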

Case Study : Problem solved by ISE

Security Conscious Enterprise

Each branch had computers, printers, surveillance cameras, room booking systems

Static port configuration, e.g.:

- port 1-16 computers
- port 17-20 printers
- port 21-24 cameras

Error prone when adding new devices (connect to wrong port..)

Bad port usage... empty ports, but still no "free" ports when another type of device needs to be connected.

ISE Guest Handling

Wireless or Wired or VPN

Internet Access and/or restricted access to internal resources
- consultants may need to access internal resources

Unique usernames/passwords, logs and reports

Guest flows: Sponsored Guests, Hotspot, Self Service, Self Service with SMS

Big improvements in ISE 1.3

Segmenting the Network #1: Using VLANs

Diagram: ISE answers Who? What? Where? and puts endpoints into VLAN 100 or VLAN 200 on the access switch; the upstream firewall (FW) only sees IP addresses (?).

+ Well Proven and Widely Used
- Maintenance of subnets, DHCP scopes..
- How to convey the VLAN to upstream Firewalls
- Peer-to-Peer Enforcement within the VLAN
- IP refresh issue with non-802.1X supplicants

Segmenting the Network #2: Downloadable ACLs

Diagram: all endpoints stay in the same VLAN 100; ISE downloads an ACL that is applied to the switch port, e.g.:

Remark: ACL for Cameras
permit tcp any host 10.1.1.3 eq https

Remark: ACL for Corporate PCs
permit tcp any host 10.1.1.3 eq https

+ Well Proven and Widely Used
+ No changes to IP subnets
- How to convey Security info to upstream Firewalls
- Consumes TCAM resources

Segmenting the Network #3 : Security Group TAGs

Diagram: ISE downloads the SGT (SGT Cameras, SGT Corporate PCs) and the SGT ACL to the access switch; upstream security devices (FW) can enforce policy on the SGT.

+ No changes to IP subnets, Security Policy decoupled from IP addressing
+ Conveys Security Group to Upstream Firewalls
+ Does not consume TCAM resources
- Does not work with legacy switches

Firewall Old Style

Firewall Rules based on IP addresses
- no knowledge of identity
- firewall ruleset changes when network grows/changes

Source                                                   Destination                                                   Service  Action
InsideNets100 (10.1.1.0/24, 10.1.9.0/24, 192.168.3.0/24)  FinanceServers (172.16.2.0/24, 172.16.9.0/24, 172.16.15.0/24)  HTTPS    PERMIT

Firewalls Today : Legacy Next Generation Firewall

Firewall Rule set Leverages Active Directory
- independent of IP addressing
- works for users logged into the Active Directory Domain
- does not convey identity for iPads, IP phones etc.
- does not convey other context such as posture, location...

Source   Destination                                      Application  Action
Finance  Finance Servers (172.16.2.0/24, 172.16.15.0/24)  HTTPS        PERMIT
IT       Switches (10.0.99.0/24)                          SSH          PERMIT
ANY      ANY                                              ANY          DENY

Security Group Tag Aware Firewall

Ruleset can utilize Security TAGs
- info on who, what device, posture, where
- also works for devices outside of the AD domain
- also works for destinations/servers

Source TAG             Destination     Application  Action
Finance, CleanMachine  FinanceServers  HTTPS        PERMIT
IP Phones              Phone Servers   SIP          PERMIT
financeIPAD            FinanceVDI      ICA          PERMIT

(One further cell of the slide's table reads "Any"; its row is not recoverable from the transcript.)
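The point of the last four slides (policy decoupled from IP addressing, and identity for devices an AD-based firewall cannot see) in runnable form, added here as an example that is not part of the deck and not any firewall's rule syntax: the same flows are evaluated against an IP-address ruleset built from the "Firewall Old Style" table and against a Security Group Tag matrix built from the "Security Group Tag Aware Firewall" table. The subnets and object-group names come from the slides; the SGT assignments, the port numbers for HTTPS/SIP/ICA and the new branch subnet are constructed.

```python
"""Added example (not from the slides): the same flows evaluated against an
IP-address firewall ruleset and against a Security Group Tag matrix, to show
why SGT policy survives re-addressing and covers devices outside AD.

Subnets and object-group names come from the slide tables; SGT assignments,
port numbers and the new branch subnet are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Object groups from the "Firewall Old Style" slide.
INSIDE_NETS_100 = nets("10.1.1.0/24", "10.1.9.0/24", "192.168.3.0/24")
FINANCE_SERVERS = nets("172.16.2.0/24", "172.16.9.0/24", "172.16.15.0/24")
HTTPS, SIP, ICA = 443, 5060, 1494   # constructed port mapping for the services

# IP-based policy: (source nets, destination nets, port) -> permit; else deny.
IP_RULES = [(INSIDE_NETS_100, FINANCE_SERVERS, HTTPS)]

# SGT matrix from the "Security Group Tag Aware Firewall" slide:
# (source tag, destination tag) -> permitted ports; else deny.
SGT_RULES: Dict[Tuple[str, str], FrozenSet[int]] = {
    ("Finance", "FinanceServers"): frozenset({HTTPS}),
    ("IP_Phones", "Phone_Servers"): frozenset({SIP}),
    ("financeIPAD", "FinanceVDI"): frozenset({ICA}),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_sgt: str     # tag ISE assigned at authentication (classification)
    dst_ip: str
    dst_sgt: str     # tag mapped to the server (IP-to-SGT mapping)
    dport: int


def in_any(ip: str, networks: List[Net]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def ip_firewall(flow: Flow) -> str:
    for src, dst, port in IP_RULES:
        if in_any(flow.src_ip, src) and in_any(flow.dst_ip, dst) and flow.dport == port:
            return "PERMIT"
    return "DENY"


def sgt_firewall(flow: Flow) -> str:
    allowed = SGT_RULES.get((flow.src_sgt, flow.dst_sgt), frozenset())
    return "PERMIT" if flow.dport in allowed else "DENY"


# Constructed flows: a Finance PC at HQ, the same PC after the user moves to a
# new branch whose subnet was never added to InsideNets100, an SSH attempt,
# and an iPad that an AD-only firewall could not attribute to anyone.
FLOWS = {
    "finance_pc_hq": Flow("10.1.1.10", "Finance", "172.16.2.5", "FinanceServers", HTTPS),
    "finance_pc_new_branch": Flow("10.1.77.10", "Finance", "172.16.2.5", "FinanceServers", HTTPS),
    "finance_pc_ssh": Flow("10.1.1.10", "Finance", "172.16.2.5", "FinanceServers", 22),
    "finance_ipad_vdi": Flow("10.1.1.20", "financeIPAD", "172.16.9.9", "FinanceVDI", ICA),
}


def compare() -> Dict[str, Tuple[str, str]]:
    """name -> (IP-ruleset verdict, SGT-matrix verdict) for every flow."""
    return {name: (ip_firewall(f), sgt_firewall(f)) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (ip_verdict, sgt_verdict) in compare().items():
        print(f"{name:22} ip={ip_verdict:6} sgt={sgt_verdict}")
```

The `finance_pc_new_branch` row is the slide's "ruleset changes when the network grows" problem: the IP ruleset has to be edited for every new subnet, while the SGT matrix is unchanged because the tag travels with the session. The trust in the SGT design moves to classification: the firewall believes the tag, so whoever can influence the authorization policy that assigns it, or inject tagged frames on an untrusted link, controls the verdict.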

Industry Recognizes Cisco Leadership

Image: Gartner Magic Quadrant for Network Access Control 2013, Lawrence Orans, John Pescatore – 12 December 2013

THE NAC Innovation Leader
- Pioneered NAC Technology
- Developed NAC Standards
- First to Launch in 2004

Positioned as a LEADER in Gartner Magic Quadrant for Network Access Control
- Gartner December 2013, 2012, 2011

“Cisco TrustSec and Cisco ISE are consistent with our view of identity-centric end-to-end security that is both needed and lacking in the enterprise today.”
- Forrester 2011

Conclusion

Increased Security

Reduced Workload, More Automation

Increased Flexibility and Agility - mobile devices, contractors, guests, mobility

Cost / Benefit: Determine your optimal requirements