Cisco TrustSec Security Solution Overview
Nicole Johnson, Systems Engineer, Cisco
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Movement from Location-Based to Identity-Based Security Strategy
• Cisco TrustSec Approach
  • 802.1X
  • MACsec (802.1AE) encryption
  • Security Group Tags
• Identity Services Engine (ISE) and its role in the network
• Network Control System
  • Introduction on how to manage the lifecycle of both wired and wireless devices in your network
• Q & A
• Next Steps
Policy Evolving with Borderless Networks
Borderless Networks: Anyone, Any Device, Anywhere, Anytime
Policy: The RIGHT Person, An approved Device, In The Right Way
Introducing Cisco TrustSec
• Improves IT Operational Efficiency
• Delivers Security & Risk Management
• Enables Business Productivity
Diagram: an identity-enabled infrastructure providing Policy-Based Access & Services (VLANs, dACLs, SGTs, Guest Access, Profiling, Posture) and Scalable Enforcement for Devices (Remote VPN User, Wireless User, VPN User Devices) across the Data Center, Intranet, Internet and Security Zones.
What is TrustSec?
Why Identity Is Important
1. Keep the Outsiders Out. Who are you? 802.1X (or a supplementary method) authenticates the user.
2. Keep the Insiders Honest. Where can you go? Based on authentication, the user is placed in the correct VLAN.
3. Personalize the Network. What service level do you receive? The user can be given per-user services (ACLs today, more to come).
4. Increase Network Visibility. What are you doing? The user’s identity and location can be used for tracking and accounting.
Authentication, Authorization, Accounting
What does Identity allow you to do?
• Ensure that only allowed types of user and machine connect to key resources
• Provide guest network access in a controlled and specific manner
• Deliver differentiated network services to meet security policy needs, for example:
  • Ensure compliance requirements (PCI, etc.) for user authentication are met
  • Facilitate voice/data traffic separation in the campus
  • Ensure that only employees with legitimate devices access classified systems
  • Ensure that contractors/business partners get appropriate access
• Provide user and access device visibility to network security operations
Why 802.1X?
• Industry-standard approach to identity
• Most secure user/machine authentication solution
• Complements other switch security features
• Easier to deploy
• Provides foundation for additional services (e.g., posture)
How Does 802.1X Work?
• Supplicant: sends the Request for Service (Connectivity) over Layer 2 to the authenticator
• Authenticator (switch, router, WAP): relays the request over Layer 3 to the authentication server (Back-End Authentication Support)
• Authentication Server (RADIUS server): integrates with the identity store (Identity Store Integration)
• Identity Store/Management: Active Directory, LDAP
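The authenticator-to-server leg above is a RADIUS Access-Request. The Python below is an added example, not code from this deck or from Cisco, that builds that request for the initial EAP identity exchange and shows the server-side check of the Message-Authenticator attribute that protects it; the shared secret, identity and NAS attribute values are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865 / RFC 3579); NAS-Port-Type value 15 = Ethernet
ACCESS_REQUEST = 1
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
NAS_PORT_TYPE_ETHERNET = 15

def attr(attr_type, value):
    """Encode one RADIUS attribute as type | length | value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity (code 2, type 1), as relayed from the supplicant's EAPOL frame."""
    return struct.pack("!BBH", 2, eap_id, 5 + len(identity)) + b"\x01" + identity

def build_access_request(secret, radius_id, identity, request_authenticator=None):
    """Build the Access-Request the authenticator (switch) sends to the RADIUS server.
    Message-Authenticator is HMAC-MD5 over the whole packet, keyed with the shared
    secret and computed with its own 16 bytes zeroed; RFC 3579 requires it whenever
    EAP-Message is present, so the server can detect a forged or altered request."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, identity)
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(EAP_MESSAGE, eap_response_identity(1, identity))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs))
                       + request_authenticator + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(secret, packet):
    """Server-side check: recompute the HMAC with the attribute zeroed and compare."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            return False  # malformed attribute: reject instead of looping or over-reading
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = bytearray(packet)
            zeroed[offset + 2:offset + 18] = bytes(16)
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[offset + 2:offset + 18])
        offset += length
    return False  # no Message-Authenticator: not acceptable for EAP over RADIUS
```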
Who (or What) Can Be Authenticated?
Device Authentication (e.g. host\XP2)
• Enables Devices To Access Network Prior To (or In the Absence of) User Login
• Enables Critical Device Traffic (DHCP, NFS, Machine GPO)
• Is Required In Managed Wired Environments
User Authentication (e.g. alice)
• Enables User-Based Access Control and Visibility
• If Enabled, Should Be In Addition To Device Authentication
Various Authorization Mechanisms
• 802.1X provides various authorization mechanisms for policy enforcement.
• Three major enforcement / segmentation mechanisms:
  • Dynamic VLAN assignment (ingress)
  • Downloadable per-session ACL (ingress)
  • Security Group Access Control List (SGACL) (egress)
• Three different enforcement modes:
  • Monitor Mode
  • Low Impact Mode (with Downloadable ACL)
  • High-Security Mode
• Session-based on-demand authorization:
  • Change of Authorization (RFC 3576 RADIUS Disconnect Messages)
Cisco Switches with 802.1X
• A Systems Approach: a fully planned, tested, and vetted SYSTEM for identity. The many business units have all worked together to form a full system-based approach to ensure the most capable, fully functional and proven identity system in the industry.
• Consistent across all switch platforms! Same features, same code:
  • Multi-Auth
  • Deployment Modes
  • Pre-Emptive Dead Server Detection
  • Critical VLAN
  • dACL per Host
MACsec (802.1AE) Overview
Quick Review of MACsec (802.1AE)
Confidentiality and Integrity: Securing the Data Path with MACsec
Media Access Control Security (MACsec)
• Provides “WLAN / VPN equivalent” encryption (128-bit AES-GCM) to the LAN connection
• NIST approved* encryption (IEEE 802.1AE) + key management (IEEE 802.1X-2010/MKA or Security Association Protocol)
• Allows the network to continue to perform auditing (security services)
* National Institute of Standards and Technology Special Publication 800-38D
Diagram: an authenticated user with an 802.1X supplicant with MACsec sends traffic encrypted over the MACsec link to the switch, which decrypts it; a guest user without MACsec sends data in the clear. TrustSec™ provides an encrypted data path regardless of your access method (WLAN, Remote Access, and LAN!).
Note: Cat3750-X currently supports MACsec on downlink only
MACsec Benefits and Limitations
Benefits
• Confidentiality: strong encryption at Layer 2 protects data.
• Integrity: integrity checking ensures data cannot be modified in transit.
• Flexibility: selectively enabled with centralized policy.
• Network Intelligence: hop-by-hop encryption enables the network to inspect, monitor, mark and forward traffic according to your existing policies.
Limitations
• Endpoint Support: not all endpoints support MACsec.
• Network Support: line-rate encryption typically requires updated hardware on the access switch.
• Technology Integration: MACsec may impact other technologies that connect at the access edge (e.g. IP Phones).
Cisco TrustSec
• Security Group Tags
  • Unique 16-bit (65K) tag assigned to a unique role
  • Represents the privilege of the source user, device, or entity
  • Tagged at ingress of the TrustSec domain
  • Provides topology-independent policy
  • Flexible and scalable policy based on user role
  • Centralized policy management for dynamic policy provisioning
• Hop-by-hop encryption (802.1AE): provides confidentiality and integrity while still allowing for inspection of traffic between endpoints
Layer 2 SGT Frame Format
• Frame is always tagged at the ingress port of an SGT-capable device
• Tagging takes place prior to other L2 services such as QoS
• No impact on IP MTU/fragmentation
• L2 frame MTU impact: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552 bytes MTU)
Ethernet frame fields: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
Cisco Meta Data (CMD): Version | Length | CMD EtherType | SGT Opt Type | SGT Value | Other CMD Options
The 802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead; the diagram marks which part of the frame is authenticated and which part is encrypted.
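The Python below is an added example, not code from this deck or from Cisco, of the ingress tagging described here and the egress SGACL enforcement listed on the authorization-mechanisms slide: it builds and parses the frame layout above using the CMD EtherType 0x8909, a single SGT option with the field widths assumed for this example, and the 802.1AE header and ICV taken as already removed (a link without MACsec, or after decryption), then looks the source SGT up in a constructed policy matrix.

```python
import struct

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_CMD = 0x8909      # Cisco Meta Data (CMD) EtherType that precedes the SGT
SGT_OPTION_TYPE = 0x0001    # CMD option type for the SGT (field widths assumed for this example)
CMD_VERSION = 1

def build_sgt_frame(dmac, smac, sgt, inner_ethertype, payload, vlan=None):
    """Tag at ingress: optional 802.1Q, then CMD = version, length, option type, 16-bit SGT."""
    frame = dmac + smac
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan)
    frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, SGT_OPTION_TYPE, sgt)
    return frame + struct.pack("!H", inner_ethertype) + payload

def parse_sgt_frame(frame):
    """Walk DMAC/SMAC, optional 802.1Q and CMD; return VLAN, SGT, inner EtherType and payload.
    The 802.1AE header and ICV are taken as already removed (no MACsec, or after decryption)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan, sgt = 14, None, None
    if ethertype == ETHERTYPE_DOT1Q:
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan, offset = tci & 0x0FFF, offset + 4
    if ethertype == ETHERTYPE_CMD:
        version, _length, opt_type, sgt = struct.unpack("!BBHH", frame[offset:offset + 6])
        if version != CMD_VERSION or opt_type != SGT_OPTION_TYPE:
            raise ValueError("unsupported CMD header")  # only a single SGT option is handled
        ethertype = struct.unpack("!H", frame[offset + 6:offset + 8])[0]
        offset += 8
    return {"vlan": vlan, "sgt": sgt, "ethertype": ethertype, "payload": frame[offset:]}

# Constructed SGT numbers and SGACL matrix: (source SGT, destination SGT) -> action.
SGT_STAFF, SGT_GUEST, SGT_PUBLIC, SGT_PRIVATE = 10, 20, 100, 200
SGACL = {
    (SGT_STAFF, SGT_PUBLIC): "permit", (SGT_STAFF, SGT_PRIVATE): "permit",
    (SGT_GUEST, SGT_PUBLIC): "permit", (SGT_GUEST, SGT_PRIVATE): "deny",
}

def egress_decision(frame, destination_sgt):
    """Egress enforcement: look up (source SGT carried in the frame, destination SGT).
    Anything not explicitly permitted, including untagged frames that carry no role,
    is denied; the decision never depends on the VLAN or port the frame arrived on."""
    source_sgt = parse_sgt_frame(frame)["sgt"]
    if source_sgt is None:
        return "deny"
    return SGACL.get((source_sgt, destination_sgt), "deny")
```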
Identity Services Engine (ISE)
Policy-Based Access: Identity Services Engine Delivers “Business Policy”
Define network policy as an extension of business goals.
Diagram: a Finance Manager on a corporate-issued laptop and on a personal iPad accessing Product Bookings, SalesForce.com and Customer Data, with one path marked X (blocked).
• Policy extends to all access types (wired, wireless, VPN)
• Optional encryption-based policies for security-conscious users
• Lifecycle services integration: guest, profiling, posture
Identity Services Engine: Policies for people and devices
Non-User Devices
• How do I discover non-user devices?
• Can I determine what they are?
• Can I control their access?
• Are they being spoofed?
Guest Access
• Can I allow guests Internet-only access?
• How do I manage guest access?
• Can this work in wireless and wired?
• How do I monitor guest activities?
Authorized Access
• How can I restrict access to my network?
• Can I manage the risk of using personal PCs, tablets, smart devices?
• Access rights on premises, at home, on the road?
• Are devices healthy?
A Practical Example of Policies
• “Printers should only ever communicate internally”
• “Employees should be able to access everything but have limited access on personal devices”
• “Everyone’s traffic should be encrypted”
Diagram: a Cisco Switch, Cisco Access Point and Cisco Wireless LAN Controller on the Campus Network, with the Cisco® Identity Services Engine applying the policy between users, Internal Resources and the Internet.
Let’s Start With What We Know: Previous Cisco TrustSec Solution Portfolio
• NAC Manager / NAC Server: Identity & Access Control + Posture
• NAC Profiler: Device Profiling & Provisioning + Identity Monitoring (NAC Collector: standalone appliance or licensed as a module on NAC Server)
• NAC Guest Server: Guest Lifecycle Management
• Access Control System: Identity & Access Control
• Endpoint agents: NAC Agent, AnyConnect
Introducing Identity Services Engine: Next Generation Solution Portfolio
The Identity Services Engine (ISE) takes over the functions previously spread across NAC Manager / NAC Server (Identity & Access Control + Posture), NAC Profiler with NAC Collector (Device Profiling & Provisioning + Identity Monitoring), NAC Guest Server (Guest Lifecycle Management) and Access Control System (Identity & Access Control); NAC Agent and AnyConnect remain the endpoint agents.
Benefits of Identity Services Engine
• Consolidated Services, Software Packages: Simplify Deployment & Admin (ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server consolidated into ISE)
• Visibility: Track Active Users & Devices (User ID, Location, Access Rights, Device (& IP/MAC))
• Flexible Service Deployment: Optimize Where Services Run (Admin Console, Monitoring and Distributed Policy servers, or an All-in-One HA Pair)
• Guest: Manage Guests & Sponsors
• Manage Security Group Access: Keep Existing Logical Design (SGT policy matrix of Staff and Guest against Public and Private, with Permit/Deny cells)
• System-wide Monitoring & Troubleshooting: Consolidate Data, Three-Click Drill-In
Identity & Context-Awareness: Leveraging your Infrastructure Network
Consistent identity features supported on all Catalyst switch models authenticate authorized users (802.1X), devices such as IP phones (MAB & profiling) and guests (Web Auth) at the Cisco® Catalyst® switch.
Identity Feature Differentiators
• Monitor Mode: delivers visibility by authenticating users/devices (without enforcement)
• Flex Authentication Sequence: the most flexible authentication in the market automates ports for rolling authentication with a flexible sequence
• IP Telephony Interoperability: features like multi-domain auth and link state provide authentication for IP telephony environments, or users behind VoIP devices
• VDI Deployment Support: the multi-authentication feature enables authentication of multiple MAC addresses behind a single port
ISE Lifecycle Services: ISE Posture Ensures Endpoint Health before Network Access
Employee Policy:
• Microsoft patches updated
• McAfee AV installed, running, and current
• Corp asset checks
• Enterprise application running
A non-compliant wired, wireless or VPN user gets temporary limited network access until remediation is complete.
ISE Lifecycle Services: ISE Guest Service for managing guests
• Provision: guest accounts via sponsor portal
• Notify: guests of account details by print, email, or SMS
• Manage: sponsor privileges, guest accounts and policies, guest portal
• Report: on all aspects of guest accounts
Guest Policy (guests authenticate via Web Auth):
• Wireless or wired access
• Internet-only access
Identity and Context-Awareness: ISE Profiling for Non-Authenticating Devices (“What is on my Network”)
• Reduces MAB effort by identifying more than 90 device categories
• Create policy for users and endpoints, e.g. “Limited access by employee on iPad”
• Confidence-match based on multiple attributes
• Future “template feed”
ISE Device Profiling Capabilities
Device categories include smart phones, gaming consoles and workstations. Multiple rules establish a confidence level, and a minimum confidence is required for a match.
ISE Device Profiling Example - iPad
• Is the MAC address from Apple?
• Does the hostname contain “iPad”?
• Is the web browser Safari on an iPad?
• Once the device is profiled (here as an Apple iPad), it is stored within the ISE for future associations.
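The Python below is an added example, not ISE code, of the multi-rule confidence matching described on the two profiling slides above: each rule checks one attribute of a constructed endpoint record, the weights of matching rules are summed, and a profile matches only when its minimum confidence is reached. The OUI list, weights, minimums and the endpoint store are constructed for the example.

```python
# Constructed endpoint attributes stand in for what the switch and ISE can observe:
# the MAC (RADIUS/MAB), the DHCP hostname and the HTTP User-Agent seen at the web portal.
APPLE_OUIS = {"00:1C:B3", "F0:99:BF"}   # sample OUIs for this example, not an authoritative list

def mac_is_apple(endpoint):
    return endpoint.get("mac", "")[:8].upper() in APPLE_OUIS

def hostname_contains_ipad(endpoint):
    return "ipad" in endpoint.get("hostname", "").lower()

def browser_is_safari_on_ipad(endpoint):
    user_agent = endpoint.get("user_agent", "").lower()
    return "ipad" in user_agent and "safari" in user_agent

# profile name -> (minimum confidence, [(rule, certainty weight), ...]); values are constructed.
PROFILES = {
    "Apple-iPad": (30, [(mac_is_apple, 10), (hostname_contains_ipad, 20),
                        (browser_is_safari_on_ipad, 30)]),
    "Apple-Device": (10, [(mac_is_apple, 10)]),
}

def confidence(endpoint, profile):
    """Sum the weights of the rules that match. A single weak attribute cannot reach the
    iPad minimum on its own, so a borrowed hostname or a MAC alone is not enough."""
    minimum, rules = PROFILES[profile]
    total = sum(weight for rule, weight in rules if rule(endpoint))
    return total, total >= minimum

def profile_endpoint(endpoint):
    """Return the highest-scoring profile whose minimum confidence is met, else "Unknown"."""
    best_name, best_total = "Unknown", -1
    for name in PROFILES:
        total, matched = confidence(endpoint, name)
        if matched and total > best_total:
            best_name, best_total = name, total
    return best_name

ENDPOINT_DB = {}   # stands in for the ISE endpoint store, keyed by MAC address

def profile_and_store(endpoint):
    """Profile once and remember the result for future associations of this MAC."""
    profile = profile_endpoint(endpoint)
    ENDPOINT_DB[endpoint["mac"].upper()] = profile
    return profile
```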
Cisco ISE Provides Policy for Wired and Wireless LANs
• Unified wired and wireless policy (ISE) and management (NCS).
• ISE: central point of policy for wired and wireless users and endpoints
• NCS: centralized monitoring of wired and wireless networking, users and endpoints
TrustSec Deployment Options
Monitor Mode
• Primary Features: Open mode, Multi-Auth, Flex Auth (optional)
• Benefits: Unobstructed access, no impact on productivity, gain visibility (AAA logs)
Low Impact Mode
• Primary Features: Open mode, Multi-Domain, Port & dACLs
• Benefits: Maintain basic connectivity, increased access security, differentiated access
High Security Mode
• Primary Features: Traditional closed mode, Dynamic VLANs
• Benefits: Strict access control
Deployment Overview: Typical TrustSec Deployment Scenario
Plan in advance and keep the impact on user experience as small as possible.
Services: Planning → Proof of Concept → Pilot Deployment (size: 1 segment or 1 floor) → Expansion (size: multi-floor, building)
• Pilot Deployment: supplicant provisioning, RADIUS setup, switch setup; No Enforcement (Monitor Mode), then Review & Adjust; Enforcement (Low Impact Mode), then Review & Adjust
Why Cisco TrustSec Architecture
• One policy for wired, wireless and VPN
• Integrated lifecycle services (posture, profiling, guest)
• Differentiated identity features (monitor mode, flex auth, multi-auth, ...)
• Phased approach to deployments, i.e. monitor mode
• Flexible and scalable authorization options
• Encryption to protect communications and SGT tags
Trustsec.cisco.com / www.cisco.com/go/trustsec
802.1X Resources
• http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html
• http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/CiscoIBNS-Technical-Review.pdf
• http://en.wikipedia.org/wiki/IEEE_802.1X
• http://www.networkworld.com/news/2010/0506whatisit.html
• http://www.ieee802.org/1/pages/802.1x.html
MACsec Resources
• http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750x_3560x/software/release/15.0_1_se/configuration/guide/swmacsec.html
• https://videosharing.cisco.com/vportal/VideoPlayer.jsp?ccsid=C-9323e79a-0395-475c-9c65-27f6e6afff3b:1#
• http://en.wikipedia.org/wiki/IEEE_802.1AE
• http://www.ieee802.org/1/pages/802.1ae.html
• http://www.networkworld.com/details/7593.html