Cisco Self Defending Network
May 2007
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Intelligent Networking: Using the Network to Enable Business Processes
Cisco network strategy: utilize the network to unite isolated layers and domains (connectivity, networked infrastructure, applications and services, business processes) to enable business processes.
• Active participation in application and service delivery
• A systems approach integrates technology layers to reduce complexity (resilient, integrated, adaptive)
• Flexible policy controls adapt this intelligent system to your business through business rules

When it comes to information security, what are the objectives?
• Align security practice and policy to business requirements (adaptive, on-demand, agile organization); security that’s a business enabler, not an inhibitor
• Keep costs appropriate: it’s not necessarily about reducing costs, but rather spending where it counts the most
• Reduce complexity of the overall environment
• Control and contain threats so they don’t control you
The network touches all parts of the infrastructure; it is uniquely positioned to help solve these issues.
Self-Defending Network Defined
• Efficient security management, control and response: operational management and policy control
• Advanced technologies and security services to mitigate the effects of outbreaks (threat control and containment), protect critical assets (secure transactions) and ensure privacy (confidential communications)
• Secure network platform: the network as platform
Self-Defending Network: “The network can identify, adapt and ..... respond to attacks”
The 3 pillars of the SDN: Integration, Collaboration, Reaction
Diagram components (branch office, WAN with SONA): MARS & CSM; PCs; Intrusion Detection; WAAS; CSA (Cisco Security Agent), “automatic signature distribution”; encryption; Intrusion Prevention; Cisco switches; ISR router; firewall; NAC; ASA; WAAS; FW; servers; IPS; VPN; Anti-X; CSA, “limited vision, limited precision”; prevent the spread of viruses and worms.

Agenda
• Authentication: who can access the network (Internet, intranet); the impact of telephony; 802.1x, guests, web-based authentication
• Endpoint compliance at connection time: on the LAN, over VPN, etc.
• Best practices for controlling the users connected to the network
• Security features present in Cisco switches; QoS deployed?
• Cisco Security Agent (CSA)
• Network monitoring and configuration
Cisco Self Defending Network: Authentication and Authorization
Diagram labels: 802.1q; 802.3 (without 802.1q tag); 802.3 (without 802.1q tag); reserved bandwidth
IEEE 802.1x
• Standard set by the IEEE 802.1 working group
• A framework designed to address and provide port-based access control using authentication
• Primarily 802.1x is an encapsulation definition for EAP over IEEE 802 media; EAPOL (EAP over LAN) is the key protocol
• Layer 2 protocol for transporting authentication messages (EAP) between supplicant (user/PC) and authenticator (switch or access point)
• Assumes a secure connection
• Actual enforcement is via MAC-based filtering and port-state monitoring
Some IEEE Terminology
IEEE Terms             Normal People Terms
Supplicant             Client
Authenticator          Network Access Device
Authentication Server  AAA/RADIUS Server
802.1x Port Access Control Model
• Supplicant (request for service/connectivity): desktop/laptop, IP phone, WLAN AP, switch
• Authenticator (backend authentication support): switch, router, WLAN AP
• Authentication Server: IAS, ACS, any IETF RADIUS server
• Identity Store/Management (identity store integration): MS AD, LDAP, NDS, ODBC
A Closer Look: 802.1x, STP
Port Unauthorized

Cisco IOS:
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.100.100.100
radius-server key cisco123
dot1x system-auth-control
interface GigabitEthernet1/0/1
 dot1x port-control auto

CatOS:
set radius server 10.100.100.100
set dot1x system-auth-control enable
set port dot1x 3/1 port-control auto
A Closer Look: 802.1x, STP
Message sequence (supplicant / switch / RADIUS server):
1. Port Unauthorized
2. EAPOL-Start (supplicant to switch)
3. EAP-Identity-Request (switch to supplicant)
4. EAP-Identity-Response (supplicant to switch)
5. EAP-Auth Exchange (method dependent) between supplicant and switch; Auth Exchange with AAA Server between switch and RADIUS
6. EAP-Success/Failure to the supplicant; Authentication Successful/Rejected from RADIUS
7. Port Authorized, with policy instructions from the server
8. EAPOL-Logoff, then Port Unauthorized
The actual authentication conversation is between client and auth server using EAP; the switch is an EAP conduit, but aware of what’s going on. Supplicant-to-switch traffic is 802.1x (EAPOL); switch-to-server traffic is RADIUS.
802.1x: Default Operation (No EAPOL)
1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
2. 30 seconds later: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
3. 30 seconds later: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
• Any 802.1x-enabled switch port will send EAPOL identity-request frames on the wire (whether a supplicant is there or not)
• Switch defaults to no supplicant being on the wire based on no EAPOL response to its requests
• No network access is given
• Transient state; whole process restarts after a hold timer
• Process can start again if a supplicant appears on the port
802.1x with Guest VLAN (No EAPOL)
1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
2. 30 seconds later: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
3. 30 seconds later: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; √ port moved to guest VLAN
CatOS: set port dot1x 5/1 guest-vlan 10
IOS: dot1x guest-vlan 10
• Any 802.1x-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• Port is moved to guest VLAN after step three above; instead of transitioning to disconnected, the port immediately transitions to a state of authorized and the auth-SM state is authenticated
• Default timeout is 30 seconds with three retries; total timeout period is 90 secs by default
• A device is deployed to guest VLAN based on lack of response to the switch’s EAPOL-Identity-Request frames (which can be thought of as 802.1x hellos)
• No further security or authentication to be applied
• It is exactly like the administrator deconfigured 802.1x and hard-set the port into a determined VLAN
• No machines that speak 802.1x (or that can indeed respond to the switch via EAPOL) should ever go into the guest VLAN
802.1x with Auth Fail VLAN
1. EAPOL-Request (Identity), D = 01.80.c2.00.00.03 (MAX attempts 1–3)
2. EAPOL-Request (Identity), D = 01.80.c2.00.00.03
3. EAPOL-Request (Identity), D = 01.80.c2.00.00.03; √ port moved to auth-fail VLAN
CatOS: set port dot1x 5/1 auth-fail vlan 5
IOS: dot1x auth-fail vlan 5
• Any 802.1x-enabled switch port will send EAPOL-Identity-Request frames on the wire (whether a supplicant is there or not)
• Port is moved to auth fail VLAN after step three above; instead of transitioning to disconnected, the port immediately transitions to a state of authorized and the auth-SM state is authenticated
• Requires correct supplicant behavior
802.1x with VVID
Multi-VLAN Access Ports (MVAP)
• With Multi-VLAN Access Ports, a port can belong to two VLANs, still allowing the separation of voice/data traffic while enabling you to configure 802.1x
• An access port able to handle two VLANs: the native or Port VLAN Identifier (PVID) and the auxiliary or Voice VLAN Identifier (VVID)
• Hardware set to dot1q trunk: voice traffic tagged 802.1q, data traffic untagged 802.3
802.1x with VVID
• For each 802.1x switch port, the switch creates two virtual access points at each port
• The controlled port is open only when the device connected to the port has been authorized by 802.1x
• The uncontrolled port provides a path for Extensible Authentication Protocol over LAN (EAPOL) and CDP traffic only
802.1x with VVID
A dot1x-vvid port is an MVAP that has dot1x configured. The PC has to authenticate before getting access to the data VLAN. The IP phone (without dot1x supplicant implementation) can get access to the voice VLAN after sending proper CDP packets, regardless of the dot1x state of the port.
CatOS:
set vlan 2 5/1
set port auxiliaryvlan 5/1 12
set port dot1x 5/1 port-control auto
IOS:
switchport mode access
switchport access vlan 2
switchport voice vlan 12
dot1x port-control auto
• Unauthenticated voice VLAN (VVID) access
• Authenticated data VLAN (PVID) access
This allows 802.1x and VoIP to coexist at the same time.
802.1x with VVID: Previous Limitations
1. Port already authenticated
2. PC leaves; if an end user disconnects, the port remains authorized by 802.1x
3. Port remains authorized (√?)
4. Illegitimate user plugs in behind the phone (√?)
• An illegitimate user can now gain access to the port by spoofing the authenticated MAC address, and bypass 802.1x completely: a security hole
• In an attempt to work around this, some customers have enabled periodic reauthentication of end devices; this is not the reason to enable reauthentication
• We need to deal with the fact that any machine can disappear from the network and the switch (and 802.1x) does not know about it explicitly (i.e., the link doesn’t go down)
802.1x with VVID: Previous Limitations
1. Port already authenticated
2. PC leaves; if an end user disconnects, the port remains authorized by 802.1x
3. Port remains authorized (√?)
4. Legitimate user plugs in behind the phone (X)
5. Security violation
• A legitimate user may now attempt to gain access to the port by way of 802.1x; however, assuming the MAC addresses are different, the switch may now treat this as a security violation
• In an attempt to work around this, some customers have enabled periodic reauthentication of end devices; this is not the reason to enable reauthentication
• Overall, same issue as previous slides
802.1x with VVID: EAPOL-Logoff
1. Port already authenticated
2. PC leaves (X)
3. EAPOL-Logoff transmitted by the phone (X)
4. New authenticated session (√)
• If an end user disconnects, an IP phone transmits an EAPOL-Logoff frame to the switch: SA = PC MAC address, DA = 01-80-C2-00-00-03 (PAE group address)
• Two basic functions needed from the phone: monitor the PAE group address to determine who and where the supplicant is, and actually transmit the EAPOL-Logoff frame
• The switch thinks it is a standard EAPOL-Logoff frame transmitted by a supplicant indicating end of service
• This closes the current security hole, and promotes subsequent mobility
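The frames the last few slides describe (EAPOL-Start, EAP Request/Response Identity, and the EAPOL-Logoff an IP phone sends on the PC’s behalf to the PAE group address) can be decoded straight off the wire. The Python below is an added example written for this page, not code from the Cisco deck or from any Cisco product: it constructs the four frames of that conversation with made-up MAC addresses and parses them using the IEEE 802.1X EAPOL header layout and RFC 3748 EAP codes, so a port monitor can record who started, who identified, and who logged off.

```python
"""Parse and classify 802.1X EAPOL frames as the switch sees them on a port.

Added example; not code from the Cisco deck. The frames below are constructed
for illustration and the MAC addresses are made up. Ethertype, EAPOL header
layout and packet types follow IEEE 802.1X; EAP codes follow RFC 3748.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 01-80-C2-00-00-03, as on the slides
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


def parse_eapol(frame):
    """Return a dict describing one Ethernet frame carrying EAPOL; raise ValueError otherwise."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    info = {"dst": mac_str(dst), "src": mac_str(src), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "to_pae_group": dst == PAE_GROUP_ADDRESS}
    if ptype == 0 and body_len >= 4:           # an EAP packet inside the EAPOL body
        code, ident, eap_len = struct.unpack("!BBH", body[0:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
        # Identity Response: type byte 1 followed by the username/NAI
        if code == 2 and eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
            info["identity"] = body[5:eap_len].decode("ascii", "replace")
    return info


def build_eapol(dst, src, ptype, body=b""):
    """Ethernet + EAPOL (version 1) frame; used only to create sample input here."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body


def eap_identity_response(ident, identity):
    data = bytes([EAP_TYPE_IDENTITY]) + identity.encode("ascii")
    return struct.pack("!BBH", 2, ident, 4 + len(data)) + data


# Constructed conversation: a PC behind an IP phone (made-up MAC addresses).
PC_MAC = bytes.fromhex("001122334455")
SWITCH_MAC = bytes.fromhex("00aabbccddee")
SAMPLE_FRAMES = [
    build_eapol(PAE_GROUP_ADDRESS, PC_MAC, 1),                                    # EAPOL-Start
    build_eapol(PC_MAC, SWITCH_MAC, 0, struct.pack("!BBHB", 1, 7, 5, 1)),         # EAP-Request/Identity
    build_eapol(PAE_GROUP_ADDRESS, PC_MAC, 0, eap_identity_response(7, "jdoe")),  # EAP-Response/Identity
    # Proxy logoff sent by the phone after the PC unplugs: SA = PC MAC, DA = PAE group
    # address, so on the wire it is indistinguishable from a logoff the PC sent itself.
    build_eapol(PAE_GROUP_ADDRESS, PC_MAC, 2),
]


def session_events(frames):
    """Summarise a port's EAPOL traffic as (source MAC, event) tuples."""
    events = []
    for frame in frames:
        p = parse_eapol(frame)
        if p["type"] == "EAP-Packet":
            label = "EAP-" + p["eap_code"]
            if "identity" in p:
                label += "/Identity=" + p["identity"]
        else:
            label = p["type"]
        events.append((p["src"], label))
    return events


if __name__ == "__main__":
    for src, event in session_events(SAMPLE_FRAMES):
        print(f"{src}  {event}")
```

Run as a script it prints the four events in order. The source MAC and the `to_pae_group` flag are what a switch-side monitor would log: a logoff whose source address is the PC’s MAC is what ends the session, whichever device physically transmitted it, which is exactly why the phone’s proxy logoff works without any change to the switch.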
802.1x with VVID: Deployment Issues
No EAPOL (no supplicant):
1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03
2. 30 seconds later: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
3. 30 seconds later: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X); √ guest VLAN
Assuming no supplicant on the wire, a port will be deployed into the guest VLAN after step three above, if guest VLAN is configured.
Supplicant present:
The same three EAPOL-Request (Identity) frames are sent. If any user plugs into a phone, 802.1x is now totally dependent on how their supplicant is configured to operate. By default, Microsoft Windows supplicants do not send EAPOL-Starts; you will want to know why 802.1x works when you plug into a switch, and why it doesn’t work when you plug into a phone.
MAC Authentication Bypass (MAB)
Sequence (client / switch running dot1x and MAB / RADIUS):
1. Upon link up: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
2. 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
3. 30 seconds: EAPOL-Request (Identity), D = 01.80.c2.00.00.03; no response (X)
4. EAPOL timeout (30 seconds): initiate MAB
5. Learn MAC (slide example: 00.0a.95.7f.de.06); variable time
6. RADIUS Access-Request
7. RADIUS Access-Accept
8. Port enabled (√)
CatOS: Console> set port mac-auth-bypass 5/1 enable
IOS: Switch(config-if)# dot1x mac-auth-bypass
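The default-operation, guest VLAN, auth-fail VLAN and MAB slides above are one decision tree seen from the authenticator. The Python below models that tree as an added example, not Cisco switch code and not taken from the deck’s configuration lines: it replays the 30-second identity-request retries, then picks MAB, the guest VLAN, the auth-fail VLAN or the held unauthorized state depending on the port configuration and on whether the endpoint speaks EAPOL at all. The assumption that MAB is tried before the guest VLAN when both are configured belongs to this model, not to the slides; the MAB database and the endpoints are constructed.

```python
"""Authenticator-side decision tree the slides walk through: up to three
EAPOL-Request (Identity) frames 30 s apart, then MAB, guest VLAN or the
held/unauthorized state; and the auth-fail VLAN after failed EAP attempts.

Added example; not Cisco switch code. Timer defaults (30 s, three tries, 90 s
total) are the deck's. Trying MAB before the guest VLAN when both are
configured is an assumption of this model, not a statement on the slides.
The MAB database and endpoints are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

TX_PERIOD = 30          # seconds between identity requests (deck default)
MAX_REQ = 3             # identity requests before giving up (deck default)
MAX_AUTH_ATTEMPTS = 3   # failed EAP exchanges before auth-fail VLAN (deck: "MAX attempts 1-3")
PAE_GROUP = "01-80-c2-00-00-03"


@dataclass
class PortConfig:
    access_vlan: int
    guest_vlan: Optional[int] = None
    auth_fail_vlan: Optional[int] = None
    mab: bool = False


@dataclass
class Endpoint:
    mac: str
    speaks_eapol: bool            # False: printer-style device with no supplicant
    credentials_ok: bool = True   # only meaningful when speaks_eapol is True


@dataclass
class Outcome:
    state: str                    # "authorized" or "unauthorized"
    vlan: Optional[int]
    elapsed: int                  # seconds after link-up
    log: list = field(default_factory=list)


# Constructed RADIUS-side table of MACs permitted through MAB (the slide's example MAC).
MAB_DATABASE = {"00-0a-95-7f-de-06"}


def run_port(cfg, ep, mab_db=MAB_DATABASE):
    t, log = 0, [(0, f"link up; EAPOL-Request (Identity) to {PAE_GROUP}")]

    if ep.speaks_eapol:
        log.append((t, "EAP-Identity-Response; EAP method exchange via AAA"))
        for attempt in range(1, MAX_AUTH_ATTEMPTS + 1):
            if ep.credentials_ok:
                log.append((t, "EAP-Success; port authorized"))
                return Outcome("authorized", cfg.access_vlan, t, log)
            log.append((t, f"EAP-Failure (attempt {attempt})"))
        if cfg.auth_fail_vlan is not None:
            log.append((t, f"max attempts reached; moved to auth-fail VLAN {cfg.auth_fail_vlan}"))
            return Outcome("authorized", cfg.auth_fail_vlan, t, log)
        # A device that speaks EAPOL never lands in the guest VLAN (guest VLAN slide).
        log.append((t, "max attempts reached; port held unauthorized"))
        return Outcome("unauthorized", None, t, log)

    # No EAPOL at all: retransmit, then time out at 90 s.
    for n in range(2, MAX_REQ + 1):
        t += TX_PERIOD
        log.append((t, f"no EAPOL response; EAPOL-Request (Identity) #{n}"))
    t += TX_PERIOD
    log.append((t, "EAPOL timeout"))

    if cfg.mab:
        log.append((t, f"initiate MAB; learned MAC {ep.mac}; RADIUS Access-Request"))
        if ep.mac in mab_db:
            log.append((t, "RADIUS Access-Accept; port enabled"))
            return Outcome("authorized", cfg.access_vlan, t, log)
        log.append((t, "RADIUS Access-Reject"))
    if cfg.guest_vlan is not None:
        log.append((t, f"moved to guest VLAN {cfg.guest_vlan}; no further authentication"))
        return Outcome("authorized", cfg.guest_vlan, t, log)
    log.append((t, "transient unauthorized state; process restarts after hold timer"))
    return Outcome("unauthorized", None, t, log)


if __name__ == "__main__":
    printer = Endpoint("00-0a-95-7f-de-06", speaks_eapol=False)
    for line in run_port(PortConfig(access_vlan=2, guest_vlan=10, mab=True), printer).log:
        print(line)
```

The `elapsed` field makes the 90-second figure from the guest VLAN slide visible for every no-supplicant path, and the supplicant-with-bad-credentials path shows the rule that an EAPOL-capable device is never placed in the guest VLAN: without an auth-fail VLAN it stays unauthorized.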
Web Based Proxy Authentication (No EAPOL; 802.1x process, then RADIUS process)
1. 802.1x timeouts
2. Client initiates connection; activates the port authentication state machine
3. Switch port filters traffic, limiting it to HTTP, HTTPS, DNS and DHCP
4. Switch port relays DHCP address from DHCP server
5. User starts web browser and initiates web connection
6. Switch port redirects URL and presents HTTP form prompting for userid/pwd
7. User enters credentials; they are checked against the RADIUS DB; if authenticated, the switch port is opened for normal network access
Demonstrations
1) Authentication with 802.1x
2) The phone closes the 802.1x session
3) Authentication in the guest VLAN with web-based authentication
Operating System Implementations
Windows Boot Cycle Overview
Inherent assumption of network connectivity:
Power Up → Load NDIS Drivers → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA (Ctrl-Alt-Del) → Login
If we wait for 802.1x user authentication we break the Microsoft assumption.

Windows Boot Cycle Overview (with 802.1x)
Power Up → Load NDIS Drivers → 802.1x Authenticate as Computer → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA (Ctrl-Alt-Del) → Login
Microsoft and Machine Authentication
• What is machine authentication? The ability of a Windows workstation to authenticate under its own identity, independent of the requirement for an interactive user session
• What is it used for? Machine authentication is used at boot time by Windows OSes to authenticate and communicate with Windows domain controllers in order to pull down machine group policies
• Why do we care? Pre-802.1x this worked under the assumption that network connectivity was a given; post-802.1x the blocking of network access prior to 802.1x authentication breaks the machine-based group policy model, unless the machine can authenticate using its own identity in 802.1x
Windows Login Procedure (* marks the point of 802.1x authorization)
User Authentication: Power Up → Load NDIS Drivers → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA → Windows Domain Auth → 802.1x User Auth *; no connectivity to the domain controller until the user logs in
Machine Authentication: Power Up → Load NDIS Drivers → 802.1x Machine Auth * → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA → Windows Domain Auth; 802.1x early in the boot process
User + Machine Authentication: Power Up → Load NDIS Drivers → 802.1x Machine Auth * → DHCP → Setup Secure Channel to DC → Update Computer GPOs → Apply GPOs → Present GINA → Windows Domain Auth → 802.1x User Auth * → DHCP; users can be individually authenticated, with network connectivity throughout
Different Modes of Authentication in Microsoft Environments
Controlled by registry keys:
• Authentication by machine only: no need for user authentication if machine authentication is successful
• Authentication by user only: no machine authentication taking place at all; be careful, this breaks group and system policies
• Authentication by user and machine: uses authentication of both user and machine; switches contexts when going from one to the other
How Do You Enable Machine Auth?
• Make sure the computer is a member of the domain
• If using TLS, make sure the computer gets a cert, either through auto-enrollment or manually
• If using EAP-FAST, PEAP or EAP-TLS, make sure that the CA cert is in the local machine store; it is typically added if the CA is up when the machine is added to the domain; if not, you can force it via auto-enrollment too
• Click the check box for “authenticate as computer when computer information is available” in the authentication tab of the local-area connection properties window
Machine Auth Using PEAP or TLS
Machine authentication using PEAP:
• Uses account information for the computer created at the time the machine is added to the domain
• Computer must be a member of the domain
• If doing mutual authentication, the computer must trust the signing CA of the RADIUS server’s cert
Machine authentication using EAP-TLS:
• Authenticates the computer using certs
• The computer must have a valid cert
• If doing mutual authentication, the computer must trust the signing CA of the RADIUS server’s cert
• Easiest way to deploy is using MS-CA and Windows GPOs
Microsoft Issues with DHCP
DHCP is a parallel event, independent of 802.1x authentication
• With wired interfaces a successful 802.1x authentication does not force a DHCP address discovery (no media-connect signal)
• This produces a problem if not properly planned
• DHCP starts once the interface comes up
• If 802.1x authentication takes too long, DHCP may time out
Timeline: Power Up → Load NDIS Drivers → DHCP (timeout at 62 seconds) running in parallel with 802.1x Auth (variable timeout) → Setup Secure Channel to DC → Present GINA (Ctrl-Alt-Del) → Login
How to Address DHCP Timeout with 802.1x?
• Use machine authentication; this allows the initial machine authentication to obtain an IP address
• Supplicant behavior has been addressed by Microsoft: Windows XP: install Service Pack 1a + KB 826942; Windows 2000: install Service Pack 4
• Updated supplicants trigger DHCP IP address renewal: successful authentication causes the client to ping the default gateway (three times) with a subsecond timeout; lack of echo reply will trigger a DHCP IP renew; a successful echo reply will leave the IP as is
• The pre-renewal ping prevents lost connections when the subnet stays the same but the client may be WLAN roaming
Microsoft Fixes (Windows XP: install Service Pack 1a + KB 826942; Windows 2000: install Service Pack 4)
Sequence (supplicant / authenticator / authentication server):
1. Login request; supplicant sends credentials; authenticator forwards credentials to the ACS server
2. Accept; authentication successful (EAP-Success)
3. ICMP Echo (x3) for the default GW from the “old IP” as soon as the EAP-Success frame is received (VLAN assignment takes effect here)
4. DHCP-Request (D=255.255.255.255) after the pings have gone unanswered
5. DHCP-NAK (wrong subnet)
6. DHCP-Discover (D=255.255.255.255); at this point, DHCP proceeds normally
802.1x and Machine Access Restriction
Machine authentication:
• Machine boots up; interface becomes active (not authenticated); 802.1x authentication starts; machine sends its credential
• EAP-TLS: machine certificate; PEAP-MS-CHAPv2: Windows AD shared secret; EAP-FAST with CTA 2.0 supplicant; machine authentication name prefix “host/”
User authentication:
• If the user logs on to the machine, the machine sends an EAPOL-Start message to notify the access point or switch that a new authentication is being performed
• The following EAP-TLS, PEAP-MS-CHAPv2 or EAP-FAST authentication will be done with the user’s credential
Note: those are two independent authentications

802.1x and Machine Access Restriction
If machine authentication fails or is not enabled, a user can still successfully access the network. So machine authentication does not prevent users from accessing the network with an unregistered machine.
User authentication:
• If the user logs on to the machine, the machine sends an EAPOL-Logoff message to notify the access point or switch that the previous authentication is no longer valid
• The following EAP-TLS, PEAP-MS-CHAPv2 or EAP-FAST authentication will be done with the user’s credential
• The host/name format of the authentication request triggers the MAR check
802.1x and Machine Access Restriction
• User authentication is only successful after a previous successful machine authentication
• EAP-FAST, PEAP with EAP-MS-CHAPv2 and EAP-TLS only
• Allows machine authentication to be used as a condition for user authorization
• This provides a way to deny authentication for a user because machine authentication to the network was not completed prior to a login attempt
• Machine authentication by itself does not prevent users from accessing the network with an unregistered machine; to enforce this restriction, ACS now only completes a user authentication if the MAC address associated with the attempt was previously included in a successful machine authentication
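The MAR condition above is a small stateful check. The Python below is an added example of that logic, not ACS code: successful machine authentications (identities starting with host/) are recorded by MAC address, and a later user authentication from a MAC with no recorded machine authentication is rejected even when the user’s credentials are good. The 12-hour entry lifetime is an assumption of the example, since the deck gives no aging value; users, hostnames and MAC addresses are constructed.

```python
"""Machine Access Restriction (MAR) as the slides describe it: a user
authentication completes only if the MAC address of the attempt appeared in
an earlier successful machine authentication (identity prefixed "host/").

Added example; not ACS code. The 12-hour lifetime of a machine-auth entry is
an assumption made for this model (the deck gives no aging value). Users,
hostnames, MAC addresses and timestamps are constructed.
"""
from dataclasses import dataclass
import time

MAR_METHODS = {"EAP-TLS", "PEAP-MSCHAPv2", "EAP-FAST"}   # methods the deck lists for MAR


@dataclass
class AuthRequest:
    identity: str         # "host/PC-42" for a machine auth, "jdoe" for a user auth
    mac: str              # Calling-Station-Id of the attempt
    method: str
    credentials_ok: bool  # outcome of the EAP credential check itself


class MarPolicy:
    def __init__(self, aging_seconds=12 * 3600):   # assumption, see module docstring
        self.aging = aging_seconds
        self._machine_auths = {}   # mac -> (hostname, time of last successful machine auth)

    @staticmethod
    def is_machine_auth(req):
        # The deck: the "host/name" format of the request is what triggers the MAR check.
        return req.identity.startswith("host/")

    def authenticate(self, req, now=None):
        now = time.time() if now is None else now
        if not req.credentials_ok:
            return ("reject", "credentials rejected")
        if self.is_machine_auth(req):
            self._machine_auths[req.mac] = (req.identity, now)
            return ("accept", "machine authenticated")
        if req.method not in MAR_METHODS:
            # The deck only describes MAR for the three methods above.
            return ("accept", "MAR not applied to this method")
        entry = self._machine_auths.get(req.mac)
        if entry is None:
            return ("reject", "MAR: no prior machine authentication for this MAC")
        host, stamp = entry
        if now - stamp > self.aging:
            return ("reject", f"MAR: machine authentication of {host} has expired")
        return ("accept", f"user authenticated on {host}")


if __name__ == "__main__":
    mar = MarPolicy()
    pc = "00-11-22-33-44-55"
    print(mar.authenticate(AuthRequest("jdoe", pc, "PEAP-MSCHAPv2", True), now=1000))
    print(mar.authenticate(AuthRequest("host/PC-42", pc, "PEAP-MSCHAPv2", True), now=1000))
    print(mar.authenticate(AuthRequest("jdoe", pc, "PEAP-MSCHAPv2", True), now=1500))
```

The order of the three calls in the script is the boot sequence the slides describe: a user login before any machine authentication is refused, the machine authentication populates the table, and the same user then succeeds on the same MAC.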
802.1x Supplicant Support
• 802.1x requires client-side code (supplicant code)
• Growing support for supplicants in the industry
• Microsoft: native in Win2K, XP, and 2003
• Meetinghouse: support for WinNT, Win2K, WinXP, Win98, WinME, Solaris, Red Hat Linux
• Open source: Open1x xsupplicant for UNIX/Linux platforms
• Apple: native OS X support
• Cisco: ACU (wireless client), CTA (wired client)
Supplicant Considerations
Microsoft Windows:
• User and machine authentication
• DHCP request time out
• Machine authentication restriction
• Default methods: MD5, PEAP, EAP-TLS
Unix/Linux considerations:
• Open source: xsupplicant project (University of Utah), available from http://www.open1x.org
• Supports EAP-MD5, EAP-TLS, PEAP/MSCHAPv2, PEAP/EAP-GTC
Native Apple supplicant support in OS X 10.3:
• 802.1x is turned off by default!
• Default parameters: TTLS, LEAP, PEAP, MD5 supported
• Support for AirPort and wired interfaces
• Single sign-on can be accomplished with AppleScripts
Commercial products:
• Meetinghouse AEGIS supplicant, http://www.mtghouse.com/
Authorization
• Authorization is the embodiment of the ability to enforce policies on identities
• Typically policies are applied using a group methodology, which allows for easier manageability
• The goal is to take the notion of group management and policies into the network
• The most basic authorization in 802.1x and IBNS is the ability to allow or disallow access to the network at the link layer
• Other forms of authorization include VLAN assignment, ACL assignment, QoS policy assignment, 802.1x with ARP inspection, etc.
802.1x with VLAN Assignment
AV pairs used (all are IETF standard):
[64] Tunnel-Type: “VLAN” (13)
[65] Tunnel-Medium-Type: “802” (6)
[81] Tunnel-Private-Group-ID: “Marketing”
CatOS: RADIUS attributes received in CatOS are automatically implemented if 802.1x is enabled.
IOS: aaa authorization network default group radius
The VLAN name must match the switch configuration; a mismatch results in authorization failure.
802.1x with VLAN Assignment
• Dynamic VLAN assignment based on identity of group, or individual, at the time of authentication
• VLANs assigned by name; allows for more flexible VLAN management
• Allows dynamic VLAN policies to be applied to groups of users (i.e., VLAN QoS, VLAN ACLs, etc.)
• Tunnel attributes are used to send VLAN configuration information back to the authenticator
• Tunnel attributes are defined by RFC 2868
• Usage for VLANs is specified in the 802.1x standard
802.1x with ACL Assignment
Vendor-specific attributes used for RADIUS:
[026] vendor specific
[009] vendor ID for Cisco
[001] refers to the VSA number
Attribute used for predefined ACLs: [11] Filter-Id
ACL example:
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
permit ip any host 209.165.201.5
CatOS: RADIUS attributes received in CatOS are automatically implemented if 802.1x is enabled.
IOS: aaa authorization network default group radius

802.1x with ACLs
802.1x with QoS Policy
Vendor-specific attributes used for RADIUS:
[026] vendor specific
[009] vendor ID for Cisco
[001] refers to the VSA number
set qos acl ip ACL dscp 7 any
CatOS: RADIUS attributes received in CatOS are automatically implemented if 802.1x is enabled.
IOS: aaa authorization network default group radius
• Used to enable the automatic QoS provisioning of users
• In this example, RADIUS will send down a QoS PACL name along with an accept packet
• The policy is converted into ACEs and installed on this switch

802.1x with QoS Policy
802.1x and Authorization Failure
• The switch will fail an authentication to a client if the authorization from the authentication server cannot be applied to the switch
• For example, vlan = employee and there is no VLAN named employee on the switch
• The issue is exacerbated with NAC2 since the CTA pop-up says healthy, ACS says healthy, the switch fails the authentication, and the client shows a failed authentication
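The VLAN, ACL and QoS slides above list the RADIUS attributes an Access-Accept carries, and the authorization-failure slide describes what the switch does when it cannot apply them. The Python below is an added example covering both, not Cisco switch or ACS code: it encodes the tunnel attributes [64]/[65]/[81], Filter-Id [11] and a Cisco VSA [26] (vendor 9, type 1) following RFC 2865/2868, decodes them back, and applies them against a constructed VLAN/ACL table so that the “vlan = employee with no such VLAN” case fails exactly as the slide says. The av-pair text used for the QoS policy is a placeholder; the deck does not show the real string.

```python
"""Encode and decode the Access-Accept attributes the deck lists for 802.1x
authorization (tunnel attributes for VLAN assignment, Filter-Id for a
predefined ACL, a Cisco vendor-specific attribute), then apply them the way
the slides describe the switch behaving: a VLAN name that does not exist on
the switch fails the authentication.

Added example; not Cisco switch or ACS code. Attribute numbers and the VLAN
(13) / 802 (6) values are from RFC 2865/2868 and the deck. The av-pair text
used for the QoS policy and the VLAN/ACL tables are constructed placeholders.
"""
import struct

ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Constructed switch-side tables: VLAN name -> VLAN ID, and the ACL names that exist.
SWITCH_VLANS = {"Marketing": 20, "Engineering": 30}
SWITCH_ACLS = {"MKT-ACL"}


def avp(num, value):
    """One RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", num, len(value) + 2) + value


def tunnel_int(value, tag=0):
    """RFC 2868 tagged integer: one tag byte, three value bytes."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tunnel_str(value, tag=0):
    """RFC 2868 tagged string: a leading byte of 0x00..0x1F is a tag."""
    return bytes([tag]) + value.encode("ascii")


def cisco_vsa(text):
    """Vendor-Specific (26) body: vendor ID 9, VSA type 1 (cisco-avpair), string."""
    data = text.encode("ascii")
    return struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data


def build_accept_attrs(vlan_name, acl_name=None, qos_policy=None):
    out = (avp(ATTR_TUNNEL_TYPE, tunnel_int(TUNNEL_TYPE_VLAN))
           + avp(ATTR_TUNNEL_MEDIUM_TYPE, tunnel_int(TUNNEL_MEDIUM_802))
           + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, tunnel_str(vlan_name)))
    if acl_name:
        out += avp(ATTR_FILTER_ID, acl_name.encode("ascii"))
    if qos_policy:
        # Placeholder av-pair text; the deck does not show the real pair string.
        out += avp(ATTR_VENDOR_SPECIFIC, cisco_vsa("qos-policy=" + qos_policy))
    return out


def decode_attrs(payload):
    """Decode AVPs into a dict keyed by attribute number; VSAs keyed by (26, vendor, type)."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        num, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        value = payload[i + 2:i + length]
        if num in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            attrs[num] = int.from_bytes(value[1:4], "big")
        elif num == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            attrs[num] = (value[1:] if value[:1] <= b"\x1f" else value).decode("ascii")
        elif num == ATTR_VENDOR_SPECIFIC:
            vendor, vtype = struct.unpack("!IB", value[:5])
            attrs[(num, vendor, vtype)] = value[6:].decode("ascii")
        else:
            attrs[num] = value.decode("ascii")
        i += length
    return attrs


def apply_authorization(attrs, vlans=SWITCH_VLANS, acls=SWITCH_ACLS):
    """Switch-side application of the server's instructions."""
    vlan_id = None   # no tunnel attributes: the port keeps its configured access VLAN
    if ATTR_TUNNEL_PRIVATE_GROUP_ID in attrs:
        medium = (attrs.get(ATTR_TUNNEL_TYPE), attrs.get(ATTR_TUNNEL_MEDIUM_TYPE))
        if medium != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802):
            return ("failed", "tunnel attributes are not Tunnel-Type VLAN / Tunnel-Medium-Type 802")
        name = attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]
        if name not in vlans:
            return ("failed", f"no VLAN named {name!r} on this switch")   # the deck's example failure
        vlan_id = vlans[name]
    acl = attrs.get(ATTR_FILTER_ID)
    if acl is not None and acl not in acls:
        return ("failed", f"no ACL named {acl!r} on this switch")
    return ("authorized", {"vlan": vlan_id, "acl": acl})


if __name__ == "__main__":
    payload = build_accept_attrs("Marketing", acl_name="MKT-ACL", qos_policy="GOLD")
    print(decode_attrs(payload))
    print(apply_authorization(decode_attrs(payload)))
    print(apply_authorization(decode_attrs(build_accept_attrs("employee"))))
```

The last print in the script reproduces the slide’s failure case: the server said yes, the attributes decode cleanly, and the switch still refuses because “employee” is not a VLAN it knows. Checking the VLAN and ACL names on the switch against what the RADIUS server is configured to send is the practical pre-deployment test this implies.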
Inaccessible Authentication Bypass
CatOS: set port dot1x 5/1 critical 10
IOS:
dot1x critical
radius-server x.x.x.x username test password test
interface gigabitethernet 1/0/1
 dot1x critical
 dot1x critical vlan 10
Sequence: Port Unauthorized (X); EAPOL-Start; EAP-Identity-Request; EAP-Identity-Response; Auth Exchange with AAA Server: server unreachable (X), critical port authorization applies (√); EAP-Success/Failure
• Port authorized
• Move to access VLAN (first authentication)
• Or keep existing VLAN (re-authentication)
IBNS Reporting and Monitoring
Major components of IBNS monitoring:
• RADIUS accounting
• NAD logs
• RADIUS logs
• NAD CLI
Major components of IBNS reporting:
• Correlated log reports (MARS)
802.1x with RADIUS Accounting
Supplicant ↔ 802.1x process (switch) ↔ RADIUS process:
1. Authenticate
2. EAPOL-Success to the supplicant / Access-Accept from the RADIUS server
3. Accounting-Request
4. Accounting-Response
Accounting-Request packets contain one or more AV pairs that report various events and related information to the RADIUS server. User-level events are tracked using the same mechanism.
802.1x with RADIUS Accounting
Similar to other accounting and tracking mechanisms that already exist using RADIUS, this can now be done through 802.1x. It increases network session awareness and provides information to a management infrastructure about who logs in, session duration, basic billing usage reporting, etc. It provides a means to map the authenticated information: Identity = IP, Port, MAC, Switch; IP = Port, MAC, Switch; Switch + Port = Location.
CatOS: set dot1x radius-accounting enable
IOS: aaa accounting dot1x default start-stop group radius
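The two slides above (the QoS policy pushed as a Cisco vendor-specific attribute, and the Accounting-Request the switch sends after authentication) both come down to RADIUS attribute encoding. The following is an added example, not code from the deck or from Cisco: it builds a RADIUS Accounting-Request (RFC 2866) that carries a Cisco VSA (attribute 26, vendor ID 9, vendor type 1, the Cisco-AVPair), computes the Request Authenticator the server uses to check the packet, and parses it back. The user name, session id, MAC and the AVPair value "example:qos-policy=voice" are constructed placeholders, not a real Cisco attribute string.

```python
"""Build, authenticate and parse a RADIUS Accounting-Request carrying a
Cisco vendor-specific attribute. Added example, not Cisco code."""
import hashlib
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_VENDOR_SPECIFIC = 26          # [026] on the slide
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1

CISCO_VENDOR_ID = 9                # [009] on the slide
CISCO_AVPAIR = 1                   # [001] on the slide: vendor type 1 = Cisco-AVPair


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(avpair: str) -> bytes:
    """Vendor-Specific attribute: 4-byte vendor id, then a vendor-type /
    vendor-length sub-header (length counts its own two bytes) and the string."""
    data = avpair.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_accounting_request(identifier, secret, username, session_id, nas_port, mac, avpair):
    """Accounting-Request (Start) for one 802.1x session. All values constructed."""
    attrs = (
        attr(ATTR_USER_NAME, username.encode())
        + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
        + attr(ATTR_ACCT_SESSION_ID, session_id.encode())
        + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
        + attr(ATTR_CALLING_STATION_ID, mac.encode())
        + cisco_vsa(avpair)
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(payload: bytes) -> list:
    """Walk the attribute list; Cisco VSAs are expanded to ('cisco-avpair', str)."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + length]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype != CISCO_AVPAIR or vlen != len(value) - 4:
                raise ValueError("malformed Cisco VSA")
            out.append(("cisco-avpair", value[6:6 + vlen - 2].decode()))
        else:
            out.append((t, value))
        pos += length
    return out


def verify_accounting_request(packet: bytes, secret: bytes):
    """Server-side check: recompute the authenticator; None if it does not match."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if packet[4:20] != expected:      # wrong shared secret or altered packet
        return None
    return parse_attributes(attrs)
```

The authenticator is what stops a host on the access VLAN from forging accounting records toward the server: without the shared secret the MD5 over the packet cannot be produced, so the server drops the request instead of recording a bogus session.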
Demonstrations
Authentication with 802.1x: 1) dynamic VLAN assignment; 2) QoS deployment on the switch port (with and without a worm...); 3) accounting log on the RADIUS server; 4) if possible, the username in the port description.
Agenda
Authentication (Internet / Intranet): who can access the network; the impact of telephony; 802.1x, visitors, Web-based authentication.
Endpoint compliance at connection time: on the LAN, over VPN, etc.
Best practices for controlling users connected to the network: security features present in Cisco switches; is QoS deployed?; Cisco Security Agent (CSA); network monitoring and configuration.
What Is Network Admission Control?
Using the network to enforce policies ensures that incoming devices are compliant.
Identity: Who is the user? Is s/he authorized? What role does s/he get?
PLUS device security: Is MS patched? Does A/V or A/S exist? Is it running? Are services on? Do required files exist? Is policy established? Are non-compliant devices quarantined? Is remediation required? Is remediation available?
= Network security (NAC)
Make Access Contingent on Compliance
First, establish ACCESS POLICIES. Then:
Authenticate & Authorize: enforces authorization policies and privileges; supports multiple user roles.
Scan & Evaluate: agent scan for required versions of hotfixes, AV, etc.; network scan for virus and worm infections and port vulnerabilities.
Quarantine & Enforce: isolates non-compliant devices from the rest of the network; MAC- and IP-based quarantine effective at a per-user level.
Update & Remediate: network-based tools for vulnerability and threat remediation; help-desk integration.
NO COMPLIANCE = NO NETWORK ACCESS
NAC Means Better Criteria for Security
What system is it? Windows, Mac or Linux; laptop, desktop or PDA; printer or other corporate asset.
Who owns it? Company employee, contractor, guest, unknown.
Where is it coming from? VPN, LAN, WLAN, WAN.
What's on it? Anti-virus, anti-spyware, personal firewall, patching tools. Is it running?
What's the preferred way to check/fix it? Pre-configured checks, customized checks, self-remediation or auto-remediation, third-party software.
Four Key Capabilities of Cisco NAC
1. Securely Identify Device and User. What it means: associate users to devices. Why it is important: associating users with devices enables granular enforcement of policies by role or group.
2. Enforce Consistent Policy. What it means: assess devices; enforce policies. Why it is important: enforcement at the network reduces reliance on the integrity of the endpoint.
3. Quarantine and Remediate. What it means: isolate and fix non-compliant devices. Why it is important: quarantine is critical to halt the spread of vulnerabilities; remediation addresses root cost drivers.
4. Configure and Manage. What it means: create and manage policies easily. Why it is important: policies that are easy to create and maintain lead to better system operations and adherence.
A comprehensive NAC solution must have all four capabilities: the absence of any one weakens the solution.
Cisco NAC Is Widely Deployed Today
NAC Appliance has 1500+ customers worldwide: mid-market and large enterprises, financial services, healthcare/manufacturing, public sector. One product for all use cases: managed LAN/VoIP users, unmanaged/guest LAN users, wireless LAN users, VPN/remote/WAN users; remote access, wireless/guest and campus LAN.
"Cisco.. is unrivaled as a market leader in the NAC appliance space, holding over 45% of the market." -- Frost & Sullivan, 11/06
NAC Appliance Components
Cisco Clean Access Manager: centralizes management for administrators, support personnel, and operators.
Cisco Clean Access Server: serves as the enforcement point for network access control.
Cisco Clean Access Agent: optional lightweight client for device-based registry scans in unmanaged environments.
Rule-set updates: scheduled automatic updates for anti-virus, critical hot-fixes and other applications.
NAC Appliance Use Cases
Branch compliance: branch access only for compliant devices (remote branch).
Campus LAN compliance: LAN network access only for compliant devices (campus building 1).
Wireless compliance: secure network access only for compliant wireless devices (wireless, building 2).
Intranet access compliance: ensure hosts are hardened prior to connecting to ERP, HRIS, BPM, etc. (802.1Q).
Guest compliance: restricted access only for guest users (conference room in building 3).
VPN user compliance: intranet access only for compliant remote access users (Internet, IPSec).
Cisco NAC Appliance Overview: The Goal
Components in the figure: Authentication Server, Cisco Clean Access Manager, Cisco Clean Access Server, Intranet/Network.
1. End user attempts to access a Web page or uses an optional client. Network access is blocked until the wired or wireless end user provides login information.
2. User is redirected to a login page. Clean Access validates username and password, and also performs device and network scans to assess vulnerabilities on the device.
3a. Device is noncompliant or login is incorrect: user is denied access and assigned to a quarantine role with access to online remediation resources.
3b. Device is "clean": machine gets on the "certified devices list" and is granted access to the network.
End User Experience: Web-based
Login screen; scan is performed (types of checks depend on user role/OS); click-through remediation.
Flash Demo - cca_agentless_swf_v3.swf
End User Experience: with Agent
Login screen; scan is performed (types of checks depend on user role); scan fails; remediate.
Flash Demo - cca_inline_agent_sso_swf_v1.swf
Cisco NAC Appliance Partnerships
Cisco NAC is committed to protecting customers' investments in partner applications. NAC Appliance supports policies for 300+ applications, including these vendors: (vendor logos)
Corporate/Employee Posture Assessment
Corporate asset tag: unique registries inserted into corporate devices; corporate PKI certificates installed in corporate devices.
Microsoft hotfixes: critical hot-fix checks (provided via Cisco automated updates); SUS/WUS running or AU options (can force the setting); patch management software running (can launch a qualified .exe).
Security applications: HIDS (CSA) or personal firewall installed and running; AV installed, running and with the latest DAT (can launch AV); anti-spyware installed and running; encryption software installed and running.
NAC Decision Tree for Employee
Corp asset tag? No: no access, call HelpDesk (quarantine).
SUS/SMS/CSA running? No: no access, start service.
AV/AS up to date? No: Internet only, launch AV.
Hotfixes up to date? No: Internet only, SUS/SMS runs.
All checks pass: Access.
Cisco Clean Access for Corporate LAN
Topology: central site with CCA; campus buildings (corporate users, guest users) reached over multi-hop IP, 802.1q and L2TPv3.
Features and benefits:
Supports 802.1q trunking: enables central deployment mode.
Supports both L3 multi-hop and L2: end user devices can be several hops away.
Supports L2TPv3 tunneling: extends enforcement to campus buildings.
Supports both in-band and out-of-band; leverages AD SSO.
Cisco Clean Access for Remote Users
Topology: central site with CCA; supply partner extranet over IPSec VPN; mobile user (account manager) over SSL tunnel VPN and multi-hop IP; home office and branch office (unmanaged desktop, corporate users) over IPSec VPN with CCA.
Features and benefits:
Supports IPSec and SSL tunnel VPNs: extends policy enforcement and compliance to remote access and VPN users.
Supports site-to-site VPNs: extends enforcement to site-to-site VPN partners.
Supports VPN user sign-on: leverages VPN sign-on for single sign-on.
End User Experience: Remote Access
Flash Demo - cca_ssl_vpn_swf_v1.swf
Cisco Clean Access for Wireless Users
Topology: central site with CCA and WLSM; wireless networks (guest users, campus building wireless users) over 802.1q, LWAPP and GRE.
Features and benefits:
Supports 802.1q trunking: enables central deployment mode.
Supports L2TPv3 or GRE tunneling: end user devices can be several hops away.
Supports thin or thick wireless 802.11 APs: extends enforcement to any wireless network.
Supports wireless user sign-on: leverages EAP sign-on for single sign-on.
NAC Appliance Process Flow: Out-Of-Band Access
Topology: laptop/host with CCA Agent on a switch port; authentication VLAN 110 and access VLAN 10; CAS (CCA Server) on VLAN 110; CAM (CCA Manager); network.
1. End user attaches a laptop to the network.
2. Switch sends the MAC address via SNMP-based notification to the CAM.
3. CAM verifies if the laptop is on the "OOB online" or "Certified devices" lists.
• If the laptop is not in the "OOB online" or "Certified devices" list, the CAM instructs the switch to assign the port to the authentication VLAN.
• A DHCP address is assigned as DHCP/DNS traffic traverses the CAS using VLAN mapping.
4. CAS is on the same authentication VLAN as the laptop. CAS enforces the network access restriction.
5. Laptop is challenged for credentials to determine "role".
• CCA Agent receives compliance "checks" from the CAS based on "role."
• CCA Agent guides the host through a step-by-step remediation process.
• User is allowed access to remediation sites, enforced by the CAS.
6. CAS informs the CAM that the host is now "certified."
7. CAM instructs the switch to put the port onto the "access" VLAN based on port mapping or the role assignment.
8. Laptop is now allowed access to the production network.
Flash Demo - cca_oob_agent_sso_swf_v1.swf
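The out-of-band flow above and the employee decision tree a few slides earlier describe one procedure: the switch reports a MAC, the CAM decides between the authentication and access VLANs, and the CAS posture check decides the role. The following simulation is an added example written for these slides, not Cisco Clean Access code. The VLAN numbers follow the figures (10 = access, 110 = authentication); the Posture fields, role names and MAC addresses are constructed for the example, and the choice to leave a non-certified host on VLAN 110 under CAS enforcement is a modelling assumption.

```python
"""Out-of-band NAC flow with the employee posture decision tree.
Added example; not Cisco code."""
from dataclasses import dataclass

ACCESS_VLAN = 10
AUTH_VLAN = 110


@dataclass
class Posture:
    corp_asset_tag: bool
    sus_sms_csa_running: bool
    av_as_up_to_date: bool
    hotfixes_up_to_date: bool


def employee_decision(p: Posture) -> tuple:
    """Decision tree from the slide, top-down: the first failed check decides."""
    if not p.corp_asset_tag:
        return ("quarantine", "No access, call HelpDesk")
    if not p.sus_sms_csa_running:
        return ("quarantine", "No access, start service")
    if not p.av_as_up_to_date:
        return ("internet_only", "Internet only, launch AV")
    if not p.hotfixes_up_to_date:
        return ("internet_only", "Internet only, SUS/SMS runs")
    return ("access", "Access")


class CleanAccessManager:
    """Models the CAM: keeps the certified-devices list and tells the switch
    which VLAN each port belongs on."""

    def __init__(self):
        self.certified = set()   # "Certified devices" list, keyed by MAC
        self.port_vlan = {}      # switch port -> VLAN currently assigned
        self.events = []

    def mac_notification(self, port, mac):
        # Steps 2-3: SNMP notification from the switch. Unknown hosts go to the
        # authentication VLAN where the CAS sits; certified hosts go straight to access.
        vlan = ACCESS_VLAN if mac in self.certified else AUTH_VLAN
        self.port_vlan[port] = vlan
        self.events.append(f"{port}: {mac} -> VLAN {vlan}")
        return vlan

    def cas_result(self, port, mac, role):
        # Steps 6-7: only a host the CAS reports as certified is moved to the
        # access VLAN; anything else stays on VLAN 110 under CAS enforcement
        # (modelling assumption for this example).
        if role == "access":
            self.certified.add(mac)
            self.port_vlan[port] = ACCESS_VLAN
        self.events.append(f"{port}: {mac} role={role} -> VLAN {self.port_vlan[port]}")
        return self.port_vlan[port]


def connect(cam, port, mac, posture):
    """One end-user connection: returns (final VLAN, role, message)."""
    vlan = cam.mac_notification(port, mac)                   # steps 1-3
    if vlan == ACCESS_VLAN:                                   # already certified: no re-scan
        return (vlan, "access", "Access")
    role, message = employee_decision(posture)                # steps 4-5: CAS checks by role
    return (cam.cas_result(port, mac, role), role, message)   # steps 6-8
```

Reconnecting a laptop that is already on the certified list skips the scan and lands on VLAN 10 at once, which is exactly why the certified list needs an expiry in a real deployment: the simulation does not age entries out.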
Catalyst Access Control Lists
What it does: allows or denies access based on the source or destination address. Restricts users to designated areas of the network, blocking unauthorized access to all other applications and information.
Benefits: prevents unauthorized access to servers and applications; allows designated users to access specified servers.
PACL: provides granular control for limited access by the access port of the device.
RACL: controls traffic on Layer 2 and 3 interfaces.
VACL: provides granular control for limited access within a VLAN or subnet.
Time-based ACL: the ACL becomes active at a certain time of the day.
Protecting against Worms – 1
How it works: ACLs provide a mechanism to protect servers, users and applications against worms by determining which traffic streams or users can access which ports (figure: port 1434, internal network). Using ACLs, the virus or worm is not able to replicate from its hosts.
Time-Based ACLs
How it works: controls the switching of data based on the time of day.
Figure: OK to use Server 1; not OK to use Server 2; OK to use Server 3; not OK to use Server 4. The ACL goes on at 8:00 AM and goes off at 5:00 PM.
Keeping Neighbors Separated
Problem: neighbors on the same switch can view each other's traffic, including logon IDs and passwords; enforcing policy on how traffic is passed between workgroups.
Solution: Private VLAN Edge to block Layer 2 traffic between users in the same VLAN.
Raising the Bar on Surveillance Attacks: MAC Flooding Attacks
"Script kiddie" hacking tools enable attackers to flood switch CAM tables with bogus MACs, turning the VLAN into a "hub" and eliminating privacy. A switch CAM table supports a limited number of MAC addresses (figure: 132,000 bogus MACs).
Port security limits the MAC flooding attack, locks down the port and sends an SNMP trap (figure: only 3 MAC addresses allowed on the port, 00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, ...; shutdown).
Port Security
What it does: limits the number of MAC addresses that are able to connect to a switch and ensures only approved MAC addresses are able to access the switch (figure: 1 MAC address √, additional MAC address X).
Benefit: ensures only approved users can log on to the network.
Notification for Intrusion
Unauthorized MAC address notification alerts network administrators if unauthorized users come on to the network (figure: unauthorized user → Alert! → network administrator; user identified).
DHCP Snooping
What it does: with DHCP snooping enabled, the switch forwards only DHCP requests from untrusted access ports and drops all other types of DHCP traffic. Only designated DHCP ports or uplink ports are trusted to relay DHCP messages. Builds a DHCP binding table containing client IP address, client MAC address, port, and VLAN number (figure: trusted DHCP server port; untrusted client port; DHCP request and DHCP ACK √; rogue server X).
Benefit: eliminates rogue devices from behaving as the DHCP server.
Dynamic ARP Inspection
Protects against ARP poisoning:
• Uses the DHCP snooping binding table
• Tracks MAC to IP from DHCP transactions
• Rate-limits ARP requests from client ports; stops port scanning
• Drops bogus ARPs; prevents ARP poisoning/MIM attacks
Figure: gateway = 10.1.1.1 (MAC A); attacker = 10.1.1.25 (MAC B); victim = 10.1.1.50 (MAC C). The attacker sends the gratuitous ARPs "10.1.1.50 = MAC_B" and "10.1.1.1 = MAC_B".
IP Source Guard: Protection against Spoofed IP Addresses
Protects against spoofed IP addresses:
• Uses the DHCP snooping binding table
• Tracks IP address to port associations
• Dynamically programs a port ACL to drop traffic not originating from the IP address assigned via DHCP
Figure: gateway = 10.1.1.1; attacker = 10.1.1.25 claims "Hey, I'm 10.1.1.50!"; victim = 10.1.1.50.
Private VLAN
How it works: a common subnet is sub-divided into multiple private VLANs. Hosts on a given private VLAN can only communicate with the default gateway, NOT with other hosts on the network (figure: primary VLAN with the default gateway; community VLAN 'A', community VLAN 'B', and an isolated VLAN with isolated ports).
Benefit: simplified mechanism of traffic management while conserving IP address space.
Catalyst Integrated Security Features Summary (IOS)
  ip dhcp snooping
  ip dhcp snooping vlan 2-10
  ip arp inspection vlan 2-10
  !
  interface fa3/1
   switchport port-security
   switchport port-security max 3
   switchport port-security violation restrict
   switchport port-security aging time 2
   switchport port-security aging type inactivity
   ip arp inspection limit rate 100
   ip dhcp snooping limit rate 100
  !
  interface gigabit1/1
   ip dhcp snooping trust
   ip arp inspection trust
Port Security prevents MAC flooding attacks. DHCP snooping prevents client attacks on the switch and server. Dynamic ARP Inspection adds security to ARP using the DHCP snooping table. IP Source Guard adds security to the IP source address using the DHCP snooping table. All features work on switchports.
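The four features in the summary above share one data structure: the DHCP snooping binding table that DAI and IP Source Guard consult, alongside the per-port MAC limit of port security. The simulation below is an added example written to illustrate the preceding slides (MAC flooding, DHCP snooping, DAI and IP Source Guard), not Cisco code; it replays the attacker/victim figures with the constructed addresses from those figures (gateway 10.1.1.1, attacker 10.1.1.25 / MAC_B, victim 10.1.1.50 / MAC_C), and the port names are constructed as well.

```python
"""Simulated Catalyst access-port protections built on one DHCP snooping
binding table. Added example, not Cisco code."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass
class AccessSwitch:
    trusted_ports: set          # uplinks with "ip dhcp snooping trust" / "ip arp inspection trust"
    max_macs: int = 3           # "switchport port-security max 3"
    bindings: dict = field(default_factory=dict)    # ip -> Binding (DHCP snooping table)
    port_macs: dict = field(default_factory=dict)   # port -> set of learned MACs
    log: list = field(default_factory=list)         # what would be syslog / SNMP traps

    def _drop(self, msg: str) -> bool:
        self.log.append(msg)
        return False

    # DHCP snooping: server replies are only honoured from trusted ports, and a
    # valid reply records the client's lease in the binding table.
    def dhcp_server_reply(self, ingress_port, client_port, vlan, client_mac, offered_ip):
        if ingress_port not in self.trusted_ports:
            return self._drop(f"DHCP snooping: server reply on untrusted {ingress_port} dropped")
        self.bindings[offered_ip] = Binding(offered_ip, client_mac, client_port, vlan)
        return True

    # Port security: learn at most max_macs per untrusted port. "violation
    # restrict" drops the extra frames and logs, but leaves the port up.
    def learn_mac(self, port, mac):
        if port in self.trusted_ports:
            return True
        macs = self.port_macs.setdefault(port, set())
        if mac in macs:
            return True
        if len(macs) >= self.max_macs:
            return self._drop(f"port-security restrict: {mac} rejected on {port}")
        macs.add(mac)
        return True

    # Dynamic ARP Inspection: the sender IP/MAC in an ARP from an untrusted
    # port must match a binding learned on that same port.
    def arp_packet(self, port, sender_ip, sender_mac):
        if port in self.trusted_ports:
            return True
        b = self.bindings.get(sender_ip)
        if b is None or b.mac != sender_mac or b.port != port:
            return self._drop(f"DAI: bogus ARP {sender_ip}={sender_mac} on {port} dropped")
        return True

    # IP Source Guard: the source IP (and MAC) of an IP packet must be the
    # lease bound to that port; anything else is dropped by the port ACL.
    def ip_packet(self, port, src_ip, src_mac):
        if port in self.trusted_ports:
            return True
        b = self.bindings.get(src_ip)
        if b is None or b.port != port or b.mac != src_mac:
            return self._drop(f"IPSG: spoofed source {src_ip} on {port} dropped")
        return True


def run_scenario() -> dict:
    """Replays the attacker/victim figures from the slides (constructed values)."""
    sw = AccessSwitch(trusted_ports={"Gi1/1"})
    sw.learn_mac("Fa3/1", "MAC_B")      # attacker 10.1.1.25 on Fa3/1
    sw.learn_mac("Fa3/2", "MAC_C")      # victim 10.1.1.50 on Fa3/2
    # Legitimate leases arrive through the trusted uplink.
    sw.dhcp_server_reply("Gi1/1", "Fa3/1", 2, "MAC_B", "10.1.1.25")
    sw.dhcp_server_reply("Gi1/1", "Fa3/2", 2, "MAC_C", "10.1.1.50")
    return {
        "rogue_dhcp": sw.dhcp_server_reply("Fa3/1", "Fa3/2", 2, "MAC_C", "10.1.1.99"),
        "victim_arp": sw.arp_packet("Fa3/2", "10.1.1.50", "MAC_C"),
        "poison_victim": sw.arp_packet("Fa3/1", "10.1.1.50", "MAC_B"),   # "10.1.1.50 = MAC_B"
        "poison_gateway": sw.arp_packet("Fa3/1", "10.1.1.1", "MAC_B"),   # "10.1.1.1 = MAC_B"
        "spoofed_ip": sw.ip_packet("Fa3/1", "10.1.1.50", "MAC_B"),       # "Hey, I'm 10.1.1.50!"
        "own_ip": sw.ip_packet("Fa3/1", "10.1.1.25", "MAC_B"),
        "fourth_mac": all(sw.learn_mac("Fa3/1", m) for m in ("M2", "M3"))
                      and sw.learn_mac("Fa3/1", "M4"),
        "dropped": len(sw.log),
    }
```

Note the ordering dependency the slides state but do not spell out: DAI and IP Source Guard can only pass the victim's own ARP and IP packets because DHCP snooping recorded its lease first; a statically addressed host on an untrusted port would be dropped too unless a static binding is added.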
Cisco Security Agent: Host Based Intrusion Prevention
Endpoint + Network = Effective Collaborative Security
November 2006
Zero-Day Protection
Cisco defines Host-Based Intrusion Prevention as the ability to stop Zero Day malicious code without reconfiguration or update. CSA has effectively stopped Zero Day exploits, worms, and viruses over the past 6 years:
2001 – Code Red, Nimda (all 5 exploits), Pentagone (Gonner)
2002 – Sircam, Debploit, SQL Snake, Bugbear
2003 – SQL Slammer, So Big, Blaster/Welchia, Fizzer
2004 – MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
2005 – Internet Explorer Command Execution Vulnerability, Zotob
2006 – Internet Explorer textrange vulnerability
No signatures, reconfiguration or binary updates required.
Intercepting Operating System Calls
The Cisco Security Agent intercepts application OS calls and invokes an allow/deny response. Interceptors monitor calls for resource access: file system; network (inbound/outbound); registry; execution (process creation, library access, executable invocation). "Zero Update" architecture: behavior-based control means you don't need a new signature to stop the next attack.
Correlation
Figure: Browser → HTTP (80) CONNECT() system call → OPEN(WRITE) system call → downloaded content → port 6667 CONNECT() system call, open command shell, modify registry Run keys, overwrite system files.
Malicious behavior is most accurately identified in context. Cisco Security Agent correlation does this automatically; no configuration required.
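To make the "identified in context" point concrete, here is an added example of a small behaviour correlator in the spirit of the figure above; it is not CSA's engine and not code from the deck. Each intercepted call is judged against what the process has already done: a file written by a process that opened an outbound connection is treated as downloaded content, and only for such content are the four follow-on behaviours from the figure (IRC port, command shell, Run-key write, system-file write) denied. The event stream, image paths and registry key are constructed for the example.

```python
"""Toy host-based correlator: allow/deny decisions that depend on the
process's earlier calls. Added example, not CSA code."""
from dataclasses import dataclass

IRC_PORT = 6667
RUN_KEY = "\\Microsoft\\Windows\\CurrentVersion\\Run"
SYSTEM_DIR = "C:\\Windows\\System32\\"
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass
class Event:
    process: str   # image path of the process making the call
    call: str      # CONNECT, OPEN_WRITE, EXEC or REG_WRITE
    arg: object    # port, file path, image name or registry key


class Correlator:
    def __init__(self):
        self.network_procs = set()   # processes that opened an outbound connection
        self.downloaded = set()      # files written by a process with network access
        self.alerts = []

    def _suspicious(self, ev: Event):
        """Reason string if the call is one of the post-download behaviours, else None."""
        if ev.call == "CONNECT" and ev.arg == IRC_PORT:
            return "IRC connection"
        if ev.call == "EXEC" and str(ev.arg).lower() in SHELLS:
            return "command shell spawned"
        if ev.call == "REG_WRITE" and RUN_KEY.lower() in str(ev.arg).lower():
            return "registry Run key modified"
        if ev.call == "OPEN_WRITE" and str(ev.arg).lower().startswith(SYSTEM_DIR.lower()):
            return "system file overwritten"
        return None

    def handle(self, ev: Event) -> str:
        """Decide allow/deny for one intercepted call and update the context."""
        reason = self._suspicious(ev)
        # Context is what matters: the same calls from ordinary local software
        # are allowed; from content that arrived over the network they are denied.
        if reason and ev.process in self.downloaded:
            self.alerts.append(f"{ev.process}: {reason} (downloaded content)")
            return "deny"
        if ev.call == "CONNECT":
            self.network_procs.add(ev.process)
        elif ev.call == "OPEN_WRITE" and ev.process in self.network_procs:
            self.downloaded.add(ev.arg)   # e.g. a browser saving a file to disk
        return "allow"


# Constructed event stream following the figure, plus one benign control event.
SAMPLE = [
    Event("C:\\Program Files\\Browser\\browser.exe", "CONNECT", 80),
    Event("C:\\Program Files\\Browser\\browser.exe", "OPEN_WRITE", "C:\\Users\\jdoe\\Downloads\\setup.exe"),
    Event("C:\\Users\\jdoe\\Downloads\\setup.exe", "CONNECT", 6667),
    Event("C:\\Users\\jdoe\\Downloads\\setup.exe", "EXEC", "cmd.exe"),
    Event("C:\\Users\\jdoe\\Downloads\\setup.exe", "REG_WRITE",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
    Event("C:\\Users\\jdoe\\Downloads\\setup.exe", "OPEN_WRITE", "C:\\Windows\\System32\\drivers\\x.sys"),
    # Same Run-key write by a locally installed updater: no download context, allowed.
    Event("C:\\Program Files\\Updater\\updater.exe", "REG_WRITE",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
]


def replay(events) -> tuple:
    """Run an event stream; returns (per-call decisions, alerts)."""
    c = Correlator()
    decisions = [c.handle(e) for e in events]
    return decisions, c.alerts
```

The last event is the check a practitioner wants: a signature on "writes a Run key" alone would flag the updater too, while the context rule only denies the process whose image was written by a network-connected process.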
Malicious Behavior
1. Probe: ping addresses; scan ports; guess passwords; guess mail users. (Rapidly mutating; continual signature updates; inaccurate.)
2. Penetrate: mail attachments; buffer overflows; ActiveX controls; network installs; compressed messages; backdoors.
3. Persist (target): create new files; modify existing files; weaken registry security settings; install new services; register trap doors.
4. Propagate: mail copy of attack; Web connection; IRC; FTP; infect file shares.
5. Paralyze: delete files; modify files; drill security hole; crash computer; denial of service; steal secrets. (Most damaging; changes very slowly; inspiration for the CSA solution.)
Global Correlation
Correlation on Agent: higher accuracy; fewer "false positive" events.
Correlation on Manager (Management Center): higher accuracy; fewer "false negative" events; stops the attack before it reaches targets. Example: distributed "ping scans", network worm propagation.
Cisco Security Agent offers unique agent- and management-level correlation.
CSA Policy Control
Some types of behavior are not malicious, but are undesired because they violate Acceptable Use policy: music sharing via peer-to-peer (p2p) applications; instant messaging using non-corporate IM servers; protecting sensitive organizational data; configuration lockdown during the end-of-year reporting period; which devices cannot be used (USB memory, multimedia devices); use of unauthorized applications, or unauthorized versions of apps.
CSA policy control modules include: Data Theft Prevention policy; Instant Messenger Control policy; Music Download Prevention policy; Network Lockdown policy.
Provide user feedback via pop-up query and audit to demonstrate compliance.
Quality of Service (QoS) as a Solution
QoS benefits, during a disaster: mission-critical data still gets through; latency-sensitive applications will not be affected. In general: cost savings, especially on WAN links.
QoS challenges: the trust boundary generally ends at the access switch; lengthy configuration process based on addresses and ports; many applications don't have QoS functionality; cheaters can skew service delivery; the entirety of QoS responsibility rests with network ops.
CSA + IPS Collaboration with Cisco Network IPS Version 6.0
- Enhanced contextual analysis of endpoint
- Ability to use CSA inputs to influence IPS actions
- Correlation of info. contained in CSA watch list
- Host quarantining
Scenario (figure: Management Console, Service Provider, IPS): the CSA watch list contains 10.1.10.1 (OS = Windows XP); the IPS elevates the risk rating and denies 10.1.10.1.
Port scan from an IP not in the watch list: source 10.1.10.2 initiates a port scan destined for internal servers; alarm only.
Port scan from an IP on the watch list: watch-list source 10.1.10.1 initiates a port scan destined for internal servers; drop packet.
How does Cisco Security Agent investigation work?
What do I have? What do I use? Is it at risk or malicious? How do I control it?
What Do I Have?
Which known and unknown apps are installed? Which hotfixes are installed? Reports where spyware may have been installed.
What Do I Use?
Not all installed apps are actually used. CSA can track which ones are and how they communicate. Reports unnecessary apps (servers that listen on a port but don't accept connections).
Is it at Risk?
CSA monitors all file, Registry, COM, and network behavior. Unknown apps can be easily investigated, even when the agent is remote. Suspicious apps can be verified to be malicious or safe from a central location. No network access: this probably is not a big risk.
How Do I Control It?
Cisco Security Agent policy provides fine-grained control: disallow execution of the app; allow execution, but block the bad behavior; use Query messages to let the user know that what they are doing is being audited. Cisco Security Agent offers a behavior-based feedback loop so that you can actively understand and control what is happening on endpoints. The feedback loop helps control identified behavior and refine default policies, without visiting the endpoint.
Trusted Boot
No CSA running, boot to non-primary disk, BIOS update: NAC posture = QUARANTINE, CSA state = INSECURE BOOT. Boot to primary disk: NAC posture = REMEDIATE. Dynamic policy change.
CSA 5.2 - Wireless Control
Per-application QoS Prioritization
Restrict wireless communication when wired NIC is active
Connection restrictions - certain SSIDs, encryption, ad-hoc
Require VPN connection when out of the office
Wireless Controls
Variable based on interface properties and other strings; implemented as both a NACL option and a system state.
Additional Wireless Benefits
Trunked NICs may show up as multiple virtual NICs; separation of voice and data VLANs at the endpoint; broadband cards can be restricted using PPP.
Endpoint Security Landscape
Client security suites: anti-virus, anti-spyware, personal firewall. Cisco Security Agent: host IPS, acceptable use policy, application analysis.
Cisco's integration of endpoint and network security improves security and enhances network services: NAC, trusted QoS, increased IPS accuracy, rapid containment.
Cisco Security Manager Overview
Superior usability: administer policies visually on tables or with a few mouse clicks; Jumpstart help, an extensive animated learning tool; flexible management views (policy-based, device-based, map-based, VPN-based); powerful device grouping options; sophisticated rule table editing.
VPN administration: VPN wizard to set up site-to-site, hub-and-spoke, and full-mesh VPNs on the topology map; configure remote-access VPN, DMVPN, and Easy VPN devices.
Policy administration: the Policy Inheritance feature enables consistent policies across the enterprise.
Firewall administration: centrally provision policies for firewalls, VPNs, and IPSs; configure policies for ASA, Cisco® PIX® Firewall, FWSM, and Cisco® IOS Software; single rule table for all platforms; intelligent analysis of policies; compresses the number of access rules required.
IPS administration: very scalable; automatic updates to the IPS sensors; support for Outbreak Prevention Services.
Cisco Security Manager Key Differentiation Value
Offers a single, integrated application for managing security across Cisco® security devices; provides multiple views to suit operational needs; scales to many hundreds of remote sites; enforces corporate rules and provides best-practice guidelines; reduces the complexity of different device classes through device abstraction; enables SecOps and NetOps to work together; controls who can do what on which device; offers efficiency in distributing changes to always-on and intermittently-on devices.
Cisco Security Configuration Focus
Focuses on configuration management of security policies in the network.
Usability is critical:
– Provides multiple views to fit the operational needs
– Offers an easy-to-use, visually appealing user interface
– Provides wizards to reduce complexity
– Offers advanced tools for the sophisticated user
Core differentiating concepts:
– Policy sharing and inheritance
– Domain-based policy enforcement
– Decision support workflow for NetOps and SecOps
– Role-based access control for scaled operations
– Distributed large-scale deployment
Cisco Security Manager: "It has to be easy to use and flexible."
Feature-rich front end with different views for different administration preferences: Device view, Topology view, Policy view. One-stop shop for VPN creation and customization; unified service management.
Device-Centric View
• Start with single device
• Clone and replicate
• Rapidly deploy the device settings
Policy-Centric View
• Centralized policy management
• Powerful scalability through inheritance, reuse, assignment, and sharing
Topology-Centric View
• Put devices on customizable maps and image backdrops
• Build VPNs with right click
• Launch firewall rules and configure
• Build maps within maps to scale
VPN – Wizard-Based Configuration
• Wizard-based configuration
• Three steps to create a VPN:
  1 → Choose VPN topology and technology.
  2 → Choose participants.
  3 → Customize protected traffic if needed.
Multiple VPN Topologies – Site-to-Site, DMVPN, RA VPN, and Easy VPN
Power Tools: Configuration Archive
• Retrieve and compare delta configurations for deployment
• Can roll back to “golden” or “last known good” configuration
• Compare among previously deployed configurations
Power Tools – FlexConfig
• FlexConfig: users can create custom CLI and deploy it as jobs to device(s)
• Convert custom CLI to policies
• Enable feature velocity
• Rapidly add new feature support to devices
Policy Sharing and Inheritance Model – “Scalable policy definition, set once, deploy to many”
What Is It?
• Decouples devices from policies
Example
• Share common policies across device groups for
  – Branch firewall policy
  – Site-to-site VPN
  – Device administration
• Corporate mandatory policies
  – No Napster traffic, period
  – Allow SSH and SSL
Benefit
• Reduced complexity for administrators
• Do more with fewer resources
(Diagram: one central policy shared to several Remote Branch policies; the central policy can optionally be overridden at the local level)
Domain-Based Policy Enforcement – “Fine-grain control of what traffic flows where”
What Is It?
• Interface groups: interfaces related to a domain
• User customizable
Example
• Define policy to control traffic between domains
Benefit
• Enforce policies based on organizational needs
(Diagram: Marketing, Engineering, and Sales domains)
Workflow – “Enable different management teams to work together”
What Is It?
• Structured process for change management that complements your operational environment
Example
• Who can set policies
• Who can approve them
• Who can approve deployment and when
• Who can deploy them
Benefit
• Enables teamwork and collaboration between NetOps and SecOps
• Provides scope of control
(Diagram: Security Operations – Policy Definition: Create/Edit Policy → Review/Submit → Approve/Commit, with Undo; Network Operations – Policy Deployment: Generate/Deploy Job → Submit Job → Approve Job, with Rollback; both feeding Firewall, VPN, and IPS Services)
Role-Based Access Control
What Is It?
• Authenticates administrator’s access to management system
• Determines who has access to specific devices and policy functions
Example
• Verifies administrator and associate administrators to specific roles as to who can do what
Benefit
• Enables delegation of administrator tasks to multiple operators
• Provides appropriate separation of ownership and controls
(Diagram: Cisco Security Manager with Cisco Secure ACS for AAA, managing Cisco IOS® Software, Cisco PIX® Firewall and Cisco ASA, Remote Access and Home Office devices)
Scalable Distributed Deployment
What Is It?
• Simplified distributed deployment method for thousands of remote devices
Example
• Updates large numbers of remote firewalls, which may have dynamic addresses, intermittent links, or NAT addresses
• Updates both configurations and software images
• Devices self-update whenever they come online
• Scales through Web technologies
Benefit
• Helps customers with thousands of teleworkers and remote locations with minimal technical staff at the remote site
(Diagram: Extranet, self-managed ROBO, and telecommuter devices reaching an Update Appliance (Cisco CNS-CE) in the DMZ over the Internet; Update Servers (Cisco CNS-CE) on the Enterprise Intranet)
Cisco Security Manager 3.1 New Features
• Native IPS
• VPN discovery
• SSL VPN support
• Rule table enhancements, folders, and local rules
• Rule combiner
• Advanced Cisco IOS® Software interface and platform settings discovery
• xDM (Cisco® ASDM, SDM, IDM, and IEV) cross launch
• Native Cisco Catalyst® 6000, RACL
• VACL on Cisco Catalyst 6000
• Inventory report with device status
• Management protocol connectivity test
• Detailed Activity report
• High availability
Cisco Security Manager 3.1 IPS Highlights
• Full IPS management integration into Cisco® Security Manager 3.1
• Support of IPS 5.1, 6.0, and Cisco IOS® IPS 12.4(11)T1
• Signature Update wizard that allows insight and editing of signatures before deployment, with insight into MySDN
• Automatic policy-based IPS sensor software and signature updates
• IPS subscription licensing provisioning
• Role-based access control, policy rollback, configuration archive, deployment manager, cloning and creation of signatures, policy sharing, and inheritance
Cisco Security Manager 3.1 – IPS Device-Centric Signature View
(Screenshot callouts: Sort or Hide Columns; Rapidly Edit Signatures; Multiselect Signatures; Assign Actions; Named Filtering; Action Menus; Clone and Replicate)
Cisco Security Manager 3.1 – Policy-Centric Signature View
(Screenshot callouts: Quick Assignments; Copy Policy; Signature Inheritance; Named Filtering; Action Menus)
Cisco Security Manager 3.1 – Signature and System Update Wizard
(Screenshot callouts: Select Update Type (Signature or System); Check for Updates; Preview of Available Updates)
Cisco Security Manager 3.1 VPN Discovery
• Choose what topology you want to discover.
• Choose where to discover (from live devices or configuration files).
• Choose technology used.
• Choose the VPN participant devices.
• Start the discovery.
Cisco Security Manager 3.1 SSL VPN Wizard
• Wizard is provided to guide users through essential steps to create a functional SSL VPN.
• Wizard provides a quick and easy way for novice users to set up SSL VPN.
Cisco Security Manager 3.1 SSL VPN Policy
• Advanced users can use SSL VPN policies to fully customize every supported SSL VPN attribute.
Cisco Security Manager 3.1 Rule Combiner
• Optimize the rule table and dramatically reduce the number of firewall rules.
Cisco Security Manager 3.1 Local Rules and Rule Table Sections
• Local Rules – Easily specify local rules in addition to inherited rules.
• Rule Table Sections – Segregate the rule table into folder-like sections.
Cisco Security Manager 3.1 Cisco ACE Import and Object Group in Real Time
• Cisco® Application Control Engine (ACE) import and CLI paste – Quickly get CLI-based Cisco ACEs into the Cisco Security Manager rule table, either typed manually or from files.
• Object group in real time – Instantly create objects from the rule table source and destination addresses.
Cisco Security Manager 3.1 – xDM Cross Launch: Cisco ASDM, SDM, IDM, and IEV
• No embedded device manager code required on the device
• Open connection from Cisco Security Manager server to device
• No need to have connection from user desktop to the device
• Much faster startup
Cisco Security Manager 3.1 – xDM
• Use device manager logs to cross launch to policy
• Use packet tracer in Cisco® Adaptive Security Device Manager (ASDM)
Cisco Security Manager 3.1 – Native Cisco Catalyst 6000 Management: Interfaces, VLANs, and VLAN Groups
• Natively manage Cisco Catalyst® 6500 and Cisco® 7600; no more launching CiscoView Device Manager (CVDM).
• Manage all the VLANs, interfaces, VLAN groups, and mappings.
• Comprehensive Summary page shows all the mappings.
Cisco Security Manager 3.1 – Cisco Catalyst 6500 RACL Management
• Manage the Layer 3 access control list on the MSFC of Cisco Catalyst® 6500 and Cisco® 7600.
• Use the same powerful rule table as other devices such as Cisco ASA 5500 Series Adaptive Security Appliances, Cisco PIX® Firewall, or Cisco Integrated Services Routers.
Cisco Security Manager 3.1 – Inventory Report: Single View of All Critical Device Information
• One place to see all critical inventory information
• Device, VPN status
• Deployment status
• What policies assigned
• Status from external sources
Cisco Security Manager 3.1 – Connectivity Test
• Test available from Device Properties page when adding a device
Cisco Security Manager 3.1 – Activity Report: What Fields Changed; What Objects Changed
Cisco Security Manager 3.1 High Availability and Disaster Recovery
• Optional high-availability and disaster-recovery configurations
• Off-the-shelf hardware (servers, storage arrays) and software (Symantec/Veritas) plus specific customizations for Cisco® Security Manager
• Supports a wide variety of deployment options based on customer requirements
  – Single, dual-node cluster for high availability
  – Multiple geographically diverse clusters for disaster recovery
  – Fully automated failure detection and recovery
  – Shared local storage for zero data loss
  – Synchronous or asynchronous replication between sites for zero or near-zero data loss
Self-Defending Network Components
Defense-in-depth:
• Firewalls
• Proxies
• VPN
• Anti-virus
• Network IDS/IPS
• Host IDS/IPS
• Vulnerability Assessment
• Patch Management
• Policy Compliance
(Diagram: Router and Switch)
Cisco Security Mitigation, Analysis, and Response System – Next-Generation SIM/STM
Leverage YOUR existing investment to build “Pervasive Security”
• Correlate data from across the enterprise: NIDS, firewalls, routers, switches, CSA; Syslog, SNMP, RDEP, SDEE, NetFlow, endpoint event logs, multivendor
• Rapidly locate and mitigate attacks
Key Features:
• Determines security incidents based on device messages, events, and “sessions”
• Incidents are topologically aware for visualization and replay
• Mitigation on L2 ports and L3 chokepoints
• Efficiently scales for real-time use across the enterprise
CS-MARS – Topology Awareness
Inputs: Firewall Log, IDS Event, Server Log, Switch Log, Firewall Cfg., AV Alert, Switch Cfg., NAT Cfg., App Log, Router Cfg., NetFlow, VA Scanner
Gain Network Intelligence: topology, traffic flow, device configuration, and enforcement devices
Isolated Events → ContextCorrelation™:
• Correlation – correlates, reduces and categorizes events into Sessions
• Reduction – validates incidents against Rules
• Verify → Valid Incidents
CS-MARS – Attack Path Visualization
1. Host A port scans Target X
2. Host A buffer overflow attacks X, where X is behind a NAT device and X is vulnerable to attack
3. Target X executes password attacks against Target Y, located downstream from the NAT device
SureVector™ Analysis
• Visible and accurate attack path
• Drill-down, full incident and raw event details
• Pinpoint the true sources of anomalous and attack behavior
• More complete and accurate story
CS-MARS – Attack Mitigation
Use control capabilities within your infrastructure
• Layer 2/3 attack path is clearly visible
• Mitigation enforcement devices are identified
• Exact mitigation command is provided
(Diagram: Switch, Router, and Firewall as enforcement devices)
CS-MARS – Compliance Reports
• Popular reports with customization and distribution options
• Queries saved as rules or reports – intuitive framework (no SQL)
CS-MARS Device Support
Networking
• Cisco IOS 11.x and 12.x, Catalyst OS 6.x
• NetFlow v5/v7
• NAC ACS 3.x
• Extreme Extremeware 6.x
Firewall/VPN
• Cisco PIX 6.x, 7.x, ASA, IOS Firewall/IPS, FWSM 1.x, 2.3, VPN Concentrator 4.x
• CheckPoint Firewall-1 NG FPx, VPN-1
• NetScreen Firewall 4.x, 5.x
• Nokia Firewall
IDS
• Cisco NIDS 4.x, 5.x, IDSM 4.x, 5.x
• Enterasys Dragon NIDS 6.x
• ISS RealSecure Network Sensor 6.5, 7.0
• Snort NIDS 2.x
• McAfee Intrushield NIDS 1.x
• NetScreen IDP 2.x
• Symantec ManHunt 3.x
Vulnerability Assessment
• eEye REM 1.x
• Foundstone FoundScan 3.x
• Qualys Guard
Host Security
• Cisco Security Agent (CSA) 4.x
• McAfee Entercept 2.5, 4.x
• ISS RealSecure Host Sensor 6.5, 7.0
• Symantec AntiVirus 9.x
Host Log
• Windows NT, 2000, 2003 (agent/agent-less)
• Solaris
• Linux
Syslog
• Universal device support
Applications
• Web servers (IIS, iPlanet, Apache)
• Oracle 9i, 10i database audit logs
• Network Appliance NetCache
CS-MARS – Alerts
• You have two options for learning about rules that have fired:
  – You can log in and view the appropriate pages in the HTML interface
  – You can have CS-MARS send alerts to external devices and users
• CS-MARS supports seven types of alerts when a rule is fired. Users can configure these alerts as part of the rule:
  – E-Mail
  – Syslog
  – Page
  – SNMP
  – SMS
  – DTM
  – XML
Cisco Security Management Suite – An Integrated Solution
Cisco Security MARS to Cisco Security Manager Policy Lookup
“Aha! There is a permit rule from source 10.1.10.1 to any for IP. Better make the correction over in Cisco Security Manager and deploy to the device.”
• Integrating the log and policy views for fast remediation
• XML-based external integration of incidents
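The three-step incident on the Attack Path Visualization slide and the MARS-to-Security-Manager policy lookup above, as an added Python example that is not Cisco's code: it maps NAT'd addresses back to the inside host, sessionizes the isolated events, validates the scan/exploit/downstream-attack chain into one incident, then looks up the rule table entry that permitted the first hop. All addresses, event types and rule names are constructed, and the NAT and rule tables are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data modelled on the slide's three-step incident.
# NAT config: the firewall publishes inside target X on a public address.
NAT_CFG = {"203.0.113.10": "10.1.20.5"}        # public -> inside (hypothetical)

# Isolated events as received from IDS sensors and server logs (constructed).
EVENTS = [
    {"src": "10.1.10.1", "dst": "203.0.113.10", "type": "port_scan"},        # IDS
    {"src": "10.1.10.1", "dst": "203.0.113.10", "type": "buffer_overflow"},  # IDS
    {"src": "10.1.20.5", "dst": "10.1.30.7",    "type": "password_attack"},  # server log
    {"src": "10.1.10.1", "dst": "203.0.113.10", "type": "port_scan"},        # repeat
]

# Ordered firewall rule table, like a CSM rule table (constructed).
RULES = [
    {"name": "r1", "action": "permit", "src": "10.1.10.1/32", "dst": "0.0.0.0/0"},
    {"name": "r2", "action": "deny",   "src": "0.0.0.0/0",    "dst": "0.0.0.0/0"},
]

# Multi-stage rule: scan then exploit in one session, then the victim attacks
# a downstream host from its own (inside) address.
CHAIN = (("port_scan", "buffer_overflow"), ("password_attack",))

def normalize(event):
    """Map NAT'd addresses to the inside host (the topology-aware step)."""
    e = dict(event)
    e["src"] = NAT_CFG.get(e["src"], e["src"])
    e["dst"] = NAT_CFG.get(e["dst"], e["dst"])
    return e

def sessionize(events):
    """Correlate and reduce: group by (src, dst), drop repeated event types."""
    sessions = {}
    for e in map(normalize, events):
        types = sessions.setdefault((e["src"], e["dst"]), [])
        if e["type"] not in types:
            types.append(e["type"])
    return sessions

def find_attack_path(sessions):
    """Validate the incident: return the path [A, X, Y] or None."""
    for (a, x), types in sessions.items():
        if not all(t in types for t in CHAIN[0]):
            continue
        for (src, y), types2 in sessions.items():
            if src == x and all(t in types2 for t in CHAIN[1]):
                return [a, x, y]
    return None

def policy_lookup(rules, src, dst):
    """First-match lookup: which rule decides the flow src -> dst?"""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r["src"]) and d in ip_network(r["dst"]):
            return r
    return None

def investigate(events, rules):
    """Join the log view to the policy view: path plus the permitting rule."""
    path = find_attack_path(sessionize(events))
    if path is None:
        return None
    rule = policy_lookup(rules, path[0], path[1])
    permit = rule["name"] if rule and rule["action"] == "permit" else None
    return {"path": path, "permitting_rule": permit}
```

Running `investigate(EVENTS, RULES)` yields the path 10.1.10.1 → 10.1.20.5 → 10.1.30.7 and names r1, the permit-from-10.1.10.1-to-any rule, as the entry to correct in the rule table.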
Full Spectrum Product Line
CS-MARS Model   20       50       100e     100      200      Global Controller
Events/Sec      500      1,000    3,000    5,000    10,000   N/A
Flows/Sec       15,000   25,000   75,000   150,000  300,000  N/A
RAID Storage    120GB    120GB    750GB    750GB    1TB      1TB
Rack Size       1 RU     1 RU     3 RU     3 RU     4 RU     4 RU
• Installation takes minutes
• Agent-less event collection
• No JRE conflicts
• Layer 2/3 network topology and mitigation
• RAID 1+0
• NetFlow
• Oracle embedded – no DBA needed
• Drill down to MAC addresses
Cisco Self-Defending Network
Identify, Prevent and Adapt to Threats
INTEGRATED SECURITY
• Threat Defense
• Secure Connectivity
• Trust and Identity
INDUSTRY COLLABORATION
• Network Admission Control (NAC) Program
• Collaboration with antivirus vendors
SYSTEM LEVEL SOLUTION
• Dynamically identify, prevent and respond to threats
• Security-aware infrastructure
Continuous Risk Assessment & Proactive Regulatory Compliance