In Short, the MAC Address Is Not a Good Identifier

Inside Cisco IT - ISE and Device Posture: How we Secure Access at Cisco

Adam Cobbsky, Senior IT Engineer Shyam Chudasama, IT Project Manager

BRKCOC-1145 Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Events Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

• Intro: Security, ISE & Posture at Cisco

• End User Device Posture Challenges: • Unique Device Identity • ISE Posture • Appropriate Access & Remediation • Keeping Users Informed

• Change Management

• Monitoring & Scale of Impact

• Summary

Employee Distribution Global Cisco Distribution

Corporate Engineering APJC Functions 16% 26% 34% 3,879 5,946 73,000 Routers LAN Switches 100+ Employees Countries 21% 133,000 57% Connected 480+ Stakeholders 17% Offices

Customer EMEAR Experience 29% Sales & 13,834 Americas Marketing Unified Computing Billion DNS System Servers requests per day

31,144 63,132 ~527k PB 49,500 6.39M TelePresence Virtual Machines Managed End Overall Usable Webex Meetings Internet Threats Units Devices Storage per Day Blocked Per Day

CISCO SUPPLIED BYOD

73,828 50,022 129,775 60,753 50,729 CISCO MOBILE SUPPLIED DEVICES DEVICES 10,731 5,218

Visibility & Attribution Integration

Consistency Centralization

Access Control Real-Time Defense

Automation & Simplification

• Disruption to Business Models • Castle Analogy: Moat & Drawbridge no longer enough • Mobile Workforces • Allow appropriate access only when • Increasing number of security threats you can verify the who and the what • Limited resource & budgets

• The need for greater control with less effort

Unlikely to start with a blank canvas – requires a hybrid model

Complex environment – systems not designed to work together

How do you iterate & mitigate risk?

Posture Assessment

Measure and check against Security configuration of the device Company requirements

Option 1 Device Manager Access Policy

Option 2 AnyConnect + ISE Posture

1. Device Registration

2. Anti-Malware

3. Encryption (Cisco Data)

4. Minimum OS

5. Software Patching

6. Remote Wipe (Cisco Data)

7. Password/Screen-lock Enforcement

8. Hardware/Software Inventory

9. Rooted Device Detection (Mobile Only)

• Secure Enablement: Don’t stop users working

• Minimise the Impact: Avoid disrupting workflows

• Remediation: Automate and/or simplify

• Expect Complexity: There’s always something hidden!

A centralized security solution that enables context-aware access control and shares contextual data

Identity Profiling and Posture Access Policy Network Resources Threat Group Based Traditional Vulnerability Policies NetworkWho Guest Access Door What BYOD Access When Role-Based Where Access How Threat Containment ISE pxGrid Controller  Compliant Context

Guest Net (Internet)

468 WLC; ~200K EP

ISEISE 2.6/2.1, 2.6, 24 24VMs, VMs, 8 DCs 8 DCs 26K CVO x 2; ~60K EP

70 ASA; ~90K EP

2K SW; ~200K EP 1.79 Million profiled Corporate Access “Endpoints” 75 Sites; ~125K EP WLAN, CVO, VPN, LAN Max ~450K Concurrent “Endpoints”

Single Global ISE Deployment 24 ISE Nodes 20 PSNs; 8 DC (Node Groups)

AER ALN MTV TYO RTP HKG BGL

SNG

Primary ISE PAN/M&T

Secondary ISE PAN/M&T

ISE PSNs

HA NAD Configuration HA SLB Configuration ISE Product Evolution

Modularity Primary -> Secondary PSN PSN PSN PSN Automatic Failover MTV-WLAN PSN1 MTV-LAN MTV-VIPs RTP-VIPs PPAN SPAN MTV-VPN PSN2 MTV-CVO PSN Load Balancer VIP by Service User-probe Auth ALN-VIPs Is PSN Authenticating? PSN3 PMnT SMnT • Interval = 10 sec MTV ALN • Down Time = 30 sec • Retries = 3 Primary, Secondary RADIUS Servers NADs Proximity

AuthC (automate-tester) Service Disruption

 NOT Detected Access-Reject X X EEM Synthetic AuthC (test user) Service Disruption  Access-Reject Detected  Access-Accept X  Allow AuthC Access Restore Temp.  EEM EEM  BRKCOC-1145 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 20 Challenge: Understanding Access Authentication (AuthC) & Authorization (AuthZ)

Authentication - “The Process of Verifying the User” (example: User Authentication dot1x – User Endpoints on Wireless or Wired) Active Directory, SSO, Duo, AnyConnect VPN • Dot1x Globally deployed and enabled Wired & Wireless

• Active Directory Identity Store

• MAB Process for non-suplicant devices

Authorization - “The Process of Verifying what you have access to” (example: Differentiated Network Access based on Device Posture) ACLs, Trustsec, Barcode, Duo Lazy Egg, AnyConnect Posture

Failed AuthC No Internet Access/Remediation/re-direct Failedauth

IoT / MAB Internet Access / Appropriate Access

Quarantine No Internet Access/re-direct ISE Quarantine

Quarantine Remediation/re-direct ISE Quarantine Remediation

Dot1x AuthC Internet/Remediation

Posture AuthZ Corporate Access/Internet/Remediation

BRKCOC-1145 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 24 Challenge: Unique Identity Uncertain Identities • Wired MAC Address • Wireless MAC Address • Docking station MAC Address • Microsoft Workstation • Random MAC Address

X X Windows • Windows VM X • Thunderbolt MAC • Spoofed MAC Address • Apple Device X X MAC X Need to know: • Android Device X • What device? • Which DM?

Mobile • Apple Device • iPhone • iPad

BRKCOC-1145 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 27 Switch to UDID as key Unique Device Identifier (UDID) What are we solving? UDID MAC Address(s) Compliance Open seating environments with docking stations for PCs and Ethernet dongles for Apple Macs pose 01669b65...05ee93 00:1a:00:1a:11:11 a challenge because the same MAC address is 00:1a:00:1a:22:22 used by various people over the course of a week or a month. In short, the MAC address is not a good identifier. How do we solve it? ISE can now perform authorization for managed end-points regardless to their MAC address, even when MAC address is not persistent. 00:1A:00:1A:11:11 00:1A:00:1A:22:22 Prerequisites ISE 2.6, AnyConnect 4.7

• Doesn’t rely on MAC address

• Readable by ISE

• Unique to the OS on the device

• Covers Windows & Mac UDID is tied to the OS

• Consistent ID across all Network Adapters (Static/Random/Shared)

• UDID is persistent following an application remove/re-install

• UDID is persistent through a Major OS upgrade

• UDID likely to change with Motherboard/HDD swap (Process)

• VMs TBD

Active/Live/Realtime checks

• File/Registry conditions • Query Service conditions • Application conditions • AV/AM conditions

Detection of Management Agent after device start-up

PWR Windows Startup

AnyConnect Posture SCCM Service not Check detected. NOT COMPLIANT !

Device Management Platform

IF Windows – SCCM query Mac address > SCCM Device Management

IF Mac – JMF query Mac Address > JAMF SCCM Device Management

IF Mobile Device – query Mac Address > Meraki Mobile Device Management

Device Management Trusted Endpoint Platform Conditions

Screen Saver P/W ? ✓ Device is Compliant Disk Encrypted SCCM ✓ AV/AM ✓ Checked in X days ✓

Screen Saver P/W ✓ JMF Disk Encrypted ✓ AV/AM ✓ Device is Non-Compliant Checked in X days 

PIN Lock Not JailBroken/Rooted AV/AM ? Checked in X days ? On Prem Desktop Posture ISE External Datasource Condition

UDID Device Management Trusted Endpoint AnyConnect Platform Conditions

Screen Saver P/W ✓ ? Disk Encrypted Custom Script(s) SCCM ✓ AV/AM ✓ Checked in X days ✓

Active Directory Compliance Database

Screen Saver P/W ✓ UDID JMF Disk Encrypted ✓ Compliance Status = X AV/AM ✓ UDID Checked in X days  AnyConnect ?

What are we solving? Employee goes on 2 week holiday. When the Updates are needed on employee returns, they may not be on-line for your computer before you very long due to things such as customer can join the network appointments. An employee may not have their system updated to the current patch level for much longer than just the time on holiday given cycle times measured in days for systems such as JAMF & SCCM How do we solve it? Increased grace period flexibility provides two customizable end-user warning notification time periods & a customizable message Prerequisites ISE 2.6, AnyConnect 4.7

Device Management Trusted Endpoint Platform Conditions

Screen Saver P/W ✓ Disk Encrypted Custom Script(s) SCCM ✓ AV/AM ✓ Checked in X days ✓

Active Directory Compliance Database

Screen Saver P/W ✓ UDID JMF Disk Encrypted ✓ Compliance Status = X AV/AM ✓ Checked in X days 

PIN Lock Not JailBroken/Rooted AV/AM Checked in X days

Device Management Trusted Endpoint Platform Conditions ?

IF Custom Attribute Managed By = Meraki PIN Lock ✓ Not JailBroken/Rooted ✓ Check Posture Status AV/AM ✓ Checked in X days ✓ Full Network Access ?

MAC Address ISE Custom Attribute Managed by Meraki Add Custom Attribute – Managed by Meraki eStore ?

Access “Access to the internal resources to allow remediation” (Allow Access to SCCM, AD, JAMF) "Deny Access to internal resources Confidential and above" (Deny Access to HR, Finance)

Messaging “Notification to the User that they have limited network access - provide information to allow remediation and elevation of network access”

Failed AuthC No Internet Access/Remediation/re-direct Failedauth

IoT / MAB Internet Access / Appropriate Access

Quarantine No Internet Access/re-direct ISE Quarantine

Quarantine Remediation Remediation

Dot1x AuthC Internet/Remediation

Posture AuthZ Corporate Access/Internet/Remediation

Messaging Access

Internet Plus Internet Remediation + “Access to the internal resources to allow Messaging Remediation Services remediation” (SCCM, AD, JAMF etc)

Quarantine Re-direct to No Access "Quarantine" Notification to User Quarantine URL "How do I Remediate?"

Quarantine Plus Quarantine Remediation Services "Quarantine" Notification to User Messaging Access to Remediation

ACLs have size limitations Max 4000 ASCII characters (Switch) Max 64 lines (WLC) More apparent when we consider remediation

• ACL Lines to allow Access to Remediation (450+ Lines – IP address/Range per port) • Active Directory, SCCM, JAMF, Satelite, Bitlocker

• ACL Lines to allow Shared Windows Hosts to access Active Directory

• ACL Lines to allow client application background tasks to check in on Port 80 & 443 (e.g. SCCM, JAMF)

• Easer ongoing maintenance and management

TrustSec - Access

• Provides granular level access to Active Directory.

• Provides per port access to all background Remediation Services

• Provides consistent Access across Wired, Wireless, CVO, VPN.

• Provides appropriate access for Quarantine Remediation

• Future Automation & Compatibility with SDA/Cisco DNA-C

• Trustsec provides flexibility across today’s Legacy and tomorrow’s SDA/Cisco DNA-C networks

• Trustsec allows ACL complexity to be Our different access levels

• It’s ok, We’re still learning too!

• Meet the Engineer (MTE)

WHAT’S THE CHALLENGE? WHY DO WE CARE?

• Adds time & complexity to • Lots of grey areas the solution • Open, Campus-like Culture • IT are enablers! • Self-Service IT • No longer just block or allow • User Transparency • Minimise Support & Cases • How do we tell users?

• A pop up message is all well and good…but what happens after that?...

• Scenario: User with non-compliant device, forgets about it…

Your device is not authorized for full corporate access.

Please click on the button below to fix this, or use your browser back button to return.ad

Fix Now

• User device needs to be able to get baseline connectivity (internet plus) once user authenticates.

• For baseline connectivity a user device will only be required to have native device software. i.e. no software or agent pre-requisites such as AnyConnect, Flexera etc.

• Access restrictions should be notified to the user at the point where an untrusted device attempts to access protected resources

• Restriction notifications should be visible directly on the device in use through native channels (browsers, on device notifications etc). These should not be reliant on apps or comms channels on other devices.

• Access to remediation should be immediate directly from the device and step by step guided.

• Remediation should be offered on the same connectivity medium. i.e. not connecting to other SSIDs or plugging in to different ports.

• Remediation should be a self service, step by step guided process.

• Once completed, remediation will enable access to protected resources as soon as possible and in any case in no more than 2 minutes

Mobile Access Policy Mobile Device Management • Internet access by default • Access to additional identities • Apps over browsers • Enforce Trusted Requirements • Per App VPN & VPN Clients • Management as proxy for trust

Identifiers MDM Integration • AnyConnect UDID unavailable • Direct integration with ISE & MDM • Mac address can be randomized • Some scaling issues BUT does work • Other IDs protected • Relies on profiling & additional tagging

• COMMUNICATE EARLY: Not too early to avoid pointless comms

• INVOLVE THE RIGHT TEAMS: Align Security, Network, Devices, Support & Identity

• ESTABLISH SCOPE OF IMPACT: Make as many unknowns known to minimise disruption and ease the transition

• LEADERSHIP BUY-IN: If they don’t believe in it, no one will.

• ID Issues early • Deploy AnyConnect & Posture Module • DM Scripts to collect & store UDID • Understand who & what WHY? HOW? • XML file: Trigger a posture check • Adjust course • ISE Policy: Full Network Access • Prepare for go live • User Documentation

• Reduce the scale of impact • Correlate Data Sources • Fleet coverage & automate fixes • Define Filters DATA ACTION • Additional Change Campaigns • Confirm affected devices • Exceptions

Data Analysis More devices = Continue to monitor Increase scale but new problems maintain control

Adjust & Tweak Start As you learn, make changes to Finish improve the solution where Start slow & figure out your phases necessary Global Deployment & Enforcement

• Expect complexity unique to your organization

• Requires a cross-functional program, with all groups represented

• Set out with a set of principles that fit both your technical environment and your user culture

• Being able to uniquely identify a device is key

• Understand the different access levels so you know what you need to cover and how

• Build in remediation to minimise user disruption and make sure they know when they need to take action

• Start early & monitor

• Change Management: Culture & User behaviour

BRKCOC-1145 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 61 Cisco on Cisco Technical Breakout Sessions Hall 8 Session Code Session Title Speaker Date, Time & Room Adam Cobbsky BRKCOC-1145 Inside Cisco IT: ISE and the Cloud: How we Secure Access at Cisco 28 Jan, 11:00 AM Shyam Chudasama Session Room C129 Inside Cisco IT: Migration of On-prem (CUCM) video endpoints to the cloud Ervin Carrillo BRKCOC-2997 28 Jan, 02:30 PM CC8, (Webex) platform Jeff Barulich Room 8.19/8.20

BRKCOC-2257 Inside Cisco IT: Enterprise Wireless Design and Assurance with Cisco IT Michael Combs 28 Jan, 05:00 PM Session Room A101 Dean Sanders BRKCOC-4263 Inside Cisco IT: Deploying SD-WAN and SDA at Scale 29 Jan, 08:30 AM Jamie McGregor Session Room C128 Bharath Malapaka BRKCOC-2995 Inside Cisco IT: Evolution of Cisco IT infrastructure with Cisco HyperFlex 29 Jan, 11:00 AM Joe DeSanto Session Room A106 Touseef Ahmed Gulgundi 29 Jan, 02:45 PM BRKCOC-2994 Inside Cisco IT: Cisco Multicloud Backbone - securely inter-connecting clouds Roel Bernaerts Session Room D134 Inside Cisco IT: DevOps to NoOps through AIOps - Realize through MindMeld & Rammesh Rajagopal BRKCOC-2101 29 Jan, 04:45 PM Webex Teams Jimil Patel Session Room D133 Colin Choo BRKCOC-2707 Inside Cisco IT: Cisco Contact Center's Channel Transformation Journey 29 Jan, 04:45 PM Mary Mazon Session Room D134 Inside Cisco IT: How to move to the cloud without making the news (for the Dave Jones BRKCOC-2384 30 Jan, 11:15 AM CC8, wrong reasons) Jason Freeth Room 8.21/8.22 Alben Cheung BRKCOC-1476 Inside Cisco IT: Identity-as-a-Service: beyond the hype 30 Jan, 02:45 PM Franky Saxena Session Room D136 Inside Cisco IT: Cognitive Collaboration - How Cisco IT is enabling the future of Mwiza Munyandamutsa BRKCOC-2236 31 Jan, 09:00 AM CC8, meetings today Arti Patel Room 8.21/8.22 Inside Cisco IT: Network Monitoring and Service Assurance in Cisco IT Data Curt Poage BRKCOC-2433 31 Jan, 11:30 AM Centers #CLUS John© 2019 Banner Cisco and/or its affiliates. All rights reserved.Session Cisco Room Public B115 Cisco on Cisco IT Booth Demos - Cisco Showcase @ World of Solutions Demo Name Demo Description SMEs

Come see how at Cisco IT we use our collaboration solutions in everyday workflows which Fernando Quintanilla Cognitive Collaboration allows us to seamlessly engage and add value globally at any given time. Come see and learn Erica Hughes The X-Factor of Cisco IT Workstreams how we manage the environment with Control Hub; Leverage Webex Meetings transcription, Yassin Raman Webex Teams Integrations with O365, Service, Concur and other Bots & Integrations. Vicky Dineshchandra

Learn how we're using the NextGen Firewall platform, Firepower Management Center (FMC), and Elena Bouza Cisco it’s Security Fabric managing our ACLs at our edge, in our core, in our DCs, everywhere. Learn how to protect Santosh Killekar Firepower, NGFW Duo Unified Access access to applications based on user’s Identity and trustworthiness and posture of the devices Tom Fincher with Duo MFA. Andrea Baldan

Cisco IT is embracing the cloud with speedy migration using ACI, a programmable network Nick Janes Embracing Cloud Native infrastructure (network, storage, compute), and focusing on operational excellence and network Brian Hogan Multicloud, ACI, Assurance assurance with CNAE. Learn how Cisco IT is using automation and modern day tools Curt Poage and platforms to deploy and run Data Center Network Fabrics. John Banner

Marianna Pittokopiti Showcase Cisco IT’s next-general full software-driven and controller-based network developed Jason Low Software-Defined Network as part of our acceleration towards intent-driven digital networks. We’ll show how the network Michael Combs DNA, DNAC, SDA, SDWAN, vManage, technology works and walk through high-level how we build and manage these using agile and Dean Sanders ISE, SDx software practices. Jamie Mcgregor

Learn how Cisco IT uses software-based methodologies and automation to digital manage and Balint Szmolka Automating Cisco IT's Network consume our network. We'll share our Secure Cloud Interconnect, allowing for fast and secure Alyssa Sandore DNAC, NSO, Cloud Interconnect & connections to AWS. You'll see how we leverage NSO for compliance checking and automation Touseef Ahmed Gulgundi Peering across our network functions. Tom Fincher

Come learn how Cisco IT is deploying, managing and using our own technologies inside Cisco. IT Corner We will have 30 minute workshops where you can get hands on explanations/lessons from IT Cisco IT SMEs Workshop and 1:1 area subject matter experts. This area can also be used for 1:1 peer to peer interactions with IT experts. #CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Complete your online session • Please complete your session survey survey after each session. Your feedback is very important. • Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt. • All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Demos in the Walk-In Labs Cisco Showcase

Meet the Engineer Related sessions 1:1 meetings