#CLUS BRKSEC-2067 - Securing Government Networks

• Defense in Depth Security Architecture Review
• Cisco Next Generation
• Nation State Actions
• Layered Encryption Techniques
• Crypto Diversity
• Impacts of Quantum Computing
• Tearing apart TLS and Encrypted Analytics

#CLUS BRKSEC-2067 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Cisco Webex Teams


Securing Government Networks

Andrew Benhase - Architect, BRKSEC-2067

Quick Housekeeping and Advisement

• There is nothing classified in this briefing
• This is a session heavily focused on the US Government – although practices may well also apply elsewhere
• There is nothing that is designated as ITAR
• There is nothing that is US Export Controlled
• There are references to US Government Intelligence Agencies
• All information conveyed here can be discussed openly
• All information is PUBLIC in nature
• This is probably NOT the Cisco Live briefing you’re used to…

The quick Bio slide…

• Federal Security Architect
• At Cisco 20 years, supporting US Federal customers
• 28 years primarily supporting Public Sector, US Defense and Intelligence Communities
• Deep focus on defensive cyber operations, advanced encryption, making security work!
• My first Networkers was in 1996 or 1997…it gets kind of fuzzy…
• https://newsroom.cisco.com/the-history-of-cisco-live
• Things I do outside of work: Security Research, Big Game Hunting, Camping, Hiking, Boy Scouts with my sons (father of an Eagle Scout)

Current Events During CL Melbourne….

Cisco Live San Diego: Security Tip of the Day #1

From the Miami Herald: [Ivanovich] stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said.

Federal Disaster Requests from Baltimore

Cisco Live San Diego: Security Tip of the Day #2

If you see one of these…

Discussion on Defense in Depth

Why do we need to keep investing and building more robust defenses?

Bad Guys don’t follow our Rules!

“OUR COMMON ENEMIES ARE OPERATING WITHIN OUR CERTIFICATION, ACCREDITATION, ACQUISITION AND DEPLOYMENT CYCLES”

Defense in Depth? Circa…2008

Standard Perimeter: Security Model v2.1

[Diagram: External Screening Router (stateful flow inspection, application inspection, protocol inspection, content inspection, policing / rate limiting); Firewall/IDS access control, Audit and Management Server, Configuration Control; MX Record Owner with External IDS and Email Content Inspection; Virtual Sensor A; VLANs A, B and C with URL filtering for https://www.* and http://www.* and Decrypted SSL inspection on Virtual Sensor C; VPN Termination; Primary and Secondary Site Address Record Owners with Split-DNS; SPAN to Internal IDS; WAN Screening Router and Internal Screening Router, each with stateful firewall, application inspection and policing / rate limiting.]

Standard Campus: Security Model v2.1

[Diagram: Internal Screening Router (stateful firewall, application inspection, policing / rate limiting); NAC Profiler (Unmanaged Device Control, Endpoint Analysis); NAC Manager (Security Policy Engine, Switchport Control, API Interface from Profiler); Endpoint Security access control with Audit and Management and Configuration Control; Endpoint Security agents on every host.]

Standard Data Center: Active/Active Failover (Security Model v2.1)

Standard Perimeter: Security Model v2.2

[Diagram: External Screening Router (stateful firewall, application inspection, policing / rate limiting); MX Record Owner with Email Content Inspection and Malicious Code Inspection (Mail Services); Primary and Secondary Site Address Record Owners (DNS Services, Split-DNS); Virtual Sensors A and C on VLANs A, B and C; IPSec or SSL VPN Termination and Remote Access VPN with Admission Control; Primary Outside and Primary Inside Firewalls; URL Authorization and Decrypted SSL inspection for https://www.* and http://www.*; Code Inspection (Virus/Malware/Tunneling) and HTTP/HTTPS Audit and Inspection; WAN Screening Router (stateful firewall, application inspection, policing / rate limiting) with SPAN to Internal IDS; Firewall/IDS Access Control, Audit and Admission Control, Management Server, Configuration Control, Management of Remote Sites; Internal Screening Router (stateful firewall, application inspection, policing / rate limiting); Security Management.]

Combined Perimeter and Campus: Security Model v2.2

[Diagram: the perimeter above under Perimeter Security Management, joined to the campus model under Campus Security Management: Internal Screening Router (stateful firewall, application inspection, policing / rate limiting); NAC Profiler (Unmanaged Device Control, Endpoint Analysis); NAC Manager (Security Policy Engine, Switchport Control, API Interface from Profiler); Endpoint Security access control, Audit and Management, Configuration Control; Endpoint Security agents on every host; Active/Active Failover pairs.]

Defence in Depth – Evolved Architectures (circa 2018)

[Diagram: the same combined perimeter and campus Security Model v2.2 view (external and internal screening routers, stateful firewalls, application inspection, policing / rate limiting, email content and malicious code inspection, DNS record owners and Split-DNS, virtual sensors, IPSec/SSL VPN termination, remote access VPN with admission control, URL authorization and decrypted SSL inspection, HTTP/HTTPS audit, internal IDS via SPAN, NAC Profiler and NAC Manager, endpoint security on every host, Active/Active failover). Speaker’s note: “I don’t have a new version of this”.]

Attacks against Infrastructure

What is a SYNful Knock?

• Simply put, it is a crafted (custom) packet used to elicit a response from, and so identify, a compromised device across the Internet

• Compromised devices will be used as an entry point to run additional software on the device

• It literally acts like a virus on the compromised device: once it gains access it can run additional things, collect information, and act as a launching point

Technical Details

• Attackers can trigger the implant by completing a specially constructed, non-compliant TCP handshake. Once this handshake has been completed, the attacker can use a special backdoor username to log in to an unrestricted console, as well as upload new attack modules. As documented in the original post, the client specifically sends a TCP SYN packet to hosts on port 80 where the difference between the TCP sequence number and acknowledgement number is 0xC123D. Per the original FireEye post, the infected router responds with a SYN+ACK packet with the following characteristics:

• The client's acknowledgement number is copied to the router's initial sequence number. Typically the router would generate a random 32-bit sequence number.

• The urgent pointer is set to 0x0001, but the urgent flag is not set. Per the TCP specification, the urgent pointer only has meaning when the urgent flag is set.

• The following TCP options are statically set: 02 04 05 b4 01 01 04 02 01 03 03 05

• The client then finishes the handshake by sending a specially crafted ACK packet where the PUSH and ACK flags are set, the ASCII string "text" is present at 0x62 in the TCP packet and contains the command to execute.

• We specifically sent packets to hosts on port 80 with the sequence number set to 0xC123D, and the acknowledgement number set to zero. To identify implanted devices, we look for non-compliant responses where the sequence number is set to zero, the urgent flag is unset, and the urgent pointer is set to 0x0001. We do not respond with an ACK packet, and instead send a RST, closing the connection. This does not exploit the vulnerability, attempt a login, or complete the handshake. However, this does allow us to discern implanted from non-implanted routers, since a non-implanted router should not set the urgent pointer, and has only a 1 in 2^32 chance of selecting zero as the sequence number.
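The classification rule quoted above is easy to lose in prose, so here it is as an added example (not code from the deck, FireEye or ZMap): a TCP header parser that applies the implant fingerprint to a SYN+ACK and reports which elements matched. The header-construction helper, the sample headers and the "suspicious" category for partial matches are this example's own assumptions.

```python
"""Classify SYN+ACK responses against the SYNful Knock implant fingerprint.

Fingerprint elements taken from the slide text:
  - the implant copies the probe's acknowledgement number into its own ISN,
    so a probe sent with ACK=0 comes back with SEQ=0;
  - the urgent pointer is 0x0001 while the URG flag is clear;
  - the TCP options are the static bytes 02 04 05 b4 01 01 04 02 01 03 03 05.
The sample headers at the bottom are constructed for this example.
"""
import struct
from dataclasses import dataclass

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
TCP_FLAG_URG = 0x20

IMPLANT_OPTIONS = bytes.fromhex("020405b40101040201030305")  # from the slide
IMPLANT_URG_PTR = 0x0001
PROBE_SEQ = 0xC123D          # probe SEQ used by the scan; the probe's ACK is 0


@dataclass(frozen=True)
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    urg_ptr: int
    options: bytes


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Parse the fixed 20-byte TCP header plus options (RFC 793 layout)."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    src, dst, seq, ack, off_flags, _win, _csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x01FF               # NS CWR ECE URG ACK PSH RST SYN FIN
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d inconsistent with segment" % data_offset)
    return TcpHeader(src, dst, seq, ack, flags, urg, segment[20:data_offset])


def synful_indicators(hdr: TcpHeader, probe_ack: int = 0) -> dict:
    """Evaluate each fingerprint element separately so analysts see what matched."""
    syn_ack = TCP_FLAG_SYN | TCP_FLAG_ACK
    return {
        "is_syn_ack": (hdr.flags & syn_ack) == syn_ack,
        "isn_echoes_probe_ack": hdr.seq == probe_ack,
        "urg_ptr_without_urg_flag": hdr.urg_ptr == IMPLANT_URG_PTR
                                    and not (hdr.flags & TCP_FLAG_URG),
        "static_options": hdr.options == IMPLANT_OPTIONS,
    }


def classify_response(segment: bytes, probe_ack: int = 0) -> str:
    """'implanted' follows the two criteria ZMap used; 'suspicious' is this
    example's bucket for responses that match only part of the fingerprint."""
    ind = synful_indicators(parse_tcp_header(segment), probe_ack)
    if not ind["is_syn_ack"]:
        return "not-a-syn-ack"
    if ind["isn_echoes_probe_ack"] and ind["urg_ptr_without_urg_flag"]:
        return "implanted"
    if ind["isn_echoes_probe_ack"] or ind["urg_ptr_without_urg_flag"] or ind["static_options"]:
        return "suspicious"
    return "clean"


def build_syn_ack(seq: int, ack: int, urg_ptr: int, options: bytes,
                  flags: int = TCP_FLAG_SYN | TCP_FLAG_ACK) -> bytes:
    """Construct a SYN+ACK header for the samples (options padded to 32-bit words)."""
    opts = options + b"\x00" * (-len(options) % 4)
    off_flags = ((20 + len(opts)) // 4) << 12 | flags
    # src port 80, dst port 40000 (constructed), window 65535, checksum 0 (not checked here)
    return struct.pack("!HHIIHHHH", 80, 40000, seq, ack, off_flags, 65535, 0, urg_ptr) + opts


# Constructed: what an implanted device returns for the SEQ=0xC123D / ACK=0 probe.
IMPLANTED_SAMPLE = build_syn_ack(seq=0, ack=PROBE_SEQ + 1,
                                 urg_ptr=IMPLANT_URG_PTR, options=IMPLANT_OPTIONS)
# Constructed: RFC-compliant response with a random-looking ISN and ordinary options.
CLEAN_SAMPLE = build_syn_ack(seq=0x6F2A91C3, ack=PROBE_SEQ + 1, urg_ptr=0,
                             options=bytes.fromhex("020405b40402080a0000000100000000010307"))

if __name__ == "__main__":
    for name, sample in (("implanted", IMPLANTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, "->", classify_response(sample), synful_indicators(parse_tcp_header(sample)))
```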

Initial scans from ZMAP

Current Global Distribution – Shadow

Interesting Distribution

[Map: markers at Donetsk, Tehran, Natanz, Syria, Lebanon and the United Nations.]

Who knows what tftpboot is?

Nation State Actions

The new normal….

HOW AN ENTIRE NATION BECAME RUSSIA'S TEST LAB FOR CYBERWAR

https://www.wired.com/story/russian-hackers-attack-ukraine/

INSIDE THE CUNNING, UNPRECEDENTED HACK OF UKRAINE'S POWER GRID

https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

https://www.valisluureamet.ee/pdf/raport-2018-ENG-web.pdf

It is likely that large scale US sanctions against Russia have changed the cyber playing field. Known actors are now being actively targeted by US Offensive Cyber Operations (OCO) as well as by a highly personalized campaign of financial sanctions. The financial impacts on both the Russian State and the individual threat actors are forcing a likely re-evaluation of current and past tactics. One should assume that more distributed, less easily attributable operations have begun. Those operations will likely be run from within the target areas of interest for reasons of deniability. Nation State Offensive Cyber Operations in these areas will become akin to the green suited soldiers of the Crimea. Nationless. Anonymous. No attributable indications or markings.

Locally actioned, nation state sanctioned and funded, highly suspect but impossible attribution, with nation state plausible deniability.

Potential Future Campaign Targets

The Not so Cold War…

Nation State Attribution

• Highly skilled operators are very good at inserting clues that lead to adversaries, not the perpetrators

• Code re-use in attack campaigns has made it impossible to attribute based on software markers alone

• Disclosures and unauthorized releases of classified tool archives have opened a Pandora’s box of possibilities for less skilled adversaries

Attacks against Infrastructure are very real

“Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems…”

Practical Risks and Realities

• Small population, low GDP countries will be extremely challenged to find capable Cyber Defenders, able to stand up against a Nation State sponsor

• Defensive Cyber Operations will have to rely on Cloud Based Analytics as a mechanism to defend against well funded adversaries

• Attacks against Critical Infrastructure and highly focused Social Media disinformation campaigns are the disruptive tools of Nation States

Campaign of US capabilities exposed

Shadowbrokers and Vault7

Snowden Disclosures

WannaCry – Spread and Impacts

• Direct effect of disclosure from ShadowBrokers

• Critical Infrastructure systems impacted across the globe

• 150 Countries, 100,000 organizations impacted

ETERNALBLUE targets a vulnerability in server message block (SMB) protocol (used primarily for providing shared access to files, printers, and serial ports, etc.) that was specifically addressed by critical Microsoft update MS17-010

Long term impacts

Credit: New York Times

Defending against Nation State Actors

Common Nation State Offensive Tactics

Reconnaissance Operations
• Remote Mapping of networks
• Targeting of Senior Leadership
• Electronic Collection of known targets
• Coercion of existing personnel (insider threat)

Takedown Operations
• Remote Detonation events
• Immediate Encryption of Remote Assets post-detonation
• Complete Denial of Compute Operations
• Goal for Country wide disruptions of Energy, Traffic, Communications, Defense

Cloud Based Security Technologies

• The benefits of Rapid Deployment also include some risk assumption for cloud based security technologies
• Large scale Enterprise-Level Security deployments can take very long periods of time to complete
• Architectures that take 12-18 months to roll out represent huge risk windows for today’s network operations

Rapid Acquisition

Immediate Deployment

Identification, Containment and Protection within 30 days of Acquisition

90 Day Plan to Defend a Nation

90 Day Plan – National Critical Infrastructure

Assessment and Planning
• Assessment of Critical Assets / Networks
• Identification and Control of all IAPs
• Identification of all DNS assets
• Identification of any exposed cloud surfaces
• Control of all BGP country routes

Implementation
• Terminate all unauthorized IAPs
• Implement OTP / MFA for all administrative functions
• Secure all Email ingress
• Deploy Endpoint Security for remote workloads
• Deploy DNS security for all IAPs / deny unauthorized DNS

Monitor and Triage
• Seal off remaining leaks through flow based analytics
• Plan for DDoS against country routers
• Closely monitor workstation based attacks – lateral spread
• Strict enforcement of Egress Policy for all networks

Nation State Profiles

APT 29 Campaign – Cozy Bear Operations

Bears awoke from winter slumber

• 19 November 2018
• Targeted DNC
• Spearphishing to establish initial ingress
• Lateral spread using privilege escalation and Kerberos access across Enterprise
• Powershell script execution
• Use of TOR and domain fronting to hide C2 traffic destinations

Experts believe that the recent spear phishing activity may be caused by the Russian APT group Cozy Bear that may have become active once again. Last week, CrowdStrike and FireEye cybersecurity companies published warnings referencing a widespread phishing campaign that affected several industry sectors. The campaign implemented tactics and techniques that resembled the ones of Cozy Bear, aka APT29. Cozy Bear is now believed to be associated with Russian intelligence and considered responsible for hacking the Democratic National Committee along with another Russian APT group Fancy Bear back in 2016 at the time of U.S. elections. Not long ago, the threat actor was accused of targeting Norwegian and Dutch ministries and U.S.-based think tanks and NGOs, still it had seemingly remained in hibernation in 2018. CrowdStrike’s Vice President of Intelligence Adam Meyers said that the campaign was detected by his firm on Nov. 14.

The malicious emails “purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website.” The officials of FireEye commented that the attackers “compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails.”

Next Generation Encryption

CNSA (aka Suite B) – Commercial National Security Algorithm Suite

The following documents provide guidance for using CNSA cryptography with internet protocols:

• IPsec using the Internet Key Exchange Version 2 (IKEv2): "Suite B Profile for Internet Protocol Security (IPsec)," RFC 6380
• SSH: "Suite B Cryptographic Suites for Secure Shell (SSH)," RFC 6239
• TLS: "Suite B Profile for Transport Layer Security (TLS)," RFC 6460
• EST: "Enrollment over Secure Transport," RFC 7030
• S/MIME: "Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)," RFC 6318

Source: https://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm

What are DoD Suite B standards? (© 2009 SPYRUS, Inc.)

• NSA (National Security Agency) oversees and sets standards for DoD and other federal organizations
• NSA defines Suite B – a set of cryptographic algorithms
• Suite B for IPsec VPN is defined in RFC 4869
• Chart shows NSA’s recommendation of algorithms to be used to protect data at different levels

Next Generation Encryption Protocol Suite

Authenticated Encryption: AES-128/256-GCM, HMAC-SHA-256/384/512
Key Establishment: ECDH-P256/384/521
Digital Signatures: ECDSA-P256/384/521
Hashing: SHA-256/384/512
Entropy: SP800-90

Next Generation Encryption vs Suite B

Level               Encryption      Key Establishment   Signatures    Hashing / Data Authentication
(above Suite B)     AES-256-GCM     ECDH-P521           ECDSA-P521    SHA-512
Suite B mLoS 192    AES-192-GCM     ECDH-P384           ECDSA-P384    SHA-384
Suite B mLoS 128    AES-128-GCM     ECDH-P256           ECDSA-P256    SHA-256

Security Equivalency

Size matters… for RSA

Size matters… for Elliptic Curves

Layered Encryption Techniques

Building up Layers of Trust

• IOS Site to Site IPsec VPN
• Layer 2 Wireless Encryption - 802.11 / AES-CBC / AES-GCM
• EAP-TLS Suite B Compatibility - RFC 5430
• AnyConnect v4.6 Suite B IKEv2/ECC AES-GCM

General Concept of Operation

[Diagram: Current HAIPE Operations, with a HAIPE crypto device at each end of the transport network; below it, the replacement with an Outer VPN and an Inner VPN at each end of the transport network.]

• Government encryption devices are replaced with approved high assurance commercial encryption
• Two layers of encryption with cryptography diversity are required (Outer & Inner Tunnel)

What is this CSfC stuff?

Cryptographic Domain Isolation: General Concept of Operation

[Diagram: Current HAIPE Operations with a government crypto device at each end of the transport network; below it, an Outer VPN and an Inner VPN at each end of the transport network. Same two bullets as above.]

Multiple Site CSFC Concept

REF: NSA IAD Multi-Site CP

REF: https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/capability-packages/MACPv2_1.pdf

CSFC Concept of Multiple Classifications

https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/capability-packages/MSCCPv1.1_20180626.pdf

Credit: US National Security Agency

Unique Requirements for Mobile Access

REF: https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/capability-packages/MACPv2_1.pdf

Enterprise Gray Networks

“To make CSfC really work and scale – Gray Side Services must adopt a Federated approach to gain the advantages for economies of management scale across the entire Enterprise VPN overlay”

Federated Red Side Services

Enterprise Core Services

Federated Gray

Federated Red

Federated Gray Side Services

Cryptographic Diversity

Today’s Forecast: Soupy and Unclear

Ref: NSA MACP v2.1

Into the weeds we go…

IOS ASA


So what about the CM Requirements?

ASA Elektra Basic System Model

[Diagram, top to bottom: Cryptographic Functions and LINA (ASA) alongside the Sourcefire System (SNORT) running under KVM (Hypervisor) / QEMU (Emulator); Wind River Kernel; hardware: CPU (Cores), Memory, Storage, Network.]

ASA Elektra Flow Model

[Diagram: the same stack as the basic system model (Cryptographic Functions, LINA (ASA), Sourcefire System (SNORT) under KVM (Hypervisor) / QEMU (Emulator), Wind River Kernel, CPU (Cores), Memory, Storage), with a management path M and numbered traffic flows 1 to 8 through the components.]

ASA Basic System Model

[Diagram, top to bottom: Cryptographic Functions; LINA (ASA); Wind River LINUX Kernel; hardware: CPU (Cores), Memory, Storage, Network.]

Firepower Threat Defense System Model

[Diagram, top to bottom: Cryptographic Functions with management path M; Sourcefire System (SNORT) alongside LINA (ASA); Wind River Kernel; hardware: CPU (Cores), Memory, Storage; numbered traffic flows 1 to 8 and M.]

ASA System

• ASA Lina application: 1 core, 4GB DRAM
• System total: 4 cores, 8GB DRAM
• SNORT System: Sourcefire image using 3 cores

Individual IP Stack

KVM running on top of Kernel

• KVM running as system process on top of Kernel system
• Lina Application running as system process
• Qemu/KVM running as system process

ASA SFR

[Diagram: two SFR instances on a KVM Hypervisor, running on an Intel Lynnfield Processor i7 Quad Core.]

[Make your own locally determined risk acceptance decisions based on vendor supplied information regarding cryptographic diversity]

Secured Mobility

Mobile Device

Mobile Devices

[Diagram: App 1 and App 2 each inside a Security Container with its own Container VPN, wrapped by the Device Level VPN and the Android Firewall on SE Android, over WIFI or 3G/4G.]

• Each Secure Application runs within a Security Container. Policy controls for each container are applied.
• A Device Level VPN is provisioned. It forms the outer layer tunnel for all secured app container based VPNs.
• The individual Container VPN secures the wrapped app traffic.
• Android Firewall Policy ensures that only VPN and control plane traffic leave the device.
• WIFI Media Layer encryption may be applied, but is not required as part of the solution.
• Security Enhanced Android provides a trusted OS.

Secured Traffic Profile

[Diagram: several App 1 instances, each wrapped by Container Security, inside Device Level Security.]

Mobile Access Capability Package (MA CP v2.1)

Mobile Access CP Key Concepts

• The same black/gray/red, inner/outer VPN & PKI nomenclature is also referenced in the MA CP

• TLS Server/Client - Application specific TLS encryption components

• SRTP - Secure Real Time Protocol deployed to encrypt voice and video

• VPN EUD - End user device that uses the VPN client and VPN gateway components

• TLS EUD - End user device that uses the TLS/SRTP client and TLS/SRTP gateway components

• Outer/Gray/Inner Firewall - The MA CP introduces a firewall to the black/gray/red boundaries

CSfC Architectures - MA CP v2.1

REF: https://www.nsa.gov/Portals/70/documents/resources/everyone/csfc/capability-packages/MACPv2_1.pdf

Mobile Access CP - Cisco Mobile VPN Solution

AC/ASA Outer VPN with TLS/SRTP Inner

[Diagram: Outer Tunnel – IPSec (Suite B/NGE) from the AnyConnect IPSec VPN client to an ASA 5500-X* Outer Firewall; Transport; Inner Tunnel – TLS/SRTP from the device to the TLS Server (SRTP) behind the ASA 5500-X* Inner Firewall. TLS Encryption for Call-Control & Signaling, SRTP Encryption for Media.]

*Could be either ASA or IOS/XE

VPN CP with End User Device (EUD)

REF: https://www.nsa.gov/ia/_files/MA_CP_v1.0.pdf

Remote Access VPN with WLAN as Black Transport

Advanced Secure Remote Enclave: Enhanced Assurance

[Diagram: a Site to Site IPSec Tunnel into the enclave behind a Screening ACL; the screening router only accepts encrypted traffic plus control plane (Screening ACL); a Screening Tunnel and a Secondary Tunnel carry the IPSEC and HTTP flows; the Site to Site IPSec Tunnel accepts limited traffic types based on profile; a Client Based IPSec Tunnel extends client encryption from the remote client to the enclave ASA; no server encryption.]

Tagging and Segmentation - What is Tagging? What is Segmentation? What is Tunneling?

Layer 3 and Layer 2-ish techniques (both columns of the slide, listed together): MPLS, L2TPv3, 802.1q, IPnIP, VxLAN, LISP, SGT, NSH, FabricPath, (IPSec)

VXLAN

At the end of the day… it's all about traversal

Insert your favorite encapsulation/tagging method

Why do I need Tagging? Firewall Insertion into the DC Fabric

[Figure: Core switches IP1 / IP2, Active and Standby firewalls, Virtual Switches on Hypervisors]

Network Connections
• Multichassis Etherchannel (MEC)
• MEC ensures all active links utilised (eliminates blocked STP links)
• Leverages DC redundancy technologies
• Validated design to provide segmentation, threat protection, visibility
• Transparent (recommended) and routed modes
• Works with both Active/Standby and Active/Active failover

Segmentation with End Point Groups

[Figure: EPG Web, EPG App and EPG DB, each holding endpoints (EP), joined by Contracts]

• EPG = Grouping of devices based on function
• Devices within an Endpoint Group can communicate (unless Intra EPG Segmentation is enabled)
• Communication between EPGs is, by default, not permitted

Segmentation with End Point Groups

Whitelist policy = requires an explicitly configured contract between EPGs allowing traffic

[Figure: Trust Based on Location (traditional DC switch, hosts 1-4 on one switch) versus Zero Trust Architecture (next-gen DC with SDN, hosts 1-4 placed into EPG 1 "WEB" and EPG 2 "APP")]

Service Insertion

• Automated and scalable L4-L7 service insertion
• Policy-based Redirection: a packet match on a redirection rule sends the packet into a service graph
• A Service Graph can be one or more service nodes pre-defined in a series
• Service graph simplifies and scales service operations

[Figure: the Application Admin defines a chain "FW_ADC 1" from EPG1 to EPG2 (Begin → Stage 1 → Stage 2 → End); the Service Admin supplies the nodes: Load Balancer, NGFW, NGIPS]

Egress and Ingress Tunneling Blocks

Tunneling Protocols to Block In/Out

• IP in IP (Protocol 4): IP in IPv4/IPv6 (requires a smart firewall)

• SIT/IPv6 (Protocol 41): IPv6 in IPv4/IPv6

• GRE (Protocol 47): Generic Routing Encapsulation

• OpenVPN (UDP port 1194)

• SSTP (TCP port 443): Secure Socket Tunneling Protocol (requires a proxy)

• IPSec (Protocol 50 and 51): Internet Protocol Security

• L2TP (Protocol 115): Layer 2 Tunneling Protocol

• PPTP (TCP port 1723): RFC 2637

• VXLAN (UDP port 4789): Virtual Extensible Local Area Network

• LISP (UDP port 4341): encapsulated user data

• LISP (UDP port 4342): control plane packets

• OTV: TCP/UDP 8472 (per the RFC, but practically is IP/47)
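As an added example (not from the deck), the following Python screens constructed flow records, the 5-tuple a NetFlow export gives you, against the block list above and reports which tunnels cross the enclave boundary and in which direction. The record format, the sample addresses and the inside-prefix check are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number
    sport: int      # 0 when the protocol has no ports
    dport: int

# The encapsulations from the block in/out list, keyed the way a flow record shows them.
BY_PROTOCOL = {
    4: "IP in IP", 41: "SIT / IPv6 in IPv4", 47: "GRE (also OTV in practice)",
    50: "IPsec ESP", 51: "IPsec AH", 115: "L2TP",
}
BY_PORT = {   # (IP protocol, destination port)
    (17, 1194): "OpenVPN", (6, 1723): "PPTP", (17, 4789): "VXLAN",
    (17, 4341): "LISP data", (17, 4342): "LISP control",
    (6, 8472): "OTV (RFC port)", (17, 8472): "OTV (RFC port)",
}

def classify_tunnel(flow):
    """Name the tunnel a flow carries, or None if the 5-tuple shows no known encapsulation.
    SSTP rides tcp/443 and is indistinguishable from ordinary HTTPS here; as the slide
    says, catching it needs a proxy that sees the HTTP layer, so it is not matched."""
    if flow.proto in BY_PROTOCOL:
        return BY_PROTOCOL[flow.proto]
    return BY_PORT.get((flow.proto, flow.dport))

def parse_flow(line):
    """Parse 'src,dst,proto,sport,dport' (a constructed export format, not real NetFlow)."""
    src, dst, proto, sport, dport = line.strip().split(",")
    return Flow(src, dst, int(proto), int(sport), int(dport))

def screen_flows(lines, inside_prefix):
    """Return (flow, tunnel, direction) for every flow carrying a tunnel across the
    enclave boundary; direction is 'egress' when the source sits inside the enclave
    (a simple string-prefix check on the address, enough for the sample)."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        tunnel = classify_tunnel(flow)
        if tunnel is None:
            continue
        direction = "egress" if flow.src.startswith(inside_prefix) else "ingress"
        hits.append((flow, tunnel, direction))
    return hits

# Constructed sample export: GRE leaving, VXLAN arriving, PPTP leaving, plus ordinary DNS and HTTPS.
SAMPLE_FLOWS = """\
# src,dst,proto,sport,dport
10.1.8.3,198.51.100.7,47,0,0
203.0.113.9,10.1.8.20,17,4789,4789
10.1.8.3,10.1.8.53,17,51000,53
10.1.8.3,198.51.100.7,6,47321,443
10.1.8.4,198.51.100.8,6,51234,1723
"""

if __name__ == "__main__":
    for flow, tunnel, direction in screen_flows(SAMPLE_FLOWS.splitlines(), "10.1.8."):
        print(direction, flow.src, "->", flow.dst, tunnel)
```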

Practical Separation Techniques

Coalition Enclave Services - Today

[Figure: a Single Compute Enclave and a Single Storage Enclave serving WWW, File Sharing, Collaboration, Messaging and Web Pages]

Multiple Independent Systems - Today (Common Network)

Systems Aggregation - Tomorrow

Systems Access - Tomorrow

[Figure: three Coalition Endpoints, each behind its own Enclave Protection, each with its own WWW, Web Pages, Messaging, Collaboration and File Sharing]

Future of Information Sharing - Common Coalition Services

[Figure: shared Messaging, Collaboration, Web Pages and WWW behind Service Enclave Protection with a Central Authentication Database; File Sharing kept separate per coalition by Security Group TAGs and Network Access Control; Coalition Endpoints receive Role Based Assignment]

Common Coalition Services

[Figure: the same layout as above, with Security Group TAGs applied at every boundary]

Impacts of Quantum Computing

First… a little math and K/F conversions

1 Kelvin = -457.87 Fahrenheit or -272.15 Celsius (HEAT WAVE)

0 Kelvin = -459.67 Fahrenheit or -273.15 Celsius (SUPER COLD)

Then a physics refresh…

In Networks (and computers) we primarily care about these two things

Ref: http://www.fnal.gov/pub/inquiring/matter/madeof/index.html

Next up… Computing refresher

Modern computers operate in a state of finite bit positions of: 0 or 1

Electrons and photons are our standard method of conveyance and state

Next up… a little quantum mechanics

Quantum bits (Qubits) operate in a state known as a Superposition

All states at the same time

[Figure: operating temperatures of a quantum computer. Credit: IBM Research]

4 KELVIN = -452.47 °F
800 mKELVIN = -458.23 °F
100 mKELVIN = -459.49 °F
15 mKELVIN = -459.643 °F

Remember… -459.67 °F is Absolute Zero

More math… sorry

• FLOP = Floating Point Operations per standard second

• 1 GigaFLOP = 1,000,000,000 (10^9) floating point operations per second

• 1000 GigaFLOPS = 1 TeraFLOP (10^12) or 1,000,000,000,000

• 10 TeraFLOPS = 10,000,000,000,000

A 30 qubit quantum computer would equal the processing capacity of a current computer operating at 10 Teraflops (trillions of floating point operations per second)

[Figure: "Your best Hadoop Cluster" versus "Quantum Computation"]


Quantum Resistance - So what are we doing about this?

Super… what does this mean for me? (Credit: NSA IAD)

Next-Next Generation Encryption Protocol Suite

Function                 | Today                  | Next-Next Generation
Authenticated Encryption | AES-128/256-GCM        | AES-256-GCM
Authentication           | HMAC-SHA-256/384/512   | HMAC-SHA-512
Key Establishment        | ECDH-P256/384/521      | QRC Suites
Digital Signatures       | ECDSA-P256/384/521     | ECDSA-P521
Hashing                  | SHA-256/384/512        | SHA-512
Entropy                  | SP800-90               | TBD

QR PSK for IKEv2

https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2-08

Practical Threat Assessments - Threat Assessment – Mobile Devices

• Targeted collection of mobile data provides a unique context that is hard to achieve with bulk collection methods

• Context streams can be established as some data could be transmitted in the clear

• Can easily be stored for long periods of time

• Intended goal of either cryptanalytic attack pursuits or simply brute force effects over time / over technology advancements

Risk Profile

• Corporate Executive traveling overseas
• Travel itineraries planned for and resourced, VISAs issued
• Collection efforts initiated upon arrival
• Voice radio conversations are immediately decrypted and analysed
• Data transmissions are likely encrypted using often weaker ciphers to accommodate reduced capabilities on mobile devices
• TLS 1.1 / TLS 1.2 often used with RSA-1024/SHA-1 operations (or weaker)
• Downgrade proxy attacks immediately employed to reduce data security posture for encrypted data
• Poor mobile hygiene

Threat Assessment – Targeted Mobile Users

[Figure: the phone performs normal registration and communication to what it takes for a cell phone tower but is an intercept proxy; "Tactical Collection and Analysis"]

Threat Assessment – Targeted Mobile Users

[Figure: collected traffic feeds "Context Creation and Storage"]

Threat Assessment – Targeted Mobile Users

[Figure: stored context feeds "Brute Force Decryption and Cryptanalytic Attacks"]

Actors: Nation States, Global Crime Syndicates, Competitive Private Interests

Internet Darkening and Encrypted Traffic Analytics - What is Internet Darkening and why is it happening? Post Disclosure Era

Post Disclosure Challenges

[Figure: two pie charts, Network Traffic Today versus Network Traffic Two Years Ago, each split into Encrypted and Non-Encrypted]

• Large increase in use of native encryption across all devices

• Visibility has been dramatically reduced

What will you do when…

100% encryption

Limited to no visibility of plaintext

Impacts to Security Operations

• What will you do when 95% of traffic is encrypted?
• We are witnessing a huge shift in how security operations will be conducted in the future
• Endpoint Visibility and Network Observation will be critical

Flow Based Analytics - Important NetFlow Fields

Key NetFlow Fields, grouped by purpose:
• Usage: Packet count, Byte count
• From/To: Source IP address, Destination IP address
• Time: Start sysUpTime, End sysUpTime
• Application
• Port Utilisation: Input ifIndex, Output ifIndex
• Routing and Peering: Next hop address, Source AS number, Dest. AS number, Source prefix mask, Dest. prefix mask
• QoS: Type of Service, TCP flags, Protocol

IOS Flexible NetFlow configuration from the slide, reassembled by column (Setup Flow Exporter, Setup Flow Record, Enable Flow on Interface, Setup Flow Monitor):

flow exporter EXPORTER1
 destination 172.16.1.100
 source FastEthernet0/1
 transport udp 2055
!
flow exporter EXPORTER2
 destination 172.16.1.6
 source FastEthernet0/1
 transport udp 2055
!
flow exporter EXPORTER3
 destination 172.16.1.11
 source FastEthernet0/1
 transport udp 2055
!
flow exporter EXPORTER4
 destination 172.16.1.160
 source FastEthernet0/1
 transport udp 2055
!
flow exporter LIVEACTION-FLOWEXPORTER
 description DO NOT MODIFY. USED BY LIVEACTION.
 destination 172.16.1.164
 source FastEthernet0/0
 transport udp 2055
 option interface-table
 option application-table
!
flow record RECORD1
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow monitor MONITOR1
 record RECORD1
 exporter EXPORTER4
 exporter EXPORTER2
 exporter EXPORTER1
 cache timeout active 60
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip wccp 90 redirect in
 ip nbar protocol-discovery
 ip flow monitor MONITOR1 input
 ip flow monitor MONITOR1 output
 speed auto
 full-duplex
 no mop enabled
 service-policy input MonitorUsingNbar_FA00_In

Visibility Through NetFlow

[Figure: packets from 10.1.8.3 cross switches and routers to 172.168.134.2 on the Internet; the flow record captured along the way:]

Flow Information
 SOURCE ADDRESS 10.1.8.3
 DESTINATION ADDRESS 172.168.134.2
 SOURCE PORT 47321
 DESTINATION PORT 443
 INTERFACE Gi0/0/0
 IP TOS 0x00
 IP PROTOCOL 6
 NEXT HOP 172.168.25.1
 TCP FLAGS 0x1A
 SOURCE SGT 100
 : :
 APPLICATION NAME NBAR SECURE-HTTP

NetFlow Provides
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyser (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Conversational Flow Record

[Figure: one flow record annotated with Who (source), What, When, Where and Who (destination), with "More context" and "Security group" attached]

• Highly scalable (enterprise-class) collection
• High compression => long-term storage
• Months of data retention

Analytics about Encrypted Traffic - How can we inspect encrypted traffic?

• Initial Data Packet: make the most of the unencrypted fields (for example a self-signed certificate)
• Sequence of Packet Lengths and Times: reveals C2 messages and data exfiltration
• Global Risk Map: who's who of the Internet's dark side; broad behavioral information about the servers on the Internet

Initial Data Packet

[Figure: the Initial Data Packet broken down into IP header, TCP header and TLS header; the TLS header exposes SNI (server name), ciphersuites and the certificate (Organization, Issuer, Issued, Expires)]

• HTTPS header contains several information-rich fields.
• Server name provides domain information.
• Crypto information educates us on TLS version, client and server behaviour and application identity.
• Certificate information is similar to whois information for a domain.
• And much more can be understood when we combine the information with global data.
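As an added example (not from the deck), this Python parses the cleartext fields of a TLS ClientHello the way an Initial Data Packet analysis would, offered version, cipher suites and the SNI extension, and then audits them against a simple policy of the "TLS policy violations" kind. The ClientHello bytes are constructed inline, and the weak-suite table and the policy are assumptions made for illustration.

```python
import struct

# Constructed sample: assemble a minimal TLS record carrying a ClientHello so the parser
# below can run offline (this is built here, not captured from a network).
def build_client_hello(sni, ciphers, version=0x0303):
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext        # extension server_name
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Pull out the cleartext fields the slide lists: offered version, cipher suites, SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    hs_len = int.from_bytes(hs[1:4], "big") if len(hs) >= 4 else -1
    if hs_len < 0 or hs[0] != 0x01 or len(hs) < 4 + hs_len:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]  # legacy_version; TLS 1.3 also sends 0x0303 here
    pos = 2 + 32                                  # skip client random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    sni = None
    if pos + 2 <= len(body):                      # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(data) >= 5:  # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "ciphers": ciphers, "sni": sni}

# Assumed audit policy for illustration (suite names from the IANA TLS registry).
WEAK_CIPHERS = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",   # static RSA key exchange: no forward secrecy
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def audit_client_hello(info):
    """Report policy violations visible without decryption: old versions and weak suites offered."""
    findings = []
    if info["version"] < 0x0303:
        findings.append("offers TLS below 1.2 (0x%04x)" % info["version"])
    for c in info["ciphers"]:
        if c in WEAK_CIPHERS:
            findings.append("offers weak suite %s" % WEAK_CIPHERS[c])
    return findings

if __name__ == "__main__":
    info = parse_client_hello(build_client_hello("portal.example.test", [0xC02F, 0x002F, 0x0005]))
    print(info["sni"], ["0x%04x" % c for c in info["ciphers"]], audit_client_hello(info))
```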

Sequence of Packet Lengths and Times

[Figure: packet sizes plotted against time from flow start]

• Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel.
• We can distinguish video, web, API calls, voice, and other data types from one another and characterise the source within the class.

TLS 1.2

TLS 1.3

Encrypted Traffic Analytics (ETA) - Visibility and malware detection without decryption

Malware in encrypted traffic: Is the TLS session malicious?
• End to end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards

Cryptographic compliance: How much of my business uses strong encryption?
• Audit for TLS policy violations
• Passive detection of cipher suite vulnerabilities
• Continuous monitoring of network opacity

Threat Intelligence Map

• Who’s who of the internet’s dark side

• Models use up to 20 features of 150 million malicious, risky, or otherwise security-relevant endpoints on the internet.

• These data features include domain data, whois data, TLS certificate data, usage statistics, and behavioral data for each server.

Image: http://census2012.sourceforge.net/images.html

Future of – Cloud Options

Cisco Live San Diego: Security Tip of the Day #3: Cloud Analytics are coming… in one form or another

Cloud Based, Rapid Deployment Elements (the slide's product matrix, reassembled):
• Insider Threat: Stealthwatch
• Secure Network / FW/IPS: NGFW, NGIPS (Sourcefire)
• Continuous Packet Monitoring: Cisco Security Packet Analyzer
• Malware Protection: AMP / Threat Grid
• Data Center Security: Tetration Analytics
• Content Security: Web Security, Email Security
• DNS Security & Intelligence: Umbrella
• Access Control: ISE
• Software Defined Segmentation: TrustSec
• Endpoint Encryption: AnyConnect
• Cognitive Analytics
• Talos Threat Intelligence

European Based Cloud Security

[Figure: AMP EU Operations, Cognitive Analytics, EU Data Warehouse, Meraki Development, OpenDNS/Umbrella]

[Figure: reference architecture, "Standard Perimeter Security Model v2.1" with a Zero Trust Overlay. Components shown:]
• Intelligence overlays: Flow Submitted Malware Intelligence, DNS Intelligence, Machine Learning Intelligence, BGP Intelligence
• External Screening Router: Stateful Firewall, Flow Inspection, Application Inspection, Policing / Rate Limiting, Protocol Inspection, Content Inspection
• SPAN feeds to Firewall/IDS, Access Control, Audit and Configuration Control, Management Server
• MX Record Owner, External IDS, Email Content Inspection
• Virtual Sensor A and Virtual Sensor C; VLAN A (https://www.*), VLAN B (http://www.*), VLAN C; URL Authorization, Decrypted SSL, VPN Termination
• Primary Site Address Record Owner, Secondary Site Address Record Owner, Split-DNS, Internal IDS
• WAN Screening Router and Internal Screening Router: Stateful Firewall, Application Inspection, Policing / Rate Limiting
• Localized Packet Collection and Analysis; Expansion and Detonation

Q & A

Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer
• Related sessions
• 1:1 meetings

@CyberSecOps
