
BRKSEC-1010

Protecting the Device: Cisco Trustworthy Systems & Embedded Security

David Lapier, Senior Product Manager, [email protected], @LapierDee
Stephen Lynn, Consulting Architect, [email protected], @netw0rkStlynn
CCIE 5507 (R&S/WAN/Security), CCDE 2013::56

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKSEC-1010

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

David lives in Palo Alto, CA. Likes to sailboat race. Reads too much Sci Fi.

Stephen lives in Washington, DC. Likes skiing and scuba diving.

Abstract

Malware installed on network devices is a real threat. This presentation addresses how Cisco builds trust into its products to mitigate attacks on the infrastructure. We also introduce best practices for the network administrator for “securing the device”.

Security Landscape

“How do we trust the network and devices? How do we verify it?”

Technology areas covered: DDoS, TAm, Secure Storage, Chip Guard, Secure Asset Transfer, Remote Attestation, MACsec Security, Image Signing, BIOS / Boot Loader Protection, Protocol Security, Secure Boot, IPC Authentication, Runtime Defense, Certifications, Detection and Recovery.

Agenda

• Anatomy of an Attack
• Trustworthy Systems
  - Built-In Security and Trust
  - Cisco Cloud Offerings
• Trustworthy Technologies
  - Image Signing and Secure Boot
  - Trust Anchor Module
  - Hardware Authenticity Check
  - Integrity Verification
  - Secure Zero-Touch Deployment
  - Best Practices
  - Runtime Defenses
  - Quality Crypto
• Summary

Anatomy of an Attack

Anatomy of an Attack

1. Recon: attacker looks for weakness to exploit
2. Infiltration: attacker uses info from recon to exploit the devices
3. Compromise: network device is accessed
4. Data Exfiltration: data is acquired from the target network device
5. Cleanup: attacker cleans up evidence of compromise

The Attack – IOS Modifications

Malware: 6 Observed Variants (timeline 2011–2016): Incident 0, Incident 1, Incident 2, Incident 3, Incident 4, SYNful Knock. Characteristics noted across the variants: static infection, runtime infection, C&C, data exfiltration, crypto (DH keys), multi-arch, modular, line cards, ROMMON.

Today’s Products for Today’s Threats

Risk: attackers are professional
• Nation-State
• Criminal
• Political
• Insider

Staff related
• Social Engineering
• Outsourcing

Breaches grow
• Internet
• Cloud
• Virtualization
• Open-Source

10 Years Ago: physical isolation, locked cabinets, limited staff access, physical barriers, proprietary HW & SW.
Today: those barriers break down.

Trustworthy Systems

“Security is and will remain one of our absolute highest priorities.”
Chuck Robbins, CEO, Cisco Systems

Cisco Trustworthy Systems Levels

Solution Level Attack Protection (Protect the Network): DHCP Snooping, Port Security, uRPF, IP Source Guard, Intrusion Detection, ACLs, TrustSec, ISE, Stealthwatch, FnF

Device Level Attack Protection (Protect the Device): Hardware Trust Anchor, Secure Boot, Image Signing, Counterfeit Protections, Runtime Defenses, OS Validation, Modern Crypto, Secure Device Onboarding, Platform Integrity

Security Culture: Open Source Registration, Product Security Baseline, Supply Chain Security Management, Security Training, Threat Modeling, PSIRT Advisories

Trust for Cisco Cloud Offerings

(Diagram: SaaS, IaaS and PaaS offerings serving users, data and apps across HQ, branch and roaming users.)

Cloud Services Vulnerability Attack Types

The first line of defense against threats on the Internet wherever users go.

• Web Front Ends: web based attacks such as XSS, CSRF, unprotected APIs, misconfigured ACLs
• Remote Code Execution
• Backdoors: through unknown service accounts or hardcoded default credentials
• Command Injection: through input validation weakness

Trustworthy Cloud

• From Product to Service: share responsibilities
• Hosting Infrastructure: scale & responsiveness
• DevOps Model: ongoing operations
• Continuous Security: automate security

Build, operate, and monitor with trust.

Continuous Security – Validate Regularly

Cisco Meraki Trust

https://meraki.cisco.com/trust

Administrative Tools & Best Practices

• Two Factor Authentication for Admin Access
• Password strengthening
• Role Based Access
• Alerting on configuration change
• Audit of configuration and logging
• SSL Certificate verification
• Idle Timeouts
• Security Rewards Program

Image Signing and Secure Boot

Software Modification on Network Elements

“In a troubling new development, threat actors looking for different ways to break into and remain undetected on enterprise networks appear to have begun targeting routers connecting businesses to the Internet.”
Jai Vijayan, Dark Reading

Mitigations at Boot Time

(Refers back to the six-variant malware timeline, 2011–2016, shown under “The Attack – IOS Modifications”.)

SYNful Knock

• Persistent malware that relies on stolen admin credentials to install a cunning backdoor
• Gaining access to the ROMMON boot loader allows the malware to persist through reboots
• Modified image allows the attacker to install independent executables on routers
• Attacker manipulates infected device behavior via HTTP C&C packets sent to the targeted device
• Found on ISR G1: 1841/2811/3825
• Static infection to modify Cisco IOS

https://www.talosintelligence.com/scanner

Image Signing: How It Works

Signing:
1. Run the software image through a hash function to produce its hash (e.g. 0100010 1110011).
2. Sign the hash with the Cisco private key.
3. Embed the signature into the software.

Verification:
1. Run the received software through the same hash function to recompute its hash.
2. Verify the embedded signature with the Cisco public key to recover the signed hash.
3. Compare the two hashes to verify authenticity.

Generic Boot Sequence

Hardware (fetch instruction set, start-up) → Initialize Basic Input/Output System (BIOS) → Bootloader → Operating System

Infection Points in the Generic Boot Sequence
• Changing the boot interface
• Booting from an alternate device
• Bypassing integrity checks
• Adding persistent code

Secure Boot Starts from Protected Code

The Hardware Instruction Set (boot code) must be protected against unauthorized modification from outside.

Trust Anchor for Secure Boot

• Stores the initial instructions securely
• Point of trust where validation can begin
• Cryptographically validates the integrity of ROMMON
• Ensures integrity for the boot sequence

Cisco Secure Boot: Anchors Secure Boot in Hardware to Create a Chain of Trust

Boot code integrity anchored in hardware; software authenticity checked at each step:
Step 1: Hardware Anchor launches the Microloader on the CPU
Step 2: Microloader checks the Bootloader
Step 3: Bootloader checks the OS
Step 4: OS launched

• Only authentic signed Cisco software boots up on a Cisco platform
• The boot process stops if any step fails to authenticate
• The IOS “show software authenticity” command illustrates the results

Cisco Secure Boot and UEFI Secure Boot

Hardware-anchored Secure Boot (Cisco Secure Boot): Step 1 Hardware Anchor → Microloader*, Step 2 Microloader checks Bootloader, Step 3 Bootloader checks OS, Step 4 OS launched.
UEFI (Unified Extensible Firmware Interface): Microloader → Bootloader → OS, with no hardware anchor.

Cisco Secure Boot
• Anchors the Secure Boot process to hardware
• Resists supply chain and physical possession-based tampering attacks
  - More difficult to modify hardware than software
  - More expensive
  - Hardware modification is more visible

UEFI
• Not anchored in hardware
• Nothing validates Bootloader firmware
  - Susceptible to Bootloader rootkits
  - Susceptible to easy modifications in supply chain or with physical possession

Trust Anchor Module (TAm)

Cisco Trust Anchor Module (TAm)
• Integrity Applications: HW Authenticity Check, Secure PnP, Integrity Verification
• TAm Services Libraries
• Crypto Functions
• Tamper-Proof Storage: SUDI, Boot Measurements
• Chip Design: Anti-Tamper, Built-In Crypto Functions, Secure Storage

Platform Integrity: TPM and TAm Compared

TPM & TAm capabilities: non-volatile secure storage, anti-tamper, crypto engine, random number generation, key storage, policy & configuration.

Cisco Trust Anchor Module
• Hardware designed to provide both end-user and supply chain protections
• Ideal for specialized network devices

Trusted Platform Module (TPM)
• Typically focused on providing end-user capabilities
• Ideal for general purpose

Secure Unique Device Identification (SUDI)

• Tamperproof ID for the device
• Binds the hardware identity (PID) to a key pair in a cryptographically secure X.509 certificate during manufacturing
• Connections with the device can be authenticated by the SUDI credential
• IEEE 802.1AR Compliant

Uses for SUDI
• Internal checks in the box
• Authentication
• Bootstrap Identity
• Remote Attestation

Cisco Trust Anchor Module

• Tamper Proof Storage
• Hardware Authenticity Check
• Built-In Security Applications
• Integrity Verification
• Embedded Crypto Functions
• Secure Zero-Touch Provisioning

Hardware Authenticity Check

Integrity Verification: Counterfeiting is Real

Cisco Secure Boot and Trust Anchor Module: Validating the Authenticity of Software Followed by Hardware

Step 1: Microloader* runs on the CPU
Step 2: Microloader checks the Bootloader
Step 3: Bootloader checks the OS
Step 4: OS launched
Steps 5–6: Trust Anchor module performs the authenticity and license checks

* The first instructions that run on a CPU are either stored in immutable hardware so that they cannot be tampered with or are validated by the hardware.

Steps 1–4 are software authenticity checks; steps 5–6 are hardware authenticity checks.

Verifying that I can trust the device

Boot Integrity Visibility: Store Boot Measurements

Step 1: Hardware Anchor launches the Microloader
Step 2: Microloader checks the Bootloader
Step 3: Bootloader checks the OS
Step 4: OS launched
At each step the measurements are written to TAm tamper-proof storage.

Boot Integrity Visibility = Remote Attestation: Report Results Securely

Client ↔ TAm (Integrity Verification App, Crypto Functions, Tamper-Proof Storage holding SUDI and Boot Measurements):
1. Client: Request SUDI [Nonce] … Device: SUDI is …
2. Client: Request Integrity Measures … Device: Values are …
The client compares the reported values with Known Good Values (KGV).

Cisco Development Cycle / Boot Integrity Visibility: Attestation of the Identity and Boot Status

• Software Development → Known Good Value Collection → published on CCO
• Network Device: Secure Boot measurements stored in the Trust Anchor → Extract & Sign Measurements with SUDI (a “Nonce” prevents replay attacks)
• Integrity Verification App: Decrypt & Verify Measurements. Verifies the identity of the device, that it is running authentic Cisco SW, on authentic Cisco HW.
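The image-signing flow, the hardware-anchored chain of trust, the stored boot measurements and the nonce-based attestation against Known Good Values described above, as one added runnable model that is not Cisco's code: keygen/sign/verify are a constructed textbook-RSA stand-in for the real signing and SUDI keys, and the stage payloads, KGV table and nonces are constructed.

```python
import hashlib
import json
import secrets

# Toy RSA, constructed for this illustration only (textbook RSA over a SHA-256 digest,
# no padding, 512-bit modulus); it stands in for the real signing and SUDI keys.
def _is_probable_prime(n, rounds=20):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=256):
    """Return (private, public); each key is an (exponent, modulus) pair."""
    def prime():
        while True:
            p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(p):
                return p
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q  # at least 2^510, so a 256-bit digest read as an integer is always < n
    return (pow(e, -1, phi), n), (e, n)

def sign(priv, data):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)
def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# Image signing: hash the image, sign the hash, ship the signature embedded with the image.
def sign_image(vendor_priv, name, payload):
    return {"name": name, "payload": payload.hex(), "sig": sign(vendor_priv, payload)}

def secure_boot(anchor_pub, stages, tam_store):
    """Chain of trust: each stage (microloader, bootloader, OS) is checked against the key
    anchored in hardware before it runs; its measurement is written to the TAm store first."""
    tam_store.clear()
    for image in stages:
        payload = bytes.fromhex(image["payload"])
        tam_store.append({"stage": image["name"], "hash": hashlib.sha256(payload).hexdigest()})
        if not verify(anchor_pub, payload, image["sig"]):
            return False  # boot stops; the offending measurement stays recorded
    return True

def attest(sudi_priv, tam_store, nonce):
    """Device side: bind the stored measurements to the verifier's nonce, sign with SUDI."""
    report = json.dumps({"nonce": nonce, "measurements": tam_store}, sort_keys=True).encode()
    return {"report": report, "sig": sign(sudi_priv, report)}

def verify_attestation(sudi_pub, kgv, nonce, response):
    """Verifier side: the signature proves device identity, the nonce defeats replay, and
    each measurement must equal the Known Good Value (KGV) published for that stage."""
    if not verify(sudi_pub, response["report"], response["sig"]):
        return "bad signature"
    body = json.loads(response["report"])
    if body["nonce"] != nonce:
        return "replayed report"
    for m in body["measurements"]:
        if kgv.get(m["stage"]) != m["hash"]:
            return "unexpected %s measurement" % m["stage"]
    return "ok"

def demo():
    """Clean boot, then an implanted OS image, then a replayed report; return the outcomes."""
    vendor_priv, vendor_pub = keygen()  # vendor signing key; public half anchored in hardware
    sudi_priv, sudi_pub = keygen()      # per-device SUDI key pair installed at manufacturing
    stages = [sign_image(vendor_priv, s, ("constructed %s code" % s).encode())
              for s in ("microloader", "bootloader", "os")]
    kgv = {s["name"]: hashlib.sha256(bytes.fromhex(s["payload"])).hexdigest() for s in stages}
    store, nonce = [], secrets.token_hex(16)
    out = {"clean_boot": secure_boot(vendor_pub, stages, store)}
    out["clean_attest"] = verify_attestation(sudi_pub, kgv, nonce, attest(sudi_priv, store, nonce))
    # Implant code into the OS image: the embedded signature no longer matches its hash.
    bad_os = dict(stages[2], payload=(b"implant" + bytes.fromhex(stages[2]["payload"])).hex())
    out["tampered_boot"] = secure_boot(vendor_pub, stages[:2] + [bad_os], store)
    out["tampered_attest"] = verify_attestation(sudi_pub, kgv, nonce, attest(sudi_priv, store, nonce))
    # Replay an earlier genuine report against a fresh nonce.
    out["replay"] = verify_attestation(sudi_pub, kgv, secrets.token_hex(16), attest(sudi_priv, [], nonce))
    return out
```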

Integrity Verification Demo

Secure Zero-Touch Deployment

Step 1: SUDI unique device identifier and serial number installed at manufacturing
Step 2: Secure boot of signed images at start-up verifies platform integrity
Step 3: Verification of device authenticity and integrity
Step 4: Network device sends its credentials to the Plug and Play server
Step 5: Plug and Play server verifies the identity of the device to be provisioned
Step 6: Two-way trust and secure communications established
Step 7: Secure provisioning of Cisco network device

Cisco SD-WAN Platform for Digital Transformation

(Diagram: cloud delivered, analytics, automation, virtualization; users, devices and things connect over the Cisco SD-WAN fabric to applications in the cloud, IoT, DC, vDC, IaaS and SaaS; secure, scale, open.)

Cisco SD-WAN Zero Touch Provisioning: Certificate-Based Trust

Components: vManage, vBond, vSmart, vEdge; Administrator Defined vEdge List; Signed Controllers List.
• Bi-directional certificate-based trust between all elements
  - Public or Enterprise PKI
• White-list of valid vEdges and controllers
  - Certificate serial number as unique identification

Best Practices

Best Practices For Securing Infrastructure Devices
• Monitor Cisco Security Advisories and Responses
• Strengthen login credentials by leveraging Authentication, Authorization, and Accounting (AAA)
• Centralized Log Collection and Monitoring
• Establish a baseline and instrument the network to gain traffic visibility with NetFlow
• Control Plane & Management Plane Hardening

PSIRT: Cisco Security Advisories and Response

• Vulnerability Management: evaluate and drive resolution of Cisco product & Cloud Services vulnerabilities
• Incident Response: assist customers with network-impacting security events
• Proactive Engagement: provide feedback and influence product design

Cisco PSIRT openVuln API: Stay informed about security vulnerabilities

https://developer.cisco.com/site/PSIRT/

A Modern Approach to Security

Cisco PSIRT openVuln API: This API allows technical staff and programmers to build tools that help them do their job more effectively. In this case, it enables them to easily keep up with security vulnerability information specific to their network. https://developer.cisco.com/site/PSIRT

Open Source Tools: Access our GitHub repository and open source tools at: https://github.com/CiscoPSIRT/openVulnAPI

Community Support: Collaborate, learn, share and interact with Cisco PSIRT and other industry experts at the Cisco PSIRT Developer Community: http://cs.co/psirt_community

Cisco Security Center: Access numerous security resources, white papers, vulnerability reports, blog posts, RSS feeds, and other information at: https://cisco.com/security

Phishing for login credentials

“Attackers Use Stolen Credentials to Hack Cisco Networking Devices” SecurityWeek, August 13, 2015

“65 percent of companies expect to suffer a breach due to compromised credentials” 2016, Cloud Security Alliance

“81% of hacking-related breaches leveraged either stolen and/or weak passwords” 2017 Verizon Data Breach Investigations Report

Prevent Unauthorized Access: Better and Stronger Authentication
• Better / stronger password using enable secret (single factor)
• Public/private key (single factor)
• One Time Password/Token System (2-factor)
• CAC/smartcard with X.509v3 certificate, RFC 6187 (2-factor)

CAC/smartcard with X.509v3 SSH Authentication

Flow: CAC card reader → Pragma Fortress SSH Client → Cisco SSH Server (Cisco CLI) → Cisco ACS (AAA): X.509 authentication, user authorization, SSH session establishment.

• Government Certified
• Standard RFC-6187
• First end-to-end solution with Cisco and Pragma Systems
• Most secure access to command line
• Two-factor authentication
• X.509v3 certificate & PIN

Gain visibility and intelligence of your network

Network as a Sensor: leverage information from other solutions to gain complete network visibility and security analytics.

Stealthwatch
• Provides unique visibility into what’s happening across your entire network
• Detects anomalies and threats faster with real-time analysis and advanced forensics capabilities
• Generates notifications automatically when anomalies are detected on the network

Principles: everything must touch the network; know every host; record every conversation; understand what’s normal; get alerted to change (Company, Host, Access, Audit, Posture, Detect).

Hardening the Device

• Enable SSH and disable Telnet (values in angle brackets are placeholders for your own names)

    hostname <hostname>
    ip domain-name <domain>
    crypto key generate rsa general-keys modulus 2048
    ip ssh time-out 60
    ip ssh source-interface <interface>
    ip ssh logging events
    ip ssh version 2
    ip ssh dh min size 2048
    !
    line vty 0 15
     access-class 100 in      !!! Control access to the VTY terminal
     transport input ssh      !!! Specify SSH as the only access to the VTY
     transport output ssh

• Enable data-at-rest protection with the AES-128 algorithm

    service password-encryption
    key config-key password-encrypt <master-key>   !!! master key used by AES (type 6) encryption
    password encryption aes

• Disable unused services

    no service pad
    no service config
    no service dhcp
    no ip source-route
    no ip gratuitous-arps
    no ip bootp server
    no ip http server
    no ip http secure-server

• Protect routed interfaces from spoofing and probing

    interface <interface>
     no ip proxy-arp
     no ip unreachables
     no ip redirects
     ip verify unicast source reachable-via rx
     no ipv6 unreachables
     no ipv6 redirects
     ipv6 verify unicast source reachable-via rx

• Use SNMPv3 to secure access to devices by authenticating and encrypting data packets

    snmp-server view <view> iso included
    snmp-server group <group> v3 priv read <view>
    snmp-server user admin <group> v3 auth sha <auth-password> priv aes 128 <priv-password>
    snmp-server trap-source <interface>
    snmp-server host <host> version 3 priv admin
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps config
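As an added example (not a Cisco tool), a small audit that reads an IOS-style running-config and reports which of the hardening items above are missing: SSH-only VTY access, SSHv2 with a 2048-bit DH minimum, unused services disabled, anti-spoofing on every routed interface, and SNMPv3 authPriv instead of community strings. Both sample configs are constructed.

```python
import re

# Global lines the hardening slides call for (running-config wording; constructed list).
REQUIRED_GLOBAL = [
    "ip ssh version 2",
    "service password-encryption",
    "no service pad",
    "no ip source-route",
    "no ip bootp server",
    "no ip http server",
    "no ip http secure-server",
]
# Anti-spoofing lines expected on every interface that carries an IP address.
REQUIRED_ON_ROUTED_INTERFACES = [
    "no ip proxy-arp",
    "no ip redirects",
    "no ip unreachables",
    "ip verify unicast source reachable-via rx",
]

def parse_blocks(config):
    """Split an IOS-style config into top-level lines and (header, [indented children]) blocks."""
    top, blocks, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
            top.append(current[0])
    return top, blocks

def audit(config):
    """Return a list of findings; an empty list means every checked item is in place."""
    findings = []
    top, blocks = parse_blocks(config)
    for wanted in REQUIRED_GLOBAL:
        if wanted not in top:
            findings.append("global: missing '%s'" % wanted)
    dh = re.search(r"^ip ssh dh min size (\d+)$", config, re.M)
    if not dh or int(dh.group(1)) < 2048:
        findings.append("global: SSH DH group smaller than 2048 bits")
    if any(line.startswith("snmp-server community ") for line in top):
        findings.append("snmp: v1/v2c community string configured")
    if not any(re.match(r"snmp-server group \S+ v3 priv", line) for line in top):
        findings.append("snmp: no SNMPv3 group with authPriv")
    for header, body in blocks:
        if header.startswith("line vty"):
            transports = [line for line in body if line.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append("%s: transport input is not SSH-only" % header)
            if not any(line.startswith("access-class ") for line in body):
                findings.append("%s: no access-class restricting sources" % header)
        elif header.startswith("interface ") and any(line.startswith("ip address ") for line in body):
            for wanted in REQUIRED_ON_ROUTED_INTERFACES:
                if wanted not in body:
                    findings.append("%s: missing '%s'" % (header, wanted))
    return findings

# Constructed sample configs: a default-ish box with telnet, HTTP and SNMPv2c still on,
# and the same device after applying the hardening commands from the slides.
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
snmp-server community public RO
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
ip domain-name example.net
service password-encryption
no service pad
no ip source-route
no ip bootp server
no ip http server
no ip http secure-server
ip ssh version 2
ip ssh dh min size 2048
snmp-server group NETMGMT v3 priv
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip verify unicast source reachable-via rx
!
line vty 0 15
 access-class 100 in
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```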

Runtime Defenses

Vulnerabilities in Running Software
• An attacker wants to exploit the operating system while the software is running.
• Build software so that the possibility of exploitation is reduced.
• Use compiler, kernel, and HW capabilities to provide protections.

Mitigations at Runtime

(Refers back to the six-variant malware timeline, 2011–2016, shown under “The Attack – IOS Modifications”.)

Heartbleed: Buffer Overflow Attack

Computer Scientists Take Over Electronic Voting Machine (UC San Diego, August 11, 2009, Stephen Checkoway, Ph.D.)
• Return Oriented Programming attack
• Overrun data buffers to bypass normal execution
• A method of “Code Reuse Attack”
• Uses libc “gadgets” to manipulate the system

Cisco Runtime Defenses
• Object-Size Checking
• Address Space Layout Randomization (ASLR)
• X-Space

Hardware, operating system, compiler, and development best practices to protect against buffer-overflow and return-oriented programming attacks.

Quality Crypto

Why Quality Crypto Matters
• Drivers: privacy, compatibility, efficiency
• Enablers: secure cryptography, simplification, data protection, secure storage

Quality Crypto - CiscoSSL

CiscoSSL = OpenSSL + Hardened Crypto Library + Feature Enhancements + Certification Support

Hardened Crypto Library (industry best practices)
• RC4 TLS cipher suites disabled
• GOST ciphers disabled
• SP800-90A DRBG enabled by default
• SSLv2 and SSLv3 are disabled

Feature Enhancements (improving security and usability)
• Improved ECC performance with FEC deprecation
• International ECC support
• IETF Curve25519
• Deterministic ECDSA enhancements to improve security posture
• Side-channel attack mitigation for ECDSA signature generation
• Entropy Enhancements
• RDRAND support
• 800-90A DRBG

Certification Support (compliance for public sector)
• FIPS Object Module Support
• FIPS mode
• Includes support for updated NIST requirements
• Common Criteria Support
• CC mode
• Alignment with new NIAP and Protection Profile requirements

Summary

Direct attacks on network devices are a real threat.

• Keep Malware Out (SYNful Knock)
• Block Tampering
• Stop Counterfeiting

Attacker goals: exploit the network, attack customers, steal intellectual property, steal customer data, money laundering, insider trading, ransomware, identity theft, brand damage.

Trustworthy Systems
• Holistic Approach
• Built for Today’s Threats
• Evidence of Trust
• Security Expertise and Innovation

Organizations require a secure, resilient network foundation for digitization.

https://trust.cisco.com


Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you

Backup Slides: Feature Support

Feature Support
Feature | ASR 1001-HX | ASR 1002-HX | ASR 1000-RP3 | ASR 1001-X | ASR 1002-X | ASR 1000-RP2
Image Signing | Yes | Yes | Yes | Yes | Yes | Yes
HW-Anchored Secure Boot | Yes | Yes | Yes | Yes | Yes | No
Trust Anchor Module | Yes | Yes | Yes | Yes | No | No
HW Authenticity Assurance | Yes | Yes | Yes | Yes | Yes | Yes
Boot Integrity Visibility | Yes | Yes | Yes | Yes | Yes | No
Runtime Defenses | Yes | Yes | Yes | Yes | Yes | Yes
Simplified Factory Reset | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1)
Secure Storage | No | No | No | No | No | No
Secure Guest Shell | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1) | Yes (16.7.1)

Solution Support
SUDI authentication for Cisco Network PnP* | Yes | Yes | Yes | Yes | No |
APIC EM Integrity Visibility App Support | Yes | Yes | Yes | Yes | Yes |

* See Release Notes for Network Plug and Play
** For specific models, see Cisco 800 Series Integrated Services Routers Software Configuration Guide

Feature Support
Feature | ISR 4451-X | ISR 4431 | ISR 4351 | ISR 4331 | ISR 4321 | ISR 4221 | CSR 1000V | ENCS-5400
Image Signing | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
HW-Anchored Secure Boot | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
Trust Anchor Module | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
HW Authenticity Assurance | Yes | Yes | Yes | Yes | Yes | Yes | No | No
Boot Integrity Visibility | Yes | Yes | Yes | Yes | Yes | Yes | No | No
Runtime Defenses | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
Simplified Factory Reset | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | No | No
Secure Storage | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) | No | No
Secure Guest Shell | Yes (16.5.1) | Yes (16.5.1) | Yes (16.5.1) | Yes (16.5.1) | Yes (16.5.1) | Mar '18 (16.8.1) | Nov '17 (16.7.1) | No

Solution Support
SUDI authentication for Cisco Network PnP* | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
APIC EM Integrity Visibility App Support | Yes | Yes | Yes | Yes | Yes | Yes | |

* See Release Notes for Network Plug and Play
** For specific models, see Cisco 800 Series Integrated Services Routers Software Configuration Guide

Feature Support
Feature | IR 809 | ISR 819 | ISR 829 | ISR 840 | ISR 860 | ISR 880 | ISR 890 | ISR 1900 | ISR 2900 | ISR 3900
Image Signing | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
HW-Anchored Secure Boot | Yes | No | Yes | No | No | No | No | No | No | No
Trust Anchor Module | Yes | No | Yes | No | No | No | No | No | No | No
HW Authenticity Assurance | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Boot Integrity Visibility | No | No | No | No | No | No | No | No | No | No
Runtime Defenses | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Simplified Factory Reset | No | No | No | No | No | No | No | No | No | No
Secure Storage | No | No | No | No | No | Yes** | Yes** | No | No | No
Secure Guest Shell | No | No | No | No | No | No | No | No | No | No

Solution Support
SUDI authentication for Cisco Network PnP* | No | Yes | No | No | No | No | No | No | No | No
APIC EM Integrity Visibility App Support | | | | | | | | | |

* See Release Notes for Network Plug and Play
** For specific models, see Cisco 800 Series Integrated Services Routers Software Configuration Guide

BRKSEC-1010 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 105 Feature Support & Roadmap

| Feature Support | Cat 9500 | Cat 9400 | Cat 9300 | Cat 3850 | Cat 3850 Fiber | Cat 3650 |
|---|---|---|---|---|---|---|
| Image Signing | Yes | Yes | Yes | Yes | Yes | Yes |
| HW-Anchored Secure Boot | Yes | Yes | Yes | Yes | Yes | Yes |
| Trust Anchor Module | Yes | Yes | Yes | Yes | Yes | Yes |
| HW Authenticity Assurance | Yes | Yes | Yes | Yes | Yes | Yes |
| Boot Integrity Visibility | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Yes | Yes | Yes |
| Runtime Defenses | Yes | Yes | Yes | Yes | Yes | Yes |
| Simplified Factory Reset | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Yes (16.6.1) | Yes (16.6.1) | Yes (16.6.1) |
| Secure Storage | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Mar '18 (16.8.1) | Mar '18 (16.8.1) |
| Secure Guest Shell | Yes (16.5.1) | Yes (16.6.1) | Yes (16.5.1) | Yes (16.5.1) | Yes (16.5.1) | Yes (16.5.1) |
| Solution Support | | | | | | |
| SUDI authentication for Cisco Network PnP* | Yes | Yes | Yes | Yes | Yes | Yes |
| APIC EM Integrity Visibility App Support | Yes | Yes | Yes | Yes | Yes | Yes |

*See Release Notes for Network Plug and Play

Feature Support

| Feature Support | Cat 3750-X | Cat 3560-X | Cat 3560-CX | Cat 6800 Sup6T | Cat 6800 Sup2T | Cat 4500 Sup8E | Cat 4500 Sup7E/LE | Cat 4500-X | Cat 4500 Sup6E/LE | Cat 2960-X | Cat 2960-L | Cat 2960-CX |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Image Signing | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes - 15.3(1)E | Yes |
| HW-Anchored Secure Boot | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | No | Yes |
| Trust Anchor Module | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| HW Authenticity Assurance | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Boot Integrity Visibility | No | No | No | No | No | No | No | No | No | No | No | No |
| Runtime Defenses | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Simplified Factory Reset | No | No | No | No | No | No | No | No | No | No | No | No |
| Secure Storage | No | No | No | No | No | No | No | No | No | No | No | No |
| Secure Guest Shell | No | No | No | No | No | No | No | No | No | No | No | No |
| Solution Support | | | | | | | | | | | | |
| SUDI authentication for Cisco Network PnP* | No | No | No | No | No | Yes | Yes | Yes | No | No | No | No |
| APIC EM Integrity Visibility App Support | | | | | | | | | | | | |

Feature Support

| Feature | Aironet 1560 | Aironet 1815 | Aironet 2800 | Aironet 3800 | Aironet 1830 | Aironet 1850 |
|---|---|---|---|---|---|---|
| Image Signing | Yes | Yes | Yes | Yes | Yes | Yes |
| HW-Anchored Secure Boot | Yes | Yes | Yes | Yes | Yes | Yes |
| Trust Anchor Module | Yes | No | Yes | Yes | No | No |
| HW Authenticity Assurance | Yes | No | Yes | Yes | Yes | Yes |
| Boot Integrity Visibility | No | No | No | No | No | No |
| Runtime Defenses | No | No | No | No | No | No |
| Solution Support | | | | | | |
| SUDI authentication for Cisco Network PnP* | No | No | No | No | No | |
| APIC EM Integrity Visibility App Support | No | No | No | No | No | |

Feature Support

| Feature | 8500 Series WLC | Cisco 5500 Series WLC | Cisco 3504 WLC | Cisco 2500 Series WLC |
|---|---|---|---|---|
| Image Signing | Yes | Yes | Yes | Yes |
| HW-Anchored Secure Boot | No | No | No | No |
| Trust Anchor Module | Yes | Yes | Yes | Yes |
| HW Authenticity Assurance | Yes | Yes | Yes | Yes |
| Boot Integrity Visibility | No | No | No | No |
| Runtime Defenses | No | No | No | No |
| Solution Support | | | | |
| SUDI authentication for Cisco Network PnP* | No | No | No | |
| APIC EM Integrity Visibility App Support | Yes | Yes | Yes | |

*See Release Notes for Network Plug and Play

Feature Support

| Features | Cisco Identity Services Engine (ISE) | Cisco Email Security Appliance (ESA) | Cisco Adaptive Security Appliance (ASA) | Firepower Appliances | AMP for Networks | Cisco Web Security Appliance (WSA) |
|---|---|---|---|---|---|---|
| Image Signing | Yes | Yes | Yes for Most Models++ | Yes | Yes | Yes |
| Runtime Defenses | Yes | Yes | Yes | Yes | Yes | Yes |
| HW-Anchored Secure Boot ** | No | No | Yes for Most Models++ | 2100 Series | No | No |
| Trust Anchor Module ** | No | Yes | Yes for Most Models++ | Yes | No | Yes |
| HW Authenticity Check ** | No | Yes | Yes | Yes | No | Yes |

** Applies to HW / Appliances only

++ Except 5525-X, 5545-X, 5555-X, and 5585-X

Feature Support Questions

• Ask your account team

• Email [email protected]

Further Reading

• Cisco IOS Software Integrity Assurance
  • Methods to compromise Cisco devices, best practices to protect against attempts to modify HW or SW
  • http://www.cisco.com/c/en/us/about/security-center/integrity-assurance.html

• Cisco Guide to Harden Cisco IOS Devices
  • http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

• Telemetry Based Infrastructure Device Integrity Monitoring
  • http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

• Cisco Security Response Center Home
  • https://tools.cisco.com/security/center/home.x

Further Reading

• Cisco Event Response: SYNful Knock Malware
  • http://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html

• Digitally Signed Cisco Software
  • http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-mgmt/configuration/xe-3s/sysimgmgmt-xe-3s-book/sysimgmgmt-dgtly-sgnd-sw.pdf
