Policy Defined Segmentation with Cisco TrustSec Session ID 18PT Rob Bleeker – Consulting System Engineer CCIE #: 2926 Abstract . This session will explain how TrustSec Security Group Tagging can be used to simplify access controls and provide software-defined segmentation. We will cover how to extend context-aware controls from the access layer to data centers in order to reduce operational effort, support compliance initiatives and facilitate BYOD. The session is targeted at network and security architects who want to know more about Secure Access using the TrustSec solution. Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 3 Agenda . TrustSec Overview . Classification . Transport . Enforcement . MACSec Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public . TrustSec Overview . Classification . Transport . Enforcement . MACSec Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public SANS - 20 Critical Security Controls… . Control # 1: Inventory of Authorized and Unauthorized devices Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access . Control # 7: Wireless Access Control The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems. Control # 14: Controlled Access Based on the Need to Know The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification. Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public The challenge with current access controls… . Protected assets are defined by their network connection – Policies are statically and manually configured – Rules are based on network topology (subnets, addresses) – IP Address does not provide user context or meaning . Method does not facilitate key Business / IT requirements like: . Frequent organizational changes . Mobile workforces . Device choice . Virtualization Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Traditional Segmentation Steps replicated across floors, buildings and sites ACL Aggregation Layer VLAN Addressing DHCP Scope Redundancy Routing Static ACL Access Layer Quarantine Voice Data Suppliers Guest SimpleMore PoliciesSegmentation using morewith 2VLANs VLANs Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 9 User to Data Center Access Control with TrustSec SGT . Regardless of Data Center Data Center topology or location, Firewall policy (Security Group Tag) stays Campus Core with users, devices and servers Access Layer Employee Tag Supplier Tag Guest Tag Quarantine Tag Voice Voice Employee Suppliers Guest Quarantine Building 3 Main Building WLAN Data VLAN Data VLAN Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Campus segmentation with TrustSec SGT . Enforcement is Data Center Data Center Firewall based on the Security Group Tag, Campus Core can control communication in same VLAN Access Layer Employee Tag Supplier Tag Guest Tag Quarantine Tag Voice Voice Employee Employee Guest Quarantine Building 3 Main Building Data VLAN (200) Data VLAN (100) Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 11 High OPEX Security Policy Maintenance NY 10.2.34.0/24 10.2.35.0/24 NY 10.2.36.0/24 PCI 10.3.102.0/24 DC-PCI1 Servers SF 10.3.152.0/24 DC-PCI2 LA 10.4.111.0/24 DC-PCI3 SJC …. DC-RTP (VDI) Traditional ACL/FW Rule Source Destination permit NY to PCI1 for HTTPS deny NY to PCI2 for SQL deny NY to PCI3 for SSH permit SF to PCI1 for HTTPS deny SF to PCI2 for SQL ACL for 3 source objects & 3 destination objects deny SF to PCI3 for SSH permit LA to PCI1 for HTTPS deny LA to PCI2 for SQL deny LA to PCI3 for SSH Permit SJC to PCI1 for HTTPS deny SJC to PCI2 for SQL Adding source Object deny SJC to PCI3 for SSH permit NY to VDI for RDP deny SF to VDI for RDP Adding destination Object deny LA to VDI for RDP deny SJC to VDI for RDP Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Reduced OPEX in Policy Maintenance NY DC-PCI1 PCI SF DC-PCI2 Servers LA DC-PCI3 Employee SJC DC-RTP (VDI) Security Group Filtering VDI Servers BYOD Source SGT: Destination SGT: Employee (10) PCI-Servers (50) Policy Stays with BYODUsers /(200) Servers regardless VDIof location (201) or topology Permit Employee to PCI-Servers eq HTTPS SimplerPermit AuditingEmployee Process to (Low PCI- ServersOpex Cost)eq SQL SimplerPermit Security Employee Operation to (Resource PCI-Servers Optimization) eq SSH Permit Employee to VDI eq RDP Deny BYOD Clear to ROI PCIin OPEX-Servers Deny BYOD to VDI eq RDP Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Extensive Policy Enforcement Comprehensive Contextual Identity Comprehensive Secure Access Guest access Profiling Posture Who What Where When How CONTEXT Vicky Sanchez Personal iPad Employee, Marketing Employee Owned Wireless HQ Wireline Francois Didier 3 p.m. Consultant HQ - Strategy Frank Lee Security Camera Gateway Remote Access Guest Agentless Asset 6 p.m. Chicago Branch Wireless 9 a.m. IDENTITY IEEE 802.1X MAB WebAuth Cisco Switches, Routers, and Wireless Access Points Identity (IEEE 802.1X)-Enabled Network Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Security Group Access . Unique 16 bit (65K) tag assigned to unique role Security Group Tag . Represents privilege of the source user, device, or entity . Tagged at ingress of TrustSec domain . Filtered (SGACL) at egress of TrustSec domain SGSG ACL . No IP address required in ACE (IP address is bound to SGT) . Policy (ACL) is distributed from central policy server (ACS) or configured locally on TrustSec device Customer Benefits . Provides topology independent policy . Flexible and scalable policy based on user role . Centralized Policy Management for Dynamic policy provisioning . Egress filtering results to reduce TCAM impact Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public 15 TrustSec In Action Classification ISE Directory Fin Servers SGT = 4 Enforcement Users, Device SGT:5 HR Servers SGT = 10 Switch Router DC FW DC Switch SGT Transport • TrustSec is a context-based firewall or access control solution: • Classification of systems/users based on context (user role, device, location, access method) • The context-based classification propagates using SGT • SGT used by firewalls, routers and switches to make intelligent forwarding or blocking decisions in the DC Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public . Overview . Classification . Transport . Enforcement . MACSec Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Classification Identification and Classification Device Type: Apple iPAD User: Mary Classification Result: Group: Employee Personal Asset SGT Corporate Asset: No Along with authentication, ISE Profiling various data is sent to ISE for device profiling ISE (Identity Services Engine) SGT Security Group Policy ID & ID DC Resource Profiling Data Profiling Access Company NetFlow DCHPDNS asset HTTPOUI RADIUSNMAP SNMP AP Wireless LAN Controller Restricted Employee Internet Only Distributed Personal asset Enforcement based on Security Group Propagate Presentation_ID CiscoClassify and/or its affiliates. All rights reserved. EnforceCisco Public Classification How SGT is Assigned (Tagged)? ISE: Endpoint is classified with SGT SVI interface is Physical Server is mapped to SGT mapped to SGT Campus Access Distribution Core DC Core EOR DC Access Enterprise Backbone SRC: 10.1.100.98 Hypervisor SW VLAN is mapped WLC to SGT FW Virtual Machine is ISE: device is mapped to SGT classified with SGT Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Classification summary Dynamic Classification Static Classification • IP Address • VLANs • Subnets 802.1X Authentication • L2 Interface SGT • L3 Interface Web Authentication • Virtual Port Profile • Layer 2 Port Lookup MAC Auth Bypass Common Classification for End Common Classification for Servers, Devices Topology-based policy, etc. Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public Dynamic Classification Process in Detail Supplicant Switch / WLC ISE Layer 2 Layer 3 00:00:00:AB:CD:EF EAPoL Transaction RADIUS Transaction EAP Transaction Authentication 1 Policy Authorized MAC: Authorization Evaluation SGT 0 00:00:00:AB:CD:EF Authorized SGT = 5 cisco-av-pair=cts:security-group-tag=0005 2 DHCP 3 DHCP Lease: ARP Probe IP Device Binding: 10.1.10.100/24 Tracking 00:00:00:AB:CD:EF = 10.1.10.100/24 SRC: 10.1.10.100 = SGT 5 3560X#show cts role-based sgt-map all details Make sure that IP Active IP-SGT Bindings Information Device Tracking IP Address Security Group Source ============================================= is TURNED ON 10.1.10.1 3:SGA_Device INTERNAL Presentation_ID 10.1.10.100Cisco and/or its affiliates. All rights reserved. 5:Employee Cisco PublicLOCAL Classification ISE as Centralized Policy Manager Employee Access Match Conditions: - Device Status = Registered Asset - SSID = Corporate-WiFi - Certificate-based Authentication
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages65 Page
-
File Size-