Cisco Austria Partner Summit 2016
TrustSec in practice. Thomas Vavra, Mondi & Manfred Brabec, Cisco
TrustSec: Mondi's migration to a segmented, global, transport-independent and secure WAN
Thomas Vávra, Manager Communication Networks, Mondi AG
Manfred Brabec, Consulting Systems Engineer Security, Cisco GSSO
Agenda
● Introduction
● Mondi overview
● Mondi current network
● TrustSec fundamentals
● TrustSec in WAN
● Conclusion
Mondi overview
Our history
1793 • Founding of the Neusiedler paper mill, Austria
1881 • Founding of the pulp and paper mill Frantschach, Austria
1967 • Founding of Mondi
1997 • Acquisition of Świecie, one of Poland's largest paper mills
2000 • Acquisition of majority of Frantschach • Acquisition of 50% of the Ružomberok UFP & pulp mill, Slovak Republic • Acquisition of the kraft paper, industrial bags and extrusion coatings businesses of AssiDomän • Start-up of Extrusion Coatings, Release Liner and Consumer Packaging
2002 • Increased ownership of the Syktyvkar mill, Russia, to over 90%
2007 • Demerger of the Mondi Group from Anglo American plc • Acquisition of majority stake in Tire Kutsan, Turkey
2009 • Start of new lightweight recycled containerboard machine ECO7 and corrugated box plant in Świecie, Poland
2010 • Acquisition of the Western European industrial and consumer bags businesses of Smurfit Kappa • Completion of the extension and modernisation of Syktyvkar, Russia
2012 • Acquisition of NORDENIA INTERNATIONAL AG • Acquisition of Duropack operations in Germany and Czech Republic
2013–2016 • Over €500 million allocated to major strategic capital projects
2014 • Acquisition of the industrial bags and kraft paper business of Graphic Packaging International, USA
Expertise across markets
• Food & Beverages
• Building & Construction
• Home & Personal Care
• Office & Professional Printing Paper
• Paper & Packaging Converting
• Medical & Pharmaceutical
• Automotive
• Pet Care
• Chemicals & Dangerous Goods
• Graphic & Photographic
Mondi current network
Mondi global MPLS network
"…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know."
Donald Rumsfeld, United States Secretary of Defense
The problems we wanted to solve
Internal troublemakers
• Malware: segmentation prevents lateral movement for scanning, botnets and worms
• Creative/malicious users: certain highly secured areas were protected additionally
• Human error: the right PC in the wrong segment also shouldn't cause any problems
External troublemakers
• Suppliers: suppliers providing support should only be able to access the relevant resources
• Guests: guests shouldn't be able to access anything but the Internet, in a controlled manner
• Suspicious: threats from intentional attacks should be minimized
Datacenter protection
• Application security: certain applications should only be accessible to certain people
TrustSec fundamentals
TrustSec tags everything
[Figure: endpoints and servers are classified into tags such as Employee, Distinguished?, Suspicious and server roles; the endpoint proceeds with its SGT through the network; enforcement is based on the tags. The three stages are classification, propagation and enforcement.]
Policies between tags (example cells of the policy matrix): PCI Device → PCI Servers; Medical Device → BYOD Device; Suspicious PC → Admin PC; POS → POS; Product Manager → DTME Lab
TrustSec in action
[Figure: classification, propagation and enforcement across the network. Components shown: users and directory, ISE, switch, wireless, remote access, routers, DC switch, DC firewall and application servers; SGT values 5, 7 and 8 are carried through the network.]
ISE automates policy provisioning with TrustSec
Consistent policy across wired, wireless and VPN
[Figure: ISE distributes SGTs and policy to the switch; context information is exchanged over pxGrid; the tag abstracts the endpoint into groups such as BYOD and Finance Server.]
Open TrustSec: SXP and the full SGT frame format have been submitted to the IETF
https://datatracker.ietf.org/doc/draft-smith-kandula-sxp
Difference to original Cisco TrustSec (Cisco pre-standard vs. IETF informational draft):
• SGT: Security Group Tag (Cisco) vs. Source Group Tag (IETF)
• SXP: Security Group Tag (SGT) eXchange Protocol (Cisco) vs. Source Group Tag (SGT) eXchange Protocol (IETF)
TrustSec use-cases at Mondi
Implementing business policy through segmentation
[Figure: security framework with the layers identify / trust, visibility, policy enforcement, isolation and segmentation, mapped to ISE, TrustSec, NetFlow and the switch.]
Simplifying network segmentation with SGTs
Traditional segmentation: security policy based on topology, high cost and complex maintenance. Each role gets its own VLAN from the access layer through the aggregation layer to the enterprise backbone (Voice VLAN for voice, Data VLAN for employees, Guest VLAN for suppliers, BYOD VLAN, Quarantine VLAN for non-compliant devices), and every VLAN needs address space, a DHCP scope, redundancy, routing and static ACLs / VACLs.
TrustSec: use the existing topology and automate the security policy to reduce OpEx. Employee, Supplier and Non-Compliant stay in the Data VLAN next to the Voice VLAN and are distinguished by their tag (Employee Tag, Supplier Tag, Non-Compliant Tag). ISE provisions the policy centrally: no VLAN change, no topology change, central policy provisioning, micro/macro segmentation, with the policy enforced at the DC firewall in front of the DC servers.
Automating firewall access policies with SGTs
[Figure: ISE classifies three sessions coming in over wireless and the switch (Who: Guest, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office). Across the enterprise backbone, the ASA FirePower enforces access to the EHR service by tag: Doctors, BYOD, Guest.]
VPN user to data center access
Regardless of topology or location, the policy (Security Group Tag) stays with users, devices and servers.
TrustSec simplifies VPN address / filtering management.
[Figure: SSL-VPN users (Employee, Partner-A, Supplier-B) come in from the Internet and terminate on RAS EMEA (Pool-A) and RAS US (Pool-B); each session receives an Employee, Partner-A or Supplier-B tag. Via the campus core, the data center firewall enforces access to Biz Server and Dev Apps in the data center by tag instead of by address pool.]
Simplifying Firepower Threat Defense access
Note: Security Groups are currently used for source criteria only.
TrustSec in WAN
Why TrustSec over WAN (drivers by category)
Corporate
• Growth: Mondi frequently acquires companies, and the integration of these companies is a major success factor
• Flexibility: any technology might be present on newly acquired sites; only VLANs can be assumed as the given minimum technology
Environmental
• Cost: MPLS is a luxury transport for mostly mundane applications
• Speed: high-speed Internet is available in most geographies, at a fraction of the cost and with very good reliability
Technical
• Availability: with the availability of TrustSec the game has changed
• IoE: the attitude change of users towards consumerisation has brought more and more device types into the corporate environment
Components
Transport layer
• DMVPN over Internet: high-bandwidth, low-cost transport for low-priority traffic
• DMVPN over MPLS: low-bandwidth, high-cost transport for e.g. SAP, voice and video traffic
• ZScaler: cloud proxy service as a reasonably secure method for offloading the local surf traffic
Routing layer
• BGP: used as base routing on MPLS
• EIGRP: used for the overlay routing on the encryption layer
• PfRv3: used to determine link loads, congestion, availability and service-based link selection
Security layer
• TrustSec: for security enforcement, segmentation, categorization and CoS qualification
Authorization on trunk ports: SGT assignment for MAB over trunk ports and segmentation
[Figure: Employee / endpoint → access switch (access VLAN) → 802.1X trunk (multi-auth) → distribution switch (static trunk, native VLAN) → server / destination. Source classification happens on the access side; enforcement (SGACL) happens towards the destination.]
Considerations:
(1) The access switch's own MAC address, too, must be in the list of known MAC addresses.
(2) For every MAC address seen on the distribution switch there will be two entries of the endpoint MAC address.
Device Sensor and ISE integration
1. Device connects to the network.
2. Switch gleans the device identity from control packets (CDP, LLDP, DHCP, MAC OUI).
3. Switch sends the "device info" to ISE (RADIUS probe) after parsing it through configurable filters; notifications are sent only if changes in the device info are detected.
4. ISE analyzes the data and identifies the device using the profile library and conditions.
5. Based on the ISE configuration, the device(s) get(s) the appropriate authorization.
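The five steps above, modelled end to end as an added example (this is not Cisco or ISE code). The attribute keys, the profile rules and certainty values, the OUI entries, the profile-to-SGT authorization table and the three sample endpoints are all constructed for illustration; ISE's real profile library, attribute names and scoring differ. The point it shows beyond the slide: step 3's change detection suppresses repeat notifications, and a device that keeps its MAC but changes its DHCP fingerprint is re-profiled and loses its tag, because profiling is classification, not authentication.

```python
"""Toy model of Device Sensor -> ISE profiling -> SGT authorization."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Step 2: attributes a switch gleans from control traffic. Key names are an
# assumption for this example, not real device-sensor attribute names.
GLEANED_KEYS = ("mac", "cdp-platform", "lldp-sysdesc", "dhcp-class-id", "dhcp-param-list")

# Step 4: constructed profile library. Each matching rule adds certainty; a
# profile is accepted when its total reaches MIN_CERTAINTY.
MIN_CERTAINTY = 30
PROFILE_RULES = {
    "Cisco-IP-Phone": [
        ("cdp-platform", lambda v: v.startswith("Cisco IP Phone"), 30),
        ("dhcp-class-id", lambda v: "IP Phone" in v, 20),
    ],
    "Windows-Workstation": [
        ("dhcp-class-id", lambda v: v.startswith("MSFT"), 20),
        ("dhcp-param-list", lambda v: v.startswith("1,3,6,15,31,33"), 10),
    ],
    "Printer": [
        ("lldp-sysdesc", lambda v: "Printer" in v, 30),
    ],
}
# MAC OUI hints (first three octets). Constructed entries, not a real OUI list.
OUI_PROFILE = {"00:1b:d5": ("Cisco-IP-Phone", 10), "3c:52:82": ("Printer", 10)}

# Step 5: constructed authorization policy, profile -> SGT number.
AUTHZ_SGT = {"Cisco-IP-Phone": 5, "Windows-Workstation": 7, "Printer": 8}
UNKNOWN_SGT = 0


@dataclass
class Switch:
    """Remembers the last attribute set sent per MAC, so step 3 only notifies on change."""
    last_sent: Dict[str, dict] = field(default_factory=dict)

    def device_info(self, gleaned: dict) -> Optional[dict]:
        info = {k: gleaned[k] for k in GLEANED_KEYS if k in gleaned}
        mac = info["mac"].lower()
        if self.last_sent.get(mac) == info:
            return None  # unchanged: no RADIUS accounting update is sent
        self.last_sent[mac] = info
        return info


def profile(info: dict) -> Tuple[str, int]:
    """Step 4: score every profile and return (best profile, certainty) or Unknown."""
    scores = {name: 0 for name in PROFILE_RULES}
    for name, rules in PROFILE_RULES.items():
        for key, predicate, weight in rules:
            if key in info and predicate(info[key]):
                scores[name] += weight
    oui = info["mac"].lower()[:8]
    if oui in OUI_PROFILE:
        name, weight = OUI_PROFILE[oui]
        scores[name] += weight
    best, certainty = max(scores.items(), key=lambda kv: kv[1])
    return (best, certainty) if certainty >= MIN_CERTAINTY else ("Unknown", certainty)


def authorize(info: dict) -> dict:
    """Steps 4 and 5 for one device-info notification."""
    name, certainty = profile(info)
    return {"mac": info["mac"], "profile": name, "certainty": certainty,
            "sgt": AUTHZ_SGT.get(name, UNKNOWN_SGT)}


def run(switch: Switch, gleaned: dict) -> Optional[dict]:
    """Steps 1-5 for one endpoint; None means the switch had nothing new to report."""
    info = switch.device_info(gleaned)
    return authorize(info) if info is not None else None


# Constructed sample endpoints; no real devices or real MAC addresses.
PHONE = {"mac": "00:1b:d5:aa:bb:cc", "cdp-platform": "Cisco IP Phone 8845",
         "dhcp-class-id": "Cisco Systems, Inc. IP Phone CP-8845"}
PC = {"mac": "f4:8e:38:11:22:33", "dhcp-class-id": "MSFT 5.0",
      "dhcp-param-list": "1,3,6,15,31,33,43,44,46,47,119,121,249,252"}
# Same MAC as PC but a Linux DHCP fingerprint: the tag must not be inherited.
ROGUE = {"mac": "f4:8e:38:11:22:33", "dhcp-class-id": "udhcp 1.30.1",
         "dhcp-param-list": "1,3,6,12,15,28,42"}

if __name__ == "__main__":
    sw = Switch()
    for gleaned in (PHONE, PC, PC, ROGUE):
        print(run(sw, gleaned))
```

The second `PC` call returns `None` (nothing changed, nothing sent), while `ROGUE` comes back as `Unknown` with SGT 0 even though its MAC was known a moment ago. That is the practical reason the deck keeps a Suspicious tag and a quarantine path: a profiled tag is only as trustworthy as the CDP/LLDP/DHCP strings it was derived from.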
Traffic redirection based upon SGT (available on ASA, ASR1000, ISR4000, CSR-1000v)
[Figure: Network A with User A (Employee), User B (Suspicious) and User C (Guest) behind a router / firewall. Policy-based routing based on SGT sends the Suspicious user's traffic to an inspection router; SGT-based VRF selection places the Guest user's traffic into VRF-GUEST towards the enterprise WAN.]
Security example
• Redirect traffic from malware-infected hosts: contain threats; pass traffic through centralized analysis and inspection functions
Other example
• Map different user groups to different WAN services: segment within a site with TrustSec; the SGT routes traffic to the correct WAN/VRF
Available today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA 5500-X (9.5.1)
DMVPN and TrustSec integration
[Figure: Site A and Site B (datacenter) are each connected over MPLS and over the Internet. At each site a primary router (primary DMVPN, PfR master controller, border router) and a backup router (backup DMVPN, PfR border router) sit between the distribution switches and the MPLS router and Internet router; the access switches hang off the distribution switches. Internet traffic of the sites goes via a GRE tunnel to ZScaler.]
Pros and cons
+ Deployment over any transport layer
+ Profiling even if the LANs are a "Wild West" situation
+ Sensor technology is currently a game-changer in the market
+ Centralized security administration once the rollout is complete
+ Published open IETF informational draft
+ SGT-based traffic redirection (PBR) and CoS now available
- Supplier knowledge is limited
- Just a few other vendors fully support it
- Not supported by every Cisco device and software
- SGT-based PfR would be nice
Is TrustSec the right approach?
Yes if BYOD or IoE arrive
Yes if partners have access to your network
Yes if you've got guests at any of your offices
Yes if you have any important asset in your network
Yes if you think that IPv6 will arrive one day and you want to be prepared (the policy is bound to the tag, not to the address family)
Yes if you've got a growth environment where acquisitions bring you the flotsam and jetsam of 30 years of Ethernet
Yes if you're a bank and have to do PCI DSS audits (segmentation will limit the audit scope)
TrustSec is the way to go for WAN segmentation
Our design specifics: what Mondi did and didn't take from the IWAN "kit"
● PfRv3
○ Implemented, working
● SGT-based QoS/PBR
○ Prepared, but not implemented yet
● CWS
○ Not used; OpenDNS being investigated
● WAAS
○ Not used due to lack of requirement in our environment
● AVC
○ Not used due to complexity of our environment
● Duplicate DMVPN partnership
○ Primary and backup router are part of the 'MPLS DMVPN' AND the 'Internet DMVPN'
- Cisco standard design permits only one DMVPN per router
● Primary and backup router each have tunnels to the primary and backup cloud proxy
○ Fivefold backup for Internet access
● SAML-based two-factor authentication on ASA
○ SecureAuth integration
● SGT-based firewalling on Cisco FP 9300
○ Integration of Active Directory, ISE and FP 9300 to provide remote access segmentation based on SGTs
Findings
● Technical
○ Product readiness is better than we expected, but still it's NEW
○ Alignment between MPLS providers and "overlay providers" is critical
○ Stability in failover situations is much better than expected
○ PfR normally considers European Internet quality to be better than business-grade MPLS
○ The management software environment for TrustSec and PfR is limited; LiveAction is probably best at the moment
- Logging of TrustSec drops on SGACLs isn't there; "half-open TCP sessions" are currently the only way to see them
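One way to turn the "half-open TCP sessions" observation above into detection logic, as an added example (not a Cisco, ISE or LiveAction feature). The flow records are constructed to resemble NetFlow/IPFIX-style 5-tuple records with the OR of the TCP flags seen, a packet count and the SGTs already attached; that record layout, the threshold and the addresses are assumptions. A forward flow that only ever carried SYNs, was retransmitted, and has no reverse flow at all is the footprint of a silent drop; a SYN answered by RST is a host refusing, not a policy drop, and is excluded.

```python
"""Infer silent SGACL drops from flow records (constructed sample data)."""
from collections import defaultdict
from typing import Dict, List, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10
TCP = 6

# Record: (src_ip, dst_ip, proto, src_port, dst_port, tcp_flags_or, packets, src_sgt, dst_sgt)
FLOWS = [
    # Employee to SAP: handshake visible in both directions
    ("10.10.1.5", "192.168.100.10", TCP, 51000, 3200, SYN | ACK, 40, 7, 100),
    ("192.168.100.10", "10.10.1.5", TCP, 3200, 51000, SYN | ACK, 38, 100, 7),
    # Supplier host tries SSH to SAP: three SYNs, nothing ever comes back
    ("10.10.9.7", "192.168.100.10", TCP, 40222, 22, SYN, 3, 8, 100),
    # Guest tries HTTPS to SAP: same pattern
    ("10.20.0.9", "192.168.100.10", TCP, 40333, 443, SYN, 3, 6, 100),
    # Closed port: SYN answered with RST/ACK, so the host itself refused
    ("10.10.1.5", "192.168.100.11", TCP, 52000, 8080, SYN, 1, 7, 101),
    ("192.168.100.11", "10.10.1.5", TCP, 8080, 52000, RST | ACK, 1, 101, 7),
    # A single stray SYN below the retransmit threshold: ignored as noise
    ("10.10.1.6", "192.168.100.10", TCP, 53000, 3200, SYN, 1, 7, 100),
]
MIN_SYNS = 2  # one SYN can be noise; two or more without any reply means retransmission

Suspect = Tuple[str, str, int, int, int]  # (src_ip, dst_ip, dst_port, src_sgt, dst_sgt)


def half_open(flows, min_syns: int = MIN_SYNS) -> List[Suspect]:
    """Forward TCP flows that only sent SYNs, retransmitted them, and never saw a reverse flow."""
    seen = {(f[0], f[1], f[2], f[3], f[4]) for f in flows}
    suspects = []
    for src, dst, proto, sport, dport, flags, pkts, ssgt, dsgt in flows:
        if proto != TCP or flags != SYN or pkts < min_syns:
            continue
        if (dst, src, proto, dport, sport) in seen:
            continue  # a SYN/ACK or RST came back: not a silent drop
        suspects.append((src, dst, dport, ssgt, dsgt))
    return suspects


def drops_by_cell(flows) -> Dict[Tuple[int, int], List[Tuple[str, str, int]]]:
    """Group suspects by (src SGT, dst SGT) so each can be checked against the policy matrix."""
    cells = defaultdict(list)
    for src, dst, dport, ssgt, dsgt in half_open(flows):
        cells[(ssgt, dsgt)].append((src, dst, dport))
    return dict(cells)


if __name__ == "__main__":
    for cell, hits in drops_by_cell(FLOWS).items():
        print("cell (src SGT %d -> dst SGT %d): %d half-open flow(s) %s" % (cell[0], cell[1], len(hits), hits))
```

The grouping by (src SGT, dst SGT) is what makes the output actionable: a cell that is deny-by-policy confirms the SGACL is doing its job, while half-open flows in a cell that should permit point at a missing binding or a stale policy push. A host firewall or a null route produces the same signature, so this is evidence to correlate with the matrix, not proof of an SGACL drop.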
● Organisational
○ Know your applications before you start
○ Keep your SGTs to the absolute, bare minimum (10 SGTs per site × 100 sites = a matrix with 1,000,000 fields to fill)
○ LAN projects will start wherever you start to roll out
○ Having a competent partner willing to learn during the project is necessary
○ Acceptance tests are drastically more complex than on an MPLS network (if done thoroughly)
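An added example (not Cisco code) tying together three points from the deck: the "policies between tags" matrix from the fundamentals, the IP-to-SGT bindings that SXP propagates to an enforcement point that cannot read the tag from the frame, and the organisational finding that the matrix grows with the square of the number of tags. The bindings, tag numbers, matrix cells, port numbers and sample flows are constructed; the final catch-all deny at the end of each cell is this example's own choice, not a claim about how a specific Cisco platform ends an SGACL.

```python
"""SGT classification from IP bindings plus SGACL matrix evaluation (constructed data)."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IP-to-SGT bindings as learned over SXP. Longest prefix wins, so a host
# binding overrides the subnet it sits in. Constructed addresses and tags.
BINDINGS = [
    ("10.10.0.0/16", 7),          # Employee
    ("10.10.9.0/24", 8),          # Supplier jump hosts inside the employee range
    ("10.20.0.0/24", 6),          # Guest
    ("10.99.0.0/24", 2),          # Suspicious (moved here by ISE on quarantine)
    ("192.168.100.10/32", 100),   # SAP application server
    ("192.168.100.0/24", 101),    # other DC servers
]
_BINDINGS = sorted(((ip_network(n), sgt) for n, sgt in BINDINGS),
                   key=lambda b: b[0].prefixlen, reverse=True)
UNKNOWN = 0  # no binding: treated as the Unknown tag


def classify(ip: str) -> int:
    """Longest-prefix match of an address against the binding table."""
    addr = ip_address(ip)
    for net, sgt in _BINDINGS:
        if addr in net:
            return sgt
    return UNKNOWN


# Policy matrix: cell (src SGT, dst SGT) -> ordered entries (action, protocol, dst ports).
# "ip" matches any protocol; None matches any port. Missing cells use DEFAULT_POLICY.
Entry = Tuple[str, str, Optional[set]]
SGACL = {
    (7, 100): [("permit", "tcp", {3200, 3300, 443})],              # Employee -> SAP
    (7, 101): [("permit", "tcp", None)],                            # Employee -> other DC
    (8, 100): [("deny", "tcp", {22}), ("permit", "tcp", {3200})],   # Supplier: SAP GUI only, no SSH
    (6, 100): [("deny", "ip", None)],                               # Guest -> SAP
    (2, 100): [("deny", "ip", None)],                               # Suspicious -> SAP
    (7, 7):   [("permit", "ip", None)],                             # Employee <-> Employee
}
DEFAULT_POLICY: List[Entry] = [("deny", "ip", None)]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> str:
    """Classify both ends, then walk the matching cell; first matching entry wins."""
    src, dst = classify(src_ip), classify(dst_ip)
    for action, p, ports in SGACL.get((src, dst), DEFAULT_POLICY):
        if p != "ip" and p != proto:
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "deny"  # catch-all chosen for this example


def matrix_cells(tags_per_site: int, sites: int, shared_tags: bool) -> int:
    """Number of matrix cells an operator must fill: quadratic in the number of distinct tags."""
    n = tags_per_site if shared_tags else tags_per_site * sites
    return n * n


if __name__ == "__main__":
    print(evaluate("10.10.9.7", "192.168.100.10", "tcp", 22))    # Supplier SSH to SAP
    print(evaluate("10.10.9.7", "192.168.100.10", "tcp", 3200))  # Supplier SAP GUI
    print(matrix_cells(10, 100, shared_tags=False), matrix_cells(10, 100, shared_tags=True))
```

`matrix_cells(10, 100, False)` reproduces the deck's 1,000,000 fields for per-site tags; with the same 10 tags reused globally it is 100 cells, which is the whole argument for keeping tags to the bare minimum. The `172.16.0.1` case in the test shows the other practical consequence: a source without a binding lands in the Unknown tag and hits the default cell, so a missing SXP binding silently turns into a deny in a default-deny matrix.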
Conclusion
• Cisco TrustSec integrates seamlessly with switches, access points and firewalls
• It provides a true end-to-end security architecture at our new headquarters and beyond
• It allows us to place users and endpoints in the right category and have the right policy to match information security demands
• TrustSec will help cut time to market for new acquisitions
• It allows us to reduce our overall level of risk exposure
Thank You!