© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

TrustSec: Solving (not only) L2 Security Problems

Petr Růžička, CSE, CCIE #20166
[email protected]

Slide 2: Evolution of Network Access Control: Topology-Aware to Role-Aware

• Network address-based access control: ACL, VACL, PACL, PBACL, etc.
• Network Admission Control (NAC): posture validation, endpoint policy compliance
• Identity-based access control: flexible authentication options (802.1X, MAB, WebAuth, FlexAuth) and comprehensive post-admission control options (dACL, VLAN assignment, URL redirect, QoS, ...)
• Cisco TrustSec: network-wide role-based access control, network device access control, consistent policies for wired, wireless and remote access

Slide 3: Campus Access Security: Vulnerability and Countermeasure

Vulnerability (802.1X alone)

Actors: a supplicant plugged into a wall jack in a conference room or cubicle area; the authenticator (wiring-closet switch) on the campus LAN; the authentication server (ACS).

Port status: Unauthorized
1. Supplicant -> Switch: EAPOL-Start
2. Switch -> Supplicant: EAP Request
3. Supplicant -> Switch: EAP Response (with credentials)
4. Switch relays the credentials to AAA via RADIUS
5. ACS -> Switch: RADIUS Access-Accept
Port status: Authorized, port enabled

A miscreant user can spoof the MAC address of the authenticated user and gain network access undetected.

Countermeasure: TrustSec (802.1AE/SAP)

Same actors, but the supplicant and the authenticator are 802.1AE/SAP-capable.

Port status: Unauthorized
1. Supplicant -> Switch: EAPOL-Start
2. Switch -> Supplicant: EAP Request
3. Supplicant -> Switch: EAP Response (with credentials)
4. Switch relays the credentials to AAA via RADIUS
5. ACS -> Switch: RADIUS Access-Accept (with PMK)
6. The PMK is used to initiate the 4-way SAP exchange
Port status: Authorized, encrypted port enabled

A miscreant user cannot spoof the MAC address of encrypted packets; if the miscreant does not enable encryption, the packets carry no integrity information (SA or ICV) and are blocked.

Cisco TrustSec (CTS)
• Extends 802.1X to provide continuous data protection
• Holistic prevention of MITM, spoofing, tampering and replay attacks
• Prevents shadow-host attacks

Slide 4: Benefits of Hop-by-Hop Link Encryption in the Campus

End-to-end (E2E)
• Layer 3+ end-to-end encryption of IP traffic and payload
• No packet visibility, which defeats IT IDS and network analysis tools
• Does not prevent layer 2 attacks (e.g. MAC spoofing, stealing)

Hop-by-hop (HxH, LinkSec on each link)
• Hop-by-hop security prevents layer 2 attacks
• Secure hop-by-hop communications preserve the IT tools used for network management
• IT keeps network control, using familiar network tools (IDS, anti-virus, ...)
• Allows incremental deployment over the most vulnerable domains

Slide 5: Link Layer Encryption

Figure: on every link the frame is cipher data (TrustSec/802.1AE encrypted); inside each switch it is in the clear.

• Hop-by-hop packet confidentiality and integrity via IEEE 802.1AE ("bump-in-the-wire" model)
• Packets are decrypted on the ingress interface
• Packets are in the clear inside the device
• Packets are encrypted on the egress interface
• Allows the network to continue to perform all the packet inspection features currently used
• Can be incrementally deployed depending on link vulnerability
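The slide-3 countermeasure and the slide-5 bump-in-the-wire model, worked through as an added example that is not Cisco's code and not part of the deck. It is a deliberately simplified Python model: HMAC-SHA256 stands in for the AES-GCM ICV of real 802.1AE, a SHA-256 counter stream for its confidentiality, and a single HMAC over the PMK and two nonces for the SAP 4-way exchange; the MAC addresses, PMKs, nonces, frame bodies and the ACL are constructed. It shows why the miscreant of slide 3 is blocked (no SecTAG, bad ICV, replayed packet number) and that the switch in the middle still sees cleartext and can apply an ACL before re-encrypting on the egress link.

```python
"""Added example (not Cisco's code or the deck's): a simplified model of the
802.1AE hop-by-hop protection described on slides 3 and 5. Real MACsec uses
AES-GCM; here HMAC-SHA256 stands in for the ICV and a SHA-256 counter stream
for confidentiality, and a single HMAC stands in for the SAP 4-way exchange.
MAC addresses, nonces, PMKs and the ACL are constructed for the example."""
import hashlib
import hmac
import struct

ETHERTYPE_MACSEC = 0x88E5  # EtherType that starts the 802.1AE SecTAG
ICV_LEN = 16


def derive_sak(pmk: bytes, nonce_sup: bytes, nonce_auth: bytes) -> bytes:
    """Stand-in for SAP: both ends hold the PMK from the RADIUS Access-Accept
    and exchange nonces; a station without the PMK cannot produce the SAK."""
    return hmac.new(pmk, b"SAK" + nonce_sup + nonce_auth, hashlib.sha256).digest()


class Link:
    """One secured link: its SAK plus transmit and replay-check packet numbers."""
    def __init__(self, sak: bytes):
        self.sak = sak
        self.next_pn = 1    # next PN this side transmits
        self.lowest_pn = 1  # smallest PN this side still accepts (strict replay check)


def _keystream(sak: bytes, pn: int, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(sak + struct.pack("!II", pn, ctr)).digest()
    return out[:length]


def protect(link: Link, dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Encrypt on egress: DA | SA | SecTAG | ciphertext | ICV."""
    pn = link.next_pn
    link.next_pn += 1
    # SecTAG: EtherType, TCI/AN (E and C bits set), short length, packet number
    sectag = struct.pack("!HBBI", ETHERTYPE_MACSEC, 0x0C, 0, pn)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(link.sak, pn, len(payload))))
    icv = hmac.new(link.sak, dst + src + sectag + ct, hashlib.sha256).digest()[:ICV_LEN]
    return dst + src + sectag + ct + icv


def validate(link: Link, frame: bytes):
    """Decrypt on ingress; returns (cleartext, reason), cleartext None if dropped."""
    dst, src = frame[:6], frame[6:12]
    if frame[12:14] != struct.pack("!H", ETHERTYPE_MACSEC):
        return None, "dropped: no SecTAG/ICV on a secured port"
    sectag = frame[12:20]
    pn = struct.unpack("!HBBI", sectag)[3]
    ct, icv = frame[20:-ICV_LEN], frame[-ICV_LEN:]
    expect = hmac.new(link.sak, dst + src + sectag + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None, "dropped: ICV mismatch (tampered, or sender has no SAK)"
    if pn < link.lowest_pn:
        return None, "dropped: replayed packet number"
    link.lowest_pn = pn + 1
    return bytes(c ^ k for c, k in zip(ct, _keystream(link.sak, pn, len(ct)))), "ok"


def switch_forward(ingress: Link, egress: Link, acl, frame: bytes):
    """Bump-in-the-wire: decrypt on ingress, inspect in the clear, re-encrypt on egress."""
    clear, reason = validate(ingress, frame)
    if clear is None:
        return None, reason
    if not acl(clear):
        return None, "dropped: ACL applied to the cleartext inside the switch"
    return protect(egress, frame[:6], frame[6:12], clear), "forwarded"


def demo() -> dict:
    """Walks the deck's scenarios; returns the per-scenario outcome."""
    host_mac, gw_mac = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    host_link = Link(derive_sak(b"pmk-from-access-accept", b"n-host", b"n-switch"))
    uplink = Link(derive_sak(b"pmk-from-ndac", b"n-sw1", b"n-sw2"))
    ipv4 = b"\x08\x00\x45" + b"\x00" * 19 + b"payload"   # constructed IPv4 frame body
    only_ipv4 = lambda clear: clear[:2] == b"\x08\x00"    # ACL evaluated on cleartext
    r = {}
    # Authenticated host: protected with the SAK, inspected, re-protected on the uplink
    f1 = protect(host_link, gw_mac, host_mac, ipv4)
    fwd, r["host"] = switch_forward(host_link, uplink, only_ipv4, f1)
    r["far_end"] = validate(Link(uplink.sak), fwd)[0] == ipv4
    # Replay of the captured frame: its packet number has already been consumed
    r["replay"] = switch_forward(host_link, uplink, only_ipv4, f1)[1]
    # Miscreant spoofs the host MAC but cannot add a SecTAG/ICV: unprotected frame
    r["spoof_plain"] = switch_forward(host_link, uplink, only_ipv4, gw_mac + host_mac + ipv4)[1]
    # Miscreant spoofs the MAC and guesses a key: without the PMK the ICV fails
    rogue = Link(derive_sak(b"guessed-pmk", b"n-host", b"n-switch"))
    r["spoof_forged"] = switch_forward(host_link, uplink, only_ipv4,
                                       protect(rogue, gw_mac, host_mac, ipv4))[1]
    # Cleartext inside the switch keeps existing inspection working: non-IPv4 hits the ACL
    f5 = protect(host_link, gw_mac, host_mac, b"\x86\xdd\x60" + b"\x00" * 39)
    r["acl"] = switch_forward(host_link, uplink, only_ipv4, f5)[1]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

Running the module prints one line per scenario. The strict lowest_pn check models replay protection with a window of zero; real MACsec keeps a configurable replay window and authenticates with AES-GCM, so these stand-in primitives are for illustration only and should not be reused outside a demonstration.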

Slide 6: Dynamic SGT and SGACL Assignment

Figure: Internet edge, Enterprise Campus edge and a data center holding Finance, CRM, ERP, Portal Y, Portal Z, Intranet Portal and Storage Class A servers. Campus-to-DC traffic is unauthenticated and is classified by the port it enters on. Port identities: Campus Edge, Internet Edge; server identity: * (any server).

Example authorization rules (role -> SGT):
• user role = CRM -> SGT = Confidential
• user role = Finance -> SGT = Confidential
• user role = ERP -> SGT = Confidential
• user role = Intranet Portal -> SGT = Sensitive
• user role = Portal Y -> SGT = Unrestricted
• user role = Portal Z -> SGT = Unrestricted
• user role = Campus Edge -> SGT = Ent. Campus
• user role = Internet Edge -> SGT = Internet
• user role = Storage Class A -> SGT = Data Confidential

Sequence:
1. Ensure identities are pre-provisioned (host and/or port mapping).
2. Link up or port enabled initiates endpoint authentication and authorization.
3. The host identity is acquired (802.1X, MAB or pre-provisioned Identity-to-Port Mapping (IPM)) and relayed via RADIUS to ACS.
4. The identity credentials are authenticated, then the authorization rules are processed, SGTs assigned and SGACLs applied.

Slide 7: Example 1: Bidirectional Enterprise Campus and Unrestricted Servers

Figure: Internet, Enterprise Campus and the data center (Finance, CRM, ERP, Portal Y, Portal Z, Intranet Portal, Storage Class A); campus-to-DC traffic is unauthenticated.

• All packets entering the data center from the campus edge are tagged as Ent. Campus
• Packets from the Portal Y server are tagged as Unrestricted
• The illustrated policy is bidirectional: Ent. Campus and Unrestricted may reach each other

Slide 8: Example 2: Enterprise Campus to Data Confidential

Figure: same topology as Example 1; campus-to-DC traffic is unauthenticated.

• All packets entering the data center from the campus edge are tagged as Ent. Campus
• Egress filtering: the storage array is tagged Data Confidential and the policy (SGACL) denies access from Ent. Campus
• As illustrated, communication from Ent. Campus to Data Confidential is denied

Slide 9: Example 3: Unrestricted to Data Confidential (intra-DC use case)

Figure: same topology as Example 1.

• All packets from Portal Z are classified as Unrestricted
• Egress filtering: the storage array is tagged Data Confidential and the policy (SGACL) denies access from Unrestricted
• As illustrated, communication from Unrestricted to Data Confidential is denied

Slide 10: Example 4: Data Confidential to Internet (data center use case)

Figure: same topology as Example 1.

• All packets from Storage Confidential are classified as Data Confidential
• Egress filtering on the Internet-tagged port denies access from Data Confidential
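The slide-6 authorization rules and the four data-center examples on slides 7 to 10, expressed as an added example that is not Cisco's code and not part of the deck. It assumes a default-deny action for (source, destination) tag pairs the matrix does not list, string-valued SGT names instead of numeric tags, and constructed flow records whose addresses and ports are present only to show that they never enter the decision. The reachability() audit is an addition the deck does not show.

```python
"""Added example (not Cisco's code or the deck's): ingress SGT classification
and egress SGACL enforcement modelled after slides 6-10. The matrix cells come
from the deck's four examples; the default action, the helper names and the
flow records are assumptions made for this example."""
from dataclasses import dataclass

# Slide 6 authorization rules: authenticated role (user, port or server) -> SGT
ROLE_TO_SGT = {
    "CRM": "Confidential",
    "Finance": "Confidential",
    "ERP": "Confidential",
    "Intranet Portal": "Sensitive",
    "Portal Y": "Unrestricted",
    "Portal Z": "Unrestricted",
    "Campus Edge": "Ent. Campus",
    "Internet Edge": "Internet",
    "Storage Class A": "Data Confidential",
}

# SGACL matrix, (source SGT, destination SGT) -> action. Looked up on the
# egress device, so the source only needs to be classified once at ingress.
SGACL = {
    ("Ent. Campus", "Unrestricted"): "permit",     # Example 1, both directions
    ("Unrestricted", "Ent. Campus"): "permit",
    ("Ent. Campus", "Data Confidential"): "deny",  # Example 2
    ("Unrestricted", "Data Confidential"): "deny", # Example 3
    ("Data Confidential", "Internet"): "deny",     # Example 4
}
DEFAULT_ACTION = "deny"  # assumption: any (src, dst) cell not in the matrix is denied


@dataclass(frozen=True)
class Flow:
    """Constructed flow record; addresses and port exist only to show that
    they play no part in the decision."""
    src_role: str
    dst_role: str
    src_ip: str
    dst_ip: str
    dport: int


def classify(role: str) -> str:
    """Ingress: map the identity learned via 802.1X, MAB or IPM to its SGT."""
    if role not in ROLE_TO_SGT:
        raise ValueError(f"no authorization rule for role {role!r}")
    return ROLE_TO_SGT[role]


def egress_action(src_sgt: str, dst_sgt: str) -> str:
    """Egress: SGACL lookup keyed purely on the two tags."""
    return SGACL.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def enforce(flow: Flow) -> tuple:
    """Tag at ingress, enforce at egress; returns (action, src_sgt, dst_sgt)."""
    src_sgt = classify(flow.src_role)
    dst_sgt = classify(flow.dst_role)
    return egress_action(src_sgt, dst_sgt), src_sgt, dst_sgt


def reachability() -> dict:
    """Policy audit: for every SGT, the set of destination SGTs it may reach.
    Useful for spotting a permit cell that exposes a confidential group."""
    sgts = sorted(set(ROLE_TO_SGT.values()))
    return {s: {d for d in sgts if egress_action(s, d) == "permit"} for s in sgts}


if __name__ == "__main__":
    for f in (Flow("Campus Edge", "Portal Y", "10.1.1.5", "10.50.0.10", 443),
              Flow("Campus Edge", "Storage Class A", "10.1.1.5", "10.60.0.2", 445),
              Flow("Storage Class A", "Internet Edge", "10.60.0.2", "203.0.113.7", 443)):
        print(f.src_role, "->", f.dst_role, enforce(f))
    print(reachability())
```

Because the decision is keyed on tags alone, moving a server to another subnet or VLAN changes nothing in the policy, which is the topology independence the deck claims; the cost is that every ingress point must classify correctly, so the role-to-SGT rules and the matrix deserve the same review as a firewall rulebase.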

Slide 11: Comparison of Encryption Models (source: Ken Hook)

Traffic visibility and network manageability

End-to-end (E2E*)
• Layer 3+ end-to-end encryption of IP traffic and payload
• No packet visibility, which defeats IT IDS and network analysis tools
• Does not prevent layer 2 attacks (e.g. MAC spoofing, stealing)
• Complex security association maintenance

Hop-by-hop (HxH*)
• Single SA per link: no complex key management server required
• Hop-by-hop security prevents layer 2 attacks
• Transparent to hosts, applications and servers
• Packets remain in the clear inside the box, preserving the Intelligent Information Network
• IT has network control, using familiar network tools (IDS, anti-virus, ...)
• Allows incremental deployment over the most vulnerable domains

Host-to-server IPsec negatively impacts:
• Deep packet inspection
• Extended ACLs (port/protocol)
• Full NetFlow (port/protocol)
• QoS (port-based classification is limited)
• Content and SLB capabilities (dramatic reduction)
• Network latency (increased)
• Host/server CPU and memory utilization for header insertion/removal and SAs (increased)
• Weighted Fair Queuing (WFQ) priority and other flow-based traffic prioritization
• NAT (broken; requires NAT-T)

Figure: a TrustSec network in which every Catalyst-to-Catalyst link across the core network runs LinkSec. Cisco TrustSec preserves IT tools for network management.

* E2E = end-to-end, HxH = hop-by-hop

Slide 12: Data Center Confidentiality and Integrity

CTS Network Device Admission Control (NDAC)
• Mutual device authentication (EAP-FAST)
• Confidential and authenticated data communications

Exchange between two CTS data-center switches, with ACS 5.0 as the authentication server:
Port status: Unauthorized
1. EAPOL-Start
2. EAP-FAST Request
3. EAP Response (with device credentials)
4. Credentials relayed to AAA via RADIUS
5. RADIUS Access-Accept (with environment data and PMK)
6. PMK used to initiate the 4-way SAP exchange
Port status: Authorized, encrypted port enabled

CTS Endpoint Admission Control (EAC), servers with 802.1AE NICs
• 802.1X machine authentication
• Confidential and authenticated data communications

Exchange between a server with an 802.1AE NIC and the CTS switch:
Port status: Unauthorized
1. EAPOL-Start
2. EAP Request
3. EAP Response (with host credentials)
4. Credentials relayed to AAA via RADIUS
5. RADIUS Access-Accept (with PMK)
6. PMK used to initiate the 4-way SAP exchange
Port status: Authorized, encrypted port enabled

Slide 13: Cisco TrustSec Overview

Identification and authorization
• Builds a trusted network infrastructure with Network Device Admission Control (NDAC)
• Extends IBNS and NAC by adding topology-independent ingress security group assignment

L2/L3 TrustSec confidentiality and integrity
• Wire-rate encryption and data integrity on L2 Ethernet switch ports
• Preserves all network-based accounting, deep packet inspection and intelligent services
• Uniform encryption, transparent to applications, protocols, etc.

Scalable, topology-independent access control
• Centralized access control policy administration
• Consistent policy for wired, wireless and remote access VPNs
• Network access control policy is decoupled from network topology, providing unparalleled scale
