© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Expo Algérie:
Next-Generation Network Architecture
(Cisco Borderless Networks)
Zakaria BEN LETAIEF
Consulting Systems Engineer
Why Borderless Networks?
Cisco’s Architectural Approach
Cisco TrustSec Solution
Delivering Business Value
New and Evolving Threats
Why Borderless Networks?
Cisco’s Architectural Approach
Cisco TrustSec Solution
Delivering Business Value
New and Evolving Threats
Video, Mobility, Workplace Experience
7 Billion New Wireless Devices by 2015
Mobile Devices
IT Resources
Blurring the Borders: Consumer ↔ Workforce, Employee ↔ Partner, Physical ↔ Virtual
Changing the Way We Work: video projected to quadruple IP traffic by 2014 to 767 exabytes
Anyone, Anywhere, Anytime
IT Consumerization
Device Border
Mobile Worker
Location Border
Video/Cloud
IaaS, SaaS
Application Border
External-Facing Applications
Internal Applications
Location
Device
Application
Scalability
Availability
Performance
Security
Manageability
Cost of Ownership
Scalability, Availability, Performance, Security
and Manageability
Across Non-IT-Controlled Environments
Then: Linear / Now: Multi-Dimensional
Borderless Experience
ANYWHERE
ANYONE
ANYTIME
ANYTHING
Securely, Reliably, Seamlessly
Why Borderless Networks?
Cisco’s Architectural Approach
Cisco TrustSec Solution
Delivering Business Value
New and Evolving Threats
Technology Portfolio
Borderless Networks
Collaboration
Data Center/Virtualization
WAAS, Wireless, Switching, Routing, Security
BORDERLESS INFRASTRUCTURE
Application Networking / Optimization
Switching, Security, Routing, Wireless
BORDERLESS NETWORK SYSTEMS
BORDERLESS NETWORK SERVICES
BORDERLESS END-POINT/USER SERVICES
Securely, Reliably, Seamlessly: AnyConnect
Mobility: Motion
App Performance: App Velocity
Energy Management: EnergyWise
Multimedia Optimization: Medianet
Security: TrustSec
Architecture for Agile Delivery of the Borderless Experience
Unified Fabric
Extended Cloud
Extended Edge
Unified Access
Campus Core
CISCO LIFECYCLE SERVICES
POLICY
CISCO SMART SERVICES
MANAGEMENT
PROFESSIONAL SERVICES: Realize the Value of Borderless Networks Faster
Transform Voice and Video Experiences
Can My Network Deliver Real-Time Collaboration Experiences?
[Diagram: global business, worldwide offices; CEO meeting, M&A negotiation, sports event]
No Resource Reservation, Degraded Voice and Video
Context-Aware, Prioritized, High-Quality Voice and Video
Superior Application Performance, Better User Experience
Can My Network Optimize Performance of Applications Anytime, Anywhere?
[Diagram: traffic across service providers SP A to SP D; before: shortest path selected, no application control, wasted bandwidth; after: real-time fastest path, scalable app visibility, embedded WAN optimization]
Compromised and Costly Experience
Up to 2X Improved Response Time and 90% Reduced Bandwidth Cost
Enables Business Continuity and Network Reliability
Can My Network Optimize Performance of Applications Anytime, Anywhere?
[Diagram: branch to cloud over the WAN, with and without UCS-E in the branch]
Unreliable WAN Leads to Poor Experience with Cloud/Data Center Hosted Applications
"Lean" Application Hosting Provides Branch-to-Cloud Application Survivability and Infrastructure Agility
Reducing Energy Costs
Am I Using My Network to Reduce My Energy Costs?
County offices, 10,000 PCs
No Energy Management: Annual Energy Costs $770,000
Countywide Office Energy Management: Managed Nightly Shutdown $280,000; Additional Energy Policies $150,000; Total Savings $430,000
Guest Access Made Easy
Do I Have a Consistent Access Policy Architecture Across My Network for All Users and Devices?
[Diagram: a consultant for a project; before: "guest" access policy and IT devices changed manually]
Next-Generation Security
Is My Network Ready for Current and Future Regulatory Requirements?
[Diagram: data (D) and video (V) streams on the LAN with a malicious guest user; before: clear data and video streams in the LAN; after: encrypted, tamper-proof transactions]
Next-Generation Security
Can Mobile Devices Access My Network Securely, Reliably and Seamlessly?
[Diagram: a mobile executive; before: unmanaged devices, risk of data loss, and lack of access; after: secure mobile connectivity with acceptable use, access control and data loss prevention]
802.11n Performance Protection
Can Mobile Devices Access My Network Securely, Reliably and Seamlessly?
Wireless Interference Decreases 802.11n Performance
CleanAir Detects and Mitigates Interference for Performance Protection
[Chart: air quality versus wireless performance, with and without CleanAir]
Medianet
Offers converged architecture for video; removes complexity
Makes video as ready-to-use as IP telephony
Offers automatic discovery of video endpoints
Provides automatic video-optimized network configuration
Provides resource reservation and resource prioritization
Offers "one-button" diagnostics for troubleshooting
Provides content auto-adaptation
Cisco EnergyWise
Offers network-integrated measurement, monitoring, and control of energy usage
Increases visibility, actively reduces energy costs
Integrates with borderless services: access control, identity, location
Phase 1: Network devices (IP phones, access points, and cameras)
Phase 2: IT devices (PCs and third-party devices)
Phase 3: Non-IT systems (air conditioning, HVAC, and lighting)
Cisco TrustSec Technology
Offers foundation for identity-directed, policy-based access
Increases data security and satisfies regulatory guidelines
Offers granular access control:
Who is trying to access
Where they are located
What device they are using
What they are accessing
Provides secure, encrypted last-hop communications for wired and wireless networks
Provides security and policy for endpoints both on and off the corporate network
App Velocity
Large-scale discovery and prioritization optimizes application availability
WAN optimization and application-aware acceleration provides up to 99% improved response time
PfR adapts routing based on application and real-timenetwork conditions
UCS-Express provides branch-to-cloud application survivability
Motion
Protects the performance of 802.11n networks and delivers ROI for mission critical WLANs
CleanAir technology improves wireless "air quality" through automated interference mitigation
ClientLink increases the throughput of legacy a/g clients by up to 65%
Location services offer unified monitoring and tracking of wired and wireless assets for end-to-end network security and business process optimization
Management
Cisco EnergyWise Orchestrator and Enhancements
Cisco EnergyWise Orchestrator
PC and PoE device power management
Sustainability dashboard for at-a-glance power usage, energy savings, costs, and ROI
Enhanced SDK
Extending energy management with leading intelligent Power Distribution Unit partnerships
Enhanced Platform Support
New Cisco Catalyst 3750-X, Catalyst 3560-X, Catalyst 2960-S, Catalyst 4500-E, and ISR G2
CiscoWorks LMS 4.0
Next-Generation Network Management Platform
Work-center design that accelerates deployments and automates and streamlines common tasks
New work centers for Cisco EnergyWise, Identity, Smart Operations, and Auto Smartports (Medianet)
Monitor and Troubleshoot, Manage Configurations
Immediate Platform Support
Cisco ISR G2 and Cisco Catalyst 2960-S, Catalyst 3560-X, Catalyst 3750-X, Catalyst 4500E
Why Borderless Networks?
Cisco’s Architectural Approach
Cisco TrustSec Solution
Delivering Business Value
New and Evolving Threats
What is a Threat?
An indication or warning of probable trouble
Where are Threats?
Everywhere you can, and more importantly, cannot think of
Why are there Threats?
• The almighty dollar (or euro, pound or rouble): the underground cybercrime industry is a growth industry
• Political and nationalistic motivations
The Evolving Security Threats
Criminal Specialization Driving More Sophisticated Attacks
Web Ecosystem Becomes Number One Threat Vector
Criminals Exploit Users' Trust, Challenging Traditional Security Solutions
Creative Methods (Business Models) Used to Attract Victims
• Highly intelligent individuals are collaborating to create new viruses and other malicious code
• Software development tools for handling large projects are being used
• Development is not unlike normal software development in the IT industry
• The shared information and talents of many very skilled hackers when working together can be worse than any one working alone
• Targeted Hacking
• Vulnerability Exploitation
• Malware Outbreaks
• Economic Espionage
• Intellectual Property Theft or Loss
• Network Access Abuse
• Theft of IT Resources
• Denial of Service
Operating Systems
Network Services
Applications
Users
Moving up the stack
Source : Cisco Annual Security Report 2010
• Botnets
• TCP Stack Table Implementation (sockstress)
• Malicious Business Documents (PDF, Office)
• SQL Injection / Cross Site Scripting
• Social Networks / Web 2.0
• Cloud and Virtualization
• Transient Trust
• Wireless Network Encryption (WEP, WPA)
• MD5 / CA Root Certificates
• IPv6 Deployment
• Botnet: A collection of compromised machines running programs under a common command and control infrastructure
• Building the Botnet:
Many, many malcode vectors
• Controlling the Botnet:
Covert channel of some form; typically IRC or a custom IRC-like channel
Historically have used free DNS hosting services to point bots to the IRC server
Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems
Control services increasingly placed on compromised high-speed machines
Redundant systems and blind connects are implemented for resilience (fast-flux)
Do you know if bots are loose on your network?
• See Infiltrating a Botnet http://www.cisco.com/web/about/security/intelligence/bots.html
Source: www.wikipedia.com
"Antivirus XP has found 2794 threats. It is recommended to proceed with removal"
Fake AV is 15% of all malware
SaaS
Affiliate marketing programs
Search Engine Optimization
Online marketplaces
Joint ventures
• SQL injection attacks return
• "Here you have" email
• Stuxnet
• LinkedIn / Zeus email
• Money mules
• And others…
• Discovered 9th September 2010
• Redirected users to an infected PDF file which downloaded and ran the malware
• Infected companies included Google, NASA, Comcast & other US giants
• 79% of clicks occurred within first three hours of the worm’s spread
• E-mail based virus is not dead…
• Discovered in July 2010
• The complexity of the software is very unusual for malware, and consists of attacks against three different systems:
The Windows operating system,
An industrial software application that runs on Windows
A Siemens programmable logic controller (PLC) & SCADA networks
• Initial infections via USB flash drive
• Subsequent infections by USB flash drive, RPC and print spooler vulnerability
• The malware communicates with the C&C server over HTTP. A list of URLs is included in Stuxnet's configuration data:
www.windowsupdate.com;
www.msn.com;
www.mypremierfutbol.com;
www.todaysfutbol.com
• The first two URLs are used to check that the system has a connection to the Internet, while the third and the fourth are URLs of C&C servers.
• Highly sophisticated blended attack
Still not fully grasped, although multiple papers have been published
• Highly targeted
Industrial networks – used for industrial espionage
Precisely identifies the systems it infects through a finger-printing process
• Highly targeted
Geographically
• Common threats discussed :
Botnets
Web malware
Application-layer malware
• Common themes mentioned :
Mobility
Social media
Cloud
"Hacktivism"
Privacy & Responsibility / Cyber espionage
Malicious / careless employees
• More types of new devices being added to networks
• Diversity of OS’s and Apps
• New network entrance and exit points
• More data in more places to be protected
“…software glitches that need to be fixed—are part of the 'new reality' of making complex cell phones in large volumes.“
—Jim Balsillie, RIM CEO
• Apple iOS devices cited by most analysts as "the next targets"
• Focus will be on applications, not the OS or related services
"Know the enemy and know yourself; in a
hundred battles you will never be in peril.
When you are ignorant of the enemy, but
know yourself, your chances of winning or
losing are equal.
If ignorant both of your enemy and yourself,
you are certain in every battle to be in
peril.”
Cisco Security Intelligence Operations including:
Global Threat Operations Centers
IntelliShield Threat and Vulnerability Analysis
Managed Services and IPS
SensorBase and SenderBase Analysts
Corporate Security Programs Office, Global Policy & Government Affairs
Global in scope
Encompasses network, content, physical & geopolitical security
• Audit
• Assess
• Evaluate
• Monitor
• Correlate
• Integration of security in business processes is a must
• Integration of security standards in business processes
Compliance (ISO27001)
• Convergence of data security and privacy regulation worldwide
• Data security goes to the cloud
• Process, process, process:
Implement strong processes up front, document them, and use them
• User education campaigns:
Ensure there is an end-user education component of your broader information security strategy
• Make effective use of technology:
Technology exists to mitigate much of your risk of exposure to new threats—make sure you’re using what’s available
• Attackers are always modifying their methods
• Users are the main focus of attacks
• Attackers follow the money
• Major systems (DNS, Internet PKI) have flaws, nothing is perfect
• Blended attacks are numerous and evolving
• User education and security awareness training are critical
• Keep an eye on "old problems" while being vigilant about new risks
• Never underestimate the insider threat
• Develop strong (and realistic) policies for protecting sensitive data
• Security must move at the speed of crime
Why Borderless Networks?
Cisco’s Architectural Approach
Cisco TrustSec Solution
Delivering Business Value
New and Evolving Threats
• TrustSec provides a way to
Identify who is accessing your network
Determine how this access is attempted
Locate where this person is trying to access from
Evaluate what privilege this person has
• Based on the results, TrustSec provides
Admission to the network
Scope of resources this person can access
Level of services this person can access
Record of network usage
[Diagram: Catalyst switch running 802.1X, MAB and Web Auth, talking RADIUS to ACS 5.1, NAC Profiler, NAC Guest Server and a directory server; endpoints: Guest, Employee, Printer]
Various authorization methods (VLAN, Downloadable ACL, URL Redirect, etc.)
Scalable / flexible policy & authentication server supporting RBAC (ACS 5.1)
Industry-leading guest service server to provide full guest access management with Web Authentication (NAC Guest Server)
Profiling system to perform automatic device profiling for unattended devices or any type of network-attached device (NAC Profiler)
Cisco IOS intelligence to provide phased deployment modes for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode)
Flexible authentication methods (802.1X, MAB, Web Auth in any order)
Traditional access authorization methods leave some deployment concerns
802.1X/MAB/Web Auth with VLAN Assignment:
• Can I create / manage the new VLANs or IP address scope?
• How do I deal with DHCP refresh in the new subnet?
• How do I manage the ACL on the VLAN interface?
• Do protocols such as PXE or WOL work with VLAN assignment?
• Any impact on route summarization?
802.1X/MAB/Web Auth with ACL Download:
• Who's going to maintain ACLs?
• What if my destination IP addresses change?
• Does my switch have enough TCAM to handle all requests?
Detailed design before deployment is required, otherwise…
Not so flexible for changes required by today's business
Access control project ends up redesigning the whole network
Source Group Tag Solution Overview
• TrustSec is a broad umbrella for security improvements based on the capability to strongly identify users, hosts and network devices within a network
• TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role
• TrustSec ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers
Security Group Based Access Control
Topology-independent access control based on roles
Scalable ingress tagging via Source Group Tag (SGT) / egress filtering via Source Group ACL (SGACL)
Centralized Policy Management / Distributed Policy Enforcement
Confidentiality and Integrity
Encryption based on IEEE 802.1AE (AES-GCM 128-bit)
Wire-rate hop-to-hop Layer 2 encryption
Key management based on 802.11i (SAP), awaiting standardization in 802.1X-REV
Authenticated Networking Environment
Endpoint admission enforced via 802.1X authentication, MAB, Web Auth (full IBNS compatibility)
Network device admission control based on 802.1X creates a trusted networking environment
Only a trusted network imposes the Security Group Tag
SGACL
Security Group Based Access Control allows customers:
To keep existing logical design at access layer
To change / apply policy to meet today's business requirements
To distribute policy from central management server
[Diagram: 802.1X/MAB/Web Auth at the access layer; a user saying "I'm a contractor, my group is HR" is classified Contractor & HR and tagged SGT = 100; server groups Finance (SGT=4) and HR (SGT=10)]
Security Group Tag
Unique 16-bit (65K) tag assigned to unique role
Represents privilege of the source user, device, or entity
Tagged at ingress of TrustSec domain
SGACL
Filtered (SGACL) at egress of TrustSec domain
No IP address required in ACE (IP address is bound to SGT)
Policy (ACL) is distributed from central policy server (ACS) or configured locally on TrustSec device
Customer Benefits
Provides topology-independent policy
Flexible and scalable policy based on user role
Centralized Policy Management for dynamic policy provisioning
Egress filtering reduces TCAM impact
Layer 2 SGT Frame and Cisco Meta Data Format
DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
Cisco Meta Data (CMD): CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
[Figure legend: encrypted and authenticated regions of the frame]
802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead
Frame is always tagged at ingress port of TrustSec-capable device
Tagging process happens prior to other L2 services such as QoS
SGT namespace is managed on central policy server (ACS 5.x)
No impact on IP MTU/fragmentation
• Traditional firewall ACLs typically use an "any" for the source in their rules because they can't classify the source effectively
• Firewalls have started to evolve to use some extra mechanism to classify the source via identity
• Significant overhead can be created when using dynamic identity classification for the source:
More ACLs, since each IP address is filled in for every rule on the FW
More resource consumption (TCAM, CPU, etc.)
This is exacerbated when you try to enforce outside of the DC, since the closer you are to the access layer, the more hosts you have to defend.
[Diagram: users (source) S1–S4 in roles Sales, HR, Finance, Managers, IT Admins, HR Rep; servers (destination) D1–D6]
• (# of sources) * (# of destinations) * permissions = # ACEs
• Source (S1~S4) * Destination (D1~D6) * Permission (4) = 96 ACEs for S1~S4
• The growing number of ACEs leads to resource consumption on the enforcement point
• Network admin manages every IP source to IP destination relationship explicitly
S1 to D1 Access Control (Access Control Entries; the ACE count grows as the number of permission statements increases):
permit tcp S1 D1 eq https
permit tcp S1 D1 eq 8081
permit tcp S1 D1 eq 445
deny ip S1 D1
[Diagram: users S1–S4 in Security Groups (Source) MGMT A (SGT 10), MGMT B (SGT 20), HR Rep (SGT 30), IT Admins (SGT 40); servers D1–D6 in Security Groups (Destination) Sales SRV (SGT 500), HR SRV (SGT 600), Finance SRV (SGT 700); SGACLs enforced between the groups]
• Network admin manages every source "group" to destination "group" relationship
• This abstracts the network topology from the policy and reduces the number of policy rules the admin has to maintain
• The network automates the alignment of users/servers to groups
• Assume current firewall technology where the source is not specified (source = Any)
• 400 users accessing 30 network resources with 4 permissions each
With traditional ACL on FW: Any (src) * 30 (dst) * 4 permissions = 120 ACEs
With traditional ACL on VLAN interface on router or FW, using subnet ranges for the source group: 4 VLANs (src) * 30 (dst) * 4 permissions = 480 ACEs
With SGACL: 4 SGT (src) * 3 SGT (dst) * 4 permissions = 48 ACEs
Per source IP on port with downloadable ACL: 1 group (src) * 30 (dst) * 4 permissions = 120 ACEs
Egress Policy Matrix
SRC \ DST      SRV SGT 111   SRV SGT 222   SRV SGT 333
User SGT 10    Permit all    Deny all      Deny all
User SGT 20    SGACL-B       SGACL-C       Deny all
User SGT 30    Deny all      SGACL-D       Permit all
SGACL-D:
permit tcp src dst eq 1433
#remark destination SQL permit
permit tcp src eq 1433 dst
#remark source SQL permit
permit tcp src dst eq 80
# web permit
permit tcp src dst eq 443
# secure web permit
deny all
All SGTs are mapped to SGACLs using the Egress Policy Matrix, available via the ACS 5.x interface
Matrix row represents source SGT; matrix column represents destination SGT
Content of SGACLs and whole matrix entries are provisioned to TrustSec-capable devices
Step 1: ACS populates its SGT policy
[Diagram: ACS 5.x and directory service; Campus Access with User A and User C; Data Center with Server A, Server B, Server C; TrustSec-enabled network between them]
AD User   Role         SGT
User A    Contractor   10
User B    Finance      20
User C    HR           30
Server        Role             IP             SGT
HTTP Server   Server Group A   10.1.100.111   111
File Server   Server Group B   10.1.100.222   222
SQL Server    Server Group C   10.1.200.3     333
ACS is configured for its policy and all endpoints need to be mapped to SGTs in policy
Step 2: SGTs are assigned to roles and bound to IP addresses
[Diagram: as in Step 1; Server A, B, C now tagged 111, 222, 333 and User C, User A tagged 30, 10 after 802.1X / MAB / Web Auth]
AD User   Role         SGT
User A    Contractor   10
User B    Finance      20
User C    HR           30
Server        Role             IP             SGT
HTTP Server   Server Group A   10.1.100.111   111
File Server   Server Group B   10.1.100.222   222
SQL Server    Server Group C   10.1.200.3     333
With 802.1X / MAB / Web Authentication, SGTs are assigned in an authorization policy via RADIUS
The access device snoops ARP and / or DHCP for the authenticated MAC address, then binds the assigned SGT to the snooped IP address
For servers, IP addresses are bound to SGTs statically on the access switch or dynamically looked up on ACS using the IPM feature
Step 3: ACS provisions the Egress Policy (SGT Matrix) to TrustSec-capable devices
[Diagram: as in Step 2; ACS pushes the SGACL matrix to each TrustSec-capable device]
Each TrustSec-capable device downloads policy from the central policy server, that is, the ACS server
SRC \ DST      Server A (111)   Server B (222)   Server C (333)
User A (10)    Permit all       Deny all         Deny all
User B (20)    SGACL-B          SGACL-C          Deny all
User C (30)    Deny all         SGACL-D          Permit all
SGACL-D:
permit tcp src dst eq 1433
#remark destination SQL permit
permit tcp src eq 1433 dst
#remark source SQL permit
permit tcp src dst eq 80
# web permit
permit tcp src dst eq 443
# secure web permit
deny all
Step 4: Now the TrustSec network is ready to enforce the policy
[Diagram: as in Step 3; User A's traffic is tagged SGT 10 at the ingress interface, carried as CMD-tagged traffic across the domain, and leaves the egress port toward Server A (111) as untagged traffic]
User's traffic is tagged at ingress of TrustSec domain
SGT is carried when packet traverses within domain
At egress port, TrustSec device looks up local policy and drops packet if needed
SRC \ DST      Server A (111)   Server B (222)   Server C (333)
User A (10)    Permit all       Deny all         Deny all
User B (20)    SGACL-B          SGACL-C          Deny all
User C (30)    Deny all         SGACL-D          Permit all
Packets are tagged with SGT at ingress interface
SGACL applied: SGT 10 to SGT 111, Permit all
Step 5: SGACL allows topology-independent access control
[Diagram: as in Step 4; User C's SQL and SMB traffic toward Server B (222)]
Even when another user accesses on the same VLAN as in the previous example, his traffic is tagged differently
If traffic is destined to restricted resources, the packet will be dropped at the egress port of the TrustSec domain
SRC \ DST      Server A (111)   Server B (222)   Server C (333)
User A (10)    Permit all       Deny all         Deny all
User B (20)    SGACL-B          SGACL-C          Deny all
User C (30)    Deny all         SGACL-D          Permit all
SGACL-D:
permit tcp src dst eq 1433
#remark destination SQL permit
permit tcp src eq 1433 dst
#remark source SQL permit
permit tcp src dst eq 80
# web permit
permit tcp src dst eq 443
# secure web permit
deny all
Packets are tagged with SGT at ingress interface
SGACL-D is applied: SQL = OK, SMB = NG
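To make Steps 1 to 5 and the egress policy matrix concrete, here is an added Python simulation (written for this page, not Cisco code) that binds IP addresses to SGTs, looks up the matrix at egress, walks the SGACL body in order, and also counts ACEs the way the earlier ACE-count slide does. SGACL-B, SGACL-C and the user IP addresses are constructed placeholders; the SGT values, server bindings, matrix and SGACL-D are taken from the slides.

```python
# Added example (not Cisco code): SGACL egress enforcement modelled on the Step 1-5
# walk-through above. SGT values, server bindings, the matrix and SGACL-D are the ones
# on the slides; SGACL-B, SGACL-C and the user IP addresses are constructed placeholders.

# Steps 1-2: IP-to-SGT bindings. Servers are bound statically on the access switch; a
# user's SGT comes from the RADIUS authorization and is bound to the IP address the
# switch learns by ARP/DHCP snooping.
IP_TO_SGT = {
    "10.1.100.111": 111,  # HTTP server, Server Group A
    "10.1.100.222": 222,  # File server, Server Group B
    "10.1.200.3": 333,    # SQL server, Server Group C
    "10.1.10.11": 10,     # User A, Contractor (constructed address)
    "10.1.10.22": 20,     # User B, Finance (constructed address)
    "10.1.10.33": 30,     # User C, HR (constructed address)
}

# SGACL bodies in the ACE syntax used on the slides (no IP addresses in the ACEs).
SGACLS = {
    "Permit all": ["permit ip"],
    "Deny all": ["deny all"],
    "SGACL-B": ["permit tcp src dst eq 443", "deny all"],   # constructed stand-in
    "SGACL-C": ["permit tcp src dst eq 445", "deny all"],   # constructed stand-in
    "SGACL-D": [
        "permit tcp src dst eq 1433",  # destination SQL permit
        "permit tcp src eq 1433 dst",  # source SQL permit
        "permit tcp src dst eq 80",    # web permit
        "permit tcp src dst eq 443",   # secure web permit
        "deny all",
    ],
}

# Step 3: egress policy matrix provisioned by ACS. Row = source SGT, column = destination SGT.
MATRIX = {
    10: {111: "Permit all", 222: "Deny all", 333: "Deny all"},
    20: {111: "SGACL-B", 222: "SGACL-C", 333: "Deny all"},
    30: {111: "Deny all", 222: "SGACL-D", 333: "Permit all"},
}


def parse_ace(ace):
    """'permit tcp src eq 1433 dst' -> ('permit', 'tcp', 1433, None); None means any."""
    tok = ace.split()
    if tok[1] in ("all", "ip"):
        return tok[0], None, None, None
    rest, ports = tok[2:], {}
    for key in ("src", "dst"):
        i = rest.index(key)
        ports[key] = int(rest[i + 2]) if i + 2 < len(rest) and rest[i + 1] == "eq" else None
    return tok[0], tok[1], ports["src"], ports["dst"]


def enforce(src_sgt, dst_ip, proto="tcp", sport=0, dport=0):
    """Steps 4-5: egress decision for a packet carrying src_sgt. Returns 'permit' or 'deny'.

    Frames from an untrusted device carry the Unknown SGT (0), which has no matrix row."""
    cell = MATRIX.get(src_sgt, {}).get(IP_TO_SGT.get(dst_ip))
    if cell is None:
        return "deny"
    for ace in SGACLS[cell]:                       # first match wins, like an ACL
        action, aproto, asport, adport = parse_ace(ace)
        if aproto in (None, proto) and asport in (None, sport) and adport in (None, dport):
            return action
    return "deny"                                  # implicit deny


def matrix_ace_count():
    """ACEs a TrustSec device holds: each matrix cell carries its SGACL body once."""
    return sum(len(SGACLS[name]) for row in MATRIX.values() for name in row.values())


def ip_pair_ace_count():
    """The same policy written as traditional IP ACLs: one copy per user IP x server IP pair."""
    users = [ip for ip, sgt in IP_TO_SGT.items() if sgt in MATRIX]
    servers = [ip for ip, sgt in IP_TO_SGT.items() if sgt not in MATRIX]
    return sum(len(SGACLS[MATRIX[IP_TO_SGT[u]][IP_TO_SGT[s]]]) for u in users for s in servers)


def add_host(ip, sgt):
    """Bind one more endpoint (e.g. a new HR user) and return (matrix ACEs, IP-pair ACEs)."""
    IP_TO_SGT[ip] = sgt
    return matrix_ace_count(), ip_pair_ace_count()


if __name__ == "__main__":
    print(enforce(30, "10.1.100.222", "tcp", 50000, 1433))   # HR to file server, SQL: permit
    print(enforce(30, "10.1.100.222", "tcp", 50000, 445))    # HR to file server, SMB: deny
    print(add_host("10.1.10.34", 30))                        # (15, 22): matrix count unchanged
```

Adding a fourth HR host grows the IP-pair ACL by a full copy of the HR row while the SGACL matrix stays the same size, which is the topology independence the slides claim.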
• Any member of the TrustSec domain needs to establish a trust relationship with its peer; otherwise it is not trusted
• Only an SGT from a trusted member can be "trusted" and processed by its peer
• An SGT from a distrusted device is tagged as "Unknown", a special SGT (value is zero)
• The process of authenticating a PC is called "Endpoint Admission Control" (e.g. SGT tagging via 802.1X)
• The process of authenticating a network device is called "Network Device Admission Control", or NDAC in short
NDAC
Network Device Admission Control (NDAC) provides strong mutual authentication (EAP-FAST) to form the trusted domain
Only SGT from trusted peer is honored
Authentication leads to Security Association Protocol (SAP) to negotiate keys and cipher suite for encryption automatically (mechanism defined in 802.11i)
802.1X-2010/MKA will succeed and replace SAP
Trusted device acquires trust and policies from ACS server
Customer Benefits
Mitigate rogue network devices, establish trusted network fabric to ensure SGT integrity and its privilege
Automatic key and cipher suite negotiation for strong 802.1AE based encryption
NDAC validates peer identity before the peer becomes part of the circle of trust
The first device to authenticate against ACS is called the TrustSec Seed Device
Seed Device becomes authenticator to its peer supplicant
Role determination process selects both Authenticator and Supplicant roles
NDAC utilizes EAP-FAST/MSCHAPv2
Credential (including PAC) is stored in hardware key store
[Diagram: Seed Device authenticates to ACS 5.x with EAP-FAST over RADIUS; ACS returns authorization (PAC, environment data, policy)]
As a device connects to its peer, the TrustSec domain expands its border of trust
If the device is not connected to ACS directly, the device is called a non-Seed Device
First peer to gain ACS server connectivity wins the authenticator role
In case of a tie, lower MAC address wins
[Diagram: Seed Device (authenticator) with ACS 5.x; non-Seed Devices join as supplicants via 802.1X NDAC, then act as authenticator toward the next non-Seed Device]
CTS7K-DS 10.1.50.1
CTS7K-CORE# show cts interface ethernet 1/15
CTS Information for Interface Ethernet1/15:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state:
CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-DC
Peer is: CTS Capable
802.1X role: CTS_ROLE_SUP
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853520000 an:2
Current transmit SPI: sci:18bad853460000 an:2
CTS7K-CORE 10.1.50.1
CTS7K-DC# show cts interface ethernet 1/3
CTS Information for Interface Ethernet1/3:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state:
CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-CORE
Peer is: CTS Capable
802.1X role: CTS_ROLE_AUTH
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853460000 an:2
Current transmit SPI: sci:18bad853520000 an:2
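The two outputs above are what an operator reads to confirm a link is actually protected. As an added example (not Cisco tooling), here is a parser for this output together with the checks a verifier would run: every status field shows success, the selected cipher is GCM_ENCRYPT, replay protection is enabled in strict mode, the two sides hold complementary 802.1X roles, and each side's receive SPI matches the other side's transmit SPI. The sample text is the slide's own output with the wrapped "IFC state" line rejoined.

```python
"""Parse 'show cts interface' output and check that the link is protected.
Added example, not Cisco tooling.  The two samples are the slide's own outputs,
with the wrapped 'IFC state' line rejoined; EXPECTED holds the healthy values."""
import re

SAMPLE_CORE = """\
CTS7K-CORE# show cts interface ethernet 1/15
CTS Information for Interface Ethernet1/15:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-DC
Peer is: CTS Capable
802.1X role: CTS_ROLE_SUP
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853520000 an:2
Current transmit SPI: sci:18bad853460000 an:2
"""
SAMPLE_DC = """\
CTS7K-DC# show cts interface ethernet 1/3
CTS Information for Interface Ethernet1/3:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-CORE
Peer is: CTS Capable
802.1X role: CTS_ROLE_AUTH
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853460000 an:2
Current transmit SPI: sci:18bad853520000 an:2
"""

PROMPT_RE = re.compile(r"^(\S+)#\s*show cts interface")
SPI_RE = re.compile(r"sci:([0-9a-f]+)\s+an:(\d+)")
EXPECTED = {  # values a healthy, encrypted, replay-protected link shows
    "Authentication Status": "CTS_AUTHC_SUCCESS", "Authorization Status": "CTS_AUTHZ_SUCCESS",
    "SAP Status": "CTS_SAP_SUCCESS", "Selected cipher": "GCM_ENCRYPT",
    "Replay protection": "Enabled", "Replay protection mode": "Strict",
    "Peer SGT assignment": "Trusted",
}


def parse_cts_interface(text):
    """Turn the output into a dict; SPI lines become {'sci': ..., 'an': ...}."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        m = PROMPT_RE.match(line)
        if m:                                   # hostname comes from the prompt
            info["hostname"] = m.group(1)
        elif ":" in line:                       # "key: value", split on the first colon
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    for key in ("Current receive SPI", "Current transmit SPI"):
        m = SPI_RE.search(info.get(key, ""))
        if m:
            info[key] = {"sci": m.group(1), "an": int(m.group(2))}
    return info


def check_link(info):
    """Findings for one side; an empty list means every EXPECTED value matched."""
    return [f"{key}: expected {want}, got {info.get(key)!r}"
            for key, want in EXPECTED.items() if info.get(key) != want]


def check_pair(a, b):
    """Both sides healthy, roles complementary, identities and SPIs cross-matching."""
    findings = check_link(a) + check_link(b)
    roles = {a.get("802.1X role"), b.get("802.1X role")}
    if roles != {"CTS_ROLE_SUP", "CTS_ROLE_AUTH"}:
        findings.append(f"roles are not complementary: {sorted(map(str, roles))}")
    if a.get("Peer Identity") != b.get("hostname") or b.get("Peer Identity") != a.get("hostname"):
        findings.append("peer identities do not match the hostnames")
    for rx_side, tx_side in ((a, b), (b, a)):   # my receive SA must be the peer's transmit SA
        rx, tx = rx_side.get("Current receive SPI"), tx_side.get("Current transmit SPI")
        if not isinstance(rx, dict) or rx != tx:
            findings.append(f"{rx_side.get('hostname')} receive SPI != {tx_side.get('hostname')} transmit SPI")
    return findings


if __name__ == "__main__":
    core, dc = parse_cts_interface(SAMPLE_CORE), parse_cts_interface(SAMPLE_DC)
    print(check_pair(core, dc) or "both sides healthy and consistent")
```

Run against the slide's two outputs, check_pair returns no findings; feed it the same side twice, or an output where replay protection is reported as anything but Enabled/Strict, and it reports exactly which field deviates.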
© 2011 Cisco and/or its affiliates. All rights reserved. 79
* NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
802.1AE
TrustSec provides Layer 2 hop-by-hop encryption and integrity, based on the IEEE 802.1AE standard
128-bit AES-GCM (Galois/Counter Mode), NIST approved *
Line-rate encryption/decryption on both 10GbE and 1GbE interfaces
Replay protection of each and every frame
802.1AE encryption protects the CMD field (the SGT value)
Protects against man-in-the-middle attacks (snooping, tampering, replay)
Standards-based frame format and algorithm (AES-GCM)
The 802.1X-REV/MKA addition supports per-device security associations in shared-media environments (e.g. a PC behind an IP Phone) to provide secured communication
The hop-by-hop approach keeps network services usable, unlike an end-to-end approach (e.g. Microsoft Domain Isolation/IPsec)
Customer Benefits
© 2011 Cisco and/or its affiliates. All rights reserved. 80
MACsec Tag Format
TrustSec frame format:
DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
802.1AE header fields:
MACsec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)
Encrypted: 802.1Q, CMD, ETYPE and PAYLOAD
Authenticated (covered by the ICV): DMAC, SMAC, the 802.1AE header and the encrypted fields
© 2011 Cisco and/or its affiliates. All rights reserved. 81
[Figure: each hop is protected with 128-bit AES-GCM encryption on the wire; inside each device, everything is in the clear]
"Bump-in-the-wire" model
- Packets are encrypted on egress
- Packets are decrypted on ingress
- Packets are in the clear inside the device (ASIC: decrypt at ingress, encrypt at egress)
Allows the network to continue to perform all the packet inspection features currently used
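The tag-format slide and the bump-in-the-wire slide above describe the 802.1AE header, which regions of the frame are encrypted versus authenticated, and per-frame replay protection. The following added example (not Cisco code) packs and parses that header, splits a frame into its authenticated and encrypted regions, and applies the "Replay protection mode: Strict" rule using the Packet Number per (SCI, AN) association. Addresses, VLAN, CMD bytes and payload are constructed, and the ICV is a placeholder: in the real frame it is the AES-GCM tag computed by the ASIC, which this example does not compute.

```python
"""
Constructed illustration of the 802.1AE (MACsec) frame layout and of strict
replay protection keyed on the Packet Number.  Added example, not Cisco code:
the ICV is a 16-byte placeholder (the real value is the AES-GCM tag produced in
hardware) and all addresses, CMD bytes and payload are made up.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType of the 802.1AE header (from the slide)
TCI_SC = 0x20               # TCI bit: SCI field present (8 bytes follow)
TCI_E = 0x08                # TCI bit: secure data is encrypted
TCI_C = 0x04                # TCI bit: secure data changed by the cipher suite
ICV_LEN = 16                # 128-bit AES-GCM integrity check value


def pack_sectag(an, pn, sci=None, encrypted=True, short_length=0):
    """Build the 802.1AE header: EtherType, TCI/AN, SL, Packet Number, optional SCI."""
    if not 0 <= an <= 3:
        raise ValueError("AN is a 2-bit field")
    tci = an & 0x03
    if encrypted:
        tci |= TCI_E | TCI_C
    if sci is not None:
        if len(sci) != 8:
            raise ValueError("SCI is 8 bytes (MAC address + port id)")
        tci |= TCI_SC
    tag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, short_length & 0x3F, pn)
    return tag + (sci or b"")


def build_frame(dmac, smac, sectag, secure_data, icv):
    """DMAC | SMAC | 802.1AE header | secure data (802.1Q, CMD, ETYPE, PAYLOAD) | ICV."""
    return dmac + smac + sectag + secure_data + icv


def parse_frame(frame):
    """Split a MACsec frame into its header fields and protected regions."""
    etype, tci, sl, pn = struct.unpack_from("!HBBI", frame, 12)
    if etype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    end, sci = 20, None
    if tci & TCI_SC:
        sci, end = frame[20:28], 28
    return {
        "dmac": frame[0:6], "smac": frame[6:12],
        "an": tci & 0x03, "pn": pn, "sci": sci, "sl": sl & 0x3F,
        "encrypted": bool(tci & TCI_E),
        "authenticated": frame[:-ICV_LEN],   # everything the ICV covers
        "secure_data": frame[end:-ICV_LEN],  # the only region that is encrypted
        "icv": frame[-ICV_LEN:],
    }


class StrictReplayCheck:
    """'Replay protection mode: Strict': accept a frame only if its PN is higher
    than every PN already accepted on the same (SCI, AN) association."""

    def __init__(self):
        self.highest = {}

    def accept(self, sci, an, pn):
        key = (sci, an)
        if pn <= self.highest.get(key, 0):
            return False                     # replayed or reordered: drop
        self.highest[key] = pn
        return True


def receive(frames, checker=None):
    """Return [(pn, accepted), ...] for a sequence of frames arriving on one port."""
    checker = checker or StrictReplayCheck()
    out = []
    for f in frames:
        p = parse_frame(f)
        out.append((p["pn"], checker.accept(p["sci"], p["an"], p["pn"])))
    return out


# Constructed sample: 802.1Q tag, placeholder CMD bytes carrying an SGT, IPv4 EtherType, payload
DMAC = bytes.fromhex("0000000c0001")                         # constructed
SMAC = bytes.fromhex("0000000c0002")                         # constructed
SCI = SMAC + b"\x00\x01"                                     # sender MAC + port id
SECURE_DATA = (bytes.fromhex("8100000a")                     # 802.1Q, VLAN 10
               + bytes.fromhex("0000000000000002")           # placeholder CMD bytes (SGT 2)
               + bytes.fromhex("0800") + b"payload-in-clear-before-encryption")
ICV = b"\x00" * ICV_LEN                                      # placeholder for the AES-GCM tag


def sample_frames():
    """Two frames with consecutive PNs, then a replay of the first one."""
    f1 = build_frame(DMAC, SMAC, pack_sectag(an=2, pn=101, sci=SCI), SECURE_DATA, ICV)
    f2 = build_frame(DMAC, SMAC, pack_sectag(an=2, pn=102, sci=SCI), SECURE_DATA, ICV)
    return [f1, f2, f1]


if __name__ == "__main__":
    for pn, ok in receive(sample_frames()):
        print(pn, "accepted" if ok else "dropped (replay)")
```

The split between "authenticated" and "secure_data" is the point of the tag-format slide: the ICV covers the addresses and the header as well as the payload, so a tampered SGT in the CMD field fails integrity even though only the fields after the header are encrypted. The strict checker shows why replay mode matters: the third frame carries a valid-looking header and ICV but a PN that was already accepted, so it is dropped.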
© 2011 Cisco and/or its affiliates. All rights reserved. 82
Why Borderless Networks?
Cisco’s Architectural Approach
Cisco TrustSec Solution
Delivering Business Value
New and Evolving Threats
© 2011 Cisco and/or its affiliates. All rights reserved. 83
Do I have a consistent Access Policy Architecture across my network for all Users and Devices?
Can mobile devices access my network securely, reliably and seamlessly?
Can my network deliver real-time collaboration experiences?
Can my network deliver protection from the premises to the Cloud?
Can my network optimize performance of applications Anytime, Anywhere?
Am I using my network to reduce my energy costs?
Is my network ready for current and future regulatory requirements?
Where am I now? Where do I start?
© 2011 Cisco and/or its affiliates. All rights reserved. 84
Enable a Smart Network
Enable the Architecture
Enable Business Solutions
Services to Accelerate the Transformation
Where Do I Start?
Network Services
Deployment
EnergyWise Services
TrustSec Services
Application Velocity Services
Video Experience Service
How Do I Keep It Current?
Network Life Cycle Services
Network Optimization Service
Smart Net Total
Care Services
Smart Care Service
SMARTnet
IT Cost Optimization Service
Remote Security
Monitoring Service
Where am I Now?
Architectural Assessments
IPv6 Services
Medianet Readiness
Assessment
With Services from Cisco and Our Partners
© 2011 Cisco and/or its affiliates. All rights reserved. 85
Lower Total Cost of Ownership
• Network performance is improved with a pretested architecture
Prescriptive Solutions
• Preselected Cisco solutions provide the right functions for customers
Modular Design for the Future
• Build a network platform ready to support future deployments of unified communications, switching, wireless, routing, video, and data center
Complete designs with deployment guides for organizations scaling from 100 to 10,000 endpoints
© 2011 Cisco and/or its affiliates. All rights reserved. 86
Cisco Delivers the Platform for Your
Business Innovations
The Borderless Organization Needs a Borderless Network
Architecture
Cisco Is Uniquely Equipped to Deliver That Architecture
with "Broad and Deep" Network Innovation
Thank you.