Source PDF: d2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKCRS-2891.pdf

Enterprise Network Segmentation with Cisco TrustSec

Hariprasad Holla | @hari_holla

Abstract

This session provides an overview of the Cisco TrustSec solution for Enterprise network segmentation and Role-Based Access Control. TrustSec allows for simplified network segmentation based on User Identity/Role and allows for secure access and consistent security policies across Wired/Wireless networks. We will cover the TrustSec solution on the Catalyst, Nexus Switching and Routing (ASR1K/CSR/ISR) platforms, including converged wired/wireless, with a focus on the deployment use cases in campus, data centre & branch networks. The session covers an architectural overview of TrustSec and benefits of role based policies, elements of the solution such as user identification with 802.1x, device identification, role classification using Security Group Tagging (SGT) and enforcement using Security Group Access Control List (SGACL). This session is for Network and Security Architects, Pre-Sales Engineers and Technical Decision Makers. Previous knowledge or experience is recommended in campus design, Internet edge design, routing protocol design, and Layer 2 and Layer 3 switching.

TrustSec or related sessions

• BRKSEC-2026 - Network as a Sensor and Enforcer: Matthew Robertson - Wednesday 9 Mar 2:30 PM - 4:00 PM – 208
• BRKCRS-2891 - Enterprise Network Segmentation (with Cisco TrustSec): Hariprasad Holla - Wednesday 9 Mar 4:30 PM - 6:00 PM – 203
• BRKSEC-2690 - Deploying Security Group Tags: Kevin Regan - Wednesday 9 Mar 4:30 PM - 6:00 PM – 208
• BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec: Hosuk Won - Thursday 10 Mar 8:30 AM - 10:30 AM – 208
• BRKSEC-3690 - Advanced Security Group Tags: Kevin Regan - Friday 11 Mar 8:45 AM - 10:45 AM – 105
• BRKACI-2504 - Cisco Security on ACI - Microsegmentation, ASA, FirePOWER: Brenden Buresh - Friday 11 Mar 8:45 AM - 10:45 AM – 211

Tom's Segmentation Challenge

Tom manages the network for ABC Corp. Various segmentation needs:
• Line of Business
• BYOD
• Compliance
• PCI Devices
• Employees, Contractors, Vendors, Guests
• Campus and Branch
• Retain policies as the network transitions to IPv6

What makes it hard today:
• Complex IP based policies (the slide background is a wall of IP-based access-list 102 entries such as the two below)
• VLANs need updates as topology changes
• Extending segments over Layer 3 boundaries

  access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
  access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
  ... (dozens more entries of the same shape)


Agenda

1. Network Segmentation: the past, present and future of network segmentation
2. TrustSec Deep-dive: WHAT is Cisco TrustSec
3. Deploying TrustSec: HOW to deploy TrustSec
4. Use cases & Deployment scenarios: WHY segment the TrustSec way?
5. Key takeaways: WHEN to deploy TrustSec: Now!

Section 1: Network Segmentation

Traditional Segmentation is operationally heavy

[Diagram: Access Layer, Aggregation Layer and Enterprise Backbone with one VLAN per role: Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier, Guest), BYOD VLAN (BYOD), Quarantine VLAN (Non-Compliant). Every VLAN drags along Address / DHCP Scope, Redundancy, Routing, Static ACL / VACL and Applications to maintain, on top of the same wall of access-list 102 entries.]

Limitations of Traditional Segmentation
• Security Policy based on Topology
• High cost and complex maintenance

Classification: Static / Dynamic VLAN assignments
Propagation: Carry segment context over the network through VLAN tags / IP address / VRF
Enforcement: IP based policies. ACLs, Firewall rules

Introducing Cisco TrustSec

[Diagram: Classification at the edge (Switch, Wireless, Remote Access) with ISE and the Directory; Propagation across the Routers; Enforcement at the DC Switch and DC Firewall in front of the Application Servers and Production Servers. Employees carry SGT 5, application servers SGT 7 and production servers SGT 8.]

Egress Policy: a source-SGT × destination-SGT matrix with Employee, App_Serv and Prod_Serv as sources and App_Serv and Prod_Serv as destinations; each cell is Permit All or Deny All.

Consistent access governed by simplified policy

Consistent access governed by simplified policy

[Diagram: a campus Switch with VLAN: Data-1 and VLAN: Data-2 carrying Voice, Employee, Supplier and Non-Compliant endpoints; the Enterprise Backbone; a Data Centre with DC Switch, Application Servers and Shared Services; a Remediation switch; ISE. The Employee Tag, Supplier Tag and Non-Compliant Tag travel with the endpoints.]

• DC switch receives policy for only what is connected
• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers
• TrustSec simplifies ACL management for intra/inter-VLAN traffic

The three common deployment scenarios

User to Data Centre Access Control
• Context-based access control
• Compliance requirements: PCI, HIPAA, export controlled information
• Merger & acquisition integration, divestments

Data Centre Segmentation
• Server zoning & Micro-segmentation
• Production vs. Development Server segmentation
• Compliance requirements, PCI, HIPAA
• Firewall rule automation

Campus and Branch Segmentation
• Line of business segregation
• PCI, HIPAA and other compliance regulations
• Malware propagation control/quarantine

Section 2: TrustSec Deep-dive (WHAT is TrustSec)

ISE controls TrustSec

• SGT: Centrally define Security Group Tags and their names, for example 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
• SGACL / Name table: the TrustSec policy matrix (a Security Group ACL per source/destination pair, drawn on the slide as a ✓/✕ grid of Sources × Destinations) is pushed down to the enforcers via a secure channel
• 802.1X Dynamic SGT Assignment: ISE authenticates Wired/Wireless/VPN clients and assigns SGTs
• Static SGT Assignments
• NDAC (Network Device Admission Control): a trusted domain of 'Network Devices'; rogue devices stay outside it

The '3' TrustSec functions

A. Classification (Assigning SGTs), e.g. 5 Employee, 6 Voice, 7 Partner
   • Static Assignments
   • Dynamic Assignments
B. Propagation
   • Inline SGT
   • SXP
   • WAN Options
C. Enforcement
   • Security Group ACL
   • SG Firewall

Two ways to assign Security Group Tags

Dynamic Classification, at the Campus Access layer, WLC, FW and Hypervisor SW (e.g. MAB)

Static Classification, at Distribution, Core, DC Core, DC Dist/Access and the Enterprise Backbone:
• VLAN-SGT Mapping
• SVI (L3 Interface) to SGT
• L2 Port to SGT
• VM (Port Profile) to SGT
• Subnet-SGT

Routes learnt on an L3 port automatically get an SGT assignment

Can apply to Layer 3 interfaces regardless of the underlying physical interface: Routed port, SVI (VLAN interface), Tunnel interface, etc.

[Diagram: a DC Access switch (Hypervisor SW behind it) with GigabitEthernet 3/0/1 and 3/0/2 towards Business Partners and Joint Ventures. Route Updates for 17.1.1.0/24 arrive on g3/0/1; Route Updates for 43.1.1.0/24 and 49.1.1.0/24 arrive on g3/0/2.]

GigabitEthernet 3/0/1 maps to SGT 8
GigabitEthernet 3/0/2 maps to SGT 9

Resulting IP-SGT binding table:

IP Address        SGT   Source
========================================
11.1.1.2          2     INTERNAL
12.1.1.2          2     INTERNAL
13.1.1.2          2     INTERNAL
17.1.1.0/24       8     L3IF
43.1.1.0/24       9     L3IF
49.1.1.0/24       9     L3IF

In Nexus 1000V, SGTs can be assigned to a Port Profile

• Port Profile
  – Container of network properties
  – Applied to different interfaces
• Server Admin may assign Port Profiles to new VMs
• VMs inherit network properties of the port-profile including SGT
• SGT stays with the VM even if moved


Propagation

SGT propagation through 'Ethernet Inline Tagging'

Ethernet Frame: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC

Cisco Meta Data (CMD) fields: CMD EtherType 0x8909 | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option

MACsec Frame: Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE trailer | CRC, with AES-GCM 128-bit encryption covering the tagged frame

• IETF draft: http://tinyurl.com/sgt-draft
• Fastest and most scalable way to propagate the SGT within the LAN or Data Centre
• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame
• Capable switches understand and process the SGT at line rate
• Protected by enabling MACsec (IEEE 802.1AE), optional for capable hardware
• No impact on QoS or IP MTU/fragmentation
• L2 frame impact: ~20 bytes
• 16-bit field gives ~64,000 tag space
• A non-capable device drops frames with an unknown EtherType
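The frame walk a switch performs on an inline-tagged frame, as an added example (not code from the slides or from Cisco). It builds a constructed frame with the fields the slide names, extracts the SGT, and models the two behaviours called out above: a MACsec-protected frame hides the tag from anyone without the session keys, and a non-capable device drops the frame on the unknown 0x8909 EtherType. The field widths (1-byte Version, 1-byte Length in 4-byte words, 2-byte option type 0x0001, 2-byte SGT) are an assumption for this example; only the field names and the EtherType values come from the slide.

```python
import struct
from typing import Optional

# EtherType values named on the slide
ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag
ETHERTYPE_CMD = 0x8909     # Cisco Meta Data (CMD), the header that carries the SGT
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE MacSec
ETHERTYPE_IPV4 = 0x0800

# Encoding assumed for this example (the slide names the fields, not their widths):
#   Version (1 byte) | Length (1 byte, option area in 4-byte words) |
#   SGT Option Type (2 bytes) | SGT Value (2 bytes) | original EtherType (2 bytes)
CMD_VERSION = 1
CMD_OPT_SGT = 0x0001


class FrameDropped(Exception):
    """A device that does not recognise an EtherType discards the frame."""


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                sgt: Optional[int] = None, vlan: Optional[int] = None,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Constructed Ethernet frame, optionally 802.1Q tagged and/or SGT tagged."""
    frame = dst_mac + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is a 16-bit field")
        frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPT_SGT, sgt)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes, cmd_capable: bool = True) -> dict:
    """Walk the EtherType chain the way a switch does.

    cmd_capable=False models a non-TrustSec device: any EtherType it does not
    know (0x8909 included) makes it drop the frame, as the slide states.
    """
    known = {ETHERTYPE_VLAN, ETHERTYPE_IPV4}
    if cmd_capable:
        known.add(ETHERTYPE_CMD)
    info = {"vlan": None, "sgt": None, "ethertype": None, "macsec": False, "payload": b""}
    off = 12  # past destination and source MAC
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype == ETHERTYPE_MACSEC:
            # 802.1AE protects everything behind its header: without the MACsec
            # session keys the SGT cannot be read (or altered) here.
            info["macsec"] = True
            return info
        if etype not in known:
            raise FrameDropped(f"unknown EtherType 0x{etype:04X}")
        if etype == ETHERTYPE_VLAN:
            (tci,) = struct.unpack_from("!H", frame, off)
            off += 2
            info["vlan"] = tci & 0x0FFF
        elif etype == ETHERTYPE_CMD:
            version, length, opt_type, sgt = struct.unpack_from("!BBHH", frame, off)
            if version != CMD_VERSION or opt_type != CMD_OPT_SGT:
                raise FrameDropped("unsupported CMD version or option type")
            off += 2 + 4 * length  # version/length header plus the option area
            info["sgt"] = sgt
        else:
            info["ethertype"] = etype
            info["payload"] = frame[off:]
            return info


def cmd_overhead_bytes() -> int:
    """Bytes the inline SGT adds to a frame under the assumed layout."""
    plain = build_frame(b"\xff" * 6, b"\x02" * 6, b"data")
    tagged = build_frame(b"\xff" * 6, b"\x02" * 6, b"data", sgt=5)
    return len(tagged) - len(plain)


if __name__ == "__main__":
    f = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", b"IP packet", sgt=5, vlan=10)
    print(parse_frame(f))
    try:
        parse_frame(f, cmd_capable=False)
    except FrameDropped as err:
        print("non-capable switch:", err)
```

Under these assumptions the CMD header costs 8 bytes on the wire; the ~20 bytes quoted on the slide also covers the MACsec header and trailer when 802.1AE is enabled.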

Out-of-band IP-SGT binding propagation through SGT Exchange Protocol (SXP)

• Propagation method of IP-SGT binding
  – Propagate IP-SGT from the classification to the enforcement point
• Open protocol (IETF-Draft, http://tinyurl.com/sxp-draft) & ODL Supported
  – TCP - Port:64999
• Role: Speaker (initiator) and Listener (receiver)
• Use MD5 for authentication and integrity check
• Support Single Hop SXP & Multi-Hop SXP (aggregation)
• Cisco ISE 2.0 can be an SXP Speaker and Listener (SXP Aggregation)

[Diagram: Switches as SXP Speakers send bindings such as SGT 5 → 10.0.1.2 and SGT 6 → 10.4.9.5 to Routers and a Firewall acting as SXP Listeners.]

SXP in action!

[Diagram: an Employee at 10.1.1.1 authenticates via 802.1X on a Catalyst 2960X and is classified Employee = SGT-5; a Web_Server at 10.2.2.2 = SGT-10 sits behind a Nexus 7000 across the WAN; Cisco ISE 2.0 holds the TrustSec Policy for SGT 5 and SGT 10. SXP carries IP-10.1.1.1 = SGT-5 and IP-10.2.2.2 = SGT-10 to the Nexus switch, so the packet SRC: 10.1.1.1 DST: 10.2.2.2 can be enforced there.]

IP-SGT Binding Table – Access Switch (2960X)

IP Address        SGT   Source
========================================
172.21.1.1        2     INTERNAL
10.1.1.1          5     LOCAL

IP-SGT Binding Table – Nexus Switch (N7K)

IP Address        SGT   Source
========================================
172.22.2.2        2     INTERNAL
10.2.2.2          10    SXP
10.1.1.1          5     SXP
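How the binding tables above come together, as an added example that is not part of the slides or of any Cisco code: a small model of the IP-to-SGT binding table with longest-prefix lookup (so the /32 learnt by 802.1X wins over a subnet binding), the L3IF subnet bindings from the earlier slide, and an SXP speaker-to-listener push that installs the access switch's bindings on the Nexus with source SXP. Two assumptions are built in and marked in the code: INTERNAL bindings (a device's own addresses) are not exported over SXP, which is what the Nexus table on the slide shows, and a conflicting second binding for the same prefix is recorded and ignored rather than overwriting the first.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
Binding = Tuple[int, str]  # (SGT, source as printed by 'show cts role-based sgt-map')


class BindingTable:
    """IP-to-SGT binding table of one device (constructed model, not device code)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[IPv4Net, Binding] = {}
        self.conflicts: List[str] = []

    def add(self, prefix: str, sgt: int, source: str) -> bool:
        """Install a binding. A different SGT for an already-bound prefix is logged
        as a conflict and ignored (first binding wins: an assumption of this model)."""
        net = ipaddress.ip_network(prefix, strict=False)
        if net in self.entries and self.entries[net] != (sgt, source):
            self.conflicts.append(
                f"{self.name}: {net} already bound to {self.entries[net]}, ignored ({sgt}, {source})")
            return False
        self.entries[net] = (sgt, source)
        return True

    def lookup(self, ip: str) -> Optional[Binding]:
        """Longest-prefix match: a /32 from 802.1X beats an L3IF subnet binding."""
        addr = ipaddress.ip_address(ip)
        best: Optional[IPv4Net] = None
        for net in self.entries:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return self.entries[best] if best is not None else None

    def exportable(self) -> List[Tuple[str, int]]:
        """Bindings an SXP speaker advertises. INTERNAL bindings stay local, which
        matches the slide: the Nexus table has no entry for 172.21.1.1 (assumption)."""
        return [(str(net), sgt) for net, (sgt, src) in self.entries.items() if src != "INTERNAL"]

    def show(self) -> str:
        """Render in the style of the binding tables on the slide."""
        lines = [f"{'IP Address':<18}{'SGT':<6}Source", "=" * 40]
        for net in sorted(self.entries, key=lambda n: (n.prefixlen, int(n.network_address)), reverse=True):
            sgt, src = self.entries[net]
            shown = str(net.network_address) if net.prefixlen == 32 else str(net)
            lines.append(f"{shown:<18}{sgt:<6}{src}")
        return "\n".join(lines)


def sxp_push(speaker: BindingTable, listener: BindingTable) -> int:
    """One SXP update from speaker to listener: every exportable binding is installed
    on the listener with source SXP. Returns the number of bindings installed."""
    return sum(listener.add(prefix, sgt, "SXP") for prefix, sgt in speaker.exportable())


def demo() -> Dict[str, BindingTable]:
    # Access switch: its own address (INTERNAL) and an 802.1X-authenticated employee (LOCAL)
    access = BindingTable("2960X")
    access.add("172.21.1.1/32", 2, "INTERNAL")
    access.add("10.1.1.1/32", 5, "LOCAL")          # Employee = SGT-5
    # DC switch: its own address plus the web server binding it already holds via SXP
    nexus = BindingTable("N7K")
    nexus.add("172.22.2.2/32", 2, "INTERNAL")
    nexus.add("10.2.2.2/32", 10, "SXP")            # Web_Server = SGT-10
    sxp_push(access, nexus)                        # single-hop SXP as on the slide
    # Router with L3IF bindings: routes learnt on g3/0/1 get SGT 8, on g3/0/2 SGT 9
    dc_access = BindingTable("DC-Access")
    for prefix, sgt in (("17.1.1.0/24", 8), ("43.1.1.0/24", 9), ("49.1.1.0/24", 9)):
        dc_access.add(prefix, sgt, "L3IF")
    return {"access": access, "nexus": nexus, "dc_access": dc_access}


if __name__ == "__main__":
    for name, table in demo().items():
        print(f"--- {name}\n{table.show()}")
```

Multi-hop SXP (aggregation) is the same call chained: push access → aggregator, then aggregator → Nexus; the bindings arrive on the last hop still marked SXP.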

Multiple options for SGT transport over an L3 network

• Multiple options for SGT transport over non-CTS Layer 3 networks
• DMVPN for Internet based VPNs
• GETVPN and OTP for private WAN

[Diagram: the Enterprise LAN (Catalyst 6500 with SGACL; HR, Finance, BYOD and Wireless segments; switches speaking SXP) and the Data Centre (Nexus 7000, Nexus 1000v, ISE) joined over Enterprise MPLS (GETVPN), the Internet (DMVPN) and IPSEC, with CTS links inside each site.]


Ingress classification, 'Egress enforcement'

[Diagram: a user on a Cat3850 is authenticated and classified as Marketing (5). The packet SRC: 10.1.10.220 DST: 10.1.100.52 carries SGT: 5 across the Cat6800 / Enterprise Backbone to the Nexus 7000 / Nexus 5500 / Nexus 2248 in the data centre. Destination Classification: Web_Dir: SGT 20, CRM: SGT 30. At the egress switch a FIB Lookup on the destination MAC/Port yields the destination SGT (20 for DST: 10.1.100.52, 30 for DST: 10.1.200.100) and the SGACL for the (source SGT, destination SGT) pair is applied.]

SGACL matrix:

SRC \ DST          Web_Dir (20)    CRM (30)
Marketing (5)      Permit          Deny
BYOD (7)           Deny            SGACL-A

ACL: Access Control List

The SGACL Enforcement Policy

[Slide 31 is a screenshot of the ISE egress policy matrix.]

SGTs can be used for policies in the Cisco ASA Firewall

• Use the Destination SGT received from the Switches connected to the destination
• Use Network Objects (Host, Range, Network (subnet), or FQDN)
• SGT defined in ISE or locally defined on the ASA
• Trigger IPS/CX based on SGT

More on ASA TrustSec: BRKSEC-2690 and BRKSEC-3690

TrustSec supported platforms

Classification (User → Switch / Router / Firewall / DC Switch / vSwitch / Server):
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C/-X/-CX
• Catalyst 3750-E/-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E/7E) / 4500X
• Catalyst 4500E (Sup8)
• Catalyst 6500E (Sup720/2T)
• Catalyst 6800
• WLC 2500/5500/WiSM2
• WLC 5760
• WLC 8510/8540
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISRG2, ISR4000
• ASR1000, CSR 1000v
• IE2000/3000/4000
• CGR 2000, CGS2500
• ASA5500 (RAS VPN)

Propagation (including WAN: GETVPN, DMVPN, IPSEC):
• Catalyst 2960-S/-C/-Plus/-X/-XR
• Catalyst 3560-E/-C, 3750-E
• Catalyst 3560-X/3750-X
• Catalyst 3850/3650
• Catalyst 4500E (Sup6E)
• Catalyst 4500E (Sup 7E, 7LE, 8E)
• Catalyst 4500X
• Catalyst 6500E (Sup720)
• Catalyst 6500/Sup2T, 6800
• WLC 2500/5500/WiSM2
• WLC 5760, 8510/8540
• Nexus 7000
• Nexus 6000
• Nexus 5500/2200
• Nexus 1000v
• ISR G2, ISR 4000
• ASR1000, CSR 1000V
• IE2000/3000/4000, CGR2000, CGS2500
• ASA5500
• ISE

Enforcement:
• Catalyst 3560-X
• Catalyst 3750-X
• Catalyst 3850/3650
• WLC 5760
• Catalyst 4500E (7E) / 4500X
• Catalyst 4500E (8E)
• Catalyst 6500E (2T)
• Catalyst 6800
• Nexus 7000
• Nexus 6000
• Nexus 5500/5600
• Nexus 1000v
• ISR G2, ISR 4000
• ASR 1000, CSR 1000v
• CGR2000
• ASA 5500 Firewall
• ASAv Firewall
• Web Security Appliance

For up-to-date information visit: http://bit.ly/cisco-trustsec-matrix

Section 3: Deploying TrustSec (HOW to deploy TrustSec)

Approaching a TrustSec design

Focus on the Business Problem
• Maintain Compliance
• Protect against breach
• Complex ACLs, Firewall rule complexity

Use Cases can be Localised
• Controlled access to Production systems or PCI Servers
• User to DC Access Control
• Secure BYOD
• Contractor Access Control
• Extranet Security

Start with Policy Goals
• Simplified Firewall Rules, VPN Access, ACLs or WSA rules

Starting a TrustSec design

• Discuss assets to protect. Example: Cardholder Data, Medical Record, intellectual data
• Policy Enforcement Points
  – DC segmentation (DC virtual/physical switches or virtual/physical Firewalls)
  – User to DC access control
  – (Identify capable switches or firewalls in the path)
• Classification Mechanisms. Example: Dynamic, Static, etc.
• Propagation Methods
  – Inline Tagging
  – SXP
  – DM-VPN
  – GET-VPN
  – IPSec
  – OTP etc.

SGT policy matrix example: write it down on a spreadsheet!

It all starts with ISE: Things to do in Cisco ISE for TrustSec

• Basic infrastructure setup – Certificates, Active Directory integration, etc.
• Create Security Group Tags to be used in the network
• Setup Network Device Admission Control - NDAC
• Define Authentication and Authorisation policies for Users and Devices
• Configure SGACL & Egress Policies (If enforcing on IOS / Nexus Switches)

Security Group Tags in ISE

Define SGTs under the 'Components' section in the TrustSec Work Centre (from ISE 2.0).

Define all the 'Network Devices'

The Network Devices, aka Switches, Routers, Wireless controllers, Firewalls, etc. need to be defined here. Bulk upload via CSV is possible too.

Configure additional parameters for TrustSec

In addition to the RADIUS secret, check 'Advanced TrustSec Settings' and 'Use Device ID for TrustSec', then type the device password. This ID and Password need to be exactly the same as you define on the network device CLI.

Define Authorisation policies for Users and Devices

802.1X / MAB / Web Authentication policy to assign SGTs to the Users and Devices.

Configure Security Group ACLs

Configure the SGACLs first; they are referenced under the Egress policy later.

Egress Policy Matrix

The Default Rule can be Permit or Deny.

Global Cisco TrustSec (CTS) configurations

Global AAA Configuration for all IOS Switches:

aaa new-model
!
aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa authorization network cts-list group ise-group
aaa accounting dot1x default start-stop group ise-group
!
aaa server radius dynamic-author
 client <ISE_IP> server-key cisco
 ! the CoA client is the ISE node that sends Change of Authorization to this switch
!
radius server ise
 address ipv4 <ISE_IP> auth-port 1812 acct-port 1813
 pac key <PAC_Password>
!
aaa group server radius ise-group
 server name ise
!

TrustSec authorisation should use the cts-list AAA servers:

cts authorization list cts-list

For SGT policy enforcement, if the switch has to enforce access control:

cts role-based enforcement
cts role-based enforcement vlan-list <VLANs>

Critical authentication for NDAC – when ISE is not reachable:

cts critical-authentication
cts critical-auth fallback cached|default

Fall back to cached / default policies when ISE is unreachable. More options: http://bit.ly/cisco-cts-critical-auth

Cisco IOS Switches: (Typically) Enable 802.1X on downlink and SGT propagation on uplink

Uplink towards Agg / Core:

interface <Uplink_Port>
 description ** Uplink Interface **
 switchport mode trunk
 cts manual
 ! Or: cts dot1x

cts commands on uplink ports automatically (hidden) configure the 'propagate sgt' command. 'cts manual' is for manual configuration of (optional) MACsec on the port; 'cts dot1x' is for the switch to receive MACsec PMK keys from Cisco ISE.

Switch port configuration for dynamic SGT assignments (access port):

interface <Access-port>
 switchport access vlan <Data_VLAN>
 switchport voice vlan <Voice_VLAN>
 switchport mode access
 authentication open
 authentication port-control auto
 authentication host-mode multi-auth
 dot1x pae authenticator
 mab

(Optional) For static assignment of VLAN to SGT, useful if the users or devices are static:

cts role-based sgt-map vlan-list <VLAN_IDs> sgt <SGT>

** Other best practice configurations applicable

Switch ports can stay in 802.1X 'Monitor Mode' forever

Monitor Mode: irrespective of authentication status (pass/fail), endpoints get an IP address. Successful authentication gets specific SGTs and failures are classified as the 'Unknown' SGT.

Tagged traffic traverses the network, allowing monitoring and validation that:
• Assets are correctly classified
• Traffic flows to assets are as predicted/expected

[Diagram: Users and Endpoints on Catalyst Switches (3K/4K/6K) in the Campus Network, an N7K in front of the PCI Server, Production Server and Development Server.]

Monitor Mode matrix (everything permitted, traffic is only observed):

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Permit all          Permit all           Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Permit all          Permit all           Permit all

Enforcement matrix once classification and flows are validated:

SRC \ DST          PCI Server (2000)   Prod Server (1000)   Dev Server (1010)
Employees (100)    Deny all            Deny all             Permit all
PCI User (105)     Permit all          Permit all           Permit all
Unknown (0)        Deny all            Deny all             Permit all

Cisco IOS Switches: ISE and 'Network Device' transact securely using PAC keys

[Diagram: the IOS switch and ISE exchange over a RADIUS EAP-FAST Channel, which then carries the Environmental Data and the TrustSec Egress Policy.]

Switch# cts credential id C6800-001 password cisco

The switch authenticates with Cisco ISE for the secure EAP-FAST channel.

Switch# show cts pacs
  AID: 3E465B9E3F4E012E6AD3159B403B5004
  PAC-Info:
    PAC-type = Cisco Trustsec
    AID: 3E465B9E3F4E012E6AD3159B403B5004
    I-ID: C6800-0001
    A-ID-Info: Identity Services Engine
    Credential Lifetime: 13:12:04 UTC Jan 12 2016
  PAC-Opaque:
    000200B800030001000400103E465B9E3F4E012E6AD3159B403B50040006009C
    000301008C3B32A200B23EF4A53D9DF79A6E4B2600000013555D348600093A80
    8273497B5BB779165C75E75DDF4619CB3D4AD755949603F5488C5904CA27F13C
    6FB45F333209915DCCED288FF304F8517663FD49D2D2D3EBF664300E3FD66925
    A7DEB8C93570913A369280EB251091D92D90FEDA7BBD1148C7CCA8D018011F00
    9A5548286430573F854DD3C9231476EE32E47B7AB7075372051BB3FD
  Refresh timer is set for 12w4d

RADIUS PAC* keys are pushed by ISE. The switch uses them to talk to ISE securely.
*PAC: Protected Access Credential

Cisco IOS Switches: Environmental Data

Switch# show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Infra_SGT
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
  *Server: 10.1.1.222, port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Infra_SGT
  10-00:Employee_FullAccess
  20-00:Employee_BYOD
  30-00:Contractors
  100-00:PCI_Devices
  110-00:Web_Servers
  120-00:Mail_Servers
  255-00:Unregist_Dev_SGT
Environment Data Lifetime = 86400 secs
Last update time = 21:57:24 UTC Thu Feb 4 2016
Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running

The Security Group Name Table on the switch is the one defined in ISE.
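A health check over this output, as an added example (not from the slides or from Cisco): it parses a constructed copy of the `show cts environment-data` text above and turns it into the findings an operations team would page on, in particular the `Status = DEAD` ISE server, which matters because the critical-authentication fallback discussed under the global CTS configuration is what keeps policy working while no server is reachable, and `Cache data applied = NONE` shows no cached policy is in use. Thresholds and the ALIVE/DEAD status words are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed copy of the 'show cts environment-data' output on the slide
SAMPLE_ENV_DATA = """\
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Infra_SGT
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
  *Server: 10.1.1.222, port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
          Status = DEAD
          auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Infra_SGT
  10-00:Employee_FullAccess
  20-00:Employee_BYOD
  30-00:Contractors
  100-00:PCI_Devices
  110-00:Web_Servers
  120-00:Mail_Servers
  255-00:Unregist_Dev_SGT
Environment Data Lifetime = 86400 secs
Last update time = 21:57:24 UTC Thu Feb 4 2016
Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
"""

SERVER_RE = re.compile(r"\*?Server:\s+(?P<ip>[\d.]+),\s+port\s+(?P<port>\d+)")
STATUS_RE = re.compile(r"Status\s*=\s*(?P<status>\w+)")
SGT_NAME_RE = re.compile(r"^\s*(?P<sgt>\d+)-\d+:(?P<name>\S+)$")
EXPIRES_RE = re.compile(r"Env-data expires in (\d+):(\d+):(\d+):(\d+)")


def parse_env_data(text: str) -> Dict:
    """Extract state, server list with status, SGT name table and expiry (in seconds)."""
    env = {"state": None, "servers": [], "sgt_names": {}, "expires_in": None,
           "lifetime": None, "cache_applied": None}
    in_names = False
    for line in text.splitlines():
        if line.startswith("Current state"):
            env["state"] = line.split("=", 1)[1].strip()
        elif line.startswith("Environment Data Lifetime"):
            env["lifetime"] = int(re.search(r"(\d+) secs", line).group(1))
        elif line.startswith("Cache data applied"):
            env["cache_applied"] = line.split("=", 1)[1].strip()
        elif (m := SERVER_RE.search(line)):
            env["servers"].append({"ip": m["ip"], "port": int(m["port"]), "status": None})
        elif (m := STATUS_RE.search(line)) and env["servers"]:
            env["servers"][-1]["status"] = m["status"]   # belongs to the last server seen
        elif (m := EXPIRES_RE.search(line)):
            d, h, mi, s = (int(x) for x in m.groups())
            env["expires_in"] = ((d * 24 + h) * 60 + mi) * 60 + s
        if line.startswith("Security Group Name Table"):
            in_names = True
            continue
        if in_names:
            m = SGT_NAME_RE.match(line)
            if m:
                env["sgt_names"][int(m["sgt"])] = m["name"]
            else:
                in_names = False   # first non-name line ends the table
    return env


def assess(env: Dict, warn_below_secs: int = 3600) -> List[str]:
    """Findings worth alerting on; an empty list means the device looks healthy."""
    findings = []
    if env["state"] != "COMPLETE":
        findings.append(f"environment data state is {env['state']}, not COMPLETE")
    dead = [s["ip"] for s in env["servers"] if s["status"] != "ALIVE"]
    if dead:
        findings.append("ISE server(s) not ALIVE: " + ", ".join(dead))
    if env["servers"] and len(dead) == len(env["servers"]):
        findings.append("no reachable ISE server: policy refresh depends on critical-auth "
                        f"fallback (cache data applied = {env['cache_applied']})")
    if env["expires_in"] is not None and env["expires_in"] < warn_below_secs:
        findings.append(f"environment data expires in {env['expires_in']} s")
    if 0 not in env["sgt_names"]:
        findings.append("Unknown SGT (0) missing from the name table")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_env_data(SAMPLE_ENV_DATA)):
        print("WARNING:", finding)
```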


Cisco IOS Switches: the IOS switch as enforcer ('cts role-based enforcement')

Switch# show cts rbacl Permit_Email_Traffic
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4
  name   = Permit_Email_Traffic-40
  IP protocol version = IPV4
  refcnt = 1
  flag   = 0x40000000
  stale  = FALSE
  RBACL ACEs:
    permit tcp dst eq 110
    permit tcp dst eq 143
    permit tcp dst eq 25
    permit tcp dst eq 465
    permit tcp dst eq 585
    permit tcp dst eq 993
    permit tcp dst eq 995
    deny all log

Switch# show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
...
IPv4 Role-based permissions from group 10:Employee_FullAccess to group 10:Employee_FullAccess:
        Malware_Contol_ACL-10
IPv4 Role-based permissions from group 10:Employee_FullAccess to group 30:Contractors:
        Cisco_Jabber_Access-10
IPv4 Role-based permissions from group 30:Contractors to group 10:Employee_FullAccess:
        Cisco_Jabber_Access-10
IPv4 Role-based permissions from group 30:Contractors to group 120:Mail_Servers:
        Permit_Email_Traffic
...
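The egress decision these two outputs drive, as an added example that is not from the slides or from Cisco: the permissions matrix maps a (source SGT, destination SGT) pair to an RBACL, the RBACL is walked top-down and the first matching ACE decides, and a pair with no entry falls to the default (`Permit IP` above). `Permit_Email_Traffic` is taken verbatim from the slide; the ACEs of `Malware_Control_ACL` and `Cisco_Jabber_Access` are constructed for the example, as is the rule that an RBACL with no matching ACE falls back to the policy default.

```python
from typing import Dict, List, Tuple

# Security group names from the 'show cts environment-data' output on the slides
SGT_NAMES = {0: "Unknown", 10: "Employee_FullAccess", 30: "Contractors", 120: "Mail_Servers"}

# RBACLs: Permit_Email_Traffic is the one printed by 'show cts rbacl'; the other two
# are constructed here (the slide only names them in the permissions list)
RBACLS: Dict[str, List[str]] = {
    "Permit_Email_Traffic": [
        "permit tcp dst eq 110", "permit tcp dst eq 143", "permit tcp dst eq 25",
        "permit tcp dst eq 465", "permit tcp dst eq 585", "permit tcp dst eq 993",
        "permit tcp dst eq 995", "deny all log",
    ],
    "Malware_Control_ACL": ["deny tcp dst eq 445 log", "deny tcp dst eq 3389 log", "permit ip"],
    "Cisco_Jabber_Access": ["permit tcp dst eq 5222", "permit udp", "deny all log"],
}

# Egress policy: (source SGT, destination SGT) -> RBACL, as in 'show cts role-based permissions'
PERMISSIONS: Dict[Tuple[int, int], str] = {
    (10, 10): "Malware_Control_ACL",
    (10, 30): "Cisco_Jabber_Access",
    (30, 10): "Cisco_Jabber_Access",
    (30, 120): "Permit_Email_Traffic",
}
DEFAULT_ACTION = "permit"  # 'IPv4 Role-based permissions default: Permit IP-00'


def parse_ace(ace: str) -> Dict:
    """Parse the ACE subset SGACLs use: action proto [src|dst eq PORT] [log]."""
    words = ace.split()
    entry = {"action": words[0], "proto": words[1], "port": None, "which": None,
             "log": words[-1] == "log"}
    if "eq" in words:
        i = words.index("eq")
        entry["which"], entry["port"] = words[i - 1], int(words[i + 1])
    return entry


def match_ace(entry: Dict, proto: str, sport: int, dport: int) -> bool:
    if entry["proto"] not in ("all", "ip", proto):
        return False
    if entry["port"] is None:
        return True
    return (dport if entry["which"] == "dst" else sport) == entry["port"]


def evaluate(src_sgt: int, dst_sgt: int, proto: str, sport: int, dport: int) -> Tuple[str, str, bool]:
    """Return (action, acl_name, logged) for one flow, as the egress switch would decide."""
    acl_name = PERMISSIONS.get((src_sgt, dst_sgt))
    if acl_name is None:
        return DEFAULT_ACTION, "default", False
    for ace in RBACLS[acl_name]:
        entry = parse_ace(ace)
        if match_ace(entry, proto, sport, dport):
            return entry["action"], acl_name, entry["log"]
    return DEFAULT_ACTION, acl_name, False  # no ACE matched: policy default (assumption)


if __name__ == "__main__":
    for flow in ((30, 120, "tcp", 40000, 25), (30, 120, "tcp", 40000, 22), (10, 10, "tcp", 1234, 445)):
        action, acl, logged = evaluate(*flow)
        print(f"{SGT_NAMES[flow[0]]} -> {SGT_NAMES[flow[1]]} {flow[2]}/{flow[4]}: "
              f"{action} by {acl}{' (logged)' if logged else ''}")
```

The `deny all log` at the end of `Permit_Email_Traffic` is what makes the enforcement visible: every contractor attempt at a non-mail port on a mail server produces a log entry the SOC can correlate with the SGT name table.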


Wireless: AireOS Controllers*

* Supported on all Wireless Controllers except 7500 & vWLC

[Diagram: Cisco ISE assigns the SGT to the wireless client on the 5520 controller; the controller is the SXP Speaker and a Switch / FW is the SXP Listener, which holds the Sources × Destinations SGACL matrix.]

• No SG based enforcement locally on the controller. IP-SGT is sent over SXP to the enforcers / aggregators
• SXP Listener: Switch / Firewall
• SXP Speaker: Wireless Controller


Routers: Overview of TrustSec support on routers

Classification (no dynamic classification option):
• IP-to-SGT
• Subnet-to-SGT
• L3IF-to-SGT

Propagation (multiple options):
• SXP
• Inline methods:
  – SGT over Ethernet
  – IPSec
  – DMVPN
  – GETVPN
  – EIGRP OTP / LISP

Enforcement:
• Zone based Firewall (ZBFW)
• SGT based PBR (Policy Based Routing)
• SGT based QoS (Quality of Service)

Routers: One command to enable SGT transport over IPSec

crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
! ...........

'crypto ikev2 cts sgt' is the one command. The CTS infra CLI ('cts role-based sgt-map') is used to configure the IP->SGT mapping.

SGT in IPSec: Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.

Packet layout: IP header (Protocol Type = ESP) | ESP Header | IV | CMD | Original IP Header | Original IP Payload | Pad | Pad Length | Next Header | Authentication Tag

CMD contents: Next Header (IP), Len = 3, Version (0x1), Reserved; option Len (0x0), Type (1 = SGT), SGT Number (16 bits); option Len (0x1), Type (5 = PST), GETVPN Pseudo timestamp

ESP: Encapsulating Security Payload | AH: Authentication Header

Routers: 'cts sgt inline' enables SGT transport in DMVPN sessions

Hub and Spokes:

!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
cts sgt inline
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!

CTS infrastructure CLI to configure static IP to SGT bindings:

cts role-based sgt-map 10.10.10.1 sgt 150
cts role-based sgt-map 10.10.10.2 sgt 200

Router# show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
10.1.1.99  RE  NBMA Address: 1.1.1.99  priority = 0  cluster = 0  req-sent 44  req-failed 0  repl-recv 43  (00:01:37 ago)
TrustSec Enabled

Routers: Enable tagging in the GETVPN KS, run v1.0.5 or later on members

Key Server (KS):

crypto gdoi group GDOI
 identity number 12345
 server local
  sa ipsec 2
   no tag
   match address ipv4 ACL_GETVPN_NO_SGT
  sa ipsec 1
   tag cts sgt
   match address ipv4 ACL_GETVPN_SGT

Group Members: if the KS is configured for tagging, Group Members must register using GETVPN software version 1.0.5 or higher to be accepted.

Router# show crypto gdoi feature cts-sgt
Group Name: GETVPN
    Key Server ID       Version   Feature Supported
        10.0.5.2        1.0.5     Yes
        10.0.6.2        1.0.5     Yes
    Group Member ID     Version   Feature Supported
        10.0.1.2        1.0.2     No
        10.0.2.5        1.0.3     No
        10.0.3.1        1.0.5     Yes
        10.0.3.2        1.0.5     Yes

CTS infrastructure CLI to configure static IP to SGT bindings:

cts role-based sgt-map 10.10.10.1 sgt 150
cts role-based sgt-map 10.10.10.2 sgt 200

Routers: Zone Based Firewall

class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
class-map type inspect match-any emp-services
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol ssh
...

SGT is a source criterion only in the ISR FW; Source or Destination in the ASR 1000.
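How the nested class-maps above resolve, as an added example (not from the slides or from Cisco): a parser for the `class-map type inspect` lines exactly as printed, and an evaluator that applies `match-any` at the leaves and `match-all` at the combining class, so `partner-class` only fires when the source SGT is 2001/2002/2003 and the protocol is http, icmp or ssh. The policy-map order (`partner-class` before `guest-class`) and the treatment of an unmatched flow as class-default are assumptions of this example; `match security-group destination tag` is parsed too, which the slide says only the ASR 1000 accepts.

```python
from typing import Dict, List, Optional, Tuple

# The class-maps as printed on the slide (the emp-services tail is cut off there)
ZBFW_CONFIG = """\
class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
"""

ClassMap = Tuple[str, List[Tuple[str, str]]]  # (match-any|match-all, [(kind, value), ...])


def parse_class_maps(config: str) -> Dict[str, ClassMap]:
    """Read 'class-map type inspect <mode> <name>' blocks and their match lines."""
    maps: Dict[str, ClassMap] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "class-map":
            current = words[-1]
            maps[current] = (words[-2], [])
        elif words[0] == "match" and current:
            if words[1] == "protocol":
                maps[current][1].append(("protocol", words[2]))
            elif words[1] == "security-group":
                # words[2] is 'source' (ISR and ASR) or 'destination' (ASR 1000 only)
                maps[current][1].append((f"sgt-{words[2]}", words[4]))
            elif words[1] == "class-map":
                maps[current][1].append(("class-map", words[2]))
    return maps


def matches(maps: Dict[str, ClassMap], name: str, flow: Dict) -> bool:
    """match-all requires every criterion, match-any needs one; class-map criteria recurse."""
    mode, criteria = maps[name]
    results = []
    for kind, value in criteria:
        if kind == "protocol":
            results.append(flow["protocol"] == value)
        elif kind == "sgt-source":
            results.append(flow["src_sgt"] == int(value))
        elif kind == "sgt-destination":
            results.append(flow.get("dst_sgt") == int(value))
        elif kind == "class-map":
            results.append(matches(maps, value, flow))
    return all(results) if mode == "match-all" else any(results)


def classify(maps: Dict[str, ClassMap], order: List[str], flow: Dict) -> Optional[str]:
    """First class in policy-map order that matches; None stands for class-default."""
    for name in order:
        if matches(maps, name, flow):
            return name
    return None


if __name__ == "__main__":
    cmaps = parse_class_maps(ZBFW_CONFIG)
    policy_order = ["partner-class", "guest-class"]   # assumed policy-map order
    for flow in ({"protocol": "ssh", "src_sgt": 2002}, {"protocol": "ftp", "src_sgt": 2002},
                 {"protocol": "http", "src_sgt": 5555}, {"protocol": "ssh", "src_sgt": 5555}):
        print(flow, "->", classify(cmaps, policy_order, flow) or "class-default")
```

The value of the match-all wrapper is that the SGT and the protocol list are evaluated together: a guest host (5555) using ssh matches neither class, so it never reaches the inspect action attached to `guest-class`.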


Routers: Path selection based on SGT

• SGT-based VRF Selection: segment traffic to different VRFs based on context
• Policy-based Routing based on SGT

Security Example: redirect traffic from malware-infected hosts
• Contain threats
• Pass traffic through centralised analysis and inspection functions

Other Example: map different user groups to different WAN services

[Diagram: User A (Employee), User B (Suspicious) and User C (Guest) on Network A; the Router / Firewall steers the Suspicious user through an Inspection Router and the Guest into VRF-GUEST before the Enterprise WAN.]

Available Today: Cisco IOS XE Release 3.16S (ASR 1000) as well as ASA5500-X (9.5.1)

route-map SG_PBR permit 10
 match security-group source tag 100
 set ip next-hop 172.20.100.2
route-map SG_PBR permit 20
 match security-group destination tag 150
 set ip next-hop 172.20.101.2

Routers: Quality of Service for SGTs

• Different user groups can be offered different Quality of Service (QoS)
• Critical applications get priority treatment; the non-critical class gets lower bandwidth

[Diagram: Employee (10) traffic from Network A crosses the Router / Firewall towards CriticalServers (100) and NonCritical (254) applications over the Enterprise WAN.]

Available Today: Cisco ISR 4K and ASR 1K with 3.17S or later

class-map employee-non_critical
 match security-group source tag 10
 match security-group destination tag 254
!
class-map employee-critical
 match security-group source tag 10
 match security-group destination tag 100
!
policy-map sg_qos
 class employee-critical
  priority percent 50
 class employee-non_critical
  bandwidth percent 25
  set dscp ef

Same policy structure for Data Centres: TrustSec on NX-OS and IOS are alike

[Diagram: Data Centre with Web Servers, Middleware Servers, Database Servers (LOB1 DB, LOB2 DB, PCI DB, Finance DB) and Storage, towards Enterprise / WAN.]

Nexus(config)# feature cts
Nexus(config)# feature dot1x
Nexus(config)# cts device-id N7K-DST1 password cisco

'cts credentials' are defined in global config, unlike in Exec mode in IOS.

CoA for Environment-Data and SGACL download from NX-OS version 7.2*
*Earlier pushed through the cts refresh CLI over SSH, now CoA. More details here: http://bit.ly/nxos-7-2-RN

Nexus(config)# int e1/30
Nexus(config-if)# cts manual
Nexus(config-if-cts-manual)# policy static sgt 0X3
Nexus(config-if-cts-manual)# no propagate-sgt

Disable SGT propagation on ports connecting to physical servers.

• SXP v1 only (IPv4-to-SGT, no loop detection)
• Nexus 5000/6000: Port-to-SGT classification only
• Nexus 9000 doesn't support SGTs today

ISE 2.1: 'TrustSec ACI Policy Plane Integration'

[Figure: TrustSec Policy Domain (User, Switch, Router, Router / Firewall) joined to the ACI Policy Domain (Nexus 9000 spine / leaf, Nexus 3000, Server) across the WAN (GETVPN, DMVPN, IPSEC); SGT carried over Ethernet, IPSec / DMVPN / GETVPN / SXP; classification at the edge]

• ISE creates matching Security Groups and Endpoint Groups
• ISE exchanges IP-SGT/EPG 'Name bindings' with Cisco APIC-DC
• IP-Security Group bindings exchanged with network
• IP-ClassId, VNI bindings

Cisco ISE 2.1 (Security Groups) <-> Cisco APIC-DC (End Point Groups)

APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure

Security Group - EPG exchange

• Cisco ISE 2.1: Security Groups and IP bindings
• Cisco APIC-DC: End Point Groups (EPG) and IP bindings

More on ACI Security:
• BRKACI-2504 - Cisco Security on ACI
• BRKACI-1003 - Introduction to ACI for Security Admins

TrustSec traffic monitoring in StealthWatch

• Highly scalable (enterprise class) collection
• High compression long term storage
• Months of data retention

NetFlow already answers When, Who, Where and What; the Security Group adds more context to 'Who':

flow record my-flow-record
 ...
 match flow cts source group-tag
 match flow cts destination group-tag
 ...

Segmentation monitoring with StealthWatch

Custom event triggers on a traffic condition:
• Rule name and description
• SGT and DGT
• Trigger on traffic in both directions; successful or unsuccessful

More on StealthWatch: BRKSEC-2026: Network as a Sensor and Enforcer
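The custom event above, worked through in code. This is an added example, not code from the deck or from StealthWatch: a rule carries a name, description, SGT, DGT and a direction flag, and it fires on any flow between the two groups whether the flow completed or not. The flow export, the SGT values (0 = Unknown, 10 = Employee, 7 = Prod_Servers, 20 = PCI) and the "ACK seen means the flow succeeded" simplification are all constructed for the example; the sgt/dgt columns stand for the fields a flow record with the cts group-tag matches would export.

```python
"""Segmentation monitoring over SGT-aware NetFlow (added example; not the
deck's or StealthWatch's code).

Models the custom event on the slide: a rule names a source SGT and a
destination group tag (DGT) and fires on any flow between the two groups,
in both directions if asked, whether or not the flow succeeded. The export
below is constructed; its sgt/dgt columns stand for what a flow record with
'match flow cts source/destination group-tag' carries.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed flow export (not real data). Assumed tags: 0 = Unknown,
# 10 = Employee, 7 = Prod_Servers, 20 = PCI.
SAMPLE_EXPORT = """\
start,src_ip,dst_ip,proto,dport,sgt,dgt,packets,tcp_flags
09:00:01,10.200.1.5,10.4.150.33,tcp,443,10,7,120,SA
09:00:04,10.200.1.5,10.200.1.9,tcp,445,10,10,1,S
09:00:07,10.200.1.9,10.200.1.5,tcp,445,10,10,1,S
09:01:10,10.7.0.21,10.50.0.10,tcp,1433,0,20,3,S
09:01:30,10.50.0.10,10.7.0.21,tcp,52000,20,0,2,SA
09:02:00,10.200.1.5,10.50.0.10,tcp,443,10,20,1,S
"""

@dataclass(frozen=True)
class Flow:
    start: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    sgt: int
    dgt: int
    packets: int
    tcp_flags: str

    @property
    def succeeded(self) -> bool:
        # Simplification: an ACK in the flags means the handshake completed;
        # a lone SYN is an attempt that was dropped or refused.
        return "A" in self.tcp_flags

@dataclass(frozen=True)
class Rule:
    """StealthWatch-style custom event: name, description, SGT, DGT, direction."""
    name: str
    description: str
    sgt: int
    dgt: int
    both_directions: bool = True
    dport: Optional[int] = None  # optional narrowing; None = any port

    def matches(self, flow: Flow) -> bool:
        forward = flow.sgt == self.sgt and flow.dgt == self.dgt
        reverse = self.both_directions and flow.sgt == self.dgt and flow.dgt == self.sgt
        if not (forward or reverse):
            return False
        # "Successful or unsuccessful": packet counts and flags never gate the trigger.
        return self.dport is None or flow.dport == self.dport

def parse_export(text: str) -> list:
    return [Flow(r["start"], r["src_ip"], r["dst_ip"], r["proto"], int(r["dport"]),
                 int(r["sgt"]), int(r["dgt"]), int(r["packets"]), r["tcp_flags"])
            for r in csv.DictReader(io.StringIO(text))]

def find_events(rules, flows) -> list:
    """Every (rule name, flow) pair for which the rule's condition holds."""
    return [(rule.name, f) for f in flows for rule in rules if rule.matches(f)]

def pair_summary(flows) -> dict:
    """Per (SGT, DGT) pair: flow count, packets, and flows that never completed."""
    out = defaultdict(lambda: {"flows": 0, "packets": 0, "unsuccessful": 0})
    for f in flows:
        s = out[(f.sgt, f.dgt)]
        s["flows"] += 1
        s["packets"] += f.packets
        s["unsuccessful"] += 0 if f.succeeded else 1
    return dict(out)

RULES = [
    Rule("Untrusted-to-PCI", "Any traffic between Unknown (0) and PCI (20)", sgt=0, dgt=20),
    Rule("Workstation-SMB", "Employee-to-employee SMB, the lateral path", sgt=10, dgt=10, dport=445),
    Rule("Employee-to-PCI", "Employees reaching into PCI scope", sgt=10, dgt=20, both_directions=False),
]

if __name__ == "__main__":
    flows = parse_export(SAMPLE_EXPORT)
    for name, f in find_events(RULES, flows):
        state = "completed" if f.succeeded else "blocked/unanswered"
        print(f"{f.start} {name}: {f.src_ip} (SGT {f.sgt}) -> {f.dst_ip} (DGT {f.dgt}) {f.proto}/{f.dport} {state}")
    for pair, s in sorted(pair_summary(flows).items()):
        print(pair, s)
```

The unsuccessful flows are the interesting ones for segmentation monitoring: a SYN from an Unknown-tagged host towards PCI that never got an ACK tells you the SGACL did its job and that something untagged is probing, which is exactly the "successful or unsuccessful" setting on the slide.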

Use Cases & Deployment Scenarios (WHY TrustSec)

Agenda: Start | Network Segmentation | TrustSec Deep-dive | Deploying TrustSec | Use-cases & Scenarios | Key Take-aways

TrustSec means efficiency: Large Campus Wireless Deployment

• Large Electronics Device Manufacturing Company deploying Secure Wi-Fi
• ACL needs to scale to more than 64 lines of ACL (>1,500)
• TrustSec solution within C6k chassis
  • WiSM2 aggregates AP traffic
  • Policy enforcement on Sup2T based on SGT
  • Destination SGT values defined by IP & Subnet
• Reduced IOS static ACL; policy managed using the Egress Matrix
• e.g. about 500 lines of ACL allowing HTTPS is now supported by a single line of SGACL:
  permit tcp dst eq 443

[Figure: Cat6500 VSS System (Sup2T + WiSM2) in Campus C and Campus D; Access Points over CAPWAP Tunnel; SXP to ISE in the Data Centre; Branch Office and Internet reached via the Corporate Network]

Destination SGT values defined by subnet:
10.4.150.0/24 = SGT 7
16.34.22.0/24 = SGT 10
10.5.1.0/24 = SGT 22
10.39.22.0/24 = SGT 6
10.0.0.0/8 = SGT 100

Source SGTs: SGT 3: Full Access (Compliant Corporate Asset); SGT 2: Limited Access (Non-Compliant Mobile Device)

SGACLs optimise TCAM Utilisation: SGACL download only for known destinations

[Figure: segmentation defined in ISE as an egress matrix (source SGT 3, 4 and 5 against Prod_Servers (7) and Dev_Servers (8)); of the enforcement switches, the one with a Dev_Server (SGT=7) attached says "I know SGT-7, is there a policy for it?" and then "I pulled policies to protect SGT-7", while the others report "I have nothing to protect"]

interface ethernet 2/1
 cts manual
  policy static sgt 0x7
  no propagate-sgt

• Switches pull down only the policies they need
• TrustSec switches request policies for the assets they protect
• Policies downloaded & applied dynamically
• Result = Software Defined Segmentation

Handling acquisitions / mergers or disinvestments: Cisco on Cisco Case Study

Secure, economical way to integrate or segment networks

"Technicolor has acquired Cisco's Connected Devices business"

Initiative: To divest assets including employees and properties to Technicolor

Objective: To create logical separation on network infrastructure and provide secure resource access in shared workspace

Solution: TrustSec segmentation based on user authentication in selected offices (Shanghai and Lawrenceville Offices)

Global ISE deployment

[Figure: Cisco Users and Technicolor Users in the Shanghai and Lawrenceville offices accessing Cisco Internal, Technicolor and Shared Resources]

For details read: http://bit.ly/cisco-it-technicolor

Egress matrix (rows: Source SGT, columns: Destination SGT):

Source SGT     Cisco Internal   Technicolor   Shared
Cisco          Permit           Permit        Permit
Technicolor    Deny             Permit        Permit
Auth-Fail      Deny             Deny          Permit
Untrusted      Deny             Deny          Permit

Limiting workstation-to-workstation communication: NSA, "Defending Against Destructive Malware", https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf

Control lateral access with TrustSec

[Figure: BYOD Device on the Wireless Segment (AP) and PC on the Wired Segment, both carrying the Employee Tag, behind the Access Switch and Distribution Switch]

The lateral movement the policy stops: 1. Scan for open ports / OS, 2. Exploit vulnerability, Pwned PC

Anti-Malware-ACL (SGACL applied to the Employee Tag):
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123

Sample ACEs to block PtH (SMB over TCP) used for privilege escalation (PtH: Pass-the-Hash)

SGACL Policy
• Replaces Private Isolated / Community VLAN functionality with centrally provisioned policy
• Supports mobile devices (with DHCP address). Statically defined ACL cannot support the same level of policy
• No other competitor can support this type of use case

Effective East-West Traffic control at the Enterprise access

Before: An SSID & VLAN per vendor

Segmenting Vendors, Guests, Employees and PCI devices in Retail Stores (LOB: Line of Business)

Customer Concerns
• Employees, PCI devices, Vendors & Guests in branch needing segmentation.
• Each segment today is a VLAN and / or an SSID.
• Provisioning and decommissioning vendors is a tedious task

[Figure: Store with a separate SSID / VLAN each for Guest, BYOD, Vendor-1, Vendor-2, Vendor-3 ... Vendor-N, Store PCI and Demo; WLC; ISR w/ ZBFW and VRFs towards the WAN, Data Centre Servers and Internet]

* Additional VLAN/VRFs for Voice, Print, AP, etc. not shown in the picture

After: One SSID and one VLAN for vendors

Segmenting Vendors, Guests, Employees and PCI devices in Retail Stores (LOB: Line of Business)

TrustSec Solution
• Cisco ISE authorises each endpoint with SGT and pushes SGACL to the Branch CA* Switch (*Converged Access)
• One network for all Vendors, but each vendor is segmented with TrustSec
• Fewer VLANs & SSIDs to manage. Provisioning / retiring vendors is now EASY!

[Figure: Store with Guest, BYOD, Vendors, Store PCI and Demo segments, each authenticated and authorised by ISE; ISR w/ ZBFW and VRFs towards the WAN, Data Centre Servers and Internet; Cisco ISE backed by AD Employee Accounts and Vendor & Guest Accounts]

* Additional VLAN/VRFs for Voice, Print, AP, etc. not shown in the picture

University controls IPv4 and IPv6 clients uniformly

Carry forward the policies as you transition the network from IPv4 to IPv6. TrustSec is about tags!

• IPv6 to SGT bindings over SXP support from 15.2(3)E / 03.06.00E
• Both IPv4 and IPv6 endpoints can co-exist today and be access-controlled uniformly

CTS-C6500#show cts role-based sgt-map all ipv6
Active IP-SGT Bindings Information

IP Address                              SGT   Source
========================================================
2001:DB8:100::1                         2     INTERNAL
2001:DB8:100:0:7CB0:3B1D:2F77:16A6      3     SXP
2001:DB8:200:0:9112:EB74:784F:E88B      4     SXP
2001:DB8:252::100                       2     INTERNAL
2001:DB8:254::10                        9     CLI
2001:DB8:254::12                        7     CLI

[Figure: IPv4 and IPv6 endpoints (authenticated and authorised by ISE) on Cat3K/4K access switches enforcing SGACLs; IPv6 to SGT binding over SXP (15.2(2)E / 3.6.0E) towards the C6500/6800 Enterprise Backbone; Data Centre Servers; Cisco ISE]
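Three slides in this section describe the same decision from different angles: the wireless deployment's one-line SGACL that replaces hundreds of IP ACEs, the lateral-access slide's Anti-Malware-ACL applied between Employee endpoints, and this slide's IPv4 and IPv6 endpoints controlled by one tag-based policy. The following is an added example, not Cisco's or the deck's code, that models an enforcement point end to end: IP/subnet-to-SGT bindings with longest-prefix match over both address families, an egress matrix keyed by (source SGT, destination SGT), and SGACL evaluation in the slides' ACE syntax. The binding table, the SGT meanings (10 = Employee, 7 = Prod_Servers, 20 = PCI, 100 = corporate catch-all), the trailing 'permit ip' on the Anti-Malware-ACL and the permit default for empty matrix cells are this example's assumptions.

```python
"""SGACL egress-matrix evaluator (added example; not Cisco's or the deck's code).

With constructed data it shows the decision a TrustSec enforcement point makes:
  1. classify source and destination address to an SGT from IP/subnet-to-SGT
     bindings by longest-prefix match (IPv4 and IPv6 share one table),
  2. pick the (source SGT, destination SGT) cell of the egress matrix,
  3. walk that cell's SGACL in order: first match wins, no match = deny.
ACEs use the slides' SGACL form, e.g. 'deny tcp src dst eq 445'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the slide's ACEs
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

# Constructed binding table, same shape as the wireless slide's "subnet = SGT"
# list and the IPv6 sgt-map output. Assumed meanings: 10 = Employee,
# 7 = Prod_Servers, 20 = PCI, 100 = corporate catch-all.
BINDINGS = [
    ("10.0.0.0/8", 100), ("10.4.150.0/24", 7), ("10.5.1.0/24", 22),
    ("10.39.22.0/24", 6), ("10.200.0.0/16", 10), ("10.50.0.0/24", 20),
    ("2001:db8:100::/64", 3), ("2001:db8:254::10/128", 9),
]
SGT_UNKNOWN = 0  # TrustSec reserves 0 for unknown / untagged traffic

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" | "deny"
    proto: str            # "ip" | "tcp" | "udp" | "icmp"
    dport: Optional[int]  # None = any destination port

def parse_ace(line: str) -> Ace:
    """Parse 'deny tcp src dst eq 445', 'permit tcp dst eq 443' or 'permit ip'."""
    tok = line.split()
    if len(tok) < 2 or tok[0] not in ("permit", "deny") or tok[1] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    dport = None
    if "eq" in tok:
        port = tok[tok.index("eq") + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(tok[0], tok[1], dport)

def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.strip().splitlines() if line.strip()]

def sgt_for(ip: str, bindings=BINDINGS) -> int:
    """Longest-prefix match; an address with no binding is SGT 0 (Unknown)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, sgt in bindings:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, sgt)
    return best[1] if best else SGT_UNKNOWN

def evaluate(acl, proto: str, dport: Optional[int]) -> str:
    """First ACE whose protocol and port match decides; implicit deny otherwise."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

# The lateral-access slide's Anti-Malware-ACL (subset). The trailing 'permit ip'
# is this example's assumption: it lets every other employee flow through.
ANTI_MALWARE_ACL = parse_acl("""
deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 445
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq 22
permit ip
""")

# Constructed egress matrix: (source SGT, destination SGT) -> SGACL
MATRIX = {
    (10, 10): ANTI_MALWARE_ACL,                   # east-west control
    (10, 7): parse_acl("permit tcp dst eq 443"),  # the one-line HTTPS SGACL
    (10, 20): parse_acl("deny ip"),               # employees stay out of PCI scope
}
DEFAULT_ACL = parse_acl("permit ip")  # cell with no policy: permit (assumed default)

def decide(src_sgt: int, dst_sgt: int, proto: str, dport: Optional[int] = None) -> str:
    return evaluate(MATRIX.get((src_sgt, dst_sgt), DEFAULT_ACL), proto, dport)

def decide_flow(src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> str:
    """IPv4 and IPv6 endpoints go through the same tag-based policy."""
    return decide(sgt_for(src_ip), sgt_for(dst_ip), proto, dport)
```

Note what the matrix does not contain: no addresses. Renumbering a subnet or moving a server to IPv6 only changes BINDINGS, and the (10, 7) cell still reads 'permit tcp dst eq 443' whether the destinations behind SGT 7 are one /24 or a few hundred prefixes, which is the reduction from about 500 IP-based lines to one SGACL line that the wireless slide reports.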

TrustSec reduces 'Operational Costs'

Forrester Report on 'Total Economic Impact of TrustSec': http://bit.ly/ts-forrester-report

"Cisco TrustSec enabled the organisations interviewed to reduce operational costs by avoiding additional IT headcount, deploy new environments faster, and implement consistent and effective network segmentation resulting in lower downtime."

Push and enforce model

• SGACL Policy CoA (Change of Authorisation) to push a policy change from ISE to the appropriate devices
• Currently supported on IOS Switch / Wireless controllers and NXOS 7.2 and later.

[Figure: ISE sends CoA to the Campus Network and across the WAN]

TrustSec for PCI scope reduction

[Figure: Store ABC with POS devices and an Employee Workstation on Floor 1 SW / Floor 2 SW, across the Backbone to the Data Centre (DC FW, PCI DB, Common Servers, ISE); the PCI Scope is drawn around the POS devices, the PCI DB and the ASA Firewall Policy]

Authorisation with Security Group (Access Privilege):

Employee Workstation: OS Type: Windows 8; User: John; AD Group: Floor Staff; Device Group: Nurse Workstation; Security Group = Employee

POS: OS Type: Windows 7 Embedded; User: George; AD Group: Point-of-Sales Admin; Device Group: POS; Security Group = PCI Device

ASA Firewall Policy enforces on the Security Group at the edge of the PCI Scope

Verizon certifies TrustSec for PCI segmentation: http://bit.ly/pci-trustsec-report

Key Takeaways (WHEN to do TrustSec? – NOW!)

Tom's Segmentation Challenge

access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780
access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611
access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606
access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005
access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199
access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782

The same intent as a TrustSec egress matrix (rows: source, columns: destination):

Source        PCI        Web          Employee             Contractor
Employee      Deny All   Permit All   Anti-Malware-ACL     Cisco-Jabber-Access
Contractor    Deny All   Permit All   Cisco-Jabber-Access  Permit All
BYOD          Deny All   Permit All   Anti-Malware-ACL     Permit All

Tom is happy with Cisco TrustSec

Tom manages the network for ABC Corp

Various segmentation needs: Line of Business, BYOD, Compliance, IPv6, Employees, Contractors, Vendors, Guests, PCI Devices, across Campus and Branch

VLANs (Campus / Branch):
• Extend segments over Layer 3 boundaries
• Complex IP based policies
• Need updates as topology changes
• Retain policies as network transitions to IPv6

TrustSec SGTs (Campus / Branch):
• Remember, TrustSec is about 'tag's not IP!
• TrustSec decouples segmentation from topology
• Simple tag based policies
• Policy automation leading to fewer updates

Gartner on TrustSec

"logical source and destination security groups are more flexible, are easier to maintain and reduce runtime overhead in the network's switching fabric."

"There is much to like about Cisco's ambitious and innovative initiative...."

"Cisco has made great strides in integrating support for the TrustSec framework across its product lines"

"Flexibility to Segregate Resources Without Physical Segmentation or Managing VLANs"

"Reduction in ACL Maintenance, Complexity and Overhead"

http://blogs.cisco.com/security/gartners-perspective-on-cisco-trustsec

Make a Choice!

About 100 years after a crank was required to start a car, modern batteries can now start many cars using just a button.

Traditional Segmentation Methods vs. Segmenting using TrustSec

Visit www.cisco.com/go/trustsec and know more

Q & A

Complete Your Online Session Evaluation

Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com

Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations:
• Directly from your mobile device on the Cisco Live Mobile App
• By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
• Visit any Cisco Live Internet Station located throughout the venue

T-Shirts can be collected Friday 11 March at Registration

Thank you