Examining Cisco TrustSec
Natalie Timms [email protected]
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-2690 Cisco Public
Abstract
§ The session is targeted at network and security architects who want to know more about the TrustSec solution and use this information to help prepare for the CCIE Security Exam, where TrustSec is a component of the Exam Topics List (Blueprints).
Agenda
§ TrustSec SGT Overview
§ SGT Classification
§ SGT Propagation
§ Policy Enforcement
§ Putting the solution together - Simple TrustSec use case
§ Is it working? - Monitoring
§ Summary
TrustSec SGT Overview
Traditional Security Policy Maintenance (figure)
Steps: adding a destination object; adding a source object based on the location subnet; an ACL for each source subnet to each destination object:
permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP
Traditional ACL/FW rule: Source = site subnets (NY, SF, LA, SJC; e.g. NY = 10.2.34.0/24, 10.2.35.0/24, 10.2.36.0/24, 10.3.102.0/24, 10.3.152.0/24, 10.4.111.0/24, ...); Destination = Production Servers DC-MTV (SRV1), DC-MTV (SAP1), DC-RTP (SCM2) and DC-RTP (VDI).
TrustSec Security Policy Maintenance (figure)
Source SGTs: Employee (10), BYOD (200). Destination SGTs: Production_Servers (50), VDI (201).
Security Group Filtering:
Permit Employee to Production_Servers eq HTTPS
Permit Employee to Production_Servers eq SQL
Permit Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers eq SSH
Deny BYOD to VDI eq RDP
The same sites (NY, SF, LA, SJC) and servers (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI) are now grouped as Employee and BYOD sources and Production Servers and VDI Servers destinations.
Location- and IP-address-independent -> flexible policy application that also carries context.
TrustSec Concept
(Figure: users and devices are classified by ISE against the directory and receive an SGT, e.g. SGT 5; the SGT propagates with the traffic across switch, router, DC FW and DC switch to the enforcement point in front of the HR Servers and Fin Servers, which carry their own SGTs, e.g. SGT = 4 and SGT = 10.)
§ Classification of systems/users based on context (user role, device, location, access method)
§ The context-based classification propagates via a SGT
§ SGT used by firewalls, routers and switches to make intelligent forwarding or blocking decisions
SGT Classification
How a SGT is Assigned
(Figure: classification points along the path Campus Access -> Distribution -> Core -> Enterprise Backbone -> DC Core -> DC Dist. -> DC Access, with WLC, FW and hypervisor SW; example source 10.1.100.98.)
End user / endpoint is classified with an SGT
BYOD device is classified with an SGT
VLAN is mapped to an SGT
SVI interface is mapped to an SGT
Physical server is mapped to an SGT
Virtual machine is mapped to an SGT (hypervisor switch)
Classification Summary
Dynamic Classification (common classification for mobile devices):
• 802.1X Authentication
• MAC Auth Bypass
• Web Authentication
Static Classification (common classification for servers, topology-based policy, etc.):
• IP Address
• VLANs
• Subnets
• L2 Interface
• L3 Interface
• Virtual Port Profile
• Layer 2 Port Lookup
Either path results in an SGT for the endpoint.
ISE Dynamic SGT Assignments
Dynamic Classification Process in Detail
Participants: Supplicant, Switch / WLC, ISE (Layer 2 on the supplicant side, Layer 3 towards ISE).
1. Authentication: EAPoL transaction between supplicant and switch, carried to ISE as an EAP transaction inside a RADIUS transaction.
2. Authorisation: ISE policy evaluation returns the SGT in the RADIUS authorisation as cisco-av-pair=cts:security-group-tag=0005-01; the port goes from Authorised, SGT 0 to Authorised MAC: 00:00:00:AB:CD:EF, SGT = 5.
3. DHCP: the host gets lease 10.1.10.100/24; an ARP probe and IP Device Tracking create the binding 00:00:00:AB:CD:EF = 10.1.10.100/24, so traffic from that source is tagged SGT 5.
Make sure that IP Device Tracking is TURNED ON.
3560X#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address       Security Group   Source
=============================================
10.1.10.1        3:SGA_Device     INTERNAL
10.1.10.100      5:Employee       LOCAL
Static Classification
IOS CLI examples:
IP to SGT mapping: cts role-based sgt-map A.B.C.D sgt SGT_Value
VLAN to SGT mapping*: cts role-based sgt-map vlan-list VLAN sgt SGT_Value
Subnet to SGT mapping: cts role-based sgt-map A.B.C.D/nn sgt SGT_Value
L3 ID to Port Mapping**: (config-if-cts-manual)#policy dynamic identity name
L3IF to SGT mapping**: cts role-based sgt-map interface name sgt SGT_Value
L2IF to SGT mapping*: (config-if-cts-manual)#policy static sgt SGT_Value
* relies on IP Device Tracking; ** relies on route prefix snooping
SGT Migration Strategy – VLAN-SGT
(Figure: 3rd-party or legacy switches/APs authenticate users with 802.1X against ISE 1.1 over RADIUS and place them in VLANs; a trunk connection carries those VLANs to a Cat6500/Sup2T or 3K-X, where VLAN-SGT mapping classifies them:)
VLAN 10 -> Employee: SGT (10/000A)
VLAN 11 -> Contractor: SGT (11/000B)
IP Device Tracking (ARP/DHCP inspection) fills the binding table, which is propagated over SXP (e.g. to an N7K) and used for tagging:
MAC Address      Port   SGT      IP Address    VLAN
0050.56BC.14AE   Fa2/1  11/000B  11.11.11.11   11
0070.56BC.237B   Fa2/1  10/000B  10.1.10.100   10
Traffic from SRC 11.11.11.11 is tagged SGT (11/000B); traffic from SRC 10.1.10.100 is tagged SGT (10/000A).
* There are limits on the number of VLANs supported
Layer 3 Interface to SGT Mapping (L3IF-SGT) Sup2T introduced in 15.0(1)SY
(Figure: DC Access / Hypervisor SW / EOR, with the VSS pair facing Business Partners on g3/0/1 and Joint Ventures on g3/0/2; route updates for 17.1.1.0/24 arrive on g3/0/1, route updates for 43.1.1.0/24 and 49.1.1.0/24 arrive on g3/0/2.)
cts role-based sgt-map interface GigabitEthernet 3/0/1 sgt 8
cts role-based sgt-map interface GigabitEthernet 3/0/2 sgt 9
VSS-1#show cts role-based sgt-map all
Active IP-SGT Bindings Information
IP Address      SGT  Source
========================================
11.1.1.2        2    INTERNAL
12.1.1.2        2    INTERNAL
13.1.1.2        2    INTERNAL
17.1.1.0/24     8    L3IF
43.1.1.0/24     9    L3IF
49.1.1.0/24     9    L3IF
§ Route Prefix Monitoring on a specific Layer 3 Port mapping to a SGT
§ Can apply to Layer 3 interfaces regardless of the underlying physical interface: – Routed port, SVI (VLAN interface), Tunnel interface
Nexus 1000V 2.1 – SGT Assignment
§ Port Profiles assigned to VMs
SGT Classification – Binding Source Priority
The current priority enforcement order, from lowest (1) to highest (7), is as follows:
1. VLAN—Bindings learned from snooped ARP packets on a VLAN that has VLAN-SGT mapping configured.
2. CLI—Address bindings configured using the IP-SGT form of the cts role-based sgt-map global configuration command.
3. Layer 3 Interface (L3IF)—Bindings added due to FIB forwarding entries that have paths through one or more interfaces with consistent L3IF-SGT mapping or Identity Port Mapping on routed ports.
4. SXP—Bindings learned from SXP peers.
5. IP_ARP—Bindings learned when tagged ARP packets are received on a CTS-capable link.
6. LOCAL—Bindings of authenticated hosts which are learned via EPM and device tracking. This type of binding also includes individual hosts that are learned via ARP snooping on L2 [I]PM configured ports.
7. INTERNAL—Bindings between locally configured IP addresses and the device's own SGT.
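The priority list above decides which binding a switch keeps when several sources claim the same IP, and the dynamic-classification slide shows where the LOCAL binding's SGT comes from (the RADIUS attribute cisco-av-pair=cts:security-group-tag=0005-01). The following is an added example, not Cisco code, that models both: it parses the av-pair and keeps one active binding per IP, resolved by the source priority, so that a lower-priority SXP binding does not displace a LOCAL one but takes over once the host logs off. The IPs, SGTs and the demo sequence are constructed.

```python
"""IP-SGT binding table with source priority (added example, not Cisco code)."""
import re

# Priority order from the slide, lowest (1) to highest (7).
SOURCE_PRIORITY = {
    "VLAN": 1, "CLI": 2, "L3IF": 3, "SXP": 4, "IP_ARP": 5, "LOCAL": 6, "INTERNAL": 7,
}

# RADIUS attribute from the dynamic-classification slide, e.g. cts:security-group-tag=0005-01
# (4 hex digits of SGT, then a 2-hex-digit generation id).
_AV_PAIR = re.compile(
    r"^(?:cisco-av-pair=)?cts:security-group-tag=([0-9a-fA-F]{4})-([0-9a-fA-F]{2})$")


def parse_sgt_av_pair(av_pair):
    """Return (sgt, generation_id) from a cts:security-group-tag av-pair."""
    m = _AV_PAIR.match(av_pair.strip())
    if not m:
        raise ValueError("not a cts:security-group-tag av-pair: %r" % av_pair)
    return int(m.group(1), 16), int(m.group(2), 16)


class BindingTable:
    """One active (sgt, source) per IP, chosen from all candidate sources by priority."""

    def __init__(self):
        self._candidates = {}   # ip -> {source: sgt}
        self._active = {}       # ip -> (sgt, source)

    def add(self, ip, sgt, source):
        if source not in SOURCE_PRIORITY:
            raise ValueError("unknown binding source %r" % source)
        self._candidates.setdefault(ip, {})[source] = sgt
        self._recompute(ip)
        return self._active[ip]

    def remove(self, ip, source):
        """Withdraw one source's claim; the next-best candidate (if any) becomes active."""
        self._candidates.get(ip, {}).pop(source, None)
        self._recompute(ip)
        return self._active.get(ip)

    def lookup(self, ip):
        return self._active.get(ip)

    def _recompute(self, ip):
        cands = self._candidates.get(ip) or {}
        if not cands:
            self._active.pop(ip, None)
            self._candidates.pop(ip, None)
            return
        best = max(cands, key=lambda s: SOURCE_PRIORITY[s])
        self._active[ip] = (cands[best], best)

    def show(self):
        """Text roughly in the style of 'show cts role-based sgt-map all'."""
        lines = ["IP Address       SGT   Source"]
        for ip, (sgt, src) in sorted(self._active.items()):
            lines.append("%-16s %-5d %s" % (ip, sgt, src))
        return "\n".join(lines)


def demo():
    """Constructed sequence; returns the three lookups a reader would want to verify."""
    t = BindingTable()
    t.add("10.1.10.1", 3, "INTERNAL")        # the switch's own address
    t.add("10.1.40.10", 5, "CLI")            # cts role-based sgt-map 10.1.40.10 sgt 5
    t.add("10.1.40.10", 9, "SXP")            # an SXP peer claims another SGT: SXP (4) outranks CLI (2)
    sgt, _gen = parse_sgt_av_pair("cisco-av-pair=cts:security-group-tag=0005-01")
    t.add("10.1.10.100", sgt, "LOCAL")       # authenticated host, SGT from the RADIUS av-pair
    t.add("10.1.10.100", 6, "SXP")           # SXP (4) does not override LOCAL (6)
    before_logoff = t.lookup("10.1.10.100")
    t.remove("10.1.10.100", "LOCAL")         # host logs off: the SXP candidate takes over
    after_logoff = t.lookup("10.1.10.100")
    return t.lookup("10.1.40.10"), before_logoff, after_logoff


if __name__ == "__main__":
    print(demo())
```

The point to take from the demo is that a binding is never simply overwritten: every source's claim is remembered, and the active entry is recomputed from the highest-priority claim still present, which matches the behaviour of a switch that falls back to an SXP-learned binding after the LOCAL one ages out.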
SGT Propagation
Propagation Option 1: Inline Tagging
§ SGT embedded within Cisco Meta Data (CMD) in Layer 2 frame
§ Capable switches understand and process the SGT at line rate
§ Optional MACsec protection
§ No impact to QoS, IP MTU/Fragmentation
§ L2 Frame Impact: ~40 bytes
§ Recommended L2 MTU ~1600 bytes
§ N.B. Incapable devices will drop frames with unknown Ethertype
(Figure: Ethernet frame with CMD: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC. The CMD EtherType is 0x8909 and the Cisco Meta Data carries Version, Length, SGT Option Type, SGT Value and other CMD options. MACsec frame: Destination MAC | Source MAC | 802.1AE Header (EtherType 0x88E5) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE | CRC, with 802.1Q, CMD, ETHTYPE and PAYLOAD under AES-GCM 128-bit encryption.)
SGT Link Authentication and Authorization Mode
Mode | MACsec | MACsec Pairwise Master Key (PMK) | MACsec Pairwise Transient Key (PTK) | Encryption Cipher Selection (no-encap, null, GCM, GMAC) | Trust/Propagation Policy for Tags
cts dot1x | Y | Dynamic | Dynamic | Negotiated | Dynamic from ISE/configured
cts manual – with encryption | Y | Static | Dynamic | Static | Static
cts manual – no encryption | N | N/A | N/A | N/A | Static
• CTS Manual is the strongly recommended configuration for SGT propagation
• "cts dot1x" takes the link down when AAA is down: tight coupling of link state and AAA state
• Some platforms (ISRG2, ASR1K, N5K) only support cts manual/no encryption
Configure Links for SGT Tagging
CTS Manual, no encryption:
interface TenGigabitEthernet1/5
 cts manual
  policy static sgt 2 trusted

C6K2T-CORE-1#sho cts interface brief
Global Dot1x feature is Enabled
Interface GigabitEthernet1/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: ""
    Authorization Status:    SUCCEEDED
        Peer SGT:            2:device_sgt
        Peer SGT assignment: Trusted
    SAP Status:              NOT APPLICABLE
    Propagate SGT:           Enabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE
    L3 IPM: disabled.
Always "shut" and "no shut" the interface after any cts manual or cts dot1x change.
Propagation Option 2: SGT eXchange Protocol (SXP)
§ Control plane protocol that conveys the IP-SGT map of authenticated hosts to enforcement points
§ SXP uses TCP as the transport layer
§ Accelerate deployment of SGT
§ Support Single Hop SXP & Multi-Hop SXP (aggregation)
§ Two roles: Speaker (initiator) and Listener (receiver)
§ SXPv4 – Loop detection and Bi-directional connections
(Figure: access switches (SW) act as SXP speakers towards a router (RT) that aggregates their bindings and in turn speaks SXP to the listener; SXP (Aggregation) is the multi-hop case.)
Propagation Option 2: SGT eXchange Protocol
§ SXP accelerates deployment of SGTs – Allows classification at the access edge without hardware upgrade – Allows communication from access edge to enforcement device
§ SXP also used to traverse networks/devices without SGT capabilities
§ Uses TCP for transport protocol
§ TCP port 64999 for connection initiation
§ Use MD5 for authentication and integrity check
§ Two roles: Speaker (initiator) and Listener (receiver)
SXP Flow
Speaker: CTS6K (10.1.3.2). Listener: CTS7K (10.1.3.1). ISE 1.1 is the source of the SGT assignment.
TCP SYN       IP Src: 10.1.3.2 Dst: 10.1.3.1   TCP Src Port: 16277 Dst Port: 64999   Flags: 0x02 (SYN)
TCP SYN-ACK   IP Src: 10.1.3.1 Dst: 10.1.3.2   TCP Src Port: 64999 Dst Port: 16277   Flags: 0x12 (SYN, ACK)
TCP ACK       IP Src: 10.1.3.2 Dst: 10.1.3.1   TCP Src Port: 16277 Dst Port: 64999   Flags: 0x10 (ACK)
SXP OPEN      IP Src: 10.1.3.2 Dst: 10.1.3.1   TCP Src Port: 16277 Dst Port: 64999   Flags: 0x10 (ACK)   SXP Type: Open   Version: 1   Device ID: CTS6K
SXP OPEN_RESP IP Src: 10.1.3.1 Dst: 10.1.3.2   TCP Src Port: 64999 Dst Port: 16277   Flags: 0x18 (PSH, ACK)   SXP Type: Open_Resp   Version: 1   Device ID: CTS7K
SXP UPDATE    IP Src: 10.1.3.2 Dst: 10.1.3.1   TCP Src Port: 16277 Dst Port: 64999   Flags: 0x10 (ACK)   SXP Type: Update   Update Type: Install   IP Address: 10.1.10.100   SGT: 6
Result: the listener installs the binding 10.1.10.100 (SGT 6).
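The OPEN / OPEN_RESP / UPDATE sequence above, and the speaker/listener roles from the two SXP slides before it, as an added example that is not part of the original deck or of any Cisco code: a speaker and a listener exchange the three message types in Python, negotiating the version down to the lower of the two and installing or withdrawing bindings on the listener. Real SXP runs over TCP port 64999 with the TCP MD5 signature option for authentication and integrity; the in-process message passing and the shared-password check here are stand-ins for that transport, and the message names "install"/"delete" and the password value are constructed for the example.

```python
"""Simulated SXP speaker/listener exchange (added example, not Cisco code)."""
from dataclasses import dataclass, field

SXP_PORT = 64999   # TCP port SXP listens on; not used by the in-process transport below


@dataclass
class SxpMessage:
    kind: str                                    # "OPEN", "OPEN_RESP", "UPDATE" or "ERROR"
    version: int = 1
    device_id: str = ""
    updates: list = field(default_factory=list)  # (action, ip_prefix, sgt) tuples for UPDATE
    reason: str = ""                             # set on ERROR


class SxpListener:
    """Receives bindings; answers the OPEN handshake and keeps the SXP-learned table."""

    def __init__(self, device_id, max_version=4, password=None):
        self.device_id = device_id
        self.max_version = max_version
        self.password = password          # stand-in for the TCP MD5 password
        self.state = "OFF"
        self.version = None
        self.bindings = {}                # ip_prefix -> sgt, all with source SXP

    def receive(self, msg, password=None):
        if msg.kind == "OPEN":
            if self.password is not None and password != self.password:
                return SxpMessage("ERROR", reason="authentication failed")
            self.version = min(msg.version, self.max_version)   # negotiate down
            self.state = "ON"
            return SxpMessage("OPEN_RESP", version=self.version, device_id=self.device_id)
        if msg.kind == "UPDATE":
            if self.state != "ON":
                return SxpMessage("ERROR", reason="UPDATE before OPEN")
            for action, prefix, sgt in msg.updates:
                if action == "install":
                    self.bindings[prefix] = sgt
                elif action == "delete":
                    self.bindings.pop(prefix, None)
                else:
                    return SxpMessage("ERROR", reason="unknown update type %s" % action)
            return None       # UPDATE carries no SXP-level reply; TCP acknowledges it
        return SxpMessage("ERROR", reason="unexpected %s" % msg.kind)


class SxpSpeaker:
    """Initiates the connection and pushes its IP-SGT bindings to the listener."""

    def __init__(self, device_id, version=1, password=None):
        self.device_id = device_id
        self.version = version
        self.password = password
        self.state = "OFF"
        self.peer_version = None

    def connect(self, listener):
        resp = listener.receive(SxpMessage("OPEN", version=self.version, device_id=self.device_id),
                                password=self.password)
        if resp.kind != "OPEN_RESP":
            self.state = "OFF"
            return resp
        self.peer_version = resp.version
        self.state = "ON"
        return resp

    def send_bindings(self, listener, updates):
        if self.state != "ON":
            raise RuntimeError("SXP connection is not ON")
        return listener.receive(SxpMessage("UPDATE", version=self.peer_version, updates=list(updates)))


def demo():
    """Speaker CTS6K (SXP v1) to listener CTS7K (supports up to v4), as on the slide."""
    listener = SxpListener("CTS7K", max_version=4, password="constructed-secret")
    speaker = SxpSpeaker("CTS6K", version=1, password="constructed-secret")
    open_resp = speaker.connect(listener)
    speaker.send_bindings(listener, [("install", "10.1.10.100", 6)])   # the UPDATE on the slide
    speaker.send_bindings(listener, [("install", "10.0.200.203", 3)])  # constructed second host
    speaker.send_bindings(listener, [("delete", "10.0.200.203", 3)])   # host gone: withdraw it
    return open_resp.device_id, listener.version, dict(listener.bindings)


if __name__ == "__main__":
    print(demo())
```

The two failure cases worth noticing are handled in receive(): an OPEN with the wrong password is refused before any state changes, and an UPDATE that arrives before the handshake is rejected rather than silently installing bindings, which is the behaviour a listener needs so that only an authenticated, established peer can populate its binding table.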
SXP Informational Draft
§ SXP now published as an Informational Draft to the IETF, based on customer requests
§ Draft called ‘Source-Group Tag eXchange Protocol’ because of likely uses beyond security
§ Specifies SXP v4 functionality with backwards compatibility to SXP v2
§ http://www.ietf.org/id/draft-smith-kandula-sxp-00.txt
SXP Connection Types
Single-Hop SXP: SXP-enabled switch/WLC (Speaker) --SXP--> SGT-capable HW (Listener)
Multi-Hop SXP: SXP-enabled SW/WLC (Speaker) --SXP--> SXP-enabled SW (Listener, then Speaker) --SXP--> SGT-capable HW (Listener); the intermediate hop lets SXP cross a non-TrustSec domain.
IOS SXP Configuration
3750:
cts sxp enable
cts sxp connection peer 10.1.44.1 source 10.1.11.44 password default mode local
! SXP Peering to Cat6K

6K:
cts sxp enable
cts sxp default password cisco123
!
cts sxp connection peer 10.1.11.44 source 10.1.44.1 password default mode local listener hold-time 0 0
! ^^ Peering to Cat3K
cts sxp connection peer 10.1.44.44 source 10.1.44.1 password default mode local listener hold-time 0 0
! ^^ SXP Peering to WLC

C3750#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address       Security Group      Source
======================================================================
10.10.11.1       2:device_sgt        INTERNAL
10.10.11.100     8:EMPLOYEE_FULL     LOCAL

C6K2T-CORE-1#show cts sxp connections brief
 SXP              : Enabled
 Highest Version Supported: 4
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.11.44       10.1.44.1        On                11:28:14:59 (dd:hr:mm:sec)
10.1.44.44       10.1.44.1        On                22:56:04:33 (dd:hr:mm:sec)
Total num of SXP Connections = 2

C6K2T-CORE-1#show cts role-based sgt-map all details
Active IP-SGT Bindings Information
IP Address       Security Group      Source
======================================================================
10.1.40.10       5:PCI_Servers       CLI
10.1.44.1        2:Device_sgt        INTERNAL
--- snip ---
10.0.200.203     3:GUEST             SXP
10.10.11.100     8:EMPLOYEE_FULL     SXP
WLC SXP Configuration
Inline Tagging vs. SXP Tag Propagation
(Figure: the same campus-to-DC path (Campus Access, Distribution, Core, Enterprise Backbone, DC Core, EOR, DC Access, with WLC, FW and Hypervisor SW). With inline SGT tagging, the ASICs at each hop carry the SGT in the CMD field of the L2 Ethernet frame from SRC: 10.1.100.98, optionally encrypted. With SXP, the access device holds the binding (IP Address 10.1.100.98, SGT 50, SRC Local) and sends it over SXP to the SXP IP-SGT binding table on the enforcement point (10.1.100.98 -> SGT 50).)
• Inline Tagging: if the device supports SGT in its ASICs
• SXP: if there are devices that are not SGT-capable
Policy Enforcement
Policy Enforcement - Security Group ACL (SGACL)
(Figure: Cat3750X, Cat6500, WLC5508, Nexus 2248, Nexus 5500, Nexus 7000 and ASA5585 across the Enterprise Backbone. Mary authenticates and is classified as Marketing (5). Her traffic, SRC: 10.1.10.220 with SGT 5, goes to DST: 10.1.100.52 (Web_Dir, SGT 20) or DST: 10.1.200.100 (CRM, SGT 30). At the egress switch the FIB lookup yields the destination MAC/port and the destination SGT, and the SGACL in the matching cell is applied:)
SRC\DST         Web_Dir (20)   CRM (30)
Marketing (5)   SGACL-A        SGACL-B
BYOD (7)        Deny           Deny
Destination classification: Web_Dir: SGT 20, CRM: SGT 30
Centralized SGACL Policy Management in ISE
Portal_ACL:
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip
SGACL Egress Policy Enforcement
§ Extended ACL syntax, without IP addresses
§ Avoids TCAM impact, can be IPv6 agnostic*
§ Can be applied anywhere (no IP dependency)
§ Switches that classify servers only download SGACLs they need from ISE
§ No device-specific ACL configs
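The SGACL syntax described above (extended ACL without addresses) and the policy matrix it is applied through are easy to reason about in code. The following is an added example, not Cisco code or ISE output: it parses ACEs in the slides' syntax ("permit tcp dst eq 443", "deny udp dst range 1 100 log-input", "deny ip"), holds a (source SGT, destination SGT) matrix with a default cell, and evaluates a packet against the cell's SGACLs in order, first match wins. The matrix cells are taken from the "show cts role-based permissions" output later in the deck and the Portal_ACL from the previous slide; the bodies of ALLOW_HTTP_HTTPS and ALLOW_HTTP_SQL, the port-name alias "www", and the cell that carries Portal_ACL are constructed. Treating an SGACL in which no ACE matches as an implicit deny is an assumption of this model, consistent with ISE appending "Permit IP" as the catch-all for a cell that should stay open.

```python
"""SGACL policy-matrix evaluator (added example, not Cisco code)."""

PORT_NAMES = {"domain": 53, "www": 80}   # "eq domain" appears on the slides; "www" is assumed


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_ace(line):
    """Parse one ACE into {action, proto, dst_lo, dst_hi}; dst_lo is None when any port matches."""
    tok = line.split()
    if len(tok) < 2 or tok[0] not in ("permit", "deny"):
        raise ValueError("bad ACE: %r" % line)
    ace = {"action": tok[0], "proto": tok[1], "dst_lo": None, "dst_hi": None}
    i = 2
    while i < len(tok):
        if tok[i] == "dst" and tok[i + 1] == "eq":
            ace["dst_lo"] = ace["dst_hi"] = _port(tok[i + 2])
            i += 3
        elif tok[i] == "dst" and tok[i + 1] == "range":
            ace["dst_lo"], ace["dst_hi"] = _port(tok[i + 2]), _port(tok[i + 3])
            i += 4
        elif tok[i] in ("log", "log-input"):
            i += 1                          # logging keywords do not change what matches
        else:
            raise ValueError("unsupported token %r in %r" % (tok[i], line))
    return ace


def ace_matches(ace, proto, dport):
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["dst_lo"] is None:
        return True
    return dport is not None and ace["dst_lo"] <= dport <= ace["dst_hi"]


class SgaclMatrix:
    """Egress policy matrix: (src SGT, dst SGT) -> ordered SGACL names, plus a default cell."""

    def __init__(self, acls, default=("Permit IP",)):
        self.acls = {name: [parse_ace(l) for l in body] for name, body in acls.items()}
        self.cells = {}
        self.default = list(default)

    def set_cell(self, src_sgt, dst_sgt, *acl_names):
        self.cells[(src_sgt, dst_sgt)] = list(acl_names)

    def evaluate(self, src_sgt, dst_sgt, proto, dport=None):
        """(action, acl_name) of the first matching ACE; ('deny', None) when nothing matched."""
        for name in self.cells.get((src_sgt, dst_sgt), self.default):
            for ace in self.acls[name]:
                if ace_matches(ace, proto, dport):
                    return ace["action"], name
        return "deny", None      # assumed implicit deny at the end of the cell's SGACLs


def build_demo_matrix():
    """Cells from the 'show cts role-based permissions' slide plus the Portal_ACL slide.
    ALLOW_HTTP_HTTPS and ALLOW_HTTP_SQL bodies are constructed (ISE output shows names only)."""
    m = SgaclMatrix({
        "Permit IP": ["permit ip"],
        "Deny IP": ["deny ip"],
        "ALLOW_HTTP_HTTPS": ["permit tcp dst eq 80", "permit tcp dst eq 443"],
        "ALLOW_HTTP_SQL": ["permit tcp dst eq 80", "permit tcp dst eq 1433"],
        "Portal_ACL": ["permit tcp dst eq 443", "permit tcp dst eq 80", "permit tcp dst eq 22",
                       "permit tcp dst eq 3389", "permit tcp dst eq 135", "permit tcp dst eq 136",
                       "permit tcp dst eq 137", "permit tcp dst eq 138", "permit tcp dst eq 139",
                       "deny ip"],
    })
    m.set_cell(3, 5, "Deny IP")
    m.set_cell(4, 5, "ALLOW_HTTP_HTTPS")
    m.set_cell(3, 6, "ALLOW_HTTP_SQL", "Permit IP")
    m.set_cell(4, 6, "Deny IP")
    m.set_cell(3, 7, "Deny IP")
    m.set_cell(4, 7, "Permit IP")
    m.set_cell(5, 7, "Portal_ACL")   # constructed: SGT 5 to Prod_Server (SGT 7) gets the portal policy
    return m


if __name__ == "__main__":
    m = build_demo_matrix()
    for pkt in [(4, 5, "tcp", 443), (4, 5, "tcp", 22), (3, 6, "tcp", 22),
                (5, 7, "tcp", 3389), (9, 9, "icmp", None)]:
        print(pkt, "->", m.evaluate(*pkt))
```

Note the difference between cell (4,5) and cell (3,6): both start with a permit list, but only (3,6) ends with "Permit IP", so SSH from SGT 4 to SGT 5 is dropped while SSH from SGT 3 to SGT 6 is allowed. That is exactly the kind of question the policy matrix answers without any reference to IP addresses.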
(Figure: SGACL enforcement with sources SGT=3, SGT=4 and SGT=5 and destinations Prod_Server (SGT=7) and Dev_Server (SGT=10); the Portal_ACL shown above is downloaded and enforced for the Prod_Servers and Dev_Servers cells.)
* Currently only Cat6k Sup 2T supports IPv6 SGACL
Configuring an IOS Switch for SGT
§ The following CLI is required to turn on NDAC (to authenticate the device to ISE and receive policies, including SGACLs, from ISE)
Switch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#aaa new-model
Switch(config)#radius-server host <ISE_PDP_IP> pac key <RADIUS_SHARED_SECRET>
Switch(config)#aaa authentication dot1x default group radius
Switch(config)#aaa authorization network <AUTHZ_List_Name> group radius
Switch(config)#cts authorization list <AUTHZ_List_Name>
① Enabling AAA (aaa new-model)
② Defining the RADIUS server with the PAC keyword
③ Define the authorization list name for SGA policy download (cts authorization list)
④ Use the default AAA group for 802.1X and the defined authz list for authorization
Configuring an IOS Switch for SGT(cont.)
Switch(config)#radius-server vsa send authentication
Switch#cts credential id <DEVICE_ID> password <DEVICE_PASSWORD>
Switch(config)#dot1x system-auth-control
⑤ Configure the RADIUS server to use VSAs in the authentication request
⑥ Enable 802.1X at system level
⑦ Define the device credential (EAP-FAST I-ID), which must match the one in the ISE AAA client configuration
Note: the device credential under IOS is configured in Enable mode, not in config mode. This differs from NX-OS, where the device credential is configured in config mode.
Verification - PAC
TS2-6K-DIST#show cts pacs
  AID: 04FB30FE056125FE90A340C732ED9530
  PAC-Info:
    PAC-type = Cisco Trustsec
    AID: 04FB30FE056125FE90A340C732ED9530
    I-ID: TS2-6K-DIST
    A-ID-Info: ISE PAP
    Credential Lifetime: 00:54:33 UTC Dec 21 2011
  PAC-Opaque: 000200B0000300010004001004FB30FE056125FE90A340C732ED95300006009400030100980BC43B8BDAB7ECC3B12C04D2D3CA6E000000134E7A69FD00093A80AD1F972E0C67757D29DBF9E8452EDC3E0A46858429C8E4714315533061DAD4FB2F31346FE4408579D4F55B3813ADA9876F04ACC1656DE2F476ED3CBC96A0DB937403AC3B0CAB64EEC15A1BD6E351A005A8DE6E6F894DEE619F4EFFF031BC7E7BD9C8B230885093FF789BAECB152E3617986D3E0B
  Refresh timer is set for 12w0d
Use show cts pacs to verify whether the PAC has been provisioned. Key points: the A-ID matches the one found in the environment data for the server IP address; the I-ID is the one you set up as the Device ID; and A-ID-Info matches what you configured on ISE (EAP-FAST configuration).
The PAC is provisioned during EAP-FAST phase 0. It allows a TLS tunnel to be built between ISE and CTS device. This secures later transactions.
Downloading Policy on IOS Switch – Verify Environment Data
TS2-6K-DIST#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00
Server List Info:
Installed list: CTSServerList1-0004, 3 server(s):
 *Server: 10.1.100.3, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
          Status = ALIVE
          auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.1.100.4, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
          Status = ALIVE
          auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
 *Server: 10.1.100.6, port 1812, A-ID 04FB30FE056125FE90A340C732ED9530
          Status = ALIVE
          auto-test = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0001-22 :
    7-98 : 80 -> FIN_SRV
    6-98 : 80 -> HR_DB
    5-98 : 80 -> HR_ADMIN_SRV
    4-98 : 80 -> FIN_ADMIN
    3-98 : 80 -> HR_CONTRACTOR
    2-98 : 80 -> Device_SGT
    unicast-unknown-98 : 80 -> Unknown
    Any : 80 -> ANY
Transport type = CTS_TRANSPORT_IP_UDP
Environment Data Lifetime = 86400 secs
Last update time = 22:50:57 UTC Mon Sep 26 2011
Env-data expires in   0:23:59:49 (dd:hr:mm:sec)
Env-data refreshes in 0:23:59:49 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
Activating SGACL Enforcement on IOS Switch
§ After setting up SGT/SGACL on ISE, you can now enable SGACL enforcement on the IOS switch
Defining IP to SGT mapping for servers:
Switch(config)#cts role-based sgt-map 10.1.40.10 sgt 5
Switch(config)#cts role-based sgt-map 10.1.40.20 sgt 6
Switch(config)#cts role-based sgt-map 10.1.40.30 sgt 7
Enabling SGACL enforcement globally and for VLAN 40:
Switch(config)#cts role-based enforcement
Switch(config)#cts role-based enforcement vlan-list 40
Downloading SGACL Policy on IOS Switch – Verify SGACL Content
TS2-6K-DIST#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 3 to group 5:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 5:
        ALLOW_HTTP_HTTPS-20
IPv4 Role-based permissions from group 3 to group 6:
        ALLOW_HTTP_SQL-10
        Permit IP-00
IPv4 Role-based permissions from group 4 to group 6:
        Deny IP-00
IPv4 Role-based permissions from group 3 to group 7:
        Deny IP-00
IPv4 Role-based permissions from group 4 to group 7:
        Permit IP-00
The SGACL mapping policy should match the one on ISE.
Policy Enforcement on Firewalls: ASA SG-FW
§ Can still use Network Objects (Host, Range, Network (subnet) or FQDN) and/or the SGT
§ Switches inform the ASA of Security Group membership
§ Security Group definitions come from ISE
§ Trigger other services by SGT
Using SG-FW and SGACL Enforcement Together
§ Consistent Classification/enforcement between Firewalls and switching.
§ SGT Names will be synchronized between ISE and ASDM
§ Policy administrators need to ensure SGACL and SG-FW rules are in sync
(Figure: Campus Network and Data Centre. The campus switches learn the binding 10.1.10.1 = PCI (10) and send it over SXP to the ASA (SG-FW on ASA) and towards the DC switches (SGACL on switches). ISE holds the SGACL policies and downloads SGT names to CSM/ASDM, e.g. SGT 10 = PCI_User and SGT 100 = PCI_Svr, so the ASA rules in front of the PCI Server use the same names.)
Use Case: Campus and Branch Segmentation
Campus and Branch Segmentation – Policy View
(Figure, logical view: ISE does the classification, the switch and router do the enforcement. The policy matrix has sources LoB1 Production Users, LoB1 Developers, LoB2 Employees and Guest and destinations LoB1 Production Users, LoB1 Developers, LoB2 Employees, Guests, Protected Assets and Internet Access; each cell is PERMIT, DENY or the Malware Block SGACL, with Malware Block applied to Internet Access. *LoB = Line of Business.)
Malware Blocking ACL:
Deny tcp dst eq 445 log
Deny tcp dst range 137 139 log
Permit all
Implementing Wireless User – User Policy Enforcement
(Figure: WLAN Controller on Vlan 2 attached to a 6500, SXP from the WLC to the 6500, policy from ISE; user-to-user traffic on the WLAN is permitted or denied by the 6500.)
interface Vlan2
 ip local-proxy-arp
 ip route-cache same-interface
!
cts role-based enforcement
cts role-based enforcement vlan-list 2
§ Apply user-user policies as defined in ISE on traffic from the WLC
Extending Inline Tagging Across WAN to Branches
§ Inline tagging across WAN: – ISR G2 IOS 15.4(1)T and – ASR1000 15.4(1)S
§ Inline tagging on built-in ISRG2 & ASR 1000 Ethernet interfaces (all except 800 series ISR)
§ Carries SGT inline across GET-VPN and IPsec VPN
(Figure: HQ with an ASR1000 router doing inline SGT; Branch A and Branch B with ISRG2 routers, e.g. 2951/3945, and Cat3750-X access switches; the SGT is carried over GET-VPN or IPsec VPN between the sites.)
§ Can also use SGT-aware Zone-based Firewall in branch and DC WAN edge for reasons like PCI compliance
§ SGT allows more dynamic classification in the branch and DC WAN edge
§ SGT is a source criteria only in ISR FW, Source or Dest in ASR 1000
IKEv2/IPsec and Inline Tagging
BO-2921#
cts role-based sgt-map 9.9.9.1 sgt 5000
cts role-based sgt-map 11.11.11.1 sgt 65533
!
crypto ikev2 proposal p1
 encryption 3des
 integrity md5
 group 2
!
crypto ikev2 policy policy1
 proposal p1
!
crypto ikev2 keyring key
 peer v4
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
crypto ikev2 profile prof3
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring key
!
crypto ikev2 cts sgt
!
crypto ipsec transform-set trans esp-3des esp-sha-hmac
!
...
Callouts: the cts role-based sgt-map lines are the CTS infra CLI used to configure the IP->SGT mapping; crypto ikev2 cts sgt enables SGT capability negotiation for IPsec inline tagging.
GETVPN and Inline Tagging
• The KS can enable SGT tagging on a per-SA basis
crypto gdoi group GDOI
 identity number 12345
 server local
  sa ipsec 1
   tag cts sgt
   match address ipv4 ACL_GETVPN_SGT
  sa ipsec 2
   no tag
   match address ipv4 ACL_GETVPN_NO_SGT
"tag cts sgt" shows that SGT capability is enabled on the KS for that SA.
If the KS is configured for tagging, GMs must register using GETVPN software version 1.0.5 or higher to be accepted.
ZFW on ISR G2
!
class-map type inspect match-any partner-services
 match protocol http
 match protocol icmp
 match protocol ssh
class-map type inspect match-any partner-sgts
 match security-group source tag 2001
 match security-group source tag 2002
 match security-group source tag 2003
class-map type inspect match-all partner-class
 match class-map partner-services
 match class-map partner-sgts
class-map type inspect match-any guest-services
 match protocol http
class-map type inspect match-any guest-sgts
 match security-group source tag 5555
class-map type inspect match-all guest-class
 match class-map guest-services
 match class-map guest-sgts
class-map type inspect match-any emp-services
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol ssh
class-map type inspect match-any emp-sgts
 match security-group source tag 1001
 match security-group source tag 1002
 match security-group source tag 1003
class-map type inspect match-all emp-class
 match class-map emp-services
 match class-map emp-sgts
partner-class, guest-class and emp-class are the match-all filters specifying the services that are allowed for partners, guests and employees respectively.
ZFW on ISR G2
!
policy-map type inspect branch-policy
 class type inspect emp-class
  inspect
 class type inspect partner-class
  inspect
 class type inspect guest-class
  inspect
 class class-default
  drop
!
zone security lan
zone security ho
zone-pair security lan-ho source lan destination ho
 service-policy type inspect branch-policy
!
interface GigabitEthernet0/1
 description ***branch lan network***
 ip address 10.0.0.1 255.255.255.0
 zone-member security lan
!
interface GigabitEthernet0/2
 description ***connection to head-office***
 ip address 172.16.0.1 255.255.255.252
 zone-member security ho
!
The specific class filters are referenced inside the policy map, one for each SGT group.
SGACL Monitoring
Verifying SGACL Enforcement
Use show cts role-based counters to show traffic dropped by SGACL:
TS2-6K-DIST#show cts role-based counters
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitted  HW_Permitted
*       *       0          0          48002         369314
3       5       53499      53471      0             0
4       5       0          0          0             3777
3       6       0          0          0             53350
4       6       3773       3773       0             0
3       7       0          0          0             0
4       7       0          0          0             0
From * to * means the default rule.
The show command displays the statistics of RBACL enforcement. Separate counters are displayed for HW- and SW-switched packets. The user can specify the source SGT using the "from" clause and the destination SGT using the "to" clause.
SGACL Monitoring
C6K2T-CORE-1#sho cts role-based permissions
IPv4 Role-based permissions from group 8:EMPLOYEE_FULL to group 8:EMPLOYEE_FULL:
        Malware_Prevention-11
C6K2T-CORE-1#sho ip access-list
Role-based IP access list Deny IP-00 (downloaded)
    10 deny ip
Role-based IP access list Malware_Prevention-11 (downloaded)
    10 deny icmp log-input (51 matches)
    20 deny udp dst range 1 100 log-input
    30 deny tcp dst range 1 100 log-input
    40 deny udp dst eq domain log-input
*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp 10.10.18.101 (GigabitEthernet1/1 ) -> 10.10.11.100 (8/0), 119 packets
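The counters table and the %SEC-6-IPACCESSLOGDP message on the last two slides are what an operator actually has to read after turning enforcement on. The following is an added example, not Cisco code: it parses the "show cts role-based counters" table and the syslog line into records, lists the (source SGT, destination SGT) pairs that are dropping traffic, and totals denied packets per logging ACL, so both "is the policy denying what it should" and "is anything unexpected being denied" can be answered from the device output. The embedded sample output is constructed from the two slides; the helper names are this example's own.

```python
"""Parsers for the SGACL monitoring output on the slides (added example, not Cisco code)."""
import re

# Constructed from the 'show cts role-based counters' table on the slide.
COUNTERS_OUTPUT = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitted  HW_Permitted
*       *       0          0          48002         369314
3       5       53499      53471      0             0
4       5       0          0          0             3777
3       6       0          0          0             53350
4       6       3773       3773       0             0
3       7       0          0          0             0
4       7       0          0          0             0
"""

# The syslog line from the slide (the space inside the interface parentheses is as logged).
SYSLOG_LINES = [
    "*May 24 04:50:06.090: %SEC-6-IPACCESSLOGDP: list Malware_Prevention-11 denied icmp "
    "10.10.18.101 (GigabitEthernet1/1 ) -> 10.10.11.100 (8/0), 119 packets",
]

_ROW = re.compile(r"^(\*|\d+)\s+(\*|\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def _sgt(field):
    return "*" if field == "*" else int(field)


def parse_counters(text):
    """One dict per From/To row; '*' is kept for the default rule."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append({
                "from": _sgt(m.group(1)), "to": _sgt(m.group(2)),
                "sw_denied": int(m.group(3)), "hw_denied": int(m.group(4)),
                "sw_permitted": int(m.group(5)), "hw_permitted": int(m.group(6)),
            })
    return rows


def denying_pairs(rows):
    """(from, to, denied packets) for every explicit cell with drops, largest first."""
    out = [(r["from"], r["to"], r["sw_denied"] + r["hw_denied"])
           for r in rows if r["from"] != "*" and (r["sw_denied"] or r["hw_denied"])]
    return sorted(out, key=lambda t: -t[2])


_LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\S+) \((?P<ifc>[^)]*?)\s*\) -> (?P<dst>\S+) \((?P<a>\d+)/(?P<b>\d+)\), "
    r"(?P<packets>\d+) packets?")


def parse_ipaccesslog(line):
    """Fields of an IPACCESSLOGDP message, or None. For icmp the (a/b) pair is type/code."""
    m = _LOGDP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["packets"] = int(rec["packets"])
    rec["type_code"] = (int(rec.pop("a")), int(rec.pop("b")))
    return rec


def report(counters_text=COUNTERS_OUTPUT, syslog_lines=SYSLOG_LINES):
    """Denying SGT pairs from the counters plus denied packets per ACL seen in syslog."""
    pairs = denying_pairs(parse_counters(counters_text))
    logs = [r for r in (parse_ipaccesslog(l) for l in syslog_lines) if r]
    denied_by_acl = {}
    for r in logs:
        if r["action"] == "denied":
            denied_by_acl[r["acl"]] = denied_by_acl.get(r["acl"], 0) + r["packets"]
    return {"denying_pairs": pairs, "denied_by_acl": denied_by_acl}


if __name__ == "__main__":
    summary = report()
    for src, dst, n in summary["denying_pairs"]:
        print("SGT %s -> SGT %s: %d packets denied by SGACL" % (src, dst, n))
    print(summary["denied_by_acl"])
```

Against the sample table the report lists SGT 3 -> 5 and SGT 4 -> 6 as the denying cells, which is consistent with the Deny IP entries in the permissions output earlier in the deck; a pair that appears here but is expected to be permitted is the first thing to chase in the ISE matrix.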
Monitoring SGACL Packet Drops with Flexible NetFlow
flow record cts-v4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match flow direction
 match flow cts source group-tag
 match flow cts destination group-tag
 collect counter bytes
 collect counter packets
!
flow exporter EXP1
 destination 10.2.44.15
 source GigabitEthernet3/1
!
flow monitor cts-mon
 record cts-v4
 exporter EXP1
! the monitor must reference the flow record defined above
!
interface Vlan10
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
interface Vlan20
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
interface Vlan30
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
interface Vlan40
 ip flow monitor cts-mon input
 ip flow monitor cts-mon output
!
cts role-based ip flow mon cts-mon dropped
*Optional: the last command creates flows only for Role-based ACL drops
Monitoring SGACL Packet Drops with Flexible Netflow
SJC01#show flow mon cts-mon cache
  Cache type:                            Normal
  Cache size:                              4096
  Current entries:                         1438
  High Watermark:                          1632
  Flows added:                            33831
  Flows aged:                             32393
    - Active timeout      (  1800 secs)       0
    - Inactive timeout    (    15 secs)   32393
    - Event aged                              0
    - Watermark aged                          0
    - Emergency aged                          0

IPV4 SOURCE ADDRESS:              192.168.30.209
IPV4 DESTINATION ADDRESS:         192.168.200.156
TRNS SOURCE PORT:                 60952
TRNS DESTINATION PORT:            80
FLOW DIRECTION:                   Output
FLOW CTS SOURCE GROUP TAG:        30
FLOW CTS DESTINATION GROUP TAG:   200
IP PROTOCOL:                      6
counter bytes:                    56
counter packets:                  1

IPV4 SOURCE ADDRESS:              192.168.20.140
IPV4 DESTINATION ADDRESS:         192.168.200.104
TRNS SOURCE PORT:                 8233
TRNS DESTINATION PORT:            80
FLOW DIRECTION:                   Output
FLOW CTS SOURCE GROUP TAG:        20
FLOW CTS DESTINATION GROUP TAG:   200
IP PROTOCOL:                      6
counter bytes:                    56
counter packets:                  1
Summary
Summary
§ TrustSec can be deployed for multiple use-cases
 – Can start with specific use-cases with minimal platform dependencies
 – Non-disruptive deployments; SGACL enforcement can be enabled incrementally and gradually via the policy matrix
§ TrustSec SGT can mean
 – Centralised policy for the complete network
 – Distributed enforcement and scale
 – No device-specific ACLs or rules to manage: one place to audit
 – Servers can cycle through Dev > UAT > Prod without readdressing
§ Operational benefits
 – SGACLs avoid VLAN/dACL efforts and admin
 – Security policy managers/auditors do not need to understand the topology or the underlying technology to use the policy matrix
 – Firewall rule simplification and OpEx reduction
 – Faster and easier deployment of new services
Links
§ For more info:
 – http://www.cisco.com/go/trustsec
§ TrustSec platform support matrix:
 – http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
§ TrustSec and ISE Deployment Guides:
 – http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
§ PCI Scope Reduction with Cisco TrustSec – QSA (Verizon) Validation:
 – http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf
§ IETF SXP Draft:
 – http://tools.ietf.org/html/draft-smith-kandula-sxp-00
Q & A
Thank You for Joining Us Today