Cisco Study: State of Web Security

2. • Mobile phones: please put them on silent or vibrate mode
• Q&A: during the session, time permitting, and at the end of the session
• Please go online and fill in the evaluation form
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
3. • Introduction
  Defining Network Access Management
  Foundation Technology
• Security Group Access Overview
  Source Group Tag (SGT) / Source Group ACL (SGACL) Concepts
  Network Device Access Control (NDAC) Concept
  802.1AE/SAP Concept
• SGT Use Cases
  SGT with Identity Deployment Modes
  SGT in the Data Center/VDI
• Monitoring and Troubleshooting
5. Policy-based access control for: users, endpoint devices, networking infrastructure
Identity-aware networking: identity information for granular controls; role-based business service delivery
Data integrity and confidentiality: securing the data path in the switching environment; IEEE 802.1AE standard encryption
6. Identity Information + Other Conditions = Authorization Profiles
Identity Information: Employee, Contractor, Guest, Device Types
Other Conditions: Time and Date, Posture, Location, Access Type
Authorization Profiles: Broad Access, Limited Access, Guest/Internet, Quarantine, Deny Access, Track for Accounting
7. (Diagram: a Printer via MAB, an Employee via 802.1X and a Guest via Web Auth connect to a Catalyst Switch, which talks RADIUS to ACS 5.x / ISE, backed by NAC Guest Server, NAC Profiler and a Directory Server)
• Flexible Authentication Methods (802.1X, MAB, Web Auth in any order)
• Scalable / Flexible Policy & Authentication Server supporting RBAC (ACS 5.x, ISE)
• Various Authorization Methods (VLAN, Downloadable ACL, URL Redirect, etc.)
• Cisco IOS intelligence to provide phased deployment modes for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode)
• Guest Service to provide full guest access management with Web Authentication (NAC Guest Server)
• Profiling System to perform automatic device profiling for unattended devices or any type of network-attached device (NAC Profiler)
8. Traditional access authorization methods (802.1X/MAB/Web Auth) leave some deployment concerns
VLAN Assignment:
• Can I create / manage the new VLANs or IP address scope?
• How do I handle DHCP refresh in the new subnet?
• How do I manage the ACL on the VLAN interface?
• Any impact on route summarization?
ACL Download:
• Who's going to maintain the ACLs?
• What if my destination IP addresses change?
• Does my switch have enough TCAM to handle all requests?
Detailed design before deployment is required, otherwise…
Not so flexible for changes required by today's business
Access control project ends up redesigning the whole network
10. • SGA is a broad umbrella for security improvements based on the capability to strongly identify users, hosts and network devices within a network
• SGA provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role
• SGA ensures data confidentiality and integrity by establishing trust among authenticated peers and encrypting links with those peers
11. Security Group Based Access Control
Topology-independent access control based on roles
Scalable ingress tagging via Source Group Tag (SGT) / egress filtering via Source Group ACL (SGACL)
Centralized Policy Management / Distributed Policy Enforcement
Authenticated Networking Environment
Endpoint admission enforced via 802.1X authentication, MAB, Web Auth (full IBNS compatibility)
Network device admission control based on 802.1X creates a trusted networking environment
Only the trusted network imposes the Security Group TAG
Confidentiality and Integrity
Encryption based on IEEE 802.1AE (AES-GCM 128-bit)
Wire-rate hop-to-hop layer 2 encryption
Key management based on 802.11n (SAP), will migrate to standards-based key management 802.1X-2010/MKA
12. (Diagram: a user authenticates via 802.1X/MAB/Web Auth ("I'm a contractor, my group is HR"); the session is assigned SGT = 100 for Contractor & HR, next to the groups Finance (SGT=4) and HR (SGT=10); an SGACL is applied downstream)
Security Group Based Access Control allows customers
To keep the existing logical design at the access layer
To change / apply policy to meet today's business requirements
To distribute policy from a central management server
13. Security Group Tag
• Unique 16-bit (65K) tag assigned to a unique role
• Represents the privilege of the source user, device, or entity
• Tagged at ingress of the TrustSec domain
• Filtered (SGACL) at egress of the TrustSec domain
SGACL
• No IP address required in the ACE (IP address is bound to SGT)
• Policy (ACL) is distributed from the central policy server (ISE) or configured locally on the TrustSec device
Customer Benefits
Provides topology-independent policy
Flexible and scalable policy based on user role
Centralized Policy Management for dynamic policy provisioning
Egress filtering reduces TCAM impact
14. Layer 2 SGT Frame and Cisco Meta Data Format
Frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC (the diagram marks the authenticated and the encrypted portions of the frame)
Cisco Meta Data (CMD) layout: CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
802.1AE Header, CMD and ICV are the L2 802.1AE + TrustSec overhead
Frame is always tagged at the ingress port of a TrustSec-capable device
Tagging process happens prior to other L2 services such as QoS
SGT namespace is managed on the central policy server (ISE)
No impact on IP MTU/fragmentation
15. (Diagram: users (source) Managers (S1), Sales (S2), HR Rep (S3) and IT Admins (S4) on the left; servers (destination) D1 to D6, including HR and Finance servers, on the right. The S1-to-D1 access control reads:)
permit tcp S1 D1 eq https
permit tcp S1 D1 eq 8081
permit tcp S1 D1 eq 445
deny ip S1 D1
Access Control Entry: the number of ACEs grows as the number of permission statements increases
• Source (S1~S4) * Destination (D1~D6) * Permission (4) = 96 ACEs for S1~4
• The growing number of ACEs leads to resource consumption on the enforcement point
• Network Admin manages every IP source to IP destination relationship explicitly
16. (Diagram: the same users and servers grouped into security groups. Source groups: MGMT A (SGT 10) with S1, MGMT B (SGT 20) with S2, HR Rep (SGT 30) with S3, IT Admins (SGT 40) with S4. Destination groups: Sales SRV (SGT 500), HR SRV (SGT 600) and Finance SRV (SGT 700) covering servers D1 to D6. SGACLs are applied between source and destination groups.)
• Network Admin manages every source "group" to destination "group" relationship
• This abstracts the network topology from the policy and reduces the number of policy rules the admin has to maintain
• The network automates the alignment of users/servers to groups
17. Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
Contractor (10/A) | Server A (111/6F) | Permit All
Contractor (10/A) | Server B (222/DE) | Deny All
Contractor (10/A) | Server C (333/14D) | Deny All
HR (30/1E) | Server A (111/6F) | Deny All
HR (30/1E) | Server B (222/DE) | SGACL-D
HR (30/1E) | Server C (333/14D) | Permit All
18. SGACL-D
remark destination SQL permit
permit tcp dst eq 1433
remark source SQL permit
permit tcp src eq 1433
remark http permit
permit tcp dst eq 80
remark https permit
permit tcp dst eq 443
deny all
• No IP defined
• Downloaded from ISE
• Enforcement at Egress
19. Step 1: SGT policy definition on ISE
• ISE is configured for its policy and all endpoints need to be mapped to an SGT in the policy
(Diagram: User A and User C at Campus Access, a TrustSec Enabled Network, and Server A, Server B and Server C in the Data Center together with Directory Service and ISE)
AD User | Role | SGT
User A | Contractor | 10
User B | Finance | 20
User C | HR | 30
Server | Role | IP | SGT
HTTP Server | Server Group A | 10.1.100.111 | 111
File Server | Server Group B | 10.1.100.222 | 222
SQL Server | Server Group C | 10.1.200.3 | 333
20. Step 2: SGTs are assigned to a role and bound to an IP address
• With 802.1X/MAB/Web Authentication, SGTs are assigned in an authorization policy via RADIUS
• The access device snoops ARP and/or DHCP for the authenticated MAC address, then binds the assigned SGT to the snooped IP address
• Server IP addresses are bound to an SGT statically on the access switch or looked up dynamically on ISE using the IPM feature
(Diagram: same topology as Step 1; User A is bound to SGT 10, User C to SGT 30, and Servers A, B and C to SGTs 111, 222 and 333)
AD User | Role | SGT
User A | Contractor | 10
User B | Finance | 20
User C | HR | 30
Server | Role | IP | SGT
HTTP Server | Server Group A | 10.1.100.111 | 111
File Server | Server Group B | 10.1.100.222 | 222
SQL Server | Server Group C | 10.1.200.3 | 333
21. Step 3: ISE provisions the egress policy to TrustSec-capable devices
• Each TrustSec-capable device downloads policy from ISE
(Diagram: same topology; User A tagged 10, User C tagged 30, Servers A, B and C tagged 111, 222 and 333)
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
Contractor (10/A) | Server A (111/6F) | Permit All
Contractor (10/A) | Server B (222/DE) | Deny All
Contractor (10/A) | Server C (333/14D) | Deny All
HR (30/1E) | Server A (111/6F) | Deny All
HR (30/1E) | Server B (222/DE) | SGACL-D
HR (30/1E) | Server C (333/14D) | Permit All
SGACL-D:
permit tcp src dst eq 1433    # remark destination SQL permit
permit tcp src eq 1433 dst    # remark source SQL permit
permit tcp src dst eq 80      # web permit
permit tcp src dst eq 443     # secure web permit
deny all
22. Step 4: Policy enforcement begins
• User's traffic is tagged at ingress of the TrustSec domain
• SGT is carried as the packet traverses within the domain
• At the egress port, the TrustSec device looks up local policy and drops the packet if needed
(Diagram: packets are tagged with the SGT at the ingress interface of Campus Access and carried through the TrustSec Enabled Network; at the Data Center the SGACL for SGT 10 to SGT 111 is applied: Permit All. Legend: untagged traffic vs. CMD tagged traffic.)
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
Contractor (10/A) | Server A (111/6F) | Permit All
Contractor (10/A) | Server B (222/DE) | Deny All
Contractor (10/A) | Server C (333/14D) | Deny All
HR (30/1E) | Server A (111/6F) | Deny All
HR (30/1E) | Server B (222/DE) | SGACL-D
HR (30/1E) | Server C (333/14D) | Permit All
23. Step 5: SGACL allows topology-independent access control
• Even if another user connects on the same VLAN as in the previous example, his traffic is tagged differently
• If traffic is destined to restricted resources, the packet will be dropped at the egress port of the TrustSec domain
(Diagram: User C (SGT 30) sends SQL traffic and SMB traffic toward Server B (222); at the egress point SGACL-D is applied: SQL = OK, SMB = NO)
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
Contractor (10/A) | Server A (111/6F) | Permit All
Contractor (10/A) | Server B (222/DE) | Deny All
Contractor (10/A) | Server C (333/14D) | Deny All
HR (30/1E) | Server A (111/6F) | Deny All
HR (30/1E) | Server B (222/DE) | SGACL-D
HR (30/1E) | Server C (333/14D) | Permit All
SGACL-D:
permit tcp src dst eq 1433    # remark destination SQL permit
permit tcp src eq 1433 dst    # remark source SQL permit
permit tcp src dst eq 80      # web permit
permit tcp src dst eq 443     # secure web permit
deny all
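The five steps above can be checked end to end in a small simulation. The following is an added example, not code from the Cisco deck: it models the IP-to-SGT binding table (Steps 1-2), the egress policy matrix with SGACL-D (Step 3), and evaluates constructed sample flows the way the egress enforcement point does in Steps 4-5; the `default_sgacl` parameter and the flow tuples are this example's own assumptions.

```python
"""TrustSec ingress tagging and egress SGACL enforcement, simulated.

Added example (not from the Cisco deck). Addresses, SGTs, the policy matrix
and SGACL-D are the values the deck uses; the flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0  # "Unknown" SGT: source with no binding or behind an untrusted peer

# IP-to-SGT binding table. In the deck these bindings come from the RADIUS
# authorization plus ARP/DHCP snooping, arrive over SXP, or are configured
# statically for servers.
IP_SGT_BINDINGS: Dict[str, int] = {
    "10.1.10.1": 10,       # User A, Contractor
    "10.1.30.4": 30,       # User C, HR
    "10.1.100.111": 111,   # Server A, HTTP server
    "10.1.100.222": 222,   # Server B, file server
    "10.1.200.3": 333,     # Server C, SQL server
}


@dataclass(frozen=True)
class Ace:
    """One SGACL entry. There is no IP address field: IPs are bound to SGTs."""
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # "tcp", "udp", ... or None for any protocol
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, proto: str, src_port: int, dst_port: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


# SGACL-D as listed on the slide, top to bottom; first match wins.
SGACL_D: List[Ace] = [
    Ace("permit", "tcp", dst_port=1433),   # remark destination SQL permit
    Ace("permit", "tcp", src_port=1433),   # remark source SQL permit
    Ace("permit", "tcp", dst_port=80),     # remark http permit
    Ace("permit", "tcp", dst_port=443),    # remark https permit
    Ace("deny"),                           # deny all
]
PERMIT_ALL: List[Ace] = [Ace("permit")]
DENY_ALL: List[Ace] = [Ace("deny")]

# Egress policy matrix: (source SGT, destination SGT) -> SGACL.
POLICY: Dict[Tuple[int, int], List[Ace]] = {
    (10, 111): PERMIT_ALL, (10, 222): DENY_ALL, (10, 333): DENY_ALL,   # Contractor
    (30, 111): DENY_ALL, (30, 222): SGACL_D, (30, 333): PERMIT_ALL,    # HR
}


def classify(ip: str) -> int:
    """Ingress tagging: look the IP address up in the binding table."""
    return IP_SGT_BINDINGS.get(ip, UNKNOWN_SGT)


def egress_decision(src_ip: str, dst_ip: str, proto: str, src_port: int,
                    dst_port: int, default_sgacl: List[Ace] = DENY_ALL
                    ) -> Tuple[str, int, int]:
    """Evaluate one flow at the egress enforcement point.

    Returns (action, source SGT, destination SGT). Cells missing from the
    matrix use default_sgacl (assumed parameter): DENY_ALL for an enforcing
    deployment, PERMIT_ALL to mimic Monitor Mode's "permit any any" default.
    """
    sgt, dgt = classify(src_ip), classify(dst_ip)
    for ace in POLICY.get((sgt, dgt), default_sgacl):
        if ace.matches(proto, src_port, dst_port):
            return ace.action, sgt, dgt
    return "deny", sgt, dgt   # nothing matched: implicit deny


def ip_based_ace_count(sources: int, destinations: int, permissions: int) -> int:
    """IP-based ACL: one ACE per source x destination x permission statement."""
    return sources * destinations * permissions


def group_based_cell_count(source_groups: int, destination_groups: int) -> int:
    """SGT-based policy: one matrix cell per source group x destination group."""
    return source_groups * destination_groups


if __name__ == "__main__":
    flows = [  # constructed sample flows: (src, dst, proto, sport, dport)
        ("10.1.30.4", "10.1.100.222", "tcp", 51000, 1433),  # HR -> Server B, SQL
        ("10.1.30.4", "10.1.100.222", "tcp", 51001, 445),   # HR -> Server B, SMB
        ("10.1.10.1", "10.1.100.111", "tcp", 51002, 80),    # Contractor -> Server A
        ("10.1.10.1", "10.1.100.222", "tcp", 51003, 80),    # Contractor -> Server B
        ("10.1.99.9", "10.1.100.111", "tcp", 51004, 80),    # unbound source -> Server A
    ]
    for f in flows:
        print(f[0], "->", f[1], f[2], f[4], egress_decision(*f))
    print("IP-based ACEs:", ip_based_ace_count(4, 6, 4),
          "vs. group cells:", group_based_cell_count(4, 3))
```

The HR-to-Server B flows reproduce the "SQL = OK, SMB = NO" outcome, and the last flow shows that a source with no binding ends up with SGT 0 and is dropped unless the unknown-SGT default is relaxed as in Monitor Mode.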
24. • Any member of the TrustSec domain needs to establish a trust relationship with its peer, otherwise it is not trusted
• Only an SGT from a trusted member can be "trusted" and processed by its peer
• An SGT from a distrusted device is tagged as "Unknown", a special SGT (value is zero)
• The process of authenticating a network device is called "Network Device Admission Control", or NDAC in short
25. NDAC
Network Device Admission Control (NDAC) provides strong mutual authentication (EAP-FAST) to form a trusted domain
Only an SGT from a trusted peer is honored
Authentication leads to the Security Association Protocol (SAP) to negotiate keys and cipher suite for encryption automatically (mechanism defined in 802.11i)
802.1X-2010/MKA will replace SAP for switch-to-switch encryption in the future
A trusted device acquires trust and policies from the ISE server
Customer Benefits
Mitigate rogue network devices; establish a trusted network fabric to ensure SGT integrity and its privilege
Automatic key and cipher suite negotiation for strong 802.1AE-based encryption
26. NDAC validates peer identity before the peer joins the circle of trust
(Diagram: the Seed Device authenticates to ISE with EAP-FAST over RADIUS; the ISE authorization returns the PAC, environment data and policy)
• The first device to authenticate is called the Seed Device
• The Seed Device becomes the authenticator to its peer supplicant
• A role determination process selects both the Authenticator and Supplicant roles
• NDAC utilizes EAP-FAST/MSCHAPv2
• Credentials (including the PAC) are stored in the hardware key store
27. As a device connects to its peer, the TrustSec domain expands its border of trust
(Diagram: the Seed Device (authenticator) is connected to ISE; Non-Seed Devices (supplicants) attach to it over 802.1X NDAC, and each authenticated device in turn acts as authenticator toward the next supplicant)
• If the device is not connected to ISE directly, the device is called a Non-Seed Device
• The first peer to gain ISE connectivity wins the authenticator role
• The lower MAC address is the tie breaker
28. (Diagram: CTS7K-CORE 10.1.50.1 and CTS7K-DS 10.1.50.2 are directly connected NDAC peers)
CTS7K-CORE# show cts interface ethernet 1/15
CTS Information for Interface Ethernet1/15:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-DC
Peer is: CTS Capable
802.1X role: CTS_ROLE_SUP
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853520000 an:2
Current transmit SPI: sci:18bad853460000 an:2

CTS7K-DC# show cts interface ethernet 1/3
CTS Information for Interface Ethernet1/3:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-CORE
Peer is: CTS Capable
802.1X role: CTS_ROLE_AUTH
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853460000 an:2
Current transmit SPI: sci:18bad853520000 an:2
29. 802.1AE
• TrustSec provides layer 2 hop-by-hop encryption and integrity, based on the IEEE 802.1AE standard
• 128-bit AES-GCM, NIST approved*
• Line-rate encryption/decryption for both 10 GbE and 1 GbE interfaces
• Replay protection of each and every frame
Customer Benefits
• 802.1AE encryption protects the CMD field (SGT value)
Protects against man-in-the-middle attacks (snooping, tampering, replay)
Standards-based frame format and algorithm (AES-GCM)
The 802.1X-2010/MKA addition supports per-device security associations in shared media environments (e.g. PC vs. IP Phone) to provide secured communication
Network-service-amenable hop-by-hop approach compared to an end-to-end approach (e.g. Microsoft Domain Isolation/IPsec)
• * NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
30. TrustSec Frame Format
Frame layout: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC (the diagram marks the authenticated and the encrypted portions of the frame)
MACsec Tag Format: MACsec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)
31. “Bump-in-the-wire” model
-Packets are encrypted on egress
-Packets are decrypted on ingress
-Packets are in the clear in the device
Allows the network to continue to perform all the packet inspection features currently used
(Diagram: 128-bit AES-GCM encryption on each link; the ASIC decrypts at ingress, everything is in the clear inside the device, and the frame is encrypted again at egress)
32. • What about all my other network devices that don't support SGA hardware?
• How should I assign SGTs at different points in the network?
• What use cases are covered by SGA?
• How should I phase a rollout with Identity services?
• How do I monitor and report on SGA?
33. • SGT native tagging requires hardware (ASIC) support
• Devices without TrustSec-capable hardware can still receive SGT attributes from ISE for authenticated users or devices, and then forward the IP-to-SGT binding to a TrustSec SGACL-capable device for tagging & enforcement
• SGT eXchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and incapable devices
• Currently the Catalyst 6500, 4500/4900, 3750, 3560 and Nexus 7000 switch platforms support SXP
• SXP accelerates SGACL deployment without requiring an extensive hardware upgrade for TrustSec
34. SXP enables communication between non-TrustSec and TrustSec-capable devices
• SGT assigned to user
• Switch binds endpoint IP to SGT
• Switch uses SXP to send the binding table to the TrustSec-capable device
• TrustSec-capable device tags the packet based on source IP when the packet appears on the forwarding table
(Diagram: User A (SGT 10) and User C (SGT 30) sit behind a non-TrustSec-capable access switch that builds the binding table and sends it over SXP to the TrustSec-capable device, which tags packets with the SGT based on source IP address before they reach the Data Center (Server A, B, C, Directory Service, ISE); traffic is untagged before that device and CMD tagged after it)
SXP IP-SGT Binding Table
IP Address | SGT | Interface
10.1.10.1 | 10 | Gig 2/10
10.1.30.4 | 30 | Gig 2/11
Once the SGT is tagged, the SGACL can be applied
35. Single-Hop SXP: a TrustSec Enabled SW (SXP speaker) in the non-TrustSec domain sends bindings to TrustSec Capable HW (SXP listener), with ISE as the policy server
Multi-Hop SXP: TrustSec Enabled SWs act as SXP speakers toward an intermediate TrustSec Enabled SW, which is listener on one side and speaker on the other toward the TrustSec Capable HW
36. (Diagram: Catalyst 6500 CTS6K-AS at 10.1.3.2 is the SXP speaker in the non-TrustSec domain; Nexus 7000 CTS7K-DC at 10.1.3.1 is the SXP listener; ISE is the policy server)
Catalyst 6500:
CTS6K-AS(config)#cts sxp enable
CTS6K-AS(config)#cts sxp default password <password>
CTS6K-AS(config)#cts sxp connection peer 10.1.3.1 source 10.1.3.2 password default mode peer listener
Nexus 7000:
CTS7K-DC(config)#cts sxp enable
CTS7K-DC(config)#cts sxp connection peer 10.1.2.3 source 10.1.2.1 password required <password> mode speaker
37. (Diagram: Catalyst 6500 at 10.1.3.2 is the SXP speaker in the non-TrustSec domain; Nexus 7000 at 10.1.3.1 is the SXP listener; ISE is the policy server)
CTS6K-AS#show cts sxp connections
SXP : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP : 10.1.3.1
Source IP : 10.1.3.2
Conn status : On
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd :1
TCP conn password: default SXP password
Duration since last state change: 5:21:56:26 (dd:hr:mm:sec)

CTS7K-DC# show cts sxp
CTS SXP Configuration:
SXP enabled
SXP retry timeout:60
SXP reconcile timeout:120
39. • Open Mode and Multi-Auth at the access layer with Monitoring and Reporting
• Assign SGTs to a session with "permit any any" for all flows
• Default for "unknown" SGTs is "permit any any"
• Does not have an impact on access layer functions (PXE, WoL, etc.)
40. Monitor Mode: egress enforcement with Security Group ACL
(Diagram: users and endpoints on Catalyst switches (3K/4K/6K) in the Campus Network; AUTH=OK, SGT=10 assigned by ISE; HR Server and ACME Servers behind a Nexus 7000)
Access port configuration:
authentication port-control auto
authentication open
dot1x pae authenticator
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
HR (10/A) | HR Server (111/6F) | Permit All
HR (10/A) | ACME Servers (222/DE) | Permit All
Employee (8/8) | HR Server (111/6F) | Deny All
1. User connects to network
2. Monitor mode allows traffic from the endpoint before authentication
3. Authentication is performed and results are logged by ISE
4. Traffic traverses to the Data Centre and hits the SGACL at the egress enforcement point
5. Only the permitted traffic path (source SGT to destination SGT) is allowed
41. • Eases dACL challenges by reducing the number of ACEs downloaded to the ingress port
• Egress access control with SGT differentiates service among the Employee group based on role
The difference between Monitor and Low Impact Mode is that Low Impact Mode enables very basic enforcement at the ingress interface while keeping openness for easy deployment
42. Low Impact Mode: egress enforcement with Security Group ACL
(Diagram: users and endpoints on Catalyst switches (3K/4K/6K) in the Campus Network, with an Internet destination; AUTH=OK, SGT=30 assigned by ISE; HR Server and ACME Servers behind a Nexus 7000)
PRE-AUTH-ACL:
permit tcp any any eq 80
permit udp any any eq bootps
permit esp any any
permit udp any eq 500 eq 500
Access port configuration:
authentication port-control auto
authentication open
ip access-group PRE-AUTH-ACL in
dot1x pae authenticator
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
Guest (30/1E) | Server A (111/6F) | Deny All
Guest (30/1E) | Server B (222/DE) | Deny All
Guest (30/1E) | (destination not recovered from the slide) | Permit All
1. User connects to network
2. Pre-Auth ACL only allows selective services before authentication
3. Authentication is performed and results are logged by ISE. dACL is downloaded along with SGT
4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point
5. Only the permitted traffic path (source SGT to destination SGT) is allowed
43. Business continuity for Data Centers: Widget, Inc. and ACME
(Diagram: one Physical Network carrying several Virtual networks)
Definition: 1 to Many. One network supports many virtual networks
High-level Technical Requirements
Separate Widget and ACME networks until regulatory agencies approve the acquisition in multiple countries
Dynamic VLAN assignment allows Widget/ACME employees to be placed in the correct network
44. • Fine-tuning of network policy yields greater scalability
–Virtual Network used for coarse-grained virtualization of ACME vs. Widget networks
–SGA enhances policy control by providing fine-grained virtualization of users/groups within the existing virtual domains
–Servers are separated by color
–Traffic will gravitate towards the correct server across the integrated core
• One SGA namespace per network
• SGTs must be unique per virtual network
–"ACME employee" = SGT 10 while "Widget employee" = SGT 20
(Diagram: Widget and ACME virtual networks)
46. Campus Access
(Diagram: Campus Access with Cat6500, Cat4500 and Cat3750/E assigning SGTs 10 and 20 via 802.1X, MAB, Web Auth; Branch Access with ISR w/ EtherSwitch; SXP to the Data Center Nexus 7010 with Cat6500/Cat4500, File Server (111), WEB Server (222), SQL Server, Directory Service and ISE; SGACL enforcement at the Nexus 7010)
TrustSec to cover the campus network as well as the Data Center network
Support for Campus / Branch access
Source SGT assigned via 802.1X, MAB, or Web Authentication
Server SGT assigned via IPM or statically
IP-to-SGT binding table is exchanged between the Campus access switch and the Data Center TrustSec-capable device
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
Contractor (10/A) | Server A (111/6F) | Permit All
HR (30/1E) | Server A (111/6F) | Deny All
47. Branch Access
(Diagram: Campus Access with Cat6500, Cat4500 and Cat3750/E; Branch Access with ISR w/ EtherSwitch or standalone switch assigning SGT 20 via 802.1X, MAB, Web Auth; SXP to the Data Center Nexus 7010 with Cat6500/Cat4500, File Server (111), WEB Server (222), SQL Server, Directory Service and ISE; SGACL enforcement at the Nexus 7010)
TrustSec to cover the Branch office LAN as well as the Data Center network
Support for Branch access
Source SGT assigned via 802.1X, MAB, or Web Authentication
Server SGT assigned via IPM or statically
IP-to-SGT binding table is exchanged between the branch LAN access switch and the Data Center TrustSec-capable device
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
User B (20/14) | Server B (222/DE) | SGACL-C
48. (Diagram, for illustration purposes only: a Data Center with N7K and 6K w/ SUP 2T as SXP listeners (Listener-1, Listener-2) joined by NDAC/SAP 802.1AE encryption, ASR1K routers at the WAN edge, and branch SXP speakers Speaker-1 ... Speaker-300 reaching the listeners across the WAN)
• ASR1K: available July
• 6K w/ SUP 2T: available July
Note: For illustration purposes only
50. Everyone has a different role
(Diagram: Identity Information + Other Conditions = Access Privilege. Example people: Rossi Barks (Employee, Engineering), Susan Kowalski (Employee, Finance), Francois Didier (Employee, Sales Director), Vicky Sanchez (Employee, Marketing), plus a Consultant and a Guest. Identity classes: Employee, Full-Time Employee, Guest. Other conditions: Time and Date, Location, Access Type. Access privileges: Network Administrator, Human Resources, Home Access, Deny Access)
51. (Diagram: Identity Information + Other Conditions = Access Privilege, shown for a Consultant identity. Identity classes: Consultant, Full-Time Employee, Guest. Other conditions: Time and Date, Location, Access Type. Access privileges: Network Administrator, Human Resources, Finance, Marketing, Deny Access)
52. (Diagram: Identity Information + Other Conditions = Access Privilege, shown for an Engineering identity. Identity classes: Full-Time Employee, Guest. Other conditions: Time and Date, Location: Off Site, Access Type: Wired. Access privileges: Network Administrator, Human Resources, Finance, Home Access, Deny Access)
53. (Diagram: Identity Information + Other Conditions = Access Privilege, shown for an Engineering identity. Identity classes: Full-Time Employee, Guest. Other conditions: Time and Date, Location: Airport, Access Type: VPN. Access privileges: Network Administrator, Human Resources, Finance, Home Access, Deny Access)
54. Egress enforcement with Security Group ACL: HR user not in the proper locale
(Diagram: HR User on Catalyst switches (3K/4K/6K) in the Campus Network; AUTH=OK but ISE assigns SGT=8 because of the user's location; HR Server and ACME Server behind a Nexus 7000; the path to the HR Server is marked X)
Source Security Group (Dec/Hex) | Destination Security Group (Dec/Hex) | SGACLs
HR User (10/A) | HR Server (111/6F) | Permit All
HR User (10/A) | ACME Server (222/DE) | Permit All
HR Off Site (8/8) | HR Server (111/6F) | Deny All
HR Off Site (8/8) | ACME Server (222/DE) | Permit
1. User connects to network
2. Pre-Auth ACL only allows selective services before authentication
3. Authentication is performed and results are logged by ISE. dACL is downloaded along with SGT
4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point
5. Traffic denied due to the improper location of the HR user
56. TrustSec to cover the Intra Data Center for server traffic segmentation
(Diagram: Campus Access (Cat6500, Cat4500, Cat3750/E) and Branch Access (ISR w/ EtherSwitch or standalone switch) connected over SXP to the Data Center Nexus 7010, which performs SGACL enforcement; SGT assignment via IPM or statically; Cat6500/Cat4500, File Server, WEB Server, SQL Server (111, 222, 333), Directory Service and ACS 5.1)
Manual server IP address to SGT binding on the Nexus 7000, or IPM (Identity Port Mapping) to ISE for centralized SGT management
Servers connected to the same access switch can be segmented using the Private VLAN feature toward the distribution switch
SRC \ DST | Server A (111) | Server B (222) | Server C (333)
Server A (111) | --- | SGACL-A | Permit all
Server B (222) | Permit all | --- | SGACL-B
Server C (333) | Deny all | Deny all | ---
57. Nexus 7000 SGACL enforcement options
SGT/DGT | App-SVR (222) | Public-SVR (333)
App-SVR (222) | Permit | Deny
Public-SVR (333) | Deny | Permit
(Diagram: SGACL enforcement on the SVI (VLAN 10) of the Nexus 7000; an 802.1q trunk to a Catalyst switch running a Private VLAN: primary VLAN 10 with promiscuous port P, secondary isolated VLAN 200 holding Public-SVR (333) and App-SVR (222))
• Dynamic policy enforcement between servers within the same isolated VLAN
• Dynamic policy enforcement between servers in different community VLANs
59. • User logs into the thin client (no user authentication performed for this example)
• User initiates a connection to the Connection Broker via the RDP or PCoIP protocols
• Broker queries Active Directory for VM pool assignment
• Broker redirects the user to an available VM in the VM pool
• User is now able to remotely view and control the VM
(Diagram: Campus Access Cat4500, Connection Broker, Pools of VMs in the Data Center, File Server, WEB Server, SQL Server, Directory Service and ISE)
60. • User logs into the VM, which triggers 802.1x authentication
• Authentication succeeds. Authorization assigns the SGT for the user.
• Traffic hits the egress enforcement point
• Only the permitted traffic path (source SGT to destination SGT) is allowed
(Diagram: User A connects via RDP through the Connection Broker to a VM in the pool; 802.1x Auth=OK, SGT=10; SXP from the Cat4500 to the Data Center with File Server, WEB Server, SQL Server, Directory Service and ISE)
SRC \ DST | File Server (111) | Web Server (222)
User A (10) | Permit all | Deny All
User B (20) | Deny all | SGACL-C
62. (Diagram: DC-1 and DC-2, each with Nexus 7010 switches)
63. (Diagram: DC-1 and DC-2 Nexus 7010 pairs interconnected with vPC; interface e1/25)
64. (Diagram: DC-1 and DC-2 Nexus 7010 pairs with vPC, connected to each other through PE devices over MPLS)
71. • SGA builds upon Identity services
• SGA provides a scalable Identity Access Control model
• SGA migration strategies allow customers to deploy with existing hardware
• SGA is deployable today
72. Platforms | Available Feature | OS Version | Notes
Nexus 7000 series Switch | SGACL, 802.1AE + SAP, NDAC, SXP, IPM, EAC | Cisco NX-OS® 5.0.2a. Advanced Service Package license is required | Enforcement Device, DC Distribution
Catalyst 6500E Switch (Supervisor 32, 720, 720-VSS) | NDAC (No SAP), SXP, EAC | Cisco IOS® 12.2(33)SXI3 or later release. IP Base K9 image required | Campus / DC Access switch
Catalyst 49xx switches | SXP, EAC | Cisco IOS® 12.2(50)SG7 or later release | DC Access switch
Catalyst 4500 Switch (Supervisor 6L-E or 6-E) | SXP, EAC | Cisco IOS® 12.2(53)SG7 or later release | Campus Access Switch
Catalyst 3560-X / 3750-X Switches | SXP, EAC | Cisco IOS® 12.2(53)SE2 or later release | Campus Access Switch
Catalyst 3560(E) / 3750(E) Switches | SXP, EAC | Cisco IOS® 12.2(53)SE1 or later release | Campus Access Switch
Catalyst Blade Module 3x00 Switches | SXP, EAC | Cisco IOS® 12.2(53)SE1 or later release | DC Access Switch
Cisco EtherSwitch service module for ISR Routers | SXP, EAC | Cisco IOS® 12.2(53)SE1 or later release. IP Base K9 image required | Branch Access Switch
Cisco Secure ACS | Centralized Policy Management for TrustSec | ACS Version 5.1 with TrustSec™ license required. CSACS1120 appliance or ESX Server 3.5 or 4.0 is supported | Policy Server
Identity Services Engine | Centralized Policy Management for TrustSec | ISE 1.0 with Advanced license required | Policy Server