TRANSCRIPT
Authenticate everywhere: modern security starts with identity
Gyorgy Acs, Security Consulting Systems Engineer
Cisco Connect Slovenija 2019
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Agenda
• The New IT Reality
• "Zero Trust"
• Device Trust
• SAML
• Integrations
• ISE Use Cases

Today's Reality: Why Do We Not Believe Anyone and Anything?

The New IT Reality: It's more difficult to establish user and device trust
1) Apps are available on-premises plus via IaaS and SaaS
2) Employees, contractors and others access these apps with BYOD and mobile devices
3) Attackers most often cause data breaches by directly accessing these apps via compromised passwords and devices

Anonymous
"Get used to the fact that your password is not (only) yours! It will be pwned finally! We need something completely different!"

Security Risks Persist with Traditional MFA
• 81% of breaches leverage either stolen or weak passwords (Source: Verizon, 10th edition of the Data Breach Investigations Report)
• Poorly deployed and cannot support all applications, exposing security gaps
• Cumbersome tokens and one-time passwords; not user friendly

Compromised Devices Can Access Your Data
• 99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021) (Source: Gartner, Dale Gardner, 2018 Security Summit)
• Admins lack time to patch all corporate (managed) devices
• End users access data with personal (unmanaged) devices
• End users don't want admins to take control of personal devices

1) How do you stop attacks that use stolen (yet legitimate) credentials?
2) How do you prevent devices with poor security hygiene from accessing critical apps?

A New Model for Security: Duo Trusted Access
• Every Application: consistent user experience for every application
• Trusted Users: strong user authentication for all types of users
• Trusted Devices: establish device trust without agents
• Visibility and Policies

Duo secures the login process
Step 1: Primary authentication (user's primary device). The user enters their credentials to be verified by their internal server or cloud application.
Step 2: Server communication (servers and apps). Once credentials are confirmed, the customer's applications connect with Duo servers.
Step 3: Request sent to Duo (Duo cloud servers). The call for secondary authentication is sent to Duo.
Step 4: Secondary authentication (user's secondary device). The authentication request is sent to the user, who approves or denies it.
Step 5: Success! (user's primary device). Once approved, the user is granted access to the apps they need to do their job.

Multiple secondary authentication options
• Duo Push
• Mobile Passcode
• SMS Code
• Phone Callback
• Universal Two Factor (U2F)
• WebAuthn
• HOTP Hardware Token
• Bypass Code

Secure Access (On-Prem and Remote): Secure "Every" Corporate App, Open API
• Proprietary Apps (APIs)
• Internal Apps (VPN)
• Microsoft Shops
• Cloud Service
• Unix Devices (SSH Sessions)
• Cloud Apps
• Web Apps
• SAML 2.0 Apps

Verify Trust for Any Device: Limit Access to Compliant Devices
• Identify corporate-owned & BYOD
• Verify if devices are out-of-date and potentially vulnerable to security risks
• Block device access to critical applications
• Apply policies consistently for any device platform: Windows, macOS, iOS & Android

Improve Security Posture by Informing the User
• End users get a just-in-time notification about out-of-date OS, browsers, Flash and Java
• If users do not update by a certain day, the endpoints are blocked
Learn more about self remediation

SAML: Security Assertion Markup Language
• SAML 2.0 is widely adopted by thousands of cloud applications.
• Once a trust is established between an SP and an IdP, SAML 2.0 requests and responses are used to verify and share user login state with cloud applications.
• SAML federation verifies the authentication state of a user using a logon token (not shared credentials).

Identity Federation (actors: Web Browser, Service Provider (SP), Identity Provider (IdP))
1) Lee navigates to the Salesforce URL
2) Salesforce sends an authentication request to the IdP (SAML Auth request)
3) The IdP verifies Lee is authenticated OR prompts for auth (parses the SAML Auth request & generates a token)
4) Lee's browser is sent to the DAG SSO URL
5) Lee authenticates
6) The DAG redirects Lee's browser to Salesforce to allow access (SAML token response)
7) Lee accesses Salesforce (verified SAML token)

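The seven-step exchange above, as an added example that is not part of the original slides and not Duo or Cisco code: a minimal SP side in Python that builds the AuthnRequest of step 2 for the HTTP-Redirect binding and performs the checks of step 7 on the Response the IdP (the DAG in the slide) sends back. The SP and IdP entity IDs and URLs, the sample Response and the user "lee@example.com" are constructed for this example. XML signature verification of the Assertion (XML-DSig) is assumed to be done by a library before validate_response() runs and is not implemented here; without it every field checked below can be forged.

```python
"""Minimal SAML 2.0 SP side: build an AuthnRequest (step 2) and validate the
Response (step 7). Constructed data only, no network. Added example."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET   # production: defusedxml, to block entity-expansion attacks
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical SP and IdP identifiers (assumptions made for this example)
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/acs"
IDP_ENTITY_ID = "https://dag.example.com/idp"
IDP_SSO_URL = "https://dag.example.com/sso"

class SamlError(Exception):
    """Any SP-side validation failure."""

def _require(ok, msg):
    if not ok:
        raise SamlError(msg)

def _ts(dt):
    return dt.strftime(FMT)

def _parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def build_authn_request(now):
    """Return (request_id, redirect_url) for the HTTP-Redirect binding. The SP must
    remember request_id in the user's session to check InResponseTo later."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_ts(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, as the Redirect binding requires
    deflated = comp.compress(xml.encode()) + comp.flush()
    return request_id, IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

def validate_response(response_xml, expected_request_id, now, skew=timedelta(seconds=120)):
    """Return the NameID once every SP-side check passes, else raise SamlError.
    XML-DSig verification of the Assertion is assumed to run before this call
    (not implemented here); without it an attacker can forge every field below."""
    root = ET.fromstring(response_xml)
    _require(root.tag == f'{{{NS["samlp"]}}}Response', "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == SUCCESS, "status is not Success")
    _require(root.get("InResponseTo") == expected_request_id, "InResponseTo matches no outstanding request")
    assertions = root.findall("saml:Assertion", NS)
    _require(len(assertions) == 1, "expected exactly one Assertion")
    a = assertions[0]
    _require(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "Assertion not from the trusted IdP")
    cond = a.find("saml:Conditions", NS)
    _require(cond is not None, "missing Conditions")
    _require(now + skew >= _parse_ts(cond.get("NotBefore")) and now - skew < _parse_ts(cond.get("NotOnOrAfter")),
             "Assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(SP_ENTITY_ID in audiences, "Assertion issued for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _require(scd is not None and scd.get("Recipient") == ACS_URL and scd.get("InResponseTo") == expected_request_id,
             "SubjectConfirmationData does not match this SP and request")
    _require(now - skew < _parse_ts(scd.get("NotOnOrAfter")), "SubjectConfirmationData expired")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    _require(bool(name_id), "missing NameID")
    return name_id

def sample_response(in_response_to, issued, audience=SP_ENTITY_ID, subject="lee@example.com"):
    """Constructed, unsigned IdP Response for the demo (not a real DAG message)."""
    nb, noa = _ts(issued - timedelta(minutes=1)), _ts(issued + timedelta(minutes=5))
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0" '
            f'IssueInstant="{_ts(issued)}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(issued)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="{noa}"/>'
            f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion></samlp:Response>')

def demo_login(tamper=None):
    """One exchange. tamper: None (clean), 'audience', 'replay' or 'expired'."""
    now = datetime(2019, 3, 5, 9, 0, tzinfo=timezone.utc)
    request_id, _redirect_url = build_authn_request(now)
    resp_id, issued, audience = request_id, now, SP_ENTITY_ID
    if tamper == "audience":
        audience = "https://other-sp.example.net/metadata"   # token minted for another SP
    elif tamper == "replay":
        resp_id = "_" + secrets.token_hex(16)                 # answers a request we never sent
    elif tamper == "expired":
        issued = now - timedelta(hours=1)                     # old token presented again
    try:
        return validate_response(sample_response(resp_id, issued, audience), request_id, now)
    except SamlError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for case in (None, "audience", "replay", "expired"):
        print(case, "->", demo_login(case))
```

The three tampered cases are the classic SP mistakes: accepting a token issued to a different SP (audience), accepting a Response that answers no request the SP sent (replay or injection), and ignoring the validity window. Run it as a script to see the clean login succeed and each tampered one rejected.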
Duo Access Gateway (DAG)
Diagram: Cloud Hosted Services (Internet) --HTTPS 443--> Duo Access Gateway (DMZ, between the perimeter firewall and the internal firewall) --LDAP or SAML--> Active Directory, OpenLDAP, or SAML 2.0 Identity Provider (Internal Network)
About this integration
Definition: Adds 2FA to cloud applications that support SAML by providing SAML connectors and redirecting users to the DAG server on the network.
Other information:
• Used most commonly with SaaS applications
• Applies when the customer doesn't already have a web SSO solution
• Separates primary and secondary authentication
Example integrations

Duo Network Gateway (DNG)
Diagram: Internet --HTTPS 443--> Duo Network Gateway (DMZ, between the perimeter firewall and the internal firewall) --> Internal Web Application (Internal Network); SAML to a SAML 2.0 Identity Provider
About this integration
Definition: Allows users to access on-premises apps and websites without requiring a VPN connection.
Other information:
• Enables access on an app-to-app basis, not access to the entire network
• Requires a SAML IdP for primary authentication
• Currently supports HTTP(S) and SSH, with more protocols to come
Example integrations

Cisco ISE and Duo
Diagram labels: Corporate Network; User; MFA; Device Posture; Compliant Device -> Allow Access; Non-compliant Device -> Self-Remediation / Block; Trusted Device -> Allow Access; Untrusted Device -> Quarantine Access; Cloud SaaS; ISE

Duo Authentication Proxy
About this integration
Definition: Allows application integration with the Duo cloud to enable 2FA for apps that support RADIUS or LDAP.
Other information:
• Used most commonly for VPN and VDI solutions
• Requires customers to install a component in their environment
Diagram: Application or Service Login ("Enter credentials for email access": username, password) -> Application -> Authentication Proxy -> Active Directory (username, password) and Duo Cloud (Duo Push, Phone Call, Passcode; server access to outbound port 443, SSL) -> Accept / Reject
Example integrations

Duo Security with ASA Integration
• "Modify the iframe" and secondary auth: push/phone or SMS; but users do not like a second passcode field on AnyConnect; http://duo.com/docs/cisco
• Alternative configuration: "auto-push" with the Duo Auth Proxy; AnyConnect then has only two fields. http://duo.com/docs/cisco-alt
• SAML integration: no extra passcode field; easy, but it requires minimum ASA 9.7; http://duo.com/docs/ciscoasa-sso

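The "auto-push" alternative on this slide is what the Duo Authentication Proxy from the earlier slide provides through its RADIUS "auto" server mode. The configuration file below is an added illustration, not a fragment from the slides or from Duo's documentation: primary authentication against Active Directory, second factor via the Duo cloud, and a RADIUS listener for the ASA or FTD so the VPN client only needs the two fields. Host names, addresses, the Duo integration keys and the shared secrets are placeholders.

```ini
; authproxy.cfg (added example, placeholder values): Duo Authentication Proxy
; in front of an ASA/FTD remote-access VPN in "auto-push" mode.

[ad_client]
; Primary authentication: the proxy checks username/password against AD.
host=10.0.0.5
host_2=10.0.0.6
service_account_username=svc-duo
service_account_password=REPLACE_ME
search_dn=DC=corp,DC=example,DC=com
; Use LDAPS to the domain controllers and verify their certificate; the
; default transport sends the bind and the user's password in the clear.
transport=ldaps
ssl_ca_certs_file=/opt/duoauthproxy/conf/corp-ca.pem
ssl_verify_hostname=true

[radius_server_auto]
; Second factor: after a successful AD bind the proxy calls the Duo cloud over
; outbound TCP 443 and, in "auto" mode, sends a push (or phone call) itself,
; so the VPN login form needs no extra passcode field.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-xxxxxxxx.duosecurity.com
; Only the ASA/FTD inside address may send RADIUS to the proxy; one secret per NAS.
radius_ip_1=10.0.0.1
radius_secret_1=REPLACE_ME
client=ad_client
port=1812
; What to do when the Duo cloud is unreachable:
;   safe   = allow primary-only logins (fail open, availability first)
;   secure = reject every login until Duo is reachable again (fail closed)
failmode=safe
```

Two points are easy to miss. In auto mode the RADIUS request stays pending until the user answers the push, so the RADIUS server timeout on the ASA or FTD must be raised well above the default (Duo's own guides use 60 seconds); with a short timeout the firewall retransmits and the user gets duplicate pushes. And failmode is a security decision for an Internet-facing VPN: safe keeps staff working during a Duo outage but turns MFA off for its duration, secure keeps MFA but means a Duo outage is a VPN outage; pick one deliberately and document it.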
FTD RA VPN 6.3 and Duo
Diagram: VPN client -> FTD (on premise) --RADIUS--> Duo RADIUS Proxy (on premise) -> AD (or it could be RADIUS as well); Duo RADIUS Proxy --TCP 443--> Duo Cloud

FTD RA VPN Posture and Duo
Diagram labels: VPN; FTD (on premise); RADIUS; ISE; RADIUS; Duo RADIUS Proxy; AD; Duo Cloud

MFA for Windows login and Remote Desktop (RDP) access
Learn how to set up Duo's RDP

Identity Services Engine, ISE, Use Cases
Cisco ISE and AnyConnect
Access Policy: Who, What, How, When, Where, Health, Threats (CVSS)
Cisco ISE: context-aware policy service to control access and threats across wired, wireless and VPN networks. Role-Based Access Control | Guest Access | BYOD | Secure Access; for endpoints and for the network.
Partner ecosystem (SIEM, MDM, NBA, IPS, IPAM, etc.) via pxGrid and APIs.
Cisco AnyConnect: supplicant for wired, wireless and VPN access. Services include posture assessment, malware protection, web security, MAC Security, network visibility and more.

ISE – Session Disconnect
• Differentiate VPN max session time based on AD groups, for example employees (1 week), contractors (1 day), and so on.
• Solution: REST API call in ISE
Diagram: ASA or FTD <-> ISE

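The session-disconnect use case as an added example, not Cisco code and not on the slides: the lifetime policy (employees one week, contractors one day) evaluated over constructed session records, and the ISE MnT "Session Disconnect" CoA call prepared for each session that has overrun. The session field names, the PSN/MAC/disconnect-type URL form and the admin account are assumptions made here; the URL form follows the ISE Monitoring REST API reference and must be checked against your release, and for remote-access VPN sessions confirm which identifier your release expects in place of the MAC.

```python
"""Per-AD-group VPN session lifetime enforced from outside ISE (the "REST API
call" solution on the slide). Added example, not Cisco code: the policy runs on
constructed session records; the CoA disconnect request is built, not sent."""
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Lifetimes from the slide; groups not listed get the strictest value.
LIFETIME = {"Employees": timedelta(days=7), "Contractors": timedelta(days=1)}
FALLBACK = min(LIFETIME.values())
DISCONNECT_DEFAULT, PORT_BOUNCE, PORT_SHUTDOWN = 0, 1, 2   # MnT CoA disconnect types (assumed)

# Constructed active-session records (field names are this example's, not ISE's):
# a poll of the MnT session API would supply the real ones.
NOW = datetime(2019, 3, 5, 12, 0, tzinfo=timezone.utc)
SESSIONS = [
    {"user": "alice", "mac": "00:11:22:33:44:55", "psn": "ise-psn-1",
     "start": NOW - timedelta(days=3), "groups": ["Employees"]},
    {"user": "bob", "mac": "66:77:88:99:aa:bb", "psn": "ise-psn-1",
     "start": NOW - timedelta(days=3), "groups": ["Contractors"]},
    {"user": "carol", "mac": "cc:dd:ee:ff:00:11", "psn": "ise-psn-2",
     "start": NOW - timedelta(hours=20), "groups": ["Contractors", "Employees"]},
    {"user": "dave", "mac": "22:33:44:55:66:77", "psn": "ise-psn-2",
     "start": NOW - timedelta(days=2), "groups": []},
]


def lifetime_for(groups):
    """Most permissive limit among the user's AD groups; FALLBACK if none is known."""
    known = [LIFETIME[g] for g in groups if g in LIFETIME]
    return max(known) if known else FALLBACK


def expired_sessions(sessions, now):
    """Users whose session age exceeds the limit for their groups (sorted by user)."""
    return sorted(s["user"] for s in sessions if now - s["start"] > lifetime_for(s["groups"]))


def coa_disconnect_request(mnt_host, session, admin_user, admin_password, dtype=DISCONNECT_DEFAULT):
    """Return (url, headers) for the MnT Session Disconnect call.
    Assumed form: https://<MnT>/admin/API/mnt/CoA/Disconnect/<PSN>/<MAC>/<type>,
    HTTP basic auth with an admin account that is allowed to use the MnT API.
    Keep that account in a secrets store, not in the script."""
    mac = quote(session["mac"].upper().replace("-", ":"), safe=":")
    url = f"https://{mnt_host}/admin/API/mnt/CoA/Disconnect/{quote(session['psn'])}/{mac}/{dtype}"
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return url, {"Authorization": f"Basic {token}", "Accept": "application/xml"}


if __name__ == "__main__":
    for user in expired_sessions(SESSIONS, NOW):
        session = next(s for s in SESSIONS if s["user"] == user)
        url, _headers = coa_disconnect_request("ise-mnt.example.com", session, "apiuser", "REPLACE_ME")
        print(f"disconnect {user}: {url}")   # send with any HTTPS client, verifying the MnT certificate
```

Run as a script it lists bob (contractor, three days in) and dave (no known group, so held to the strictest limit) for disconnection and leaves alice and carol alone; carol is in both groups and gets the more permissive employee limit, which is the policy choice to confirm with the AD group owners before enforcing it.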
ISE – Location based Authorization
ISE – Location based Authorization
• If the AP is a member of the home network -> ISE provides full access
• Otherwise -> ISE provides limited access, internet only
• Solution:
  • The AP name should contain the name of the location
  • The WLC should send the name of the AP as the Called-Station-ID
  • An LDAP attribute contains the name of the home network
Diagram: AP <-> ISE

ISE with Location based Authorization
1. Set the name of the AP to include the teacher's home school string
2. Configure the WLC to use the AP name as the RADIUS Called-Station-ID
3. Add the LDAP attribute that holds the teacher's home school into ISE
4. Construct a condition that compares strings between the RADIUS dictionary attribute Radius-Called-Station-ID and the LDAP Edu dictionary attribute holding the teacher's home school (attribute sn)
5. Use the condition in an AuthZ policy rule, which is the rule named "location" in my case
6. The RADIUS live log shows that visiting teachers do not match the location rule and are authorized against the default rule

IRFLOW: Authorization based on Threat Level

IRFLOW – Incident Response Flow
• Based on REST API calls
• Flexible integration (Meraki, CMX, ISE, AMP, TG, Umbrella, NGFW, ...)
• For both threat hunting and incident response
• 2 apps: headless.py and app.py
• Three databases: threats_db.json, domains_db.json and hosts_db.json
• Running the headless script first will create and populate these databases
• The headless script will continue to add new IOCs and associated details to the databases on an hourly basis, with auto or manual quarantine services
• Web interface (app.py) at http://localhost:5555
• https://youtu.be/KwFILkVnbEo and https://github.com/CiscoSE/irflow

IRFLOW with TH and IR Building Blocks
Diagram labels: Threat Hunting Information; Incident Response; Threat Grid; "Any" with REST API; AMP for Endpoints; Umbrella; Anywhere, even on your laptop; 3rd party: CTA, CMX, Meraki, NGFW, ISE

Please scan QR code for evaluation of your session!