Cisco Public© 2011 Cisco and/or its affiliates. All rights reserved. 1Cisco Expo
Cisco Expo
2011
Cisco TrustSec Security (CTS) &
Security Group Tagging (SGT)
Techtorial
Jiří Tesař – Cisco
[Slide 2]
• Twitter www.twitter.com/CiscoCZ
• Talk2cisco www.talk2cisco.cz/dotazy
• SMS 732 488 666
[Slide 3]
• TrustSec Solution Overview
• SGT / SGACL Concept
• NDAC Concept
• 802.1AE / SAP Concept
BRKSEC-2046_c1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Introduction
[Slide 6]
Components of the Cisco identity-based access control solution (diagram):
• Catalyst Switch: flexible authentication methods (802.1X, MAB, Web Auth, in any order); Cisco IOS intelligence to provide a phased deployment mode for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode); various authorization methods (VLAN, downloadable ACL, URL redirect, etc.)
• ACS 5.1 over RADIUS, backed by a Directory Server: scalable / flexible policy and authentication server supporting RBAC
• NAC Guest Server: industry-leading guest service server providing full guest access management with Web Authentication
• NAC Profiler: profiling system performing automatic device profiling for unattended devices or any other type of network-attached device
• Endpoint types shown: Guest, Employee, Printer
[Slide 7]
• Network Access Control provides a way to
  Identify who is accessing your network
  Determine how this access is attempted
  Locate where this person is trying to access from
  Evaluate what privilege this person has
• Based on the results, Network Access Control provides
  Admission to the network
  The scope of resources this person can access
  The level of services this person can access
  A record of network usage
[Slide 8]
Cisco Access Control Solution
• Network Address-based Access Control: ACL, VACL, PACL, PBACL etc.
• Network Admission Control (NAC): posture validation, endpoint policy compliance
• Identity-Based Access Control: flexible authentication options (802.1X, MAB, WebAuth, FlexAuth); comprehensive post-admission control options (dACL, VLAN assignment, URL redirect, QoS…); integration of Profiling / Guest Access Services
[Slide 9]
Dynamic VLAN assignment as the authorization result:
• Easiest way to segment traffic
• Most vendors support dynamic VLAN assignment (RFC 3580)
• Need to introduce new VLANs
• New VLAN = new IP scope for the subnet
• Changing the VLAN in authorization means changing the subnet, so the endpoint has to obtain a new DHCP lease
• VLAN ID / name design becomes very complicated
• Static routing policy is required for inter-VLAN communication
• Managing an ACL on every L3 interface for each VLAN becomes complicated
[Slide 10]
Downloadable ACLs (dACL) as the authorization result:
• ACLs managed centrally and provisioned per source IP address / authentication session
• No need to define the endpoint IP address in the ACL
• Pre-authentication interface ACL to integrate with services such as PXE Boot and Wake-On-LAN (WoL) for maintenance
• A destination IP address change needs to be reflected in every ACE
• Possible TCAM exhaustion if a large number of ACEs are configured
[Slide 13]
Cisco TrustSec SGBAC (Security Group Based Access Control)
[Slide 14]
IP-based ACLs: Sources x Destinations x Permissions = ACEs
  Source (S1) * Destinations (D1~D6) * Permissions (4) = 24 ACEs for S1
  Sources (S1~S4) * Destinations (D1~D6) * Permissions (4) = 96 ACEs for S1~S4
  The growing number of ACEs leads to resource consumption on the enforcement point
Diagram: users (sources) S1~S4 and servers (destinations) D1~D6, with the roles Sales, HR, Finance, Managers, IT Admins and HR Rep.
S1 to D1 access control (4 ACEs):
  permit tcp S1 D1 eq https
  permit tcp S1 D1 eq 8081
  permit tcp S1 D1 eq 445
  deny ip S1 D1
Access Control Entries (ACEs) grow as permission statements increase.
[Slide 15]
Security-group-based ACLs: (# of Source SGs) * (# of Dest SGs) * Permissions = # ACEs
  Source SG MGMT A (SGT 10, 1 group) * Dest SGTs (3) * Permissions (4) = 12 ACEs for the MGMT A SGT
  SRC SGTs (4) * DST SGTs (3) * Permissions (4) = 48 ACEs
Diagram: users S1~S4 grouped into source Security Groups MGMT A (SGT 10), MGMT B (SGT 20), HR Rep (SGT 30) and IT Admins (SGT 40); servers D1~D6 grouped into destination Security Groups Sales SRV (SGT 500), HR SRV (SGT 600) and Finance SRV (SGT 700); the SGACL is applied between source and destination groups.
[Slide 16]
Same diagram scaled up: source Security Groups MGMT A (SGT 10), MGMT B (SGT 20), HR Rep (SGT 30), IT Admins (SGT 40), each multiplied by 100 users; destination Security Groups Sales SRV (SGT 400), HR SRV (SGT 500), Finance SRV (SGT 600), each holding 10 network resources. The SGACL count does not change, because the policy is written per group rather than per host.
[Slide 17]
Security Group Based Access Control
  Topology-independent access control based on roles
  Scalable ingress tagging (SGT) / egress filtering (SGACL)
  Centralized policy management / distributed policy enforcement
Confidentiality and Integrity
  Encryption based on IEEE 802.1AE (AES-GCM, 128-bit)
  Wire-rate, hop-by-hop layer 2 encryption
  Key management based on SAP (derived from the 802.11i mechanism), pending standardization in 802.1X-REV
Authenticated Networking Environment
  Endpoint admission enforced via 802.1X authentication, MAB, Web Auth (Cisco Identity compatibility)
  Network device admission control based on 802.1X creates a trusted networking environment
  Only a trusted network device imposes a Security Group Tag
[Slide 18]
SGACL
Security Group Based Access Control allows customers
  To keep the existing logical design at the access layer
  To change / apply policy to meet today's business requirements
  To distribute policy from a central management server
Diagram: a user authenticates via 802.1X/MAB/Web Auth ("I'm a contractor, my group is IT Admin"); the Contractor & IT Admin role is assigned SGT = 100 and the tag is carried across SGT-capable devices toward the Database (SGT = 4) and the IT Server (SGT = 10).
[Slide 19]
Security Group Tag (SGT)
  Unique 16-bit (65K) tag assigned to a unique role
  Represents the privilege of the source user, device, or entity
  Tagged at ingress of the TrustSec domain
SGACL
  Filtered (SGACL) at egress of the TrustSec domain
  No IP address required in the ACE (the IP address is bound to the SGT)
  Policy (ACL) is distributed from the central policy server (ACS) or configured locally on the TrustSec device
Customer Benefits
  Provides topology-independent policy
  Flexible and scalable policy based on user role
  Centralized policy management for dynamic policy provisioning
  Egress filtering reduces the TCAM impact
[Slide 20]
The 802.1AE header, the CMD and the ICV are the L2 802.1AE + TrustSec overhead
  The frame is always tagged at the ingress port of an SGT-capable device
  Tagging takes place before other L2 services such as QoS
  No impact on IP MTU / fragmentation
  L2 frame MTU impact: ~40 bytes, less than a baby giant frame (~1600 bytes with a 1552-byte MTU)
Ethernet frame fields:
  DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
  Encrypted: 802.1Q through PAYLOAD. Authenticated (covered by the ICV): DMAC through PAYLOAD, so the SGT inside the CMD cannot be altered on the link without detection.
Cisco Meta Data (CMD) fields:
  CMD EtherType (0x8909) | Version | Length | SGT Option Type | SGT Value | Other CMD Options
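The frame layout above, read back from raw bytes, as an added example that is not part of the original slides and not Cisco code. The EtherType values 0x8100 (802.1Q), 0x88E5 (802.1AE SecTAG) and 0x8909 (Cisco Meta Data) are the registered ones; the SGT option type 0x0001, the rule that every CMD option is a 4-byte type/value pair, and the reading of the CMD Length field as a count of 4-byte option words are assumptions of this example, and the sample frames are constructed by hand.

```python
"""Read the Security Group Tag out of a Cisco Meta Data (CMD) header.

Added example (not from the slides, not Cisco code); see the lead-in for the
assumptions. Layout followed: DMAC | SMAC | [802.1AE] | [802.1Q] | CMD | ETYPE | PAYLOAD.
"""
import struct
from typing import Optional

ETH_8021Q = 0x8100
ETH_MACSEC = 0x88E5       # 802.1AE SecTAG EtherType
ETH_CMD = 0x8909          # Cisco Meta Data EtherType
SGT_OPTION_TYPE = 0x0001  # assumption: CMD option type that carries the SGT
SGT_UNKNOWN = 0           # slides 32/62: SGT 0 means "Unknown"


def _u16(frame: bytes, off: int) -> int:
    if off + 2 > len(frame):
        raise ValueError("frame truncated at offset %d" % off)
    return struct.unpack_from("!H", frame, off)[0]


def decode_sgt(frame: bytes) -> dict:
    """Return vlan, sgt, inner ethertype and whether the frame is MACsec-protected.

    An untagged frame yields SGT 0 (Unknown), which is what an enforcement point
    assumes for traffic from a device that does not impose a tag.
    """
    info = {"vlan": None, "sgt": None, "ethertype": None, "encrypted": False}
    off = 12                                  # skip DMAC + SMAC
    etype = _u16(frame, off)
    if etype == ETH_MACSEC:
        # With 802.1AE the 802.1Q tag, CMD and payload lie in the encrypted
        # region (slide 20): the SGT cannot be read without the link key.
        info["encrypted"], info["ethertype"] = True, etype
        return info
    if etype == ETH_8021Q:
        info["vlan"] = _u16(frame, off + 2) & 0x0FFF   # VLAN ID = low 12 bits of TCI
        off += 4
        etype = _u16(frame, off)
    if etype != ETH_CMD:
        info["ethertype"], info["sgt"] = etype, SGT_UNKNOWN
        return info
    ver_len = _u16(frame, off + 2)            # Version byte, then Length byte
    info["cmd_version"] = ver_len >> 8
    off += 4
    opt_end = off + 4 * (ver_len & 0xFF)      # assumption: Length counts 4-byte option words
    sgt = SGT_UNKNOWN
    while off + 4 <= opt_end:                 # assumption: every option is a type/value pair
        opt_type, opt_val = _u16(frame, off), _u16(frame, off + 2)
        if opt_type == SGT_OPTION_TYPE:
            sgt = opt_val
        off += 4
    info["sgt"] = sgt
    info["ethertype"] = _u16(frame, opt_end)  # the original EtherType follows the CMD
    return info


def build_cmd_frame(sgt: int, vlan: Optional[int] = None,
                    ethertype: int = 0x0800, payload: bytes = b"\x45") -> bytes:
    """Build a clear-text frame carrying `sgt` in a CMD header (constructed test data)."""
    frame = bytes.fromhex("0050c2000001") + bytes.fromhex("005056bc14ae")  # DMAC, SMAC
    if vlan is not None:
        frame += struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF)
    frame += struct.pack("!HBBHH", ETH_CMD, 1, 1, SGT_OPTION_TYPE, sgt)   # CMD: ver 1, len 1
    return frame + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    print(decode_sgt(build_cmd_frame(5, vlan=100)))
```

Feed it raw frame bytes from a capture on a TrustSec-capable uplink: untagged frames decode to SGT 0 (Unknown) and MACsec-protected ones are reported as opaque. A readable tag is not by itself evidence that the tag is legitimate; that is what NDAC (slides 62-63) establishes for the link the frame arrived on.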
[Slide 21]
SGT Assignment
[Slide 23]
Step 1: ACS populates its SGT policy. ACS is configured with the policy, and every endpoint needs to be mapped to an SGT in that policy.
Diagram: ACS 5.x with a Directory Service; Campus Access (User A, User C) and Data Center (Server A, Server B, Server C) inside the TrustSec-enabled network.
User to Role Mapping:
  AD User | Role | SGT
  User A | Contractor | 10
  User B | Finance | 20
  User C | HR | 30
Server to Role Mapping:
  Server | Role | IP | SGT
  HTTP Server | Server Group A | 10.1.100.111 | 111
  File Server | Server Group B | 10.1.100.222 | 222
  SQL Server | Server Group C | 10.1.200.3 | 333
[Slide 24]
Step 2: SGTs are assigned to the role and bound to the IP address (same user and server mappings as in Step 1).
  With 802.1X / MAB / Web Authentication, the SGT is assigned in an authorization policy via RADIUS
  The access device snoops ARP and/or DHCP for the authenticated MAC address, then binds the assigned SGT to the snooped IP address
  For servers, IP addresses are bound to the SGT statically on the access switch or looked up dynamically on ACS using the IPM feature
Diagram: User A is bound to SGT 10 and User C to SGT 30; Server A, B and C are bound to SGTs 111, 222 and 333.
[Slide 25]
Step 3: ACS provisions the egress policy (SGT matrix) to the TrustSec-capable devices. Each TrustSec-capable device downloads its policy from the central policy server, i.e. the ACS server.
SRC \ DST | Server A (111) | Server B (222) | Server C (333)
User A (10) | Permit all | Deny all | Deny all
User B (20) | SGACL-B | SGACL-C | Deny all
User C (30) | Deny all | Permit all | SGACL-D
SGACL-D:
  permit tcp src dst eq 1433    # destination SQL permit
  permit tcp src eq 1433 dst    # source SQL permit
  permit tcp src dst eq 80      # web permit
  permit tcp src dst eq 443     # secure web permit
  deny all
[Slide 26]
Step 4: Now the TrustSec network is ready to enforce the policy (same matrix as in Step 3).
  The user's traffic is tagged at the ingress of the TrustSec domain
  The SGT is carried as the packet traverses the domain: CMD-tagged traffic inside the domain, untagged traffic outside it
  At the egress port, the TrustSec device looks up its local policy and drops the packet if needed
[Slide 27]
Step 5: SGACL allows topology-independent access control (same matrix and SGACL-D as in Step 3).
  Even if another user connects on the same VLAN as in the previous example, his traffic is tagged differently
  If the traffic is destined to restricted resources, the packet is dropped at the egress port of the TrustSec domain
  In the diagram, the web traffic and SQL traffic from User C (30) to Server C (333) are the flows SGACL-D permits
[Slide 28]
Campus / mobile endpoints
  Every endpoint that touches the TrustSec domain is classified with an SGT
  Full integration with the Cisco Identity Solution: just like VLAN assignment or a dACL, the SGT is assigned in the authorization process
  The SGT can be sent to the switch via RADIUS authorization after:
  • 802.1X Authentication
  • MAC Authentication Bypass
  • Web Authentication
  • or by static IP-to-SGT binding on the switch
Data Center / servers
  Every server that touches the TrustSec domain is classified with an SGT
  The SGT is usually assigned to those servers:
  • via manual IP-to-SGT binding on a TrustSec device
  • via IP-to-Port mapping
[Slide 31]
Dynamic IP-to-SGT binding on the access switch (802.1X):
1. The IT Admin endpoint (MAC 0050.56BC.14AE) authenticates via 802.1X; the Access Switch relays the authentication over RADIUS to ACS 5.0: Auth OK!
2. Access-Accept with VSA "IT Admin: SGT (5)", encoded as cisco-av-pair=cts:security-group-tag=0005-01, i.e. <sgt-value-in-hex>-<rev#>
3. Port open! Switch table: MAC Address 0050.56BC.14AE | Port Gig1/0/1 | SGT 5
4. DHCP Request / Response; ARP snooping (IP Device Tracking) learns 10.1.10.102/24
5. Switch table: MAC Address 0050.56BC.14AE | Port Gig1/0/1 | SGT 5 | IP Address 10.1.10.102
6. The Access Switch now has the IP-to-SGT binding: IP Address 10.1.10.102 | SGT 5
[Slide 32]
SGT values are assigned automatically starting from 2. SGT 0 is the special SGT for Unknown.
[Slide 33]
Select "Security Group" for the Authorization Results (not selected by default).
[Slide 34]
Elements of an authorization rule in ACS: Rule Name, Condition Statement, Authorization Profile, SGT.
[Slide 35]
Security Group configuration and the Authorization Policy for 802.1X Access.
[Slide 36]
Create SGTs for servers just like creating SGTs for end-user roles.
[Slide 37]
Lab topology: a Catalyst 3750-E access switch (802.1X, MAB, LWA) with users and endpoints Doctor (SGT 7), IT Admin (SGT 5) and an agent-less device; Campus Network; Nexus 7000 Core; Nexus 7000 Distribution; Catalyst 4948 in the data center; ACS v5.1 with Active Directory. Servers: IT Portal (SGT 4) 10.1.100.10 on VLAN100; Public Portal (SGT 8) 10.1.200.10, Internal Portal (SGT 9) 10.1.200.200 and Patient Record DB (SGT 10) 10.1.200.100 on VLAN200. SXP carries the access-switch bindings toward the data center; frames are untagged in the campus and tagged (e.g. SGT=7) where SGT enforcement happens.
SGTs can be assigned statically on the switch that performs SGACL enforcement:
  cts role-based sgt-map 10.1.100.10 sgt 4
  cts role-based sgt-map 10.1.200.10 sgt 8
  cts role-based sgt-map 10.1.200.100 sgt 10
  cts role-based sgt-map 10.1.200.200 sgt 9
IOS CLI: cts role-based sgt-map <ip_address> sgt <sgt_value>
NX-OS CLI: cts role-based sgt-map <ip_address> <sgt_value>
[Slide 38]
SGT Exchange Protocol (SXP)
[Slide 39]
• SGT native tagging requires hardware (ASIC) support
• Devices without TrustSec-capable hardware can still receive SGT attributes from ACS for authenticated users or devices, and then forward the IP-to-SGT binding to a TrustSec/SGACL-capable device for tagging and enforcement
• The SGT eXchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and TrustSec-incapable devices
• Currently supported on Catalyst 6500, 4500/4900, 3560/3750 and Nexus 7000 switches
• Based on TCP with MD5 authentication (TCP MD5 signature option with a shared password); since a listener turns received bindings straight into IP-to-SGT entries that drive SGACL decisions, the SXP password deserves the same handling as a routing-protocol key
• Supports single-hop or multi-hop SXP
• SXP accelerates the initial deployment of SGT/SGACL without an immediate hardware upgrade
[Slide 41]
SXP operation (diagram: ACS 5.x with Directory Service, Data Center servers 111 / 222 / 333, User A tagged 10 and User C tagged 30):
  A TCP-based SXP connection is established between the non-TrustSec-capable and the TrustSec-capable device
  The user is assigned an SGT
  The switch binds the endpoint IP address to the assigned SGT
  The switch uses SXP to send its binding table to the TrustSec-capable device
  The TrustSec-capable device tags packets based on the source IP address when the packet appears in its forwarding path
SXP IP-SGT Binding Table on the TrustSec-capable device:
  IP Address | SGT | Interface
  10.1.10.1 | 10 | Gig 2/10
  10.1.30.4 | 30 | Gig 2/11
Traffic is untagged between the endpoint and the non-TrustSec-capable device and CMD-tagged from the TrustSec-capable device onward.
[Slide 42]
Single-hop SXP: TrustSec-enabled SW (Speaker, in the non-TrustSec domain) --SXP--> TrustSec-capable HW (Listener); both are clients of ACS 5.x.
Multi-hop SXP: TrustSec-enabled SW (Speaker) --SXP--> TrustSec-enabled SW (Listener toward the first hop, Speaker toward the next) --SXP--> TrustSec-capable HW (Listener); further TrustSec-enabled switches can feed the intermediate switch as additional Speakers.
[Slide 44]
SXP configuration: Catalyst 6500 (CTS6K-AS, 10.1.3.2, Speaker) in the non-TrustSec domain and Nexus 7000 (CTS7K-DC, 10.1.3.1, Listener).
Catalyst 6500, IOS (the mode keyword names the peer's role, so this box is the speaker):
CTS6K-AS(config)#cts sxp enable
CTS6K-AS(config)#cts sxp default password <password>
CTS6K-AS(config)#cts sxp connection peer 10.1.3.1 source 10.1.3.2 password default mode peer listener
Nexus 7000, NX-OS (listener side):
CTS7K-DC(config)#cts sxp enable
CTS7K-DC(config)#cts sxp connection peer 10.1.3.2 source 10.1.3.1 password required <password> mode speaker
[Slide 45]
Verifying the SXP connection (Catalyst 6500 speaker at 10.1.3.2, Nexus 7000 listener at 10.1.3.1):
CTS6K-AS#show cts sxp connections
SXP : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP : 10.1.3.1
Source IP : 10.1.3.2
Conn status : On
Local mode : SXP Speaker
Connection inst# : 1
TCP conn fd : 1
TCP conn password: default SXP password
Duration since last state change: 5:21:56:26 (dd:hr:mm:sec)
CTS7K-DC# show cts sxp
CTS SXP Configuration:
SXP enabled
SXP retry timeout:60
SXP reconcile timeout:120
[Slide 46]
Brief connection status on both sides:
CTS7K-DC# show cts sxp connection
PEER_IP_ADDR  VRF      PEER_SXP_MODE  SELF_SXP_MODE  CONNECTION STATE
10.1.3.2      default  speaker        listener       connected

CTS6K-AS#show cts sxp connections brief
SXP : Enabled
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
-----------------------------------------------------------------------------
Peer_IP      Source_IP    Conn Status   Duration
-----------------------------------------------------------------------------
10.1.3.1     10.1.3.2     On            6:00:09:13 (dd:hr:mm:sec)
Total num of SXP Connections = 1
[Slide 47]
Same lab topology as slide 37. If the access switch supports SXP, it can send its IP-to-SGT binding table to the SGT-capable device (e.g. the Nexus 7000). Two SXP connections are shown, each with the access-side switch as Speaker and the Nexus 7000 as Listener.
Locally learned bindings on the Catalyst 3750-E (SXP speaker):
  IP Address | SGT | Source
  10.1.10.102 | 5 | LOCAL
  10.1.10.110 | 14 | LOCAL
  10.1.99.100 | 12 | LOCAL
Statically configured bindings on the enforcing switch:
  IP Address | SGT | Source
  10.1.100.10 | 4 | CLI
  10.1.200.10 | 8 | CLI
  10.1.200.100 | 10 | CLI
  10.1.200.200 | 9 | CLI
[Slide 48]
Same lab topology as slide 37. When the SGT-capable device (Nexus 7000) receives a packet, it looks up the source IP address in its IP-to-SGT binding table and inserts the SGT into the frame as it leaves the egress port: an untagged frame with SRC=10.1.10.102 exits tagged with SGT=5.
IP-to-SGT binding table on the Nexus 7000 (entries learned via SXP):
  IP Address | SGT | Source
  10.1.10.102 | 5 | SXP
  10.1.10.110 | 14 | SXP
  10.1.99.100 | 12 | SXP
[Slide 51]
• How the SGT is assigned to a role dynamically (Cat6503 access switch, SXP to an NX7010):
  1. The HR Admin endpoint (MAC 0050.56BC.14AE) authenticates via 802.1X; the Cat6503 relays it over RADIUS to ACS 5.0: Auth OK!
  2. Access-Accept with VSA: HR Admin: SGT (6/0006)
  3. Port open! Switch table: MAC Address 0050.56BC.14AE | Port Fa2/12 | SGT 6/0006
  4. DHCP Request / Response; DHCP snooping / ARP snooping learns 10.1.10.100/24
  5. Switch table: MAC Address 0050.56BC.14AE | Port Fa2/12 | SGT 6/0006 | IP Address 10.1.10.100
  6. The binding is sent over SXP into the NX7010 binding table; the NX7010 tags traffic from SRC 10.1.10.100 toward 10.1.200.100 with SGT 6/0006
[Slide 53]
SGACL Policy
[Slide 54]
Same lab topology as slide 37: dynamic SGT assignment for endpoints at the Catalyst 3750-E (802.1X, MAB, LWA; Doctor SGT 7, IT Admin SGT 5) and static SGT assignment for the data center servers (IT Portal SGT 4, Public Portal SGT 8, Internal Portal SGT 9, Patient Record DB SGT 10).
[Slide 55]
Egress policy matrix for the lab. Destination SGTs: IT Portal (SGT 4), Public Portal (SGT 8), Internal Portal (SGT 9), Patient Record DB (SGT 10). Cell contents are listed in the order they were extracted; the column order is not recoverable from the transcript.
  Doctor (SGT 7): Web; Web; No Access; Web, File Share
  IT Admin (SGT 5): Web, SSH, RDP, File Share; Web, SSH, RDP, File Share; Full Access; SSH, RDP, File Share (IT Maintenance ACL)
IT Maintenance ACL:
  permit tcp dst eq 443
  permit tcp dst eq 80
  permit tcp dst eq 22
  permit tcp dst eq 3389
  permit tcp dst eq 135
  permit tcp dst eq 136
  permit tcp dst eq 137
  permit tcp dst eq 138
  permit tcp dst eq 139
  deny ip
[Slide 56]
(ACS egress policy configuration screenshot with numbered callouts 1, 2 and 3)
[Slide 57]
• Policy is downloaded to SGT-capable hardware (e.g. the Nexus 7000 switch) when:
  • the device first authenticates to ACS (via NDAC)
  • the policy timer expires (by default 1 day)
  • it is queried manually from ACS (cts refresh role-based-policy)
  • a new IP-to-SGT mapping is configured manually on the switch
  • a new SGT is seen on an interface of the device doing SGACL enforcement and the current SGACL policy on the switch has no entry for this source SGT
[Slide 58]
Same lab topology as slide 37. Policy downloaded to the Nexus 7000 for IT Admin (SGT 5):
CTS7K-DC# show cts role-based policy
sgt:5
dgt:4 rbacl:Permit IP
permit ip
sgt:5
dgt:8 rbacl:Permit IP
permit ip
sgt:5
dgt:9 rbacl:Permit IP
permit ip
sgt:5
dgt:10 rbacl:IT_Maintenance_ACL
permit tcp dst eq 20 log
permit tcp dst eq 21 log
permit tcp dst eq 22 log
permit tcp dst eq 445 log
permit tcp dst eq 135 log
permit tcp dst eq 136 log
permit tcp dst eq 137 log
permit tcp dst eq 138 log
permit tcp dst eq 139 log
permit tcp dst eq 3389 log
permit icmp log
deny ip
<skip>
[Slide 59]
Same lab topology as slide 37. Enable SGACL enforcement on the Nexus 7000 so that, for example, web traffic from IT Admin (SGT 5) is checked against the matrix:
NX-OS CLI: cts role-based enforcement
[Slide 60]
Same lab topology as slide 37. RBACL hit counters on the Nexus 7000 after the IT Admin (SGT 5) web traffic:
CTS7K-DC# show cts role-based counters sgt 5
RBACL policy counters enabled
Counters last cleared: 04/20/2010 at 11:20:58 PM
sgt:5 dgt:4 [1555]
rbacl:Permit IP
permit ip [1555]
sgt:5 dgt:8 [1483]
rbacl:Permit IP
permit ip [1483]
sgt:5 dgt:9 [1541]
rbacl:Permit IP
permit ip [1541]
sgt:5 dgt:10 [1804]
rbacl:IT_Maintenance_ACL
permit tcp dst eq 20 log [0]
permit tcp dst eq 21 log [3]
permit tcp dst eq 22 log [3]
permit tcp dst eq 445 log [0]
permit tcp dst eq 135 log [0]
permit tcp dst eq 136 log [0]
permit tcp dst eq 137 log [0]
permit tcp dst eq 138 log [0]
permit tcp dst eq 139 log [0]
permit tcp dst eq 3389 log [251]
permit icmp log [1547]
deny ip [0]
CLI available on NX-OS 5.0
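The pieces the deck shows separately, put together in one model, as an added example that is not from the slides and not Cisco code: the SGT carried in the RADIUS av-pair (slide 31), bindings learned locally, configured by CLI or received over SXP (slides 47 and 48), the policy for IT Admin (SGT 5) as printed by show cts role-based policy (slide 58), and per-ACE hit counters as on slide 60. Addresses and SGTs are the lab values from slides 37 and 47. One assumption: a source/destination pair with no matrix cell falls through to a default RBACL, which this lab sets to deny ip; on real gear the default (ANY/ANY) policy you configure decides that.

```python
"""Egress enforcement model: IP-to-SGT bindings plus SGACL matrix (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SGT_UNKNOWN = 0  # slides 32/62: SGT 0 is the special "Unknown" tag
AVPAIR_RE = re.compile(r"cts:security-group-tag=([0-9A-Fa-f]{1,4})-(\d+)")
ACE_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp|icmp)(?:\s+dst\s+eq\s+(\d+))?(\s+log)?$")


def parse_sgt_avpair(avpair: str) -> int:
    """'cisco-av-pair=cts:security-group-tag=0005-01' -> 5 (the -01 generation is dropped)."""
    m = AVPAIR_RE.search(avpair)
    if not m:
        raise ValueError("not an SGT av-pair: %r" % avpair)
    return int(m.group(1), 16)


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None = any port
    log: bool = False
    hits: int = 0            # per-ACE counter, as in show cts role-based counters

    def matches(self, proto: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def parse_rbacl(text: str) -> List[Ace]:
    """Parse RBACL lines in the syntax of the show cts role-based policy output."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported ACE syntax: %r" % line)
        action, proto, port, log = m.groups()
        aces.append(Ace(action, proto, int(port) if port else None, bool(log)))
    return aces


class BindingTable:
    """IP-to-SGT bindings with their provenance: LOCAL, CLI or SXP (slides 47/48)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[int, str]] = {}

    def learn(self, ip: str, sgt: int, source: str) -> None:
        self.entries[ip] = (sgt, source)

    def sgt_for(self, ip: str) -> int:
        return self.entries.get(ip, (SGT_UNKNOWN, ""))[0]

    def sxp_export(self) -> List[Tuple[str, int]]:  # SXP speaker: advertise all bindings
        return [(ip, sgt) for ip, (sgt, _) in self.entries.items()]

    def sxp_import(self, bindings: List[Tuple[str, int]]) -> None:  # SXP listener side
        for ip, sgt in bindings:
            self.learn(ip, sgt, "SXP")


class EnforcementPoint:
    """SGT-capable switch: resolve src/dst SGT from bindings, then apply the matrix cell."""

    def __init__(self, default_rbacl: List[Ace]) -> None:
        self.bindings = BindingTable()
        self.policy: Dict[Tuple[int, int], Tuple[str, List[Ace]]] = {}
        self.default = ("default", default_rbacl)

    def decide(self, src_ip: str, dst_ip: str, proto: str, dst_port: Optional[int] = None) -> bool:
        sgt, dgt = self.bindings.sgt_for(src_ip), self.bindings.sgt_for(dst_ip)
        _, aces = self.policy.get((sgt, dgt), self.default)
        for ace in aces:
            if ace.matches(proto, dst_port):
                ace.hits += 1
                return ace.action == "permit"
        return False  # implicit deny at the end of every RBACL


# IT_Maintenance_ACL exactly as printed on slide 58
IT_MAINTENANCE_ACL = "\n".join(
    ["permit tcp dst eq %d log" % p for p in (20, 21, 22, 445, 135, 136, 137, 138, 139, 3389)]
    + ["permit icmp log", "deny ip"])


def build_lab() -> EnforcementPoint:
    """Nexus 7000 from slides 37/47/58: CLI server bindings, SXP endpoint bindings, SGT 5 policy."""
    n7k = EnforcementPoint(default_rbacl=parse_rbacl("deny ip"))  # assumed default cell
    for ip, sgt in [("10.1.100.10", 4), ("10.1.200.10", 8), ("10.1.200.100", 10), ("10.1.200.200", 9)]:
        n7k.bindings.learn(ip, sgt, "CLI")           # cts role-based sgt-map (slide 37)
    access = BindingTable()                           # Catalyst 3750-E, SXP speaker
    access.learn("10.1.10.102", parse_sgt_avpair("cisco-av-pair=cts:security-group-tag=0005-01"), "LOCAL")
    access.learn("10.1.10.110", 14, "LOCAL")
    access.learn("10.1.99.100", 12, "LOCAL")
    n7k.bindings.sxp_import(access.sxp_export())      # slide 48: these now show source SXP
    for dgt in (4, 8, 9):
        n7k.policy[(5, dgt)] = ("Permit IP", parse_rbacl("permit ip"))
    n7k.policy[(5, 10)] = ("IT_Maintenance_ACL", parse_rbacl(IT_MAINTENANCE_ACL))
    return n7k
```

The decide() path is the egress lookup of slide 26: both SGTs come from the binding table, not from the packet, so a source the table has never seen (here 10.1.99.1) is evaluated as SGT 0 and hits the default cell. Running the RDP flow once leaves the 3389 ACE with a hit count of 1, which is what the counters on slide 60 report per ACE.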
[Slide 61]
Network Device Admission Control (NDAC)
[Slide 62]
• Any member of the TrustSec domain needs to establish a trust relationship with its peer; otherwise it is not trusted
• Only an SGT from a trusted member can be "trusted" and processed by its peer
• An SGT from an untrusted device is treated as "Unknown", a special SGT (value zero)
• The process of authenticating an endpoint is called "Endpoint Admission Control" (e.g. SGT tagging via 802.1X)
• The process of authenticating a network device is called "Network Device Admission Control", NDAC for short
[Slide 63]
NDAC
  Network Device Admission Control (NDAC) provides strong mutual authentication (EAP-FAST) to form the trusted domain
  Only an SGT from a trusted peer is honored
  Authentication leads to the Security Association Protocol (SAP), which negotiates keys and the cipher suite for encryption automatically (mechanism derived from 802.11i)
  802.1X-REV will succeed and replace SAP
  A trusted device acquires trust and policies from the ACS server
Customer Benefits
  Mitigates rogue network devices and establishes a trusted network fabric, ensuring the integrity of the SGT and of the privilege it represents
  Automatic key and cipher suite negotiation for strong 802.1AE-based encryption
[Slide 64]
NDAC validates the peer's identity before the peer joins the circle of trust!
  The first device to authenticate against ACS is called the TrustSec Seed Device
  The Seed Device becomes the authenticator for its peer supplicant
  A role determination process selects the Authenticator and Supplicant roles
  NDAC utilizes EAP-FAST / MSCHAPv2
  The credential (including the PAC) is stored in the hardware key store
Diagram: Seed Device <-- EAP-FAST over RADIUS --> ACS 5.x; the authorization returns the PAC, environment data and policy.
[Slide 65]
  As a device connects to its peer, the TrustSec domain expands its border of trust
  If the device is not connected to ACS directly, it is called a non-Seed Device
  The first peer to gain ACS server connectivity wins the authenticator role
  In case of a tie, the lower MAC address wins
Diagram: ACS 5.x -- Seed Device (Authenticator) --802.1X NDAC-- Non-Seed Device (Supplicant toward the seed, Authenticator toward the next hop) --802.1X NDAC-- Non-Seed Device (Supplicant).
[Slide 66]
Seed Device configuration (CTS7K-DC, registered with ACS 5.1):
CTS7K-DC(config)# feature dot1x
CTS7K-DC(config)# feature cts
CTS7K-DC(config)# cts device-id CTS7K-DC password trustsec123
CTS7K-DC(config)# radius-server host 10.1.100.3 key cisco123 pac
CTS7K-DC(config)# aaa group server radius cts-radius-grp
CTS7K-DC(config-radius)# server 10.1.100.3
CTS7K-DC(config-radius)# use-vrf default
CTS7K-DC(config-radius)# exit
CTS7K-DC(config)# aaa authentication dot1x default group cts-radius-grp
CTS7K-DC(config)# aaa authorization cts default group cts-radius-grp
CTS7K-DC(config)# aaa accounting dot1x default group cts-radius-grp
Topology: CTS7K-DC 10.1.100.1/24 has L3 connectivity to CTS-ACS1 10.1.100.3/24. RADIUS shared secret: cisco123. Device ID / password: CTS7K-DC / trustsec123.
[Slide 67]
Non-Seed Device configuration (CTS7K-CORE, authenticating through the Seed Device CTS7K-DC to ACS 5.1):
CTS7K-CORE(config)# feature dot1x
CTS7K-CORE(config)# feature cts
CTS7K-CORE(config)# cts device-id CTS7K-CORE password trustsec123
CTS7K-CORE(config)# interface eth1/15
CTS7K-CORE(config-if)# cts dot1x
CTS7K-CORE(config-if)# shut
CTS7K-CORE(config-if)# no shut
CTS7K-CORE(config-if)# end
Topology: CTS7K-DC (10.1.100.1) reaches CTS-ACS1 (10.1.100.3) on 10.1.100.0/24; the CTS7K-DC to CTS7K-CORE link is 10.1.50.0/24 with CTS7K-DC at .2 and CTS7K-CORE at .1. Device ID / password: CTS7K-CORE / trustsec123.
The same interface command (cts dot1x) needs to be configured on the other end of the link, on CTS7K-DC.
[Slide 72]
NDAC / SAP sequence between the Supplicant Device (joining the TrustSec-enabled network), the Authenticator Device and ACS 5.0:
  1. Role determination (which side is the authenticator and which the supplicant)
  2. Device authentication: EAPOL (EAP-FAST) between supplicant and authenticator, RADIUS between authenticator and ACS; the EAP-FAST tunnel is built, authentication runs inside it, then the tunnel is torn down
  3. Policy acquisition from ACS
  4. Key establishment (SAP)
  5. On-going key refresh (SAP)
• The Security Association Protocol (SAP) negotiates the keys and the cipher suite for encryption automatically
• Negotiation starts after successful authentication / authorization for NDAC
• At the end of SAP, both supplicant and authenticator hold the same session key
• The session key is used to encrypt traffic on the link
• The session key is derived from the PMK (learned by both devices from ACS during authentication) and random numbers exchanged during SAP
• Rekeying is performed periodically
• SAP negotiates the cipher suite. The following modes are available:
SAP Mode: Description
GCM: Galois / Counter Mode (GCM) encryption and authentication mode (default)
GMAC: GCM authentication mode (no encryption)
No Encapsulation: no encapsulation and no security group tag (SGT) insertion
Null: encapsulation without authentication or encryption
CTS7K-DS 10.1.50.1
interface Ethernet1/15
cts manual
policy static sgt 0x0002 trusted
sap pmk 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
ip address 10.1.50.2/24
ip router eigrp lab
no shutdown
CTS7K-CORE 10.1.50.2
interface Ethernet1/3
cts manual
policy static sgt 0x000A trusted
sap pmk 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
ip address 10.1.50.1/24
ip router eigrp lab
no shutdown
• SAP can be configured manually per port
• No ACS is involved
• The 32-byte PMK (Pairwise Master Key) needs to match on both sides
• The same SAP modes are available for manual keying
• Make sure the device SGT and the trusted keyword are configured
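As an added example (not code from the slides or from Cisco), the following Python checks the two sides of a manually keyed link for the pitfalls the bullets above name: missing cts manual, a PMK that is not 32 bytes, PMKs that differ between the ends, and a static SGT without the trusted keyword. The sample interface blocks are constructed from the slide, with the wrapped PMK joined onto one line; the parsing regexes are an assumption about NX-OS running-config layout.

```python
import re

# Constructed sample: the two 'cts manual' blocks from the slide, PMK re-joined onto one line.
END_A = """\
interface Ethernet1/15
  cts manual
    policy static sgt 0x0002 trusted
    sap pmk 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
"""
END_B = """\
interface Ethernet1/3
  cts manual
    policy static sgt 0x000A trusted
    sap pmk 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
"""

PMK_RE = re.compile(r"^\s*sap pmk\s+(\S+)", re.M)
SGT_RE = re.compile(r"^\s*policy static sgt\s+(\S+)(\s+trusted)?", re.M)

def _sgt(s: str) -> int:
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)

def parse_cts_manual(config: str) -> dict:
    """Extract the manual-SAP settings from one interface block."""
    if not re.search(r"^\s*cts manual\s*$", config, re.M):
        return {"cts_manual": False}
    pmk, sgt = PMK_RE.search(config), SGT_RE.search(config)
    return {"cts_manual": True,
            "pmk": pmk.group(1).lower() if pmk else None,
            "sgt": _sgt(sgt.group(1)) if sgt else None,
            "trusted": bool(sgt and sgt.group(2))}

def check_manual_link(end_a: str, end_b: str) -> list:
    """Return the problems found; an empty list means the link should come up."""
    problems, ends = [], {"A": parse_cts_manual(end_a), "B": parse_cts_manual(end_b)}
    for name, end in ends.items():
        if not end["cts_manual"]:
            problems.append(f"{name}: 'cts manual' missing")
            continue
        # 32-byte PMK = 64 hex characters, and it must be identical on both ends
        if end["pmk"] is None or not re.fullmatch(r"[0-9a-f]{64}", end["pmk"]):
            problems.append(f"{name}: sap pmk must be 32 bytes (64 hex characters)")
        if end["sgt"] is None:
            problems.append(f"{name}: 'policy static sgt' missing")
        elif not end["trusted"]:
            problems.append(f"{name}: peer SGT configured without 'trusted'")
    if not problems and ends["A"]["pmk"] != ends["B"]["pmk"]:
        problems.append("PMK mismatch between the two ends")
    return problems
```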
CTS7K-DS 10.1.50.1
CTS7K-DC-CTS7K-CORE# show cts interface ethernet 1/15
CTS Information for Interface Ethernet1/15:
CTS is enabled, mode: CTS_MODE_MANUAL
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SKIPPED_CONFIG
Peer Identity:
Peer is: Unknown in manual mode
802.1X role: CTS_ROLE_UNKNOWN
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SKIPPED_CONFIG
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853520000 an:0
Current transmit SPI: sci:18bad853460000 an:0
CTS7K-CORE 10.1.50.1
CTS7K-DC# show cts interface eth1/3
CTS Information for Interface Ethernet1/3:
CTS is enabled, mode: CTS_MODE_MANUAL
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SKIPPED_CONFIG
Peer Identity:
Peer is: Unknown in manual mode
802.1X role: CTS_ROLE_UNKNOWN
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SKIPPED_CONFIG
PEER SGT: 10
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:18bad853460000 an:0
Current transmit SPI: sci:18bad853520000 an:0
802.1AE Customer Benefits
• TrustSec provides Layer 2 hop-by-hop encryption and integrity, based on the IEEE 802.1AE standard
• 128-bit AES-GCM (Galois/Counter Mode), NIST approved *
• Line-rate encryption / decryption for both 10GbE and 1GbE interfaces
• Replay protection of each and every frame
• 802.1AE encryption protects the CMD field (SGT value)
• Protects against man-in-the-middle attacks (snooping, tampering, replay)
• Standards-based frame format and algorithm (AES-GCM)
• Network-service-amenable hop-by-hop approach compared to an end-to-end approach (e.g. Microsoft Domain Isolation / IPsec)
* NIST Special Publication 800-38D (http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)
TrustSec Frame Format (MACSec tag format)
DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
802.1AE Header: MACSec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)
Encrypted: 802.1Q, CMD, ETYPE and PAYLOAD. Authenticated: the frame from DMAC through PAYLOAD, with the ICV as the integrity check over that span.
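As an added example (not code from the slides or from Cisco), this Python decodes the 802.1AE header fields listed above and applies the "Replay protection mode: Strict" rule seen in the show cts interface output: a frame is accepted only if its packet number is higher than every packet number already accepted on the same SCI and association number. The TCI bit positions (SC, E, C, AN) follow IEEE 802.1AE; the E/C combination is mapped to the SAP modes from the table (GCM vs GMAC). Frames are constructed inline with a dummy SCI and an all-zero ICV, and the GCM verification itself is not performed.

```python
import struct

MACSEC_ETYPE = 0x88E5   # MACSec EtherType carried in the 802.1AE header
ICV_LEN = 16            # GCM-AES-128 integrity check value

def parse_sectag(frame: bytes) -> dict:
    """Split an 802.1AE frame into DMAC, SMAC, SecTAG fields, secure data and ICV.
    Only the tag is decoded; the AES-GCM verify/decrypt step is not run here."""
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETYPE:
        raise ValueError("not an 802.1AE frame")
    tci_an, sl = frame[14], frame[15]                   # TCI/AN octet, SL octet
    pn = struct.unpack("!I", frame[16:20])[0]           # 32-bit packet number
    sc_present = bool(tci_an & 0x20)                    # SC bit: explicit SCI follows
    e_bit, c_bit, an = bool(tci_an & 0x08), bool(tci_an & 0x04), tci_an & 0x03
    sci = frame[20:28] if sc_present else None
    off = 28 if sc_present else 20
    # E=1,C=1 is the GCM (encrypt + authenticate) mode; E=0,C=0 is GMAC (authenticate only)
    mode = {(True, True): "GCM_ENCRYPT", (False, False): "GMAC"}.get((e_bit, c_bit), "unsupported")
    return {"dmac": frame[:6].hex(":"), "smac": frame[6:12].hex(":"), "an": an,
            "pn": pn, "sci": sci.hex() if sci else None, "mode": mode, "short_len": sl,
            "secure_data": frame[off:-ICV_LEN], "icv": frame[-ICV_LEN:]}

class StrictReplayCheck:
    """Strict replay protection: accept a frame only when its PN is greater than the
    highest PN already accepted for the same (SCI, AN); anything equal or lower is dropped."""
    def __init__(self):
        self.highest = {}
    def accept(self, tag: dict) -> bool:
        key = (tag["sci"], tag["an"])
        if tag["pn"] <= self.highest.get(key, 0):
            return False
        self.highest[key] = tag["pn"]
        return True

def build_frame(pn: int, an: int = 0, encrypt: bool = True, data: bytes = b"") -> bytes:
    """Constructed test frame (not captured traffic): SC bit set, dummy SCI, zero ICV."""
    tci_an = 0x20 | (0x0C if encrypt else 0x00) | (an & 0x03)
    sci = bytes.fromhex("001122334455") + struct.pack("!H", 1)   # MAC address + port id
    sl = len(data) if len(data) < 48 else 0                      # SL is 0 for long frames
    sectag = struct.pack("!HBBI", MACSEC_ETYPE, tci_an, sl, pn)
    return bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b") + sectag + sci + data + bytes(ICV_LEN)
```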
Diagram: 128-bit AES-GCM encryption on every link; frames are encrypted on the wire between devices, while inside each device (ASIC) everything is in the clear. Decrypt at ingress, encrypt at egress.
“Bump-in-the-wire” model
-Packets are encrypted on egress
-Packets are decrypted on ingress
-Packets are in the clear in the device
Allows the network to continue to perform all the packet inspection features currently used
CTS7K-DS 10.1.50.1
CTS7K-DC-CTS7K-CORE# show cts interface ethernet 2/2
CTS Information for Interface Ethernet2/2:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-DC
Peer is: CTS Capable
802.1X role: CTS_ROLE_SUP
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:22557760140000 an:0
Current transmit SPI: sci:22557760150000 an:0
Propagate SGT: Enabled
CTS7K-CORE 10.1.50.2
CTS7K-DC# show cts interface ethernet 2/1
CTS Information for Interface Ethernet2/1:
CTS is enabled, mode: CTS_MODE_DOT1X
IFC state: CTS_IFC_ST_CTS_OPEN_STATE
Authentication Status: CTS_AUTHC_SUCCESS
Peer Identity: CTS7K-CORE
Peer is: CTS Capable
802.1X role: CTS_ROLE_AUTH
Last Re-Authentication:
Authorization Status: CTS_AUTHZ_SUCCESS
PEER SGT: 2
Peer SGT assignment: Trusted
SAP Status: CTS_SAP_SUCCESS
Configured pairwise ciphers: GCM_ENCRYPT
Replay protection: Enabled
Replay protection mode: Strict
Selected cipher: GCM_ENCRYPT
Current receive SPI: sci:22557760150000 an:3
Current transmit SPI: sci:22557760140000 an:3
Propagate SGT: Enabled
• AnyConnect 3.0 provides
Unified access interface for SSL-VPN, IPsec and 802.1X for LAN / WLAN
Support for MACSec / MKA (802.1X-REV) data encryption in software (performance depends on the CPU of the endpoint)
MACSec-capable hardware (network interface card) enhances performance with AnyConnect 3.0
For TrustSec:
• 802.1X – the headend is the switch, ASA is not needed. Option to license under investigation
• MACSec:
• Hardware encryption – requires AnyConnect and MACSec-ready hardware: Intel 82576 Gigabit Ethernet Controller, Intel 82599 10 Gigabit Ethernet Controller, Intel ICH10 - Q45 Express Chipset (1GbE LOM) (Dell, Lenovo, Fujitsu, and HP have desktops shipping with this LOM)
• Software encryption – requires AnyConnect and uses the CPU of the PC
(All modes are available for download on CCO.)
MACSec in Action Using AnyConnect 3.0
Diagram: an endpoint running AnyConnect 3.0 authenticates with 802.1X to a Cat3750X; ACS 5.2 returns the policy "Finance Admin = Must Encrypt". After "Authentication Successful!", traffic on the link from AnyConnect to the Cat3750X and on the link from the Cat3750X to the Cat 6K or Nexus 7K is encrypted (shown on the slide as scrambled text).
Note:
Already supported:
• MACSec encryption supported in DC between Nexus 7K
• Downlink encryption from AC to Cat 3KX (MKA)
Next Gen TrustSec adds:
• Switch to switch encryption (Cat 3Kx – Cat6K or Nexus 7K)
• Note that encryption uses SAP, not MKA
Cisco TrustSec – Monitoring and Reporting
• Native Tools in ACS 5.1 to compare ACS/Switch Information
• Validate SXP bindings on differing switches
• Validate User/Device SGT assignment
Cisco TrustSec Summary
Diagram: TrustSec spanning the Internet, the virtual data center and the campus network, with the following platforms and features:
• Identity Services Engine 1.0
• Switch-to-switch MACSec encryption
• Catalyst 3750-X/3560-X
• Catalyst 4500 – SUP7-E
• Catalyst 6500 SUP2T
• Security Group Access enhancements - VDI
Diagram: the Identity Services Engine brings together ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server, providing:
• Centralized Policy
• Distributed Enforcement
• AAA Services
• Posture Assessment
• Guest Access Services
• Device Profiling
• Monitoring
• Troubleshooting
• Reporting
• TrustSec builds upon Identity services
• TrustSec provides a scalable Identity access control model
• TrustSec migration strategies allow customers to deploy with existing hardware
• TrustSec is deployable today
LAN Switch Security: What Hackers Know About Your Switches
Eric Vyncke, Christopher Paggen
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563
• Cisco Wireless LAN Security - http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540
• Cisco Internetwork Troubleshooting - http://www.ciscopress.com/bookstore/product.asp?isbn=1578700922
• Cisco Secure Internet Security Solutions - http://www.ciscopress.com/bookstore/product.asp?isbn=1587050161
• Managing Cisco Network Security - http://www.ciscopress.com/bookstore/product.asp?isbn=1578701031
• Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design - http://www.ciscopress.com/bookstore/product.asp?isbn=1587052415
• Cisco LAN Switch Security: What Hackers Know About Your Switches - http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563
• Configuring IEEE 802.1x Port-Based Authentication (Cat3560-E, IOS 12.2(52)SE)
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_52_se/configuration/guide/sw8021x.html
• Network Virtualization--Access Control Design Guide (Cisco CVD)
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/AccContr.html
• Contact: Ziad Sarieddine, TME
• 7 Available Pods located in RTP
• Accessible to Sales team and Partners
• Self Serve. (Allows Scheduling / Available Demo Script)
• Role Based Access Control (Dot1x and SGA), Guest Access
• Available on CEC, Cisco.com and Demo Portal
CEC:http://wwwin.cisco.com/WWSales/wwops/wwse/cdp/demoremote/bn-ts.shtml
Cisco.com:http://www.cisco.com/web/partners/sell/technology/ipc/integrated-solutions/cisco_trustsec.html
Demo Portal:http://wwwin-tools.cisco.com/WWSales/DemoPortal/app/datasheetPreview.do?datasheetId=309&environmentId=3&moduleName=Admin
You are invited to "Ptali jste se…" (You asked…), TAURUS, 17:45 – 18:30
Please, fill in the evaluation form
Lecture code