Cisco TrustSec Security (CTS) & Security Group Tagging (SGT)
Techtorial, Cisco Expo 2011
Jiří Tesař – Cisco
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

TRANSCRIPT

Page 1: Title slide

Cisco Expo 2011
Cisco TrustSec Security (CTS) & Security Group Tagging (SGT)
Techtorial
Jiří Tesař – Cisco

Page 2: Contact channels

• Twitter www.twitter.com/CiscoCZ
• Talk2cisco www.talk2cisco.cz/dotazy
• SMS 732 488 666

Page 3: Agenda

• TrustSec Solution Overview
• SGT / SGACL Concept
• NDAC Concept
• 802.1AE / SAP Concept

Page 4: Introduction (section divider; slide footer: BRKSEC-2046_c1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public)

Page 5: Cisco Identity solution building blocks

Figure: a Catalyst switch in the centre; endpoints (Guest, Employee, Printer) authenticate with 802.1X, MAB or Web Auth; the switch talks RADIUS to ACS 5.1, which is backed by a Directory Server, a NAC Guest Server and a NAC Profiler. Authorization results include VLAN, downloadable ACL, URL redirect, etc.

• Catalyst Switch: Cisco IOS intelligence provides a phased deployment model for 802.1X (Monitor Mode, Low Impact Mode, High Security Mode); flexible authentication methods (802.1X, MAB, Web Auth in any order); various authorization methods (VLAN, downloadable ACL, URL redirect, etc.)
• ACS 5.1: scalable / flexible policy and authentication server supporting RBAC
• NAC Guest Server: industry-leading guest service server providing full guest access management with Web Authentication
• NAC Profiler: profiling system that performs automatic device profiling for unattended devices or any other type of network-attached device

Page 6: What Network Access Control provides

• Network Access Control provides a way to
  Identify who is accessing your network
  Determine how this access is attempted
  Locate where this person is trying to access from
  Evaluate what privilege this person has
• Based on the results, Network Access Control provides
  Admission to the network
  The scope of resources this person can access
  The level of services this person can access
  A record of network usage

Page 7: Cisco Access Control Solution

Network Address-based Access Control
  ACL, VACL, PACL, PBACL, etc.
Network Admission Control (NAC)
  Posture validation, endpoint policy compliance
Identity-Based Access Control
  Flexible authentication options: 802.1X, MAB, WebAuth, FlexAuth
  Comprehensive post-admission control options: dACL, VLAN assignment, URL redirect, QoS, ...
  Integration of Profiling / Guest Access Services

Page 8: VLAN assignment as a segmentation method

Advantages
• Easiest way to segment traffic
• Most vendors support dynamic VLAN assignment (RFC 3580)

Drawbacks
• Need to introduce new VLANs
• New VLAN = new IP scope for the subnet
• Changing the VLAN in authorization means changing the subnet for DHCP
• VLAN ID / name design becomes very complicated
• A static routing policy is required for inter-VLAN communication
• Managing an ACL on every L3 interface for each VLAN becomes complicated

Page 9: Downloadable ACL (dACL) as a segmentation method

Advantages
• ACLs managed centrally and provisioned per source IP address / authentication session
• No need to define the endpoint IP address in the ACL
• Pre-authentication interface ACL to integrate with services such as PXE Boot and Wake-On-LAN (WoL) for maintenance

Drawbacks
• A destination IP address change needs to be reflected in every ACE
• Possible TCAM exhaustion if a large number of ACEs are configured

Page 10: Cisco TrustSec SGBAC (Security Group Based Access Control), section divider

Page 11: Why address-based ACLs do not scale

Sources x Destinations x Permissions = ACEs
Source (S1) * Destinations (D1~D6) * Permissions (4) = 24 ACEs for S1
Sources (S1~S4) * Destinations (D1~D6) * Permissions (4) = 96 ACEs for S1~S4

The growing number of ACEs leads to resource consumption on the enforcement point.

Figure: users (sources) S1~S4 on the left and servers (destinations) D1~D6 on the right, grouped by role (Sales, HR, Finance, Managers, IT Admins, HR Rep). Access Control Entries (ACEs) grow as permission statements increase.

S1 to D1 access control (4 ACEs, one per permission):
permit tcp S1 D1 eq https
permit tcp S1 D1 eq 8081
permit tcp S1 D1 eq 445
deny ip S1 D1

Page 12: The same policy expressed per security group

(# of Source SGs) * (# of Dest SGs) * Permissions = # ACEs
SGT 10 * Dest SGTs (3) * Permissions (4) = 12 ACEs for the MGMT A SGT
SRC SGTs (4) * DST SGTs (3) * Permissions (4) = 48 ACEs

Figure: the users S1~S4 are grouped into source security groups MGMT A (SGT 10), MGMT B (SGT 20), HR Rep (SGT 30) and IT Admins (SGT 40); the servers D1~D6 into destination security groups Sales SRV (SGT 500), HR SRV (SGT 600) and Finance SRV (SGT 700). One SGACL per source/destination group pair replaces the per-host ACEs of the previous slide.

Page 13: Scaling the security group model

Figure: the same source groups MGMT A (SGT 10), MGMT B (SGT 20), HR Rep (SGT 30), IT Admins (SGT 40) and destination groups Sales SRV (SGT 400), HR SRV (SGT 500), Finance SRV (SGT 600); each user group now has x 100 members and each server group 10 network resources. The number of SGACLs is unchanged because it depends on the number of groups, not on the number of hosts in them.

Page 14: TrustSec building blocks

Security Group Based Access Control
  Topology-independent access control based on roles
  Scalable ingress tagging (SGT) / egress filtering (SGACL)
  Centralized policy management / distributed policy enforcement

Confidentiality and Integrity
  Encryption based on IEEE 802.1AE (AES-GCM 128-bit)
  Wire-rate hop-by-hop layer 2 encryption
  Key management based on the 802.11i key exchange (SAP), pending standardization in 802.1X-REV

Authenticated Networking Environment
  Endpoint admission enforced via 802.1X authentication, MAB, Web Auth (Cisco Identity compatibility)
  Network device admission control based on 802.1X creates a trusted networking environment
  Only the trusted network imposes the Security Group Tag

Page 15: SGACL

Security Group Based Access Control allows customers
  To keep the existing logical design at the access layer
  To change / apply policy to meet today's business requirements
  To distribute policy from a central management server

Figure: a user authenticates with 802.1X/MAB/Web Auth ("I'm a contractor", "My group is IT Admin"); the Contractor & IT Admin role maps to SGT = 100, which is carried across the SGT-capable devices; the destinations are a Database (SGT = 4) and an IT Server (SGT = 10).

Page 16: Security Group Tag and SGACL

Security Group Tag (SGT)
  Unique 16-bit (65K) tag assigned to a unique role
  Represents the privilege of the source user, device, or entity
  Tagged at ingress of the TrustSec domain

SGACL
  Filtered (SGACL) at egress of the TrustSec domain
  No IP address required in the ACE (the IP address is bound to the SGT)
  Policy (ACL) is distributed from the central policy server (ACS) or configured locally on the TrustSec device

Customer Benefits
  Provides topology-independent policy
  Flexible and scalable policy based on user role
  Centralized policy management for dynamic policy provisioning
  Egress filtering reduces TCAM impact

Page 17: Frame format and MTU impact

The 802.1AE header, the CMD and the ICV are the L2 802.1AE + TrustSec overhead
The frame is always tagged at the ingress port of an SGT-capable device
Tagging happens before other L2 services such as QoS
No impact on IP MTU / fragmentation
L2 frame MTU impact: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552 bytes MTU)

Ethernet frame fields:
DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
Cisco Meta Data (CMD): CMD EtherType | Version | Length | SGT Opt Type | SGT Value | Other CMD Options
Encrypted: the fields between the 802.1AE header and the ICV (802.1Q, CMD, ETYPE, PAYLOAD)
Authenticated: the whole frame up to and including the payload, covered by the ICV
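The CMD layout above, as an added worked example that is not part of the Cisco slides: a Python builder and parser for the cleartext part of the frame (802.1AE header, ICV and CRC omitted). The EtherType 0x8909 and the byte widths of the CMD fields (Version 1 byte, Length 1 byte, SGT Option Type 2 bytes, SGT Value 2 bytes) are assumed from the public description of the header, not taken from the deck. The parser also walks an 802.1Q tag in front of the CMD, which the slide's field order shows but does not discuss, and classify_ingress implements the deck's rule that only the trusted network imposes the tag: a CMD tag arriving on an untrusted port is ignored.

```python
"""Build and parse Ethernet frames that carry an SGT in a Cisco MetaData (CMD) header.

Added example; not code from the Cisco Expo slides or from Cisco. The slides
give the field order only. The EtherType 0x8909 and the field widths are taken
from the public description of the CMD header and are assumptions here. The
802.1AE header and ICV are left out: this shows the cleartext tag as it sits
in the frame, not the MACsec protection around it.
"""
import struct
from typing import NamedTuple, Optional

DOT1Q_ETHERTYPE = 0x8100
CMD_ETHERTYPE = 0x8909      # assumed: Cisco MetaData EtherType
CMD_VERSION = 1             # assumed
CMD_LENGTH = 1              # assumed: one 4-byte option (the SGT option) follows
SGT_OPTION_TYPE = 0x0001    # assumed: option type of the SGT option
SGT_UNKNOWN = 0             # from the deck: SGT 0 is the special "Unknown" tag


class ParsedFrame(NamedTuple):
    vlan: Optional[int]     # 802.1Q VLAN ID, or None if there is no 802.1Q tag
    sgt: int                # SGT carried in the CMD header, SGT_UNKNOWN if absent
    ethertype: int          # EtherType of the payload (e.g. 0x0800 for IPv4)
    payload: bytes


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes,
                sgt: Optional[int] = None, vlan: Optional[int] = None) -> bytes:
    """DMAC | SMAC | [802.1Q] | [CMD] | ETYPE | PAYLOAD, as on the slide minus 802.1AE/ICV/CRC."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    frame = dst_mac + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan & 0x0FFF)
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is a 16-bit value")
        frame += struct.pack("!HBBHH", CMD_ETHERTYPE, CMD_VERSION, CMD_LENGTH,
                             SGT_OPTION_TYPE, sgt)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the header chain: optional 802.1Q, optional CMD, then the real EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    vlan = None
    if ethertype == DOT1Q_ETHERTYPE:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan = tci & 0x0FFF
        offset += 4
    sgt = SGT_UNKNOWN
    if ethertype == CMD_ETHERTYPE:
        if len(frame) < offset + 8:
            raise ValueError("truncated CMD header")
        version, _length, opt_type, sgt, ethertype = struct.unpack_from("!BBHHH", frame, offset)
        if version != CMD_VERSION or opt_type != SGT_OPTION_TYPE:
            raise ValueError("unsupported CMD header")
        offset += 8
    return ParsedFrame(vlan, sgt, ethertype, frame[offset:])


def classify_ingress(frame: bytes, port_trusted: bool, port_sgt: int = SGT_UNKNOWN) -> int:
    """SGT the switch should use for this frame at ingress.

    Mirrors the deck's rule that only the trusted network imposes the tag: on a
    port that is not a trusted (NDAC-authenticated) TrustSec link, a carried CMD
    tag is ignored and the frame gets the SGT the port's own authorization
    assigned (port_sgt), or Unknown. Honouring the carried tag on such a port
    would let a host pick its own privilege by sending a forged CMD header.
    """
    parsed = parse_frame(frame)
    if port_trusted and parsed.sgt != SGT_UNKNOWN:
        return parsed.sgt
    return port_sgt
```

The parser returns the carried SGT only as data; the trust decision is made separately in classify_ingress, which is the split a real ingress pipeline needs: the CMD field is a plaintext 16-bit value, and without 802.1AE and NDAC on the link nothing stops an attached host from writing it.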

Page 18: SGT Assignment, section divider

Page 19: SGT assignment, step 1: ACS populates its SGT policy

Figure: ACS 5.x with a Directory Service; User A and User C at Campus Access; Server A, Server B and Server C in the Data Center; a TrustSec-enabled network between them.

ACS is configured with its policy; all endpoints need to be mapped to an SGT in the policy.

User to Role Mapping
AD User | Role       | SGT
User A  | Contractor | 10
User B  | Finance    | 20
User C  | HR         | 30

Server to Role Mapping
Server      | Role           | IP           | SGT
HTTP Server | Server Group A | 10.1.100.111 | 111
File Server | Server Group B | 10.1.100.222 | 222
SQL Server  | Server Group C | 10.1.200.3   | 333

Page 20: SGT assignment, step 2: SGTs are assigned to roles and bound to IP addresses

Figure: the same topology; the servers now carry SGTs 111, 222 and 333, and the access ports of User A and User C carry SGTs 10 and 30 after 802.1X / MAB / Web Auth. The User to Role and Server to Role mapping tables are those of page 19.

With 802.1X / MAB / Web Authentication, SGTs are assigned in an authorization policy via RADIUS.
The access device snoops ARP and/or DHCP for the authenticated MAC address, then binds the assigned SGT to the snooped IP address.
For servers, IP addresses are bound to SGTs statically on the access switch or looked up dynamically on ACS using the IPM feature.

Page 21: SGT assignment, step 3: ACS provisions the egress policy (SGT matrix) to TrustSec-capable devices

Each TrustSec-capable device downloads its policy from the central policy server, i.e. the ACS server.

Egress policy (SGT matrix)
SRC \ DST   | Server A (111) | Server B (222) | Server C (333)
User A (10) | Permit all     | Deny all       | Deny all
User B (20) | SGACL-B        | SGACL-C        | Deny all
User C (30) | Deny all       | Permit all     | SGACL-D

SGACL-D
permit tcp src dst eq 1433   #remark destination SQL permit
permit tcp src eq 1433 dst   #remark source SQL permit
permit tcp src dst eq 80     # web permit
permit tcp src dst eq 443    # secure web permit
deny all

Page 22: SGT assignment, step 4: the TrustSec network is ready to enforce the policy

The user's traffic is tagged at the ingress of the TrustSec domain
The SGT is carried as the packet traverses the domain
At the egress port, the TrustSec device looks up its local policy and drops the packet if needed

Figure: User A's traffic (SGT 10) is untagged on the access link and CMD-tagged inside the TrustSec-enabled network; per the matrix of page 21 it is permitted to Server A (111) and dropped at the egress port towards Server B (222) and Server C (333).

Page 23: SGT assignment, step 5: SGACL allows topology-independent access control

Even if another user connects on the same VLAN as in the previous example, his traffic is tagged differently.
If the traffic is destined to restricted resources, the packet is dropped at the egress port of the TrustSec domain.

Figure: User C (SGT 30) on the same VLAN as User A; User C's web traffic and SQL traffic to Server C (333) are filtered by SGACL-D, and traffic to Server A (111) is dropped. The egress matrix and SGACL-D are those of page 21:

SGACL-D
permit tcp src dst eq 1433   #remark destination SQL permit
permit tcp src eq 1433 dst   #remark source SQL permit
permit tcp src dst eq 80     # web permit
permit tcp src dst eq 443    # secure web permit
deny all

Page 24: How endpoints and servers get their SGT

Campus / mobile endpoints
  Every endpoint that touches the TrustSec domain is classified with an SGT
  Full integration with the Cisco Identity solution: just like VLAN assignment or dACL, the SGT is assigned in the authorization process
  The SGT can be sent to the switch via RADIUS authorization after:
  • 802.1X Authentication
  • MAC Authentication Bypass
  • Web Authentication
  • or via static IP-to-SGT binding on the switch

Data Center / servers
  Every server that touches the TrustSec domain is classified with an SGT
  The SGT is usually assigned to servers:
  • via manual IP-to-SGT binding on the TrustSec device
  • via IP-to-Port Mapping

Page 25: Dynamic SGT assignment via 802.1X (sequence)

Figure: an IT Admin endpoint (MAC 0050.56BC.14AE) on Gig1/0/1 of the access switch; ACS 5.0 as the RADIUS server.

802.1X user authentication between the endpoint, the access switch and ACS (RADIUS): Auth OK!
Access-Accept with VSA, IT Admin: SGT (5)
  cisco-av-pair=cts:security-group-tag=0005-01
  format: <sgt-value-in-hex>-<rev#>
Port open! The switch records the MAC-to-SGT binding
  MAC Address    | Port     | SGT
  0050.56BC.14AE | Gig1/0/1 | 5
DHCP request / response; ARP snooping (IP Device Tracking) learns 10.1.10.102/24
  MAC Address    | Port     | SGT | IP Address
  0050.56BC.14AE | Gig1/0/1 | 5   | 10.1.10.102
The access switch now has the IP-to-SGT binding
  IP Address  | SGT
  10.1.10.102 | 5
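The five-step flow of pages 19 to 23 and the binding sequence above, carried through as one added worked example in Python (not code from the slides or from Cisco): parsing the Access-Accept av-pair, building the IP-to-SGT binding from the authenticated MAC plus the snooped IP, and the egress lookup into the SGT matrix and SGACL-D. The tags, the matrix and SGACL-D are the deck's own; the endpoint MACs, ports, user IP addresses and av-pair strings are constructed, and the class and function names are invented. User B's row is left out because the deck does not show SGACL-B and SGACL-C. A matrix cell that is not listed is denied, which is a choice of this example and says nothing about the default policy of a real switch.

```python
"""Simulate the deck's SGT classification and egress SGACL enforcement.

Added example; not code from the slides or from Cisco. Tags, egress matrix
and SGACL-D come from the deck (pages 19-23, 25). MACs, ports, user IPs and
the av-pair strings are constructed. Unlisted matrix cells are denied here,
which is this example's choice, not a statement about a real device.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SGT_UNKNOWN = 0  # deck: SGT 0 is the special tag for "Unknown"
# Deck format: cisco-av-pair=cts:security-group-tag=<sgt-value-in-hex>-<rev#>
_SGT_VSA = re.compile(r"^(?:cisco-av-pair=)?cts:security-group-tag=([0-9a-fA-F]{1,4})-(\d+)$")


def parse_sgt_vsa(av_pair: str) -> int:
    """SGT from the Access-Accept av-pair; the -<rev#> suffix is not part of the tag."""
    m = _SGT_VSA.match(av_pair.strip())
    if not m:
        raise ValueError(f"not an SGT av-pair: {av_pair!r}")
    return int(m.group(1), 16)


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str                      # "ip" / "all" match any protocol
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        return ((self.proto in ("ip", "all") or self.proto == proto)
                and (self.src_port is None or self.src_port == sport)
                and (self.dst_port is None or self.dst_port == dport))


def parse_ace(line: str) -> Ace:
    """Parse the deck's ACE syntax: 'permit tcp src dst eq 1433', 'permit tcp src eq 1433 dst', 'deny all'."""
    toks = line.split("#")[0].split()    # '#' starts a remark
    if len(toks) < 2 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    ports: Dict[str, Optional[int]] = {"src": None, "dst": None}
    i = 2
    while i < len(toks):
        side = toks[i]
        if side not in ports:
            raise ValueError(f"bad ACE: {line!r}")
        i += 1
        if i + 1 < len(toks) and toks[i] == "eq":
            ports[side] = int(toks[i + 1])
            i += 2
    return Ace(toks[0] == "permit", toks[1], ports["src"], ports["dst"])


class TrustSecSwitch:
    """Classification (IP-to-SGT binding) at ingress, SGACL lookup at egress."""

    def __init__(self, matrix: Dict[Tuple[int, int], str], sgacls: Dict[str, List[str]]):
        self.mac_sgt: Dict[str, Tuple[str, int]] = {}   # MAC -> (port, SGT), from Access-Accept
        self.ip_sgt: Dict[str, int] = {}                # IP -> SGT, from snooping or static map
        self.matrix = matrix                            # (src SGT, dst SGT) -> "permit" | "deny" | SGACL name
        self.sgacls = {name: [parse_ace(l) for l in lines] for name, lines in sgacls.items()}

    def access_accept(self, mac: str, port: str, av_pairs: List[str]) -> None:
        sgts = [parse_sgt_vsa(a) for a in av_pairs if "security-group-tag" in a]
        if not sgts:
            raise ValueError("Access-Accept carried no SGT")
        self.mac_sgt[mac] = (port, sgts[0])          # port open, SGT known, IP not yet known

    def snoop(self, mac: str, ip: str) -> None:
        """DHCP / ARP snooping (IP device tracking) saw this IP behind an authenticated MAC."""
        if mac in self.mac_sgt:
            self.ip_sgt[ip] = self.mac_sgt[mac][1]

    def static_map(self, ip: str, sgt: int) -> None:   # cts role-based sgt-map <ip> sgt <sgt>
        self.ip_sgt[ip] = sgt

    def sgt_for(self, ip: str) -> int:
        return self.ip_sgt.get(ip, SGT_UNKNOWN)

    def egress_decision(self, src_ip: str, dst_ip: str, proto: str, sport: int, dport: int) -> str:
        cell = self.matrix.get((self.sgt_for(src_ip), self.sgt_for(dst_ip)), "deny")
        if cell in ("permit", "deny"):
            return cell
        for ace in self.sgacls[cell]:                # first matching ACE wins
            if ace.matches(proto, sport, dport):
                return "permit" if ace.permit else "deny"
        return "deny"                                # no ACE matched (the deck's SGACLs end in 'deny all' anyway)


MATRIX = {   # egress policy from page 21; User B's row omitted (SGACL-B / SGACL-C are not shown)
    (10, 111): "permit", (10, 222): "deny", (10, 333): "deny",
    (30, 111): "deny", (30, 222): "permit", (30, 333): "SGACL-D",
}
SGACLS = {"SGACL-D": [
    "permit tcp src dst eq 1433  # destination SQL permit",
    "permit tcp src eq 1433 dst  # source SQL permit",
    "permit tcp src dst eq 80    # web permit",
    "permit tcp src dst eq 443   # secure web permit",
    "deny all",
]}


def build_demo_switch() -> TrustSecSwitch:
    sw = TrustSecSwitch(MATRIX, SGACLS)
    for ip, sgt in (("10.1.100.111", 111), ("10.1.100.222", 222), ("10.1.200.3", 333)):
        sw.static_map(ip, sgt)                     # servers: static binding (deck step 2)
    # Constructed endpoints: MACs, ports, IPs and av-pairs are invented; 0x000a = 10 (User A), 0x001e = 30 (User C)
    sw.access_accept("0050.56bc.14ae", "Gig1/0/1", ["cts:security-group-tag=000a-01"])
    sw.snoop("0050.56bc.14ae", "10.1.10.101")
    sw.access_accept("0050.56bc.14af", "Gig1/0/2", ["cts:security-group-tag=001e-01"])
    sw.snoop("0050.56bc.14af", "10.1.10.103")
    return sw
```

Two things the simulation makes explicit that the slides only imply: a source IP with no binding is classified as SGT 0 (Unknown) and therefore never hits a role-specific cell, and the binding exists only after both the RADIUS authorization and the snooping step have completed, so traffic from a freshly authorized port is Unknown until IP device tracking has seen it.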

Page 26: Creating Security Groups in ACS (screenshot)

SGT values are assigned automatically starting from 2. SGT 0 is the special SGT for Unknown.

Page 27: Authorization profile in ACS (screenshot)

Select Security Group for the authorization results (not selected by default).

Page 28: Authorization policy rule in ACS (screenshot)

Column labels visible on the slide: Rule Name, Condition, Statement, Authorization Profile, SGT

Page 29: Security Group configuration and authorization policy for 802.1X access (screenshot)

Page 30: Create SGTs for servers just like creating SGTs for end-user roles (screenshot)

Page 31: Static SGT assignment for servers

Figure (reference topology, reused on later slides): a Campus Network with a Catalyst 3750-E access switch (802.1X for users, MAB for an agent-less device, LWA); users Doctor (SGT 7) and IT Admin (SGT 5) on VLAN100 / VLAN200; Nexus 7000 distribution and Nexus 7000 core; a Catalyst 4948 in the data center; ACS v5.1 and Active Directory. Servers: IT Portal (SGT 4) 10.1.100.10, Public Portal (SGT 8) 10.1.200.10, Internal Portal (SGT 9) 10.1.200.200, Patient Record DB (SGT 10) 10.1.200.100. SXP runs from the access switch towards the Nexus 7000; frames are untagged on the access side and tagged (SGT=7) from the point where SGT enforcement happens.

The SGT can be statically assigned on the switch that performs the SGACL enforcement:
cts role-based sgt-map 10.1.100.10 sgt 4
cts role-based sgt-map 10.1.200.10 sgt 8
cts role-based sgt-map 10.1.200.100 sgt 10
cts role-based sgt-map 10.1.200.200 sgt 9

IOS CLI:   cts role-based sgt-map <ip_address> sgt <sgt_value>
NX-OS CLI: cts role-based sgt-map <ip_address> <sgt_value>

Page 32: SGT Exchange Protocol (SXP), section divider

Page 33: SGT Exchange Protocol (SXP)

• SGT native tagging requires hardware (ASIC) support
• Devices without TrustSec-capable hardware can still receive SGT attributes from ACS for authenticated users or devices, and then forward the IP-to-SGT binding to a TrustSec/SGACL-capable device for tagging and enforcement
• The SGT eXchange Protocol (SXP) is used to exchange IP-to-SGT bindings between TrustSec-capable and incapable devices
• Currently supported on Catalyst 6500, 4500/4900, 3560/3750 and Nexus 7000 switches
• Based on TCP with MD5 authentication
• Supports single-hop or multi-hop SXP
• SXP accelerates initial deployment of SGT/SGACL without an immediate hardware upgrade

Page 34: SXP operation

A TCP-based SXP connection is established between the non-TrustSec-capable and the TrustSec-capable device
The user is assigned an SGT
The switch binds the endpoint IP address to the assigned SGT
The switch uses SXP to send its binding table to the TrustSec-capable device
The TrustSec-capable device tags the packet based on the source IP address when the packet appears in its forwarding table

Figure: User A (SGT 10) and User C (SGT 30) attach to a non-TrustSec-capable device; their traffic is untagged across the SXP-connected hops up to the TrustSec-capable device, which sends CMD-tagged traffic towards Server A / B / C (111 / 222 / 333) in the Data Center; ACS 5.x with a Directory Service.

SXP IP-SGT Binding Table
IP Address | SGT | Interface
10.1.10.1  | 10  | Gig 2/10
10.1.30.4  | 30  | Gig 2/11

Page 35: Single-hop and multi-hop SXP

Single-hop SXP: TrustSec-enabled SW (Speaker, in the non-TrustSec domain) --SXP--> TrustSec-capable HW (Listener); ACS 5.x.
Multi-hop SXP: TrustSec-enabled SW (Speaker) --SXP--> TrustSec-enabled SW (Listener and Speaker) --SXP--> TrustSec-capable HW (Listener); a further TrustSec-enabled SW (Speaker) can feed the middle hop as well; ACS 5.x.

Page 36: SXP configuration

Figure: Catalyst 6500 (CTS6K-AS, 10.1.3.2, Speaker, in the non-TrustSec domain) --SXP--> Nexus 7000 (CTS7K-DC, 10.1.3.1, Listener); ACS 5.x.

Catalyst 6500 (IOS), speaker:
CTS6K-AS(config)#cts sxp enable
CTS6K-AS(config)#cts sxp default password <password>
CTS6K-AS(config)#cts sxp connection peer 10.1.3.1 source 10.1.3.2 password default mode peer listener

Nexus 7000 (NX-OS), listener (on NX-OS the mode keyword describes the peer's role, so "mode speaker" makes the local device the listener; the peer and source addresses match the figure and the show output on page 38):
CTS7K-DC(config)#cts sxp enable
CTS7K-DC(config)#cts sxp connection peer 10.1.3.2 source 10.1.3.1 password required <password> mode speaker

Page 37: Verifying SXP

Figure: the topology of page 36 (Catalyst 6500 10.1.3.2 Speaker, Nexus 7000 10.1.3.1 Listener).

CTS6K-AS#show cts sxp connections
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP          : 10.1.3.1
Source IP        : 10.1.3.2
Conn status      : On
Local mode       : SXP Speaker
Connection inst# : 1
TCP conn fd      : 1
TCP conn password: default SXP password
Duration since last state change: 5:21:56:26 (dd:hr:mm:sec)

CTS7K-DC# show cts sxp
CTS SXP Configuration:
SXP enabled
SXP retry timeout:60
SXP reconcile timeout:120

Page 38: Verifying SXP (brief views)

Figure: the topology of page 36.

CTS7K-DC# show cts sxp connection
PEER_IP_ADDR  VRF      PEER_SXP_MODE  SELF_SXP_MODE  CONNECTION STATE
10.1.3.2      default  speaker        listener       connected

CTS6K-AS#show cts sxp connections brief
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
-----------------------------------------------------------------------------
Peer_IP          Source_IP        Conn Status       Duration
-----------------------------------------------------------------------------
10.1.3.1         10.1.3.2         On                6:00:09:13 (dd:hr:mm:sec)

Total num of SXP Connections = 1
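A check worth running over output like the above, as an added example (Python; not from the slides or from Cisco): parse "show cts sxp connections" and report peers that are down, unauthenticated, or not in the set you expect. The reason follows from pages 33 and 34: a listener tags traffic according to whatever bindings its speakers send it, so a speaker that is not authenticated with the TCP MD5 password, or that was never meant to be a peer, can feed it bindings that change which SGT a source IP gets. The first peer block in the sample is the deck's own CTS6K-AS output; the second peer block, and the "TCP conn password: none" wording for an unauthenticated peer, are constructed for the example.

```python
"""Audit 'show cts sxp connections' output for SXP peers that are down or unauthenticated.

Added example; not from the slides or from Cisco. The first peer block in
SAMPLE is the deck's own CTS6K-AS output; the second peer block is constructed
to show a failing case, and its 'TCP conn password: none' wording is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

SAMPLE = """\
 SXP              : Enabled
 Default Password : Set
 Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
----------------------------------------------
Peer IP          : 10.1.3.1
Source IP        : 10.1.3.2
Conn status      : On
Local mode       : SXP Speaker
Connection inst# : 1
TCP conn fd      : 1
TCP conn password: default SXP password
Duration since last state change: 5:21:56:26 (dd:hr:mm:sec)
----------------------------------------------
Peer IP          : 10.1.3.9
Source IP        : 10.1.3.2
Conn status      : Off
Local mode       : SXP Listener
Connection inst# : 1
TCP conn fd      : -1
TCP conn password: none
Duration since last state change: 0:00:00:10 (dd:hr:mm:sec)
"""

_KV = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")   # "Key : value", first colon splits


@dataclass(frozen=True)
class SxpPeer:
    peer_ip: str
    source_ip: str
    status: str        # "On", "Off", or a transitional state
    local_mode: str    # "SXP Speaker" / "SXP Listener"
    password: str      # "default SXP password", "none", ...


def parse_sxp_connections(text: str) -> List[SxpPeer]:
    """Split at the dashed rules; every block after the global header is one peer."""
    peers = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M)[1:]:
        kv = {}
        for line in block.splitlines():
            m = _KV.match(line)
            if m:
                kv[m.group(1)] = m.group(2)
        if "Peer IP" in kv:
            peers.append(SxpPeer(kv["Peer IP"], kv.get("Source IP", ""), kv.get("Conn status", ""),
                                 kv.get("Local mode", ""), kv.get("TCP conn password", "none")))
    return peers


def audit_sxp(peers: List[SxpPeer], expected: Set[str]) -> List[Tuple[str, str]]:
    """(peer_ip, problem) findings; empty means every expected peer is up and authenticated."""
    findings = []
    seen = set()
    for p in peers:
        seen.add(p.peer_ip)
        if p.peer_ip not in expected:
            findings.append((p.peer_ip, "peer not in the expected set"))
        if p.status != "On":
            findings.append((p.peer_ip, f"connection status {p.status}: bindings from this peer are stale or missing"))
        if p.password.lower() == "none":
            if "Listener" in p.local_mode:
                # the local device would accept IP-to-SGT bindings from an unauthenticated speaker
                findings.append((p.peer_ip, "listener accepts unauthenticated bindings"))
            else:
                findings.append((p.peer_ip, "no TCP MD5 authentication"))
    for ip in sorted(expected - seen):
        findings.append((ip, "expected peer is not configured"))
    return sorted(findings)
```

Run it with the peer set taken from your intended design, not from the device, so that a peer someone added by hand shows up as a finding rather than as a baseline.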

Page 39: IP-to-SGT bindings on the access switch are sent over SXP

Figure: the reference topology of page 31. If the switch supports SXP, it can send its IP-to-SGT binding table to an SGT-capable device (e.g. Nexus 7000). Two SXP connections run Speaker -> Listener towards the Nexus 7000.

Locally learned bindings (from authentication plus snooping):
IP Address  | SGT | Source
10.1.10.102 | 5   | LOCAL
10.1.10.110 | 14  | LOCAL
10.1.99.100 | 12  | LOCAL

Statically configured bindings (cts role-based sgt-map):
IP Address   | SGT | Source
10.1.100.10  | 4   | CLI
10.1.200.10  | 8   | CLI
10.1.200.100 | 10  | CLI
10.1.200.200 | 9   | CLI

Page 40: The SGT-capable device tags on egress

When the SGT-capable device receives a packet, it looks up the SGT value in its table and inserts the SGT into the frame when the frame exits the egress port.

IP-to-SGT Binding Table on the Nexus 7000 (learned via SXP from the access switch):
IP Address  | SGT | Source
10.1.10.102 | 5   | SXP
10.1.10.110 | 14  | SXP
10.1.99.100 | 12  | SXP

Figure: the reference topology of page 31. An untagged frame with SRC=10.1.10.102 arrives at the Nexus 7000 and leaves as a tagged frame with SGT=5.

Page 41: How the SGT is assigned to a role dynamically (Cat6503 access, NX7010 tagging)

Figure: an HR Admin endpoint (MAC 0050.56BC.14AE) on a Cat6503 access switch; ACS 5.0 via RADIUS; SXP from the Cat6503 to an NX7010.

802.1X user authentication: Auth OK!
Access-Accept with VSA, HR Admin: SGT (6/0006)
Port open!
  MAC Address    | Port   | SGT
  0050.56BC.14AE | Fa2/12 | 6/0006
DHCP request / response; DHCP snooping / ARP snooping learns 10.1.10.100/24
  MAC Address    | Port  | SGT    | IP Address
  0050.56BC.14AE | Fa2/1 | 6/0006 | 10.1.10.100
The SXP binding table is sent from the Cat6503 to the NX7010
Tagging on the NX7010: traffic from SRC 10.1.10.100 to 10.1.200.100 gets SGT (6/0006)

Page 42: SGACL Policy, section divider

Page 43: Cisco TrustSec Security (CTS) Security Group Tagging (SGT)Cisco Expo © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Cisco Expo 2011 Cisco TrustSec Security

54© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo Cisco Public© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo54

[Figure: SGT assignment in the reference topology. Dynamic SGT assignment for endpoints: users and devices authenticate to the Catalyst 3750-E access switch via 802.1X, MAB or LWA (agent-less devices); ACS v5.1 with Active Directory returns the role SGT, e.g. Doctor (SGT 7) or IT Admin (SGT 5); the binding travels over SXP across the campus network (VLAN100, VLAN200) to the Nexus 7000 distribution / core, where the untagged frame becomes a tagged frame (SGT=7) and SGT enforcement is applied. Static SGT assignment for servers behind the Catalyst 4948: Public Portal (SGT 8), Internal Portal (SGT 9), Patient Record DB (SGT 10, 10.1.200.100), IT Portal (SGT 4, 10.1.100.10), plus 10.1.200.10 and 10.1.200.200.]


SGACL policy matrix (source SGT in rows, destination SGT in columns):

Source SGT \ Destination SGT   IT Portal (SGT 4)   Public Portal (SGT 8)   Internal Portal (SGT 9)   Patient Record DB (SGT 10)
Doctor (SGT 7)                 No Access           Web                     Web                       Web
IT Admin (SGT 5)               Full Access         Full Access             Full Access               IT Maintenance ACL

Web = HTTP/HTTPS only; Full Access = permit ip. The IT Maintenance ACL allows web, SSH, RDP and file-share access and denies everything else:

IT Maintenance ACL
permit tcp dst eq 443
permit tcp dst eq 80
permit tcp dst eq 22
permit tcp dst eq 3389
permit tcp dst eq 135
permit tcp dst eq 136
permit tcp dst eq 137
permit tcp dst eq 138
permit tcp dst eq 139
deny ip


• Policy is downloaded to SGT-capable hardware (e.g. a Nexus 7000 switch) when:

• the device first authenticates to ACS (via NDAC)

• the policy lifetime expires (by default 1 day)

• it is requested manually from ACS (cts refresh role-based-policy)

• a new IP-to-SGT mapping is configured manually on the switch

• a new source SGT is seen on an interface of the device doing SGACL enforcement and the switch's current SGACL policy has no entry for that source SGT


[Figure: the same reference topology (Catalyst 3750-X access with 802.1X, MAB and LWA; SXP to the Nexus 7000 distribution and core; ACS v5.1 with Active Directory; Catalyst 4948 in the data center, VLAN100 / VLAN200). An IT Admin (SGT 5) endpoint's untagged frame becomes a tagged frame at the Nexus 7000, where SGT enforcement is applied towards the servers IT Portal (SGT 4), Public Portal (SGT 8), Internal Portal (SGT 9) and Patient Record DB (SGT 10).]

The policy downloaded for source SGT 5, as seen on the Nexus 7000:

CTS7K-DC# show cts role-based policy
sgt:5
dgt:4 rbacl:Permit IP
permit ip
sgt:5
dgt:8 rbacl:Permit IP
permit ip
sgt:5
dgt:9 rbacl:Permit IP
permit ip
sgt:5
dgt:10 rbacl:IT_Maintenance_ACL
permit tcp dst eq 20 log
permit tcp dst eq 21 log
permit tcp dst eq 22 log
permit tcp dst eq 445 log
permit tcp dst eq 135 log
permit tcp dst eq 136 log
permit tcp dst eq 137 log
permit tcp dst eq 138 log
permit tcp dst eq 139 log
permit tcp dst eq 3389 log
permit icmp log
deny ip
<skip>


[Figure: the same topology with SGT enforcement enabled on the Nexus 7000 distribution switch; the IT Admin (SGT 5) web request is enforced there before it reaches the servers.]

SGACL enforcement is switched on with one NX-OS CLI command:

cts role-based enforcement


[Figure: the same topology; enforcement is verified by reading the per-cell RBACL hit counters on the Nexus 7000.]

CTS7K-DC# show cts role-based counters sgt 5
RBACL policy counters enabled
Counters last cleared: 04/20/2010 at 11:20:58 PM
sgt:5 dgt:4 [1555]
rbacl:Permit IP
permit ip [1555]
sgt:5 dgt:8 [1483]
rbacl:Permit IP
permit ip [1483]
sgt:5 dgt:9 [1541]
rbacl:Permit IP
permit ip [1541]
sgt:5 dgt:10 [1804]
rbacl:IT_Maintenance_ACL
permit tcp dst eq 20 log [0]
permit tcp dst eq 21 log [3]
permit tcp dst eq 22 log [3]
permit tcp dst eq 445 log [0]
permit tcp dst eq 135 log [0]
permit tcp dst eq 136 log [0]
permit tcp dst eq 137 log [0]
permit tcp dst eq 138 log [0]
permit tcp dst eq 139 log [0]
permit tcp dst eq 3389 log [251]
permit icmp log [1547]
deny ip [0]

CLI available on NX-OS 5.0.
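SGACL enforcement and the counters above, as an added software model that is not code from the deck or from NX-OS: the policy is a matrix keyed by (source SGT, destination SGT), each cell an RBACL written in the deck's own ACE syntax, evaluated first-match-wins with per-ACE hit counters. Two behaviours are assumptions rather than statements from the deck: a (sgt, dgt) pair with no downloaded cell is permitted, and a cell whose ACEs all miss ends in an implicit deny, as Cisco ACLs do. The packets are constructed.

```python
# Added example (not code from the Cisco deck): a software model of SGACL
# enforcement. The policy matrix is keyed by (source SGT, destination SGT);
# each cell is a role-based ACL written in the deck's own syntax
# ("permit tcp dst eq 22 log", "permit icmp log", "deny ip"). Hit counters are
# kept per ACE, like "show cts role-based counters". The policy mirrors the
# show output above; the packets are constructed. Assumptions: a (sgt, dgt)
# pair with no downloaded cell is permitted, and a cell whose ACEs all miss
# ends in an implicit deny.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int]
    log: bool
    text: str              # original line, used as the counter key


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if len(toks) < 2 or toks[0] not in ("permit", "deny") \
            or toks[1] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported ACE: {line!r}")
    port = None
    if len(toks) >= 5 and toks[2] == "dst" and toks[3] == "eq":
        port = int(toks[4])
    return Ace(toks[0], toks[1], port, "log" in toks[2:], line.strip())


def parse_rbacl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace: Ace, proto: str, dst_port: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:   # "ip" matches any protocol
        return False
    return ace.dst_port is None or ace.dst_port == dst_port


class SgaclEnforcer:
    def __init__(self, policy: Dict[Tuple[int, int], Tuple[str, List[Ace]]]):
        self.policy = policy                  # (sgt, dgt) -> (rbacl name, ACEs)
        self.counters: Counter = Counter()    # (sgt, dgt, ace text) -> hits

    def check(self, sgt: int, dgt: int, proto: str,
              dst_port: Optional[int] = None) -> Tuple[bool, str]:
        """Return (permitted?, reason) for a packet from sgt to dgt."""
        cell = self.policy.get((sgt, dgt))
        if cell is None:
            return True, "no SGACL for this pair (default permit)"
        name, aces = cell
        for ace in aces:                      # first match wins
            if ace_matches(ace, proto, dst_port):
                self.counters[(sgt, dgt, ace.text)] += 1
                return ace.action == "permit", f"{name}: {ace.text}"
        return False, f"{name}: implicit deny"

    def show_counters(self, sgt: int) -> List[Tuple[int, int, str, int]]:
        """Rows like 'sgt:5 dgt:10 permit tcp dst eq 22 log [3]'."""
        return sorted((s, d, t, n) for (s, d, t), n in self.counters.items() if s == sgt)


IT_MAINTENANCE_ACL = """
permit tcp dst eq 20 log
permit tcp dst eq 21 log
permit tcp dst eq 22 log
permit tcp dst eq 445 log
permit tcp dst eq 135 log
permit tcp dst eq 136 log
permit tcp dst eq 137 log
permit tcp dst eq 138 log
permit tcp dst eq 139 log
permit tcp dst eq 3389 log
permit icmp log
deny ip
"""


def build_enforcer() -> SgaclEnforcer:
    """The matrix for source SGT 5 exactly as the show output lists it."""
    permit_ip = parse_rbacl("permit ip")
    return SgaclEnforcer({
        (5, 4): ("Permit IP", permit_ip),
        (5, 8): ("Permit IP", permit_ip),
        (5, 9): ("Permit IP", permit_ip),
        (5, 10): ("IT_Maintenance_ACL", parse_rbacl(IT_MAINTENANCE_ACL)),
    })


if __name__ == "__main__":
    e = build_enforcer()
    for pkt in [(5, 10, "tcp", 3389), (5, 10, "tcp", 443), (5, 10, "icmp", None), (5, 4, "tcp", 443)]:
        print(pkt, e.check(*pkt))
    print(e.show_counters(5))
```

Run it and the counters come out the way the switch reports them: RDP to the Patient Record DB lands on the 3389 line, an HTTPS attempt from the same IT Admin falls through to `deny ip`, and ICMP is permitted by the explicit `permit icmp log`.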

Network Device Admission Control (NDAC)

• Any member of the TrustSec domain must establish a trust relationship with its peer; otherwise the peer is not trusted

• Only an SGT received from a trusted member is honored and processed by its peer

• An SGT received from an untrusted device is replaced with "Unknown", a special SGT whose value is zero

• The process of authenticating an endpoint is called "Endpoint Admission Control" (e.g. SGT assignment via 802.1X)

• The process of authenticating a network device is called "Network Device Admission Control", NDAC for short


NDAC

Network Device Admission Control (NDAC) provides strong mutual authentication (EAP-FAST) to form a trusted domain. Only an SGT from a trusted peer is honored. Authentication leads to the Security Association Protocol (SAP), which negotiates keys and cipher suite for encryption automatically (mechanism defined in 802.11i). 802.1X-REV (MKA) will succeed and replace SAP. A trusted device acquires trust and policies from the ACS server.

Customer Benefits

• Mitigates rogue network devices and establishes a trusted network fabric that protects SGT integrity and the privileges an SGT grants

• Automatic key and cipher suite negotiation for strong 802.1AE-based encryption


NDAC validates the peer's identity before the peer joins the circle of trust.

• The first device to authenticate against ACS 5.x is called the TrustSec Seed Device

• The Seed Device becomes the authenticator for its peer, the supplicant

• A role determination process selects the Authenticator and Supplicant roles

• NDAC uses EAP-FAST with MSCHAPv2 inside, carried over RADIUS between the Seed Device and ACS 5.x

• The credential (including the PAC) is stored in the hardware key store

• Authorization returned to the Seed Device: PAC, environment data, policy


As each device connects to its peer, the TrustSec domain expands its border of trust.

• A device that is not connected to ACS directly is called a non-Seed Device

• The first peer to gain ACS server connectivity wins the authenticator role

• In case of a tie, the lower MAC address wins

[Figure: ACS 5.x, Seed Device (Authenticator), 802.1X NDAC, Non-Seed Device (Supplicant towards the seed, Authenticator towards the next hop), 802.1X NDAC, Non-Seed Device (Supplicant).]


Seed Device configuration (CTS7K-DC, 10.1.100.1/24, with L3 connectivity to CTS-ACS1 at 10.1.100.3/24 running ACS 5.1):

CTS7K-DC(config)# feature dot1x
CTS7K-DC(config)# feature cts
CTS7K-DC(config)# cts device-id CTS7K-DC password trustsec123
CTS7K-DC(config)# radius-server host 10.1.100.3 key cisco123 pac
CTS7K-DC(config)# aaa group server radius cts-radius-grp
CTS7K-DC(config-radius)# server 10.1.100.3
CTS7K-DC(config-radius)# use-vrf default
CTS7K-DC(config-radius)# exit
CTS7K-DC(config)# aaa authentication dot1x default group cts-radius-grp
CTS7K-DC(config)# aaa authorization cts default group cts-radius-grp
CTS7K-DC(config)# aaa accounting dot1x default group cts-radius-grp

RADIUS Shared Secret: cisco123
Device ID / Password: CTS7K-DC / trustsec123


Non-Seed Device configuration (CTS7K-CORE at 10.1.50.1 on the 10.1.50.0/24 link to the Seed Device CTS7K-DC at 10.1.50.2; CTS-ACS1 on 10.1.100.0/24 is reachable only through the Seed Device):

CTS7K-CORE(config)# feature dot1x
CTS7K-CORE(config)# feature cts
CTS7K-CORE(config)# cts device-id CTS7K-CORE password trustsec123
CTS7K-CORE(config)# interface eth1/15
CTS7K-CORE(config-if)# cts dot1x
CTS7K-CORE(config-if)# shut
CTS7K-CORE(config-if)# no shut
CTS7K-CORE(config-if)# end

Device ID / Password: CTS7K-CORE / trustsec123

The same cts dot1x command needs to be configured on the other end of the link, on CTS7K-DC.


NDAC sequence between a Supplicant Device, an Authenticator Device (already part of the TrustSec-enabled network) and ACS 5.0:

1. Role determination (which side is authenticator and which is supplicant)
2. Device authentication: EAPOL (EAP-FAST) between supplicant and authenticator, RADIUS from the authenticator to ACS; an EAP-FAST tunnel protects the exchange
3. Policy acquisition: policy returned from ACS
4. EAP-FAST tunnel tear down
5. Key establishment (SAP)
6. On-going key refresh (SAP)


• The Security Association Protocol (SAP) negotiates keys and cipher suite for encryption automatically

• Negotiation starts after successful NDAC authentication / authorization

• At the end of SAP, supplicant and authenticator hold the same session key

• The session key is used to encrypt traffic on the link

• The session key is derived from the PMK (learned by both devices from ACS during authentication) and random numbers exchanged during SAP

• Rekeying is performed periodically
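The derivation step described above, as an added illustration rather than Cisco's SAP implementation: both ends hold the same 32-byte PMK (from ACS after NDAC, or typed in manually), exchange fresh nonces, and expand PMK, addresses and nonces into one shared 128-bit session key; a rekey simply repeats the exchange with new nonces. The PRF (counter-mode HMAC-SHA256) and the label "Pairwise key expansion" follow the 802.11i design SAP is modelled on and are not documented Cisco constants; the PMK value is the one from the deck's manual-keying example and the MAC addresses are assumed from the SCIs in the show output.

```python
# Added example (not Cisco's SAP implementation): the 802.11i-style pairwise
# key derivation that SAP is modelled on. Both ends hold the same 32-byte PMK
# (from ACS after NDAC, or typed in as "sap pmk <64 hex chars>"), exchange
# fresh random nonces, and expand PMK + addresses + nonces into a shared
# session key; a periodic rekey repeats the exchange with new nonces.
# Assumptions: the PRF is a counter-mode HMAC-SHA256 expansion and the label
# "Pairwise key expansion" is the 802.11 one; neither is a documented Cisco
# SAP constant. The PMK is the deck's manual-keying value; the MAC addresses
# are assumed from the SCIs in the show output.
import hashlib
import hmac
import os
from typing import Tuple

SESSION_KEY_LEN = 16  # 128-bit AES-GCM key, as negotiated by SAP in GCM mode
PMK = "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"


def mac_bytes(mac: str) -> bytes:
    """Accept '0018.bad8.5352', '00:18:ba:d8:53:52' or '0018bad85352'."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)


def prf(key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Counter-mode KDF: HMAC-SHA256(key, i || label || 0x00 || context || L)."""
    out = b""
    for i in range(1, (length + 31) // 32 + 1):
        out += hmac.new(key, i.to_bytes(2, "little") + label + b"\x00" + context
                        + (length * 8).to_bytes(2, "little"), hashlib.sha256).digest()
    return out[:length]


def derive_session_key(pmk_hex: str, auth_mac: str, supp_mac: str,
                       anonce: bytes, snonce: bytes) -> bytes:
    """Both peers call this with the same inputs and obtain the same key."""
    pmk = bytes.fromhex(pmk_hex)
    if len(pmk) != 32:
        raise ValueError("PMK must be 32 bytes (64 hex characters)")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces must be 32 bytes")
    a, s = mac_bytes(auth_mac), mac_bytes(supp_mac)
    # Order-independent context, as in 802.11i: min/max of addresses and nonces
    context = min(a, s) + max(a, s) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", context, SESSION_KEY_LEN)


class SapPeer:
    """One end of the link; keeps the PMK and the current session key."""

    def __init__(self, mac: str, pmk_hex: str):
        self.mac, self.pmk_hex = mac, pmk_hex
        self.nonce, self.session_key = b"", b""

    def new_nonce(self) -> bytes:
        self.nonce = os.urandom(32)
        return self.nonce

    def install(self, peer_mac: str, peer_nonce: bytes, i_am_authenticator: bool) -> bytes:
        auth, supp = (self.mac, peer_mac) if i_am_authenticator else (peer_mac, self.mac)
        self.session_key = derive_session_key(self.pmk_hex, auth, supp, self.nonce, peer_nonce)
        return self.session_key


def sap_exchange(authenticator: SapPeer, supplicant: SapPeer) -> Tuple[bytes, bytes]:
    """One key establishment (or rekey): trade nonces, derive on both ends."""
    anonce, snonce = authenticator.new_nonce(), supplicant.new_nonce()
    k_auth = authenticator.install(supplicant.mac, snonce, True)
    k_supp = supplicant.install(authenticator.mac, anonce, False)
    return k_auth, k_supp


if __name__ == "__main__":
    core = SapPeer("0018.bad8.5346", PMK)
    dc = SapPeer("0018.bad8.5352", PMK)
    k1 = sap_exchange(core, dc)
    k2 = sap_exchange(core, dc)   # periodic rekey: new nonces, new key
    print(k1[0] == k1[1], k1[0] != k2[0])
```

The mismatch case is the one that matters operationally: a peer configured with a different PMK completes the exchange but ends up with a different session key, so nothing it sends will pass the receiver's integrity check, which is what a "sap pmk" typo on one side looks like in practice.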


• SAP negotiates the cipher suite. The following modes are available:

SAP Mode          Description
GCM               Galois/Counter Mode (GCM) encryption and authentication (default)
GMAC              GCM authentication only (no encryption)
No Encapsulation  No encapsulation and no security group tag (SGT) insertion
Null              Encapsulation without authentication or encryption


Manual SAP keying on the link between CTS7K-DS (10.1.50.2) and CTS7K-CORE (10.1.50.1):

CTS7K-DS
interface Ethernet1/15
 cts manual
  policy static sgt 0x0002 trusted
  sap pmk 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
 ip address 10.1.50.2/24
 ip router eigrp lab
 no shutdown

CTS7K-CORE
interface Ethernet1/3
 cts manual
  policy static sgt 0x000A trusted
  sap pmk 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
 ip address 10.1.50.1/24
 ip router eigrp lab
 no shutdown

• SAP can be configured per port

• No ACS involved

• The 32-byte PMK (Pairwise Master Key, 64 hex characters) must match on both sides

• The same SAP modes are available for manual keying

• Make sure the device SGT and the trusted keyword are configured


Verifying manual mode on both ends of the link (authentication and authorization skipped by configuration, SAP succeeded with GCM_ENCRYPT, peer SGT taken from the static policy):

CTS7K-DC-CTS7K-CORE# show cts interface ethernet 1/15

CTS Information for Interface Ethernet1/15:

CTS is enabled, mode: CTS_MODE_MANUAL

IFC state: CTS_IFC_ST_CTS_OPEN_STATE

Authentication Status: CTS_AUTHC_SKIPPED_CONFIG

Peer Identity:

Peer is: Unknown in manual mode

802.1X role: CTS_ROLE_UNKNOWN

Last Re-Authentication:

Authorization Status: CTS_AUTHZ_SKIPPED_CONFIG

PEER SGT: 2

Peer SGT assignment: Trusted

SAP Status: CTS_SAP_SUCCESS

Configured pairwise ciphers: GCM_ENCRYPT

Replay protection: Enabled

Replay protection mode: Strict

Selected cipher: GCM_ENCRYPT

Current receive SPI: sci:18bad853520000 an:0

Current transmit SPI: sci:18bad853460000 an:0


CTS7K-DC# show cts interface eth1/3

CTS Information for Interface Ethernet1/3:

CTS is enabled, mode: CTS_MODE_MANUAL

IFC state: CTS_IFC_ST_CTS_OPEN_STATE

Authentication Status: CTS_AUTHC_SKIPPED_CONFIG

Peer Identity:

Peer is: Unknown in manual mode

802.1X role: CTS_ROLE_UNKNOWN

Last Re-Authentication:

Authorization Status: CTS_AUTHZ_SKIPPED_CONFIG

PEER SGT: 10

Peer SGT assignment: Trusted

SAP Status: CTS_SAP_SUCCESS

Configured pairwise ciphers: GCM_ENCRYPT

Replay protection: Enabled

Replay protection mode: Strict

Selected cipher: GCM_ENCRYPT

Current receive SPI: sci:18bad853460000 an:0

Current transmit SPI: sci:18bad853520000 an:0


802.1AE

TrustSec provides Layer 2 hop-by-hop encryption and integrity based on the IEEE 802.1AE standard:

• 128-bit AES-GCM (Galois/Counter Mode), NIST approved (NIST Special Publication 800-38D, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf)

• Line-rate encryption / decryption on both 10GbE and 1GbE interfaces

• Replay protection of each and every frame

• 802.1AE encryption protects the CMD field (SGT value)

Customer Benefits

• Protects against man-in-the-middle attacks (snooping, tampering, replay)

• Standards-based frame format and algorithm (AES-GCM)

• Hop-by-hop approach is amenable to network services, compared to an end-to-end approach (e.g. Microsoft Domain Isolation / IPsec)


MACSec Tag Format / TrustSec Frame Format

DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC

802.1AE Header (SecTAG): MACSec EtherType (0x88e5) | TCI/AN | SL | Packet Number | SCI (optional)

Encrypted: 802.1Q, CMD, ETYPE and PAYLOAD. Authenticated by the ICV: everything from DMAC through PAYLOAD, i.e. the addresses, the 802.1AE header and the encrypted portion.
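The SecTAG layout above, and the "Replay protection: Strict" line in the show outputs, as an added parser and replay check that is not code from the deck or from NX-OS. The frame bytes are constructed; the SCI is the value from the show output zero-padded to 8 bytes (an assumption about how the CLI abbreviates it); the ICV is left zero-filled because no key is involved here. Everything behind the SecTAG (802.1Q, CMD, EtherType, payload) is encrypted when the E bit is set, so the parser treats it as opaque secure data.

```python
# Added example (not code from the Cisco deck): a parser for the IEEE 802.1AE
# SecTAG shown in the frame format above, plus the per-SCI replay check that
# "Replay protection: Strict" in the show output refers to. The frame bytes are
# constructed here; the SCI value is the one from the show output, zero-padded
# to 8 bytes (an assumption about how the CLI abbreviates it). The ICV is a
# zero placeholder: a real receiver verifies the AES-GCM tag before touching
# replay state. Everything behind the SecTAG is opaque when the E bit is set.
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16
# TCI bit masks (802.1AE clause 9): V, ES, SC, SCB, E, C; AN lives in bits 1:0
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


@dataclass
class SecTag:
    dst: bytes
    src: bytes
    an: int                 # association number (0..3)
    encrypted: bool         # E bit
    changed: bool           # C bit
    pn: int                 # packet number, never reused within one SA
    sci: bytes              # 8 bytes: system MAC + port identifier
    secure_data: bytes
    icv: bytes


def build_frame(dst: bytes, src: bytes, an: int, pn: int, sci: bytes,
                secure_data: bytes, encrypt: bool = True) -> bytes:
    """Constructed MACsec frame with an explicit SCI and a zero ICV."""
    tci = TCI_SC | (an & 0x03) | ((TCI_E | TCI_C) if encrypt else 0)
    sl = len(secure_data) if len(secure_data) < 48 else 0   # SL only for short data
    return (dst + src + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl, pn)
            + sci + secure_data + b"\x00" * ICV_LEN)


def parse_sectag(frame: bytes) -> SecTag:
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG")
    dst, src = frame[:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame: EtherType 0x{ethertype:04x}")
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    off = 20
    if tci_an & TCI_SC:                       # explicit SCI present
        sci, off = frame[off:off + 8], off + 8
    else:                                     # implicit SCI: source MAC + port 1
        if tci_an & TCI_ES and tci_an & TCI_SCB:
            raise ValueError("ES and SCB cannot both be set")
        sci = src + b"\x00\x01"
    body = frame[off:]
    if len(body) < ICV_LEN:
        raise ValueError("missing ICV")
    secure_data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    if sl and sl != len(secure_data):
        raise ValueError("short length field does not match secure data")
    return SecTag(dst, src, tci_an & 0x03, bool(tci_an & TCI_E),
                  bool(tci_an & TCI_C), pn, sci, secure_data, icv)


class ReplayChecker:
    """Highest PN seen per (SCI, AN). window=0 is strict mode: PN must increase."""

    def __init__(self, window: int = 0):
        self.window = window
        self.highest: Dict[Tuple[bytes, int], int] = {}

    def accept(self, tag: SecTag) -> bool:
        key = (tag.sci, tag.an)
        highest = self.highest.get(key, 0)
        lowest_acceptable = max(highest + 1 - self.window, 1)   # PN 0 is never valid
        if tag.pn < lowest_acceptable:
            return False
        if tag.pn > highest:
            self.highest[key] = tag.pn
        return True


if __name__ == "__main__":
    sci = bytes.fromhex("0018bad853520000")
    r = ReplayChecker()
    for pn in (5, 5, 3, 6):
        f = build_frame(b"\x01\x80\xc2\x00\x00\x03", sci[:6], 0, pn, sci, b"\xaa" * 40)
        print(pn, r.accept(parse_sectag(f)))
```

In strict mode the second copy of PN 5 and the late PN 3 are both dropped; with a replay window the late frame is accepted as long as it is not older than the window, which is the trade-off the "Replay protection mode" line in the show output records.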


[Figure: three hops, each link protected with 128-bit AES-GCM encryption; the bit stream is ciphertext on the wire and "everything in clear" inside each switch ASIC.]

"Bump-in-the-wire" model:

- Packets are decrypted at ingress

- Packets are in the clear inside the device

- Packets are encrypted at egress

This allows the network to continue to perform all the packet inspection features currently used.


Verifying 802.1X (NDAC) mode on both ends of the CTS7K-DC / CTS7K-CORE link (authentication and authorization succeeded, SAP succeeded, peer SGT trusted, SGT propagation enabled):

CTS7K-DC-CTS7K-CORE# show cts interface ethernet 2/2

CTS Information for Interface Ethernet2/2:

CTS is enabled, mode: CTS_MODE_DOT1X

IFC state:

CTS_IFC_ST_CTS_OPEN_STATE

Authentication Status: CTS_AUTHC_SUCCESS

Peer Identity: CTS7K-DC

Peer is: CTS Capable

802.1X role: CTS_ROLE_SUP

Last Re-Authentication:

Authorization Status: CTS_AUTHZ_SUCCESS

PEER SGT: 2

Peer SGT assignment: Trusted

SAP Status: CTS_SAP_SUCCESS

Configured pairwise ciphers: GCM_ENCRYPT

Replay protection: Enabled

Replay protection mode: Strict

Selected cipher: GCM_ENCRYPT

Current receive SPI: sci:22557760140000 an:0

Current transmit SPI: sci:22557760150000 an:0

Propagate SGT: Enabled


CTS7K-DC# show cts interface ethernet 2/1

CTS Information for Interface Ethernet2/1:

CTS is enabled, mode: CTS_MODE_DOT1X

IFC state:

CTS_IFC_ST_CTS_OPEN_STATE

Authentication Status: CTS_AUTHC_SUCCESS

Peer Identity: CTS7K-CORE

Peer is: CTS Capable

802.1X role: CTS_ROLE_AUTH

Last Re-Authentication:

Authorization Status: CTS_AUTHZ_SUCCESS

PEER SGT: 2

Peer SGT assignment: Trusted

SAP Status: CTS_SAP_SUCCESS

Configured pairwise ciphers: GCM_ENCRYPT

Replay protection: Enabled

Replay protection mode: Strict

Selected cipher: GCM_ENCRYPT

Current receive SPI: sci:22557760150000 an:3

Current transmit SPI: sci:22557760140000 an:3

Propagate SGT: Enabled


• AnyConnect 3.0 provides

Unified access interface for SSL-VPN, IPsec and 802.1X for LAN / WLAN

Support for MACSec / MKA (802.1X-REV) data encryption in software (performance depends on the endpoint's CPU)

MACSec-capable hardware (network interface card) improves performance with AnyConnect 3.0

For TrustSec:

• 802.1X: the headend is the switch, no ASA is needed. Licensing option under investigation

• MACSec:

• Hardware encryption requires AnyConnect and MACSec-ready hardware: Intel 82576 Gigabit Ethernet Controller, Intel 82599 10 Gigabit Ethernet Controller, Intel ICH10 / Q45 Express Chipset (1GbE LOM; Dell, Lenovo, Fujitsu and HP ship desktops with this LOM)

• Software encryption requires AnyConnect and uses the PC's CPU

All modes are available for download on CCO.


MACSec in Action Using AnyConnect 3.0

[Figure: an endpoint running AnyConnect 3.0 authenticates via 802.1X to a Cat3750X; ACS 5.2 reports "Authentication Successful!" with the policy "Finance Admin = Must Encrypt", and traffic on the downlink is MACSec-encrypted (shown as ciphertext). The uplink from the Cat3750X to a Cat 6K or Nexus 7K is encrypted likewise.]

Note:

Already supported:

• MACSec encryption in the DC between Nexus 7Ks

• Downlink encryption from AnyConnect to Cat 3KX (MKA)

Next Gen TrustSec adds:

• Switch-to-switch encryption (Cat 3KX to Cat6K or Nexus 7K)

• Note that switch-to-switch encryption uses SAP, not MKA

Cisco TrustSec – Monitoring and Reporting

• Native Tools in ACS 5.1 to compare ACS/Switch Information

• Validate SXP bindings on differing switches

• Validate User/Device SGT assignment

Cisco TrustSec Summary

[Figure: TrustSec enforcement points across the Internet edge, the virtual data center and the campus network.]

• Identity Services Engine 1.0

• Switch-to-switch MACSec encryption

• Catalyst 3750-X/3560-X

• Catalyst 4500 – SUP7-E

• Catalyst 6500 SUP2T

• Security Group Access enhancements - VDI


Identity Services Engine consolidates ACS, NAC Profiler, NAC Guest, NAC Manager and NAC Server into one platform providing:

• Centralized Policy

• Distributed Enforcement

• AAA Services

• Posture Assessment

• Guest Access Services

• Device Profiling

• Monitoring

• Troubleshooting

• Reporting


• TrustSec builds upon Identity services

• TrustSec provides a scalable Identity access control model

• TrustSec migration strategies allow customers to deploy with existing hardware

• TrustSec is deployable today


LAN Switch Security: What Hackers Know About Your Switches
Eric Vyncke, Christopher Paggen
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563


• Cisco Wireless LAN Security -http://www.ciscopress.com/bookstore/product.asp?isbn=1587051540

• Cisco Internetwork Troubleshooting -http://www.ciscopress.com/bookstore/product.asp?isbn=1578700922

• Cisco Secure Internet Security Solutions -http://www.ciscopress.com/bookstore/product.asp?isbn=1587050161

• Managing Cisco Network Security -http://www.ciscopress.com/bookstore/product.asp?isbn=1578701031

• Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design -http://www.ciscopress.com/bookstore/product.asp?isbn=1587052415

• Cisco LAN Switch Security: What Hackers Know About Your Switches -http://www.ciscopress.com/bookstore/product.asp?isbn=1587052563


• Configuring IEEE 802.1x Port-Based Authentication (Cat3560-E, IOS 12.2(52)SE)

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_52_se/configuration/guide/sw8021x.html

• Network Virtualization--Access Control Design Guide (Cisco CVD)

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/AccContr.html


• Contact: Ziad Sarieddine, TME

• 7 Available Pods located in RTP

• Accessible to Sales team and Partners

• Self Serve. (Allows Scheduling / Available Demo Script)

• Role Based Access Control (Dot1x and SGA), Guest Access

• Available on CEC, Cisco.com and Demo Portal

CEC:http://wwwin.cisco.com/WWSales/wwops/wwse/cdp/demoremote/bn-ts.shtml

Cisco.com:http://www.cisco.com/web/partners/sell/technology/ipc/integrated-solutions/cisco_trustsec.html

Demo Portal:http://wwwin-tools.cisco.com/WWSales/DemoPortal/app/datasheetPreview.do?datasheetId=309&environmentId=3&moduleName=Admin


• Twitter www.twitter.com/CiscoCZ

• Talk2Cisco www.talk2cisco.cz/dotazy

• SMS 732 488 666

You are invited to the "Ptali jste se…" (You asked…) session, TAURUS, 17:45 – 18:30

Please fill in the evaluation form

Lecture code (Kód přednášky)