
Session ID 20PT

Designing and Implementing Identity Security

Maurice Wheatley


© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential BRKSPM-2604_c1 2

Agenda

Authentication Protocols and Operation

IEEE 802.1X, MAB, Web Auth

Authorization

Host Modes and IP Telephony

Security Group Access

Deployment Scenarios

Monitor Mode

Low Impact Mode

Low Impact Mode with Security Group Access

High Security Mode

Why Is Identity Security Important?

1. Who are you? 802.1X (or a supplementary method) authenticates the user

2. Where can you go? Based on authentication, the user is placed in the correct VLAN

3. What service level do you receive? The user can be given per-user services

4. What are you doing? The user’s identity and location can be used for tracking and accounting

Keep the Outsiders Out / Keep the Insiders Honest / Personalize the Network / Increase Network Visibility


Authentication Protocols and Operation: IEEE 802.1X

IEEE 802.1X Has Multiple Components

Primary Components:

• Supplicant (802.1X Client): submits credentials for authentication

• Authenticator (Switch / WLAN): forwards credentials to the authentication server; controls access to the network

• Authentication Server (RADIUS Server): validates the supplicant’s credentials; defines access policy

• Backend Database (AD, LDAP, etc.): supports authentication server functions


Authentication Protocols and Operation: MAC Authentication Bypass (MAB)

Real Networks Can’t Live on 802.1X Alone: Default Access Control Is Binary

[Figure: only two outcomes, 802.1X Passed (Employee) or Unauthenticated; the Employee with a bad credential, the Guest, Managed Assets and a Rogue all land in the same Unauthenticated state]

802.1X with MAC Auth Bypass (MAB): Deployment Considerations

MAB enables differentiated access control

MAB leverages centralized policy on the AAA server

Not as strong as 802.1X: MAC addresses can be spoofed

MAB requires a database of known MAC addresses

[Figure: MAB-authenticated devices placed in a Contractor VLAN or Printer VLAN; the MAC database is held in RADIUS, LDAP or ACS]


MAC Databases: Device Discovery

Find It

• Leverage Existing Asset Database

• e.g. Purchasing Department, CUCM

Build It

• Bootstrap methods to gather data

• e.g. SNMP, Syslog, Accounting, DHCP, Monitor Mode

Buy It

• Automated Device Discovery

• e.g. ISE


Authentication Protocols and Operation: Web Authentication

802.1X with Web-Auth: Deployment Considerations

Web-Auth is only for users (not devices)

• browser required

• manual entry of username/password

Web-Auth can be a fallback from 802.1X or MAB.

Web-Auth and Guest VLAN are mutually exclusive

Web-Auth supports ACL authorization only

Web-Auth behind an IP Phone requires Multi-Domain Authentication (MDA)

Authentication Summary

IEEE 802.1X

• Strong authentication

• Requires a (configured) client

MAB

• Supports clientless/legacy devices

• Requires pre-existing database

WebAuth

• Support for clientless users

• Limited applications


Authorization: Host Modes and IP Telephony

IPT & 802.1X: Fundamental Challenges

“The operation of Port Access Control assumes that the Ports on which it operate offer a point-to-point connection between a single Supplicant and a single Authenticator. It is this assumption that allows the authentication decision to be made on a per-Port basis.”

IEEE 802.1X rev 2004

1. One device per port: IPT breaks the point-to-point model, because an IP phone with a PC behind it puts two devices on one port

2. Link state dependency: the PC’s link state is unknown to the switch, since the PC is plugged into the phone rather than the switch port, so a change behind the phone surfaces as a security violation

[Figure: Catalyst 3750 switch port with an IP phone and a PC daisy-chained behind it]

Modifying Single-MAC Requirement: IP Phones
Multi-Domain Authentication (MDA) Host Mode

interface FastEthernet3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-domain

IEEE 802.1X: single device per port
MDA: single device per domain per port (Data Domain and Voice Domain)

MDA replaces CDP Bypass

Supports Cisco & 3rd Party Phones

Phones and PCs use 802.1X or MAB

Modifying Single-MAC Requirement: Virtualized Endpoints
Multi-Authentication Host Mode

interface FastEthernet3/48
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode multi-auth

MAC-based enforcement for each device (e.g. each VM behind the port)

802.1X and/or MAB

Multi-Auth is a superset of MDA


Authorization: Security Group Access

Various Authorization Mechanisms

Three major enforcement mechanisms:

Dynamic VLAN assignment (ingress): simplifies ACLs but has major network impact (trunked VLANs and IP network fragmentation)

Downloadable per-session ACL (ingress): less impact than dynamic VLANs, but not scalable and hard to maintain

Security Group Access Control List (SGACL) (egress): scalable and easy to maintain; allows context-aware authorisation

Traditional Access Control

[Figure: users S1 to S4 (Sales, HR, Finance, Managers, IT Admins, HR Rep) as sources and servers D1 to D6 as destinations, with every source-to-destination pair controlled by its own ACEs]

S1 to D1 Access Control:

permit tcp S1 D1 eq https
permit tcp S1 D1 eq 8081
permit tcp S1 D1 eq 445
deny ip S1 D1

The number of ACEs grows as the number of users/servers increases

Network Admin manages every IP source to IP destination relationship explicitly

# of ACEs = (# of sources) * (# of Destinations) * permissions

Security Group Access (SGACL)

Security Group Based Access Control allows customers

To keep the existing logical design at the access layer

To change / apply policy to meet today’s business requirement

To distribute policy from a central management server

[Figure: a user authenticates via 802.1X/MAB/Web Auth (“I’m a contractor”, “My group is IT Admin”); the Contractor & IT Admin combination is assigned SGT = 100 by the SGT-capable device, and the tagged traffic (SGT = 100) reaches the Database (SGT=4) and IT Server (SGT=10)]

Security Group Access Key Features

Security Group Based Access Control

• Topology independent access control based on roles

• Scalable ingress tagging (SGT) / egress filtering (SGACL)

• Centralized Policy Management / Distributed Policy Enforcement

Confidentiality and Integrity

• Encryption based on IEEE 802.1AE (AES-GCM 128-Bit)

• Wire rate hop by hop layer 2 encryption

• Key management based on 802.11n (SAP) standardized in 802.1X-2010

Authenticated Networking Environment

• Endpoint admission enforced via 802.1X authentication, MAB, Web Auth (Cisco Identity compatibility)

• Network device admission control based on 802.1X creates a trusted networking environment

• Only the trusted network imposes the Security Group Tag

How SGACL Simplifies Access Control

Security Group (Source), users: MGMT A (SGT10), MGMT B (SGT20), HR Rep (SGT30), IT Admins (SGT40)

Security Group (Destination), servers: Sales SRV (SGT400), HR SRV (SGT500), Finance SRV (SGT600)

[Figure: each source group (x 100 users) maps through one SGACL to each destination group (10 network resources), instead of per-address ACEs]

• Network Admin manages every source “group” to destination “group” relationship

• This abstracts the network topology from the policy and reduces the number of policy rules necessary for the admin to maintain

• The network automates the alignment of users/servers to groups


Deployment Scenarios


What Is a Deployment Scenario?

A set of configuration guidelines designed to meet a particular deployment goal

Simplify deployments by following a blueprint

Increase efficiency by combining features that interoperate most effectively

Phase deployments for minimal impact to end users

Customize basic blueprint as needed

General Principles:

Start simple, start small

Start with minimal restrictions

Evolve as necessary

Define your Goals

Prevent Unauthorized Access

Increase Network Visibility

Increase Network Security

Solution deployment should be transparent to end users

Employee end-user behavior should not change.

Legacy devices must not be locked out.

The best authentication method based on device capabilities should be chosen.


Considerations

What authentication method(s) should be used?

Which devices support what authentication method(s)?

Any software or firmware upgrades needed?

Where are credentials stored? How to build and manage a MAC database?

What authorization methods scale to meet ultimate goals?

How do we discover what is out on our network?


The First Scenario: Monitor Mode

Monitor Mode

• Authentication Without Access Control

Low Impact Mode

• Minimal Impact to Network and Users

High Security Mode

• Logical Isolation of User Groups / Device Types

Monitor Mode Overview

Monitor Mode Goals

No Impact to Existing Network Access

See… …what is on the network

…who has a supplicant

…who has good credentials

…who has bad credentials

Deterrence through accountability

Monitor Mode: How To

Enable 802.1X & MAB

Enable Open Access

All traffic in addition to EAP is allowed

Like not having 802.1X enabled except authentications still occur

Enable Multi-Auth Host-Mode

Disable Authorization

Monitor Mode: AAA Server and Endpoints

AAA Server: should be fully configured except for authorization policy before this scenario:

Communication with AAA clients (i.e. switches)

Communication with credential repository (e.g. AD, MAC Database)

PKI (CA certs, server cert)

EAP Configuration

MAB Configuration

Endpoints: should be fully configured by the end of this scenario:

PKI (CA certs, client cert) or other credentials

Supplicants configured & installed everywhere supported

Enable machine auth

Enable user auth if needed

Monitor Mode: Next Steps

RADIUS Authentication & Accounting Logs:

Passed/failed 802.1X/EAP attempts → list of valid 802.1X-capable endpoints; list of invalid 802.1X-capable endpoints

Passed/failed MAB attempts → list of valid MACs; list of invalid or unknown MACs

Monitor Mode Next Steps

Improve Accuracy

Evaluate Remaining Risk

Leverage Information

Prepare for Access Control

Preparing for Access Control: Fix 802.1X Errors

Observed Failure: [figure]

Fix: Import an ACS server cert signed by the Enterprise CA

Preparing for Access Control: Put Valid MACs in MAB Database

Observed Failure: [figure]

Fix: [figure: MAC.CSV, the list of valid MACs loaded into the MAB database]

Information Pays for Itself: ROI Without Access Control

RADIUS Attribute            Example Value
Framed-IP-Address(8)        10.100.41.200
User-Name(1)                scadora
Acct-Session-Time(46)       27
Acct-Input-Octets(42)       2614
Acct-Output-Octets(43)      2469
Acct-Input-Packets(47)      7
Acct-Output-Packets(48)     18
Acct-Status-Type(40)        Interim-Update
NAS-Port-Type(61)           Ethernet
NAS-Port-Id(87)             FastEthernet2/48
Called-Station-Id(30)       00-1F-6C-3E-56-8F
Calling-Station-Id(31)      00-1E-4A-A9-00-A8
Service-Type(6)             Framed-User
NAS-IP-Address(4)           10.100.10.4
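The endpoint lists that Monitor Mode is meant to produce from the RADIUS logs, and the hand-off into the MAC.CSV step, as an added Python example that is not part of the deck: it parses constructed RADIUS events (attribute names taken from the table above) and separates supplicant problems from gaps in the MAB database. The key=value line format, the sample MACs and the MAC.CSV column layout are assumptions.

```python
"""Monitor Mode visibility (deck slides 30 to 33): turn RADIUS authentication
results into the endpoint lists the deck asks for, and pick out the MACs that
belong in the MAB database."""
import re
from collections import defaultdict

# Constructed sample events, not from the deck. One event per line in a simple
# key=value form; the attribute names are the ones in the deck's RADIUS table
# (User-Name, Calling-Station-Id, NAS-IP-Address, NAS-Port-Id).
SAMPLE_LOG = """\
2011-06-01T09:00:01 result=Access-Accept method=dot1x User-Name=scadora Calling-Station-Id=00-1E-4A-A9-00-A8 NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/48
2011-06-01T09:00:05 result=Access-Reject method=dot1x User-Name=host/LAPTOP-07 Calling-Station-Id=00-1E-4A-A9-00-B3 NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/12
2011-06-01T09:00:06 result=Access-Reject method=mab User-Name=001e4aa900b3 Calling-Station-Id=00-1E-4A-A9-00-B3 NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/12
2011-06-01T09:01:10 result=Access-Accept method=mab User-Name=0011223344aa Calling-Station-Id=00-11-22-33-44-AA NAS-IP-Address=10.100.10.4 NAS-Port-Id=FastEthernet2/3
2011-06-01T09:02:44 result=Access-Reject method=mab User-Name=00259c1f0c7e Calling-Station-Id=00-25-9C-1F-0C-7E NAS-IP-Address=10.100.10.5 NAS-Port-Id=FastEthernet3/48
2011-06-01T09:03:00 result=Access-Reject method=mab User-Name=00259c1f0c7e Calling-Station-Id=00-25-9C-1F-0C-7E NAS-IP-Address=10.100.10.5 NAS-Port-Id=FastEthernet3/48
"""

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(raw):
    """Accept the RADIUS form (00-1E-4A-A9-00-A8), the IOS form (001e.4aa9.00a8)
    and the colon form; return canonical lower-case 00:1e:4a:a9:00:a8."""
    digits = re.sub(r"[-:.]", "", raw.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_events(text):
    """Parse the key=value lines into dicts, adding a canonical 'mac' key."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        event = {"timestamp": timestamp}
        for token in rest.split():
            key, _, value = token.partition("=")
            event[key] = value
        event["mac"] = normalize_mac(event["Calling-Station-Id"])
        events.append(event)
    return events


def classify(events):
    """Split endpoints the way the deck's Monitor Mode slide does: who has a
    supplicant (any 802.1X attempt), who has good or bad credentials, and
    which MACs MAB accepted or did not know."""
    lists = {"dot1x_valid": set(), "dot1x_invalid": set(),
             "mab_valid": set(), "mab_unknown": set()}
    reject_count = defaultdict(int)
    for e in events:
        accepted = e["result"] == "Access-Accept"
        if e["method"] == "dot1x":
            lists["dot1x_valid" if accepted else "dot1x_invalid"].add(e["mac"])
        elif e["method"] == "mab":
            lists["mab_valid" if accepted else "mab_unknown"].add(e["mac"])
        if not accepted:
            reject_count[e["mac"]] += 1
    return lists, dict(reject_count)


def mab_candidates(lists):
    """MACs that MAB rejected and that never attempted 802.1X: the clientless
    or legacy devices to verify against the asset database and then load into
    the MAB store. A MAC that does have a supplicant but failed is a supplicant
    or PKI problem (deck slide 31), not a MAB entry."""
    has_supplicant = lists["dot1x_valid"] | lists["dot1x_invalid"]
    return sorted(lists["mab_unknown"] - has_supplicant - lists["mab_valid"])


def mac_csv(macs, description="verified legacy device"):
    """Render MAC.CSV-style lines. The two-column layout is an assumption;
    match it to the AAA server's import format."""
    return "\n".join(f"{mac},{description}" for mac in macs)


def summarize(text):
    """Run the whole pipeline on a log text and return sorted lists."""
    lists, rejects = classify(parse_events(text))
    summary = {name: sorted(macs) for name, macs in lists.items()}
    summary["mab_candidates"] = mab_candidates(lists)
    summary["reject_count"] = rejects
    return summary


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name}: {value}")
    print(mac_csv(summarize(SAMPLE_LOG)["mab_candidates"]))
```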

Monitor Mode in a Nutshell

Summary

• Authentication without Authorization

• Extensive Network Visibility

Benefits

• No Impact to Endpoints or Network

• Define/refine your support processes

Limitations

• No Access Control

Next Steps

• Monitor the Network

• Evaluate Remaining Risk

• Prepare for Access Control


The Second Scenario: Low Impact


Low Impact Mode Overview

Low Impact Mode Goals

Begin to control/differentiate network access

Minimize Impact to Existing Network Access

Retain Visibility of Monitor Mode

“Low Impact” == no need to re-architect your network

Keep existing VLAN design

Minimize LAN changes

Low Impact Mode: How To

Start from Monitor Mode

Add new features for access-control: downloadable ACLs, flexible auth fail handling, security group access

Limit number of devices connecting to port

Add new features to support IP Phones

Example: Using Low Impact Mode to Bootstrap a New Phone

Pre-auth ACL allows just enough access for config, CTL

New config enables 802.1X on phone

After 802.1X, phone has full access

Same idea can give MAB phones access before 802.1X times out

Pre-Auth ACL (TFTP server 10.100.10.238):

permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000

Example: Using Low Impact Mode for PXE

Pre-auth ACL allows just enough access for DHCP, TFTP

Downloaded OS has 802.1X Enabled

After 802.1X, Client Has Full Access

Pre-Auth ACL:

permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp

IPT & 802.1X: The Link-State Problem

[Figure: Catalyst 3750 port with an IP phone (A) and a PC (B) connected behind it; the port is authorized for 0011.2233.4455 only]

1) Legitimate users cause a security violation: a different PC (S:6677.8899.AABB) plugged in behind the phone appears on a port authorized for 0011.2233.4455 only, so the switch raises a Security Violation

2) Hackers can spoof the MAC to gain access without authenticating: the switch never saw the authenticated PC’s link go down, so a device presenting S:0011.2233.4455 inherits the authorized session (Security Hole)

Link State: Three Solutions

[Figure: three Catalyst 3750 ports, each with an IP phone and a PC behind it, showing the session being cleared by CDP Link Down, by Proxy EAPoL-Logoff and by the Inactivity Timer]

Proxy EAPoL-Logoff: only works for 802.1X endpoints; requires a Logoff-capable phone

Inactivity Timer: switch feature; works for MAB endpoints; port vulnerable during timeout; quiet devices may get kicked off

CDP 2nd Port Status: works for all of 802.1X, MAB, Web-Auth; nothing to configure; combined switch + phone feature. Recommended!


Low Impact Mode with Security Group Access

Challenge of Ingress Access Control List

[Figure: ISE 1.0; users and endpoints on Catalyst switches (3K/4K/6K) in the campus network; ingress enforcement with a downloadable ACL inside the TrustSec domain, toward Site A, Site B, Site C, Site D and the Internet]

The switch needs to be aware of all network segments and addresses that need to be protected

More dACL ACEs consume limited TCAM space on switches

Simple networks/policy can use dACL only

dACL Content:

permit protocol any to Site A Servers eq services
permit protocol any to Site B Servers eq services
deny protocol any to Site C Servers eq services
permit protocol any to Site D Servers eq services

SGA with Low Impact Mode Use Case: Selective Access with SGT Enforcement

[Figure: ISE 1.0; users and endpoints on Catalyst switches (3K/4K/6K) in Low Impact Mode; campus network; egress enforcement by Security Group ACL on a Cat 6500 w/ SUP 2T in front of the HR Server and ACME Server; Internet]

1. User connects to network

2. Pre-Auth ACL only allows selective service before authentication

3. Authentication is performed and results are logged by ACS. dACL is downloaded along with SGT (ACME user: AUTH=OK, ACL=Permit IP Any, SGT=10)

4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point

5. Only the permitted traffic path (source SGT to destination SGT) is allowed

SGACL matrix:

SRC \ DST        HR Server (111)   ACME Server (222)   Unknown (0)
ACME User (10)   Deny all          Permit all          Permit all
HR User (10)     Permit all        Permit all          Permit all
Guest (30)       Deny all          Deny all            Permit all

Access port configuration:

authentication port-control auto
authentication open
ip access-group PRE-AUTH-ACL in
dot1x pae authenticator

PRE-AUTH-ACL:

permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
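An added example (not from the deck) that parses the pre-auth ACLs shown on the phone bootstrap, PXE and SGA slides and evaluates sample flows against them, so the "just enough access" claim can be checked before an ACL is applied with ip access-group ... in. The Flow and Ace classes, the port-name table and the sample endpoint and Internet addresses are assumptions; the server addresses are the deck's.

```python
"""Evaluate the Low Impact Mode pre-auth ACLs (deck slides 37, 38 and 43)
against sample flows: does each ACL allow 'just enough' pre-auth access?"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# ACL text copied from the deck. Handled ACE subset: 'any' / 'host <ip>',
# 'eq <port>', 'range <lo> <hi>', 'established'; no wildcard masks.
PHONE_PREAUTH_ACL = """\
permit ip host 10.100.20.200 any
permit udp any any eq bootps
permit udp any host 10.100.10.238 eq tftp
permit udp any host 10.100.10.238 range 32768 61000
"""
SGA_PREAUTH_ACL = """\
permit tcp any any established
permit udp any any eq bootps
permit udp any host 10.100.10.116 eq domain
permit udp any host 10.100.10.117 eq tftp
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "tftp": 69, "domain": 53, "https": 443}


@dataclass
class Flow:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # True when the TCP ACK (or RST) bit is set


@dataclass
class Ace:
    action: str
    proto: str
    src: Optional[str]  # None means 'any'
    dst: Optional[str]
    lo: Optional[int] = None
    hi: Optional[int] = None
    established: bool = False

    def matches(self, flow):
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.src is not None and self.src != flow.src:
            return False
        if self.dst is not None and self.dst != flow.dst:
            return False
        if self.lo is not None and not (self.lo <= flow.dport <= self.hi):
            return False
        # 'established' matches only TCP segments with ACK or RST set
        if self.established and not (flow.proto == "tcp" and flow.ack):
            return False
        return True


def _address(tokens):
    """Consume 'any' or 'host <ip>' from the front of the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return str(ip_address(tokens[1])), tokens[2:]
    raise ValueError(f"unsupported address spec: {' '.join(tokens)}")


def _port(token):
    """Resolve a port name from PORT_NAMES or a numeric port."""
    return PORT_NAMES.get(token) or int(token)


def parse_acl(text):
    """Parse ACE lines, in order, into Ace objects."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"cannot parse ACE: {line}")
        src, rest = _address(rest)
        dst, rest = _address(rest)
        ace = Ace(action, proto, src, dst)
        if rest and rest[0] == "eq":
            ace.lo = ace.hi = _port(rest[1])
        elif rest and rest[0] == "range":
            ace.lo, ace.hi = _port(rest[1]), _port(rest[2])
        elif rest and rest[0] == "established":
            ace.established = True
        elif rest:
            raise ValueError(f"unsupported qualifier in ACE: {line}")
        aces.append(ace)
    return aces


def evaluate(aces, flow):
    """First matching ACE wins; the implicit 'deny ip any any' at the end is
    what limits pre-auth access to the listed services."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action
    return "deny"
```

A flow from an unauthenticated endpoint is modelled as Flow(proto, src, dst, dport, ack); for example evaluate(parse_acl(PHONE_PREAUTH_ACL), Flow("tcp", "10.100.41.200", "203.0.113.10", 443)) returns "deny".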

More Flexible Policy with Role-Based Access Control: Everyone Has a Different Role

Identity Information (Identity: Network Administrator; Identity: Full-Time Employee; Identity: Guest)

+ Conditions (Time and Date, Access Type, Location)

= Access Privilege (Engineering, Human Resources, Finance, Home Access, Deny Access, Guest, Other)

Example users: Francois Didier (Employee, Consultant); Vicky Sanchez (Employee, Marketing); Susan Kowalski (Employee, Sales Director); Rossi Barks (Employee, HR)

Role + Rule-Based Access Control Example: Human Resources Role

Identity Information: Rossi Barks, Employee, HR (identity categories: Network Administrator, Guest, Full-Time Employee)

+ Conditions: Time and Date; Location: Campus; Access Type: Wired

= Access Privilege: Human Resources (out of Engineering, Finance, Home Access, Deny Access, Guest, Human Resources, Other)

Role + Rule-Based Access Control Example: Human Resources Role (off-site)

Identity Information: Rossi Barks, Employee, HR

+ Conditions: Time and Date; Location: Off-site; Access Type: Wired

= Access Privilege: Deny Access

SGA with Low Impact Mode Use Case: Selective Access with SGT Enforcement (HR user in wrong locale)

[Figure: same topology as the previous use case: ISE 1.0; users and endpoints on Catalyst switches (3K/4K/6K) in Low Impact Mode; campus network; egress enforcement by Security Group ACL on a Cat 6500 w/ SUP 2T; HR Server, ACME Server, Internet]

1. User connects to network

2. Pre-Auth ACL only allows selective service before authentication

3. Authentication is performed and results are logged by ACS. dACL is downloaded along with SGT (HR user off site: AUTH=OK, SGT=8)

4. Traffic traverses to the Data Center and hits the SGACL at the egress enforcement point

5. Only the permitted traffic path (source SGT to destination SGT) is allowed; the off-site HR user’s traffic to the HR Server is dropped (X)

SGACL matrix:

SRC \ DST          HR Server (111)   ACME Server (222)   Unknown (0)
HR Off Site (8)    Deny all          Permit all          Permit all
HR User (10)       Permit all        Permit all          Permit all
Guest (30)         Deny all          Deny all            Permit all
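The role-plus-rule SGT assignment of the HR examples and the SGACL egress lookup of the matrix above, as an added Python example (not Cisco's code): the SGT values and matrix cells come from the slides, while the Session fields, the rule list, the destination names, the treatment of tags from untrusted devices and the handling of cells missing from the matrix are assumptions.

```python
"""Role + rule based SGT assignment (deck slides 44 to 46) feeding the SGACL
egress matrix of slides 43 and 47. The SGT values and the matrix cells are the
deck's; the session records, rule layout and server names are constructed."""
from dataclasses import dataclass

SGT = {"UNKNOWN": 0, "HR_OFF_SITE": 8, "HR_USER": 10, "GUEST": 30,
       "HR_SERVER": 111, "ACME_SERVER": 222}

# SGACL matrix from slide 47: (source SGT, destination SGT) -> action.
SGACL = {
    (10, 111): "permit", (10, 222): "permit", (10, 0): "permit",   # HR User
    (8, 111): "deny",    (8, 222): "permit", (8, 0): "permit",     # HR Off Site
    (30, 111): "deny",   (30, 222): "deny",  (30, 0): "permit",    # Guest
}
# Destination group membership (constructed names); anything else is Unknown (0).
DEST_SGT = {"HR Server": SGT["HR_SERVER"], "ACME Server": SGT["ACME_SERVER"]}


@dataclass(frozen=True)
class Session:
    """What the AAA server knows after authentication: identity information
    plus the 'other conditions' the deck lists (location, access type)."""
    user: str
    identity: str      # "employee", "guest" or "network-admin"
    role: str          # "HR", "Marketing", ...
    location: str      # "campus" or "off-site"
    access_type: str   # "wired" or "wireless"


# Authorization rules in evaluation order, first match wins. Constructed to
# mirror the deck's HR examples: HR on campus over wired gets the HR User tag,
# HR off site gets the restricted HR Off Site tag, guests get Guest.
RULES = [
    (lambda s: s.identity == "guest", "GUEST"),
    (lambda s: s.role == "HR" and s.location == "campus" and s.access_type == "wired", "HR_USER"),
    (lambda s: s.role == "HR" and s.location == "off-site", "HR_OFF_SITE"),
]


def assign_sgt(session):
    """Pick the SGT the AAA server would return with the authorization
    result; no matching rule leaves the session untagged (Unknown, 0)."""
    for predicate, name in RULES:
        if predicate(session):
            return SGT[name]
    return SGT["UNKNOWN"]


def enforce(src_sgt, dst_sgt, tagged_by_trusted_device=True, default="deny"):
    """Egress SGACL lookup. The deck states that only the trusted network
    imposes the Security Group Tag; this is modelled (simplified) by treating a
    tag from a device that did not pass network device admission control as
    Unknown. Cells missing from the matrix fall to 'default', an assumption
    here; the real default policy is configurable."""
    if not tagged_by_trusted_device:
        src_sgt = SGT["UNKNOWN"]
    return SGACL.get((src_sgt, dst_sgt), default)


def decide(session, destination, tagged_by_trusted_device=True):
    """Walk the deck's five steps for one flow and return the trace."""
    src_sgt = assign_sgt(session)
    dst_sgt = DEST_SGT.get(destination, SGT["UNKNOWN"])
    action = enforce(src_sgt, dst_sgt, tagged_by_trusted_device)
    return {"user": session.user, "src_sgt": src_sgt, "destination": destination,
            "dst_sgt": dst_sgt, "action": action}


if __name__ == "__main__":
    rossi_campus = Session("Rossi Barks", "employee", "HR", "campus", "wired")
    rossi_remote = Session("Rossi Barks", "employee", "HR", "off-site", "wired")
    guest = Session("visitor", "guest", "", "campus", "wireless")
    for session in (rossi_campus, rossi_remote, guest):
        for dest in ("HR Server", "ACME Server", "203.0.113.10"):
            t = decide(session, dest)
            print(f"{t['user']:12} SGT {t['src_sgt']:>3} -> {dest:13} "
                  f"(SGT {t['dst_sgt']:>3}): {t['action']}")
```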

Low Impact in a Nutshell

Summary

• Default open + pre-auth ACL

• Differentiated Access Control using dynamic ACLs and/or SGA

Benefits

• Minimal Impact to Endpoints

• Minimal Impact to Network

Limitations

• No L2 Isolation

Next Steps

• Monitor the Network

• Tune ACLs as necessary

• Evaluate Remaining Risk


The Last Scenario: High Security


High Security Mode Overview

High Security Mode Goals

No access before authentication

Rapid access for non-802.1X-capable corporate assets

Logical isolation of traffic at the access edge

High Security: How To

Return to default “closed” access

Timers or authentication order change

Implement identity-based VLAN assignment

High Security in a Nutshell

Summary

• Default closed

• Differentiated access control using dynamic VLANs, dynamic ACLs and/or Security Group Access

Benefits

• Logical Isolation at L2

• No Access for Unauthorized Endpoints

Limitations

• Impact to Network

• Impact to Endpoints

Next Steps

• Monitor the Network


Conclusion

Lessons Learned & Factors for Success

Start with Monitor Mode

• Collect and study network telemetry

• Progressively configure your endpoints

• Phase in authorization when you’re ready

Homogeneity makes things easier

• Multiple protocols, multiple features, multiple products

Prioritize teamwork and communication

• It’s not just about technology, support processes need to change too

Proof of concept is not optional


Complete Your Session Evaluation

Please give us your feedback!!

Complete the evaluation form you were given when you entered the room

This is session 4.4

Don’t forget to complete the overall event evaluation form included in your registration kit

YOUR FEEDBACK IS VERY IMPORTANT FOR US!!! THANKS
