TRANSCRIPT
Identity Based Network Access
Identity Based Network Access - Agenda
• “What are my issues”
• Cisco ISE Power training
• “What have I achieved”
• “What do I want to do”
What are the issues?
• Staff
• Student
• Contractor
• Guest
ISE has answers for who, what, when, where, how and more.
Cisco Identity Services Engine Power Training
Network Access & Digitization: a device shows up on the network with only
MAC ADDRESS: 00-05-01-AA-E1-FF
IP ADDRESS: 192.168.2.101
Who owns that device? What device is it? How is it connected? When did it connect? Where is it located? Is it vulnerable? Any threats from it?
How to secure your network with so many unknowns?
Make fully informed decisions, using ISE, with rich contextual awareness.
Without ISE                        With ISE
UNKNOWN                            KNOWN
IP ADDRESS: 192.168.2.101          WHO     Bob (Employee)
Unknown                            WHAT    Apple iPad / iOS 11.0.1
Unknown                            WHEN    10:30 AM PST
Unknown                            WHERE   Floor-1, San Jose, Building 19
Unknown                            HOW     Wireless
Unknown                            APPS    Firefox, MS Word, AnyConnect
Unknown                            SPEC    Serial number, CPU, memory
RESULT: Access to any device/user  RESULT: Authorized network access
Poor context awareness             Rich context awareness
ISE Use Cases
• Visibility: Who and what is on your network, shared with other security tools (e.g. StealthWatch) for better threat and behavioral clarity
• DEFCON Policy Enforcement: When there is a security outbreak, customers have one button to push to activate different policies network-wide, using software-defined segmentation
• Simplified Firewall Rule management with TrustSec: The number and complexity of firewall rules can be reduced by up to 80%, which reduces errors and costs
• Always-on Policy Compliance: Assurance that your network, devices and their behaviors are compliant with company and regulatory requirements
• Rapid Threat Containment: Stop threats anywhere in the network from one console
• TrustSec Software-Defined Segmentation: Easily create segments on the network and NGFW to increase protection and reduce malware proliferation
• Next Gen Access Control: Control access to the network and resources based on context, for more accurate access policy options and enforcement
• Ecosystem Integration: One framework to integrate different security products, share intel, see threats faster and take action from the customer’s preferred product, such as FMC or Splunk
• Guest Access
Authentication and Authorization
AUTHENTICATION: Who are you? (Certificates / Passwords, e.g. EMPLOYEE alice / *****, CONTRACTOR)
AUTHORIZATION: What can you do? (NETWORK ACCESS to PROTECTED SERVERS, SHARED SERVICES, PUBLIC NETWORK)
Active versus Passive Identity
Active Identity: IP to User mapping obtained via active interaction between ISE and the client via 802.1X, Web authentication, Remote access VPN, etc. (Cisco ISE challenges Alice directly: “Alice?” and gets “Yes”.)
Passive Identity: IP to User mapping obtained via passive means like AD WMI events, AD Agents, Syslog, SPAN sessions and more. (1) Jim logs in to AD as DOMAIN\Jim (AD Login); (2) the “Jim Logged in” event reaches Cisco ISE from AD; (3) ISE records the IP to user mapping without ever talking to Jim’s device.
Authentication Option 1 - 802.1X: Overview
Roles:
• Endpoint (Supplicant): software running on the client that provides credentials (Certificate / Password / Token) to the authenticator (Network Device).
• Network Device (Authenticator)
• Cisco ISE (Authentication Server)
• Active Directory (Identity Store)
EAP (Extensible Authentication Protocol) is carried inside 802.1X between the supplicant and the network device, and inside RADIUS between the network device and Cisco ISE.
Authentication Option 1 - 802.1X: Fundamentals of 802.1X
1. Endpoint → Network Device: EAP: EAP-RESPONSE-IDENTITY
2. Network Device → Cisco ISE: RADIUS: ACCESS-REQUEST, SERVICE-TYPE: FRAMED (EAP carried inside RADIUS); ISE checks the credentials against Active Directory
3. Cisco ISE → Network Device: RADIUS: ACCESS-ACCEPT, VSA: Airespace-ACL = Employee-ACL
4. Network Device → Endpoint: EAP: EAP-SUCCESS; the port becomes Port-Authorized
If authentication fails, the port stays Port-Unauthorized.
Authentication Option 2 - MAC Authentication Bypass (MAB)
Endpoints without a supplicant will fail 802.1X authentication! After the 802.1X timeout the Network Device falls back to MAB.
MAB requires a MAC address database | ISE can build this database dynamically with profiling
Bypassing “Known” MAC Addresses:
1. Network Device → Endpoint: EAP: What’s your Id? (no 802.1X reply from the endpoint)
2. Endpoint sends any packet; the Network Device learns MAC 00-10-23-AA-1F-38 and sends a RADIUS request to Cisco ISE with User: 00-10-23-AA-1F-38
3. Cisco ISE → Network Device: ACCESS-ACCEPT
Authentication Type 3: ISE ‘Easy Connect’
Identity based network access without 802.1X.
1. An endpoint with no 802.1X connects to SWITCH-1; MAB gives it LIMITED ACCESS (DHCP, DNS, NTP, AD only).
2. Bob logs in to the DOMAIN CONTROLLER as DOMAIN\bob.
3. Cisco ISE retrieves the user-ID and the user’s AD membership (EMPLOYEES).
4. CoA: Limited Access → FULL ACCESS to the Enterprise Network. Unknown devices stay on LIMITED ACCESS.
Benefits:
• Increased visibility into active network sessions
• Flexible deployment co-operates with other auth methods
• Immediate value: leverage existing infrastructure
Authentication Type 4: Web Authentication - Local or Central Web Authentication (LWA/CWA)
Flow between Endpoint, Network Device and Cisco ISE:
1. Endpoint sends its initial packet; the Network Device sends a MAB Request to Cisco ISE (“Got your MAC, need your ID”).
2. Initial AuthZ from ISE: Limited Access ACL + URL-Redirect to ISE.
3. Endpoint browses to Google.com and is redirected to the ISE login page; the user enters username + password (alice / …....).
4. ISE sends CoA: Force ReAuth to the Network Device.
5. The Network Device sends a new MAB Request; ISE matches the “session cache” of the previous successful WebAuth.
6. Final AuthZ: Full Access ACL.
Change of Authorization (CoA) - RFC 5176
RADIUS CoA (Change of Authorization) is a feature that allows ISE to adjust an active client session: initial access first, then a change in access.
Requires the endpoint’s ‘active session’ on ISE
Automatic / Manual initiation of CoA
Use cases:
• Central Web Authentication (CWA)
• Device Profiling
• Posture assessment
• Threat Centric NAC
• Adaptive Network Control and more
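The four authentication options and the CoA step above, as an added example that is not part of the original presentation: a Python model of one switch port (authenticator) and ISE (authentication server). KNOWN_MACS, PORTAL_USERS and the ACL names are constructed, and the 802.1X timeout is represented simply by the absence of an EAP identity.

```python
"""Constructed model of the port authentication flow on the slides: 802.1X
first, MAB after the 802.1X timeout, limited access + URL-redirect for an
unknown MAC (CWA), then a CoA re-authentication that grants full access."""
from dataclasses import dataclass
# Constructed sample data: MACs known through profiling, portal credentials.
KNOWN_MACS = {"00-10-23-AA-1F-38": "Cisco-IP-Phone"}
PORTAL_USERS = {"alice": "s3cret"}

@dataclass
class Authz:
    method: str
    acl: str
    url_redirect: bool = False  # True: limited access, go to the ISE login page

class IseSim:
    """Authentication-server side: answers each RADIUS Access-Request."""
    def __init__(self):
        self.session_cache = {}  # mac -> user after a successful WebAuth

    def access_request(self, mac, eap_identity=None):
        if eap_identity:                 # Option 1: 802.1X identity supplied
            return Authz("802.1X", "Employee-ACL")
        if mac in KNOWN_MACS:            # Option 2: MAB, MAC known via profiling
            return Authz("MAB", f"{KNOWN_MACS[mac]}-ACL")
        if mac in self.session_cache:    # Option 4: MAB matches WebAuth cache
            return Authz("MAB", "Full-Access-ACL")
        return Authz("MAB", "Limited-Access-ACL", url_redirect=True)

    def web_login(self, mac, user, password):
        """Portal login; on success ISE caches the session and issues CoA."""
        if PORTAL_USERS.get(user) != password:
            return None
        self.session_cache[mac] = user
        return "CoA: Force ReAuth"

class SwitchSim:
    """Authenticator side: 802.1X when a supplicant answers, else MAB."""
    def __init__(self, ise):
        self.ise = ise
        self.ports = {}  # mac -> current Authz applied to the port

    def connect(self, mac, eap_identity=None):
        # No EAP-Response-Identity -> 802.1X timeout -> MAB with the MAC as user
        self.ports[mac] = self.ise.access_request(mac, eap_identity)
        return self.ports[mac]

    def coa(self, mac):
        """CoA 'Force ReAuth': re-run authentication for the named session."""
        return self.connect(mac)
```

The unknown MAC only reaches Full-Access-ACL after the portal login succeeded and the CoA re-authentication hit the session cache, which is the property to verify when a redirect is not followed by a CoA.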
Authorization Options - Beyond RADIUS ‘ACCESS-ACCEPT’ / ‘ACCESS-REJECT’
DACL or Named ACL: Downloadable ACL (Wired) or Named ACL (Wired + Wireless), e.g.
  Contractor: deny ip host <critical>; permit ip any any
  Employee: permit ip any any
VLANs: Dynamic VLAN Assignments, per port / per domain / per MAC, e.g. Employees VLAN 3, Guest VLAN 4, Remediation
Scalable Group Tags (Cisco TrustSec): 16 bit SGT assignment and SGT based Access Control
A Typical ISE Authentication and Authorization policy defines:
• Authentication method
• Where to look for identities
• How to handle Auth failures
• Authorization conditions
• End result
Building Identity & Context
Building Context: ‘User’
The ISE Session Database records who is connected, where and how (Active / Passive Identity) and which group they belong to (EMPLOYEES, CONTRACTORS, GUESTS), e.g.:
• Harry connected via Switch-SJC01
• Bob connected via AP-SJC03
• Alice connected via VPN005
Context attributes ISE builds per session: WHO, WHAT, WHEN, WHERE, HOW, POSTURE, APPLICATIONS, VULNERABILITY, THREAT
ISE data collection methods for Device profiling:
• ACTIVE PROBES: Netflow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP
• DEVICE SENSOR: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS
• ANYCONNECT ACIDex
• AD
Building Context: ‘Device-Type’
Profiler Policy: If CDP:Platform Name = Cisco IP Phone, then Endpoint ID Group = Cisco-IP-Phone
Authorization Policy: If Endpoint ID Group = Cisco-IP-Phone, then Voice VLAN
Sources: AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS) | Feed Service (Online/Offline). Endpoints send interesting data that reveal their device identity to Cisco ISE.
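The profiler and authorization policy layers just described, together with the typical policy structure and the authorization options (dACL, VLAN) from the earlier slides, as an added example that is not ISE’s own policy engine: the rule tables, the dACL/VLAN values and the voice permission mapping are constructed from the slide examples.

```python
"""Constructed evaluator for the two policy layers on the slides: a profiler
policy that turns collected attributes (CDP here) into an Endpoint ID Group,
and an authorization policy mapping identity, method and endpoint group to a
result (VLAN, dACL, voice permission). Rules are made up from slide examples."""

# Profiler policy, first match wins: (conditions, Endpoint ID Group)
PROFILER_POLICY = [({"CDP:Platform Name": "Cisco IP Phone"}, "Cisco-IP-Phone")]

# Authorization policy, first match wins. The result is what the network
# device gets in ACCESS-ACCEPT; no matching rule means ACCESS-REJECT.
AUTHZ_POLICY = [
    ({"EndpointGroup": "Cisco-IP-Phone"}, {"voice": True, "dacl": ["permit ip any any"]}),
    ({"AD:Group": "Employees", "Method": "802.1X"}, {"vlan": 3, "dacl": ["permit ip any any"]}),
    ({"AD:Group": "Contractors", "Method": "802.1X"},
     {"vlan": 3, "dacl": ["deny ip host <critical>", "permit ip any any"]}),
    ({"Method": "WebAuth"}, {"vlan": 4, "dacl": ["permit ip any any"]}),
]

def matches(conditions, attrs):
    """Every condition attribute must be present with exactly that value."""
    return all(attrs.get(k) == v for k, v in conditions.items())

def profile(attrs):
    """Profiler: derive the Endpoint ID Group, 'Unknown' if nothing matches."""
    for conditions, group in PROFILER_POLICY:
        if matches(conditions, attrs):
            return group
    return "Unknown"

def authorize(session):
    """Return the authorization result, or None for ACCESS-REJECT."""
    attrs = dict(session, EndpointGroup=profile(session))
    for conditions, result in AUTHZ_POLICY:
        if matches(conditions, attrs):
            return result
    return None

def radius_attributes(result):
    """Render a result as the RADIUS attributes a Cisco switch consumes: the
    Tunnel-* triplet for a VLAN, cisco-av-pair ip:inacl#N= for dACL lines and
    device-traffic-class=voice for the voice domain permission."""
    out = {}
    if "vlan" in result:
        out.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-ID": str(result["vlan"])})
    avp = [f"ip:inacl#{i}={ace}" for i, ace in enumerate(result["dacl"], 1)]
    if result.get("voice"):
        avp.append("device-traffic-class=voice")
    out["cisco-av-pair"] = avp
    return out
```

Rule order matters in both tables exactly as it does in ISE: a session that matches nothing falls through to ACCESS-REJECT rather than to a permissive default.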
ISE ‘Access Control’ solution overview
Authentication Methods: MAC Authentication Bypass | Easy Connect | IEEE 802.1X | Web Authentication (Central WebAuth / Local WebAuth); Native Supplicants / Cisco AnyConnect on the 802.1X ENTERPRISE NETWORK
Authorization Options: Downloadable / Named ACL | Airespace ACL | VLAN Assignment | Security Group Tags | URL-Redirection | Port Configuration (ASP Macro / Interface-Template; ASP: Auto Smart Port)
Identity: PASSIVE IDENTITY | ACTIVE IDENTITY
External Identity Stores: Active Directory, LDAP Servers, SQL Server (LDAP / SQL; Passwords / Tokens) | SAML IdPs (Single Sign-On) | Certificate Authorities (SCEP / CRL; Certificate based Auth) | Built-in CA | APIs
Scale: 500,000 concurrent sessions | Up to 100K Network Devices | Up to 50 distinct AD domains supported | 300K Internal Users
What have we achieved?
The wired network
• ISE is profiling all staff ports on my network;
• Rich endpoint context (AD, SNMP, DHCP, RADIUS probes);
• Compliance that all devices attaching into the staff VLAN are CIT assets;
• Better network troubleshooting, e.g.:
Melbourn1#sh authentication sessions interface gi3/9 detail
            Interface:  GigabitEthernet3/9
          MAC Address:  14b3.1f13.275e
         IPv6 Address:  Unknown
         IPv4 Address:  157.190.153.89
            User-Name:  CIT\toks.lapite
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_Gi3/9
           Vlan Group:  Vlan: 120
              ACS ACL:  xACSACLx-IP-StaffConnect_PermitAll
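An added example, not part of the presentation or a Cisco tool: a parser for the show authentication sessions detail output above, feeding the compliance check from the list (every device in the staff VLAN is a CIT asset). The sample output is constructed in the slide’s format with the user and address changed; STAFF_VLAN and STAFF_ACL are taken from the slide.

```python
"""Constructed parser for the 'show authentication sessions interface ...
detail' output on the slide, plus the compliance check from the list above:
every session in the staff VLAN must be Authorized, belong to a CIT domain
account and carry the StaffConnect ACL. Example code, not a Cisco tool."""
import re

# Constructed sample output in the slide's format (user and address changed).
SAMPLE = """\
            Interface:  GigabitEthernet3/9
          MAC Address:  14b3.1f13.275e
         IPv6 Address:  Unknown
         IPv4 Address:  198.51.100.23
            User-Name:  CIT\\jdoe
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
       Current Policy:  POLICY_Gi3/9
           Vlan Group:  Vlan: 120
              ACS ACL:  xACSACLx-IP-StaffConnect_PermitAll
"""
STAFF_VLAN = "120"
STAFF_ACL = "xACSACLx-IP-StaffConnect_PermitAll"

def parse_session(text):
    """Return {field: value}; 'Vlan Group' nests 'Vlan: N', so extract 'Vlan' too."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 -]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    vm = re.search(r"Vlan:\s*(\d+)", fields.get("Vlan Group", ""))
    fields["Vlan"] = vm.group(1) if vm else None
    return fields

def staff_vlan_violations(session):
    """List the reasons a staff-VLAN session is not a compliant CIT asset
    (empty list = compliant, or the session is not in the staff VLAN)."""
    if session.get("Vlan") != STAFF_VLAN:
        return []
    issues = []
    if session.get("Status") != "Authorized":
        issues.append("not authorized")
    if not session.get("User-Name", "").upper().startswith("CIT\\"):
        issues.append("non-CIT identity")
    if session.get("ACS ACL") != STAFF_ACL:
        issues.append("unexpected ACL")
    return issues
```

Run over the detail output of every staff port, a non-empty violation list flags a port where the authorization result does not match the identity ISE reported.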
The wireless network
• Guest wireless (self-service or managed portal);
• Single user identity, multiple devices (3 max);
• Conference identity;
What next?
• Currently, eduroam for staff and students, no differentiated access. However, staff want more access when on wireless, the same access they have when on wired (20% of our staff never touch the wired network, and increasing);
• Profile all wired ports on the network;
• Possibly all ports will be managed dynamically based on identity;
• Use ISE in conjunction with Software Defined Access (SDA) to implement:
  • Security Group Tagging: enhanced authorised network access;
  • VXLANs;
• Compliance: managed staff and student devices must have certain software before network access, e.g. Malwarebytes.
Coming soon to a network near “me”
Software-Defined Access: Networking at the speed of Software!
• Automated Network Fabric: single fabric for wired & wireless with workflow-based automation
• Insights & Telemetry: analytics and insights into user and application behavior
• Identity-based Policy & Segmentation: security policy definition decoupled from VLAN and IP address
DNA Center provides Analytics, Policy and Automation across the IoT Network and the Employee Network (SDA-Extension).
User Mobility: policy stays with the user. User to Cloud segmentation, Campus and Branch segmentation, and User to Data Center access control give a single user access policy across LAN, WAN, DC, and Cloud.
Segmentation Policy Analytics: How do you learn how to segment your network?
• Discover current groups and policies by interacting with existing data sources
• Model non-invasive pilot of candidate groups and policies against a data lake of network activity
• Submit potential groups and policies into enforcement infrastructure (e.g. ISE)
• Visibility into policy usage in real-time, prove policies are working
Building your network capabilities is a journey:
• Network and Asset Visibility; Policy Monitoring
• Automated Segmentation (Outcome: Rapid Threat Containment)
• Guest, Wireless Access
• Identity-based Services: Device Management, IoT, BYOD
• SDA Access
Thank you
Aidan McDonald ([email protected])
Brian O’Donoghue ([email protected])