Inside Cisco IT: How Cisco Deployed ISE and TrustSec, Globally
Simon Finn
BRKCOC-2255
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
ISE is a journey
• Introduction
• Foundation Deployment
• Network Deployment
• Network Policy
• Integration
• Where to next?
• Q&A
Defending Cisco: What We Must Protect
• 122K workforce
• 170 countries
• ~3M IP addresses
• 215K infrastructure devices
• 275K total hosts
• 2500+ IT applications
• 27K remote office connections via Cisco Virtual Office
• 16 major Internet connections
• ~47 TB bandwidth used daily
• 1350 labs
• 180+ acquisitions
• 300 partner extranet connections
• 500 cloud ASPs
• WebEx, Meraki, Umbrella and a growing portfolio of offers
Cisco TrustSec
[Diagram: ISE (physical or VM) as the access-policy controller between traditional network resources and the access policy, sharing context over pxGrid. Use cases: BYOD Access, Threat Containment, Guest Access, Role-Based Access, Identity Profiling and Posture. Context dimensions: Who, What, When, Where, How, Compliant.]
A centralized security solution that automates context-aware access to network resources and shares contextual data
ISE And The Cisco Security Solutions
[Diagram: ISE supplies Who/What/Where/When/How context across the Before, During and After phases of an attack to NetFlow, NGIPS, Cisco StealthWatch, AMP, AMP Threat Grid, FireSIGHT™ Console, CWS, WSA, ESA and FirePOWER™ Services.]
Seamless Connectivity and Integrated Security
[Diagram: Identity Services Engine at the centre of the Cisco core network, connecting wireless devices, AnyConnect VPN (all mobile), wired network devices, home access (CVO) and device management, with Adaptive Security Appliance, WSA, ESA, AMP, StealthWatch and AMP Threat-Grid as the integrated security services.]
Cisco IT Network Security Requirements
Requirement: Secure Guest Network – ION (Internet Only Network)
  Major Technical Outcome: Simplified single secure platform (reduce server footprint from 28 to 8)
  Major Business Outcome: High availability; secure, scalable, and flexible offering for guests, partners, and employees
Requirement: 802.1x Auth: WLAN, CVO*, LAN, VPN + AnyConnect
  Major Technical Outcome: Complete visibility and control of devices connecting to the network
  Major Business Outcome: One scalable policy enforcement environment; network segmentation; productivity on the go
Requirement: Consistent Assured Network Access
  Major Technical Outcome: Scalable enterprise secure network
  Major Business Outcome: Enhanced risk management; consistent user experience; improved operations
*CVO is Cisco Virtual Office, for small office/home office
Business Outcomes - High Level Dependency
[Dependency diagram: a Trusted Enterprise depends on Trusted Device, Trusted Service, Trusted Cloud, and Monitoring and Visibility. Trusted Device depends on Dynamic Device Policy (IoT, Posture) and Dynamic User Policy (Acquisitions, Vendors, Guest, Quarantine), which in turn depend on TrustSec over Wireless, Wired and VPN. Status markers on the foundation row read Complete, Complete, ~85%, Complete.]
Foundations
Single Global ISE Deployment (WLAN, CVO, LAN, VPN)
[Map: 24 ISE nodes in one deployment: 20 PSNs across 8 data centres (node groups) at AER, RTP, ALN, MTV, SNG, TYO, HKG and BGL, plus a Primary ISE PAN/M&T and a Secondary ISE PAN/M&T.]
Cisco IT ISE Global Deployment (WLAN, VPN, LAN)
[Map legend: ISE PSN data centres (8), network devices (sites/cities), auth traffic to ISE PSNs.]
Cisco IT ISE Global Deployment (All Network Devices)
Guestnet (ION) Deployment
[Diagram: primary ION deployment at MTV (ion-mtv-guest and ion-mtv-sponsor behind ION LB VIPs) and secondary at AER (ion-aer-guest and ion-aer-sponsor); each site has a PAN, an MnT and two PSNs, with a PPAN alias. The sponsor portal is reached through GSS (internet.cisco.com); guest accounts are created through the sponsor portal, the VMS tool and lobby ambassadors. NADs in AMER send guest-portal authentication to MTV, NADs in EMEA/APJC to AER, using geo-proximity-based NAD and GSS configuration.]
ISE Deployment Architecture
[Diagram: PPAN and SPAN (primary and secondary admin nodes) and PMnT and SMnT (primary and secondary monitoring nodes) with automatic failover, replication and logging between them. ISE Policy Service Nodes: 20 PSNs in 8 data centres, each site fronted by a VIP: ISE-MTV-VIP, ISE-ALN-VIP, ISE-RTP-VIP (US sites), ISE-AER-VIP (EMEAR site), ISE-BGL-VIP, ISE-HKG-VIP, ISE-TYO-VIP, ISE-SNG-VIP (APAC sites). Network devices at each site (MTV, AER and BGL shown) use a primary ISE VIP with other sites' VIPs as secondaries. Per-service VIPs are also defined, e.g. ISE-AER-WLAN, ISE-AER-LAN, ISE-AER-VPN, ISE-AER-CVO.]
Why Use Load Balancers?
• Ease of global configuration
• Overcome device limits for AAA servers
• Ease of migration and cluster split: no need to change thousands of network devices
[Diagram: the access device is configured with the single host ‘psn-cluster’. It sends a DNS request to resolve psn-cluster.company.com and receives 10.1.98.10, the VIP on the ACE load balancer in VLAN 98 (10.1.98.0/24). The request goes to the VIP; the load balancer hands it to one of the real servers ISE-PSN-1, ISE-PSN-2 or ISE-PSN-3 at 10.1.99.5, 10.1.99.6 and 10.1.99.7 in VLAN 99 (10.1.99.0/24), and the response is received from the real server, here ise-psn-3 at 10.1.99.7.]
Considerations when using Load Balancers
• CoA traffic has to be NAT’ed from PSN to client by the load balancer
• Be careful what other traffic sits on udp/1700; you may catch it
• Your LB may not behave as you expect… test
[Diagram: without NAT, a CoA from ISE-PSN-1 reaches the network device with SRC=10.1.99.5, so every PSN (10.1.99.x) must be listed as a dynamic-author client. With the load balancer NATing CoA, the device sees SRC=10.1.98.10 (the ACE LB VIP) and a single client entry is enough.]
Before (one entry per PSN):
  aaa server radius dynamic-author
   client 10.1.99.5 server-key cisco123
   client 10.1.99.6 server-key cisco123
   client 10.1.99.7 server-key cisco123
   client 10.1.99.8 server-key cisco123
   client 10.1.99.9 server-key cisco123
   client 10.1.99.10 server-key cisco123
   <…one entry per PSN…>
After (single entry for the LB VIP):
  aaa server radius dynamic-author
   client 10.1.98.10 server-key cisco123
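A check for the CoA client mismatch described above, written as an added example (not from the deck or Cisco IT): it parses the device's `aaa server radius dynamic-author` block and reports which PSNs can still deliver a CoA depending on whether the load balancer NATs it. Addresses follow the diagram (PSNs in 10.1.99.0/24, VIP 10.1.98.10); the config text and the extra PSN 10.1.99.8 are constructed.

```python
"""Added example (not from the BRKCOC-2255 deck): check a network device's
'aaa server radius dynamic-author' client list against the source address a
CoA actually arrives from. Addresses follow the deck's diagram (PSNs in
10.1.99.0/24, ACE LB VIP 10.1.98.10); the config text is constructed."""
import re

LB_VIP = "10.1.98.10"                              # VIP from the diagram
PSNS = ("10.1.99.5", "10.1.99.6", "10.1.99.7")     # real PSNs behind it

BEFORE_CFG = """\
aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
"""

AFTER_CFG = """\
aaa server radius dynamic-author
 client 10.1.98.10 server-key cisco123
"""

_CLIENT = re.compile(r"^\s*client\s+(\S+)\s+server-key\s+(\S+)")


def dynamic_author_clients(cfg: str) -> dict:
    """Return {ip: key} for every client inside the dynamic-author block.
    Lines outside the block (e.g. 'radius server' definitions) are ignored."""
    clients, in_block = {}, False
    for line in cfg.splitlines():
        if line.startswith("aaa server radius dynamic-author"):
            in_block = True
            continue
        m = _CLIENT.match(line) if in_block else None
        if m:
            clients[m.group(1)] = m.group(2)
        elif line.strip() and not line.startswith(" "):
            in_block = False            # next top-level command ends the block
    return clients


def coa_source(psn_ip: str, lb_nats_coa: bool) -> str:
    """Source IP the NAD sees: the VIP when the LB source-NATs CoA, else the PSN."""
    return LB_VIP if lb_nats_coa else psn_ip


def coa_accepted(cfg: str, psn_ip: str, lb_nats_coa: bool) -> bool:
    """The NAD rejects a CoA whose source is not a configured client."""
    return coa_source(psn_ip, lb_nats_coa) in dynamic_author_clients(cfg)


def audit(cfg: str, lb_nats_coa: bool, psns=PSNS) -> dict:
    """Which PSNs can still push a CoA (quarantine, re-auth) to this NAD?"""
    return {psn: coa_accepted(cfg, psn, lb_nats_coa) for psn in psns}


def stale_clients(cfg: str, lb_nats_coa: bool, psns=PSNS) -> set:
    """Client entries no CoA will ever match: leftover per-PSN entries after
    moving to a NATing LB, or a VIP entry on a device the LB does not NAT for."""
    expected = {coa_source(p, lb_nats_coa) for p in psns}
    return set(dynamic_author_clients(cfg)) - expected


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        for nat in (False, True):
            print(label, "LB NATs CoA" if nat else "no NAT", audit(cfg, nat))
```

Running it shows the failure mode the slide warns about: the "before" list works only while CoA is not NATed, the "after" list only when it is, and a PSN added later (10.1.99.8) is silently unable to quarantine anything under the per-PSN scheme.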
ISE Deployment Ecosystem: Building Blocks
[Diagram: layers of the ISE ecosystem and the systems around it.]
• ISE (Logical Layer)
• ISE (Physical Layer): ISE appliance or VM (fabric, compute, storage)
• Network: DNS, NTP, SFTP, load balancers
• Network Access Devices
• Endpoints: devices, users & supplicants
• Enterprise Monitoring: HTTP(S), RADIUS, PEAP, EAP-FAST, EAP-TLS
• Surrounding systems: user provisioning, mobile device management, network device provisioning, ISE policy management, Active Directory, Call Manager, data analysis (Syslog), quality (map, monitor, act, prevent)
Active Directory Dedicated Infra For ISE
Before:
• Highly recommended by the BU
• Highly avoided by the teams
• Highly costly, causing few outages
After:
• Better fine-tuning to suit ISE requirements
• Better – and faster – troubleshooting
• Better monitoring for preventative measures
[Diagram: dedicated Active Directory alongside ISE (logical layer), network access devices and endpoints (devices, users & supplicants).]
ISE AD : Physical Architecture
[Diagram: MTV hosts the PPAN (isemtv-prd-22) and PMnT (isemtv-prd-32) as Primary Admin & MnT; ALLN hosts the SPAN (isealln-prd-21) and SMnT (iseallne-prd-31) as Secondary Admin & MnT, with replication and logging between them. Per-site VIPs and PSNs: MTV (isemtv-prd-05/06/08 behind isemtv-prd-wlan, isemtv-prd-lan, isemtv-prd-cvo), ALLN (iseallne-prd-02/03 behind isealln-prd-wlan, isealln-prd-lan, isealln-prd-cvo), RTP (isertp-prd-02/03/04 behind isertp-prd-wlan, isertp-prd-lan, isertp-prd-cvo), AER (iseaer-prd-01/03 behind iseaer-prd-wlan, iseaer-prd-lan, iseaer-prd-cvo), plus the APAC sites [BGL, HKG, SNG, TYO]. Each site has local AD DCs; ISE joins Cisco.com AD (port 389) with an AD primary config and an AD secondary config.]
Wireless Users/Endpoints by Node Group
[Bar chart: users and endpoints/MAC per node group (AER, ALLN, BGL, HKG, MTV, RTP, SNG, TYO), y-axis 0 to 70,000; the per-site values cannot be matched to sites from the extracted text. Avg. 33K Endpoints.]
Testing High Availability When 1 DC Fails
Cisco IT Deployment Strategy
• Avoid the “Big Bang”
  • Too many new capabilities and features to enable in a single deployment.
• “ISE Deployment Bundle” model
  • Capabilities have been grouped into bundles to enable targeted & manageable deployments
• Multiple clusters consolidated
  • Pros and cons of single vs. distributed: ISE limits, scalability, number of endpoints, auth, latency, AD…
  • “Start with one cluster and add more if necessary”
• Global Infrastructure Foundation
  • Minimize network device configuration where possible: use different Virtual IPs by service (e.g., WLAN, LAN, CVO, VPN) for better manageability and ease/speed of control
  • Build a parallel production infra for testing, readiness to scale, and easier upgrade
• Build a cross-functional team from the start
  • Everybody is an equal partner; extend to the BU
Program Governance
• Steering Committee: director-level representation across all relevant areas of IT and security. Responsible for approving high-level policy and direction.
• Core team: senior technical and PM members across all relevant areas of IT and security. Responsible for setting strategic technical direction.
• Tracks (Foundation, Wired Auth, etc.): execution and delivery tracks. Includes implementation engineers. Overseen by a subset of the core team.
Sample ISE Basic Deployment Roadmap
[Roadmap diagram: Phase 1 to Phase 5 and completion, across four tracks.]
• Infra: design, proof of concepts, data analysis; ISE 1.2 install; ISE 1.3 upgrade; apply patches; ISE 1.4 upgrade; fine tune/optimize; ISE 2.1 upgrade; fine tune
• Network: guest, wireless, VPN, wired; endpoint analysis (wired dot1x monitor mode & profiling); wired 802.1X monitor mode deployment; fine tune/optimize
• 802.1x Authentication: guest access; wireless (WLAN) auth deployment; CVO (home office) wireless auth; VPN auth; CVO wired auth; limited sites wired auth; global wired auth enforcement
• Advanced Capabilities: quarantine/remediation; posture enforcement (ISE); Security Group Tagging (SGT); posture assessment (DM); pxGrid integration
Deployment Readiness
Design engineer personal lab → solution verification lab → stage & pilot → deploy!
ISE Deployment : Monitoring & Troubleshooting
Deployment Health Monitoring
• Basic reporting: ISE out-of-box dashboard, alarms & alerts
• Drill-down troubleshooting: transaction focused, step-by-step breakdown
• Dependency monitoring: ISE, AD, DNS, filer
• ISE infra monitors: VMs, LB VIPs, resource utilization
• ISE protocol monitors: RADIUS, HTTPS, PEAP, EAP
• Enterprise monitors: SNMP based, integrated monitoring
• Event correlation: ISE, NADs, DM, AD
• Early detection of potential issues: pattern analysis, benchmark comparative analysis
• Enhanced reporting: Splunk data analytics, pro-active alerting
Cisco IT ISE Production Deployment Metrics
• Internet Only: ISE 1.2, 8 VMs, 2 DCs
• Corporate Access (WLAN, CVO, VPN, LAN): ISE 2.1, 24 VMs, 8 DCs
• Over a million active profiled “Endpoints”; max ~200K concurrent “Endpoints”
• 27K CVO; ~60K EP
• 580 WLC; ~200K EP
• 70 ASA; ~90K EP
• 2K SW; ~200K EP
• 8 Sites; ~8K EP
• ~14K guests/week, CWA (Central Web Auth)
• 98 countries, 580 offices, 130K stakeholders, 27K home offices
Network Deployment
(TrustSec; Wireless, Wired, VPN)
How prepared is your network?
• The deployment of TrustSec has proven to be the biggest compliance effort ever undertaken by Cisco IT.
• Despite numerous systems deployed for managing the network, exceptions were numerous and were not accounted for in network scripting initially
• Use monitor mode and analytics for visibility
• Be prepared to adapt to your business
  • Customer facing
  • Special circumstances
  • Physical limitations
  • Different usage (e.g. demos, testbeds)
• Plan for exceptions, automate where possible
Timing is important…
What can be connected, will be connected
• Some legacy systems: UPS, building management systems, lighting and power management
• Some newer: connected workspaces, sensors…
• How tight are your current controls?
• What is the business culture like? Do you have processes to deal with it?
Exceptions
Cisco IT ISE Guest Network – Wireless
[Chart: top 4 cities by number of guest authentications over a 7-day period: 6,379; 3,583; 2,232; 2,107 (city names are not recoverable from the extracted text).]
Internet Only Network: An important ‘default’ capability
• The Internet Only Network is a natural evolution of guest networking, but for more generic purposes
• Important segmentation, not only to enable the business but to protect the business
• Wired and wireless
Some questions we had to ask:
• What is considered acceptable minimum access?
• User attribution for legal events?
VPN Migration
• Came after wireless (and ISE 1.2)
• Requires ASA 9.3.1 for CoA
• Part of the network…
Changing Business Logic Stores: VPN issue
Summary: The enforcement of policy for VPN authentication/authorization uncovered a gap in exceptions on-boarding. Legacy approval systems placed people in different groups on ACS, which forced a specific tunnel-group. Migration caused some issues: restricted users with undocumented exceptions lost the ability to connect to Production VPN hubs.
[Flow diagram: the user store holds users with a Corp Prod VPN profile and users with a Restricted VPN profile (members of the restricted auth group, CRDC). A user not in CRDC connects to the Prod hub and authenticates with ISE: access OK. A user in the restricted group connects to the restricted hub and authenticates with ISE: access OK (ISE policy applied). A user in the restricted group connects to the Prod hub and authenticates with ISE: stop; a temporary policy change was needed to allow access.]
AnyConnect
AnyConnect is core to our strategy
• NVM + NAM
• Umbrella integration
• Posture services…
Platform Compatibility*
Platform | Min. Acceptable Code | Preferred Code (if appropriate)
C3750X | 15.2(1)E | 15.2(2)E3
C3850 | 3.3.1 (15.0(1)EZ1) | 3.6.5E
C4510R+E/Sup7E | 3.6.1E | 3.6.5E
C4510R+E/Sup8E | 3.6.1E | 3.6.5E
C6k/Sup32 | 12.2(33)SXJ6 | 15.1(2)SY4A
WLCs | 8.0 | 8.0.135.0
C881W (CVO) | 15.4(1)T | –
ISR 4451 | IOS-XE 3.15.01S | –
ASR1K | IOS-XE 3.11S | –
*based upon Cisco IT Routing & Switching roadmap
Attribution
• Some questions your incident response teams need to know the answer to:
  • What was using the IP at [date:time]?
  • Who owns the machine(s) in question?
  • What was the machine in question (UUID, OS)?
• This can be directly integrated or shared/imported via syslog
• Analytics can benefit greatly from the addition of this information and we have found incidents from this.
• Monitor mode has no impact*, yet big rewards
IBNS 2.0 Features In Use
• Concurrent Authentication
• Service Templates
• Critical ACL/VLAN
• RADIUS Probe-On
EEM script – “Fail open” assurance
• Full synthetic authentication transaction.
If failure:
• Inserts "deny ip any any" to prevent traffic being redirected
• Changes the policy-map governing the switch port dot1x behaviour, calling the service-template ‘AUTH OUTAGE’ ("permit ip any any" ACL): fail open for connections started after the server is identified as not responding
• Maintains and logs a database of interfaces that were “failed open”
Upon restore:
• Restores the initial service-template and policy-map, and forces the user to authenticate once the authentication server is responding.
Wired Default Networking
[Diagram: outcome per authentication result. Failed auth → Failed Auth ACL: default access including laptop builds, AD and support pages. Web-auth redirect → Redirect ACL: deny tcp/80+443 to laptop builds, support pages and ISE servers; everything else is caught. Guest access → guest VLAN. Employee credentials → data VLAN, permit access.]
• Pre-auth ACL – what services are needed before auth?
• Failed-auth ACL – what services are needed by default?
• Redirect ACL – what traffic do you want to catch (or not want to)?
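The three ACLs above answer three different questions about the same set of services, which is where they drift apart in practice. As an added example (not Cisco IT's configuration), this renders all three from one service inventory; the hosts, wildcards and ports are constructed sample values standing in for laptop builds, AD, support pages and the ISE servers, and the 8443 portal port on the ISE entry is an assumption.

```python
"""Added example (not Cisco IT's configuration): render the pre-auth,
failed-auth and web-auth redirect ACLs from one service inventory so the
three lists cannot drift apart. Addresses and ports are constructed samples.
Redirect ACLs follow IOS semantics: traffic matching a 'permit' line is
redirected to the ISE portal, traffic matching a 'deny' line is left alone."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    dests: Tuple[Tuple[str, str], ...]   # (address, wildcard) pairs
    tcp: Tuple[int, ...] = ()
    udp: Tuple[int, ...] = ()
    pre_auth: bool = False               # needed before any auth result exists
    failed_auth: bool = False            # part of the deck's "default access"


# Constructed inventory (sample addresses, not Cisco's); 8443 on the ISE
# entry is the assumed portal port.
SERVICES = (
    Service("dns-ntp", (("10.10.0.0", "0.0.255.255"),), udp=(53, 123),
            pre_auth=True, failed_auth=True),
    Service("laptop-build", (("10.20.5.0", "0.0.0.255"),), tcp=(80, 443, 445),
            udp=(69,), pre_auth=True, failed_auth=True),
    Service("active-directory", (("10.20.10.10", "0.0.0.0"), ("10.20.10.11", "0.0.0.0")),
            tcp=(88, 389, 445, 636), udp=(88, 389), failed_auth=True),
    Service("support-pages", (("10.30.1.20", "0.0.0.0"),), tcp=(80, 443),
            pre_auth=True, failed_auth=True),
    Service("ise-psn", (("10.1.98.10", "0.0.0.0"),), tcp=(80, 443, 8443),
            pre_auth=True),
)
WEB_PORTS = (80, 443)


def _dst(addr: str, wildcard: str) -> str:
    return f"host {addr}" if wildcard == "0.0.0.0" else f"{addr} {wildcard}"


def _entries(action: str, svc: Service, only_ports=None) -> List[str]:
    """One ACE per destination/protocol/port; only_ports narrows the ports."""
    out = []
    for addr, wc in svc.dests:
        for proto, ports in (("tcp", svc.tcp), ("udp", svc.udp)):
            for port in ports:
                if only_ports is None or port in only_ports:
                    out.append(f" {action} {proto} any {_dst(addr, wc)} eq {port}")
    return out


def _allow_list(name: str, services, flag: str) -> List[str]:
    # DHCP is broadcast, so it gets a blanket line rather than a host entry.
    acl = [f"ip access-list extended {name}", " permit udp any any eq bootps"]
    for svc in services:
        if getattr(svc, flag):
            acl += _entries("permit", svc)
    return acl + [" deny ip any any"]


def pre_auth_acl(services=SERVICES, name="PRE-AUTH-ACL") -> List[str]:
    """What is needed before auth: the services flagged pre_auth."""
    return _allow_list(name, services, "pre_auth")


def failed_auth_acl(services=SERVICES, name="FAILED-AUTH-ACL") -> List[str]:
    """What is needed by default after a failed auth."""
    return _allow_list(name, services, "failed_auth")


def redirect_acl(services=SERVICES, name="WEB-AUTH-REDIRECT") -> List[str]:
    """Exempt web traffic to every inventoried service that speaks HTTP(S)
    (laptop builds, support pages, the ISE servers themselves), then catch
    all other tcp/80 and tcp/443 for the portal redirect."""
    acl = [f"ip access-list extended {name}"]
    for svc in services:
        if any(p in WEB_PORTS for p in svc.tcp):
            acl += _entries("deny", svc, only_ports=WEB_PORTS)
    return acl + [f" permit tcp any any eq {p}" for p in WEB_PORTS]


def render(*acls: List[str]) -> str:
    return "\n".join("\n".join(acl) for acl in acls)


if __name__ == "__main__":
    print(render(pre_auth_acl(), failed_auth_acl(), redirect_acl()))
```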
Wired Auth 802.1x Learning
First: Communicate!
Second: Automate!
Last: Regulate!
Start slow and small… then accelerate
Example: Windows Laptop Builds
Services needed: DNS/NTP/DHCP, TFTP, file shares, AD/SCCM
1. Basic IP/BOOTP
2. Download WinPE
3. WinPE build, AD registration, new logon
Ecosystem Issue Example: New Hires
• New hires are required to change their password upon first login (AD setting)
• Windows PE does not provide an interactive prompt for the password change
• Net result: building the Windows laptop cannot be the first login a user does
• New hire process, including the badging system, leveraged to work around this, but also to make a smarter on-boarding experience.
Device Identification In Policy
Conditions and permissions depending on the “identity” of the device:
• OUI: Vendor + other attributes
• Profiling attributes and/or DNS
• Profile based policy caveats
• Device sensor
• Probes
• Consistent configuration
Collaboration Device Landscape
[Image slide]
Network Policy
(Dynamic Device Policy: IoT, Posture; Dynamic User Policy: Acquisitions, Vendors, Guest, Quarantine)
Quarantine Key Lessons
Time to detect – time to contain = exposure window
To lower exposure, we need tools to contain rogue endpoints, whilst minimising business impact.
• Infrastructure configured for CoA
• Policy must be understood by network device.
Device Quarantine Process
[Diagram: CSIRT → Policy Admin Node → Policy Service Node → network device (wired, wireless, VPN) → endpoint.]
1. CSIRT adds the MAC address to the ‘Quarantine Endpoint’ identity group via API
2. Policy change for endpoint sent to policy service node
3. Change of authorization sent to the network device, and the new policy applied (quarantine)
Note: this method is extensible to any business case for changing endpoint policy in real time
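Step 1 of that process, as an added example that is not Cisco IT's tooling: put a MAC into the ‘Quarantine Endpoint’ identity group through the ISE API and let steps 2 and 3 (PAN-to-PSN replication and the CoA) happen inside ISE. The deck only says "via API"; the ERS paths and JSON shapes are assumed from the ISE ERS API, and the HTTP transport is injected so the logic runs offline against the constructed responses in `fake_ise()`.

```python
"""Added example (not Cisco IT's tooling): step 1 of the quarantine flow,
placing a MAC in the 'Quarantine Endpoint' identity group over the ISE API.
ERS paths and JSON shapes are assumed from the ISE ERS API; fake_ise()
supplies constructed responses so the logic can be exercised offline."""
import base64
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

QUARANTINE_GROUP = "Quarantine Endpoint"      # identity group named in the deck
# (method, url, json body or None) -> (status, json reply)
Http = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def normalize_mac(raw: str) -> str:
    """Tickets carry MACs as aabb.ccdd.eeff, aa-bb-.. or aa:bb:..; ISE stores
    them as AA:BB:CC:DD:EE:FF. Anything that is not 12 hex digits is rejected."""
    digits = re.sub(r"[.:\-\s]", "", raw)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def single_id(search: dict) -> Optional[str]:
    """ERS searches reply with SearchResult.total and SearchResult.resources[]."""
    result = search.get("SearchResult", {})
    resources = result.get("resources", [])
    if result.get("total", len(resources)) > 1:
        raise RuntimeError("ambiguous ERS search result")
    return resources[0]["id"] if resources else None


def quarantine_body(mac: str, group_id: str, endpoint_id: Optional[str] = None) -> dict:
    """staticGroupAssignment pins the endpoint to the group so the profiler
    cannot move it back out; clearing it later is the release step."""
    ep = {"mac": mac, "groupId": group_id, "staticGroupAssignment": True}
    if endpoint_id:
        ep["id"] = endpoint_id
    return {"ERSEndPoint": ep}


def quarantine(http: Http, base: str, raw_mac: str, group: str = QUARANTINE_GROUP) -> dict:
    """Resolve the group, then update the endpoint if ISE already knows it
    (profiled or registered) or create it directly inside the group."""
    mac = normalize_mac(raw_mac)
    status, reply = http("GET", f"{base}/ers/config/endpointgroup?filter=name.EQ."
                         f"{urllib.parse.quote(group)}", None)
    group_id = single_id(reply) if status == 200 else None
    if group_id is None:
        raise RuntimeError(f"identity group {group!r} not found (HTTP {status})")
    status, reply = http("GET", f"{base}/ers/config/endpoint?filter=mac.EQ.{mac}", None)
    endpoint_id = single_id(reply) if status == 200 else None
    if endpoint_id is None:
        status, _ = http("POST", f"{base}/ers/config/endpoint", quarantine_body(mac, group_id))
        action = "created"
    else:
        status, _ = http("PUT", f"{base}/ers/config/endpoint/{endpoint_id}",
                         quarantine_body(mac, group_id, endpoint_id))
        action = "updated"
    if status not in (200, 201):
        raise RuntimeError(f"ISE rejected the change: HTTP {status}")
    return {"mac": mac, "groupId": group_id, "action": action}


def ers_transport(user: str, password: str) -> Http:
    """Real transport: HTTP basic auth against the PAN's ERS port (9060)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Accept": "application/json", "Content-Type": "application/json"}

    def call(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:            # raises on 4xx/5xx
            status, text = resp.status, resp.read().decode()
        return status, (json.loads(text) if text else {})
    return call


def fake_ise(known: dict) -> Http:
    """Constructed stand-in for ISE: 'known' maps normalized MAC -> endpoint id."""
    calls = []

    def call(method, url, body):
        calls.append((method, url, body))
        if "/endpointgroup?" in url:
            return 200, {"SearchResult": {"total": 1,
                                          "resources": [{"id": "grp-quarantine-0001"}]}}
        if "/endpoint?filter=mac.EQ." in url:
            found = known.get(url.rsplit("mac.EQ.", 1)[1])
            return 200, {"SearchResult": {"total": 1 if found else 0,
                                          "resources": [{"id": found}] if found else []}}
        return (201 if method == "POST" else 200), {}
    call.calls = calls
    return call
```

Against a real PAN, `quarantine(ers_transport(user, password), "https://<pan>:9060", mac)` does the same thing; the authorization policy must already reference the group so that ISE turns the group change into a CoA.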
“GreyWare”
• Real security incidents from ’low impact’ malware
  • Change system settings
  • Ad injection
  • Break A/V
  • Host control
  • User tracking
  • Exfiltration
• Goal: low business impact mechanism to get rid of greyware.
End goal : Secure the network
Create device access policies based on risk/assurance criteria, your level of control, and risk tolerance:
• Public areas
• Vendor/Partner managed devices
• BYOD (OS dependent: iOS, Android, Windows Mobile, Linux, Samsung, etc.)
• Printers, Cameras, Badge Readers, Coffee machines, etc.
• IoE/IoT devices
[Chart: access plotted against assurance (low to high) and risk (high to low). Company-managed devices sit at high assurance, low risk and high access; IoE/IoT devices at low assurance, high risk and low access; BYOD and vendor/partner managed devices in between, with a question mark where policy is still undecided.]
Basic Segmentation: Static Network Policy
[Diagram: Guest VLAN, Building VLAN, IoT VLAN, IoT Internet VLAN and Prod VLAN behind regional firewalls, DC FW, NGFW and VPN, reaching Internet, cloud services and internal systems.]
• Proliferation of VLANs
• IP address space management
• Regional firewalls
• Complex policy
• Individual port management
• High touch provisioning
• Complex network topology based policy
• Human error prone, often ineffectual
Some Dynamic Segmentation
[Diagram: Building VLAN, Internet VLAN and Prod VLAN behind DC FW, NGFW and VPN, reaching Internet, cloud services and internal systems, with policy management in ISE, the DC, etc. and the Prime Services Catalog.]
• VLANs and firewalls reduced
• Provisioning times reduced
• Policy largely simplified
• Dynamic policy for some user and device groups, manual for others
• Some legacy static configuration due to risk
• Some context based policy
• Policy management in ISE, DC, etc.
Dynamic Segmentation (with IoT)
[Diagram: Internet VLAN and Prod VLAN only, behind DC FW, NGFW and VPN, reaching Internet, cloud services and internal systems; a MUD service feeds policy management and the Prime Services Catalog.]
• VLANs collapsed to minimum
• All endpoints authenticated and/or policy applied
• Full policy automation, MUD to assist with IoT and approval workflows
Dynamic User Policy Use Case: Divestiture Security Challenges
Business Requirement: Operational continuity after Business Unit divestiture to Technicolor
• Cisco campus with multiple buildings – one building is sold to acquiring company
• Divestiture requires continued access by former Cisco and existing Technicolor employees to resources that are on Cisco’s network or physically inside Cisco buildings.
Challenge: Protect Cisco networks and applications while allowing Technicolor employees physical access to Cisco buildings and logical access to required network resources during the transition period.
[Map: Lawrenceville campus; building sold and employees consolidated.]
Business Expectations and IT/InfoSec Requirements
• Cisco continues to own the existing LAN in the Technicolor building until Technicolor builds their LAN/WAN
• All users must be identified at the network access layer – either wired or wireless
• Based on user identification, access to Cisco network should be either open (Cisco users) or very limited (TCH users)
• Technicolor users need to have access to Cisco resources whether physically in Technicolor building or other Cisco buildings
• User experience is critical – minimal user impact is expected by BU
• TCH users must have continued access to required network resources
• Cisco users should not have any access limitations that they wouldn’t normally have
Technology Solution
• InfoSec Architecture Requirement: Provide identity-based differentiated access on both the wired and wireless networks at the divestiture sites with ongoing physical access by divested employees.
• Proposed Solution: Authenticate users with 802.1x and leverage ISE via AD group membership with TrustSec SGA/SGT enforcement.
• Referred to as Dynamic User Policy (DUP), logically segments access so Technicolor employees only have access to resources they require, whether they’re physically sitting in a Cisco or a Technicolor building
Access policy by user type:
• Cisco User: wired – open; wireless – open
• TCH User: wired – SG tag + ACL; wireless – SG tag + ACL
[Diagram: 802.1x authentication against Identity Services Engine assigns the TCH SGT on both wired and wireless; an SG ACL is enforced toward WWW/Cisco resources.]
VPN Use Case
Problem:
• Different VPN solutions for different user communities
• Overhead of hardware and management
Solution:
• Use consolidated VPN clusters
• Tag traffic and apply SGACLs as needed
• Allows greater resiliency and availability for all services
[Diagram: before SGT, separate clusters for Employee, Diverse BU, Vendor and Other; after SGT, a single cluster serving Employee, Vendor and Diverse BU.]
802.1x wired rollout – CAM exhaustion
Problem:
• Unauthorized users must have limited access
• Limited access is enforced by an ACL
• ACLs on a per port basis can cause exhaustion of switch TCAM resources
Solution:
• Use Security Group Tags for pre-auth
• Most switches support L2 enforcement, ensuring unauthenticated access
• Single instance of ACL means saved TCAM; also solves IPv6 scale
Lab Use Case
Problem:
• Labs are uncontrolled/unauthenticated
• Labs are a source of network issues
• Need to be able to control lab traffic and drop for certain data center resources
Solution:
• Tag all traffic leaving labs
• Drop lab tagged traffic for sensitive applications
• Rate limit/control lab traffic
[Diagram: traffic is tagged at the lab edge; lab-tagged traffic is dropped at the DC edge.]
Many devices are not capable of protecting themselves - the network is needed.
[Chart: ability of a device to protect itself against log(time), from 1 year to 10 years: Android, your car and your refrigerator decline at different rates, and network protection covers the gap.]
Planning to secure more, faster
Your business will digitize; monitors, sensors, probes, distributed computing, all need connecting… and securing
Integration
Service Oriented Orchestration
[Table: service grouping and access control constructs per platform. ACI: EPG (grouping), Contract (access control). TrustSec: SGT, SGACL. IOS: Object Group, ACL. Each construct carries both IPv4 and IPv6.]
• Change IPv4/IPv6 hosts once
• Change service port information once
TrustSec and ACI Integration
Add User and Device Information into Services
• Cisco WSA: user policy based upon tags, users in logs
• Lancope: user and device information in console
Rapid Threat Containment
• Improve threat visibility and detection effectiveness so that IT security can detect new and stealthy malware throughout the network
• Speed time to containment so that infected endpoints are quickly and automatically removed as threats
• Lower operational overhead and malware-related costs while supporting the use of already-deployed Cisco networking devices for enforcement
[Diagram: FireSIGHT detects a threat and, with context information from ISE, ISE issues CoA/quarantine.]
Posture
• Scaling management solutions
• URL redirect requirements
• Analytics and Device Groups
[Diagram: device managers (DMs) hold configuration & policy and status & inventory; ISE asks enrolled? compliant? and applies network access controls; remediation by Cisco IT.]
What is coming next for Cisco IT?
Context-Aware Security : Bridging The Gap…
[Diagram: Cisco ISE provides network context (who, what, how, where, when) over pxGrid; MDMs (Afaria, Casper, SCCM) add device context; a connector (“Identity over IP”, situational) carries it to application security, which otherwise has only limited network context. The result is network + app security context (who, what, how, where, when) plus risk context (vulnerability, threat) for context-aware app security: better security (layered security, elevated auth), better user experience (zero sign-on experience), flexible & granular access policies.]
Example solution outline.
[Diagram: ISE shares the posture policy result via pxGrid (policy applies to a small user group); sso.cisco.com consumes the posture policy result via pxGrid and sends a SAML assertion of “Low” to Box; Box.net blocks access for a “Low” answer. Covers on-prem and off-prem users.]
* Off-prem will require VPN to access Box for these users in order to get posture validated in the interim
Trusted Service Vision
• Consistent: security between clouds and on premises
• Pervasive: extend on-premises security to the cloud
• Scalable
• Policy based
• Goal of parity between A-E
[Diagram: trusted device identity, encryption and SSO from Cisco Security on-prem extend to cloud services Sales and Security A to E.]
Other Focus Areas
• Automation
• Identity stores
• User identity
• Device identity (certs)
• Infrastructure Information
Q & A
Continue Your Education
• Demos in the Cisco campus
• Demo in the Cisco on Cisco booth in the Hub
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
  • “Targeted Threat (APT) Defense for Applications Featuring pxGrid” DevNet with Dave Jones. Wed 5:00 p.m. - 5:45 p.m. | Hall 2.2, The Hub, DevNet Classroom 2
• Spark Room
Thank You